List Azure role assignments using Azure PowerShell

Azure role-based access control (RBAC) is the authorization system you use to manage access to Azure resources. To determine what resources users, groups, service principals, or managed identities have access to, you list their role assignments. This article describes how to list role assignments using Azure PowerShell.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

List role assignments for the current subscription

The easiest way to get a list of all the role assignments in the current subscription (including role assignments inherited from the root and management group scopes) is to use Get-AzRoleAssignment without any parameters.

Get-AzRoleAssignment
PS C:\> Get-AzRoleAssignment

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName        : Alain
SignInName         : alain@example.com
RoleDefinitionName : Storage Blob Data Reader
RoleDefinitionId   : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
DisplayName        : Marketing
SignInName         :
RoleDefinitionName : Contributor
RoleDefinitionId   : b24988ac-6180-42a0-ab88-20f7382dd24c
ObjectId           : 22222222-2222-2222-2222-222222222222
ObjectType         : Group
CanDelegate        : False

...
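The unfiltered list above is the raw material for an access review. The following script is an added example, not part of the original article: it takes the same Get-AzRoleAssignment output, summarises assignments per principal, and flags broadly scoped assignments of write or access-administration roles. It assumes the Az module is installed, Connect-AzAccount has already been run, and that the set of roles treated as privileged (Owner, User Access Administrator, Contributor) is a starting point you extend for your own environment.

```powershell
# Added example (not from the original article): review every role assignment
# visible in the current subscription and flag broad, high-privilege ones.
# Assumes the Az module is installed and Connect-AzAccount has been run.

# Built-in roles that grant write or access-administration rights.
# Assumption: this list is a starting point; extend it for your environment.
$privilegedRoles = @('Owner', 'User Access Administrator', 'Contributor')

$assignments = Get-AzRoleAssignment

# A scope that does not contain '/resourceGroups/' is subscription,
# management group or root scope, i.e. broader than a single resource group.
$broad = $assignments | Where-Object {
    $_.RoleDefinitionName -in $privilegedRoles -and
    $_.Scope -notmatch '/resourceGroups/'
}

# One row per principal, so an identity holding many assignments stands out.
$assignments |
    Group-Object ObjectId |
    ForEach-Object {
        [PSCustomObject]@{
            DisplayName     = $_.Group[0].DisplayName
            ObjectType      = $_.Group[0].ObjectType
            AssignmentCount = $_.Count
            Roles           = ($_.Group.RoleDefinitionName | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object AssignmentCount -Descending |
    Format-Table -AutoSize

# Show the broad privileged assignments and keep a CSV as the review record.
$broad |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope, CanDelegate |
    Format-Table -AutoSize
$broad | Export-Csv -Path .\privileged-role-assignments.csv -NoTypeInformation
```

Run it in the subscription you want to review; the CSV path is a constructed example and can be changed. Assignments inherited from a management group show up with a Scope beginning /providers/Microsoft.Management/managementGroups/, which is why the filter keys on the absence of /resourceGroups/ rather than on the subscription prefix.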

List role assignments for a subscription

To list all role assignments at a subscription scope, use Get-AzRoleAssignment. To get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use Get-AzSubscription.

Get-AzRoleAssignment -Scope /subscriptions/<subscription_id>
PS C:\> Get-AzRoleAssignment -Scope /subscriptions/00000000-0000-0000-0000-000000000000

List role assignments for a user

To list all the roles that are assigned to a specified user, use Get-AzRoleAssignment.

Get-AzRoleAssignment -SignInName <email_or_userprincipalname>
PS C:\> Get-AzRoleAssignment -SignInName isabella@example.com | FL DisplayName, RoleDefinitionName, Scope

DisplayName        : Isabella Simonsen
RoleDefinitionName : BizTalk Contributor
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

To list all the roles that are assigned to a specified user and the roles that are assigned to the groups to which the user belongs, use Get-AzRoleAssignment with -ExpandPrincipalGroups.

Get-AzRoleAssignment -SignInName <email_or_userprincipalname> -ExpandPrincipalGroups
Get-AzRoleAssignment -SignInName isabella@example.com -ExpandPrincipalGroups | FL DisplayName, RoleDefinitionName, Scope
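The difference between the two commands above is exactly the access a user receives through group membership, which is the part that is easiest to overlook when reviewing an account. The following script is an added example, not part of the original article: it runs both queries for one user and separates direct assignments from those that arrive via groups. It assumes the Az module and an existing Connect-AzAccount session; the user principal name is a constructed sample value.

```powershell
# Added example (not from the original article): separate a user's direct role
# assignments from those inherited through group membership.
# Assumes the Az module is installed and Connect-AzAccount has been run.

$upn = 'isabella@example.com'   # constructed sample value

# Direct assignments only.
$direct = @(Get-AzRoleAssignment -SignInName $upn)

# Direct assignments plus those granted to groups the user belongs to.
$effective = @(Get-AzRoleAssignment -SignInName $upn -ExpandPrincipalGroups)

# Anything in the expanded set that is not in the direct set came via a group.
# RoleAssignmentId is the stable key for comparing the two result sets.
$directIds = @($direct.RoleAssignmentId)
$viaGroups = $effective | Where-Object { $_.RoleAssignmentId -notin $directIds }

"Direct assignments for $upn"
$direct | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

"Assignments inherited through groups for $upn"
$viaGroups |
    Select-Object @{ n = 'GrantedTo'; e = { $_.DisplayName } },
                  ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Summary counts, useful when checking many users in a loop.
[PSCustomObject]@{
    User      = $upn
    Direct    = $direct.Count
    ViaGroups = @($viaGroups).Count
    Effective = $effective.Count
}
```

For group-derived entries, DisplayName and ObjectType describe the group that holds the assignment, which is why the output labels that column GrantedTo.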

List role assignments for a resource group

To list all role assignments at a resource group scope, use Get-AzRoleAssignment.

Get-AzRoleAssignment -ResourceGroupName <resource_group_name>
PS C:\> Get-AzRoleAssignment -ResourceGroupName pharma-sales | FL DisplayName, RoleDefinitionName, Scope

DisplayName        : Alain Charon
RoleDefinitionName : Backup Operator
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

DisplayName        : Isabella Simonsen
RoleDefinitionName : BizTalk Contributor
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

DisplayName        : Alain Charon
RoleDefinitionName : Virtual Machine Contributor
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

List role assignments for a management group

To list all role assignments at a management group scope, use Get-AzRoleAssignment. To get the management group ID, you can find it on the Management groups blade in the Azure portal or you can use Get-AzManagementGroup.

Get-AzRoleAssignment -Scope /providers/Microsoft.Management/managementGroups/<group_id>
PS C:\> Get-AzRoleAssignment -Scope /providers/Microsoft.Management/managementGroups/marketing-group

List role assignments for the classic service administrator and co-administrators

To list role assignments for the classic subscription administrator and co-administrators, use Get-AzRoleAssignment with -IncludeClassicAdministrators.

Get-AzRoleAssignment -IncludeClassicAdministrators

List role assignments for a managed identity

  1. Get the object ID of the system-assigned or user-assigned managed identity.

    To get the object ID of a user-assigned managed identity, you can use Get-AzADServicePrincipal.

    Get-AzADServicePrincipal -DisplayNameBeginsWith "<name> or <vmname>"
    
  2. To list the role assignments, use Get-AzRoleAssignment.

    Get-AzRoleAssignment -ObjectId <objectid>
    
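The two steps above are combined below into one function; this is an added example, not part of the original article. Because -DisplayNameBeginsWith is a prefix match, several service principals can come back for one name, and auditing the wrong identity is a real risk, so the function insists on exactly one match (preferring an exact display-name match) before it calls Get-AzRoleAssignment. It assumes the Az module and an existing Connect-AzAccount session; the function name and the sample identity name are assumptions.

```powershell
# Added example (not from the original article): resolve a managed identity's
# object ID by name and list its role assignments, refusing ambiguous matches.
# Assumes the Az module is installed and Connect-AzAccount has been run.
function Get-ManagedIdentityRoleAssignments {
    param(
        # Display name of the user-assigned identity, or the resource name for
        # a system-assigned identity (e.g. the VM name).
        [Parameter(Mandatory)]
        [string]$Name
    )

    # Step 1: find the service principal that backs the managed identity.
    # -DisplayNameBeginsWith is a prefix match, so it may return several objects.
    $candidates = @(Get-AzADServicePrincipal -DisplayNameBeginsWith $Name)

    if ($candidates.Count -eq 0) {
        throw "No service principal whose display name begins with '$Name'."
    }

    if ($candidates.Count -gt 1) {
        # Prefer an exact display-name match; otherwise stop rather than
        # report the role assignments of the wrong identity.
        $exact = @($candidates | Where-Object DisplayName -eq $Name)
        if ($exact.Count -ne 1) {
            $listing = $candidates |
                Select-Object DisplayName, Id |
                Format-Table -AutoSize | Out-String
            Write-Warning "Multiple service principals match '$Name':`n$listing"
            throw "Ambiguous name '$Name'; pass the full display name."
        }
        $candidates = $exact
    }

    $sp = $candidates[0]

    # Step 2: list role assignments for that object ID.
    Get-AzRoleAssignment -ObjectId $sp.Id |
        Select-Object @{ n = 'Identity'; e = { $sp.DisplayName } },
                      RoleDefinitionName, Scope, CanDelegate
}

# Usage (constructed sample name):
Get-ManagedIdentityRoleAssignments -Name 'pharma-sales-vm' | Format-Table -AutoSize
```

The Id property of the object returned by Get-AzADServicePrincipal is the object ID that Get-AzRoleAssignment -ObjectId expects; the application ID is a different value and will not match any assignment.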

Next steps