I am using this [subscription api](https://management.azure.com/subscriptions?api-version=2020-01-01) to get the Azure subscription details, but in the response we are getting the authorization source as role based. How can we fetch the users present in that subscription, and what are their permissions (e.g. owner, reader)?


  • You can use this API to get all role assignments of your subscription: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-rest But it is not so convenient, as you can only get the user ID and role definition ID; you will need to do some other actions if you want to get the user and role display names. It will be much easier to get all the information you want if you use Azure PowerShell. – Stanley Gong Feb 16 '21 at 05:42
  • Thanks @StanleyGong, but we need an API to do this action – Krishnareddy Chinthireddy Feb 16 '21 at 08:04
  • Welcome, so do you have any more questions about it? If not, I'll summarize it as an answer :) – Stanley Gong Feb 16 '21 at 08:16
  • @StanleyGong you have mentioned that we need to do some other actions to get the user and role display names. Please can I know what those actions are? – Krishnareddy Chinthireddy Feb 16 '21 at 08:31
  • Hi @KrishnareddyChinthireddy, sure, I have posted all the steps to get Azure subscription role assignments. Could you please accept it if it helps you? – Stanley Gong Feb 16 '21 at 09:20
  • Hi @StanleyGong, thanks a lot, I have gone through the APIs and it helped me a lot. A quick small query: by passing the role definition ID in the 1st API we are getting the list of all users. Is there any filter or parameter so I can get only my role assignment (I mean by passing the user mail ID as a param, not by passing the object ID)? – Krishnareddy Chinthireddy Feb 16 '21 at 10:17
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/228789/discussion-between-krishnareddy-chinthireddy-and-stanley-gong). – Krishnareddy Chinthireddy Feb 16 '21 at 10:25
  • May I know if you have any other questions? If not, please click on the check mark beside the answer to toggle it from greyed out to filled in to accept it as an answer. If you accept answers on time, others will be more glad to assist you :) – Stanley Gong Feb 22 '21 at 02:33

1 Answer

Firstly, you can use this API to get the role assignments of your subscription, just as below:

Each item record represents a role assignment. You can find roleDefinitionId, which means the role you assigned, and principalId, which means the Azure AD app or user the role is assigned to.

So if you want to get the details about the role information, you should call the API below separately:

GET https://management.azure.com/<value of roleDefinitionId>?api-version=2018-07-01


And if you want to get the detailed information of principalId, you should call the Microsoft Graph API: get directory object, just as below:


If you just want to query the subscription roles assigned to a user/Azure AD application, it will be much easier, as this API provides a $filter param for us. Let's say you have a user's object ID; you can filter this user's roles with the request below:


Stanley Gong
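The three lookups described in the answer, joined into a "who holds which role" view for an access review. This is an added example, not code from the original answer. The roleAssignments api-version (2022-04-01), the `principalId eq '<object ID>'` filter form, the response field names and every ID and name in the sample data are assumptions or constructed placeholders.

```python
from urllib.parse import quote

ARM = "https://management.azure.com"
GRAPH = "https://graph.microsoft.com/v1.0"

def assignments_url(subscription_id, principal_id=None, api_version="2022-04-01"):
    """Step 1: list role assignments; optionally $filter to one principal's object ID."""
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/"
           f"Microsoft.Authorization/roleAssignments?api-version={api_version}")
    if principal_id:
        url += "&$filter=" + quote(f"principalId eq '{principal_id}'")
    return url

def role_definition_url(role_definition_id):
    """Step 2: roleDefinitionId is already a full resource path (the answer's GET line)."""
    return f"{ARM}{role_definition_id}?api-version=2018-07-01"

def principal_url(principal_id):
    """Step 3: Microsoft Graph 'get directory object' for the principalId."""
    return f"{GRAPH}/directoryObjects/{principal_id}"

def join_assignments(assignments, role_defs, principals):
    """Join the three responses into readable rows; unresolved IDs stay visible."""
    rows = []
    for item in assignments["value"]:
        props = item["properties"]
        role_def = role_defs.get(props["roleDefinitionId"], {})
        role = role_def.get("properties", {}).get("roleName", "<unresolved role>")
        who = principals.get(props["principalId"], {})
        name = who.get("userPrincipalName") or who.get("displayName") or props["principalId"]
        rows.append({"principal": name, "role": role, "scope": props["scope"]})
    return rows

# Constructed sample responses (placeholder IDs, trimmed to the fields used).
SUB = "00000000-0000-0000-0000-000000000000"
RD = f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/"
ASSIGNMENTS = {"value": [
    {"properties": {"roleDefinitionId": RD + "1111", "principalId": "aaaa", "scope": f"/subscriptions/{SUB}"}},
    {"properties": {"roleDefinitionId": RD + "2222", "principalId": "bbbb", "scope": f"/subscriptions/{SUB}"}},
    {"properties": {"roleDefinitionId": RD + "2222", "principalId": "cccc", "scope": f"/subscriptions/{SUB}"}},
]}
ROLE_DEFS = {RD + "1111": {"properties": {"roleName": "Owner"}},
             RD + "2222": {"properties": {"roleName": "Reader"}}}
PRINCIPALS = {"aaaa": {"userPrincipalName": "alice@example.com"},
              "bbbb": {"displayName": "build-pipeline-app"}}  # "cccc" not resolvable

if __name__ == "__main__":
    for row in join_assignments(ASSIGNMENTS, ROLE_DEFS, PRINCIPALS):
        print(row)
```

A principal that Graph cannot resolve (here "cccc") is kept in the output under its raw object ID, so an assignment to a deleted or foreign identity is not silently dropped from the review.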