I have an Azure environment with multiple subscriptions and resources. My requirement is to have a functionality where if I pass a user name or SPN name, it gives me all azure resources (from management group to azure resource) where that user/spn has access to and what access it is (reader/ data reader etc).
Major catch is - I want PIM role assignments too. Is there a way to get it?
Options explored
https://learn.microsoft.com/en-us/rest/api/authorization/role-assignments but this gives role assignments per scope. I want per user/spn
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal it does not cover PIM assignments and gives assignments per subscription only
Azure Resource Graph Explorer - this does not cover role assignments at all
Apart from iterating through 50 subscriptions, fetching role assignments per scope and then comparing object id, is there any better way?
You can use the below Powershell Script to get the role-assignement for a Service Principal Name in multiple Subscriptions.
Connect-AzAccount
$tenantID = "yourTenantID"
$spn = "serviceprincipalname"
$user= Get-AzADUser -UserPrincipalName $spn
$subscriptions = Get-AzSubscription -TenantId $tenantID
#$subscriptions.Id
foreach ($subscription in $subscriptions) {
$set = Set-AzContext -Subscription $subscription
$set
$roleassignment= Get-AzRoleAssignment -ObjectId $user.Id
$roleassignment
}
Output:
Reference:
Install the Azure Az PowerShell module | Microsoft Docs
This might help you:
az role assignment list --all --assignee <Pricipal_ID>
https://learn.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-list
#Gjoshevski has shared a useful command, but you still need to loop through each subscription to list the role assignments on each subscription (if you have more than one in your tenant).
The following Azure CLI commands will do the job.
spID='<ObjectID here>' # ObjectID of an Applicatin or Service Principal
$tenantId='<TenantID here>'
az login --tenant 'Your Tenant'
$sub_ids=$(az account list --query id -o tsv)
foreach ($sub_id in $sub_ids) {
az account set --subscription $sub_id
"Subscription Name: $(az account show --query name)"
az role assignment list --all --assignee $spID --include-inherited --include-groups -o table
}
Note that the above is PowerShell syntax but is using Aure CLI commands
Related
I have requirement to assign Azure Roles to multiple users on subscription scope and Reader role to Managed Identity-Storage Account.
1.Assign Azure RBAC roles to multiple users
2.Assign system assigned managed identity to existing Virtual Machine, Role Reader
Here is the script.
$vm-(Get-Azum-ResourceGroupName <Resourcegrpupname> -Name <VMName>),identity.principalid
New-AzRoleAssignment -Objectid <Objectid> -RoleDefinitionName "Reader" -Scope "/subscriptions/<Id>/resourceGroups/VResourcregroup Name>/providers/Microsoft.Storage/StoragrAccounts/<storageaccoumt>
New-AzRoleAssignment -ObjectId <ID> -RoleDefinationName <RBACRule> -Scope '/Subscription/<I'D>`
`
Script is working,butneed to assign same roles to multiple users.
Assign Azure RBAC roles to multiple users":
To assign roles to multiple users at the same time, simply form a group by adding users who need the "reader" role assignments.
Created a group under AzureAD -> Groups:
new-azroleassignment -objectID <ObjectId of group> -Roledefinitionname "Reader" -scope "/subscriptions/<subscriptionID>/resourceGroups/xxxxRG/..." #Give scope of the resource as per the requirements.
Output:
Assign system assigned managed identity to existing Virtual Machine:
Previously, System assigned identity status is Off:
If not for any particular roles, You can directly update VM configurations/identities by using below commands:
$vminfo = Get-AzVM -ResourceGroupName xxxxxxRG -Name xxxxVM
Update-AzVM -ResourceGroupName xxxxxxRG -VM $vminfo -IdentityType SystemAssigned
System assigned identity status is "ON" now:
Assign system assigned managed identity to existing Virtual Machine, Role Reader:
Using PowerShell, you may configure identities for the appropriate app roles under App services. To work with VMs, use AzCLI command
az vm identity to assign the system-assigned identity as shown here:
az vm identity assign -g xxxxResourceGroup -n xxxxVirtualMachineName --role Reader --scope /subscriptions/<subscriptionID>/resourceGroups/xxxxRG
Assigned:
Updated:
Assigning 'reader' role from VM managed identity to access a storage account:
SID=$(az resource list -n newVM --query [*].identity.principalId --out tsv)
az role assignment create --assignee $SID --role 'Reader' --scope /subscriptions/<subscriptionID>/resourceGroups/xxxxRG/providers/Microsoft.Storage/storageAccounts/<storageaccount>
Assigning Azure RBAC roles with scope as storage account:
new-azroleassignment -objectID <ObjectId of group> -Roledefinitionname "Reader" -scope "/subscriptions/<subscriptionID>/resourceGroups/xxxxRG/providers/Microsoft.Storage/storageAccounts/<storageaccount>
I am trying to automate the creation of certain azure resources via an Azure PowerShell script that is triggered from an Azure DevOps release pipeline. I want to create a function app, and automatically integrate reading right access to secrets in an already existing Key Vault. This Key Vault is in the same Azure subscription.
