role assignments list for scope

Navigation Menu

Search code, repositories, users, issues, pull requests..., provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

• Notifications You must be signed in to change notification settings

role-assignments-list-rest.md

Latest commit, file metadata and controls, list azure role assignments using the rest api.

[!INCLUDE Azure RBAC definition list access ] This article describes how to list role assignments using the REST API.

If your organization has outsourced management functions to a service provider who uses Azure Lighthouse , role assignments authorized by that service provider won't be shown here. Similarly, users in the service provider tenant won't see role assignments for users in a customer's tenant, regardless of the role they've been assigned.

[!INCLUDE gdpr-dsr-and-stp-note ]

Prerequisites

You must use the following version:

• 2015-07-01 or later
• 2022-04-01 or later to include conditions

For more information, see API versions of Azure RBAC REST APIs .

List role assignments

In Azure RBAC, to list access, you list the role assignments. To list role assignments, use one of the Role Assignments Get or List REST APIs. To refine your results, you specify a scope and an optional filter.

Start with the following request:

Within the URI, replace {scope} with the scope for which you want to list the role assignments.

[!div class="mx-tableFixed"] Scope Type providers/Microsoft.Management/managementGroups/{groupId1} Management group subscriptions/{subscriptionId1} Subscription subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 Resource group subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 Resource

In the previous example, microsoft.web is a resource provider that refers to an App Service instance. Similarly, you can use any other resource providers and specify the scope. For more information, see Azure Resource providers and types and supported Azure resource provider operations .

Replace {filter} with the condition that you want to apply to filter the role assignment list.

[!div class="mx-tableFixed"] Filter Description $filter=atScope() Lists role assignments for only the specified scope, not including the role assignments at subscopes. $filter=assignedTo('{objectId}') Lists role assignments for a specified user or service principal. If the user is a member of a group that has a role assignment, that role assignment is also listed. This filter is transitive for groups which means that if the user is a member of a group and that group is a member of another group that has a role assignment, that role assignment is also listed. This filter only accepts an object ID for a user or a service principal. You cannot pass an object ID for a group. $filter=atScope()+and+assignedTo('{objectId}') Lists role assignments for the specified user or service principal and at the specified scope. $filter=principalId+eq+'{objectId}' Lists role assignments for a specified user, group, or service principal.

The following request lists all role assignments for the specified user at subscription scope:

The following shows an example of the output:

• Assign Azure roles using the REST API
• Azure REST API Reference

Gain insights into your Azure role assignments on subscription level

List Azure role assignments and custom role definitions recursively with PowerShell and Azure CLI.

Jump to recipe

Azure Role-Based Access Control (RBAC)

Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Using RBAC in Azure for granular permissions makes it easy to assign permissions to users, groups, service principals, or managed identities. You can assign only the amount of access that users need to perform their jobs, thereby adhering to the principle of least privilege.

You have a ton of builtin roles to choose from, and you can also create your own custom roles if none of the builtin roles fit your use case.

I will not write a thesis on Azure RBAC, as you can find the necessary information on the Azure RBAC documentation page . I will, however, highlight a few shortcomings and how I worked around some of them.

List Azure role definitions

You can list role definitions in the portal , with Azure CLI , or PowerShell .

All these links read List all roles . That is a bit misleading, as they only list the roles in your current scope with any inherited from above (management groups). Any custom roles created in different subscriptions than the current one (or the one provided in scope parameter) will not be listed. A best practice is to create custom roles higher up in management groups so that they are inherited by all subscriptions below. This is not always done, and you might end up with custom roles in different subscriptions.

List Azure role assignments

You can list role assignments in the portal , with PowerShell , or with Azure CLI . There are different ways of listing role assignments, but no way to list all role assignments in your hierarchy recursively. You can list role assignments at a certain scope, with inherited assignments included. You can also find all role assignments for a specific user or group in Azure AD .

Shortcomings

As far as I can see, there are a few shortcomings. These are not critical, and there are other issues with the RBAC model, but I will not go into them here.

