Get-AzureRmRoleAssignment
NAME Get-AzureRmRoleAssignment
SYNOPSIS
Lists Azure RBAC role assignments at the specified scope. By default it lists all role assignments in the selected Azure subscription. Use
respective parameters to list assignments to a specific user, or to list assignments on a specific resource group or resource.
SYNTAX
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-ExpandPrincipalGroups] [-IncludeClassicAdministrators] -ObjectId <Guid>
[-RoleDefinitionName <String>] [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-ExpandPrincipalGroups] [-IncludeClassicAdministrators] [-RoleDefinitionName
<String>] -SignInName <String> [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] [-RoleDefinitionName <String>]
[<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] -ObjectId <Guid> -ResourceGroupName <String>
[-RoleDefinitionName <String>] [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] -ObjectId <Guid> [-ParentResource <String>]
-ResourceGroupName <String> -ResourceName <String> -ResourceType <String> [-RoleDefinitionName <String>] [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] -ObjectId <Guid> [-RoleDefinitionName
<String>] -Scope <String> [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] -ResourceGroupName <String>
[-RoleDefinitionName <String>] -SignInName <String> [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] [-ParentResource <String>] -ResourceGroupName
<String> -ResourceName <String> -ResourceType <String> [-RoleDefinitionName <String>] -SignInName <String> [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] [-RoleDefinitionName <String>] -Scope
<String> -SignInName <String> [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] -ResourceGroupName <String>
[-RoleDefinitionName <String>] -ServicePrincipalName <String> [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] [-ParentResource <String>] -ResourceGroupName
<String> -ResourceName <String> -ResourceType <String> [-RoleDefinitionName <String>] -ServicePrincipalName <String> [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] [-RoleDefinitionName <String>] -Scope
<String> -ServicePrincipalName <String> [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] [-RoleDefinitionName <String>]
-ServicePrincipalName <String> [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] -ResourceGroupName <String>
[-RoleDefinitionName <String>] [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] [-ParentResource <String>] -ResourceGroupName
<String> -ResourceName <String> -ResourceType <String> [-RoleDefinitionName <String>] [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-IncludeClassicAdministrators] [-RoleDefinitionName <String>] -Scope
<String> [<CommonParameters>]
Get-AzureRmRoleAssignment [-DefaultProfile <IAzureContextContainer>] [-ObjectId <Guid>] -RoleDefinitionId <Guid> [-Scope <String>]
[<CommonParameters>]
DESCRIPTION
Use the Get-AzureRmRoleAssignment command to list all role assignments that are effective on a scope.
Without any parameters, this command returns all the role assignments made under the subscription. This list can be filtered using filtering
parameters for principal, role and scope.
The subject of the assignment must be specified. To specify a user, use SignInName or Azure AD ObjectId parameters. To specify a security group,
use Azure AD ObjectId parameter. And to specify an Azure AD application, use ServicePrincipalName or ObjectId parameters.
The role that is being assigned must be specified using the RoleDefinitionName parameter.
The scope at which access is being granted may be specified. It defaults to the selected subscription. The scope of the assignment can be
specified using one of the following parameter combinations:
a. Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId>. This will filter assignments that are effective at
that particular scope, i.e. all assignments at that scope and above.
b. ResourceGroupName - Name of any resource group under the subscription. This will filter assignments effective at the specified resource group.
c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - Identifies a particular resource under the subscription and
will filter assignments effective at that resource scope.
To determine what access a particular user has in the subscription, use the ExpandPrincipalGroups switch. This will list all roles assigned to the
user, and to the groups that the user is a member of.
Use the IncludeClassicAdministrators switch to also display the subscription admins and co-admins.
PARAMETERS
-DefaultProfile <IAzureContextContainer>
The credentials, account, tenant, and subscription used for communication with Azure.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-ExpandPrincipalGroups [<SwitchParameter>]
If specified, returns roles directly assigned to the user and to the groups of which the user is a member (transitively). Supported only for a
user principal.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-IncludeClassicAdministrators [<SwitchParameter>]
If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-ObjectId <Guid>
The Azure AD ObjectId of the User, Group or Service Principal. Filters all assignments that are made to the specified principal.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ParentResource <String>
The parent resource in the hierarchy of the resource specified using ResourceName parameter. Must be used in conjunction with
ResourceGroupName, ResourceType, and ResourceName parameters.
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ResourceGroupName <String>
The resource group name. Lists role assignments that are effective at the specified resource group. When used in conjunction with
ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ResourceName <String>
The resource name, for example storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType, and
(optionally) ParentResource parameters.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ResourceType <String>
The resource type, for example Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName, and
(optionally) ParentResource parameters.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-RoleDefinitionId <Guid>
Id of the Role that is assigned to the principal.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-RoleDefinitionName <String>
Role that is assigned to the principal, e.g. Reader, Contributor, Virtual Network Administrator, etc.
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Scope <String>
The Scope of the role assignment, in the format of a relative URI, for example
/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG. It must start with "/subscriptions/{id}". The command filters all
assignments that are effective at that scope.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ServicePrincipalName <String>
The ServicePrincipalName of the service principal. Filters all assignments that are made to the specified Azure AD application.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-SignInName <String>
The email address or the user principal name of the user. Filters all assignments that are made to the specified user.
Required? true
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
This cmdlet does not accept any input.
OUTPUTS
System.Collections.Generic.List`1[Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleAssignment]
NOTES
Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment
Example 1
PS C:\> Get-AzureRmRoleAssignment
Lists all role assignments in the subscription.
Example 2
PS C:\> Get-AzureRmRoleAssignment -ResourceGroupName testRG -SignInName john.doe@contoso.com
Gets all role assignments made to user john.doe@contoso.com, and the groups of which he is a member, at the testRG scope or above.
Example 3
PS C:\> Get-AzureRmRoleAssignment -ServicePrincipalName "http://testapp1.com"
Gets all role assignments of the specified service principal.
Example 4
PS C:\> Get-AzureRmRoleAssignment -Scope "/subscriptions/96231a05-34ce-4eb4-aa6a-70759cbb5e83/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"
Gets role assignments at the 'site1' website scope.
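Added example (not part of the cmdlet's help text): because the scope filters return assignments effective at the queried scope and above, this script labels each returned assignment as made directly at that scope or inherited from a parent scope, and flags privileged roles for an access review. The function names, the privileged-role list, the placeholder subscription id and the sample objects are assumptions constructed for illustration; the property names follow the PSRoleAssignment output type.

```powershell
# Added example: classify assignments returned for a scope as Direct or Inherited.
# Function names and the privileged-role list are hypothetical, chosen for this example.

function Get-ScopeLevel {
    param([Parameter(Mandatory)][string]$Scope)
    # Scope is a relative URI starting with /subscriptions/{id}; -Regex is case-insensitive.
    switch -Regex ($Scope) {
        '^/subscriptions/[^/]+/?$'                              { return 'Subscription' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+/?$'         { return 'ResourceGroup' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/' { return 'Resource' }
        default                                                 { return 'Other' }
    }
}

function Add-AssignmentOrigin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$Assignment,
        [Parameter(Mandatory)][string]$QueriedScope,
        [string[]]$PrivilegedRole = @('Owner', 'Contributor', 'User Access Administrator')
    )
    begin { $target = $QueriedScope.TrimEnd('/') }
    process {
        $scope = ([string]$Assignment.Scope).TrimEnd('/')
        # String -eq is case-insensitive, which matches how Azure treats resource ids.
        $origin = if ($scope -eq $target) { 'Direct' } else { 'Inherited' }
        [pscustomobject]@{
            Principal  = $Assignment.DisplayName
            ObjectType = $Assignment.ObjectType
            Role       = $Assignment.RoleDefinitionName
            AssignedAt = Get-ScopeLevel -Scope $scope
            Origin     = $origin
            Privileged = $PrivilegedRole -contains $Assignment.RoleDefinitionName
        }
    }
}

# Constructed sample data shaped like the cmdlet's output, so the script runs offline.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder id
$sample = @(
    [pscustomobject]@{ DisplayName = 'Ops Admins'; ObjectType = 'Group'
                       RoleDefinitionName = 'Owner'; Scope = $sub }
    [pscustomobject]@{ DisplayName = 'John Doe'; ObjectType = 'User'
                       RoleDefinitionName = 'Contributor'; Scope = "$sub/resourceGroups/testRG" }
    [pscustomobject]@{ DisplayName = 'testapp1'; ObjectType = 'ServicePrincipal'
                       RoleDefinitionName = 'Reader'; Scope = "$sub/resourcegroups/testrg" }
)

$sample |
    Add-AssignmentOrigin -QueriedScope "$sub/resourceGroups/testRG" |
    Format-Table -AutoSize

# Against a live subscription (requires a signed-in AzureRM session):
# Get-AzureRmRoleAssignment -ResourceGroupName testRG |
#     Add-AssignmentOrigin -QueriedScope "$sub/resourceGroups/testRG" |
#     Where-Object { $_.Privileged -and $_.Origin -eq 'Inherited' }
```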
RELATED LINKS
Online Version: https://docs.microsoft.com/en-us/powers ... assignment
New-AzureRmRoleAssignment
Remove-AzureRmRoleAssignment
Get-AzureRmRoleDefinition