Get-AzRoleAssignment
Lists Azure RBAC role assignments at the specified scope.
By default it lists all role assignments in the selected Azure subscription.
Use respective parameters to list assignments to a specific user, or to list assignments on a specific resource group or resource.
The cmdlet may call below Microsoft Graph API according to input parameters:
GET /users/{id}
GET /servicePrincipals/{id}
GET /groups/{id}
GET /directoryObjects/{id}
POST /directoryObjects/getByIds
Please notice that this cmdlet will mark ObjectType as Unknown in output if the object of role assignment is not found or current account has insufficient privileges to get object type.
Syntax
EmptyParameterSet (Default)
Get-AzRoleAssignment
[-RoleDefinitionName <String>]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ObjectIdParameterSet
Get-AzRoleAssignment
-ObjectId <String>
[-RoleDefinitionName <String>]
[-ExpandPrincipalGroups]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceGroupWithObjectIdParameterSet
Get-AzRoleAssignment
-ObjectId <String>
-ResourceGroupName <String>
[-RoleDefinitionName <String>]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceWithObjectIdParameterSet
Get-AzRoleAssignment
-ObjectId <String>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
[-RoleDefinitionName <String>]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ScopeWithObjectIdParameterSet
Get-AzRoleAssignment
-ObjectId <String>
-Scope <String>
[-RoleDefinitionName <String>]
[-AtScope]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
RoleIdWithScopeAndObjectIdParameterSet
Get-AzRoleAssignment
-RoleDefinitionId <Guid>
[-ObjectId <String>]
[-Scope <String>]
[-AtScope]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceGroupWithSignInNameParameterSet
Get-AzRoleAssignment
-SignInName <String>
-ResourceGroupName <String>
[-RoleDefinitionName <String>]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceWithSignInNameParameterSet
Get-AzRoleAssignment
-SignInName <String>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
[-RoleDefinitionName <String>]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ScopeWithSignInNameParameterSet
Get-AzRoleAssignment
-SignInName <String>
-Scope <String>
[-RoleDefinitionName <String>]
[-AtScope]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
SignInNameParameterSet
Get-AzRoleAssignment
-SignInName <String>
[-RoleDefinitionName <String>]
[-ExpandPrincipalGroups]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceGroupWithSPNParameterSet
Get-AzRoleAssignment
-ServicePrincipalName <String>
-ResourceGroupName <String>
[-RoleDefinitionName <String>]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceWithSPNParameterSet
Get-AzRoleAssignment
-ServicePrincipalName <String>
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
[-RoleDefinitionName <String>]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ScopeWithSPNParameterSet
Get-AzRoleAssignment
-ServicePrincipalName <String>
-Scope <String>
[-RoleDefinitionName <String>]
[-AtScope]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
SPNParameterSet
Get-AzRoleAssignment
-ServicePrincipalName <String>
[-RoleDefinitionName <String>]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceGroupParameterSet
Get-AzRoleAssignment
-ResourceGroupName <String>
[-RoleDefinitionName <String>]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ResourceParameterSet
Get-AzRoleAssignment
-ResourceGroupName <String>
-ResourceName <String>
-ResourceType <String>
[-ParentResource <String>]
[-RoleDefinitionName <String>]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
ScopeParameterSet
Get-AzRoleAssignment
-Scope <String>
[-RoleDefinitionName <String>]
[-AtScope]
[-IncludeClassicAdministrators]
[-SkipClientSideScopeValidation]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
Description
Use the Get-AzRoleAssignment command to list all role assignments that are effective on a scope.
Without any parameters, this command returns all the role assignments made under the subscription.
This list can be filtered using filtering parameters for principal, role and scope.
The subject of the assignment must be specified.
To specify a user, use SignInName or Microsoft Entra ObjectId parameters.
To specify a security group, use Microsoft Entra ObjectId parameter.
And to specify a Microsoft Entra application, use ServicePrincipalName or ObjectId parameters.
The role that is being assigned must be specified using the RoleDefinitionName parameter.
The scope at which access is being granted may be specified.
It defaults to the selected subscription.
The scope of the assignment can be specified using one of the following parameter combinations
a.
Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId>.
This will filter assignments that are effective at that particular scope i.e.
all assignments at that scope and above.
b.
ResourceGroupName - Name of any resource group under the subscription.
This will filter assignments effective at the specified resource group
c.
ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - Identifies a particular resource under the subscription and will filter assignments effective at that resource scope.
