Get all users and applications with Reader role under subscription in Azure Python SDK
I need to fetch users and applications assigned the "Reader" role under a specific Azure subscription using the Azure Python SDK. The AuthorizationManagementClient is being used along with the role_assignments.list_for_scope() method to list role assignments, but an issue arises with the filter query.
Here’s the code that’s being used:
from azure.identity import ClientSecretCredential
from azure.mgmt.authorization import AuthorizationManagementClient
scope = f"subscriptions/{subscription_id}"
reader_role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
credential = ClientSecretCredential(
tenant_id=tenant_id,
client_id=client_id,
client_secret=client_secret
)
authorization_client = AuthorizationManagementClient(credential, subscription_id)
try:
print("\nFetching users and applications with 'Reader' role in the subscription...")
role_assignments = authorization_client.role_assignments.list_for_scope(
scope=scope,
filter=f"atScope() and roleDefinitionId eq '{reader_role_definition_id}'"
)
print("Users or applications with Reader Role:")
for assignment in role_assignments:
print(f"Principal ID: {assignment.principal_id}")
except Exception as e:
print("Failed to fetch users or applications with 'Reader' role:", str(e))
However, upon executing the code, I receive following error message:
Fetching users and applications with 'Reader' role in the subscription...
Users or applications with Reader Role:
Failed to fetch users or applications with 'Reader' role: (UnsupportedQuery) The filter 'atScope() and roleDefinitionId eq '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'' is not supported. Supported filters are either 'atScope()' or 'principalId eq '{value}' or assignedTo('{value}')'.
Code: UnsupportedQuery
Message: The filter 'atScope() and roleDefinitionId eq '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'' is not supported. Supported filters are either 'atScope()' or 'principalId eq '{value}' or assignedTo('{value}')'.
Solution
The error occurred as filtering on roleDefinitionId property is not supported. The supported values of $filter query parameter are atScope() or principalId eq '{value}' or assignedTo('{value}')
I have below users and applications with Reader role assigned under subscription:
To fetch these details using Azure Python SDK, you can make use of below sample code:
from azure.mgmt.authorization import AuthorizationManagementClient
from azure.identity import ClientSecretCredential
tenant_id = "tenantId"
client_id = "appId"
client_secret = "secret"
subscription_id = "subId"
credentials = ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret)
authorization_client = AuthorizationManagementClient(credentials, subscription_id)
def list_readers(client):
results = []
subscription_scope = f'/subscriptions/{subscription_id}'
reader_role_id = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
roles = client.role_assignments.list_for_scope(scope=subscription_scope, filter='atScope()')
for role in roles:
if reader_role_id in role.role_definition_id:
results.append({
"principal_id": role.principal_id,
"principal_type": role.principal_type
})
return results
try:
readers = list_readers(authorization_client)
for reader in readers:
print(f"Principal ID: {reader['principal_id']}, Principal Type: {reader['principal_type']}")
except Exception as e:
print("Failed to fetch users or applications with 'Reader' role:", str(e))
Response:
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?