In our current azure tenant we have 100's of subscriptions, user access is managed by azure AAD groups.
How can i view roles assigned to a group, Assume 1 group had access to only 1 subscription out of 100 subscriptions then from portal i need to select each and every subscription in group Azure role assignment page.
I wonder is there any direct way to fetch using powershell?
Thanks
dev
Usually we use the Get-AzRoleAssignment command to list all the role assignments that are valid on the scope. If no parameters are specified, this command will return all the role assignments made under the subscription.
For your problem, you want to use a security group to filter this list, just use the Azure AD group ObjectId parameter:
Get-AzRoleAssignment -ObjectId <your group objectid>
In MS Graph API docs there is List appRoleAssignments granted to a group : https://learn.microsoft.com/en-US/graph/api/group-list-approleassignments?view=graph-rest-1.0&tabs=http
Test it under MS Graph
You can use Microsoft Graph PowerShell SDK https://github.com/microsoftgraph/msgraph-sdk-powershell
Here are samples code - for example for fetching groups:
https://github.com/microsoftgraph/msgraph-sdk-powershell/tree/dev/samples
Related
I have over 50 Azure subscriptions under same tenant. I have created a service-principal under Azure active directory and provided the service principal 'reader' role to each subscriptions. When I make an API call from Postman I get all subscription ids but my concern is I am giving 'READ' access to all my resources on different subscriptions. I want to limit this service-principal will ONLY be able to list the subscription ids and nothing else.
I want to limit this service-principal will ONLY be able to list the
subscription ids and nothing else.
With "Reader" role, a user would be able to read all resources inside a subscription and not just subscription id.
I believe the solution to your problem is to create a custom role (let's call it SubscriptionPropertiesReader) and then give only the permission to perform read operation just at the subscription level. Based on the information provided here, I believe the permission you would want to include in this role is Microsoft.Resources/subscriptions/read.
The challenge obviously will be to create this custom role in each and every subscription and then assigning this role to your Service Principal in each subscription.
Is there a way I can fetch all users currently assigned permissions to each resource created under a subscription.
To put in other words, I want to traverse all the resources created under a subscription & get the list of all users, service principal names, SGs, AAD groups, along with their role who have access to each resource. This report would help me perform a periodic user access review .
Any leads/code would be appreciated.
You could simply get that with the powershell command Get-AzRoleAssignment.
Without any parameter, Get-AzRoleAssignment will get all the role assignments in the subscription, you can also leverage different parameters e.g. -ObjectId, -Scope to list assignments to a specific user/service principal/security group, or to list assignments on a specific resource group or resource.
For more details, see https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-powershell
Same thing also can be achieved by the REST API, Azure CLI, and SDK of different languages.
Rest API to know whether Foreign Principle (IAM) is assigned to a Tenant or Subscription in Azure
if you want to directly call the REST API from code, use the Microsoft.Authorization/roleAssignments REST API.
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version=2018-01-01-previe
If you want to check if the Foreign principal was added to your subscription, you could not do that via only one REST API.
The Role Assignments - List will list all the role assignments in your subscription, but it just returns them as Ids, the Foreign principal is a group named Foreign Principal for 'CSPPartnerName' in role 'TenantAdmins' (CSPCustomer Directory), it is not visible in your Azure AD in the portal, so it is difficult to get the ObjectId of the group to know which one is the Foreign principal.
Actually, to check if the Foreign principal was added, the easiest way is to use azure powershell Get-AzRoleAssignment .
Get-AzRoleAssignment | Where-Object {$_.DisplayName -like 'Foreign*'}
If you just want to use REST APIs, you could use the tool like Fiddler to catch the request of the command. You will find it call the Role Assignments - List and getObjectsByObjectIds.
I need to sync members of a particular Azure AD group as the owner to all other AD groups using PowerShell. Currently, I understand we cannot add an AD group as the owner to other AD groups. Please help me with a workaround so that I can fetch users from an AD group and add the members of that group as owners of all other AD groups.
This is just a design idea.
Use Get-AzureADGroupMember -ALL 1 to get the list of all members of an Azure AD group: List 1. See Get-AzureADGroupMember.
Use Get-AzureADGroup -ALL 1 to get a list of all Azure AD groups: List 2. See Get-AzureADGroup.
Exclude the particular Azure AD group from List 2: List 3.
Loop through List 1 and List 3: Add the member of List 1 as the owner to member of List 3 by using Add-AzureADGroupOwner -ObjectId {objectId} -RefObjectId {refObjectId}. See Add-AzureADGroupOwner.
I can add normal SharePoint Group to SharePoint using below HTTP request
https://imfdevdm.sharepoint.com/sites/SiteName/_api/web/lists/getByTitle('Sample Library')/items(1)/roleassignments/addroleassignment(principalid=12, roledefid=1073741827)
Similarly is there a method to add an Azure AD Group??
There is no initial principal Id for a AAD Group initially. If an AAD group is already added manually to SharePoint, then for that Group, a principal ID is generated. Else, we can't find a principal Id for the AAD Group.
If a principal Id was present, the same above HTTP request was enough to add role assignments.
Any help is appreciated. Thanks.
Updated:
I think this is not possible. The usual procedure is to add AAD Group to a SharePoint Group and then add it to SharePoint Sites/Lists
You can do this either through the Azure Portal or the O365 portal. I don't think it's possible to do this via HTTP requests and you're right that the recommended procedure is to create the Group in Azure AD and then assign it to SharePoint. You can also do this through Powershell but unless your creating a ton at once the portal is the easiest way.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial