forked from MicrosoftDocs/azure-docs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
role-assignments-list-portal.yml
256 lines (199 loc) · 15.4 KB
/
role-assignments-list-portal.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
### YamlMime:HowTo
---
metadata:
title: List Azure role assignments using the Azure portal - Azure RBAC
description: Learn how to determine what resources users, groups, service principals, or managed identities have access to using the Azure portal and Azure role-based access control (Azure RBAC).
author: rolyon
ms.author: rolyon
manager: amycolannino
ms.date: 06/27/2024
ms.service: role-based-access-control
ms.topic: how-to
ms.custom:
- ge-structured-content-pilot
title: |
List Azure role assignments using the Azure portal
introduction: |
[!INCLUDE [Azure RBAC definition list access](../../includes/role-based-access-control/definition-list.md)] This article describes how to list role assignments using the Azure portal.
> [!NOTE]
> If your organization has outsourced management functions to a service provider who uses [Azure Lighthouse](../lighthouse/overview.md), role assignments authorized by that service provider won't be shown here. Similarly, users in the service provider tenant won't see role assignments for users in a customer's tenant, regardless of the role they've been assigned.
prerequisites:
summary: |
`Microsoft.Authorization/roleAssignments/read` permission, such as [Reader](./built-in-roles/general.md#reader)
procedureSection:
- title: |
List role assignments for a user or group
summary: |
A quick way to see the roles assigned to a user or group in a subscription is to use the **Azure role assignments** pane.
steps:
- |
In the Azure portal, select **All services** from the Azure portal menu.
- |
Select **Microsoft Entra ID** and then select **Users** or **Groups**.
- |
Click the user or group you want list the role assignments for.
- |
Click **Azure role assignments**.
You see a list of roles assigned to the selected user or group at various scopes such as management group, subscription, resource group, or resource. This list includes all role assignments you have permission to read.
![Screenshot of role assignments for a user.](./media/role-assignments-list-portal/azure-role-assignments-user.png)
- |
To change the subscription, click the **Subscriptions** list.
- title: |
List owners of a subscription
summary: |
Users that have been assigned the [Owner](built-in-roles.md#owner) role for a subscription can manage everything in the subscription. Follow these steps to list the owners of a subscription.
steps:
- |
In the Azure portal, click **All services** and then **Subscriptions**.
- |
Click the subscription you want to list the owners of.
- |
Click **Access control (IAM)**.
- |
Click the **Role assignments** tab to view all the role assignments for this subscription.
- |
Scroll to the **Owners** section to see all the users that have been assigned the Owner role for this subscription.
![Screenshot of subscription Access control and Role assignments tab.](./media/role-assignments-list-portal/sub-access-control-role-assignments-owners.png)
- title: |
List or manage privileged administrator role assignments
summary: |
On the **Role assignments** tab, you can list and see the count of privileged administrator role assignments at the current scope. For more information, see [Privileged administrator roles](role-assignments-steps.md#privileged-administrator-roles).
steps:
- |
In the Azure portal, click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.
- |
Click the specific resource.
- |
Click **Access control (IAM)**.
- |
Click the **Role assignments** tab and then click the **Privileged** tab to list the privileged administrator role assignments at this scope.
:::image type="content" source="./media/role-assignments-list-portal/access-control-role-assignments-privileged.png" alt-text="Screenshot of Access control page, Role assignments tab, and Privileged tab showing privileged role assignments." lightbox="./media/role-assignments-list-portal/access-control-role-assignments-privileged.png":::
- |
To see the count of privileged administrator role assignments at this scope, see the **Privileged** card.
- |
To manage privileged administrator role assignments, see the **Privileged** card and click **View assignments**.
On the **Manage privileged role assignments** page, you can add a condition to constrain the privileged role assignment or remove the role assignment. For more information, see [Delegate Azure role assignment management to others with conditions](delegate-role-assignments-portal.md).
:::image type="content" source="./media/role-assignments-list-portal/access-control-role-assignments-privileged-manage.png" alt-text="Screenshot of Manage privileged role assignments page showing how to add conditions or remove role assignments." lightbox="./media/role-assignments-list-portal/access-control-role-assignments-privileged-manage.png":::
- title: |
List role assignments at a scope
summary: |
> [!IMPORTANT]
> Azure role assignment integration with Privileged Identity Management is currently in PREVIEW.
> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Follow these steps:
steps:
- |
In the Azure portal, click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.
- |
Click the specific resource.
- |
Click **Access control (IAM)**.
- |
Click the **Role assignments** tab to view the role assignments at this scope.
If you have a Microsoft Entra ID Free or Microsoft Entra ID P1 license, your **Role assignments** tab is similar to the following screenshot.
:::image type="content" source="./media/role-assignments-list-portal/rg-access-control-role-assignments.png" alt-text="Screenshot of Access control and Role assignments tab." lightbox="./media/role-assignments-list-portal/rg-access-control-role-assignments.png":::
If you have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license, your **Role assignments** tab is similar to the following screenshot. This capability is being deployed in stages, so it might not be available yet in your tenant or your interface might look different.
:::image type="content" source="./media/role-assignments-list-portal/sub-access-control-role-assignments-eligible.png" alt-text="Screenshot of Access control and Active assignments and Eligible assignments tabs." lightbox="./media/role-assignments-list-portal/sub-access-control-role-assignments-eligible.png":::
You see a **State** column with one of the following states:
| State | Description |
| --- | --- |
| Active permanent | A role assignment where a user can always use the role without performing any actions. |
| Active time-bound | A role assignment where a user can use the role without performing any actions only within start and end dates. |
| Eligible permanent | A role assignment where a user is always eligible to activate the role. |
| Eligible time-bound | A role assignment where a user is eligible to activate the role only within start and end dates. |
It's possible to set the start date in the future.
