Azgu

Reputation: 19

How to get the role assignments of a resource through Resource Graph API?

I want to use the Azure Resource Graph API to get the role assignments of a resource (who are owners, contributors, etc.). That is, I want to create a query that finds the role assignments for a specific resource id that I provide. I've been going through the documentation, but I haven't found any way to get this information.

The only thing I found was this question from a couple of years ago, where it is mentioned as something that could be done somehow ("query the RBAC of each one of those resources").

Could anyone point me to how this could be done? Or is it not possible to do in Resource Graph API, and I need to use the Management API or something else?

I searched through the Azure Resource Graph table and resource type reference and the Advanced Resource Graph query samples, but didn't find an answer.

Upvotes: 0

Views: 2418

Answers (1)

Rukmini

Reputation: 15554

I tried to reproduce the same in my environment and got the results below:

I created an Azure AD application and added API permissions:

I generated an access token using the below parameters:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:xxxxxx-xxx-xxx-xxxx-xxxxxxxx
client_secret:ClientSecret
scope:https://management.azure.com//.default
grant_type:client_credentials

To list the Role assignments in the subscription scope, I used the below query:

GET https://management.azure.com/subscriptions/subscriptionId/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01

Based on your requirement, you can change the scope and add the filter to get the role assignments. Refer to the MsDoc below:

List Azure role assignments using the REST API - Azure RBAC

Currently it is not feasible to retrieve the role assignments via Azure Resource Graph. Alternatively, you can make use of Azure PowerShell or Azure CLI.

Get-AzRoleAssignment -Scope "/subscriptions/SubscriptionId/resourcegroups/RGName/providers/Providername/ResourceType/Resource"

Upvotes: 0
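
Added example (not part of the original answer): a Python sketch of the "change the scope and add the filter" step for a single resource ID, which builds the REST URL with the documented `$filter=atScope()` option and then splits the returned assignments into direct grants and grants inherited from a parent scope. The function names, the `SAMPLE` response and every ID in it are constructed placeholders; the role GUIDs are the built-in Owner, Contributor and Reader definitions.

```python
from urllib.parse import quote

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"  # same api-version as the request in the answer
# Well-known built-in role GUIDs; any other role is reported by its GUID.
BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
}

def role_assignments_url(resource_id):
    """URL that lists the role assignments applying at one resource's scope."""
    scope = "/" + resource_id.strip("/")
    return (f"{ARM}{quote(scope)}/providers/Microsoft.Authorization/roleAssignments"
            f"?api-version={API_VERSION}&$filter=atScope()")

def summarize(resource_id, response):
    """Return (role, principalId, principalType, origin) rows, direct grants first."""
    target = "/" + resource_id.strip("/").lower()  # ARM IDs are case-insensitive
    rows = []
    for item in response.get("value", []):
        props = item["properties"]
        guid = props["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        scope = "/" + props["scope"].strip("/").lower()
        if scope == target:
            origin = "direct"
        elif scope == "/" or target.startswith(scope + "/"):
            origin = "inherited from " + props["scope"]
        else:
            continue  # assignment at an unrelated scope: not effective here
        rows.append((BUILTIN_ROLES.get(guid, guid), props["principalId"],
                     props.get("principalType", "Unknown"), origin))
    return sorted(rows, key=lambda r: (r[3] != "direct", r[0]))

# Constructed sample data: placeholder subscription, resource and principal IDs.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo"
RD = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
def _item(role_guid, principal, ptype, scope):
    return {"properties": {"roleDefinitionId": RD + role_guid, "principalId": principal,
                           "principalType": ptype, "scope": scope}}
SAMPLE = {"value": [
    _item("8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "11111111-1111-1111-1111-111111111111", "User", SUB),
    _item("acdd72a7-3385-48ef-bd42-f606fba81ae7", "22222222-2222-2222-2222-222222222222", "ServicePrincipal", RESOURCE),
    _item("b24988ac-6180-42a0-ab88-20f7382dd24c", "33333333-3333-3333-3333-333333333333", "Group", SUB + "/resourceGroups/rg-other"),
]}

if __name__ == "__main__":
    print(role_assignments_url(RESOURCE), *summarize(RESOURCE, SAMPLE), sep="\n")
```

Against a live tenant, send the URL with the bearer token obtained as in the answer and pass the parsed JSON body to `summarize`; inherited Owner or Contributor rows are the ones that do not show up when only the resource's own assignments are reviewed.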
