Get users and groups that have access to an Azure resource

Posted on 2025-01-10 12:28:13


I have a resource named devtest. I want to get the list from the IAM -> Role assignments blade using the Azure CLI or REST API:

[screenshot: Role assignments blade]

How can I retrieve that information (group-id, display name, etc.) programmatically? Is it possible to get a list of the users and groups that have access to a resource?

For example, using Graph I'm allowed to get the groups that the signed-in user belongs to:

POST https://graph.microsoft.com/v1.0/me/getMemberGroups
Request Body:
{
    "securityEnabledOnly": true
}

Response:
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
    "value": [
        // group ids here
    ]
}

But how do I do something similar for a resource and get the list of users and groups that have a role in that resource?

EDIT:

When we go to the Role assignments blade, Azure calls the endpoint:

POST https://graph.windows.net/{subscriptionId}/getObjectsByObjectIds

Request body:
{ "objectIds":[ "bunch unknown ids here" ],"includeDirectoryObjectReferences":true }

And I am getting a response like:

[screenshot: getObjectsByObjectIds response]

That is related to what I am seeing in the Role assignments tab, but not all positions are returned. In these responses we don't have information about the role; how do I dig into them?


Comments (1)

心安伴我暖 2025-01-17 12:28:13


You can use the cmdlets below to list all the role assignments of a resource & their respective groups (if the object type of the role assignment is other than User, it won't give you any output).

Here is the Script:

Connect-AzAccount  # Authenticates to Azure Resource Manager; required for Get-AzRoleAssignment
Connect-AzureAD    # Mandatory to authenticate with Azure AD & to further run the Get-AzureADUserMembership cmdlet
# Role assignments on the resource (including those inherited from parent scopes),
# filtered to User principals only; group and service-principal assignments are dropped here
$rbac = Get-AzRoleAssignment -ResourceGroupName '<RgName>' -ResourceName '<ResourceName>' -ResourceType 'Microsoft.KeyVault/vaults' |
    Where-Object -Property ObjectType -EQ 'User' |
    Select-Object -Property SignInName, ObjectId, RoleDefinitionName
Write-Output $rbac
# For each assigned user, list the directory groups and roles the user is a member of
foreach ($item in $rbac)
{
    Get-AzureADUserMembership -ObjectId $item.ObjectId | Select-Object -Property *
}

Here is the sample output for reference:

[screenshots: sample output]
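As an added example (not code from the question or the answer above), here is a PowerShell version that keeps group and service-principal assignments instead of filtering to users, expands each group's members so the effective users behind a group assignment are visible, and flags assignments inherited from a parent scope, which is why the portal blade can show more rows than a narrow query. The subscription id, resource group and resource names in `$scope` are placeholders, and the Az and AzureAD modules are assumed to be installed.

```powershell
# Added example (not from the original post or answer). Assumes the Az and AzureAD
# modules are installed and both logins succeed; the scope below is a placeholder.
Connect-AzAccount | Out-Null   # ARM login: needed for Get-AzRoleAssignment
Connect-AzureAD  | Out-Null    # Azure AD login: needed for Get-AzureADGroupMember

# Placeholder scope of the resource (the question's example is a Key Vault named devtest)
$scope = '/subscriptions/<subscriptionId>/resourceGroups/<RgName>/providers/Microsoft.KeyVault/vaults/devtest'

# Get-AzRoleAssignment -Scope returns assignments made at this scope and at parent scopes
# (resource group, subscription, management group), which is what the portal blade shows.
$assignments = Get-AzRoleAssignment -Scope $scope

$report = foreach ($a in $assignments) {
    $inherited = $a.Scope -ne $scope
    # Direct entry for the principal itself. ObjectType is User, Group, ServicePrincipal,
    # or Unknown when the object was deleted from the directory but the assignment remains.
    [pscustomobject]@{
        Principal     = if ($a.SignInName) { $a.SignInName } else { $a.DisplayName }
        PrincipalType = $a.ObjectType
        ObjectId      = $a.ObjectId
        Role          = $a.RoleDefinitionName
        Via           = '(direct)'
        AssignedAt    = $a.Scope
        Inherited     = $inherited
    }
    if ($a.ObjectType -eq 'Group') {
        # Expand group membership. Nested groups show up as members of type Group
        # and are not expanded further by this example.
        Get-AzureADGroupMember -ObjectId $a.ObjectId -All $true | ForEach-Object {
            [pscustomobject]@{
                Principal     = if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName }
                PrincipalType = $_.ObjectType
                ObjectId      = $_.ObjectId
                Role          = $a.RoleDefinitionName
                Via           = "group:$($a.DisplayName)"
                AssignedAt    = $a.Scope
                Inherited     = $inherited
            }
        }
    }
}

# One row per principal per role; Inherited = True means the grant was not made on the resource itself
$report | Sort-Object Role, Principal | Format-Table -AutoSize
```

Rows with PrincipalType Unknown point at assignments whose principal no longer exists in the directory and are worth cleaning up when reviewing access.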
