Export Azure Resource Manager (ARM) Role Based Access Control (RBAC) Assignments

This script allows you to export the current Azure Resource Manager (ARM) Role Based Access Control (RBAC) permissions. It will loop through all subscriptions that you have access to and export the permissions. It will create an individual CSV file on the desktop per subscription. T

 
 
 
 
 
Windows Azure
5/8/2018


  • Convert from AzureRM to Az?
    10 Posts | Last post Tue 2:32 AM
    • Hi Ben, thanks for this script.  Any plans to convert this from AzureRM to Az module?
    • I would just recommend adding this to your profile then the existing script will work.
      
      Enable-AzureRMAlias
      
      you can also just add that line to the top of the script.
    • also just remove the #requires lines at the top
    • Hi Ben. Great and very useful script. However, it doesn't seem to switch to the next subscription in the loop. It looks like it sets a new context, but it produces a CSV with the same role assignments for every subscription. Any idea why?
    • It should have a different file (output) for each subscription ?
    • I am not sure if your subscription names might be the same, or if you may need to choose a different property to name the file, etc.?
    • Yes, it nicely outputs into different CSV files, but they all have identical RBAC roles, however with different names and subscription IDs. Weird?
      Every sub is named differently.
      I looked into property but can't find anything.
      I rewrote the code to Az modules and also used the original RM with Alias, but no luck :(
      Wonder if there is something to do with actual Select-AzSubscription properties?
      
      Get-AzSubscription | foreach-object {
      
          Write-Verbose -Message "Changing to Subscription $($_.Name)" -Verbose
      
          Select-AzSubscription -TenantId $_.TenantId -Name $_.Id -Force
          $Name     = $_.Name
          $TenantId = $_.TenantId
      
          Get-AzRoleAssignment -IncludeClassicAdministrators | Select-Object RoleDefinitionName,DisplayName,SignInName,ObjectType,Scope,
          @{name="TenantId";expression = {$TenantId}},@{name="SubscriptionName";expression = {$Name}} -OutVariable ra
      
          # Also export the individual subscriptions to excel documents on your Desktop.
          # One file per subscription
          $ra | Export-Csv -Path $home\Desktop\$Name.csv -NoTypeInformation
      
      }
    • hmm it sounds like it's not swapping subscriptions or something.
    • Fixed, I needed to select the correct subscription property, which seems to have changed to SubscriptionId ;)
      
      So instead of this, as before:
      
      Select-AzSubscription -TenantId $_.TenantId -Name $_.Id -Force
      
      now it should be and work like a charm ;)
      
      Set-AzContext -TenantId $_.TenantId -SubscriptionId $_.Id -Force
      
    • perfect, nice job and thanks for the follow up.
  • Use as Azure runbook
    2 Posts | Last post February 22, 2018
    • Hi. Found this script via the Azure portal runbook gallery. It errors when running as a runbook (login errors), but works as a stand alone script. Is this supposed to work as a runbook or have I misunderstood?
      Thanks
    • This is not specifically designed to be a runbook. However, you can run any script as a PowerShell runbook.
      
      Use the test scripts (that are created in the runbooks section) to get the code that allows you to authenticate against Azure using the service principal. Then you could put that at the top of any script to authenticate.
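
The following is an added example, not the gallery script or any poster's code. It shows the per-subscription export loop from the "Convert from AzureRM to Az?" thread with the Set-AzContext fix applied, plus a check that the context really changed before anything is written, so a failed switch cannot silently produce identical CSVs under different names. It assumes the Az.Accounts and Az.Resources modules and an already authenticated session; $OutDir and the file naming scheme are hypothetical choices.

```powershell
# Added example: assumes Az.Accounts / Az.Resources and an existing
# Connect-AzAccount session. $OutDir is a hypothetical parameter.
param(
    [string]$OutDir = (Join-Path $HOME 'Desktop')
)

$ErrorActionPreference = 'Stop'
$invalid = [IO.Path]::GetInvalidFileNameChars()

foreach ($sub in Get-AzSubscription) {
    Write-Verbose -Message "Changing to subscription $($sub.Name)" -Verbose

    # Switch by subscription ID, as in the fix from the thread.
    $null = Set-AzContext -TenantId $sub.TenantId -SubscriptionId $sub.Id -Force

    # Guard against the failure mode from the thread: if the active context
    # is not the subscription we asked for, skip it instead of exporting
    # another subscription's assignments under this subscription's name.
    $active = (Get-AzContext).Subscription.Id
    if ($active -ne $sub.Id) {
        Write-Warning "Context is $active, expected $($sub.Id); skipping $($sub.Name)"
        continue
    }

    # Record the subscription ID in every row so exported files can be
    # checked against each other after the run.
    $ra = Get-AzRoleAssignment -IncludeClassicAdministrators |
        Select-Object RoleDefinitionName, DisplayName, SignInName, ObjectType, Scope,
            @{ Name = 'TenantId';         Expression = { $sub.TenantId } },
            @{ Name = 'SubscriptionId';   Expression = { $sub.Id } },
            @{ Name = 'SubscriptionName'; Expression = { $sub.Name } }

    # Subscription names can contain characters that are invalid in file
    # names; replace them and append the ID so two files cannot collide.
    $safeName = -join ($sub.Name.ToCharArray() | ForEach-Object {
        if ($invalid -contains $_) { '_' } else { $_ }
    })
    $path = Join-Path $OutDir "$safeName-$($sub.Id).csv"

    $ra | Export-Csv -Path $path -NoTypeInformation
}
```

Comparing the Scope and SubscriptionId columns across the resulting files is a quick way to confirm that each export came from a different subscription.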