What would be the best way to export all subscriptions with their RBAC, focusing on AAD groups and resolving user membership? I seem to be lost in the if statement.
Get-AzSubscription | ForEach-Object {
    Write-Verbose -Message "Changing to Subscription $($_.Name)" -Verbose
    $null = Set-AzContext -TenantId $_.TenantId -SubscriptionId $_.Id -Force
    $Name     = $_.Name
    $TenantId = $_.TenantId
    $SubId    = $_.Id    # Get-AzSubscription exposes the id as .Id, not .SubscriptionId

    $ra = Get-AzRoleAssignment -IncludeClassicAdministrators | ForEach-Object {
        # The group test has to be made on the assignment object in the pipeline ($_),
        # not on the cmdlet name
        $assignment = $_
        $base = $assignment | Select-Object RoleDefinitionName, DisplayName, SignInName, ObjectType, Scope,
            @{name='TenantId';expression={$TenantId}},
            @{name='SubscriptionName';expression={$Name}},
            @{name='SubscriptionId';expression={$SubId}}

        if ($assignment.ObjectType -eq 'Group') {
            # Get-AzADGroupMember lists direct members only; nested groups come back with a Group type
            foreach ($member in Get-AzADGroupMember -GroupObjectId $assignment.ObjectId) {
                $base | Select-Object *,
                    @{name='MemberUPN';expression={$member.UserPrincipalName}},
                    @{name='MemberObjectId';expression={$member.Id}}
            }
        }
        else {
            $base | Select-Object *,
                @{name='MemberUPN';expression={$null}},
                @{name='MemberObjectId';expression={$null}}
        }
    }

    # One CSV per subscription, as the original filename intended
    $ra | Export-Csv -Path ".\Export-SubAzRolesGroups-$Name.csv" -NoTypeInformation
}
The easiest / quickest way would probably be to use PowerShell with the Az module: write a little script to get all subscriptions that account has access to (hopefully using some kind of tenant-wide read-permission user), then get all role assignments for each subscription, do whatever you need to do to get the groups, and get the members for each group. Then write it all out to files.
The PowerShell commands you want to look into are: Get-AzSubscription, Get-AzRoleAssignment, Get-AzADGroup, Get-AzADUser.
Other options include the Azure Resource Manager REST API, or some other AzureRM library, to write an application that does the same.
Hopefully that gets you started.
UPDATE
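As an added example (not code from the question or the answer above), here is one way to carry the answer's steps through end to end while also handling the case the answer does not mention: nested groups. Get-AzADGroupMember returns direct members only, so a user who holds Owner through "Group B", which is itself a member of the assigned "Group A", is invisible unless you recurse. Get-GroupUserMembers is a hypothetical helper name introduced here; the script assumes Az.Accounts and Az.Resources are installed, that the signed-in account can read role assignments on each subscription and read directory group membership, and that member objects expose UserPrincipalName for users (older Az.Resources expose the kind as Type, Graph-based versions as OdataType, so both are checked).

```powershell
# Added example: effective (transitive) user membership for each RBAC group principal.
# Get-GroupUserMembers is a hypothetical helper; it walks nested groups and guards against cycles.
function Get-GroupUserMembers {
    param(
        [Parameter(Mandatory)][string]$GroupObjectId,
        [System.Collections.Generic.HashSet[string]]$Visited = [System.Collections.Generic.HashSet[string]]::new()
    )
    # A group already on the path (A contains B contains A) or already expanded is skipped
    if (-not $Visited.Add($GroupObjectId)) { return }

    foreach ($member in Get-AzADGroupMember -GroupObjectId $GroupObjectId) {
        # Older Az.Resources: .Type = 'Group'; Graph-based Az.Resources: .OdataType = '#microsoft.graph.group'
        $isGroup = ($member.Type -eq 'Group') -or ($member.OdataType -eq '#microsoft.graph.group')
        if ($isGroup) {
            Get-GroupUserMembers -GroupObjectId $member.Id -Visited $Visited
        }
        else {
            $member
        }
    }
}

$rows = foreach ($sub in Get-AzSubscription) {
    $null = Set-AzContext -TenantId $sub.TenantId -SubscriptionId $sub.Id -Force

    foreach ($ra in Get-AzRoleAssignment -IncludeClassicAdministrators) {
        # Non-group principals (users, service principals, classic admins) are reported as themselves
        $members = $null
        if ($ra.ObjectType -eq 'Group') {
            $members = @(Get-GroupUserMembers -GroupObjectId $ra.ObjectId)
        }
        # Keep one row for empty groups too, so the assignment itself is never lost from the export
        if (-not $members) { $members = @($null) }

        foreach ($m in $members) {
            $memberUpn = $null; $memberId = $null
            if ($m) { $memberUpn = $m.UserPrincipalName; $memberId = $m.Id }
            [PSCustomObject]@{
                SubscriptionName   = $sub.Name
                SubscriptionId     = $sub.Id
                TenantId           = $sub.TenantId
                Scope              = $ra.Scope
                RoleDefinitionName = $ra.RoleDefinitionName
                PrincipalType      = $ra.ObjectType
                PrincipalName      = $ra.DisplayName
                PrincipalSignIn    = $ra.SignInName
                PrincipalObjectId  = $ra.ObjectId
                MemberUPN          = $memberUpn
                MemberObjectId     = $memberId
            }
        }
    }
}

# Single tenant-wide CSV; filter on PrincipalType -eq 'Group' to review group-granted access only
$rows | Export-Csv -Path .\Export-EffectiveRbac.csv -NoTypeInformation
```

The Visited set is shared across the whole walk of one assignment, which is what stops a membership cycle from recursing forever and also avoids expanding a subgroup twice when it is reachable by two paths. Scope is kept in the output because role assignments inherited from a management group or granted at resource-group level show up with a Scope that is not the subscription itself, and those are the rows a reviewer usually wants to see first.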