If you want to list the start time and end time for role assignments, click **Edit columns** and then select **Start time** and **End time**.
:::image type="content" source="./media/role-assignments-list-portal/role-assignments-list-edit-columns.png" alt-text="Screenshot of Columns pane showing Start time and End time check boxes." lightbox="./media/role-assignments-list-portal/role-assignments-list-edit-columns.png":::
Notice that some roles are scoped to **This resource** while others are **(Inherited)** from another scope. Access is either assigned specifically to this resource or inherited from an assignment to the parent scope.
- title: |
List role assignments for a user at a scope
summary: |
To list access for a user, group, service principal, or managed identity, you list their role assignments. Follow these steps to list the role assignments for a single user, group, service principal, or managed identity at a particular scope.
steps:
- |
In the Azure portal, click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.
- |
Click the specific resource.
- |
Click **Access control (IAM)**.
![Screenshot of resource group access control and Check access tab.](./media/shared/rg-access-control.png)
- |
On the **Check access** tab, click the **Check access** button.
- |
In the **Check access** pane, click **User, group, or service principal** or **Managed identity**.
- |
In the search box, enter a string to search the directory for display names, email addresses, or object identifiers.
![Screenshot of Check access select list.](./media/shared/rg-check-access-select.png)
- |
Click the security principal to open the **assignments** pane.
On this pane, you can see the access for the selected security principal at this scope and inherited to this scope. Assignments at child scopes are not listed. You see the following assignments:
- Role assignments added with Azure RBAC.
- Deny assignments added using Azure Blueprints or Azure managed apps.
- Classic Service Administrator or Co-Administrator assignments for classic deployments.
![Screenshot of assignments pane.](./media/shared/rg-check-access-assignments-user.png)
- title: |
List role assignments for a managed identity
summary: |
You can list role assignments for system-assigned and user-assigned managed identities at a particular scope by using the **Access control (IAM)** blade as described earlier. This section describes how to list role assignments for just the managed identity.
### System-assigned managed identity
steps:
- |
In the Azure portal, open a system-assigned managed identity.
- |
In the left menu, click **Identity**.
![Screenshot of system-assigned managed identity.](./media/shared/identity-system-assigned.png)
- |
Under **Permissions**, click **Azure role assignments**.
You see a list of roles assigned to the selected system-assigned managed identity at various scopes such as management group, subscription, resource group, or resource. This list includes all role assignments you have permission to read.
![Screenshot of role assignments for a system-assigned managed identity.](./media/shared/role-assignments-system-assigned.png)
- |
To change the subscription, click the **Subscription** list.
### User-assigned managed identity
1. In the Azure portal, open a user-assigned managed identity.
1. Click **Azure role assignments**.
You see a list of roles assigned to the selected user-assigned managed identity at various scopes such as management group, subscription, resource group, or resource. This list includes all role assignments you have permission to read.
![Screenshot of role assignments for a user-assigned managed identity.](./media/shared/role-assignments-user-assigned.png)
1. To change the subscription, click the **Subscription** list.
- title: |
List number of role assignments
summary: |
You can have up to **4000** role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. [Eligible role assignments](./role-assignments-portal.yml#step-6-select-assignment-type-(preview)) and role assignments scheduled in the future do not count towards this limit. To help you keep track of this limit, the **Role assignments** tab includes a chart that lists the number of role assignments for the current subscription.
![Screenshot of Access control and number of role assignments chart.](./media/role-assignments-list-portal/access-control-role-assignments-chart.png)
If you are getting close to the maximum number and you try to add more role assignments, you'll see a warning in the **Add role assignment** pane. For ways that you can reduce the number of role assignments, see [Troubleshoot Azure RBAC limits](troubleshoot-limits.md).
![Screenshot of Access control and Add role assignment warning.](./media/role-assignments-list-portal/add-role-assignment-warning.png)
## Download role assignments
You can download role assignments at a scope in CSV or JSON formats. This can be helpful if you need to inspect the list in a spreadsheet or take an inventory when migrating a subscription.
When you download role assignments, you should keep in mind the following criteria:
- If you don't have permissions to read the directory, such as the Directory Readers role, the DisplayName, SignInName, and ObjectType columns will be blank.
- Role assignments whose security principal has been deleted are not included.
- Access granted to classic administrators are not included.
Follow these steps to download role assignments at a scope.
steps:
- |
In the Azure portal, click **All services** and then select the scope where you want to download the role assignments. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.
- |
Click the specific resource.
- |
Click **Access control (IAM)**.
- |
Click **Download role assignments** to open the Download role assignments pane.
![Screenshot of Access control and Download role assignments.](./media/role-assignments-list-portal/download-role-assignments.png)
- |
Use the check boxes to select the role assignments you want to include in the downloaded file.
- **Inherited** - Include inherited role assignments for the current scope.
- **At current scope** - Include role assignments for the current scope.
- **Children** - Include role assignments at levels below the current scope. This check box is disabled for management group scope.
- |
Select the file format, which can be comma-separated values (CSV) or JavaScript Object Notation (JSON).
- |
Specify the file name.
- |
Click **Start** to start the download.
The following show examples of the output for each file format.
![Screenshot of download role assignments as CSV.](./media/role-assignments-list-portal/download-role-assignments-csv.png)
![Screenshot of the downloaded role assignments as in JSON format.](./media/role-assignments-list-portal/download-role-assignments-json.png)
relatedContent:
- text: Assign Azure roles using the Azure portal
url: role-assignments-portal.yml
- text: Troubleshoot Azure RBAC
url: troubleshooting.md