Get-AzRoleAssignment

Lists Azure RBAC role assignments at the specified scope. By default it lists all role assignments in the selected Azure subscription. Use respective parameters to list assignments to a specific user, or to list assignments on a specific resource group or resource.

The cmdlet may call below Microsoft Graph API according to input parameters:

  • GET /users/{id}
  • GET /servicePrincipals/{id}
  • GET /groups/{id}
  • GET /directoryObjects/{id}
  • POST /directoryObjects/getByIds

Please notice that this cmdlet will mark ObjectType as Unknown in output if the object of role assignment is not found or current account has insufficient privileges to get object type.

Syntax

Get-AzRoleAssignment
   [-RoleDefinitionName <String>]
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -ObjectId <String>
   [-RoleDefinitionName <String>]
   [-ExpandPrincipalGroups]
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -ObjectId <String>
   -ResourceGroupName <String>
   [-RoleDefinitionName <String>]
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -ObjectId <String>
   -ResourceGroupName <String>
   -ResourceName <String>
   -ResourceType <String>
   [-ParentResource <String>]
   [-RoleDefinitionName <String>]
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -ObjectId <String>
   [-RoleDefinitionName <String>]
   -Scope <String>
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   [-ObjectId <String>]
   -RoleDefinitionId <Guid>
   [-Scope <String>]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -SignInName <String>
   -ResourceGroupName <String>
   [-RoleDefinitionName <String>]
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -SignInName <String>
   -ResourceGroupName <String>
   -ResourceName <String>
   -ResourceType <String>
   [-ParentResource <String>]
   [-RoleDefinitionName <String>]
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -SignInName <String>
   [-RoleDefinitionName <String>]
   -Scope <String>
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -SignInName <String>
   [-RoleDefinitionName <String>]
   [-ExpandPrincipalGroups]
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -ServicePrincipalName <String>
   -ResourceGroupName <String>
   [-RoleDefinitionName <String>]
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -ServicePrincipalName <String>
   -ResourceGroupName <String>
   -ResourceName <String>
   -ResourceType <String>
   [-ParentResource <String>]
   [-RoleDefinitionName <String>]
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -ServicePrincipalName <String>
   [-RoleDefinitionName <String>]
   -Scope <String>
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -ServicePrincipalName <String>
   [-RoleDefinitionName <String>]
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -ResourceGroupName <String>
   [-RoleDefinitionName <String>]
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   -ResourceGroupName <String>
   -ResourceName <String>
   -ResourceType <String>
   [-ParentResource <String>]
   [-RoleDefinitionName <String>]
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzRoleAssignment
   [-RoleDefinitionName <String>]
   -Scope <String>
   [-IncludeClassicAdministrators]
   [-SkipClientSideScopeValidation]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Description

Use the Get-AzRoleAssignment command to list all role assignments that are effective on a scope. Without any parameters, this command returns all the role assignments made under the subscription. This list can be filtered using filtering parameters for principal, role and scope. The subject of the assignment must be specified. To specify a user, use SignInName or Microsoft Entra ObjectId parameters. To specify a security group, use Microsoft Entra ObjectId parameter. And to specify a Microsoft Entra application, use ServicePrincipalName or ObjectId parameters. The role that is being assigned must be specified using the RoleDefinitionName parameter. The scope at which access is being granted may be specified. It defaults to the selected subscription. The scope of the assignment can be specified using one of the following parameter combinations a. Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId>. This will filter assignments that are effective at that particular scope i.e. all assignments at that scope and above. b. ResourceGroupName - Name of any resource group under the subscription. This will filter assignments effective at the specified resource group c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - Identifies a particular resource under the subscription and will filter assignments effective at that resource scope. To determine what access a particular user has in the subscription, use the ExpandPrincipalGroups switch. This will list all roles assigned to the user, and to the groups that the user is member of. Use the IncludeClassicAdministrators switch to also display the subscription admins and co-admins.

Examples

Example 1

Get-AzRoleAssignment

List all role assignments in the subscription

Example 2

Get-AzRoleAssignment -ResourceGroupName testRG -SignInName john.doe@contoso.com

Gets all role assignments made to user john.doe@contoso.com, and the groups of which he is member, at the testRG scope or above.

Example 3

Get-AzRoleAssignment -ServicePrincipalName "http://testapp1.com"

Gets all role assignments of the specified service principal

Example 4

Get-AzRoleAssignment -Scope "/subscriptions/96231a05-34ce-4eb4-aa6a-70759cbb5e83/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"

Gets role assignments at the 'site1' website scope.

Parameters

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ExpandPrincipalGroups

If specified, returns roles directly assigned to the user and to the groups of which the user is a member (transitively). Supported only for a user principal.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-IncludeClassicAdministrators

If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ObjectId

The Microsoft Entra ObjectId of the User, Group or Service Principal. Filters all assignments that are made to the specified principal.

Type:String
Aliases:Id, PrincipalId
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ParentResource

The parent resource in the hierarchy of the resource specified using ResourceName parameter. Must be used in conjunction with ResourceGroupName, ResourceType, and ResourceName parameters.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ResourceGroupName

The resource group name. Lists role assignments that are effective at the specified resource group. When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ResourceName

The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType, and (optionally)ParentResource parameters.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ResourceType

The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName, and (optionally)ParentResource parameters.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-RoleDefinitionId

Id of the Role that is assigned to the principal.

Type:Guid
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-RoleDefinitionName

Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Scope

The Scope of the role assignment. In the format of relative URI. For e.g. /subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG. It must start with "/subscriptions/{id}". The command filters all assignments that are effective at that scope.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ServicePrincipalName

The ServicePrincipalName of the service principal. Filters all assignments that are made to the specified Microsoft Entra application.

Type:String
Aliases:SPN
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-SignInName

The email address or the user principal name of the user. Filters all assignments that are made to the specified user.

Type:String
Aliases:Email, UserPrincipalName
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-SkipClientSideScopeValidation

If specified, skip client side scope validation.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

String

Guid

Outputs

PSRoleAssignment

Notes

Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment