<#
Description:
Script connects to Az and lists every principal (user, group or service principal) that holds an ELIGIBLE (PIM) role assignment at subscription scope, across all Enabled subscriptions of one tenant. Active/permanent role assignments are not included; pair this with Get-AzRoleAssignment for a complete picture of who can reach a role.
Requirements:
- Az.Accounts PowerShell module
- Az.Resources PowerShell module (provides Get-AzRoleEligibilitySchedule)
- A signed-in account that can read role eligibility schedules in each subscription (e.g. Reader); subscriptions it cannot read are reported as warnings, not silently skipped
More details:
https://azure365addict.com/2025/03/04/auditing-azure-role-assignments-with-powershell/
#>
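# --- Connect to Azure -------------------------------------------------------
# The tenant is pinned explicitly so the audit can never run against a cached
# context for a different tenant. Connect-AzAccount -Tenant accepts a tenant
# ID (GUID) or a verified domain name.
$TenantId = "xxxxxxxxxx" # Add your Tenant Id here
if ([string]::IsNullOrWhiteSpace($TenantId) -or $TenantId -eq "xxxxxxxxxx") {
    # Fail fast instead of letting Connect-AzAccount fail (or prompt) with a placeholder.
    throw "Set `$TenantId to the tenant to audit before running this script."
}
Connect-AzAccount -Tenant $TenantId

# --- Enumerate subscriptions ------------------------------------------------
# Only Enabled subscriptions can be queried; -TenantId keeps the list scoped to
# the tenant we connected to even if the account has contexts in other tenants.
$Subscriptions = Get-AzSubscription -TenantId $TenantId | Where-Object { $_.State -eq "Enabled" }
if (-not $Subscriptions) {
    Write-Warning "No enabled subscriptions are visible to this account in tenant '$TenantId' - the report will be empty. Check the account's read permissions."
}

# --- Collect eligible (PIM) role assignments ---------------------------------
# NOTE: Get-AzRoleEligibilitySchedule returns eligibility schedules only.
# Active/permanent assignments (Get-AzRoleAssignment) are NOT part of this
# output, so this report alone does not show everyone who can reach a role.
# A generic List avoids the O(n^2) array re-allocation of `$array += $item`.
$EligibleAzureUserData = [System.Collections.Generic.List[object]]::new()
foreach ($Subscription in $Subscriptions) {
    $SubscriptionId = $Subscription.Id
    $Scope = "/subscriptions/$SubscriptionId"
    try {
        Set-AzContext -Subscription $SubscriptionId -ErrorAction Stop | Out-Null
        $RoleEligibilitySchedules = Get-AzRoleEligibilitySchedule -Scope $Scope -ErrorAction Stop
        if ($RoleEligibilitySchedules) {
            $EligibleAzureUserData.AddRange([object[]]@($RoleEligibilitySchedules))
        }
    }
    catch {
        # A subscription that cannot be read (missing permissions, PIM not
        # available, transient ARM error) must not vanish from an audit
        # without a trace: report it and continue with the remaining ones.
        Write-Warning "Could not read eligible assignments for subscription '$($Subscription.Name)' ($SubscriptionId): $($_.Exception.Message)"
    }
}

# --- Report -----------------------------------------------------------------
# PrincipalType is included because an eligibility granted to a Group widens
# silently whenever group membership changes; Scope (the full resource ID)
# disambiguates ScopeDisplayName, which is not unique across subscriptions.
$ReportColumns = @(
    'PrincipalDisplayName',
    'PrincipalEmail',
    'PrincipalId',
    'PrincipalType',
    'ScopeDisplayName',
    'Scope',
    'RoleDefinitionDisplayName'
)
$EligibleAzureUserData |
    Select-Object -Property $ReportColumns |
    Out-GridView -Title "Eligible Azure role assignments - tenant $TenantId ($($EligibleAzureUserData.Count) rows)"

# Export to CSV (uncomment and change $Path if needed)
#$Path = "C:\Temp\Azure-Get-Eligible-Role-Assignments.csv"
#$EligibleAzureUserData | Select-Object -Property $ReportColumns | Export-Csv -Path $Path -NoTypeInformation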