Programmatically retrieve all the owners from an Azure subscription


I want to retrieve all the Owners of an Azure subscription programmatically. I don't want to do it using PowerShell.

I came to know that we can achieve this using the Azure Management REST API, but I could not find the exact API reference to retrieve the owner list from an Azure subscription.

Can someone please help me with this?

1

There are 1 best solutions below

1
On BEST ANSWER

REST APIs

You should be able to get that information using the Microsoft.Authorization/roleAssignments REST API.

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01&$filter={filter}

In your case, since you're looking for Owners at the subscription level, {scope} will be subscriptions/{subscriptionId}

Also,

  • Once you get the response, it will contain Role Definition IDs instead of exact names. For all Built-in Roles, you can know which Role it is beforehand by visiting this Microsoft documentation. E.g. the ID for the Owner role is "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

  • To find the IDs for all possible Role Definitions as part of the response, you can use the Role Definitions - List REST API

Helpful Documentation

Read through this Microsoft Documentation which gives details on how to List out, Grant Access or Remove Access using RBAC and REST API : Manage Access Using RBAC and REST API

UPDATE (Samples and API to get to Classic Administrators as well)

I ran a few samples using my trial subscription. Here are the requests and responses.

  1. To find all the users who have been explicitly assigned "Owner" role at the subscription level

    Request:

    GET https://management.azure.com/subscriptions/{my subscription GUID}/providers/Microsoft.Authorization/roleAssignments?api-version=2018-01-01-preview 
    

    Response:

    NOTICE that the Role Definition Id in the response is "8e3af657-a8ff-443c-a75c-2fe8c4bcb635". This corresponds to the built-in Owner role.

    {"value":[{"properties":{"roleDefinitionId":"/subscriptions/{my Subscription GUID}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635","principalId":"{some user GUID}","principalType":"User","scope":"/subscriptions/{my Subscription GUID}","createdOn":"2018-10-03T05:12:52.7213301Z","updatedOn":"2018-10-03T05:12:52.7213301Z","createdBy":"GUID","updatedBy":"GUID"},"id":"/subscriptions/{my Subscription GUID}/providers/Microsoft.Authorization/roleAssignments/83eee76b-4a0d-4f61-8c62-409501e95457","type":"Microsoft.Authorization/roleAssignments","name":"83eee76b-4a0d-4f61-8c62-409501e95457"}]}

  2. To find all the users who are Owners by virtue of being Classic Administrators (this is relevant for accounts that sign up for a subscription, but haven't been explicitly assigned the Owner role using Azure portal RBAC)

    Request: Notice classicAdministrators at the end of URL and the API Version is an old one 2015-06-01

    GET https://management.azure.com/subscriptions/6f070baf-bbba-47a5-bbe4-a0450017cdf5/providers/Microsoft.Authorization/classicAdministrators?api-version=2015-06-01

    Response: Notice role is ServiceAdministrator;AccountAdministrator

    {"value":[{"properties":{"emailAddress":"[email protected]","role":"ServiceAdministrator;AccountAdministrator"},"id":"/subscriptions/{mysubscriptionguid}/providers/Microsoft.Authorization/classicAdministrators/00030000B1F89CF0","type":"Microsoft.Authorization/classicAdministrators","name":"00030000B1F89CF0"}]}
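
The filtering this answer describes, as an added Python example that is not part of the original answer: it builds the two list URLs, keeps role assignments whose role definition ends in the Owner GUID (optionally only those made exactly at the subscription scope, since the list can also contain narrower scopes), and splits the classic administrators' role string. The function names, the caller-supplied bearer token, the `nextLink` paging check and the sample data are assumptions made for this example.

```python
import json
import urllib.request

OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # built-in Owner, per the answer
def list_urls(subscription_id):
    """The two list endpoints used in the answer, for one subscription."""
    base = f"https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Authorization"
    return (f"{base}/roleAssignments?api-version=2018-01-01-preview",
            f"{base}/classicAdministrators?api-version=2015-06-01")

def fetch_all(url, token):
    """GET a list endpoint; token is a caller-supplied bearer token (assumption)."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items += page.get("value", [])
        url = page.get("nextLink")  # follow paging only if the response carries it
    return items

def rbac_owners(assignments, scope=None):
    """Owner assignments; if scope is given, only those made exactly at it."""
    owners = []
    for a in assignments:
        p = a["properties"]
        role_guid = p["roleDefinitionId"].rstrip("/").rsplit("/", 1)[-1].lower()
        if role_guid == OWNER_ROLE_ID and scope in (None, p["scope"]):
            owners.append((p["principalId"], p.get("principalType"), p["scope"]))
    return owners

def classic_admins(admins):
    """(email, [roles]) per classic administrator; roles arrive ';'-joined."""
    return [(a["properties"]["emailAddress"], a["properties"]["role"].split(";"))
            for a in admins]

# Constructed sample data shaped like the responses in the answer (not real accounts).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RD = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
SAMPLE_ASSIGNMENTS = [
    {"properties": {"roleDefinitionId": RD + OWNER_ROLE_ID, "principalId": "user-1",
                    "principalType": "User", "scope": SUB}},
    {"properties": {"roleDefinitionId": RD + "00000000-0000-0000-0000-000000000001",
                    "principalId": "user-2", "principalType": "User", "scope": SUB}},
    {"properties": {"roleDefinitionId": RD + OWNER_ROLE_ID.upper(), "principalId": "group-1",
                    "principalType": "Group", "scope": SUB + "/resourceGroups/rg1"}},
]
SAMPLE_CLASSIC = [{"properties": {"emailAddress": "admin@example.com",
                                  "role": "ServiceAdministrator;AccountAdministrator"}}]
```

Against a live subscription, pass each URL from `list_urls` to `fetch_all` and feed the results to `rbac_owners` and `classic_admins`; the `principalId` values still need to be resolved to names separately.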