Export Custom Roles from Azure
The script below enables you to quickly export all your custom roles from Azure to either JSON or YAML files.
It will loop through all the subscriptions you have access to and get the custom roles.
By default it will write one JSON file for each custom role.
e.g.
.\export-azroledefinitions.ps1
Or you can use the parameters to either get YAML files or to combine all roles into one file.
e.g.
.\export-azroledefinitions.ps1 -useYaml $true -singleFile $true
export-azroledefinitions.ps1
### Read custom roles from azure and save to json or yaml file
# Requires the Az.Resources module (Get-AzContext, Get-AzRoleDefinition) and an
# existing Connect-AzAccount session; -useYaml additionally needs the
# powershell-yaml module, which provides ConvertTo-Yaml.
param (
    [boolean] $useYaml = $false,
    [boolean] $singleFile = $false
)

$CustomRoles = [System.Collections.Generic.List[pscustomobject]]::new()
# used to ensure no duplicates, as a role definition created at management group
# scope is returned by every subscription underneath that management group
[hashtable] $CustomRolesHash = @{}

# get custom roles from all subscriptions
foreach ($context in Get-AzContext -ListAvailable) {
    Write-Host "Processing Subscription $($context.Subscription.Name)"
    $result = Get-AzRoleDefinition -Custom -DefaultProfile $context -WarningAction SilentlyContinue
    foreach ($role in $result) {
        if (-not $CustomRolesHash.ContainsKey($role.Id)) {
            $CustomRolesHash[$role.Id] = 1
            $CustomRoles.Add($role)
        }
        # otherwise already loaded from another subscription
    }
}

# Write output files (YAML is only produced when asked for, so powershell-yaml
# is not needed for a JSON export)
if ($singleFile) {
    $jsonData = ($CustomRoles | Sort-Object -Property Name | ConvertTo-Json)
    if ($useYaml) {
        Write-Host "Writing to file: customRoles.yaml"
        ($jsonData | ConvertFrom-Json | ConvertTo-Yaml) | Out-File "customRoles.yaml"
    } else {
        Write-Host "Writing to file: customRoles.json"
        $jsonData | Out-File "customRoles.json"
    }
} else {
    foreach ($role in $CustomRoles) {
        $jsonData = ($role | ConvertTo-Json)
        if ($useYaml) {
            Write-Host "Writing to file: customRoles_$($role.Name).yaml"
            ($jsonData | ConvertFrom-Json | ConvertTo-Yaml) | Out-File "customRoles_$($role.Name).yaml"
        } else {
            Write-Host "Writing to file: customRoles_$($role.Name).json"
            $jsonData | Out-File "customRoles_$($role.Name).json"
        }
    }
}
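Once the roles are in a file, the export is a good place to review what each role actually grants before it is committed to source control. The script below is an added example and not part of the original post: it reads a JSON export in the shape written by the script above and flags actions that deserve a second look (full wildcards, anything that can modify RBAC itself, provider-level wildcards) plus roles assignable at the tenant root. The input is the post's own two-role sample, embedded as a constructed string so the check runs offline; the pattern list, severities and function names are assumptions of this example, not an official Azure list.

```powershell
# Added example (not from the original post): review an exported custom-role file
# for high-impact permissions. Replace $sampleJson with
# (Get-Content customRoles.json -Raw) to run it against a real export.
$sampleJson = @'
[
  {
    "Name": "Osservante RBAC - Apply",
    "Id": "e8dc5efd-d2c2-4655-900c-688c4d0217c2",
    "IsCustom": true,
    "Description": "Manage RBAC and Tags",
    "Actions": [
      "Microsoft.Authorization/roleAssignments/*",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
      "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
      "Microsoft.Resources/subscriptions/resources/read",
      "Microsoft.Resources/tags/*"
    ],
    "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": [ "/providers/Microsoft.Management/managementGroups/OSX-MG-MAIN" ]
  },
  {
    "Name": "Osservante RBAC - Read",
    "Id": "97845fef-1b3e-4196-9534-d441fab688ec",
    "IsCustom": true,
    "Description": "Manage RBAC and Tags",
    "Actions": [
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
      "Microsoft.Resources/subscriptions/resources/read",
      "Microsoft.Resources/tags/read"
    ],
    "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": [ "/providers/Microsoft.Management/managementGroups/OSX-MG-MAIN" ]
  }
]
'@

# Constructed, non-exhaustive list. Patterns are tried in order and the first match
# wins, so the more specific (higher severity) entries come first. -match is
# case-insensitive, which suits ARM operation names.
$reviewPatterns = @(
    @{ Severity = 'High';   Pattern = '^\*$';                                            Reason = 'Full wildcard: every control-plane action' }
    @{ Severity = 'High';   Pattern = '^Microsoft\.Authorization/.*(\*|write|delete)$'; Reason = 'Can change RBAC itself (role assignments or definitions)' }
    @{ Severity = 'Medium'; Pattern = '/\*$';                                            Reason = 'Provider-level wildcard: future operations are granted automatically' }
)

function Get-RoleReviewFindings {
    # Returns one finding object per flagged action or scope; nothing for clean roles.
    param ([Parameter(Mandatory)] [object[]] $Roles)
    foreach ($role in $Roles) {
        # A role assignable at "/" cannot be contained by management-group scoping.
        if (@($role.AssignableScopes) -contains '/') {
            [pscustomobject]@{ Role = $role.Name; Severity = 'High'; Item = 'AssignableScopes: /'; Reason = 'Assignable at tenant root' }
        }
        # Check control-plane and data-plane actions alike; drop nulls from missing properties.
        $actions = @(@($role.Actions) + @($role.DataActions) | Where-Object { $_ })
        foreach ($action in $actions) {
            foreach ($check in $reviewPatterns) {
                if ($action -match $check.Pattern) {
                    [pscustomobject]@{ Role = $role.Name; Severity = $check.Severity; Item = $action; Reason = $check.Reason }
                    break
                }
            }
        }
    }
}

$findings = Get-RoleReviewFindings -Roles ($sampleJson | ConvertFrom-Json)
$findings | Sort-Object Severity, Role | Format-Table -AutoSize
```

Run against the sample, the "Apply" role produces two findings (High for Microsoft.Authorization/roleAssignments/*, Medium for Microsoft.Resources/tags/*) and the "Read" role produces none. A finding is a prompt for a reviewer, not a verdict: a role that manages role assignments may be exactly what is intended, but it should be an explicit decision recorded with the role in source control.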
Output
The JSON or YAML file(s) will be created in the same folder you run the script in.
Example combined file (the -singleFile $true output) with two custom roles, first as YAML and then as JSON.
YAML:
---
- Name: Osservante RBAC - Apply
  Id: e8dc5efd-d2c2-4655-900c-688c4d0217c2
  IsCustom: true
  Description: Manage RBAC and Tags
  Actions:
  - Microsoft.Authorization/roleAssignments/*
  - Microsoft.Resources/subscriptions/resourceGroups/read
  - Microsoft.Resources/subscriptions/resourceGroups/write
  - Microsoft.Resources/subscriptions/resourceGroups/resources/read
  - Microsoft.Resources/subscriptions/resources/read
  - Microsoft.Resources/tags/*
  NotActions: []
  DataActions: []
  NotDataActions: []
  AssignableScopes:
  - /providers/Microsoft.Management/managementGroups/OSX-MG-MAIN
- Name: Osservante RBAC - Read
  Id: 97845fef-1b3e-4196-9534-d441fab688ec
  IsCustom: true
  Description: Manage RBAC and Tags
  Actions:
  - Microsoft.Authorization/roleAssignments/read
  - Microsoft.Resources/subscriptions/resourceGroups/read
  - Microsoft.Resources/subscriptions/resourceGroups/resources/read
  - Microsoft.Resources/subscriptions/resources/read
  - Microsoft.Resources/tags/read
  NotActions: []
  DataActions: []
  NotDataActions: []
  AssignableScopes:
  - /providers/Microsoft.Management/managementGroups/OSX-MG-MAIN
JSON:
[
  {
    "Name": "Osservante RBAC - Apply",
    "Id": "e8dc5efd-d2c2-4655-900c-688c4d0217c2",
    "IsCustom": true,
    "Description": "Manage RBAC and Tags",
    "Actions": [
      "Microsoft.Authorization/roleAssignments/*",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
      "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
      "Microsoft.Resources/subscriptions/resources/read",
      "Microsoft.Resources/tags/*"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
      "/providers/Microsoft.Management/managementGroups/OSX-MG-MAIN"
    ]
  },
  {
    "Name": "Osservante RBAC - Read",
    "Id": "97845fef-1b3e-4196-9534-d441fab688ec",
    "IsCustom": true,
    "Description": "Manage RBAC and Tags",
    "Actions": [
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
      "Microsoft.Resources/subscriptions/resources/read",
      "Microsoft.Resources/tags/read"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
      "/providers/Microsoft.Management/managementGroups/OSX-MG-MAIN"
    ]
  }
]
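An export in this format is also a baseline you can check the tenant against later: if someone widens a custom role in the portal, the file no longer matches what is live. The script below is an added example, not part of the original post. It reads a combined export (customRoles.json, as written by export-azroledefinitions.ps1 -singleFile $true), looks each role up by its Id with Get-AzRoleDefinition, and reports any property whose content differs. It assumes the Az.Resources module and an existing Connect-AzAccount session; the file name, the tracked property list and the function names are assumptions of this example.

```powershell
# Added example (not from the original post): detect drift between an exported
# custom-role file and the definitions currently live in Azure.
param (
    [string] $ExportFile = "customRoles.json"   # assumed: output of -singleFile $true
)

# Properties whose drift matters for least privilege.
$trackedProperties = 'Actions', 'NotActions', 'DataActions', 'NotDataActions', 'AssignableScopes'

function Get-NormalisedList {
    # Order-independent, case-insensitive, de-duplicated form of a list, so a
    # reordered or differently-cased list is not reported as a change.
    param ([object[]] $Items)
    $clean = @($Items) | ForEach-Object { "$_".Trim().ToLowerInvariant() } | Where-Object { $_ } | Sort-Object -Unique
    return (@($clean) -join "`n")
}

function Compare-RoleDefinition {
    # Emits one finding per tracked property that differs between the saved and live role.
    param (
        [Parameter(Mandatory)] $Saved,
        [Parameter(Mandatory)] $Live
    )
    foreach ($prop in $trackedProperties) {
        $before = Get-NormalisedList -Items $Saved.$prop
        $after  = Get-NormalisedList -Items $Live.$prop
        if ($before -ne $after) {
            [pscustomobject]@{
                Role     = $Saved.Name
                Property = $prop
                Exported = ($before -replace "`n", ', ')
                Live     = ($after  -replace "`n", ', ')
            }
        }
    }
}

$exported = Get-Content -Path $ExportFile -Raw | ConvertFrom-Json
$findings = foreach ($saved in $exported) {
    # Look the role up by its immutable Id rather than its name; names can be edited.
    $live = Get-AzRoleDefinition -Id $saved.Id -ErrorAction SilentlyContinue
    if (-not $live) {
        [pscustomobject]@{ Role = $saved.Name; Property = '(definition)'; Exported = 'present'; Live = 'not found' }
        continue
    }
    Compare-RoleDefinition -Saved $saved -Live $live
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled job or pipeline step fails on drift
} else {
    Write-Host "No drift detected between $ExportFile and the live role definitions"
}
```

Because the comparison is order-insensitive, a role whose actions were merely reordered is not reported; a role that gained an action, lost a NotActions entry or acquired a wider AssignableScopes entry is. The non-zero exit code lets the check run unattended and surface drift through whatever already watches your scheduled jobs.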
Now that you have your Azure custom roles exported to code, what next?
If you intend to start deploying Azure custom roles from code, see my other blog post: Deploying Azure Custom Roles from Code