Use the Get-AzKeyVaultRoleAssignment command to list all role assignments that are effective on a scope.
Without any parameters, this command returns all the role assignments made under the managed HSM.
This list can be filtered using filtering parameters for principal, role and scope.
The subject of the assignment must be specified.
To specify a user, use the SignInName or Microsoft Entra ObjectId parameter.
To specify a security group, use the Microsoft Entra ObjectId parameter.
To specify a Microsoft Entra application, use the ApplicationId or ObjectId parameter.
The role that is being assigned must be specified using the RoleDefinitionName or RoleDefinitionId parameter.
The scope at which access is being granted may be specified. It defaults to "/".
The cmdlet may call the following Microsoft Graph APIs, depending on the input parameters:
GET /directoryObjects/{id}
GET /users/{id}
GET /servicePrincipals/{id}
GET /groups/{id}
Examples
Example 1
Get-AzKeyVaultRoleAssignment -HsmName myHsm
RoleDefinitionName         DisplayName                  ObjectType Scope
------------------         -----------                  ---------- -----
Managed HSM Administrator  User 1 (user1@microsoft.com) User       /
Managed HSM Crypto Auditor User 2 (user2@microsoft.com) User       /keys
Managed HSM Backup         User 2 (user2@microsoft.com) User       /
Managed HSM Administrator  User 2 (user2@microsoft.com) User       /
This example lists all role assignments of "myHsm" across all scopes.
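As an added example (not part of this cmdlet's documentation or of the Az.KeyVault module), the listing above can feed a least-privilege review that reports principals holding sensitive roles at the root scope "/". The function name Find-BroadHsmAssignment, the $SensitiveRoles list and the sample objects are assumptions made for illustration.

```powershell
# Added example. Find-BroadHsmAssignment and $SensitiveRoles are hypothetical names,
# not part of Az.KeyVault.
function Find-BroadHsmAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Assignment,
        # Assumption: the roles your own review policy treats as high impact.
        [string[]] $SensitiveRoles = @('Managed HSM Administrator', 'Managed HSM Backup')
    )
    begin { $all = [System.Collections.Generic.List[psobject]]::new() }
    process { $all.Add($Assignment) }
    end {
        # Grouped on DisplayName because that is the principal column shown on this page.
        $all | Group-Object -Property DisplayName | ForEach-Object {
            $group = $_
            # A sensitive role assigned at scope "/" is effective on the whole managed HSM.
            $rootSensitive = @($group.Group | Where-Object {
                $_.Scope -eq '/' -and $_.RoleDefinitionName -in $SensitiveRoles
            })
            if ($rootSensitive.Count -gt 0) {
                [pscustomobject]@{
                    Principal        = $group.Name
                    ObjectType       = $group.Group[0].ObjectType
                    SensitiveAtRoot  = ($rootSensitive.RoleDefinitionName | Sort-Object -Unique) -join ', '
                    TotalAssignments = $group.Count
                    # Several sensitive root roles on one principal: check separation of duties.
                    Stacked          = $rootSensitive.Count -gt 1
                }
            }
        }
    }
}

# Constructed sample with the same columns and rows as the Example 1 output; runs offline.
$sample = @(
    [pscustomobject]@{ RoleDefinitionName = 'Managed HSM Administrator'; DisplayName = 'User 1 (user1@microsoft.com)'; ObjectType = 'User'; Scope = '/' }
    [pscustomobject]@{ RoleDefinitionName = 'Managed HSM Crypto Auditor'; DisplayName = 'User 2 (user2@microsoft.com)'; ObjectType = 'User'; Scope = '/keys' }
    [pscustomobject]@{ RoleDefinitionName = 'Managed HSM Backup'; DisplayName = 'User 2 (user2@microsoft.com)'; ObjectType = 'User'; Scope = '/' }
    [pscustomobject]@{ RoleDefinitionName = 'Managed HSM Administrator'; DisplayName = 'User 2 (user2@microsoft.com)'; ObjectType = 'User'; Scope = '/' }
)
$sample | Find-BroadHsmAssignment | Format-Table -AutoSize

# Live use (needs Az.KeyVault and a signed-in Azure context):
# Get-AzKeyVaultRoleAssignment -HsmName myHsm | Find-BroadHsmAssignment
```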
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters.