Azure won't show roleDefinition for directory roles
I'm using the following API, it works with regular roles such as "Reader":"acdd72a7-3385-48ef-bd42-f606fba81ae7".
az rest --method get --url 'https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7?api-version=2022-04-01'
However it won't work with directory roles such as this https://www.azadvertizer.net/azentraidroles/e8611ab8-c189-46e8-94e1-60213ab1f814.html
az rest `
--method get `
--url "https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?`$filter=roleName+eq+'Privileged Role Administrator'&api-version=2022-04-01"
# nothing
az rest --method get --url 'https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions/e8611ab8-c189-46e8-94e1-60213ab1f814?api-version=2022-04-01'
# Not Found({"error":{"code":"RoleDefinitionDoesNotExist","message":"The specified role definition with ID 'e8611ab8-c189-46e8-94e1-60213ab1f814' does not exist."}})
The query will always return an empty value. How can I list the roleDefinition and data actions for such a role?
Solution
You can only retrieve Azure RBAC roles via ARM’s /roleDefinitions endpoint. Initially, I too got same results:
az rest `
--method get `
--url "https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?`$filter=roleName+eq+'Privileged Role Administrator'&api-version=2022-04-01"
az rest --method get --url 'https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions/e8611ab8-c189-46e8-94e1-60213ab1f814?api-version=2022-04-01'
Instead, call Microsoft Graph’s roleManagement/directory API to fetch unified directory roles and their permissions.
To retrieve Privileged Role Administrator role definition, make use of below call:
az rest --method GET --uri 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayName eq ''Privileged Role Administrator'''
Reference:
- How do I persist logs from a Dockerized .NET Core app in Azure DevOps and save them as artifacts?
- Azure won't show roleDefinition for directory roles
- How do we change the TLS version of Azure IoT Hub which is already created and deployed?
- Microsoft Graph API ADB2C signInActivity update lag
- How does Azure App Service manage port binding with docker container? Does it recognize Expose?
- Has there been a recent change to Invoke-Sqlcmd that break it, and if so what's the fix?
- Is using AddAzureClients and a clientFactory for Azure ServiceBus DI preferred over a singleton implementation?
- Redeploy .NET Aspire project after resource cleanup
- SocketException permission denied when trying to bind port 80 or 443 to Kestrel in Azure Container Instance with .NET 8
- Azure Functions with docker: How change port?
- Azure - How to update the password profile of a user in Azure AD B2C using the Microsoft Graph API?
- Unable to filter the service principals by appOwnerOrganizationId property
- How can I upload an image to Azure from an Azure Function with a BlobTrigger
- How can I see which mechanism granted the user the ability to activate roles via Azure Privileged Identity Management (PIM)
- How to resolve an "Invalid operands found for operator -eq" error in Microsoft Entra ID PowerShell code
- You don’t appear to have an active Azure subscription when creating new Kubernetes service connection in Azure DevOps
- Azure Application Insights JavaScript SDK loader script security
- How to fix 'Unable to Obtain Authentication Token' in Active Directory Authentication to Azure Analysis Server
- Python script to join 2 csv files with an existing excel file in Azure blob storage
- Can one use DPO (direct preference optimization) of GPT via CLI or Python on Azure?
- azure function via terraform: how to connect to service bus
- Azure WebJob is failing after some period of time on Linux plan
- Retry policy on blob leasing
- Azure auth for Outlook Graph API
- Copying storage data from one Azure account to another
- Windows Azure SDK for Node.js SQL Azure Provider
- Pipeline for stored procedure dedicated sql pool
- Webpack @azure/storage-blob node-fetch AbortSignal issue
- What is the Azure equivalent of GCP's Cloud Run?
- How stop execution of a stored procedure if the client closes the connection in SQL Azure database?