I want to query all the builtin Azure role definitions using Search-AzQuery. I have the Az.ResourceGroup module v1.0.0 installed.
This query works fine in the Azure Portal's Azure Resource Graph Explorer and returns 5 records:
authorizationresources | where type == "microsoft.authorization/roledefinitions" | where properties["type"] == "BuiltInRole" | limit 5
If I run the same query locally using Search-AzQuery (or az graph query for that matter), I get zero records.
Search-AzGraph -Query 'authorizationresources | where type == "microsoft.authorization/roledefinitions" | where properties["type"] == "BuiltInRole" | limit 5'
However, if I remove the second where, then it does return records.
Search-AzGraph -Query 'authorizationresources | where type == "microsoft.authorization/roledefinitions" | limit 5'
I've also tried the =~ operator (to ignore case when comparing) but that makes no difference.
What am I doing wrong?
Search-AzGraph -Query "authorizationresources | where type == 'microsoft.authorization/roledefinitions' | where properties['type'] == 'BuiltInRole' | limit 5" -UseTenantScope
You should add UseTenantScope. I tried a lot and found that this method works.
Why it works:
roledefinitions has a resource id something like this: /providers/Microsoft.Authorization/RoleDefinitions/aabbc5dd-1af0-458b-a942-81af88f9c138, which is not related to a certain subscription. It is a Basic tenant query (reference). It differs from the Basic query, which needs to pass the subscriptionIds array.
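The scope difference described in the answer above, as an added example that is not part of the original question or answer: it runs the same query at the default scope and at tenant scope, then pages through every built-in role definition for an access review. It assumes a recent Az.ResourceGraph module whose response object exposes Data and SkipToken, an authenticated session (Connect-AzAccount), and that the role name is stored under properties["roleName"].

```powershell
# Added example; not code from the original post.
# Assumes: Az.ResourceGraph is installed and Connect-AzAccount has been run.
$query = @'
authorizationresources
| where type == "microsoft.authorization/roledefinitions"
| where properties["type"] == "BuiltInRole"
| project id, roleName = tostring(properties["roleName"])
| order by id asc
'@

# 1) Default scope: limited to the subscriptions in the current context.
#    The question reports zero rows for this call.
$default = Search-AzGraph -Query $query -First 5
'Default scope rows : {0}' -f @($default.Data).Count

# 2) Tenant scope: built-in role definitions have ids of the form
#    /providers/Microsoft.Authorization/RoleDefinitions/<guid>, with no
#    subscription segment, so they only match a tenant-level query.
$tenant = Search-AzGraph -Query $query -First 5 -UseTenantScope
'Tenant scope rows  : {0}' -f @($tenant.Data).Count

# 3) Page through the full set. Resource Graph returns at most 1000 rows per
#    call; SkipToken carries the position of the next page.
$roles = [System.Collections.Generic.List[object]]::new()
$skipToken = $null
do {
    $params = @{ Query = $query; UseTenantScope = $true; First = 1000 }
    if ($skipToken) { $params.SkipToken = $skipToken }

    $page = Search-AzGraph @params
    foreach ($row in $page.Data) { $roles.Add($row) }
    $skipToken = $page.SkipToken
} while ($skipToken)

'Built-in roles     : {0}' -f $roles.Count

# Flag any row whose id does contain a subscription segment; for built-in
# roles queried at tenant scope none are expected.
$scoped = $roles | Where-Object { $_.id -match '^/subscriptions/' }
'Subscription-scoped ids in result: {0}' -f @($scoped).Count

# Snapshot for diffing between review cycles.
$roles | Sort-Object roleName |
    Export-Csv -Path .\builtin-roles.csv -NoTypeInformation
```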