azurepowershellazure-active-directoryrbacazure-runbook

Az-GetRoleAssigments Not returning Data for DisplayName, SignInName & Object Type - Azure Powershell Runbook


I've been working on getting the list of RBAC roles assigned to an azure subscription to know which RBAC is assigned to a user or to an AD group. Based on the Microsoft website, I can do this using powershell with the following code Get-AZRoleAssignment.

My first try was creating a local powershell file to test the process of getting the data and add the output to an excel ( I was authenticating to Microsoft Entra ( AD) using my own user ). The results were as expected

enter image description here

In order to automate this and not use my own username and password ( avoiding MFA pop up ) I've decided to use Azure Automation Powershell Runbook ( use manage identity instead for the azure subscription and storage account) . The code was executed sucessfully and the excel was created BUT now there are 2 blank columns that were not blank before + Object Type column value is Unknown on all rows ( If I run the local powershell those will display data ) . The row on the below example picture is the same as picture # 1 but executed in Azure Runbook:

enter image description here

I thought maybe I was missing the AzureAD module so I added it plus some other modules like: EntraIDTools, ResolveEntraID ( these were added to my Azure Automation account because on my local powershell code, the first line installed AzureAD module ) . Nothing has work so far and the final excel output still has DisplayName & SignInName column values as blank + Object type says Uknown . I'm a bit frustrated at this point

Below is my Azure Automation Powershell Runbook 7.2

# Add needed variables
Param
(
  [Parameter (Mandatory= $true)]
  [String] $StorageAccountName
)


# Connect using a Managed Service Identity
try {
        $AzureContext = (Connect-AzAccount -Identity).context
    }
catch{
        Write-Output "There is no system-assigned user identity. Aborting."; 
        exit
    }


Get-AZRoleAssignment | 
Select-Object RoleAssignmentId,  Scope, DisplayName, SignInName, RoleDefinitionName, RoleDefinitionId, ObjectId, ObjectType, CanDelegate | 
Export-CSV -Encoding ASCII ($env:TEMP2+"MT_AZRoleAssigments.csv") -Notype

# Connect using a Managed Service Identity
try {
        $AzureContext = (Connect-AzAccount -Identity).context
    }
catch{
        Write-Output "There is no system-assigned user identity. Aborting."; 
        exit
    }

$Context = New-AzStorageContext -StorageAccountName $StorageAccountName

Set-AzStorageBlobContent -Context $Context -Container "compliance" -File ($env:TEMP2+"MT_AZRoleAssigments.csv") -Blob "MT_AZRoleAssigments.csv" -Force 

Solution

  • The documentation for Get-AzRoleAssignment is very clear on why ObjectType equal to Unknown can happen:

    The cmdlet may call below Microsoft Graph API according to input parameters:

    • GET /users/{id}
    • GET /servicePrincipals/{id}
    • GET /groups/{id}
    • GET /directoryObjects/{id}
    • POST /directoryObjects/getByIds

    Please notice that this cmdlet will mark ObjectType as Unknown in output if the object of role assignment is not found or current account has insufficient privileges to get object type.

    If you want your Managed Identity to be able to pull this information from the Role Assignments you will need to assign it the needed API Permissions, i.e.: granting Directory.Read.All should allow your MI to query any principal in Entra ID. Otherwise, if you want more granularity, User.Read.All for users only and so on.