How to get the list of users who have Owner access to an Azure subscription using Python

Question:

I am trying to get the list of users who have Owner access to a subscription.

I tried checking the Python Azure SDK, but I am not finding any API that provides this functionality.

A subscription list API is available, but it does not provide details of the users who have access to a particular subscription.

I tried the below code

from azure.mgmt.resource import SubscriptionClient

# 'credentials' is an Azure credential object created earlier (e.g. a service principal credential)
subscriptionClient = SubscriptionClient(credentials)
for subscription in subscriptionClient.subscriptions.list():
    print(subscription)

Any help would be appreciated

Asked By: Marshall Kiruba


Answers:

Azure Python SDK

If you’re looking to use the Azure Python SDK then you should use AuthorizationManagementClient class

You can try to get RoleAssignments for your subscription at the scope of subscription itself.

I work closely with C#, so don’t have Python code handy, but will try to update back with Python code a little later.

UPDATE

Here’s a sample code. I hope this gives you enough to proceed.

from azure.mgmt.authorization import AuthorizationManagementClient

# 'credentials' is the same credential object used for SubscriptionClient in the question
authorizationClient = AuthorizationManagementClient(credentials, '<your subscription guid>')

# lists every role assignment visible in the subscription; each item carries
# role_definition_id, principal_id and scope
roles = authorizationClient.role_assignments.list()
for role in roles:
    print(role)

REST API

If you want to directly call the REST API from code, use the Microsoft.Authorization/roleAssignments REST API.

GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version=2018-01-01-preview

{scope} will be subscriptions/<your subscriptionId> to fetch roleAssignments at the subscription level.

Here is an example request to this API and response.

To find all the users who have been explicitly assigned “Owner” role at the subscription level

Request:

GET https://management.azure.com/subscriptions/{my subscription GUID}/providers/Microsoft.Authorization/roleAssignments?api-version=2018-01-01-preview

Response:

Notice that the roleDefinitionId in the response ends in "8e3af657-a8ff-443c-a75c-2fe8c4bcb635". This corresponds to the built-in Owner role.

{
  "value": [
    {
      "properties": {
        "roleDefinitionId": "/subscriptions/{my Subscription GUID}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        "principalId": "{some user GUID}",
        "principalType": "User",
        "scope": "/subscriptions/{my Subscription GUID}",
        "createdOn": "2018-10-03T05:12:52.7213301Z",
        "updatedOn": "2018-10-03T05:12:52.7213301Z",
        "createdBy": "GUID",
        "updatedBy": "GUID"
      },
      "id": "/subscriptions/{my Subscription GUID}/providers/Microsoft.Authorization/roleAssignments/83eee76b-4a0d-4f61-8c62-409501e95457",
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "83eee76b-4a0d-4f61-8c62-409501e95457"
    }
  ]
}

Once you get the response, it will contain role definition IDs instead of exact names. For all built-in roles, you can know beforehand which role an ID refers to by visiting the Microsoft documentation. E.g. the ID for the Owner role is "8e3af657-a8ff-443c-a75c-2fe8c4bcb635".

Answered By: Rohit Saigal
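As an added example (not code from the answers above or from the Azure SDK), the following turns a roleAssignments response of the shape shown in the answer into the list of subscription Owners. It handles three things the raw listing does not do for you: it follows nextLink paging, it separates assignments made on the subscription itself from ones inherited from a management group, and it keeps non-user principals (groups, service principals) visible rather than dropping them, since a group with Owner grants every member Owner. The subscription ID, the http_get callable and the sample pages are constructed stand-ins; the Owner and Contributor role definition GUIDs are the documented built-in ones.

```python
"""Filter an Azure roleAssignments listing down to the principals that hold Owner
on one subscription. Added example with constructed sample data; the only real
Azure facts used are the response shape and the two built-in role GUIDs."""
from typing import Callable, Dict, Iterator, List

OWNER_ROLE_DEFINITION_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"        # built-in Owner
CONTRIBUTOR_ROLE_DEFINITION_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"  # built-in Contributor

SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
FIRST_URL = (f"https://management.azure.com/subscriptions/{SUBSCRIPTION_ID}"
             "/providers/Microsoft.Authorization/roleAssignments?api-version=2018-01-01-preview")


def iterate_pages(first_url: str, http_get: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every assignment, following 'nextLink' until a page has none."""
    url = first_url
    while url:
        page = http_get(url)
        for item in page.get("value", []):
            yield item
        url = page.get("nextLink")


def is_role(assignment: dict, role_definition_guid: str) -> bool:
    """Compare the trailing GUID of roleDefinitionId. Built-in roles appear under
    /subscriptions/{id}/... at subscription scope but under a tenant-level path for
    management-group assignments, so a suffix match is used instead of the full path."""
    role_def = assignment["properties"]["roleDefinitionId"]
    return role_def.rsplit("/", 1)[-1].lower() == role_definition_guid.lower()


def find_owners(assignments: Iterator[dict], subscription_id: str) -> Dict[str, List[dict]]:
    """Split Owner assignments into those made at the subscription scope ('direct')
    and those inherited from a parent scope ('inherited'); assignments below the
    subscription (resource groups, resources) are not subscription owners and are dropped."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    direct: List[dict] = []
    inherited: List[dict] = []
    for a in assignments:
        if not is_role(a, OWNER_ROLE_DEFINITION_ID):
            continue
        props = a["properties"]
        entry = {"principalId": props["principalId"],
                 "principalType": props.get("principalType", "Unknown"),
                 "scope": props["scope"]}
        scope = props["scope"].lower()
        if scope == sub_scope:
            direct.append(entry)
        elif scope.startswith(sub_scope + "/"):
            continue
        else:
            inherited.append(entry)
    return {"direct": direct, "inherited": inherited}


# ---- constructed sample response, same field layout as the answer's JSON ----
def _assignment(name: str, role_guid: str, principal_id: str, principal_type: str, scope: str) -> dict:
    if scope.lower().startswith("/subscriptions/"):
        role_def = f"/subscriptions/{SUBSCRIPTION_ID}/providers/Microsoft.Authorization/roleDefinitions/{role_guid}"
    else:
        role_def = f"/providers/Microsoft.Authorization/roleDefinitions/{role_guid}"
    return {"id": f"{scope}/providers/Microsoft.Authorization/roleAssignments/{name}",
            "name": name, "type": "Microsoft.Authorization/roleAssignments",
            "properties": {"roleDefinitionId": role_def, "principalId": principal_id,
                           "principalType": principal_type, "scope": scope}}


SECOND_URL = FIRST_URL + "&$skipToken=page2"
SAMPLE_PAGES = {
    FIRST_URL: {
        "value": [
            _assignment("a1", OWNER_ROLE_DEFINITION_ID, "user-owner-guid", "User", f"/subscriptions/{SUBSCRIPTION_ID}"),
            _assignment("a2", CONTRIBUTOR_ROLE_DEFINITION_ID, "user-contributor-guid", "User", f"/subscriptions/{SUBSCRIPTION_ID}"),
            _assignment("a3", OWNER_ROLE_DEFINITION_ID, "rg-owner-guid", "User", f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-prod"),
        ],
        "nextLink": SECOND_URL,
    },
    SECOND_URL: {
        "value": [
            _assignment("a4", OWNER_ROLE_DEFINITION_ID, "group-owner-guid", "Group", f"/subscriptions/{SUBSCRIPTION_ID}"),
            _assignment("a5", OWNER_ROLE_DEFINITION_ID, "mg-owner-guid", "User", "/providers/Microsoft.Management/managementGroups/contoso"),
        ],
    },
}


def fake_http_get(url: str) -> dict:
    """Stand-in for an authenticated GET against management.azure.com."""
    return SAMPLE_PAGES[url]


def subscription_owners(http_get: Callable[[str], dict] = fake_http_get) -> Dict[str, List[dict]]:
    return find_owners(iterate_pages(FIRST_URL, http_get), SUBSCRIPTION_ID)


if __name__ == "__main__":
    import json
    print(json.dumps(subscription_owners(), indent=2))
```

Against a real subscription, pass `lambda url: requests.get(url, headers={"Authorization": f"Bearer {token}"}).json()` as `http_get` with a token scoped to https://management.azure.com/. The result still only gives principal object IDs; the roleAssignments API does not return display names, so mapping IDs to people (and expanding group members) needs a separate directory lookup.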

This PowerShell command:

(Get-AzureRmRoleAssignment -RoleDefinitionId "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" -Scope "/subscriptions/<your azure sub ID>" | where {($_.ObjectType -EQ "user") -and ($_.Scope -EQ "/subscriptions/<your azure sub ID>") }  ) | select DisplayName,SignInName

will return all Azure AD users with subscription owner role.

I tried capturing the network traffic of this PS command, and it calls multiple REST APIs to finish this process.
You can host this command in Azure App Service WebJobs, Azure Functions or Azure Automation and expose a webhook to get the user list when you need it.
Hope it helps.

Answered By: Stanley Gong

Late, but this could be helpful to someone else. Here is code in Python to find the number of Owners in a subscription:

from azure.mgmt.authorization import AuthorizationManagementClient

# 'credentials' is an Azure credential object created earlier
authorizationClient = AuthorizationManagementClient(credentials, '<your subscription guid>')

def number_of_owners(client):
    """Print and return the principal IDs holding the built-in Owner role at subscription scope."""
    owners_list = []
    subscription_scope = '/subscriptions/<your subscription guid>'
    owner_role = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'  # this is the ID for the Owner role in Azure

    # atScope() returns assignments made at the subscription (and inherited from above),
    # but not those made on resource groups or resources below it
    roles = client.role_assignments.list_for_scope(
        scope=subscription_scope,
        filter='atScope()'
    )

    for role in roles:
        # each listed assignment already carries its role definition and principal,
        # so no extra get() call per assignment is needed
        role_definition_id = role.properties.role_definition_id
        if role_definition_id.endswith(owner_role):
            owners_list.append(role.properties.principal_id)

    print(len(owners_list))
    return owners_list

number_of_owners(authorizationClient)

Answered By: colbydh