shab

Reputation: 999

How to get list of all roles assignments using RBAC API

The GET request I am making to the below API

https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleAssignments?api-version=2017-10-01-preview

which gives me the below format of response

{
    "properties": {
        "roleDefinitionId": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
        "principalId": "fdef6f38-b48f-4358-8482-b243ea935082",
        "principalType": "User",
        "scope": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/resourceGroups/GE-RGrp-Kentico",
        "createdOn": "2017-08-21T11:38:53.7973201Z",
        "updatedOn": "2017-08-21T11:38:53.7973201Z",
        "createdBy": "f418e9e8-becc-41d8-ab47-66a4c50403b5",
        "updatedBy": "f418e9e8-becc-41d8-ab47-66a4c50403b5"
    },
    "id": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/resourceGroups/GE-RGrp-Kentico/providers/Microsoft.Authorization/roleAssignments/5e6caac9-c5fd-42f0-86c6-9e96b127be51",
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "5e6caac9-c5fd-42f0-86c6-9e96b127be51"
}

But when I do the CLI call I get the below response using

> az  role assignment list

{
    "id": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleAssignments/4096c146-b6f8-4f92-a700-a47742a5b321",
    "name": "4096c146-b6f8-4f92-a700-a47742a5b321",
    "properties": {
      "additionalProperties": {
        "createdBy": "c2024d65-cf17-45fd-b34b-09cd5c21cac7",
        "createdOn": "2017-11-07T22:03:12.4998370Z",
        "updatedBy": "c2024d65-cf17-45fd-b34b-09cd5c21cac7",
        "updatedOn": "2017-11-07T22:03:12.4998370Z"
      },
      "principalId": "780925c0-a487-4529-9eb2-837aa67a4d8a",
      "principalName": "[email protected]",
      "roleDefinitionId": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
      "roleDefinitionName": "Security Admin",
      "scope": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31"
    },

the above response does have the

"roleDefinitionName": "Security Admin"

but I want the same response through the API, please help!!

Upvotes: 7

Views: 5703

Answers (2)

Andy Shen

Reputation: 992

To get the role definition name, you need to make separate REST API calls and then perform a join on the client side.

If you run a network capture while running the Azure PowerShell or Azure CLI, it is straightforward to see the REST API calls.

List Role Assignments

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01

Sample response:

"value": [
    {
        "properties": {
            "roleDefinitionId": "/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleDefinitions/<roleDefinitionId>",
            "principalId": "<principalId>",
            "scope": "/subscriptions/<subscriptionId>",
            "createdOn": "2017-02-03T07:55:59.6345664Z",
            "updatedOn": "2017-02-03T07:55:59.6345664Z",
            "createdBy": "7c728184-cd9e-47ad-b72f-e7ac40b80624",
            "updatedBy": "7c728184-cd9e-47ad-b72f-e7ac40b80624"
        },
        "id": "/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleAssignments/ea667734-e984-4726-bf0b-2116aaaedfde",
        "type": "Microsoft.Authorization/roleAssignments",
        "name": "ea667734-e984-4726-bf0b-2116aaaedfde"
    },

List Role Definitions

GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?$filter=atScopeAndBelow()&api-version=2015-07-01

Sample response:

    {
        "properties": {
            "roleName": "Contributor",
            "type": "BuiltInRole",
            "description": "Lets you manage everything except access to resources.",
            "assignableScopes": [
                "/"
            ],
            "permissions": [
                {
                    "actions": [
                        "*"
                    ],
                    "notActions": [
                        "Microsoft.Authorization/*/Delete",
                        "Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/elevateAccess/Action"
                    ]
                }
            ],
            "createdOn": "0001-01-01T08:00:00.0000000Z",
            "updatedOn": "2016-12-14T02:04:45.1393855Z",
            "createdBy": null,
            "updatedBy": null
        },
        "id": "/providers/Microsoft.Authorization/roleDefinitions/<roleDefinitionId>",
        "type": "Microsoft.Authorization/roleDefinitions",
        "name": "<roleDefinitionId>"
    },

Get AAD Objects - including principal name

POST https://graph.windows.net//getObjectsByObjectIds?api-version=1.6

{
  "objectIds": [
    "<objectId1>",
    "<objectId2>",
    ...
  ],
  "includeDirectoryObjectReferences": true
}

Upvotes: 3
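The client-side join this answer describes, written out as an added example (not code from the answer or from Azure): it takes the three responses (role assignments, role definitions, directory objects) in the shapes quoted above and resolves roleDefinitionName and principalName. The sample data is constructed; "SUB", the ra-/1111/2222/9999 ids and the user name are placeholders, the Contributor role id is the one from the question, and it is an assumption that users expose userPrincipalName and other object types displayName in the getObjectsByObjectIds result. Note the join key: the assignment points at the role through a subscription-scoped path while roleDefinitions/list returns built-in roles under /providers/, so only the trailing GUID matches.

```python
# Constructed sample responses shaped like the three calls in this answer (SUB and ids are placeholders).
ROLE_ASSIGNMENTS = {"value": [
    {"id": "/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Authorization/roleAssignments/ra-0001",
     "properties": {
         "roleDefinitionId": "/subscriptions/SUB/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
         "principalId": "11111111-1111-1111-1111-111111111111",
         "scope": "/subscriptions/SUB/resourceGroups/rg1"}},
    {"id": "/subscriptions/SUB/providers/Microsoft.Authorization/roleAssignments/ra-0002",
     "properties": {
         "roleDefinitionId": "/subscriptions/SUB/providers/Microsoft.Authorization/roleDefinitions/99999999-9999-9999-9999-999999999999",
         "principalId": "22222222-2222-2222-2222-222222222222",
         "scope": "/subscriptions/SUB"}},
]}
# Built-in definitions are returned under /providers/..., not under the subscription path.
ROLE_DEFINITIONS = {"value": [
    {"id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
     "properties": {"roleName": "Contributor", "type": "BuiltInRole"}},
]}
# getObjectsByObjectIds result: only the first principal still exists in the directory.
DIRECTORY_OBJECTS = {"value": [
    {"objectId": "11111111-1111-1111-1111-111111111111", "objectType": "User",
     "userPrincipalName": "alice@contoso.example"},
]}

def role_guid(resource_id):
    """Join on the trailing GUID: the assignment references the role via a subscription
    path, while the definition list returns built-in roles under /providers/."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1].lower()

def principal_name(obj):
    # Assumption: users carry userPrincipalName, groups and service principals a displayName.
    return obj.get("userPrincipalName") or obj.get("displayName")

def join_role_assignments(assignments, definitions, directory_objects):
    """Client-side join that adds roleDefinitionName and principalName to each assignment."""
    roles = {role_guid(d["id"]): d["properties"]["roleName"] for d in definitions["value"]}
    names = {o["objectId"].lower(): principal_name(o) for o in directory_objects["value"]}
    rows = []
    for a in assignments["value"]:
        p = a["properties"]
        rows.append({"id": a["id"], "scope": p["scope"], "principalId": p["principalId"],
                     "principalName": names.get(p["principalId"].lower()),  # None: not in directory
                     "roleDefinitionId": p["roleDefinitionId"],
                     "roleDefinitionName": roles.get(role_guid(p["roleDefinitionId"]))})  # None: unknown role
    return rows

def unresolved(rows):
    """Assignments whose principal or role did not resolve (deleted identity, missing definition)."""
    return [r["id"] for r in rows if r["principalName"] is None or r["roleDefinitionName"] is None]
```

Assignments that `unresolved()` reports are the ones an access review should look at first: a principal that no longer exists in the directory or a role id with no definition is not something to drop from the listing silently.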

Tom Sun

Reputation: 24529

According to the Role Assignments - List REST API, there is no roleDefinitionName in the response. You could give your feedback to the Azure team. If you want to get roleDefinitionName, we could use Role Definitions - Get By Id to do that.

{
  "value": [
    {
      "properties": {
        "roleDefinitionId": "/subscriptions/subId/providers/Microsoft.Authorization/roleDefinitions/roledefinitionId",
        "principalId": "Pid",
        "scope": "/subscriptions/subId/resourcegroups/rgname"
      },
      "id": "/subscriptions/subId/resourcegroups/rgname/providers/Microsoft.Authorization/roleAssignments/roleassignmentId",
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "raId"
    }
  ]
}

Update:

Unfortunately, there is no roleDefinitionName and principalName in the Role Assignments - List REST API response.

For 'principalName' we could use the Service Principals - Get REST API to get it. The objectId value is the principalId that you get from the Role Assignments - List REST API.

Update2:

It seems the access token for graph.windows.net is different from management.azure.com? How can I find the token for graph?

The acquired access token resource should be https://graph.windows.net. The following is a C# code demo to acquire the access token:

using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential

string authority = "https://login.microsoftonline.com/{0}";
// The resource (token audience) must be the Graph endpoint; a token issued for
// management.azure.com is not accepted by graph.windows.net.
string graphResourceId = "https://graph.windows.net";
string tenantId = "tenantId";     // your AAD tenant id
string clientId = "clientId";     // application (client) id
string secretKey = "secretKey";   // application secret
authority = String.Format(authority, tenantId);
AuthenticationContext authContext = new AuthenticationContext(authority);
// Client-credential flow: the app authenticates as itself, no user sign-in
var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secretKey)).Result.AccessToken;

Note: You also need to grant the [Read directory data] permission for Windows Azure Active Directory to the application in the Azure portal.


Upvotes: 1
