functions/Get-AzUserRoleAssignments.ps1
|
function Get-AzUserRoleAssignments { <# Gets all user role assignments in all subscriptions in the target tenant. Defines which Policy as Code (PAC) environment we are using, if omitted, the script prompts for a value. The values are read from `$DefinitionsRootFolder/global-settings.jsonc. Definitions folder path. Defaults to environment variable `$env:PAC_DEFINITIONS_FOLDER or './Definitions'. Output file name. Defaults to environment variable `$env:PAC_OUTPUT_FOLDER/Users/RoleAssignments.csv or './Outputs/Users/RoleAssignments.csv'. Set to false if used non-interactive .\Get-AzUserRoleAssignments.ps1 -PacEnvironmentSelector "dev" -DefinitionsRootFolder "C:\Src\Definitions" -OutputFolder "C:\Src\Outputs" -Interactive $true Gets all user role assignments in all subscriptions in the target tenant. .\Get-AzUserRoleAssignments.ps1 -Interactive $true Gets all user role assignments in all subscriptions in the target tenant. The script prompts for the PAC environment and uses the default definitions and output folders. #> [CmdletBinding()] param( [parameter(Mandatory = $false, HelpMessage = "Defines which Policy as Code (PAC) environment we are using, if omitted, the script prompts for a value. The values are read from `$DefinitionsRootFolder/global-settings.jsonc.", Position = 0)] [string] $PacEnvironmentSelector, [Parameter(Mandatory = $false, HelpMessage = "Definitions folder path. Defaults to environment variable `$env:PAC_DEFINITIONS_FOLDER or './Definitions'.")] [string]$DefinitionsRootFolder, [Parameter(Mandatory = $false, HelpMessage = "Output file name. Defaults to environment variable `$env:PAC_OUTPUT_FOLDER/Users/RoleAssignments.csv or './Outputs/Users/RoleAssignments.csv'.")] [string] $OutputFileName, [Parameter(Mandatory = $false, HelpMessage = "Set to false if used non-interactive")] [bool] $Interactive = $true ) # Dot Source Helper Scripts $InformationPreference = "Continue" Invoke-AzCli config set extension.use_dynamic_install=yes_without_prompt -SuppressOutput $pacEnvironment = Select-PacEnvironment $PacEnvironmentSelector -DefinitionsRootFolder $DefinitionsRootFolder -OutputFolder $OutputFolder -Interactive $Interactive $null = Set-AzCloudTenantSubscription -Cloud $pacEnvironment.cloud -TenantId $pacEnvironment.tenantId -subscriptionId $pacEnvironment.defaultSubscriptionId -Interactive $pacEnvironment.interactive $targetTenant = $environment.targetTenant if ($OutputFileName -eq "") { $OutputFileName = "$($environment.outputFolder)/Users/RoleAssignments.csv" } Write-Information "===================================================================================================" Write-Information "Processing" Write-Information "===================================================================================================" $subs = Get-AzSubscription -TenantId $targetTenant | Where-Object { $_.state -EQ "Enabled" } $assignments = @() foreach ($sub in $subs) { Set-AzContext -Subscription $sub.name Write-Output $sub.Name $assignments += Get-AzRoleAssignment | Where-Object { $_.ObjectType -eq "User" -and $_.Scope -notlike "*managementGroups*" } | Select-Object displayname, signinname, RoleDefinitionName, scope, @{ Name = 'Subscription' Expression = { $sub.Name } } } if ($OutputFileName) { if (-not (Test-Path $OutputFileName)) { New-Item $OutputFileName -Force } Export-Csv -Path $OutputFileName -NoTypeInformation } else { $assignments } } |