Auditing Azure Role Assignments with PowerShell

Managing role assignments in Azure can be a complex task, especially when dealing with multiple subscriptions and ensuring that only eligible users have the necessary permissions. In this blog post, we’ll walk through a PowerShell script that helps you audit Azure role assignments by retrieving all eligible role assignments across your subscriptions. This script is particularly useful for administrators who need to maintain a secure and well-organized Azure environment.

Script Breakdown

Connect to Azure

First, we need to connect to our Azure account using the Connect-AzAccount command. Make sure to replace xxxxxxxxxx with your actual tenant ID.

# Connect Az
$TenantId = "xxxxxxxxxx" # Add your Tenant Id here
Connect-AzAccount -Tenant $TenantId

This command authenticates your session with Azure, allowing you to interact with your subscriptions and resources.

Get all enabled subscriptions

Next, we retrieve all enabled subscriptions in your Azure account using the Get-AzSubscription command.

# Get all enabled subscriptions
$Subscriptions = Get-AzSubscription | Where-Object {$_.State -eq "Enabled"}

This ensures that we only work with active subscriptions.

Initialize array for eligible Azure assignments

We initialize an empty array to store the eligible Azure role assignments.

# Get All Eligible Azure Assignments
$EligibleAzureUserData = @()

This array will hold the data we collect from each subscription.

Loop through each subscription

We loop through each subscription, set the context to the current subscription, and retrieve the role eligibility schedules.

foreach ($Subscription in $Subscriptions)
{
    $Scope = $Subscription.Id
    Set-AzContext -Subscription $Scope | Out-Null
    # Eligibility schedules are returned for the subscription scope and everything below it
    $RoleEligibilitySchedules = Get-AzRoleEligibilitySchedule -Scope "/subscriptions/$Scope"

    $EligibleAzureUserData += $RoleEligibilitySchedules
}

This section gathers the role eligibility schedules from every active subscription. Note that these are Privileged Identity Management (PIM) eligible assignments, which a principal must activate before the permissions take effect; permanently active role assignments are not returned by this cmdlet.

Displaying results in Grid View

We select specific properties from the eligible Azure role assignments and display them in a grid view for easy viewing.

$EligibleAzureUserData | Select-Object PrincipalDisplayName, PrincipalEmail, PrincipalId, ScopeDisplayName, RoleDefinitionDisplayName | Out-GridView

This command provides a user-friendly interface to review the collected data.

Export results to CSV (Optional)

Optionally, you can export the results to a CSV file for further analysis or record-keeping. Uncomment the lines and specify the desired file path to save the data.

# Export to CSV (uncomment and change $Path if needed)
#$Path = "C:\Temp\Azure-Get-Eligible-Role-Assignments.csv"
#$EligibleAzureUserData | Select-Object PrincipalDisplayName, PrincipalEmail, PrincipalId, ScopeDisplayName, RoleDefinitionDisplayName | Export-Csv -Path $Path -NoTypeInformation

This step is useful for creating reports or sharing the data with other team members.
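Once the schedules are collected, the next question is which of them deserve attention. The following audit pass is an added example, not part of the original post or the azure365addict script: it flags eligible assignments for high-privilege roles, at subscription scope, with no expiry, or granted to groups (whose membership this list does not show). The function name Find-RiskyEligibleAssignment and the role watch list are hypothetical, and the code assumes the schedule objects expose Scope, PrincipalType and EndDateTime as the Get-AzRoleEligibilitySchedule output does.

```powershell
# Added audit helper (not from the original script). Flags eligible assignments that
# warrant review: high-privilege roles, subscription-wide scope, permanent eligibility
# (no EndDateTime) and group principals. Assumes Scope, PrincipalType and EndDateTime
# are present on the objects, as in Get-AzRoleEligibilitySchedule output.
function Find-RiskyEligibleAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Schedules,
        # Constructed watch list; adjust to your own policy.
        [string[]] $HighPrivilegeRoles = @('Owner', 'User Access Administrator', 'Contributor')
    )
    foreach ($s in $Schedules) {
        $findings = @()
        if ($s.RoleDefinitionDisplayName -in $HighPrivilegeRoles) { $findings += 'HighPrivilegeRole' }
        # Exactly "/subscriptions/<id>" means the whole subscription, not a resource group or resource
        if ($s.Scope -match '^/subscriptions/[^/]+$') { $findings += 'SubscriptionScope' }
        if (-not $s.EndDateTime) { $findings += 'NoExpiry' }
        if ($s.PrincipalType -eq 'Group') { $findings += 'GroupPrincipal' }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Principal     = $s.PrincipalDisplayName
                PrincipalType = $s.PrincipalType
                Role          = $s.RoleDefinitionDisplayName
                Scope         = $s.ScopeDisplayName
                EndDateTime   = $s.EndDateTime
                Findings      = ($findings -join ',')
            }
        }
    }
}

# Constructed sample rows so the function can be tried without an Azure session;
# in the real script pass $EligibleAzureUserData instead.
$Sample = @(
    [pscustomobject]@{ PrincipalDisplayName = 'Alice'; PrincipalType = 'User'
                       RoleDefinitionDisplayName = 'Reader'; ScopeDisplayName = 'rg-app'
                       Scope = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app'
                       EndDateTime = (Get-Date).AddMonths(6) },
    [pscustomobject]@{ PrincipalDisplayName = 'Cloud Admins'; PrincipalType = 'Group'
                       RoleDefinitionDisplayName = 'Owner'; ScopeDisplayName = 'Production'
                       Scope = '/subscriptions/00000000-0000-0000-0000-000000000000'
                       EndDateTime = $null }
)
Find-RiskyEligibleAssignment -Schedules $Sample | Format-Table -AutoSize
```

With the sample data only the group row is reported; on real data, pipe the output to Export-Csv in the same way as the full list above to keep a record of what was reviewed.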

Conclusion

In this blog post, we’ve walked through a PowerShell script that helps you audit Azure role assignments by retrieving eligible role assignments across your subscriptions. This script is a valuable tool for administrators looking to maintain a secure and well-organized Azure environment.

Script Source

As always, the complete script is available for download on the azure365addict GitHub. Feel free to customize the script to fit your specific needs and improve your role assignment review processes. If you have any questions or need further assistance, feel free to reach out!

Happy scripting!