While I can create most resources following the documentation, there seems to be a lack of documentation regarding the creation of certain resources using Azure PowerShell (or I can't find it).
If I follow the sample from this link, I can accomplish it without a problem by using the UI in the Azure Portal, but I can't find any documentation on Microsoft Docs to do it using PowerShell.
Write-Host "Creating Function App..."
$fnApp = New-AzFunctionApp -Name $functionAppName `
-ResourceGroupName $emailFunctionRg `
-Location "$(AzureRegion)" `
-StorageAccount $storageName `
-Runtime dotnet `
-FunctionsVersion '3' `
-IdentityType SystemAssigned
Write-Host "Function App created!"
Write-Host "Assigning Key Vault access..."
$appId = Get-AzADServicePrincipal -DisplayName $functionAppName
Set-AzKeyVaultAccessPolicy -VaultName EmailSettings -ServicePrincipalName $appId -PermissionsToSecrets Get,List
Write-Host "Key Vault access granted!"
Running Set-AzKeyVaultAccessPolicy fails with "Insufficient privileges to complete the operation.". But I am not sure if this is the right path to follow, it was just a guess, based on the available functions in the documentation.
Any ideas?
Two potential issues to check out here:
your app creation assigns the result to $fnApp. perhaps $fnApp or as commented above, $fnApp.ApplicationId is what you should be using for the -ServicePrincipalName parameter on the access policy grant.
you don't have privileges to assign RBAC roles. Go to the Key Vault, choose Access Control, then click the Role Assignments tab and verify that your user appears in the list as an Administrator, User Access Administrator, or Owner.
Edit: With respect to the RBAC privilege, since this is running in Azure Powershell from Azure DevOps, you need to check the role assignment for the Service Connection's service principal - under Azure Active Directory in the Azure Portal, look up the principal used to create the service connection, and make sure THAT gets the correct Role on the key vault.
After a little of trial and error I just came to the conclusion I was not using the right parameter for the Set-AzKeyVaultAccessPolicy cmdlet.
The following script will work (if the service principle running it has the appropriate role, like WaitingForGuacamole mentioned in his/her answer):
Write-Host "Creating Function App..."
$fnApp = New-AzFunctionApp -Name <FnAppName> `
-ResourceGroupName <ResourceGroupName> `
-Location <AzureRegion> `
-StorageAccount <StorageAccount> `
-Runtime dotnet `
-FunctionsVersion '3' `
-IdentityType SystemAssigned
Write-Host "Function App created!"
Write-Host "Assigning Key Vault access..."
Set-AzKeyVaultAccessPolicy -VaultName <NameOfTheKeyVault> -ObjectId (Get-AzADServicePrincipal -DisplayName <FnAppName>).Id -PermissionsToSecrets <Get, List, etc...>
Write-Host "Key Vault access granted!"
Using Powershell in an Azure DevOps pipeline, I am trying to assign the key vault's principal the role Storage Account Key Operator Service Role to a storage account.
Command Line
The command line is run after I connected Azure with the service principal:
$credentials = New-Object -TypeName System.Management.Automation.PSCredential($servicePrincipalApplicationId, $clientSecret)
Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant $tenantId
Here is the command line that I execute :
New-AzRoleAssignment -ApplicationId $keyVaultServicePrincipalId -ResourceGroupName $resourceGroupName -ResourceName $storageAccountName -ResourceType "Microsoft.Storage/storageAccounts" -RoleDefinitionName "Storage Account Key Operator Service Role"
Where:
$keyVaultServicePrincipalId is the pre-registered principal ID for Key Vault. Its value is cfa8b339-82a2-471a-a3c9-0fc0be7a4093.
