Menu
The GET request i am making to the below API
https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleAssignments?api-version=2017-10-01-preview
which gives me below format of response
{
"properties": {
"roleDefinitionId": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "fdef6f38-b48f-4358-8482-b243ea935082",
"principalType": "User",
"scope": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/resourceGroups/GE-RGrp-Kentico",
"createdOn": "2017-08-21T11:38:53.7973201Z",
"updatedOn": "2017-08-21T11:38:53.7973201Z",
"createdBy": "f418e9e8-becc-41d8-ab47-66a4c50403b5",
"updatedBy": "f418e9e8-becc-41d8-ab47-66a4c50403b5"
},
"id": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/resourceGroups/GE-RGrp-Kentico/providers/Microsoft.Authorization/roleAssignments/5e6caac9-c5fd-42f0-86c6-9e96b127be51",
"type": "Microsoft.Authorization/roleAssignments",
"name": "5e6caac9-c5fd-42f0-86c6-9e96b127be51"
}
But when i do the CLI call i get below response using
> az role assignment list
{
"id": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleAssignments/4096c146-b6f8-4f92-a700-a47742a5b321",
"name": "4096c146-b6f8-4f92-a700-a47742a5b321",
"properties": {
"additionalProperties": {
"createdBy": "c2024d65-cf17-45fd-b34b-09cd5c21cac7",
"createdOn": "2017-11-07T22:03:12.4998370Z",
"updatedBy": "c2024d65-cf17-45fd-b34b-09cd5c21cac7",
"updatedOn": "2017-11-07T22:03:12.4998370Z"
},
"principalId": "780925c0-a487-4529-9eb2-837aa67a4d8a",
"principalName": "[email protected]",
"roleDefinitionId": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
"roleDefinitionName": "Security Admin",
"scope": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31"
},
the above response does have the
"roleDefinitionName": "Security Admin"
but i want same response through API, please Help!!
259
The first method to find out your current RBAC permissions is using Azure Portal. Click on the user icon located on the upper left corner, and then click on My permissions. A new blade will show up with a drop-down menu with the Subscriptions.
In the Azure portal, click All services and then Subscriptions. Click the subscription you want to list the owners of. Click Access control (IAM). Click the Role assignments tab to view all the role assignments for this subscription.
To assign a role, use the az role assignment create command.
To get the role definition name, you need to make separate REST API calls and then perform a join on the client side.
If you run a network capture while running the Azure PowerShell or Azure CLI, it is straightforward to see the REST API calls.
List Role Assignments
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01
Sample response:
"value": [
{
"properties": {
"roleDefinitionId": "/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleDefinitions/<roleDefinitionId>",
"principalId": "<principalId>",
"scope": "/subscriptions/<subscriptionId>",
"createdOn": "2017-02-03T07:55:59.6345664Z",
"updatedOn": "2017-02-03T07:55:59.6345664Z",
"createdBy": "7c728184-cd9e-47ad-b72f-e7ac40b80624",
"updatedBy": "7c728184-cd9e-47ad-b72f-e7ac40b80624"
},
"id": "/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleAssignments/ea667734-e984-4726-bf0b-2116aaaedfde",
"type": "Microsoft.Authorization/roleAssignments",
"name": "ea667734-e984-4726-bf0b-2116aaaedfde"
},
List Role Definitions
GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?$filter=atScopeAndBelow()&api-version=2015-07-01
Sample response:
{
"properties": {
"roleName": "Contributor",
"type": "BuiltInRole",
"description": "Lets you manage everything except access to resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action"
]
}
],
"createdOn": "0001-01-01T08:00:00.0000000Z",
"updatedOn": "2016-12-14T02:04:45.1393855Z",
"createdBy": null,
"updatedBy": null
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/<roleDefinitionId>",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "<roleDefinitionId>"
},
Get AAD Objects - including principal name
POST https://graph.windows.net//getObjectsByObjectIds?api-version=1.6
{
"objectIds": [
"<objectId1>",
"<objectId2>",
...
],
"includeDirectoryObjectReferences": true
}
According to the Role Assignments - List REST API, there is no roleDefinitionName in the response. You could give your feedback to azure team. If want to get roleDefinitionName, we could use Role Definitions - Get By Id to do that.
{
"value": [
{
"properties": {
"roleDefinitionId": "/subscriptions/subId/providers/Microsoft.Authorization/roleDefinitions/roledefinitionId",
"principalId": "Pid",
"scope": "/subscriptions/subId/resourcegroups/rgname"
},
"id": "/subscriptions/subId/resourcegroups/rgname/providers/Microsoft.Authorization/roleAssignments/roleassignmentId",
"type": "Microsoft.Authorization/roleAssignments",
"name": "raId"
}
]
}
Update:
Unfortunately, there is no roleDefinitionName and principalName in the Role Assignments - List REST API response.
For 'principalName' we could use Service Principals - Get REST API to get it. The objectId value is the principalId that you get from Role Assignments - List REST API
Update2:
it seem the access token for graph.windows.net is different from management.azure.com? how i can find the token for graph?
The acquired access token resource should be https://graph.windows.net
The following is c# code demo to acquired the access token
string authority = "https://login.microsoftonline.com/{0}";
string graphResourceId = "https://graph.windows.net";
string tenantId = "tenantId";
string clientId = "clientId";
string secretKey = "secretKey";
authority = String.Format(authority, tenantId);
AuthenticationContext authContext = new AuthenticationContext(authority);
var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secretKey)).Result.AccessToken;
Note: You also need to grant [Read directory data] Permissions for Windows Azure Active Directory in the azure portal
42
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
