Reputation: 179
Where to see a list of Azure AD roles that a serivice princple have?
As shown in the picture, I'm in "Azure AD" -> "Enterprise applications" blade -> then open up my service principle details.
All I want to know is what Azure AD role (not Azure role RBAC) does this SP currently has.
I checked the "Roles and administrators" blade, looks like all it does is show a list of what role can be assigned to this SP but not what has already been assigned.
To me, this blade is so misleading and useless. (I was thinking this SP has already assigned this many roles....)
I even tried the "az ad sp show" command, it does not show what Azure AD role is assigned to this SP neither.
Where can I see it then?
Upvotes: 1
Views: 1336
Answers (3)
Reputation: 2040
I'm not sure that you can see this from the Portal, but you can find out with the below.
Get-AzureAdMsRoleAssignment requires the AzureADPreview module
# the Enterprise Application's object ID
$appObjectId = ""
$roles = @()
$rolesAssignedId = (Get-AzureAdMsRoleAssignment -filter "PrincipalId eq '$appObjectId'").RoleDefinitionId
foreach ($roleId in $rolesAssignedId)
{
$roleName = (Get-AzureADDirectoryRoleTemplate | where {$_.ObjectId -eq $roleId}).DisplayName
$roles += $roleName
}
$roles
Upvotes: 1
Reputation: 3814
This is not done at the SP level, you need to review role assignments at the scope they are assigned (Management Group, Subscription, etc). If you think about it, it makes sense. If you just saw the role Owner, that wouldn't mean much if you didn't see the scope it is assigned to. Owner of an RG is much different than an Owner of a Subscription.
You can download role assignments at a scope in CSV or JSON formats. Follow these steps to download role assignments at a scope.
In the Azure portal, click All services and then select the scope where you want to download the role assignments. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.
- Click the specific resource.
- Click Access control (IAM).
- Click Download role assignments to open the Download role assignments pane.
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal
Upvotes: 0
Reputation: 3902
You have a tiny dropdown button next to Search bar, that's where you can toggle between Assignable: yes and Assignable: no.
When you set to no, you see the roles your sp is assigned at AD level.
In our case, "Directory readers" & so on., which are AD level roles rather RBAC ones.
Upvotes: 0
Related Questions
- Where are the az role assignments listed
- Retrieve App role assignments using Azure CLI
- How to view the roles and permissions granted to any database user in Azure SQL server instance?
- How can I list all of my permissions derived from roles in Azure?
- AzureAD Powershell list all available roles rather than assigned roles
- How to get list of all roles assignments using RBAC API
- Get all AppRole assignments in Azure Active Directory
- Where can I find a mapping between roles and authentication mechanisms for azure services?
- Azure Active directory Roles Management
- How to discover role instances in Azure?