Microsoft has made it straightforward to get an overview of Azure role assignments for a subscription. They have added the Download role assignments button in the Azure portal under Subscriptions.
When I'm working with customers that have many subscriptions, I like to get an overview of all the subscriptions at once. Therefore I use PowerShell to export role assignments for all Azure subscriptions at once.

Script parameters
The script has two parameters, $OutputPath and $SelectCurrentSubscription.
Neither of them is mandatory.
$OutputPath: If defined, a CSV file is exported to the chosen location. If omitted, the report is written to the PowerShell console.
Example: .\Export-RoleAssignments.ps1 -OutputPath C:\temp
$SelectCurrentSubscription: Exports role assignments only from the subscription that is currently selected.
Example: .\Export-RoleAssignments.ps1 -SelectCurrentSubscription
Run Get-AzContext to view which subscription is selected.
Script Output
Besides getting an overview of the role assignments in an Azure subscription, I also like to know whether a role is a custom or built-in role. For each assignment, the script looks up the role definition and records CustomRole as True or False.
Output Example in PowerShell Console

Output Example to CSV File


The PowerShell Script
The PowerShell script is available on my GitHub account.
Go there for the latest updates (the script in this article is not kept in sync with the GitHub version).
#Parameters
Param (
    [Parameter(Mandatory=$false)]
    [string]$OutputPath = '',
    [Parameter(Mandatory=$false)]
    [Switch]$SelectCurrentSubscription
)

#Get current context
$CurrentContext = Get-AzContext

#Get Azure subscriptions
if ($SelectCurrentSubscription) {
    #Only select the current subscription
    Write-Verbose "Only running for selected subscription $($CurrentContext.Subscription.Name)" -Verbose
    $Subscriptions = Get-AzSubscription -SubscriptionId $CurrentContext.Subscription.Id -TenantId $CurrentContext.Tenant.Id
}else {
    Write-Verbose "Running for all subscriptions in tenant" -Verbose
    $Subscriptions = Get-AzSubscription -TenantId $CurrentContext.Tenant.Id
}

#Get role assignments for each subscription
$Report = @()
foreach ($Subscription in $Subscriptions) {
    #Choose subscription
    Write-Verbose "Changing to Subscription $($Subscription.Name)" -Verbose
    $Context = Set-AzContext -TenantId $Subscription.TenantId -SubscriptionId $Subscription.Id -Force
    $Name = $Subscription.Name
    $TenantId = $Subscription.TenantId
    $SubId = $Subscription.SubscriptionId

    #Getting information about role assignments for the chosen subscription
    Write-Verbose "Getting information about Role Assignments..." -Verbose
    $roles = Get-AzRoleAssignment | Select-Object RoleDefinitionName,DisplayName,SignInName,ObjectId,ObjectType,Scope,
        @{name="TenantId";expression = {$TenantId}},@{name="SubscriptionName";expression = {$Name}},@{name="SubscriptionId";expression = {$SubId}}

    foreach ($role in $roles){
        #Collect the fields for the report row
        $DisplayName = $role.DisplayName
        $SignInName = $role.SignInName
        $ObjectType = $role.ObjectType
        $RoleDefinitionName = $role.RoleDefinitionName
        $AssignmentScope = $role.Scope
        $SubscriptionName = $Context.Subscription.Name
        $SubscriptionID = $Context.Subscription.SubscriptionId

        #Check for custom role
        $CheckForCustomRole = Get-AzRoleDefinition -Name $RoleDefinitionName
        $CustomRole = $CheckForCustomRole.IsCustom

        #New PSObject
        $obj = New-Object -TypeName PSObject
        $obj | Add-Member -MemberType NoteProperty -Name SubscriptionName -Value $SubscriptionName
        $obj | Add-Member -MemberType NoteProperty -Name SubscriptionID -Value $SubscriptionID
        $obj | Add-Member -MemberType NoteProperty -Name DisplayName -Value $DisplayName
        $obj | Add-Member -MemberType NoteProperty -Name SignInName -Value $SignInName
        $obj | Add-Member -MemberType NoteProperty -Name ObjectType -Value $ObjectType
        $obj | Add-Member -MemberType NoteProperty -Name RoleDefinitionName -Value $RoleDefinitionName
        $obj | Add-Member -MemberType NoteProperty -Name CustomRole -Value $CustomRole
        $obj | Add-Member -MemberType NoteProperty -Name AssignmentScope -Value $AssignmentScope
        $Report += $obj
    }
}

if ($OutputPath) {
    #Export to CSV file
    Write-Verbose "Exporting CSV file to $OutputPath" -Verbose
    #-NoTypeInformation keeps the "#TYPE" line out of the file on Windows PowerShell 5.1
    $Report | Export-Csv -Path "$OutputPath\RoleExport-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation
}else {
    $Report
}
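An added example, not part of the original script: a triage pass over the exported report that flags the assignments worth a closer look during an access review. The sample rows, the function name Get-RoleAssignmentFinding and the review criteria (the privileged role list, custom roles, unresolved principals, scopes above the subscription) are assumptions for illustration.

```powershell
# Constructed sample rows using the column names the export script writes.
# For a real review, load the exported file with Import-Csv instead.
$Report = @'
SubscriptionName,SubscriptionID,DisplayName,SignInName,ObjectType,RoleDefinitionName,CustomRole,AssignmentScope
Prod,00000000-0000-0000-0000-000000000001,Alice Example,alice@example.com,User,Owner,False,/subscriptions/00000000-0000-0000-0000-000000000001
Prod,00000000-0000-0000-0000-000000000001,Ops Team,,Group,Reader,False,/subscriptions/00000000-0000-0000-0000-000000000001
Prod,00000000-0000-0000-0000-000000000001,,,Unknown,Contributor,False,/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app
Dev,00000000-0000-0000-0000-000000000002,build-sp,,ServicePrincipal,Deploy Operator,True,/providers/Microsoft.Management/managementGroups/mg-example
'@ | ConvertFrom-Csv

# Assumed review list: built-in roles that can modify resources or grant access.
$PrivilegedRoles = 'Owner', 'Contributor', 'User Access Administrator'

function Get-RoleAssignmentFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] $Row)
    process {
        $reasons = @()
        if ($Row.RoleDefinitionName -in $PrivilegedRoles) {
            $reasons += 'privileged built-in role'
            if ($Row.ObjectType -eq 'User') { $reasons += 'assigned directly to a user, not a group' }
        }
        # Works for live booleans and for the strings read back from CSV.
        if ($Row.CustomRole -eq 'True') { $reasons += 'custom role, review its definition' }
        # Azure reports ObjectType Unknown when the principal can no longer be resolved.
        if ($Row.ObjectType -eq 'Unknown') { $reasons += 'principal cannot be resolved' }
        # Scopes that do not start with /subscriptions/ sit above the subscription.
        if ($Row.AssignmentScope -notmatch '^/subscriptions/') { $reasons += 'scope above the subscription' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SubscriptionName = $Row.SubscriptionName
                Principal        = if ($Row.DisplayName) { $Row.DisplayName } else { '(none)' }
                ObjectType       = $Row.ObjectType
                Role             = $Row.RoleDefinitionName
                Scope            = $Row.AssignmentScope
                Reasons          = $reasons -join '; '
            }
        }
    }
}

# Rows with no finding (here, the Reader assignment to a group) are dropped.
$Findings = $Report | Get-RoleAssignmentFinding
$Findings | Format-List
```

The function also accepts the in-memory $Report from the export script, since the CustomRole comparison handles both the boolean and the CSV string form.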
Can you edit the script so that when roles are assigned to groups, the group members are also exported in that CSV?
Thanks