diff --git a/src/ResourceManager/Resources/Commands.Resources/Microsoft.Azure.Commands.Resources.dll-Help.psd1 b/src/ResourceManager/Resources/Commands.Resources/Microsoft.Azure.Commands.Resources.dll-Help.psd1
index e9b165e84f9b..4296268cad3a 100644
--- a/src/ResourceManager/Resources/Commands.Resources/Microsoft.Azure.Commands.Resources.dll-Help.psd1
+++ b/src/ResourceManager/Resources/Commands.Resources/Microsoft.Azure.Commands.Resources.dll-Help.psd1
@@ -61,7 +61,7 @@ FormatsToProcess = @()
# Modules to import as nested modules of the module specified in ModuleToProcess
NestedModules = @(
- '..\..\..\Package\Debug\ResourceManager\AzureResourceManager\Resources\Microsoft.Azure.Commands.Resources.dll'
+ '..\..\..\Package\Debug\ResourceManager\AzureResourceManager\AzureRM.Resources\Microsoft.Azure.Commands.Resources.dll'
)
# Functions to export from this module
diff --git a/src/ResourceManager/Resources/Commands.Resources/Microsoft.Azure.Commands.Resources.dll-Help.xml b/src/ResourceManager/Resources/Commands.Resources/Microsoft.Azure.Commands.Resources.dll-Help.xml
index 871eedf15b07..d8b14c114b4c 100644
--- a/src/ResourceManager/Resources/Commands.Resources/Microsoft.Azure.Commands.Resources.dll-Help.xml
+++ b/src/ResourceManager/Resources/Commands.Resources/Microsoft.Azure.Commands.Resources.dll-Help.xml
@@ -2342,18 +2342,33 @@ Summary : Help desk and service management software that empowers you to pro
Get-AzureRmRoleAssignment
- Filters role assignments.
+ Lists Azure RBAC role assignments at the specified scope. By default it lists all role assignments in the selected Azure subscription. Use respective parameters to list assignments to a specific user, or to list assignments on a specific resource group or resource.
+ The Azure RBAC role that is assigned dictates what type of resources the user is allowed to manage in the scope, and what actions the user is allowed to perform on those resources. Use Get-AzureRMRoleDefinition command to list actions that a given role allows.
+
Get
- AzureRoleAssignment
+ AzureRmRoleAssignment
- This is the Description section
- Filters role assignments.
+ Use the Get-AzureRMRoleAssignment command to list all role assignments that are effective on a scope.
+
+Without any parameters, this command returns all the role assignments made under the subscription. This list can be filtered using filtering parameters for principal, role and scope.
+
+The subject of the assignment must be specified. To specify a user, use SignInName or Azure AD ObjectId parameters. To specify a security group, use Azure AD ObjectId parameter. And to specify an Azure AD application, use ServicePrincipalName or ObjectId parameters.
+ The role that is being assigned must be specified using the RoleDefinitionName parameter.
+
+The scope at which access is being granted may be specified. It defaults to the selected subscription. The scope of the assignment can be specified using one of the following parameter combinations
+ a. Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId>. This will filter assignments that are effective at that particular scope i.e. all assignments at that scope and above.
+ b. ResourceGroupName - Name of any resource group under the subscription. This will filter assignments effective at the specified resource group
+ c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - Identifies a particular resource under the subscription and will filter assignments effective at that resource scope.
+
+To determine what access a particular user has in the subscription, use the ExpandPrincipalGroups switch. This will list all roles assigned to the user, and to the groups that the user is member of.
+ Use the IncludeClassicAdministrators switch to also display the subscription admins and co-admins.
+
@@ -2361,16 +2376,16 @@ Summary : Help desk and service management software that empowers you to pro
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
@@ -2378,54 +2393,30 @@ Summary : Help desk and service management software that empowers you to pro
ObjectId
- Object id of the user, group or service principal.
+ The Azure AD ObjectId of the User, Group or Service Principal. Filters all assignments that are made to the specified principal.
Guid
-
- ResourceGroupName
-
- Resource group to assign the role to.
-
- String
-
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- Profile
-
-
-
- AzureProfile
-
-
-
- Get-AzureRmRoleAssignment
-
- ObjectId
-
- Object id of the user, group or service principal.
-
- Guid
-
-
- RoleDefinitionName
+ ExpandPrincipalGroups
- Role to assign the principals with.
+ If specified, returns roles directly assigned to the user and to the groups of which the user is a member (transitively). Supported only for a user principal.
- String
+ SwitchParameter
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
@@ -2433,51 +2424,51 @@ Summary : Help desk and service management software that empowers you to pro
ObjectId
- Object id of the user, group or service principal.
+ The Azure AD ObjectId of the User, Group or Service Principal. Filters all assignments that are made to the specified principal.
Guid
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name. Lists role assignments that are effective at the specified resource group. When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.
String
ResourceName
- Name of the resource to assign the role to.
+ The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType, and (optionally)ParentResource parameters.
String
ResourceType
- Type of the resource to assign the role to.
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName, and (optionally)ParentResource parameters.
String
ParentResource
- Parent resource of the resource to assign the role to, if there is any.
+ The parent resource in the hierarchy of the resource specified using ResourceName parameter. Must be used in conjunction with ResourceGroupName, ResourceType, and ResourceName parameters.
String
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
@@ -2485,306 +2476,258 @@ Summary : Help desk and service management software that empowers you to pro
ObjectId
- Object id of the user, group or service principal.
+ The Azure AD ObjectId of the User, Group or Service Principal. Filters all assignments that are made to the specified principal.
Guid
-
- RoleDefinitionName
+
+ ResourceGroupName
- Role to assign the principals with.
+ The resource group name. Lists role assignments that are effective at the specified resource group. When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.
String
-
- Scope
+
+ RoleDefinitionName
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
Get-AzureRmRoleAssignment
- Mail
+ ObjectId
- Mail of the user or group
+ The Azure AD ObjectId of the User, Group or Service Principal. Filters all assignments that are made to the specified principal.
- String
+ Guid
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
+
+ String
+
+
+ Scope
+
+ The Scope of the role assignment. In the format of relative URI. For e.g. /subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG. It must start with "/subscriptions/{id}". The command filters all assignments that are effective at that scope.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
Get-AzureRmRoleAssignment
- Mail
+ SignInName
- Mail of the user or group
+ The email address or the user principal name of the user. Filters all assignments that are made to the specified user.
String
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name. Lists role assignments that are effective at the specified resource group. When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.
String
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
Get-AzureRmRoleAssignment
- Mail
+ SignInName
- Mail of the user or group
+ The email address or the user principal name of the user. Filters all assignments that are made to the specified user.
String
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name. Lists role assignments that are effective at the specified resource group. When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.
String
ResourceName
- Name of the resource to assign the role to.
+ The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType, and (optionally)ParentResource parameters.
String
ResourceType
- Type of the resource to assign the role to.
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName, and (optionally)ParentResource parameters.
String
ParentResource
- Parent resource of the resource to assign the role to, if there is any.
+ The parent resource in the hierarchy of the resource specified using ResourceName parameter. Must be used in conjunction with ResourceGroupName, ResourceType, and ResourceName parameters.
String
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
Get-AzureRmRoleAssignment
- Mail
+ SignInName
- Mail of the user or group
+ The email address or the user principal name of the user. Filters all assignments that are made to the specified user.
String
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
Scope
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ The Scope of the role assignment. In the format of relative URI. For e.g. /subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG. It must start with "/subscriptions/{id}". The command filters all assignments that are effective at that scope.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
Get-AzureRmRoleAssignment
- UserPrincipalName
-
- UPN of the user.
-
- String
-
-
- ResourceGroupName
+ SignInName
- Resource group to assign the role to.
+ The email address or the user principal name of the user. Filters all assignments that are made to the specified user.
String
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- Profile
-
-
-
- AzureProfile
-
-
-
- Get-AzureRmRoleAssignment
-
- UserPrincipalName
-
- UPN of the user.
-
- String
-
-
- RoleDefinitionName
+ ExpandPrincipalGroups
- Role to assign the principals with.
+ If specified, returns roles directly assigned to the user and to the groups of which the user is a member (transitively). Supported only for a user principal.
- String
+ SwitchParameter
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
Get-AzureRmRoleAssignment
- UserPrincipalName
+ ServicePrincipalName
- UPN of the user.
+ The ServicePrincipalName of the service principal. Filters all assignments that are made to the specified Azure AD application.
String
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name. Lists role assignments that are effective at the specified resource group. When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.
String
ResourceName
- Name of the resource to assign the role to.
+ The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType, and (optionally)ParentResource parameters.
String
ResourceType
- Type of the resource to assign the role to.
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName, and (optionally)ParentResource parameters.
String
ParentResource
- Parent resource of the resource to assign the role to, if there is any.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- Get-AzureRmRoleAssignment
-
- UserPrincipalName
-
- UPN of the user.
+ The parent resource in the hierarchy of the resource specified using ResourceName parameter. Must be used in conjunction with ResourceGroupName, ResourceType, and ResourceName parameters.
String
RoleDefinitionName
- Role to assign the principals with.
-
- String
-
-
- Scope
-
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
@@ -2792,51 +2735,30 @@ Summary : Help desk and service management software that empowers you to pro
ServicePrincipalName
- SPN of the service principal.
+ The ServicePrincipalName of the service principal. Filters all assignments that are made to the specified Azure AD application.
String
ResourceGroupName
- Resource group to assign the role to.
-
- String
-
-
- ResourceName
-
- Name of the resource to assign the role to.
-
- String
-
-
- ResourceType
-
- Type of the resource to assign the role to.
-
- String
-
-
- ParentResource
-
- Parent resource of the resource to assign the role to, if there is any.
+ The resource group name. Lists role assignments that are effective at the specified resource group. When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.
String
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
@@ -2844,54 +2766,30 @@ Summary : Help desk and service management software that empowers you to pro
ServicePrincipalName
- SPN of the service principal.
+ The ServicePrincipalName of the service principal. Filters all assignments that are made to the specified Azure AD application.
String
RoleDefinitionName
- Role to assign the principals with.
-
- String
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- Get-AzureRmRoleAssignment
-
- ServicePrincipalName
-
- SPN of the service principal.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- ResourceGroupName
-
- Resource group to assign the role to.
-
- String
-
-
- RoleDefinitionName
+ Scope
- Role to assign the principals with.
+ The Scope of the role assignment. In the format of relative URI. For e.g. /subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG. It must start with "/subscriptions/{id}". The command filters all assignments that are effective at that scope.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
@@ -2899,30 +2797,23 @@ Summary : Help desk and service management software that empowers you to pro
ServicePrincipalName
- SPN of the service principal.
+ The ServicePrincipalName of the service principal. Filters all assignments that are made to the specified Azure AD application.
String
RoleDefinitionName
- Role to assign the principals with.
-
- String
-
-
- Scope
-
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
@@ -2930,23 +2821,23 @@ Summary : Help desk and service management software that empowers you to pro
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name. Lists role assignments that are effective at the specified resource group. When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.
String
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
@@ -2954,44 +2845,44 @@ Summary : Help desk and service management software that empowers you to pro
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name. Lists role assignments that are effective at the specified resource group. When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.
String
ResourceName
- Name of the resource to assign the role to.
+ The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType, and (optionally)ParentResource parameters.
String
ResourceType
- Type of the resource to assign the role to.
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName, and (optionally)ParentResource parameters.
String
ParentResource
- Parent resource of the resource to assign the role to, if there is any.
+ The parent resource in the hierarchy of the resource specified using ResourceName parameter. Must be used in conjunction with ResourceGroupName, ResourceType, and ResourceName parameters.
String
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
@@ -2999,23 +2890,23 @@ Summary : Help desk and service management software that empowers you to pro
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
Scope
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ The Scope of the role assignment. In the format of relative URI. For e.g. /subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG. It must start with "/subscriptions/{id}". The command filters all assignments that are effective at that scope.
String
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
@@ -3023,7 +2914,7 @@ Summary : Help desk and service management software that empowers you to pro
RoleDefinitionName
- Role to assign the principals with.
+ Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
@@ -3033,13 +2924,13 @@ Summary : Help desk and service management software that empowers you to pro
- Profile
+ IncludeClassicAdministrators
-
+ If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.
- AzureProfile
+ SwitchParameter
- AzureProfile
+ SwitchParameter
@@ -3047,7 +2938,7 @@ Summary : Help desk and service management software that empowers you to pro
ObjectId
- Object id of the user, group or service principal.
+ The Azure AD ObjectId of the User, Group or Service Principal. Filters all assignments that are made to the specified principal.
Guid
@@ -3056,10 +2947,22 @@ Summary : Help desk and service management software that empowers you to pro
+
+ ExpandPrincipalGroups
+
+ If specified, returns roles directly assigned to the user and to the groups of which the user is a member (transitively). Supported only for a user principal.
+
+ SwitchParameter
+
+ SwitchParameter
+
+
+
+
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name. Lists role assignments that are effective at the specified resource group. When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.
String
@@ -3071,7 +2974,7 @@ Summary : Help desk and service management software that empowers you to pro
ResourceName
- Name of the resource to assign the role to.
+ The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType, and (optionally)ParentResource parameters.
String
@@ -3083,7 +2986,7 @@ Summary : Help desk and service management software that empowers you to pro
ResourceType
- Type of the resource to assign the role to.
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName, and (optionally)ParentResource parameters.
String
@@ -3095,7 +2998,7 @@ Summary : Help desk and service management software that empowers you to pro
ParentResource
- Parent resource of the resource to assign the role to, if there is any.
+ The parent resource in the hierarchy of the resource specified using ResourceName parameter. Must be used in conjunction with ResourceGroupName, ResourceType, and ResourceName parameters.
String
@@ -3107,7 +3010,7 @@ Summary : Help desk and service management software that empowers you to pro
Scope
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ The Scope of the role assignment. In the format of relative URI. For e.g. /subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG. It must start with "/subscriptions/{id}". The command filters all assignments that are effective at that scope.
String
@@ -3117,9 +3020,9 @@ Summary : Help desk and service management software that empowers you to pro
- Mail
+ SignInName
- Mail of the user or group
+ The email address or the user principal name of the user. Filters all assignments that are made to the specified user.
String
@@ -3129,9 +3032,9 @@ Summary : Help desk and service management software that empowers you to pro
- UserPrincipalName
+ ServicePrincipalName
- UPN of the user.
+ The ServicePrincipalName of the service principal. Filters all assignments that are made to the specified Azure AD application.
String
@@ -3140,14 +3043,14 @@ Summary : Help desk and service management software that empowers you to pro
-
- ServicePrincipalName
+
+ Profile
- SPN of the service principal.
+
- String
+ azureprofile
- String
+ azureprofile
@@ -3189,13 +3092,13 @@ Summary : Help desk and service management software that empowers you to pro
- -------------------------- Filters role assignment using UPN, Role Definition and Resource Group --------------------------
+ -------------- Example 1 -------------
PS C:\>
- PS C:\> Get-AzureRmRoleAssignment -ResourceGroupName rg1 -UPN foo@domain.com -RoleDefinitionName Reader
+ PS C:\> Get-AzureRmRoleAssignment
- gets role assignments for principal in a resource group that have Reader role definition
+ List all role assignments in the subscription
@@ -3209,13 +3112,13 @@ Summary : Help desk and service management software that empowers you to pro
- -------------------------- Filters role assignments using Service Principal Name --------------------------
+ -------------- Example 2 -------------
PS C:\>
- PS C:\> Get-AzureRmRoleAssignment -ServicePrincipalName 36f81fc3-b00f-48cd-8218-3879f51ff39f -RoleDefinitionName Contributor
+ PS C:\> Get-AzureRmRoleAssignment -ResourceGroupName testRG -SignInName john.doe@contoso.com -ExpandPrincipalGroups
- Gets role assignments of a service principal that have contribution role definition.
+ Gets all role assignments made to user john.doe@contoso.com, and the groups of which he is member, at the testRG scope or above.
@@ -3229,13 +3132,13 @@ Summary : Help desk and service management software that empowers you to pro
- -------------------------- List all role assignments in the subscription --------------------------
+ -------------- Example 3 -------------
PS C:\>
- PS C:\> Get-AzureRmRoleAssignment
+ PS C:\> Get-AzureRmRoleAssignment -ServicePrincipalName "http://testapp1.com"
- Gets all role assignments under the subscription
+ Gets all role assignments of the specified service principal
@@ -3249,13 +3152,13 @@ Summary : Help desk and service management software that empowers you to pro
- -------------------------- Filters role assignment using explict Scope --------------------------
+ -------------- Example 4 -------------
PS C:\>
- PS C:\> Get-AzureRmRoleAssignment -Mail allen.young@live.cn -RoleDefinitionName Owner -Scope "/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"
+ PS C:\> Get-AzureRmRoleAssignment -Scope "/subscriptions/96231a05-34ce-4eb4-aa6a-70759cbb5e83/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"
- gets role assignment to a live email on a resource using the generic parameter. Since the scope doens't start with "/subscriptions/{id}", the current subscription id will be used
+ Gets role assignments at the 'site1' website scope.
@@ -3289,18 +3192,17 @@ Summary : Help desk and service management software that empowers you to pro
Get-AzureRmRoleDefinition
- Filters role definitions.
+ Lists all roles that are available in Azure RBAC.
Get
- AzureRoleDefinition
+ AzureRmRoleDefinition
- This is the Description section
- Gets role definitions.
+ Use the Get-AzureRmRoleDefinition commandlet with a particular role name to view its details. To inspect individual operations that a role grants access to, review the Actions and NotActions properties of the role.
@@ -3308,31 +3210,24 @@ Summary : Help desk and service management software that empowers you to pro
Name
- Role definition name.
+ Role definition name. For e.g. Reader, Contributor, Virtual Machine Contributor.
String
Custom
-
+ If specified, only displays the custom created roles in the directory.
SwitchParameter
-
- Profile
-
-
-
- AzureProfile
-
Name
- Role definition name.
+ Role definition name. For e.g. Reader, Contributor, Virtual Machine Contributor.
String
@@ -3344,7 +3239,7 @@ Summary : Help desk and service management software that empowers you to pro
Custom
-
+ If specified, only displays the custom created roles in the directory.
SwitchParameter
@@ -3358,9 +3253,9 @@ Summary : Help desk and service management software that empowers you to pro
- AzureProfile
+ azureprofile
- AzureProfile
+ azureprofile
@@ -3402,13 +3297,13 @@ Summary : Help desk and service management software that empowers you to pro
- -------------------------- Gets a role definition --------------------------
+ -------------------------- Gets a particular role definition --------------------------
PS C:\>
PS C:\> Get-AzureRmRoleDefinition -Name Reader
- Gets a role definition with Reader name
+ Get the Reader role definition
@@ -3428,7 +3323,7 @@ Summary : Help desk and service management software that empowers you to pro
PS C:\> Get-AzureRmRoleDefinition
- Lists all role definitions
+ Lists all RBAC role definitions
@@ -5880,18 +5775,24 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
New-AzureRmRoleAssignment
- Create a role assignment to some principals at a given scope.
+ Assigns the specified RBAC role to the specified principal, at the specified scope.
New
- AzureRoleAssignment
+ AzureRmRoleAssignment
- This is the Description section
- Create a role assignment to some principals at a given scope.
+ Use the New-AzureRMRoleAssignment command to grant access. Access is granted by assigning the appropriate RBAC role to them at the right scope. To grant access to the entire subscription, assign a role at the subscription scope. To grant access to a specific resource group within a subscription, assign a role at the resource group scope.
+ The subject of the assignment must be specified. To specify a user, use SignInName or Azure AD ObjectId parameters. To specify a security group, use Azure AD ObjectId parameter. And to specify an Azure AD application, use ServicePrincipalName or ObjectId parameters.
+ The role that is being assigned must be specified using the RoleDefinitionName parameter.
+ The scope at which access is being granted may be specified. It defaults to the selected subscription. The scope of the assignment can be specified using one of the following parameter combinations
+ a. Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId>
+ b. ResourceGroupName - to grant access to the specified resource group.
+ c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource – to specify a particular resource within a resource group to grant access to.
+
@@ -5899,85 +5800,73 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
ObjectId
- Object id of the user, group or service principal.
+ Azure AD Objectid of the user, group or service principal.
Guid
Scope
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ The Scope of the role assignment. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will create the role assignment at subscription level. If specified, it should start with "/subscriptions/{id}".
+
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
-
- Profile
-
-
-
- AzureProfile
-
New-AzureRmRoleAssignment
ObjectId
- Object id of the user, group or service principal.
+ Azure AD Objectid of the user, group or service principal.
Guid
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name. Creates an assignment that is effective at the specified resource group. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
-
- Profile
-
-
-
- AzureProfile
-
New-AzureRmRoleAssignment
ObjectId
- Object id of the user, group or service principal.
+ Azure AD Objectid of the user, group or service principal.
Guid
- RoleDefinitionName
+ Scope
- Role to assign the principals with.
+ The Scope of the role assignment. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will create the role assignment at subscription level. If specified, it should start with "/subscriptions/{id}".
+
String
-
- Profile
+
+ RoleDefinitionName
-
+ Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
- AzureProfile
+ String
@@ -5985,473 +5874,240 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
ObjectId
- Object id of the user, group or service principal.
+ Azure AD Objectid of the user, group or service principal.
Guid
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name. Creates an assignment that is effective at the specified resource group. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
ResourceName
- Name of the resource to assign the role to.
+ The resource name. For e.g. storageaccountprod. Should only be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
String
ResourceType
- Type of the resource to assign the role to.
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Should only be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
String
ParentResource
- Parent resource of the resource to assign the role to, if there is any.
+ The parent resource in the hierarchy(of the resource specified using ResourceName parameter). Should only be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
-
- Profile
-
-
-
- AzureProfile
-
New-AzureRmRoleAssignment
- Mail
+ SignInName
- Mail of the user or group
+ The email address or the user principal name of the user.
String
- ResourceGroupName
+ Scope
- Resource group to assign the role to.
+ The Scope of the role assignment. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will create the role assignment at subscription level. If specified, it should start with "/subscriptions/{id}".
+
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
-
- Profile
-
-
-
- AzureProfile
-
New-AzureRmRoleAssignment
- Mail
+ SignInName
- Mail of the user or group
+ The email address or the user principal name of the user.
String
- Scope
+ ResourceGroupName
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ The resource group name. Creates an assignment that is effective at the specified resource group. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
-
- Profile
-
-
-
- AzureProfile
-
New-AzureRmRoleAssignment
- Mail
+ SignInName
- Mail of the user or group
+ The email address or the user principal name of the user.
String
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name. Creates an assignment that is effective at the specified resource group. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
ResourceName
- Name of the resource to assign the role to.
+ The resource name. For e.g. storageaccountprod. Should only be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
String
ResourceType
- Type of the resource to assign the role to.
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Should only be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
String
ParentResource
- Parent resource of the resource to assign the role to, if there is any.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- New-AzureRmRoleAssignment
-
- Mail
-
- Mail of the user or group
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- New-AzureRmRoleAssignment
-
- UserPrincipalName
-
- UPN of the user.
+ The parent resource in the hierarchy(of the resource specified using ResourceName parameter). Should only be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
-
- Profile
-
-
-
- AzureProfile
-
New-AzureRmRoleAssignment
- UserPrincipalName
+ ServicePrincipalName
- UPN of the user.
+ The ServicePrincipalName of the Azure AD application
String
Scope
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- New-AzureRmRoleAssignment
-
- UserPrincipalName
-
- UPN of the user.
-
- String
-
-
- ResourceGroupName
-
- Resource group to assign the role to.
+ The Scope of the role assignment. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will create the role assignment at subscription level. If specified, it should start with "/subscriptions/{id}".
+
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
-
- Profile
-
-
-
- AzureProfile
-
New-AzureRmRoleAssignment
- UserPrincipalName
+ ServicePrincipalName
- UPN of the user.
+ The ServicePrincipalName of the Azure AD application
String
ResourceGroupName
- Resource group to assign the role to.
-
- String
-
-
- ResourceName
-
- Name of the resource to assign the role to.
-
- String
-
-
- ResourceType
-
- Type of the resource to assign the role to.
-
- String
-
-
- ParentResource
-
- Parent resource of the resource to assign the role to, if there is any.
+ The resource group name. Creates an assignment that is effective at the specified resource group. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
-
- Profile
-
-
-
- AzureProfile
-
New-AzureRmRoleAssignment
ServicePrincipalName
- SPN of the service principal.
+ The ServicePrincipalName of the Azure AD application
String
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name. Creates an assignment that is effective at the specified resource group. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
ResourceName
- Name of the resource to assign the role to.
+ The resource name. For e.g. storageaccountprod. Should only be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
String
ResourceType
- Type of the resource to assign the role to.
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Should only be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
String
ParentResource
- Parent resource of the resource to assign the role to, if there is any.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- New-AzureRmRoleAssignment
-
- ServicePrincipalName
-
- SPN of the service principal.
-
- String
-
-
- Scope
-
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- New-AzureRmRoleAssignment
-
- ServicePrincipalName
-
- SPN of the service principal.
+ The parent resource in the hierarchy(of the resource specified using ResourceName parameter). Should only be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
-
- Profile
-
-
-
- AzureProfile
-
-
-
- New-AzureRmRoleAssignment
-
- ServicePrincipalName
-
- SPN of the service principal.
-
- String
-
-
- ResourceGroupName
-
- Resource group to assign the role to.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Profile
-
-
-
- AzureProfile
-
ObjectId
- Object id of the user, group or service principal.
+ Azure AD Objectid of the user, group or service principal.
Guid
@@ -6463,7 +6119,8 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
Scope
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ The Scope of the role assignment. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will create the role assignment at subscription level. If specified, it should start with "/subscriptions/{id}".
+
String
@@ -6475,7 +6132,7 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role that needs to be assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
@@ -6484,22 +6141,10 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
-
- Profile
-
-
-
- AzureProfile
-
- AzureProfile
-
-
-
-
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name. Creates an assignment that is effective at the specified resource group. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
@@ -6511,7 +6156,7 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
ResourceName
- Name of the resource to assign the role to.
+ The resource name. For e.g. storageaccountprod. Should only be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
String
@@ -6523,7 +6168,7 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
ResourceType
- Type of the resource to assign the role to.
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Should only be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
String
@@ -6535,7 +6180,7 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
ParentResource
- Parent resource of the resource to assign the role to, if there is any.
+ The parent resource in the hierarchy(of the resource specified using ResourceName parameter). Should only be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.
String
@@ -6545,9 +6190,9 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
- Mail
+ SignInName
- Mail of the user or group
+ The email address or the user principal name of the user.
String
@@ -6557,9 +6202,9 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
- UserPrincipalName
+ ServicePrincipalName
- UPN of the user.
+ The ServicePrincipalName of the Azure AD application
String
@@ -6568,14 +6213,14 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
-
- ServicePrincipalName
+
+ Profile
- SPN of the service principal.
+
- String
+ azureprofile
- String
+ azureprofile
@@ -6617,13 +6262,39 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
- -------------------------- Create new role assignment using UPN --------------------------
+ -------------- Example 1 -------------
+
+ PS C:\>
+
+ PS C:\> New-AzureRmRoleAssignment -ResourceGroupName rg1 -SignInName allen.young@live.com -RoleDefinitionName Reader
+
+ Grant Reader role access to a user at a resource group scope
+
+
+
+
+
+
+
+
+
+
+
+
+
+ -------------- Example 2 -------------
PS C:\>
- PS C:\> New-AzureRmRoleAssignment -ResourceGroupName rg1 -UPN foo@domain.com -RoleDefinitionName Reader
+ PS C:\> Get-AzureRMADGroup -SearchString "Christine Koch Team"
+
+DisplayName Type ObjectId
+----------- ---- --------
+Christine Koch Team 2f9d4375-cbf1-48e8-83c9-2a0be4cb33fb
+
+PS C:\> New-AzureRmRoleAssignment -ObjectId 2f9d4375-cbf1-48e8-83c9-2a0be4cb33fb -RoleDefinitionName Contributor -ResourceGroupName rg1
- add role assignment to a principal for a resource group using the separate parameters
+ Grant access to a security group
@@ -6637,13 +6308,13 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
- -------------------------- Create new role assignment using Service Principal Name --------------------------
+ -------------- Example 3 -------------
PS C:\>
- PS C:\> New-AzureRmRoleAssignment -ServicePrincipalName 36f81fc3-b00f-48cd-8218-3879f51ff39f -RoleDefinitionName Contributor
+ PS C:\> New-AzureRmRoleAssignment -SignInName john.doe@contoso.com -RoleDefinitionName Owner -Scope "/subscription/86f81fc3-b00f-48cd-8218-3879f51ff362/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"
- add role assignment to a service principal for a subscription.
+ Grant access to a user at a resource (website)
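Review bot: The `-Scope` value in the new Example 3 begins with `/subscription/` (singular), which contradicts the Scope parameter text added elsewhere in this same diff: a specified scope "should start with "/subscriptions/{id}"". How the cmdlet treats a non-conforming scope is not visible here, so a reader copying this Owner assignment may get an error, or possibly an assignment at a scope other than the intended website. I would change the argument to `-Scope "/subscriptions/86f81fc3-b00f-48cd-8218-3879f51ff362/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"`. Since help examples tend to be pasted verbatim, a narrower role than Owner (for instance the Contributor role used in Example 2) would show resource-scoped access just as well.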
@@ -6657,13 +6328,13 @@ PS C:\>New-AzureRmResourceGroupDeployment -ResourceGroupName ContosoRG01 -Tem
- -------------------------- Create new role assignment using explict Scope --------------------------
+ -------------- Example 4 -------------
PS C:\>
- PS C:\> New-AzureRmRoleAssignment -Mail allen.young@live.cn -RoleDefinitionName Owner -Scope "/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"
+ PS C:\> New-AzureRMRoleAssignment -ObjectId 5ac84765-1c8c-4994-94b2-629461bd191b -RoleDefinitionName "Virtual Machine Contributor" -ResourceName Devices-Engineering-ProjectRND -ResourceType Microsoft.Network/virtualNetworks/subnets -ParentResource virtualNetworks/VNET-EASTUS-01 -ResourceGroupName Network
- add role assignment to a principal for a resource using the generic parameter. Since the scope doens't start with "/subscriptions/{id}", the current subscription id will be used
+ Grant access to a group at a nested resource (subnet)
@@ -7746,18 +7417,25 @@ True
Remove-AzureRmRoleAssignment
- Removes a role assignment.
+ Removes a role assignment to the specified principal who is assigned to a particular role at a particular scope.
+ Use the Get-AzureRMRoleAssignment commandlet to retrieve assignments under the subscription
+
Remove
- AzureRoleAssignment
+ AzureRmRoleAssignment
- This is the Description section
- Removes a role assignments.
+ Use the Remove-AzureRmRoleAssignment commandlet to revoke access to any principal at given scope and given role.
+ The object of the assignment i.e. the principal MUST be specified. The principal can be a user (use SignInName or ObjectId parameters to identify a user), security group (use ObjectId parameter to identify a group) or service principal (use ServicePrincipalName or ObjectId parameters to identify a ServicePrincipal.
+ The role that the principal is assigned to MUST be specified using the RoleDefinitionName parameter.
+ The scope of the assignment MAY be specified and if not specified, defaults to the subscription scope i.e. it will try to delete an assignment to the specified principal and role at the subscription scope. The scope of the assignment can be specified using one of the following parameters.
+a. Scope - This is the fully qualified scope starting with /subscriptions/<subscriptionId>
+b. ResourceGroupName - Name of any resource group under the subscription.
+c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - Identifies a particular resource under the subscription.
@@ -7765,72 +7443,113 @@ True
ObjectId
- Object id of the user, group or service principal.
+ Azure AD ObjectId of the user, group or service principal.
Guid
- Mail
+ Scope
- Mail of the user or group
+ The Scope of the role assignment to be deleted. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will attempt to delete the role at subscription level. If specified, it should start with "/subscriptions/{id}".
String
-
- UserPrincipalName
+
+ RoleDefinitionName
- UPN of the user.
+ Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
-
- ServicePrincipalName
+
+ Force
- SPN of the service principal.
+ If specified, the command does not prompt for a confirmation before deleting the role assignment.
- String
+ SwitchParameter
-
- ResourceGroupName
+
+ PassThru
- Resource group to assign the role to.
+ If specified, displays the deleted role assignment
- String
+ SwitchParameter
+
+
+
+ Remove-AzureRmRoleAssignment
+
+ ObjectId
+
+ Azure AD ObjectId of the user, group or service principal.
+
+ Guid
- Scope
+ ResourceGroupName
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ The resource group name that the role is assigned to. Attempts to delete an assignment at the specified resource group scope. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
Force
-
+ If specified, the command does not prompt for a confirmation before deleting the role assignment.
SwitchParameter
PassThru
-
+ If specified, displays the deleted role assignment
SwitchParameter
+
+
+ Remove-AzureRmRoleAssignment
+
+ ObjectId
+
+ Azure AD ObjectId of the user, group or service principal.
+
+ Guid
+
+
+ Scope
+
+ The Scope of the role assignment to be deleted. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will attempt to delete the role at subscription level. If specified, it should start with "/subscriptions/{id}".
+
+ String
+
+
+ RoleDefinitionName
+
+ Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.
+
+ String
+
- Profile
+ Force
-
+ If specified, the command does not prompt for a confirmation before deleting the role assignment.
- AzureProfile
+ SwitchParameter
+
+
+ PassThru
+
+ If specified, displays the deleted role assignment
+
+ SwitchParameter
@@ -7838,873 +7557,336 @@ True
ObjectId
- Object id of the user, group or service principal.
+ Azure AD ObjectId of the user, group or service principal.
Guid
-
+
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name that the role is assigned to. Attempts to delete an assignment at the specified resource group scope. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
ResourceName
- Name of the resource to assign the role to.
+ The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters, to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that scope.
String
ResourceType
- Type of the resource to assign the role to.
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that resource scope.
String
ParentResource
- Parent resource of the resource to assign the role to, if there is any.
+ The parent resource in the hierarchy(of the resource specified using ResourceName parameter), if any. Must be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource.
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
Force
-
+ If specified, the command does not prompt for a confirmation before deleting the role assignment.
SwitchParameter
PassThru
-
+ If specified, displays the deleted role assignment
SwitchParameter
-
- Profile
-
-
-
- AzureProfile
-
Remove-AzureRmRoleAssignment
- ObjectId
+ SignInName
- Object id of the user, group or service principal.
+ The email address or the user principal name of the user.
- Guid
+ String
- ResourceGroupName
+ Scope
- Resource group to assign the role to.
+ The Scope of the role assignment to be deleted. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will attempt to delete the role at subscription level. If specified, it should start with "/subscriptions/{id}".
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
Force
-
+ If specified, the command does not prompt for a confirmation before deleting the role assignment.
SwitchParameter
PassThru
-
+ If specified, displays the deleted role assignment
SwitchParameter
-
- Profile
-
-
-
- AzureProfile
-
Remove-AzureRmRoleAssignment
- ObjectId
+ SignInName
- Object id of the user, group or service principal.
+ The email address or the user principal name of the user.
- Guid
+ String
- Scope
+ ResourceGroupName
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ The resource group name that the role is assigned to. Attempts to delete an assignment at the specified resource group scope. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
Force
-
+ If specified, the command does not prompt for a confirmation before deleting the role assignment.
SwitchParameter
PassThru
-
+ If specified, displays the deleted role assignment
SwitchParameter
-
- Profile
-
-
-
- AzureProfile
-
Remove-AzureRmRoleAssignment
- ObjectId
+ SignInName
- Object id of the user, group or service principal.
+ The email address or the user principal name of the user.
- Guid
+ String
- RoleDefinitionName
+ ResourceGroupName
- Role to assign the principals with.
+ The resource group name that the role is assigned to. Attempts to delete an assignment at the specified resource group scope. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
-
- Force
-
-
-
- SwitchParameter
-
-
- PassThru
-
-
-
- SwitchParameter
-
-
- Profile
+
+ ResourceName
-
+ The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters, to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that scope.
- AzureProfile
+ String
-
-
- Remove-AzureRmRoleAssignment
-
- Mail
+
+ ResourceType
- Mail of the user or group
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that resource scope.
String
- ResourceGroupName
+ ParentResource
- Resource group to assign the role to.
+ The parent resource in the hierarchy(of the resource specified using ResourceName parameter), if any. Must be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource.
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
Force
-
+ If specified, the command does not prompt for a confirmation before deleting the role assignment.
SwitchParameter
PassThru
-
+ If specified, displays the deleted role assignment
SwitchParameter
-
- Profile
-
-
-
- AzureProfile
-
Remove-AzureRmRoleAssignment
-
- Mail
+
+ ServicePrincipalName
- Mail of the user or group
+ The ServicePrincipalName of the Azure AD application
String
-
+
ResourceGroupName
- Resource group to assign the role to.
+ The resource group name that the role is assigned to. Attempts to delete an assignment at the specified resource group scope. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
ResourceName
- Name of the resource to assign the role to.
+ The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters, to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that scope.
String
ResourceType
- Type of the resource to assign the role to.
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that resource scope.
String
ParentResource
- Parent resource of the resource to assign the role to, if there is any.
+ The parent resource in the hierarchy(of the resource specified using ResourceName parameter), if any. Must be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource.
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
Force
-
+ If specified, the command does not prompt for a confirmation before deleting the role assignment.
SwitchParameter
PassThru
-
+ If specified, displays the deleted role assignment
SwitchParameter
-
- Profile
-
-
-
- AzureProfile
-
Remove-AzureRmRoleAssignment
-
- Mail
+
+ ServicePrincipalName
- Mail of the user or group
+ The ServicePrincipalName of the Azure AD application
String
- Scope
+ ResourceGroupName
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ The resource group name that the role is assigned to. Attempts to delete an assignment at the specified resource group scope. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
Force
-
+ If specified, the command does not prompt for a confirmation before deleting the role assignment.
SwitchParameter
PassThru
-
+ If specified, displays the deleted role assignment
SwitchParameter
-
- Profile
-
-
-
- AzureProfile
-
Remove-AzureRmRoleAssignment
+
+ ServicePrincipalName
+
+ The ServicePrincipalName of the Azure AD application
+
+ String
+
- Mail
+ Scope
- Mail of the user or group
+ The Scope of the role assignment to be deleted. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will attempt to delete the role at subscription level. If specified, it should start with "/subscriptions/{id}".
String
RoleDefinitionName
- Role to assign the principals with.
+ Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
Force
-
+ If specified, the command does not prompt for a confirmation before deleting the role assignment.
SwitchParameter
PassThru
-
+ If specified, displays the deleted role assignment
SwitchParameter
-
- Profile
-
-
-
- AzureProfile
-
-
-
- Remove-AzureRmRoleAssignment
-
- UserPrincipalName
-
- UPN of the user.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Force
-
-
-
- SwitchParameter
-
-
- PassThru
-
-
-
- SwitchParameter
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- Remove-AzureRmRoleAssignment
-
- UserPrincipalName
-
- UPN of the user.
-
- String
-
-
- ResourceGroupName
-
- Resource group to assign the role to.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Force
-
-
-
- SwitchParameter
-
-
- PassThru
-
-
-
- SwitchParameter
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- Remove-AzureRmRoleAssignment
-
- UserPrincipalName
-
- UPN of the user.
-
- String
-
-
- ResourceGroupName
-
- Resource group to assign the role to.
-
- String
-
-
- ResourceName
-
- Name of the resource to assign the role to.
-
- String
-
-
- ResourceType
-
- Type of the resource to assign the role to.
-
- String
-
-
- ParentResource
-
- Parent resource of the resource to assign the role to, if there is any.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Force
-
-
-
- SwitchParameter
-
-
- PassThru
-
-
-
- SwitchParameter
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- Remove-AzureRmRoleAssignment
-
- UserPrincipalName
-
- UPN of the user.
-
- String
-
-
- Scope
-
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Force
-
-
-
- SwitchParameter
-
-
- PassThru
-
-
-
- SwitchParameter
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- Remove-AzureRmRoleAssignment
-
- ServicePrincipalName
-
- SPN of the service principal.
-
- String
-
-
- ResourceGroupName
-
- Resource group to assign the role to.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Force
-
-
-
- SwitchParameter
-
-
- PassThru
-
-
-
- SwitchParameter
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- Remove-AzureRmRoleAssignment
-
- ServicePrincipalName
-
- SPN of the service principal.
-
- String
-
-
- ResourceGroupName
-
- Resource group to assign the role to.
-
- String
-
-
- ResourceName
-
- Name of the resource to assign the role to.
-
- String
-
-
- ResourceType
-
- Type of the resource to assign the role to.
-
- String
-
-
- ParentResource
-
- Parent resource of the resource to assign the role to, if there is any.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Force
-
-
-
- SwitchParameter
-
-
- PassThru
-
-
-
- SwitchParameter
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- Remove-AzureRmRoleAssignment
-
- ServicePrincipalName
-
- SPN of the service principal.
-
- String
-
-
- Scope
-
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Force
-
-
-
- SwitchParameter
-
-
- PassThru
-
-
-
- SwitchParameter
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- Remove-AzureRmRoleAssignment
-
- ServicePrincipalName
-
- SPN of the service principal.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Force
-
-
-
- SwitchParameter
-
-
- PassThru
-
-
-
- SwitchParameter
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- Remove-AzureRmRoleAssignment
-
- ResourceName
-
- Name of the resource to assign the role to.
-
- String
-
-
- ResourceType
-
- Type of the resource to assign the role to.
-
- String
-
-
- ParentResource
-
- Parent resource of the resource to assign the role to, if there is any.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Force
-
-
-
- SwitchParameter
-
-
- PassThru
-
-
-
- SwitchParameter
-
-
- Profile
-
-
-
- AzureProfile
-
-
-
- Remove-AzureRmRoleAssignment
-
- Scope
-
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
-
- String
-
-
- RoleDefinitionName
-
- Role to assign the principals with.
-
- String
-
-
- Force
-
-
-
- SwitchParameter
-
-
- PassThru
-
-
-
- SwitchParameter
-
-
- Profile
-
-
-
- AzureProfile
-
ObjectId
- Object id of the user, group or service principal.
+ Azure AD ObjectId of the user, group or service principal.
Guid
@@ -8714,9 +7896,9 @@ True
- Mail
+ Scope
- Mail of the user or group
+ The Scope of the role assignment to be deleted. In the format of relative URI. For e.g. "/subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG". If not specified, will attempt to delete the role at subscription level. If specified, it should start with "/subscriptions/{id}".
String
@@ -8725,10 +7907,10 @@ True
-
- UserPrincipalName
+
+ RoleDefinitionName
- UPN of the user.
+ Name of the RBAC role for which the assignment needs to be deleted i.e. Reader, Contributor, Virtual Network Administrator, etc.
String
@@ -8737,34 +7919,34 @@ True
-
- ServicePrincipalName
+
+ Force
- SPN of the service principal.
+ If specified, the command does not prompt for a confirmation before deleting the role assignment.
- String
+ SwitchParameter
- String
+ SwitchParameter
-
- ResourceGroupName
+
+ PassThru
- Resource group to assign the role to.
+ If specified, displays the deleted role assignment
- String
+ SwitchParameter
- String
+ SwitchParameter
- Scope
+ ResourceGroupName
- Scope of the role assignment. In the format of relative URI. If not specified, will assign the role at subscription level. If specified, it can either start with "/subscriptions/{id}" or the part after that. If it's latter, the current subscription id will be used.
+ The resource group name that the role is assigned to. Attempts to delete an assignment at the specified resource group scope. When used in conjunction with ResourceName, ResourceType and (optionally)ParentResource parameters, the command constructs a hierarchical scope in the form of a relative URI that identifies a resource.
String
@@ -8774,9 +7956,9 @@ True
- RoleDefinitionName
+ ResourceName
- Role to assign the principals with.
+ The resource name. For e.g. storageaccountprod. Must be used in conjunction with ResourceGroupName, ResourceType and (optionally)ParentResource parameters, to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that scope.
String
@@ -8785,46 +7967,34 @@ True
-
- Force
-
-
-
- SwitchParameter
-
- SwitchParameter
-
-
-
-
-
- PassThru
+
+ ResourceType
-
+ The resource type. For e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource and delete an assignment at that resource scope.
- SwitchParameter
+ String
- SwitchParameter
+ String
-
- Profile
+
+ ParentResource
-
+ The parent resource in the hierarchy(of the resource specified using ResourceName parameter), if any. Must be used in conjunction with ResourceGroupName, ResourceType and ResourceName parameters to construct a hierarchical scope in the form of a relative URI that identifies the resource.
- AzureProfile
+ String
- AzureProfile
+ String
- ResourceName
+ SignInName
- Name of the resource to assign the role to.
+ The email address or the user principal name of the user.
String
@@ -8834,9 +8004,9 @@ True
- ResourceType
+ ServicePrincipalName
- Type of the resource to assign the role to.
+ The ServicePrincipalName of the Azure AD application
String
@@ -8845,14 +8015,14 @@ True
-
- ParentResource
+
+ Profile
- Parent resource of the resource to assign the role to, if there is any.
+
- String
+ azureprofile
- String
+ azureprofile
@@ -8894,13 +8064,33 @@ True
- -------------------------- Removes role assignment using UPN, Role Definition and Resource Group --------------------------
+ -------------- Example 1 -------------
+
+ PS C:\>
+
+ PS C:\> Remove-AzureRmRoleAssignment -ResourceGroupName rg1 -SignInName john.doe@contoso.com -RoleDefinitionName Reader
+
+ Removes a role assignment for john.doe@contoso.com who is assigned to the Reader role at the rg1 resourcegroup scope.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ -------------- Example 2 -------------
PS C:\>
- PS C:\> Remove-AzureRmRoleAssignment -ResourceGroupName rg1 -UPN foo@domain.com -RoleDefinitionName Reader
+ PS C:\> Remove-AzureRmRoleAssignment -ObjectId 36f81fc3-b00f-48cd-8218-3879f51ff39f -RoleDefinitionName Reader
- Removes a role assignment for principal in a resource group that have Reader role definition
+ Removes the role assignment to the group principal identified by the ObjectId and assigned to the Reader role. Defaults to using the current subscription as the scope to find the assignment to be deleted.
diff --git a/src/ResourceManager/Resources/Commands.Resources/ResourceManagerStartup.ps1 b/src/ResourceManager/Resources/Commands.Resources/ResourceManagerStartup.ps1
index cf030ed34086..bdb140883a2c 100644
--- a/src/ResourceManager/Resources/Commands.Resources/ResourceManagerStartup.ps1
+++ b/src/ResourceManager/Resources/Commands.Resources/ResourceManagerStartup.ps1
@@ -30,6 +30,83 @@
# This commandlet gets all events for the "Microsoft.Authorization" resource provider by calling the "Get-AzureRmResourceProviderLog" commandlet
function Get-AzureRmAuthorizationChangeLog {
+<#
+
+.SYNOPSIS
+
+Gets access change history for the selected subscription for the specified time range i.e. role assignments that were added or removed, including classic administrators (co-administrators and service administrators).
+Maximum duration that can be queried is 15 days (going back up to past 90 days).
+
+
+.DESCRIPTION
+
+The Get-AzureRmAuthorizationChangeLog produces a report of who granted (or revoked) what role to whom at what scope within the subscription for the specified time range.
+
+The command queries all role assignment events from the Insights resource provider of Azure Resource Manager. Specifying the time range is optional. If both StartTime and EndTime parameters are not specified, the default query interval is the past 1 hour. Maximum duration that can be queried is 15 days (going back up to past 90 days).
+
+
+.PARAMETER StartTime
+
+Start time of the query. Optional.
+
+
+.PARAMETER EndTime
+
+End time of the query. Optional
+
+
+.EXAMPLE
+
+Get-AzureRmAuthorizationChangeLog
+
+Gets the access change logs for the past hour.
+
+
+.EXAMPLE
+
+Get-AzureRmAuthorizationChangeLog -StartTime "09/20/2015 15:00" -EndTime "09/24/2015 15:00"
+
+Gets all access change logs between the specified dates
+
+Timestamp : 2015-09-23 21:52:41Z
+Caller : admin@rbacCliTest.onmicrosoft.com
+Action : Revoked
+PrincipalId : 54401967-8c4e-474a-9fbb-a42073f1783c
+PrincipalName : testUser
+PrincipalType : User
+Scope : /subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/testresource
+ScopeName : testresource
+ScopeType : Resource
+RoleDefinitionId : /subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c
+RoleName : Contributor
+
+
+.EXAMPLE
+
+Get-AzureRmAuthorizationChangeLog -StartTime ([DateTime]::Now - [TimeSpan]::FromDays(5)) -EndTime ([DateTime]::Now) | FT Caller, Action, RoleName, PrincipalName, ScopeType
+
+Gets access change logs for the past 5 days and format the output
+
+Caller Action RoleName PrincipalName ScopeType
+------ ------ -------- ------------- ---------
+admin@contoso.com Revoked Contributor User1 Subscription
+admin@contoso.com Granted Reader User1 Resource Group
+admin@contoso.com Revoked Contributor Group1 Resource
+
+.LINK
+
+New-AzureRmRoleAssignment
+
+.LINK
+
+Get-AzureRmRoleAssignment
+
+.LINK
+
+Remove-AzureRmRoleAssignment
+
+#>
+
[CmdletBinding()]
param(
[parameter(Mandatory=$false, ValueFromPipelineByPropertyName=$true, HelpMessage = "The start time. Optional
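Review bot: The sample output under the second `.EXAMPLE` embeds what look like real identifiers: the subscription GUID inside `Scope` and `RoleDefinitionId`, the `PrincipalId`, and the caller `admin@rbacCliTest.onmicrosoft.com`. Shipped help text should not carry tenant-specific values, so I would replace them with obvious placeholders such as `Scope : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/TestRG/...` and `Caller : admin@contoso.com`, which matches the third example. Separately, since this report is used to audit access changes, `.PARAMETER StartTime` and `.PARAMETER EndTime` should state what happens when only one of them is supplied. They should also say whether a value like `"09/20/2015 15:00"` is read as local time or UTC, given that the sample `Timestamp` is printed with a `Z` suffix. The param block continues outside this hunk, so the actual defaults and parameter types cannot be confirmed from here.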
@@ -42,7 +119,7 @@ function Get-AzureRmAuthorizationChangeLog {
)
PROCESS {
# Get all events for the "Microsoft.Authorization" provider by calling the Insights commandlet
- $events = Get-AzureRmResourceProviderLog -ResourceProvider "Microsoft.Authorization" -DetailedOutput -StartTime $StartTime -EndTime $EndTime
+ $events = Get-AzureRmLog -ResourceProvider "Microsoft.Authorization" -DetailedOutput -StartTime $StartTime -EndTime $EndTime
$startEvents = @{}
$endEvents = @{}