• There is no central listing of role assignments for all scopes
• There is no central listing of custom role definitions for all scopes
• Role assignments and role definitions are not linked in any way other than in backend. If you try to delete a custom role definition still in use, you get an error message. You have to find all role assignments using the custom role definition and delete them first.
• Role assignments and role definitions are not listed in Azure AD

Recently I was tasked with cleaning some clickOps’ed custom role definitions and converting them to Terraform. I needed to find all custom role definitions and all role assignments in all subscriptions in all management groups. I also needed to find all role assignments using the custom role definitions I was going to delete. Because of reasons I needed to create new role definitions, and could not import them into Terraform. Because of the shortcomings mentioned above, I had to write a script to list all role definitions and role assignments for all scopes.

I did not want to click through all of the subscriptions and management groups, so I wrote a script to do it for me.

Azure Governance Visualizer

At this point I would be remiss not to mention the Azure Governance Visualizer . It is a great tool created by Julian Hayward for visualizing your total Azure Governance. It lists all custom role definitions and every other detail you would need from your environment regarding RBAC and lot of other useful information. In this case it is too complex, and I wanted to focus on the RBAC part. Anyway, check it out if you need a great tool for visualizing your Azure Governance.

Log in with both Azure CLI and PowerShell

Recursively find all management groups and subscriptions, list all custom roles in all subscriptions, list all role assignments with relevant custom roles in all subscriptions, write everything to json files for documentation or investigation, prerequisites.

• A user with Reader role on the management group level to list all management groups.
• A user with Reader role on the subscription level to list all subscriptions and their assignments/definitions.
• Azure PowerShell installed
• Azure CLI installed

The script can be found in all its glory in GitHub . I will explain the different sections below.

I did not want the script to force a login of both PowerShell and Azure CLI every time I ran it. Therefore I needed some logic to check for login status and login if necessary.

Since there could be several management groups in different levels, I need to recursively find the management groups to list all subscriptions.

This part is a simple loop through all subscriptions and list all custom role definitions. I could have used the PowerShell cmdlet Get-AzRoleDefinition , but I wanted to use the Azure CLI command az role definition list to get some more relevant information. The other actions done for each subscription are also done in the same foreach loop.

This part is a simple loop through all custom roles in the current subscription and list all assignments. Exports them if required with exportAssignments parameter.

This part is a simple conversion from PowerShell objects to json with ConvertTo-Json and dumpt to json file.

• Azure PowerShell

Some parameters are necessary in this script to make it dynamic.

• topLvlMgmtGroup - [String] Id of your top level management group to start recursive listing.
• customRolesOnly - [String] Set to true if exporting only custom roles. Defaults to true .
• excludeRegexPattern - [String] Any exclusion RegEx pattern to use. Remember escape chars!
• rolesFolder - [String] Folder where role definitions will be exported. Defaults to output .
• exportAssignments - [Switch] Whether to export assignments to file or not.
• subscription - [String] Subscription Id or name for when exporting in a single subscription.

Resulting json

Running the script results in some output to json files.

Role Definitions

It makes sense to only export custom role definitions, because the builtin ones are already pretty well documented.

For each custom role definition found, one file will be written. This is an example role and all guids are randomly generated.

Role Assignments

All role assignments will be exported if the relevant parameter is set.

Output to a single assignments.json:

I had some fun with this task, and maybe created an over engineered solution. Also I had the chance to practice my PowerShell-skills, which is a welcomed exercise!

Please let me know if you have a one-liner for this that I can use in the future 🙂

Manage Azure Role Assignments Like a Pro with PowerShell

Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple commandlets to get or set role assignmnets in your Azure Subscriptions.

PowerShell examples for managing Azure Role assignments

List all role assignments in a subscription, get all role assignments for a specific resource group, get all role assignments for a specific user, add a role assignment to a user, remove a role assignment for a user, remove all role assignments for a specific user, list all built-in roles, list all custom roles, create a custom role, update a custom role, delete a custom role, list all users or groups assigned to a specific role, list all permissions granted by a specific role, list all resource groups that a user has access to, create a role assignment for a service principal, powershell script to manage azure role assignments.

