Azure PowerShell, Azure RBAC (Role Based Access Control), Microsoft Azure

Export RBAC role assigned to users, groups of your AAD and list the group members

The following PowerShell script exports the RBAC role assignments in a subscription (users, groups and service principals) together with the members of each assigned group to a CSV file. Set the variables at the top for your tenant and subscription. Note that only active assignments are exported (PIM-eligible assignments are not), and group membership is expanded one level only, so access granted through nested groups is not fully shown.

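# Export every Azure RBAC role assignment visible in one subscription to a CSV,
# expanding each group principal to its direct members.
#
# Prerequisites: Az.Accounts + Az.Resources, and an existing session
# (Connect-AzAccount) whose identity can read role assignments at subscription
# scope and read groups and their members in Entra ID (Azure AD).
#
# Caveats when using this output as an access review:
#   - Get-AzRoleAssignment returns active assignments only. PIM-eligible
#     assignments are not included and need a separate review.
#   - Group membership is expanded one level only. A nested group is listed by
#     display name and object id rather than by a UPN, so effective access
#     through nested groups is understated.
#   - The CSV enumerates who holds which privileges; store and share it as
#     sensitive data.
#
# Set these two values for your environment.
$subscriptionId = "sub id"
$outputPath     = "C:\azure\RoleAssignmentDetails.csv"

# Stop early if the subscription cannot be resolved or the context cannot be
# set; otherwise Get-AzRoleAssignment would silently run against whatever
# subscription the session currently points at.
$subscriptions = Get-AzSubscription -SubscriptionId $subscriptionId -ErrorAction Stop
Write-Host "Fetching role assignments for subscription: $($subscriptions.Name)" -ForegroundColor Cyan
Set-AzContext -SubscriptionId $subscriptions.Id -ErrorAction Stop | Out-Null

# Rows are collected here and written once at the end, so re-running the script
# overwrites the file instead of appending duplicate rows to an old export.
$allRoleAssignments = @()

foreach ($assignment in Get-AzRoleAssignment) {
    # Az exposes the principal kind as ObjectType (User, Group, ServicePrincipal,
    # Unknown); the group branch below keys on that property, so the debug line
    # prints the same one.
    Write-Host "Checking role assignment for ObjectType: $($assignment.ObjectType), ObjectId: $($assignment.ObjectId)" -ForegroundColor Yellow

    # Defaults used for non-group principals and when the group lookup fails.
    $groupDisplayName = $assignment.DisplayName
    $groupMembers     = @()

    if ($assignment.ObjectType -eq "Group") {
        $groupId = $assignment.ObjectId
        try {
            Write-Host "Fetching group with ObjectId: $groupId" -ForegroundColor Yellow
            $group = Get-AzADGroup -ObjectId $groupId -ErrorAction Stop
            if ($group) { $groupDisplayName = $group.DisplayName }
            Write-Host "Group DisplayName: $groupDisplayName" -ForegroundColor Green

            $members = Get-AzADGroupMember -GroupObjectId $groupId -ErrorAction Stop
            if ($members) {
                # Users are recorded by UPN. Members without a UPN (nested
                # groups, service principals) are recorded by display name and
                # object id instead of silently becoming an empty entry.
                # NOTE(review): assumes member objects expose DisplayName and Id
                # — confirm against the installed Az.Resources version.
                $groupMembers = @($members | ForEach-Object {
                    if ($_.UserPrincipalName) { $_.UserPrincipalName }
                    else { "$($_.DisplayName) [$($_.Id)]" }
                })
            } else {
                Write-Host "No members found for group: $groupDisplayName" -ForegroundColor Yellow
            }
        } catch {
            # Inside catch, $_ is the error record, so the group id must come
            # from $groupId rather than from $_.ObjectId.
            Write-Host "Error fetching group members for group ID ${groupId}: $_" -ForegroundColor Red
        }
    }

    $allRoleAssignments += [PSCustomObject]@{
        SubscriptionName   = $subscriptions.Name
        SubscriptionId     = $subscriptions.Id
        PrincipalName      = $assignment.SignInName
        PrincipalType      = $assignment.ObjectType
        RoleDefinitionName = $assignment.RoleDefinitionName
        # Scope is where the role was granted; an assignment inherited from a
        # parent scope shows that parent scope here, not the subscription.
        Scope              = $assignment.Scope
        DisplayName        = $groupDisplayName
        GroupMembers       = $groupMembers -join ","   # one cell, comma-separated
    }
}

$allRoleAssignments | Export-Csv -Path $outputPath -NoTypeInformation
Write-Host "Exported $($allRoleAssignments.Count) role assignments to $outputPath" -ForegroundColor Cyan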
