get role assignment for each subscription

[john-ske]

Thanks for the AADRolesInventory-Graph. script. the issue i am facing is i am trying to get these roles for each subscription from my tenant. i tried to use graph
$Subscriptions = @()
$uri = 'https://graph.microsoft.com/v1.0/subscriptions
but its empty.
Also, as an alternative tried to use this AAD_Groups_MemberOf_inventoryMG PowerShell script but this one also not displaying the subscription the user is part of.

all i am trying to do is get the user RBAC for each subscription using graph. (i tried using Get-AzSubscription and i get what i want but i cant automate it using app registration).

any help to get the roles for each subscription would be greatly appreciated.

Thanks
John

[michevnew]

Those are different things. The /subscriptions endpoint in Graph is used for change notifications, it has nothing to do with Azure subscriptions. What you need to do is run the script with credentials/token for each of these subscriptions, either by using an admin user configured therein, or registering an application across all the involved AAD tenants. In either case, the script will only cover Azure AD role assignments, not Azure RBAC ones.

[john-ske]

Thanks for the quick reply and explanation. so what I am trying to get is RBAC then, I need list of all users for each subscription, under IAM including users and groups and i should be able to automate this using app registration. so can we do this with Graph API? if not could you please provide any solution?

[tld6764]

If you are automating with a runbook, it should have the Az PowerShell module already available. You could use the "Get-AzRoleAssignment" command to pull that data: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-powershell#list-role-assignments-for-a-user

[john-ske]

Thanks. I have tried getting the list of roles assignments using AzRoleAssignment when i run it locally. i used below script and it works fine.
https://pedholtlab.com/export-role-assignments-for-all-azure-subscriptions/

But if I want to automate it using SPN app registration, it seems I need directory.read.all and some other permissions which are not available in Azure AD. it seems they are available in graph api only.

what is the best way to get these RBAC roles under IAM for every subscription with automation?

Any help is much appreciated. Thanks.

[tld6764]

"directory.read.all" is a permission. Specifically, an API Permission. It depends on what you are using to authenticate with. If it's an Azure App, you can grant it under "App Registrations" in the Azure portal ( portal.azure.com). For example (I have "directory.readwrite.all" for my app, but same idea applies): [image: image.png] [image: image.png] If you're authenticating with a managed identity, then you need to grant your managed identity rights to do what it needs like you would any other user account.

…

On Tue, Sep 12, 2023 at 1:08 PM john-ske ***@***.***> wrote: Thanks. I have tried getting the list of roles assignments using AzRoleAssignment when i run it locally. i used below script and it works fine. https://pedholtlab.com/export-role-assignments-for-all-azure-subscriptions/ But if I want to automate it using SPN app registration, it seems I need directory.read.all and some other permissions which are not available in Azure AD. it seems they are available in graph api only. what is the best way to get these RBAC role assignments for every subscription with automation? Any help is much appreciated. Thank. — Reply to this email directly, view it on GitHub <#18 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AZFBPF3GTOE5XJ5TOX3DPRTX2CQK7ANCNFSM6AAAAAA4T35IXA> . You are receiving this because you commented.Message ID: ***@***.***>

[john-ske]

yes i have tried that in my app. but if i want to read the groups under IAM i think i need below permissions. but these permissions are not available in azure ad when i try to add these in a custom role i created.

Microsoft.directory/groups/allProperties/read
Microsoft.directory/users/appRoleAssignments/read
Microsoft.directory/users/memberOf/read

is there a way to get RBAC with automation using SPN?