List Azure role assignments using Azure PowerShell

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To determine what resources users, groups, service principals, or managed identities have access to, you list their role assignments. This article describes how to list role assignments using Azure PowerShell.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

List role assignments for the current subscription

The easiest way to get a list of all the role assignments in the current subscription (including inherited role assignments from root and management groups) is to use Get-AzRoleAssignment without any parameters.

Get-AzRoleAssignment
PS C:\> Get-AzRoleAssignment

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName        : Alain
SignInName         : alain@example.com
RoleDefinitionName : Storage Blob Data Reader
RoleDefinitionId   : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
ObjectId           : 44444444-4444-4444-4444-444444444444
ObjectType         : User
CanDelegate        : False

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
DisplayName        : Marketing
SignInName         :
RoleDefinitionName : Contributor
RoleDefinitionId   : b24988ac-6180-42a0-ab88-20f7382dd24c
ObjectId           : 22222222-2222-2222-2222-222222222222
ObjectType         : Group
CanDelegate        : False

...

List role assignments for a subscription

To list all role assignments at a subscription scope, use Get-AzRoleAssignment. To get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use Get-AzSubscription.

Get-AzRoleAssignment -Scope /subscriptions/<subscription_id>
PS C:\> Get-AzRoleAssignment -Scope /subscriptions/00000000-0000-0000-0000-000000000000

List role assignments for a user

To list all the roles that are assigned to a specified user, use Get-AzRoleAssignment.

Get-AzRoleAssignment -SignInName <email_or_userprincipalname>
PS C:\> Get-AzRoleAssignment -SignInName isabella@example.com | FL DisplayName, RoleDefinitionName, Scope

DisplayName        : Isabella Simonsen
RoleDefinitionName : BizTalk Contributor
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

To list all the roles that are assigned to a specified user and the roles that are assigned to the groups to which the user belongs, use Get-AzRoleAssignment with the -ExpandPrincipalGroups parameter.

Get-AzRoleAssignment -SignInName <email_or_userprincipalname> -ExpandPrincipalGroups
Get-AzRoleAssignment -SignInName isabella@example.com -ExpandPrincipalGroups | FL DisplayName, RoleDefinitionName, Scope

List role assignments for a resource group

To list all role assignments at a resource group scope, use Get-AzRoleAssignment.

Get-AzRoleAssignment -ResourceGroupName <resource_group_name>
PS C:\> Get-AzRoleAssignment -ResourceGroupName pharma-sales | FL DisplayName, RoleDefinitionName, Scope

DisplayName        : Alain Charon
RoleDefinitionName : Backup Operator
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

DisplayName        : Isabella Simonsen
RoleDefinitionName : BizTalk Contributor
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

DisplayName        : Alain Charon
RoleDefinitionName : Virtual Machine Contributor
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales

List role assignments for a management group

To list all role assignments at a management group scope, use Get-AzRoleAssignment. To get the management group ID, you can find it on the Management groups blade in the Azure portal or you can use Get-AzManagementGroup.

Get-AzRoleAssignment -Scope /providers/Microsoft.Management/managementGroups/<group_id>
PS C:\> Get-AzRoleAssignment -Scope /providers/Microsoft.Management/managementGroups/marketing-group

List role assignments for a resource

To list role assignments for a specific resource, use Get-AzRoleAssignment with the -Scope parameter. The scope will be different depending on the resource. To get the scope, you can run Get-AzRoleAssignment without any parameters to list all of the role assignments and then find the scope you want to list.

Get-AzRoleAssignment -Scope "/subscriptions/<subscription_id>/resourcegroups/<resource_group_name>/providers/<provider_name>/<resource_type>/<resource>"

The following example shows how to list the role assignments for a storage account. Note that this command also lists role assignments at higher scopes, such as resource groups and subscriptions, that apply to this storage account.

PS C:\> Get-AzRoleAssignment -Scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/storage-test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122"

If you want to list only role assignments that are assigned directly on a resource, you can use the Where-Object command to filter the list.

PS C:\> Get-AzRoleAssignment | Where-Object {$_.Scope -eq "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/storage-test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122"}
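The two commands above either show every assignment that applies to the resource or only the direct ones. The following function, added here as an example and not part of the original article, combines both views: it lists everything that applies to a resource and labels each grant as direct or inherited, naming the parent scope (root, management group, subscription, resource group, or parent resource) it came from. It assumes an open Az session with permission to read role assignments; the function name is hypothetical.

```powershell
# Added example (not from the original article): classify every role assignment that applies
# to one resource as direct or inherited, and record which parent scope it was granted at.
# Assumes an existing Az session (Connect-AzAccount) with rights to read role assignments.
function Get-ResourceRoleAssignmentReport {
    param(
        # Full resource ID, e.g. /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>
        [Parameter(Mandatory = $true)]
        [string]$ResourceId
    )

    # Get-AzRoleAssignment -Scope returns assignments made at this scope AND at every parent scope
    $assignments = Get-AzRoleAssignment -Scope $ResourceId

    foreach ($a in $assignments) {
        # -eq, -like and -match are case-insensitive by default, which matches Azure's
        # case-insensitive handling of resource IDs ("resourcegroups" vs "resourceGroups").
        $source =
            if ($a.Scope -eq $ResourceId) { 'Direct' }
            elseif ($a.Scope -eq '/') { 'Inherited (root)' }
            elseif ($a.Scope -like '/providers/Microsoft.Management/managementGroups/*') { 'Inherited (management group)' }
            elseif ($a.Scope -match '^/subscriptions/[^/]+$') { 'Inherited (subscription)' }
            elseif ($a.Scope -match '^/subscriptions/[^/]+/resourceGroups/[^/]+$') { 'Inherited (resource group)' }
            else { 'Inherited (parent resource)' }

        # Groups and service principals have no SignInName, so fall back to DisplayName
        $principal = if ($a.SignInName) { $a.SignInName } else { $a.DisplayName }

        [pscustomobject]@{
            Principal = $principal
            Type      = $a.ObjectType
            Role      = $a.RoleDefinitionName
            Source    = $source
            Scope     = $a.Scope
        }
    }
}

# Usage: show who can reach a storage account and at which level each grant was made.
# Get-ResourceRoleAssignmentReport -ResourceId '/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/storage-test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122' |
#     Sort-Object Source, Role | Format-Table -AutoSize
```

Inherited grants are the ones most often overlooked in an access review, because they never appear when you filter on the resource's own scope as in the Where-Object command above.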

List role assignments for classic service administrator and co-administrators

To list role assignments for the classic subscription administrator and co-administrators, use Get-AzRoleAssignment with the -IncludeClassicAdministrators parameter.

Get-AzRoleAssignment -IncludeClassicAdministrators
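The subscription-wide listing at the top of this article and the -IncludeClassicAdministrators switch above are the two inputs an access reviewer needs for a privileged-access inventory. The following function, added here as an example and not part of the original article, builds one: it collects all assignments including classic administrators, keeps only high-privilege roles, and reports one row per principal. It assumes an open Az session; the function name and the default list of roles treated as privileged are assumptions you should adjust to your environment.

```powershell
# Added example (not from the original article): inventory of high-privilege grants in the
# current subscription, including classic Service/Co-Administrators. Assumes an Az session.
function Get-PrivilegedRoleAssignmentReport {
    param(
        # Roles treated as privileged (assumed default list; extend for your environment)
        [string[]]$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator',
                                       'ServiceAdministrator', 'CoAdministrator')
    )

    # Classic administrators hold subscription-wide rights but are not regular role
    # assignments; they only show up with -IncludeClassicAdministrators.
    $all = Get-AzRoleAssignment -IncludeClassicAdministrators

    $privileged = $all | Where-Object {
        # Classic administrator entries can carry several role names joined with ';'
        # (e.g. "ServiceAdministrator;AccountAdministrator"), so split before matching
        $roles = $_.RoleDefinitionName -split ';'
        @($roles | Where-Object { $PrivilegedRoles -contains $_ }).Count -gt 0
    }

    # One row per principal: classic admin entries may lack an ObjectId, so key on
    # SignInName when no ObjectId is present
    $privileged |
        Group-Object -Property { if ($_.ObjectId) { $_.ObjectId } else { $_.SignInName } } |
        ForEach-Object {
            $first = $_.Group[0]
            $name  = if ($first.SignInName) { $first.SignInName } else { $first.DisplayName }
            [pscustomobject]@{
                Principal   = $name
                ObjectType  = $first.ObjectType
                Roles       = ($_.Group.RoleDefinitionName | Sort-Object -Unique) -join ', '
                Scopes      = ($_.Group.Scope | Sort-Object -Unique) -join '; '
                Assignments = $_.Count
            }
        } |
        Sort-Object ObjectType, Principal
}

# Usage: review broad rights, e.g. groups holding Owner at subscription scope, and export
# Get-PrivilegedRoleAssignmentReport | Format-Table -AutoSize
# Get-PrivilegedRoleAssignmentReport | Export-Csv -NoTypeInformation privileged-access.csv
```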

List role assignments for a managed identity

  1. Get the object ID of the system-assigned or user-assigned managed identity.

    To get the object ID of a user-assigned managed identity, you can use Get-AzADServicePrincipal.

    Get-AzADServicePrincipal -DisplayNameBeginsWith "<name> or <vmname>"
    
  2. To list the role assignments, use Get-AzRoleAssignment.

    Get-AzRoleAssignment -ObjectId <objectid>
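
The two steps above resolve a managed identity to its object ID and then list its assignments. The following function, added here as an example and not part of the original article, chains them and handles the case the steps leave open: -DisplayNameBeginsWith is a prefix match, so it can return zero or several service principals. It assumes an open Az session; the function name is hypothetical.

```powershell
# Added example (not from the original article): list role assignments for one or more
# managed identities found by display-name prefix. Assumes an existing Az session.
function Get-ManagedIdentityRoleAssignment {
    param(
        # Name of the user-assigned identity, or the VM name for a system-assigned one
        [Parameter(Mandatory = $true)]
        [string]$NamePrefix
    )

    # Step 1: resolve the service principal(s). -DisplayNameBeginsWith is a prefix match,
    # so "web-vm" also matches "web-vm-backup"; never assume exactly one result.
    $principals = @(Get-AzADServicePrincipal -DisplayNameBeginsWith $NamePrefix)
    if ($principals.Count -eq 0) {
        Write-Warning "No service principal whose display name starts with '${NamePrefix}'"
        return
    }
    if ($principals.Count -gt 1) {
        Write-Warning ("Prefix '{0}' matched {1} principals; reporting all of them" -f $NamePrefix, $principals.Count)
    }

    foreach ($sp in $principals) {
        # Step 2: list assignments by object ID, tagging each row with the identity it
        # belongs to so results for several principals can be told apart
        $objectId = $sp.Id
        Get-AzRoleAssignment -ObjectId $objectId | ForEach-Object {
            [pscustomobject]@{
                Identity = $sp.DisplayName
                ObjectId = $objectId
                Role     = $_.RoleDefinitionName
                Scope    = $_.Scope
            }
        }
    }
}

# Usage: check that an identity holds only the narrowly scoped roles it needs
# Get-ManagedIdentityRoleAssignment -NamePrefix 'my-identity' | Format-Table -AutoSize
```

An identity with no rows is not necessarily unprivileged: it may still have access through group membership, which -ObjectId alone does not expand.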
    

Next steps