Update: the script has been updated to support the Azure Az PowerShell module (it originally targeted the older AzureRM module).
Azure Role Based Access Control (RBAC) lets us manage who has access to Azure resources, what they can do with those resources, and which scopes (management group, subscription, resource group or individual resource) that access applies to.
It provides fine-grained access management of Azure resources. Refer to the Azure RBAC documentation for more information.
It is very common in any controlled IT environment to have some sort of audit of access management, to determine whether the right people hold the right level of access to resources, and nothing more.
I wrote the following script to produce a quick report of the Azure RBAC configuration as implemented in the tenant. It generates a CSV file with one row per role definition: the role name, its access details (Actions, NotActions, DataActions, NotDataActions), its assignable scopes, and the display names of the principals assigned to it. Note that Get-AzRoleDefinition and Get-AzRoleAssignment work against the subscription selected in the current Az context, so the report covers one subscription per run.
Before you start using this script, make sure the Azure Az module is installed and imported on the system. For more information on how to install and configure the Az module, refer to the following article: https://docs.microsoft.com/en-us/powershell/azure/new-azureps-module-az?view=azps-5.5.0
$currentDir = (Get-Location).Path
$oFile = "$currentDir\AzureRBAC_Details.csv"
if (Test-Path $oFile) {
    Remove-Item $oFile -Force
}

# One row per role definition in the current subscription context.
# Export-Csv writes the column header itself, so no hand-written header line is needed.
$allObjects = foreach ($role in Get-AzRoleDefinition) {
    Write-Host "Processing Role : $($role.Name)"

    # Display names of every principal (user, group, service principal) that holds this role
    # at a scope visible from the current subscription.
    $associatedEntity = (Get-AzRoleAssignment -RoleDefinitionName $role.Name |
        ForEach-Object { $_.DisplayName }) -join ";"

    [PSCustomObject]@{
        roleName         = $role.Name
        roleDescription  = $role.Description
        IsCustom         = $role.IsCustom
        actions          = $role.Actions -join " ; "
        NotActions       = $role.NotActions -join " ; "
        dataActions      = $role.DataActions -join " ; "
        notDataActions   = $role.NotDataActions -join " ; "
        AssignableScopes = $role.AssignableScopes -join " ; "
        associatedEntity = $associatedEntity
    }
}

# UTF8 keeps non-ASCII display names intact; ASCII encoding would replace them with "?".
$allObjects | Export-Csv $oFile -NoTypeInformation -Encoding UTF8
Save the script above with a .ps1 file extension. Open a PowerShell console and sign in to your Azure account with Connect-AzAccount (Login-AzAccount still works as an alias). It will prompt you for your Azure credentials.
After you have signed in, select the subscription you want to audit with Set-AzContext -Subscription <subscription id or name>, then run the script saved in the previous step. Repeat for each subscription in the tenant, since role assignments are read from the current subscription's scope.
The result is a CSV file with one row per role definition; the associatedEntity column lists the principals that currently hold that role.
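The script above reports per role definition, which answers "who holds this role" but not "at which scope, as what kind of principal, and is anything dangerous". As an added example that is not part of the original post, the following companion script walks every enabled subscription the signed-in account can see, reads role definitions and assignments once per subscription, and writes one row per assignment with three review flags: orphaned assignments (the directory object was deleted, which Get-AzRoleAssignment reports as ObjectType "Unknown"), high-privilege built-in roles granted at subscription, management-group or root scope, and custom roles whose Actions contain the wildcard "*". The output file name and the list of roles treated as high-privilege are my own choices, not Azure definitions, and the script assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has already been run.

```powershell
# Added example, not the original script. Assumes Az.Accounts + Az.Resources are
# installed and Connect-AzAccount has been run. Output path and the
# $highPrivilegeRoles list are assumptions chosen for this example.

if (-not (Get-AzContext)) { throw "No Azure context. Run Connect-AzAccount first." }

# Built-in roles whose assignment at a broad scope deserves a second look (assumption).
$highPrivilegeRoles = @('Owner', 'Contributor', 'User Access Administrator')

$report = foreach ($sub in Get-AzSubscription | Where-Object State -eq 'Enabled') {
    # Assignments and custom roles are read from the selected subscription's scope.
    $null = Set-AzContext -Subscription $sub.Id -Tenant $sub.TenantId

    # Index role definitions by GUID so each assignment is resolved without another API call.
    $definitions = @{}
    foreach ($d in Get-AzRoleDefinition) { $definitions[$d.Id] = $d }

    foreach ($a in Get-AzRoleAssignment) {
        $def = $definitions[$a.RoleDefinitionId]

        # A custom role granting "*" in Actions is Owner-level control-plane access under another name.
        $wildcard = ($null -ne $def) -and $def.IsCustom -and ($def.Actions -contains '*')

        # Broad scope: the whole subscription, a management group, or the root scope "/".
        $broadScope = ($a.Scope -match '^/subscriptions/[^/]+$') -or
                      ($a.Scope -like '/providers/Microsoft.Management/managementGroups/*') -or
                      ($a.Scope -eq '/')

        [PSCustomObject]@{
            Subscription          = $sub.Name
            RoleName              = $a.RoleDefinitionName
            IsCustom              = if ($null -ne $def) { $def.IsCustom } else { $null }
            PrincipalName         = $a.DisplayName
            SignInName            = $a.SignInName
            ObjectType            = $a.ObjectType     # User, Group, ServicePrincipal, or Unknown
            ObjectId              = $a.ObjectId
            Scope                 = $a.Scope
            # Review flags:
            OrphanedPrincipal     = ($a.ObjectType -eq 'Unknown')   # principal deleted, assignment left behind
            HighPrivBroadScope    = $broadScope -and ($highPrivilegeRoles -contains $a.RoleDefinitionName)
            CustomWildcardActions = [bool]$wildcard
        }
    }
}

$outFile = Join-Path (Get-Location).Path 'AzureRBAC_Assignments.csv'   # assumed file name
$report | Sort-Object Subscription, Scope, RoleName |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Show only the rows a reviewer needs to act on.
$report |
    Where-Object { $_.OrphanedPrincipal -or $_.HighPrivBroadScope -or $_.CustomWildcardActions } |
    Format-Table Subscription, RoleName, PrincipalName, ObjectType, Scope,
                 OrphanedPrincipal, HighPrivBroadScope, CustomWildcardActions -AutoSize
```

Orphaned assignments are worth cleaning up with Remove-AzRoleAssignment because the ObjectId can be reused if a principal with the same identity is recreated. Assignments inherited from a management group appear in every child subscription, so the same row can show up once per subscription; the Scope column tells you where it was actually granted.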