Az-GetRoleAssigments Not returning Data for DisplayName, SignInName & Object Type - Azure Powershell Runbook
I've been working on getting the list of RBAC roles assigned to an azure subscription to know which RBAC is assigned to a user or to an AD group. Based on the Microsoft website, I can do this using powershell with the following code Get-AZRoleAssignment.
My first try was creating a local powershell file to test the process of getting the data and add the output to an excel ( I was authenticating to Microsoft Entra ( AD) using my own user ). The results were as expected
In order to automate this and not use my own username and password ( avoiding MFA pop up ) I've decided to use Azure Automation Powershell Runbook ( use manage identity instead for the azure subscription and storage account) . The code was executed sucessfully and the excel was created BUT now there are 2 blank columns that were not blank before + Object Type column value is Unknown on all rows ( If I run the local powershell those will display data ) . The row on the below example picture is the same as picture # 1 but executed in Azure Runbook:
I thought maybe I was missing the AzureAD module so I added it plus some other modules like: EntraIDTools, ResolveEntraID ( these were added to my Azure Automation account because on my local powershell code, the first line installed AzureAD module ) . Nothing has work so far and the final excel output still has DisplayName & SignInName column values as blank + Object type says Uknown . I'm a bit frustrated at this point
Below is my Azure Automation Powershell Runbook 7.2
# Add needed variables
Param
(
[Parameter (Mandatory= $true)]
[String] $StorageAccountName
)
# Connect using a Managed Service Identity
try {
$AzureContext = (Connect-AzAccount -Identity).context
}
catch{
Write-Output "There is no system-assigned user identity. Aborting.";
exit
}
Get-AZRoleAssignment |
Select-Object RoleAssignmentId, Scope, DisplayName, SignInName, RoleDefinitionName, RoleDefinitionId, ObjectId, ObjectType, CanDelegate |
Export-CSV -Encoding ASCII ($env:TEMP2+"MT_AZRoleAssigments.csv") -Notype
# Connect using a Managed Service Identity
try {
$AzureContext = (Connect-AzAccount -Identity).context
}
catch{
Write-Output "There is no system-assigned user identity. Aborting.";
exit
}
$Context = New-AzStorageContext -StorageAccountName $StorageAccountName
Set-AzStorageBlobContent -Context $Context -Container "compliance" -File ($env:TEMP2+"MT_AZRoleAssigments.csv") -Blob "MT_AZRoleAssigments.csv" -Force
The documentation for Get-AzRoleAssignment is very clear on why ObjectType equal to Unknown can happen:
The cmdlet may call below Microsoft Graph API according to input parameters:
- GET
/users/{id}- GET
/servicePrincipals/{id}- GET
/groups/{id}- GET
/directoryObjects/{id}- POST
/directoryObjects/getByIdsPlease notice that this cmdlet will mark
ObjectTypeasUnknownin output if the object of role assignment is not found or current account has insufficient privileges to get object type.
If you want your Managed Identity to be able to pull this information from the Role Assignments you will need to assign it the needed API Permissions, i.e.: granting Directory.Read.All should allow your MI to query any principal in Entra ID. Otherwise, if you want more granularity, User.Read.All for users only and so on.
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?