Tacot

Reputation: 194

Using Azure Resource Graph to get other users' resources

I am trying to query, with an app ID, all the resources a user has. My current implementation is to get all the resources my app has access to, and then query the RBAC of each one of those resources to see if the user has access. It seems to be way too many calls for something that can be done for my current user using Azure Resource Graph. Is there a way to use Azure Resource Graph but specify which user I want to get the resources for (assuming my app has reader access to all resources in the tenant)?

Upvotes: 1

Views: 2211

Answers (1)

Joy Wang

Reputation: 42063

From your description, what you need to find is the role assignments in your subscription, whose resource type is Microsoft.Authorization/roleAssignments, which is not included in the Azure Resource Graph.

Your option is to use the REST API - Role Assignments - List, filtered with the ObjectId of the user in Azure AD. To get the access token to call the REST API with the AD App (the AppId you mentioned), you need to use the client credential flow; refer to this link.

Sample:

GET https://management.azure.com/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleAssignments?$filter=principalId eq '<object-id>'&api-version=2018-09-01-preview

Check the scope in the response: they are the resources the user can access.

Upvotes: 1
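The procedure in the answer above, as an added example (this is not code from the original post or from Microsoft): acquire a token for the app with the client-credentials flow, list role assignments filtered by the user's object ID, then map each assignment's scope onto a resource list such as the one the app already gets from Azure Resource Graph. The point the example adds is that a scope is a prefix, not a single resource: an assignment at a resource group or subscription covers everything beneath it, and the match has to be per path segment so that `rg-a` does not cover `rg-a2`. The token endpoint and the ARM API version are the real ones (the version is the one quoted in the answer); the subscription ID, object IDs, assignment records and resource IDs are constructed sample data.

```python
"""Added example: role assignments for one principal -> resources it can reach.

Network calls (get_token, list_role_assignments) use only the standard library.
Everything else is pure so it can run offline against the constructed sample.
"""
import json
import urllib.parse
import urllib.request

MGMT = "https://management.azure.com"
API_VERSION = "2018-09-01-preview"  # version quoted in the answer above


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials flow (Azure AD v2.0 token endpoint). Network call."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://management.azure.com/.default",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def role_assignments_url(subscription_id: str, principal_object_id: str) -> str:
    """Build the list URL from the answer, with the OData filter percent-encoded."""
    filt = urllib.parse.quote(f"principalId eq '{principal_object_id}'")
    return (f"{MGMT}/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Authorization/roleAssignments"
            f"?$filter={filt}&api-version={API_VERSION}")


def list_role_assignments(token: str, subscription_id: str, principal_object_id: str) -> list:
    """GET the assignments, following nextLink paging. Network call."""
    url = role_assignments_url(subscription_id, principal_object_id)
    assignments = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        assignments.extend(page.get("value", []))
        url = page.get("nextLink")
    return assignments


def scope_covers(scope: str, resource_id: str) -> bool:
    """True if resource_id is at or below scope, compared per path segment and
    case-insensitively (ARM IDs are not case-normalised)."""
    s = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def accessible_resources(assignments: list, resource_ids: list) -> list:
    """Resources (e.g. from a Resource Graph query run as the app) that at least
    one of the principal's assignments covers. Management-group scopes are not
    expanded here; they would need the subscription's ancestry (assumption)."""
    scopes = [a["properties"]["scope"] for a in assignments]
    return sorted(rid for rid in resource_ids if any(scope_covers(s, rid) for s in scopes))


# ---- constructed sample data (not real tenants, users or resources) ----
SUB = "00000000-0000-0000-0000-000000000000"
USER = "11111111-1111-1111-1111-111111111111"
RG_A = f"/subscriptions/{SUB}/resourceGroups/rg-a"
VM_B1 = f"/subscriptions/{SUB}/resourceGroups/rg-b/providers/Microsoft.Compute/virtualMachines/vm-b1"

SAMPLE_ASSIGNMENTS = [  # shape of the "value" entries returned by the list call
    {"id": f"{RG_A}/providers/Microsoft.Authorization/roleAssignments/aaaa",
     "properties": {"scope": RG_A, "principalId": USER}},
    {"id": f"{VM_B1}/providers/Microsoft.Authorization/roleAssignments/bbbb",
     "properties": {"scope": VM_B1, "principalId": USER}},
]
SAMPLE_RESOURCES = [  # what a Resource Graph query run as the app might return
    f"/subscriptions/{SUB}/resourceGroups/rg-a/providers/Microsoft.Storage/storageAccounts/sta1",
    f"/subscriptions/{SUB}/resourceGroups/rg-a2/providers/Microsoft.Storage/storageAccounts/sta2",
    VM_B1,
    f"/subscriptions/{SUB}/resourceGroups/rg-b/providers/Microsoft.Compute/virtualMachines/vm-b2",
]


def demo() -> list:
    """Offline run over the constructed sample: rg-a covers sta1 but not rg-a2's
    sta2; the VM-scoped assignment covers vm-b1 only."""
    return accessible_resources(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCES)


if __name__ == "__main__":
    print(role_assignments_url(SUB, USER))
    for rid in demo():
        print(rid)
```

Two things to keep in mind when using this for real: `principalId eq '<object-id>'` returns only assignments made directly to that object ID, so access the user gets through group membership shows up under the group's object ID, not the user's; either repeat the call for each of the user's groups or use the `assignedTo('<object-id>')` filter, which ARM documents as including assignments inherited from groups. Also, a Reader at subscription scope for the app is enough to list assignments on the subscription, but Deny assignments and Azure AD directory roles are not reflected in this list.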