And now there is a script that combines some of these examples into one usable function:

I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.

Vukasin Terzic

Recent Update

• Writing your first Azure Terraform Configuration
• Transition from ARM Templates to Terraform with AI
• Getting started with Terraform for Azure
• Terraform Configuration Essentials: File Types, State Management, and Provider Selection
• Dynamically Managing Azure NSG Rules with PowerShell

Trending Tags

Retrieve azure resource group cost with powershell api.

The Future Of Azure Governance: Trends and Predictions

Further Reading

In my previous blog posts, I wrote about how simple PowerShell scripts can help speed up daily tasks for Azure administrators, and how you can convert them to your own API. One of these tasks is...

Azure Cost Optimization: 30 Ways to Save Money and Increase Efficiency

As organizations continue to migrate their applications and workloads to the cloud, managing and controlling cloud costs has become an increasingly critical issue. While Azure provides a robust s...

Custom PowerShell API for Azure Naming Policy

To continue our PowerShell API series, we have another example of a highly useful API that you can integrate into your environment. Choosing names for Azure resources can be a challenging task. ...

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

List Azure role assignments using the Azure portal

• 3 contributors

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To determine what resources users, groups, service principals, or managed identities have access to, you list their role assignments. This article describes how to list role assignments using the Azure portal.

If your organization has outsourced management functions to a service provider who uses Azure Lighthouse , role assignments authorized by that service provider won't be shown here. Similarly, users in the service provider tenant won't see role assignments for users in a customer's tenant, regardless of the role they've been assigned.

Prerequisites

Microsoft.Authorization/roleAssignments/read permission, such as Reader

List role assignments for a user or group

A quick way to see the roles assigned to a user or group in a subscription is to use the Azure role assignments pane.

In the Azure portal, select All services from the Azure portal menu.

Select Microsoft Entra ID and then select Users or Groups .

Click the user or group you want list the role assignments for.

Click Azure role assignments .

You see a list of roles assigned to the selected user or group at various scopes such as management group, subscription, resource group, or resource. This list includes all role assignments you have permission to read.

To change the subscription, click the Subscriptions list.

List owners of a subscription

Users that have been assigned the Owner role for a subscription can manage everything in the subscription. Follow these steps to list the owners of a subscription.

In the Azure portal, click All services and then Subscriptions .

Click the subscription you want to list the owners of.

Click Access control (IAM) .

Click the Role assignments tab to view all the role assignments for this subscription.

Scroll to the Owners section to see all the users that have been assigned the Owner role for this subscription.

List or manage privileged administrator role assignments

On the Role assignments tab, you can list and see the count of privileged administrator role assignments at the current scope. For more information, see Privileged administrator roles .

In the Azure portal, click All services and then select the scope. For example, you can select Management groups , Subscriptions , Resource groups , or a resource.

Click the specific resource.

Click the Role assignments tab and then click the Privileged tab to list the privileged administrator role assignments at this scope.

To see the count of privileged administrator role assignments at this scope, see the Privileged card.

To manage privileged administrator role assignments, see the Privileged card and click View assignments .

On the Manage privileged role assignments page, you can add a condition to constrain the privileged role assignment or remove the role assignment. For more information, see Delegate Azure role assignment management to others with conditions .

List role assignments at a scope

Follow these steps:

Click the Role assignments tab to view the role assignments at this scope.

If you have a Microsoft Entra ID Free or Microsoft Entra ID P1 license, your Role assignments tab is similar to the following screenshot.

If you have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license, your Role assignments tab is similar to the following screenshot for management group, subscription, and resource group scopes. This capability is being deployed in stages, so it might not be available yet in your tenant or your interface might look different.

You see a State column with one of the following states:

It's possible to set the start date in the future.

If you want to list the start time and end time for role assignments, click Edit columns and then select Start time and End time .

