azure, azure-powershell, azure-cli, azure-resource-graph

Search-AzQuery querying authorizationresources returns 0 records


I want to query all the built-in Azure role definitions using Search-AzQuery. I have the Az.ResourceGroup module v1.0.0 installed.

This query works fine in the Azure Portal's Azure Resource Graph Explorer and returns 5 records:

authorizationresources | where type == "microsoft.authorization/roledefinitions" | where properties["type"] == "BuiltInRole" | limit 5

If I run the same query locally using Search-AzQuery (or az graph query for that matter), I get zero records.

Search-AzGraph -Query 'authorizationresources | where type == "microsoft.authorization/roledefinitions" | where properties["type"] == "BuiltInRole" | limit 5'

However, if I remove the second where, then it does return records.

Search-AzGraph -Query 'authorizationresources | where type == "microsoft.authorization/roledefinitions" | limit 5'

I've also tried the =~ operator (to ignore case when comparing) but that makes no difference.

What am I doing wrong?


Solution

  • Search-AzGraph -Query "authorizationresources | where type == 'microsoft.authorization/roledefinitions' | where properties['type'] == 'BuiltInRole' | limit 5" -UseTenantScope 
    

    You should add UseTenantScope. I tried a lot and found that this method works.

    Why it works:

    roledefinitions has a resource ID something like this: /providers/Microsoft.Authorization/RoleDefinitions/aabbc5dd-1af0-458b-a942-81af88f9c138, which is not related to a particular subscription. This is a Basic tenant query (reference).

    This is different from a Basic query, which needs to pass a subscriptionIds array.
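
The scope difference described in the answer, as an added example that is not part of the original post: it counts role definitions by type from the default scope and from tenant scope, then pages through every built-in role with -UseTenantScope. It assumes the Az.ResourceGraph module, a signed-in session (Connect-AzAccount) and a response object that exposes Data and SkipToken; the function names are hypothetical.

```powershell
# Added example; function names are hypothetical.
# Assumes Az.ResourceGraph is installed and Connect-AzAccount has been run.

# Count role definitions by properties.type as seen from each query scope,
# so the effect of -UseTenantScope is visible side by side.
function Compare-RoleDefinitionScope {
    $query = @'
authorizationresources
| where type == "microsoft.authorization/roledefinitions"
| summarize total = count() by roleType = tostring(properties["type"])
'@
    [pscustomobject]@{
        DefaultScope = (Search-AzGraph -Query $query).Data
        TenantScope  = (Search-AzGraph -Query $query -UseTenantScope).Data
    }
}

# Return every built-in role definition, following SkipToken until exhausted.
function Get-BuiltInRoleDefinition {
    [CmdletBinding()]
    param(
        [ValidateRange(1, 1000)]
        [int]$PageSize = 1000   # Resource Graph returns at most 1000 rows per call
    )
    # 'id' stays in the projection because paging with a skip token needs it.
    $query = @'
authorizationresources
| where type == "microsoft.authorization/roledefinitions"
| where properties["type"] == "BuiltInRole"
| project id, roleName = tostring(properties.roleName)
| order by roleName asc
'@
    $skipToken = $null
    do {
        $params = @{ Query = $query; First = $PageSize; UseTenantScope = $true }
        if ($skipToken) { $params['SkipToken'] = $skipToken }
        $page = Search-AzGraph @params
        $page.Data                      # emit this page's rows to the pipeline
        $skipToken = $page.SkipToken    # empty when there are no more pages
    } while ($skipToken)
}

# Usage:
#   Compare-RoleDefinitionScope | Format-List
#   Get-BuiltInRoleDefinition | Select-Object -First 5
```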