I've been working on getting the list of RBAC roles assigned to an Azure subscription, to know which RBAC role is assigned to a user or to an AD group. Based on the Microsoft website, I can do this using PowerShell with the following cmdlet: Get-AZRoleAssignment.
My first try was creating a local PowerShell file to test the process of getting the data and adding the output to an Excel file (I was authenticating to Microsoft Entra (AD) using my own user). The results were as expected.
In order to automate this and not use my own username and password (avoiding the MFA pop-up), I've decided to use an Azure Automation PowerShell Runbook (using a managed identity instead for the Azure subscription and storage account). The code was executed successfully and the Excel file was created, BUT now there are 2 blank columns that were not blank before, and the Object Type column value is Unknown on all rows (if I run the local PowerShell, those display data). The row in the example picture below is the same as in picture #1 but executed in the Azure Runbook:
I thought maybe I was missing the AzureAD module, so I added it plus some other modules like EntraIDTools and ResolveEntraID (these were added to my Azure Automation account because in my local PowerShell code, the first line installed the AzureAD module). Nothing has worked so far and the final Excel output still has the DisplayName & SignInName column values blank, and Object Type says Unknown. I'm a bit frustrated at this point.
Below is my Azure Automation PowerShell Runbook 7.2:
# Add needed variables
Param
(
    [Parameter (Mandatory = $true)]
    [String] $StorageAccountName
)

# Connect using the Automation account's system-assigned managed identity
try {
    $AzureContext = (Connect-AzAccount -Identity).context
}
catch {
    Write-Output "There is no system-assigned user identity. Aborting.";
    exit
}

# Local path used for both the CSV export and the blob upload
$LocalFile = $env:TEMP2 + "MT_AZRoleAssigments.csv"

# Pull every role assignment visible in the current subscription context and export it
Get-AzRoleAssignment |
    Select-Object RoleAssignmentId, Scope, DisplayName, SignInName, RoleDefinitionName, RoleDefinitionId, ObjectId, ObjectType, CanDelegate |
    Export-Csv -Encoding ASCII -Path $LocalFile -NoTypeInformation

# Upload the CSV to the storage account using the same managed identity session
$Context = New-AzStorageContext -StorageAccountName $StorageAccountName
Set-AzStorageBlobContent -Context $Context -Container "compliance" -File $LocalFile -Blob "MT_AZRoleAssigments.csv" -Force
The documentation for Get-AzRoleAssignment is very clear on why ObjectType equal to Unknown can happen:

The cmdlet may call below Microsoft Graph API according to input parameters:
- GET /users/{id}
- GET /servicePrincipals/{id}
- GET /groups/{id}
- GET /directoryObjects/{id}
- POST /directoryObjects/getByIds

Please notice that this cmdlet will mark ObjectType as Unknown in output if the object of role assignment is not found or current account has insufficient privileges to get object type.

If you want your Managed Identity to be able to pull this information from the Role Assignments, you will need to assign it the needed API Permissions, i.e. granting Directory.Read.All should allow your MI to query any principal in Entra ID. Otherwise, if you want more granularity, User.Read.All for users only, and so on.
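As an added example (not code from the question or the answer above), this is how the Graph application permission the answer names can be granted to the Automation account's managed identity with the Microsoft Graph PowerShell SDK, idempotently, with the permission list kept narrow where possible. It assumes the SDK is installed, the caller can consent to application permissions, and $AutomationMiName (a placeholder value) is the managed identity's display name in Entra ID.

```powershell
# Added example: grant Graph app roles to a managed identity so
# Get-AzRoleAssignment can resolve DisplayName, SignInName and ObjectType.
param(
    [string]   $AutomationMiName = "my-automation-account",   # placeholder, replace
    # Directory.Read.All covers users, groups and service principals; for
    # least privilege narrow this to e.g. @("User.Read.All","Group.Read.All").
    [string[]] $AppRoleValues = @("Directory.Read.All")
)

# Delegated scopes the admin session needs to read service principals and consent.
Connect-MgGraph -Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All"

# Microsoft Graph resource service principal (well-known appId in every tenant).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
# The managed identity's own service principal (system-assigned MI shares the account name).
$miSp = Get-MgServicePrincipal -Filter "displayName eq '$AutomationMiName'"
if (-not $miSp) { throw "Managed identity '$AutomationMiName' not found in Entra ID." }

foreach ($value in $AppRoleValues) {
    # Application roles only: a managed identity has no signed-in user for delegated scopes.
    $role = $graphSp.AppRoles | Where-Object {
        $_.Value -eq $value -and $_.AllowedMemberTypes -contains "Application"
    }
    if (-not $role) { throw "App role '$value' not found on Microsoft Graph." }

    # Skip roles already granted so the script can be re-run safely.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id |
        Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }
    if ($existing) { Write-Output "$value already assigned to $($miSp.DisplayName)"; continue }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id `
        -PrincipalId $miSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Output "Granted $value to $($miSp.DisplayName)"
}

# Audit what the identity now holds; every entry is a Graph app role it can exercise.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```

After the grant, rerun the runbook: the DisplayName and SignInName columns should be populated and ObjectType should no longer read Unknown for principals the identity is now allowed to resolve.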