Notice that some roles are scoped to This resource while others are (Inherited) from another scope. Access is either assigned specifically to this resource or inherited from an assignment to the parent scope.

List role assignments for a user at a scope

To list access for a user, group, service principal, or managed identity, you list their role assignments. Follow these steps to list the role assignments for a single user, group, service principal, or managed identity at a particular scope.

On the Check access tab, click the Check access button.

In the Check access pane, click User, group, or service principal or Managed identity .

In the search box, enter a string to search the directory for display names, email addresses, or object identifiers.

Click the security principal to open the assignments pane.

On this pane, you can see the access for the selected security principal at this scope and inherited to this scope. Assignments at child scopes are not listed. You see the following assignments:

• Role assignments added with Azure RBAC.
• Deny assignments added using Azure Blueprints or Azure managed apps.
• Classic Service Administrator or Co-Administrator assignments for classic deployments.

List role assignments for a managed identity

You can list role assignments for system-assigned and user-assigned managed identities at a particular scope by using the Access control (IAM) blade as described earlier. This section describes how to list role assignments for just the managed identity.

System-assigned managed identity

In the Azure portal, open a system-assigned managed identity.

In the left menu, click Identity .

Under Permissions , click Azure role assignments .

You see a list of roles assigned to the selected system-assigned managed identity at various scopes such as management group, subscription, resource group, or resource. This list includes all role assignments you have permission to read.

To change the subscription, click the Subscription list.

User-assigned managed identity

In the Azure portal, open a user-assigned managed identity.

You see a list of roles assigned to the selected user-assigned managed identity at various scopes such as management group, subscription, resource group, or resource. This list includes all role assignments you have permission to read.

List number of role assignments

You can have up to 4000 role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. Eligible role assignments and role assignments scheduled in the future do not count towards this limit. To help you keep track of this limit, the Role assignments tab includes a chart that lists the number of role assignments for the current subscription.

If you are getting close to the maximum number and you try to add more role assignments, you'll see a warning in the Add role assignment pane. For ways that you can reduce the number of role assignments, see Troubleshoot Azure RBAC limits .

Download role assignments

You can download role assignments at a scope in CSV or JSON formats. This can be helpful if you need to inspect the list in a spreadsheet or take an inventory when migrating a subscription.

When you download role assignments, you should keep in mind the following criteria:

• If you don't have permissions to read the directory, such as the Directory Readers role, the DisplayName, SignInName, and ObjectType columns will be blank.
• Role assignments whose security principal has been deleted are not included.
• Access granted to classic administrators are not included.

Follow these steps to download role assignments at a scope.

In the Azure portal, click All services and then select the scope where you want to download the role assignments. For example, you can select Management groups , Subscriptions , Resource groups , or a resource.

Click Download role assignments to open the Download role assignments pane.

Use the check boxes to select the role assignments you want to include in the downloaded file.

• Inherited - Include inherited role assignments for the current scope.
• At current scope - Include role assignments for the current scope.
• Children - Include role assignments at levels below the current scope. This check box is disabled for management group scope.

Select the file format, which can be comma-separated values (CSV) or JavaScript Object Notation (JSON).

Specify the file name.

Click Start to start the download.

The following show examples of the output for each file format.

Related content

• Assign Azure roles using the Azure portal
• Troubleshoot Azure RBAC

Was this page helpful?

Additional resources

Easy way to set Azure RBAC roles in Bicep

When deploying resources in Azure using Bicep, occasionally you will have to assign rights to a user or principal to perform certain actions. For example, authorizing an app service to access a storage account.

Initially you would create something like this:

I came up with the following Bicep module which shows a nice way to hide the nasty details such as the role guids in a module.

This makes the Bicep files a lot more readable, especially when you have to assign roles more often.

Creating a module to do this also has the advantage that you can change the scope, for example when the storage account is part of a different resource group.

Cleaned up initial example:

I hope someone has some use for this as well.

Update 18-07-2023: Updated to include principalType in template.

Forum Discussion

A Beginner's Guide To Role-Based Access Control on Azure.