
Export Custom Roles from Azure


The script below enables you to quickly export all your custom roles from Azure to either JSON or YAML files.

It loops through every subscription your current Az login has access to, collects the custom role definitions, and skips any role it has already seen (a role assigned at management-group scope shows up in more than one subscription).

By default it will write one JSON file for each custom role.

e.g.

```powershell
.\export-azroledefinitions.ps1
```

Or you can use the parameters to either get YAML files or to combine all roles into one file, e.g.

```powershell
.\export-azroledefinitions.ps1 -useYaml $true -singleFile $true
```

export-azroledefinitions.ps1

```powershell
### Read custom roles from Azure and save to JSON or YAML file
# Needs the Az.Accounts and Az.Resources modules. ConvertTo-Yaml is not built in;
# it comes from a YAML module such as powershell-yaml, so install one before using -useYaml.

param (
    [boolean] $useYaml = $false,
    [boolean] $singleFile = $false
)

$CustomRoles = [System.Collections.Generic.List[pscustomobject]]::new()
# used to ensure no duplicates, as a role definition may appear in multiple subscriptions
[hashtable] $CustomRolesHash = @{}

# get custom roles from all subscriptions
foreach ($context in Get-AzContext -ListAvailable) {
    Write-Host "Processing Subscription $($context.Subscription.Name)"

    $result = Get-AzRoleDefinition -Custom -DefaultProfile $context -WarningAction SilentlyContinue

    foreach ($role in $result) {
        if (-not $CustomRolesHash.ContainsKey($role.Id)) {
            $CustomRolesHash[$role.Id] = 1
            $CustomRoles.Add($role)
        }
    }
}

# Write output files
if ($singleFile) {
    $jsonData = ($CustomRoles | Sort-Object -Property Name | ConvertTo-Json)

    if ($useYaml) {
        Write-Host "Writing to file: customRoles.yaml"
        $jsonData | ConvertFrom-Json | ConvertTo-Yaml | Out-File "customRoles.yaml"
    } else {
        Write-Host "Writing to file: customRoles.json"
        $jsonData | Out-File "customRoles.json"
    }
} else {
    foreach ($role in $CustomRoles) {
        $jsonData = ($role | ConvertTo-Json)
        # role names may contain characters that are not valid in a file name
        $safeName = $role.Name -replace '[\\/:*?"<>|]', '_'

        if ($useYaml) {
            Write-Host "Writing to file: customRoles_$safeName.yaml"
            $jsonData | ConvertFrom-Json | ConvertTo-Yaml | Out-File "customRoles_$safeName.yaml"
        } else {
            Write-Host "Writing to file: customRoles_$safeName.json"
            $jsonData | Out-File "customRoles_$safeName.json"
        }
    }
}
```

Output

The JSON or YAML file(s) will be created in the same folder you run the script in.

Example combined YAML file (written with -useYaml $true -singleFile $true) containing two custom roles:

```yaml
---
- Name: Osservante RBAC - Apply
  Id: e8dc5efd-d2c2-4655-900c-688c4d0217c2
  IsCustom: true
  Description: Manage RBAC and Tags
  Actions:
  - Microsoft.Authorization/roleAssignments/*
  - Microsoft.Resources/subscriptions/resourceGroups/read
  - Microsoft.Resources/subscriptions/resourceGroups/write
  - Microsoft.Resources/subscriptions/resourceGroups/resources/read
  - Microsoft.Resources/subscriptions/resources/read
  - Microsoft.Resources/tags/*
  NotActions: []
  DataActions: []
  NotDataActions: []
  AssignableScopes:
  - /providers/Microsoft.Management/managementGroups/OSX-MG-MAIN
- Name: Osservante RBAC - Read
  Id: 97845fef-1b3e-4196-9534-d441fab688ec
  IsCustom: true
  Description: Manage RBAC and Tags
  Actions:
  - Microsoft.Authorization/roleAssignments/read
  - Microsoft.Resources/subscriptions/resourceGroups/read
  - Microsoft.Resources/subscriptions/resourceGroups/resources/read
  - Microsoft.Resources/subscriptions/resources/read
  - Microsoft.Resources/tags/read
  NotActions: []
  DataActions: []
  NotDataActions: []
  AssignableScopes:
  - /providers/Microsoft.Management/managementGroups/OSX-MG-MAIN
```

Now that you have your Azure custom roles exported as code, what next?
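A first step most reviewers want is a quick pass over the exported file for permissions that deserve a second look (wildcard actions, actions that can change RBAC itself, roles assignable at tenant root). The script below is an added example, not part of the original post or the export script; the function name Get-AzCustomRoleFinding and the checks it applies are my own choices, and the sample input is constructed from the two roles shown above.

```powershell
# Added example, not part of the original post: review a combined
# customRoles.json written by the export script for permissions that
# deserve a second look before the roles are committed as code.
# Sample input constructed from the two roles shown on this page.
$sampleJson = @'
[
  { "Name": "Osservante RBAC - Apply",
    "Id": "e8dc5efd-d2c2-4655-900c-688c4d0217c2",
    "IsCustom": true,
    "Actions": [ "Microsoft.Authorization/roleAssignments/*",
                 "Microsoft.Resources/subscriptions/resourceGroups/read",
                 "Microsoft.Resources/tags/*" ],
    "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": [ "/providers/Microsoft.Management/managementGroups/OSX-MG-MAIN" ] },
  { "Name": "Osservante RBAC - Read",
    "Id": "97845fef-1b3e-4196-9534-d441fab688ec",
    "IsCustom": true,
    "Actions": [ "Microsoft.Authorization/roleAssignments/read",
                 "Microsoft.Resources/tags/read" ],
    "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": [ "/providers/Microsoft.Management/managementGroups/OSX-MG-MAIN" ] }
]
'@

function Get-AzCustomRoleFinding {
    # Hypothetical helper: returns one object per role listing what a reviewer should check.
    param([Parameter(Mandatory)] [object[]] $Roles)

    foreach ($role in $Roles) {
        $findings = [System.Collections.Generic.List[string]]::new()
        foreach ($action in @($role.Actions) + @($role.DataActions) | Where-Object { $_ }) {
            # A wildcard covers every operation under that path, including ones Azure adds later.
            if ($action.Contains('*')) { $findings.Add("wildcard action: $action") }
            # Write/delete on role assignments or definitions lets the holder change who has what.
            if ($action -match '^Microsoft\.Authorization/role(Assignments|Definitions)/(write|delete|\*)$') {
                $findings.Add("can change RBAC: $action")
            }
        }
        # A role assignable at tenant root ("/") can be assigned at any scope.
        if (@($role.AssignableScopes) -contains '/') { $findings.Add('assignable at root scope') }

        [pscustomobject]@{ Name = $role.Name; Id = $role.Id; Findings = $findings.ToArray() }
    }
}

# For a real export use: $roles = Get-Content .\customRoles.json -Raw | ConvertFrom-Json
$roles = $sampleJson | ConvertFrom-Json
Get-AzCustomRoleFinding -Roles @($roles) | Format-List
```

On the sample, the Apply role is reported for both its wildcard actions and the roleAssignments/* entry, while the Read role produces no findings.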

If you're intending to start deploying Azure custom roles from code, see my other blog post: Deploying Azure Custom Roles from Code.