forked from Azure/enterprise-azure-policy-as-code
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Get-AzUserRoleAssignments.ps1
82 lines (61 loc) · 3.63 KB
/
Get-AzUserRoleAssignments.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
<#
.SYNOPSIS
Gets all user role assignments in all subscriptions in the target tenant.
.PARAMETER PacEnvironmentSelector
Defines which Policy as Code (PAC) environment we are using, if omitted, the script prompts for a value. The values are read from `$DefinitionsRootFolder/global-settings.jsonc.
.PARAMETER DefinitionsRootFolder
Definitions folder path. Defaults to environment variable `$env:PAC_DEFINITIONS_FOLDER or './Definitions'.
.PARAMETER OutputFileName
Output file name. Defaults to environment variable `$env:PAC_OUTPUT_FOLDER/Users/RoleAssignments.csv or './Outputs/Users/RoleAssignments.csv'.
.PARAMETER Interactive
Set to false if used non-interactive
.EXAMPLE
.\Get-AzUserRoleAssignments.ps1 -PacEnvironmentSelector "dev" -DefinitionsRootFolder "C:\Src\Definitions" -OutputFolder "C:\Src\Outputs" -Interactive $true
Gets all user role assignments in all subscriptions in the target tenant.
.EXAMPLE
.\Get-AzUserRoleAssignments.ps1 -Interactive $true
Gets all user role assignments in all subscriptions in the target tenant. The script prompts for the PAC environment and uses the default definitions and output folders.
#>
[CmdletBinding()]
param(
[parameter(Mandatory = $false, HelpMessage = "Defines which Policy as Code (PAC) environment we are using, if omitted, the script prompts for a value. The values are read from `$DefinitionsRootFolder/global-settings.jsonc.", Position = 0)]
[string] $PacEnvironmentSelector,
[Parameter(Mandatory = $false, HelpMessage = "Definitions folder path. Defaults to environment variable `$env:PAC_DEFINITIONS_FOLDER or './Definitions'.")]
[string]$DefinitionsRootFolder,
[Parameter(Mandatory = $false, HelpMessage = "Output file name. Defaults to environment variable `$env:PAC_OUTPUT_FOLDER/Users/RoleAssignments.csv or './Outputs/Users/RoleAssignments.csv'.")]
[string] $OutputFileName,
[Parameter(Mandatory = $false, HelpMessage = "Set to false if used non-interactive")]
[bool] $Interactive = $true
)
# Dot Source Helper Scripts
. "$PSScriptRoot/../Helpers/Add-HelperScripts.ps1"
$InformationPreference = "Continue"
Invoke-AzCli config set extension.use_dynamic_install=yes_without_prompt -SuppressOutput
$pacEnvironment = Select-PacEnvironment $PacEnvironmentSelector -DefinitionsRootFolder $DefinitionsRootFolder -OutputFolder $OutputFolder -Interactive $Interactive
$null = Set-AzCloudTenantSubscription -Cloud $pacEnvironment.cloud -TenantId $pacEnvironment.tenantId -subscriptionId $pacEnvironment.defaultSubscriptionId -Interactive $pacEnvironment.interactive
$targetTenant = $environment.targetTenant
if ($OutputFileName -eq "") {
$OutputFileName = "$($environment.outputFolder)/Users/RoleAssignments.csv"
}
Write-Information "==================================================================================================="
Write-Information "Processing"
Write-Information "==================================================================================================="
$subs = Get-AzSubscription -TenantId $targetTenant | Where-Object { $_.state -EQ "Enabled" }
$assignments = @()
foreach ($sub in $subs) {
Set-AzContext -Subscription $sub.name
Write-Output $sub.Name
$assignments += Get-AzRoleAssignment | Where-Object { $_.ObjectType -eq "User" -and $_.Scope -notlike "*managementGroups*" } | Select-Object displayname, signinname, RoleDefinitionName, scope, @{
Name = 'Subscription'
Expression = { $sub.Name }
}
}
if ($OutputFileName) {
if (-not (Test-Path $OutputFileName)) {
New-Item $OutputFileName -Force
}
Export-Csv -Path $OutputFileName -NoTypeInformation
}
else {
$assignments
}