To determine what access a particular user has in the subscription, use the ExpandPrincipalGroups switch.
This will list all roles assigned to the user, and to the groups that the user is member of.
Use the IncludeClassicAdministrators switch to also display the subscription admins and co-admins.
Examples
Example 1
Get-AzRoleAssignment
List all role assignments in the subscription
Example 2
Get-AzRoleAssignment -ResourceGroupName testRG -SignInName john.doe@contoso.com
Gets all role assignments made to user john.doe@contoso.com, and the groups of which he is member, at the testRG scope or above.
Example 3
Get-AzRoleAssignment -ServicePrincipalName "http://testapp1.com"
Gets all role assignments of the specified service principal
Example 4
Get-AzRoleAssignment -Scope "/subscriptions/96231a05-34ce-4eb4-aa6a-70759cbb5e83/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"
Gets role assignments at the 'site1' website scope.
Example 5
$ApplicationObject = Get-AzADServicePrincipal -DisplayName 'ApplicationDisplayName'
Get-AzRoleAssignment -ServicePrincipalName $ApplicationObject.AppId
Gets role assignments for the specified Service Principal using Get-AzAdServicePrincipal.
Parameters
-AtScope
If specified, lists role assignments for only the specified scope, not including the role assignments at subscopes.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ScopeWithObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
RoleIdWithScopeAndObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithSignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithSPNParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with azure
Parameter properties
Type: IAzureContextContainer
Default value: None Supports wildcards: False DontShow: False Aliases: AzContext, AzureRmContext, AzureCredential
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ExpandPrincipalGroups
If specified, returns roles directly assigned to the user and to the groups of which the user is a member (transitively).
Supported only for a user principal.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
SignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-IncludeClassicAdministrators
If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False
Parameter sets
EmptyParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceGroupWithObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceWithObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ScopeWithObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceGroupWithSignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceWithSignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ScopeWithSignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
SignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceGroupWithSPNParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceWithSPNParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ScopeWithSPNParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
SPNParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceGroupParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ResourceParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
ScopeParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ObjectId
The Microsoft Entra ObjectId of the User, Group or Service Principal.
Filters all assignments that are made to the specified principal.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False Aliases: Id, PrincipalId
Parameter sets
ObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceGroupWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ParentResource
The parent resource in the hierarchy of the resource specified using ResourceName parameter.
Must be used in conjunction with ResourceGroupName, ResourceType, and ResourceName parameters.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ResourceWithObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSPNParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ResourceGroupName
The resource group name.
Lists role assignments that are effective at the specified resource group.
When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ResourceGroupWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceGroupWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceGroupWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceGroupParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ResourceName
The resource name.
For e.g.
storageaccountprod.
Must be used in conjunction with ResourceGroupName, ResourceType, and (optionally)ParentResource parameters.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ResourceWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ResourceType
The resource type.
For e.g.
Microsoft.Network/virtualNetworks.
Must be used in conjunction with ResourceGroupName, ResourceName, and (optionally)ParentResource parameters.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ResourceWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-RoleDefinitionId
Id of the Role that is assigned to the principal.
Parameter properties
Type: Guid
Default value: None Supports wildcards: False DontShow: False
Parameter sets
RoleIdWithScopeAndObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-RoleDefinitionName
Role that is assigned to the principal i.e.
Reader, Contributor, Virtual Network Administrator, etc.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
EmptyParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceGroupWithObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithObjectIdParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceGroupWithSignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithSignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
SignInNameParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceGroupWithSPNParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSPNParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithSPNParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
SPNParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceGroupParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeParameterSet
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-Scope
The Scope of the role assignment.
In the format of relative URI.
For e.g.
/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG.
It must start with "/subscriptions/{id}".
The command filters all assignments that are effective at that scope.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
ScopeWithObjectIdParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ServicePrincipalName
The ServicePrincipalName of the service principal.
Filters all assignments that are made to the specified Microsoft Entra application.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False Aliases: SPN, ApplicationId
Parameter sets
ResourceGroupWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithSPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
SPNParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-SignInName
The email address or the user principal name of the user.
Filters all assignments that are made to the specified user.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False Aliases: Email, UserPrincipalName
Parameter sets
ResourceGroupWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ResourceWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
ScopeWithSignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
SignInNameParameterSet
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-SkipClientSideScopeValidation
If specified, skip client side scope validation.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters .
Outputs
Notes
Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment
