As you may (or may not, I ain’t judging) know, Azure uses 2 sets of roles for permission management – Azure AD Roles to grant permissions on Azure AD (Users, Groups, etc), and RBAC Roles to grant permissions on pertaining to Azure Resource Manager (or ARM for short); That is, permissions on Resources, Resource Groups, Subscriptions, and Management Groups.
A while ago I demonstrated to my students how to analyze an RBAC role definition with PowerShell, and one of them asked how they would go about doing this with Azure AD roles. The answer is… Not as simple as I would’ve liked it to be, and therefore I bring you this post, in hopes that it saves some time to someone who stumbles upon the same issue.
Azure AD roles work a little differently from RBAC Roles, in that RBAC roles contain allowed operations (under the Actions field) and disallowed ones (under the NotActions field). In Azure AD roles, however, only the allowed operations are referenced.
An example would be to compare the most privileged role in RBAC (Owner) with the most privileged role in Azure AD (Global Administrator). The Owner role will simply have
* in the Actions field (denoting all operations are permitted), while the Global Administrator will have all possible operations explicitly detailed in its AllowedResourceActions field.
To view Azure AD role definitions, install the AzureAD module:
After that, you will need to import the module (newer PowerShell versions do it automatically when you first invoke a cmdlet from the module, but… You know, just in case):
Now we need to connect to Azure AD, we can do that with the following cmdlet:
You should be presented with an external authentication prompt against Microsoft Online. After authenticating, we can start performing operations against Azure AD. In order to to look at the definitions of Azure AD roles, we need to use the
Get-ADMSRoleDefinition cmdlet. Let’s say we want to look at the Global Administrator role:
# Assign role definition to variable RoleDefinition $RoleDefinition = Get-AzureADMSRoleDefinition -Filter "DisplayName eq 'Global Administrator'" # Allowed actions reside in a nested property $AllowedActions = $RoleDefinition.RolePermissions.AllowedResourceActions # Allowed actions now assigned to Variable AllowedActions Write-Host $AllowedActions # Output microsoft.directory/accessReviews/allProperties/allTasks microsoft.directory/administrativeUnits/allProperties/allTasks microsoft.directory/applications/allProperties/allTasks ...
There you have it folks.
To be honest, I got the idea to write this post back when this Cmdlets were only available in the AzureADPreview module, and I had to dig through endless Google Search results until I landed on the right solution. Now that they’re available in the generally-available AzureAD module, life will be much easier for all of us.