How to get a list of all role assignments using the RBAC API

Question

How to get a list of all role assignments using the RBAC API

The GET request I make in the API below

https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleAssignments?api-version=2017-10-01-preview

which gives me below response format

{
            "properties": {
                "roleDefinitionId": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
                "principalId": "fdef6f38-b48f-4358-8482-b243ea935082",
                "principalType": "User",
                "scope": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/resourceGroups/GE-RGrp-Kentico",
                "createdOn": "2017-08-21T11:38:53.7973201Z",
                "updatedOn": "2017-08-21T11:38:53.7973201Z",
                "createdBy": "f418e9e8-becc-41d8-ab47-66a4c50403b5",
                "updatedBy": "f418e9e8-becc-41d8-ab47-66a4c50403b5"
            },
            "id": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/resourceGroups/GE-RGrp-Kentico/providers/Microsoft.Authorization/roleAssignments/5e6caac9-c5fd-42f0-86c6-9e96b127be51",
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "5e6caac9-c5fd-42f0-86c6-9e96b127be51"
        }

But when I make a CLI call, I get below response using

> az  role assignment list

{
    "id": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleAssignments/4096c146-b6f8-4f92-a700-a47742a5b321",
    "name": "4096c146-b6f8-4f92-a700-a47742a5b321",
    "properties": {
      "additionalProperties": {
        "createdBy": "c2024d65-cf17-45fd-b34b-09cd5c21cac7",
        "createdOn": "2017-11-07T22:03:12.4998370Z",
        "updatedBy": "c2024d65-cf17-45fd-b34b-09cd5c21cac7",
        "updatedOn": "2017-11-07T22:03:12.4998370Z"
      },
      "principalId": "780925c0-a487-4529-9eb2-837aa67a4d8a",
      "principalName": "xcavanap@genesisenergy.co.nz",
      "roleDefinitionId": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
      "roleDefinitionName": "Security Admin",
      "scope": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31"
    },

the above answer has

"roleDefinitionName": "Security Admin"

but I want to get the same answer via API, please help !!

+6

api rbac azure azure-active-directory

shab Jan 31 '18 at 3:17

source share

2 answers

Andy Shen · Answer 1 · 2018-02-04T22:27:53+0000

To get the role definition name, you need to make separate REST API calls and then make a client-side connection.

If you start network capture while the Azure PowerShell or Azure CLI is running, directly accessing the REST API calls is simple.

Role List Assignment

GET https://management.azure.com/subscriptions/ {subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01

:

"value": [
    {
        "properties": {
            "roleDefinitionId": "/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleDefinitions/<roleDefinitionId>",
            "principalId": "<principalId>",
            "scope": "/subscriptions/<subscriptionId>",
            "createdOn": "2017-02-03T07:55:59.6345664Z",
            "updatedOn": "2017-02-03T07:55:59.6345664Z",
            "createdBy": "7c728184-cd9e-47ad-b72f-e7ac40b80624",
            "updatedBy": "7c728184-cd9e-47ad-b72f-e7ac40b80624"
        },
        "id": "/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleAssignments/ea667734-e984-4726-bf0b-2116aaaedfde",
        "type": "Microsoft.Authorization/roleAssignments",
        "name": "ea667734-e984-4726-bf0b-2116aaaedfde"
    },

GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions? $filter = atScopeAndBelow() & api-version = 2015-07-01

:

    {
        "properties": {
            "roleName": "Contributor",
            "type": "BuiltInRole",
            "description": "Lets you manage everything except access to resources.",
            "assignableScopes": [
                "/"
            ],
            "permissions": [
                {
                    "actions": [
                        "*"
                    ],
                    "notActions": [
                        "Microsoft.Authorization/*/Delete",
                        "Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/elevateAccess/Action"
                    ]
                }
            ],
            "createdOn": "0001-01-01T08:00:00.0000000Z",
            "updatedOn": "2016-12-14T02:04:45.1393855Z",
            "createdBy": null,
            "updatedBy": null
        },
        "id": "/providers/Microsoft.Authorization/roleDefinitions/<roleDefinitionId>",
        "type": "Microsoft.Authorization/roleDefinitions",
        "name": "<roleDefinitionId>"
    },

AAD -

POST https://graph.windows.net//getObjectsByObjectIds?api-version=1.6

{
  "objectIds": [
    "<objectId1>",
    "<objectId2>",
    ...
  ],
  "includeDirectoryObjectReferences": true
}

Tom Sun · Answer 2 · 2018-01-31T06:46:27+0000

- REST API, roleDefinitionName. feedback . roleDefinitionName, - Get By Id .

{
  "value": [
    {
      "properties": {
        "roleDefinitionId": "/subscriptions/subId/providers/Microsoft.Authorization/roleDefinitions/roledefinitionId",
        "principalId": "Pid",
        "scope": "/subscriptions/subId/resourcegroups/rgname"
      },
      "id": "/subscriptions/subId/resourcegroups/rgname/providers/Microsoft.Authorization/roleAssignments/roleassignmentId",
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "raId"
    }
  ]
}

Update:

, Role Assignments - List REST API roleDefinitionName mainName.

" " " - " API REST . objectId - mainId, - API REST

Update2:

, graph.windows.net manage.azure.com? ?

https://graph.windows.net #

string authority = "https://login.microsoftonline.com/{0}";
string graphResourceId = "https://graph.windows.net";
string tenantId = "tenantId";
string clientId = "clientId";
string secretKey = "secretKey";
authority = String.Format(authority, tenantId);
AuthenticationContext authContext = new AuthenticationContext(authority);
var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secretKey)).Result.AccessToken;

. [Read directory data] Windows Azure Active Directory

How to get a list of all role assignments using the RBAC API

More articles: