Get-SystemAssignedManagedIdentityRBACRoleAssignments.ps1
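<#
.SYNOPSIS
    Lists the Azure RBAC role assignments held by a Function App's
    system-assigned managed identity.
.DESCRIPTION
    Resolves the Function App's system-assigned identity, queries the
    Microsoft.Authorization/roleAssignments API with an assignedTo() filter
    for that principal, and prints the scope and full role definition of
    every assignment found. Requires an authenticated Az session
    (Connect-AzAccount) with permission to read role assignments in the
    current subscription.
.PARAMETER resourceGroupName
    Resource group that contains the Function App.
.PARAMETER functionAppName
    Name of the Function App whose identity is inspected.
.NOTES
    The request is made at subscription scope, so the result covers
    assignments at the subscription and below. Assignments granted at a
    management-group scope above this subscription are not returned by
    this query and must be reviewed separately.
#>
param(
    [string]$resourceGroupName = "your-resource-group-name",
    [string]$functionAppName = "your-function-app-name"
)

$subscriptionId = (Get-AzContext).Subscription.Id
if ([string]::IsNullOrEmpty($subscriptionId)) {
    Write-Host "No Azure context found. Run Connect-AzAccount first." -ForegroundColor Red
    return
}

$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/$functionAppName"
$managedIdentity = Get-AzSystemAssignedIdentity -Scope $scope
# $null belongs on the left: "$x -eq $null" on a collection filters the
# collection instead of testing for null, so the check would never fire.
if ($null -eq $managedIdentity) {
    Write-Host "System Assigned Managed Identity not found." -ForegroundColor Red
    return
}

$managedIdentityId = $managedIdentity.PrincipalId # Get the Principal ID of the system-assigned identity

# NOTE(review): recent Az.Accounts releases return .Token as a SecureString
# rather than a plain string; confirm against the installed module version.
# The bearer token lives only in this variable; do not log $armtoken or
# $requestParams.
$armtoken = (Get-AzAccessToken -ResourceTypeName Arm).Token
$apiVersion = '2022-04-01'
# $managedIdentityId is a principal GUID obtained from Az, not user input,
# so interpolating it into the OData filter is safe here.
$uri = "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleAssignments?api-version=$apiVersion&`$filter=assignedTo('$managedIdentityId')"
$requestParams = @{
    Method  = 'GET'
    Uri     = $uri
    Headers = @{
        'Authorization' = "Bearer $armtoken"
    }
}

# The API returns one page per call and points at the remainder via
# nextLink; reading only the first page silently drops assignments on
# identities with many roles. Follow nextLink until it is empty.
$assignments = [System.Collections.Generic.List[object]]::new()
do {
    $response = Invoke-RestMethod @requestParams
    foreach ($item in $response.value) {
        $assignments.Add($item)
    }
    $requestParams.Uri = $response.nextLink
} while (-not [string]::IsNullOrEmpty($response.nextLink))

if ($assignments.Count -eq 0) {
    Write-Host "No role assignments found for principal $managedIdentityId in subscription $subscriptionId." -ForegroundColor Yellow
    return
}

# Several assignments usually share one role definition; resolve each
# definition once instead of calling Get-AzRoleDefinition per assignment.
$roleDefinitionCache = @{}
foreach ($assignment in $assignments) {
    # roleDefinitionId is a full ARM path; the last segment is the definition GUID.
    $roleDefinitionIdFinal = ($assignment.properties.roleDefinitionId -split '/')[-1]
    if (-not $roleDefinitionCache.ContainsKey($roleDefinitionIdFinal)) {
        $roleDefinitionCache[$roleDefinitionIdFinal] = Get-AzRoleDefinition -Id $roleDefinitionIdFinal
    }
    $roleDefinition = $roleDefinitionCache[$roleDefinitionIdFinal]

    # Print the assignment scope alongside the definition: the same role at
    # subscription scope and at a single resource are very different grants,
    # and the definition alone does not show which one this is.
    Write-Host "Assignment scope: $($assignment.properties.scope)" -ForegroundColor Cyan
    $roleDefinition | Format-List *
}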