Using PowerShell to query Azure RBAC assignments

Azure admins know the importance of enforcing role-based access control (RBAC), so finding an easy way to keep tabs on permissions for specific users can be useful. You can, of course, check the identity and access management (IAM) blades available on your resource groups and subscriptions, but for larger organizations, this can take time. Let PowerShell do the heavy lifting and query your RBAC assignments for you.

This elegant PowerShell tip comes from Microsoft cloud advocate Sonia Cuff. Sonia says these examples were run in Cloud Shell in the Azure Portal “to keep things simple.”

The command you’ll be using for this tip is Get-AzRoleAssignment. Sonia notes that this cmdlet is “going to query Azure for some information and return the results to us.”

One caveat: Sonia says that if you have several Azure subscriptions, “Cloud Shell will default to one of them, and your commands will query that subscription and its associated resources.” If that’s the case with you, simply run this command to change to the subscription you want to query:

Set-AzContext -SubscriptionName "My other subscription"

Because you are looking for RBAC assignments for a specific user, you will have to add a parameter to the PowerShell cmdlet. In this example, we’re adding the -SignInName parameter with the sign-in name of the specific user, who in this case is [email protected].

Here’s the command:

Get-AzRoleAssignment -SignInName [email protected]

And here’s the result displayed by PowerShell:

[Screenshot: full output of Get-AzRoleAssignment for the user. Image credit: Microsoft]

There’s a lot of information there, maybe too much information! But Sonia has the solution. This neat command pipes the results to a formatting cmdlet and gives you only the fields you want in a more readable format.

Get-AzRoleAssignment -SignInName [email protected] | FL DisplayName, RoleDefinitionName, Scope

And here is how that will look:

[Screenshot: output limited to DisplayName, RoleDefinitionName and Scope. Image credit: Microsoft]

By the way, the “FL” in the above command is simply the built-in alias for the PowerShell cmdlet Format-List.
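When a user has many assignments, the Scope column is the part worth reading closely, because a privileged role at subscription level or above reaches far more than the same role on one resource group. The following is an added example, not from Sonia's tip or Microsoft's documentation: Get-RbacAssignmentSummary is a hypothetical helper, the privileged-role list is an assumed policy, and the sample rows are constructed so the block runs without an Azure connection.

```powershell
# Added example. Get-RbacAssignmentSummary is a hypothetical helper, not an Az cmdlet.
function Get-RbacAssignmentSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Assignment,
        # Assumed policy: built-in roles that can modify resources or grant access.
        [string[]]$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')
    )
    process {
        # Derive the scope level from the shape of the scope path (matching is case-insensitive).
        $level = switch -Regex ($Assignment.Scope) {
            '^/$'                                                 { 'Root'; break }
            '^/providers/Microsoft\.Management/managementGroups/' { 'ManagementGroup'; break }
            '^/subscriptions/[^/]+/?$'                            { 'Subscription'; break }
            '^/subscriptions/[^/]+/resourceGroups/[^/]+/?$'       { 'ResourceGroup'; break }
            '^/subscriptions/[^/]+/resourceGroups/[^/]+/.+'       { 'Resource'; break }
            default                                               { 'Other' }
        }
        $broad = $level -in 'Root', 'ManagementGroup', 'Subscription'
        [pscustomobject]@{
            DisplayName        = $Assignment.DisplayName
            RoleDefinitionName = $Assignment.RoleDefinitionName
            ScopeLevel         = $level
            Scope              = $Assignment.Scope
            # Flag only the combination of a privileged role and a broad scope.
            NeedsReview        = $broad -and ($Assignment.RoleDefinitionName -in $PrivilegedRoles)
        }
    }
}

# Constructed sample rows with the three properties the article selects.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$sample = @(
    [pscustomobject]@{ DisplayName = 'Example User'; RoleDefinitionName = 'Owner';       Scope = $sub }
    [pscustomobject]@{ DisplayName = 'Example User'; RoleDefinitionName = 'Reader';      Scope = $sub }
    [pscustomobject]@{ DisplayName = 'Example User'; RoleDefinitionName = 'Contributor'; Scope = "$sub/resourceGroups/example-rg" }
)
$sample | Get-RbacAssignmentSummary | Format-Table -AutoSize

# Live use in Cloud Shell (replace the placeholder with the real sign-in name):
# Get-AzRoleAssignment -SignInName '<user sign-in name>' |
#     Get-RbacAssignmentSummary | Where-Object NeedsReview
```

With the sample rows, only the Owner assignment at subscription scope is flagged; the resource-group Contributor assignment is classified but not marked for review.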

Microsoft has a lot more information on the Get-AzRoleAssignment command and its various parameters in Microsoft Docs. You can find it here.

Featured image: Shutterstock / TechGenix photo illustration