$resourceGroupName is the name of the resource group in which the storage is located. Its value is accountsmanager-test-global-rg.
$storageAccountName is the name of my storage account. Its value is accountsmanagertest.
Service Principal
Here are the permission of the service principal under which the command is run:
The command is run as a Service Principal that has the Owner role in the subscription:
The resource group created in that subscription is also owned by that Service Principal:
Question
When I run the command, I get the following error:
New-AzRoleAssignment: The provided information does not map to an AD object id.
Why do I get the error The provided information does not map to an AD object id. when executing the command New-AzRoleAssignment?
I can also reproduce this on my side, there are two issues.
1.In your command, the ResourceType should be Microsoft.Storage/storageAccounts, not Microsoft.Storage/storageAccount.
2.In the API permission of your AD App related to the service principal used in the DevOps servcie connection, you need to add the Application permission Directory.Read.All in Azure Active Directory Graph, not Microsoft Graph.
After a while to take effect, it will work fine.
I have a container created by someone and I'm using it load the data. In the manage access tab I see my user name and also $superuser(Owner) and $superuser(Owning Group) with different level of ACLs set.
How to find who is the superuser for that container? I tried Get Properties API but still seeing the response as $superuser
You could use the Az powershell command to get $superuser(Owner), it returns the Object ID of the Owner, which could be a user, group, service principal in Azure AD.
Connect-AzAccount
$storageAccount = Get-AzStorageAccount -ResourceGroupName <group-name> -AccountName <storage-account-name>
$ctx = $storageAccount.Context
$filesystemName = "<container-name>"
$filesystem = Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystemName
$filesystem.Owner
If you want to get the details of the Object ID, you could use the AzureAD command below.
Connect-AzureAD
Get-AzureADObjectByObjectId -ObjectIds $filesystem.Owner
Update:
Yes, you could use the azure cli command az storage blob directory access show, first you need to add the storage-preview extension.
az extension add -n storage-preview
az login
az storage blob directory access show -d '/' -c '<container-name>' --account-name '<account-name>'
It also returns the Object ID of the $superuser(Owner), but in azure cli, there is no built-in command to get the directory object with Object ID, you can get the details about the object with az ad user show, az ad sp show, az ad group show, you need to know the type of the object previously.
If you don't know the type of the object, you can just use az rest to call Microsoft Graph to get the details.
az rest --method get --uri https://graph.microsoft.com/v1.0/directoryObjects/<Object ID>
like to know all the sites in Azure that are currently associated to our Azure Tenant includes full URL,azure web apps,azure SQL,Storage accounts,Datalake,Cosmosdb,container registries
Tried Get-AzureADTenantDetail and also az resource list but not able find it
Any Powershell script will help
You can use
Azure CLI
az resource list
Powershell
Get-AzureRmResource
You can use Get-AzureRmResource to get the list of resources in an Azure Subscription. By default this Cmdlet will list all resources in an Azure Subscription. To get a list of certain resource types, you can specify an OData filter query.
For example, the Cmdlet below will list all storage accounts and webapps in an Azure Subscription:
Get-AzureRmResource -ODataQuery "ResourceType eq 'Microsoft.Storage/storageAccounts' or ResourceType eq 'Microsoft.Web/sites'" | ft
You will need to find the proper resource type values for each kind of resource that you want to find.
Another thing to notice is that this Cmdlet is scoped to a single Azure Subscription. If your Azure Tenant serves as authentication/authorization source for multiple subscriptions, you would need to run this Cmdlet for each subscription separately.
If you have multiple tenants, you can switch between tenants and get resources within them (subscription by subscription) via
connect-azaccount -Tenant [different tenant id]
$context = Get-AzSubscription [subscriptionid in different tenant id]
set-azcontext $context
get-azresource > resources.tenantname.subcription.txt
where tenantname and subscription are the names of the tenant and subscription in english form (instead of id's).
you should probably not use those azurerm commands anymore, they will stop working sometime in 2024. use the az equivalents (basically replace azurerm with az (yeah, i could delete urerm but that seems weirder!))