Edit

Share via


Get-AzKeyVaultRoleAssignment

Get or list role assignments of a managed HSM. Use respective parameters to list assignments to a specific user or a role definition.

Syntax

List (Default)

Get-AzKeyVaultRoleAssignment
    [-HsmName] <String>
    [-Scope <String>]
    [-RoleDefinitionName <String>]
    [-RoleDefinitionId <String>]
    [-ObjectId <String>]
    [-SignInName <String>]
    [-ApplicationId <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

GetByName

Get-AzKeyVaultRoleAssignment
    [-HsmName] <String>
    -RoleAssignmentName <String>
    [-Scope <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

Description

Use the Get-AzKeyVaultRoleAssignment command to list all role assignments that are effective on a scope. Without any parameters, this command returns all the role assignments made under the managed HSM. This list can be filtered using filtering parameters for principal, role and scope. The subject of the assignment must be specified. To specify a user, use SignInName or Microsoft Entra ObjectId parameters. To specify a security group, use Microsoft Entra ObjectId parameter. And to specify a Microsoft Entra application, use ApplicationId or ObjectId parameters. The role that is being assigned must be specified using the RoleDefinitionName or RoleDefinitionId parameter. The scope at which access is being granted may be specified. It defaults to "/".

The cmdlet may call below Microsoft Graph API according to input parameters:

  • GET /directoryObjects/{id}
  • GET /users/{id}
  • GET /servicePrincipals/{id}
  • GET /groups/{id}

Examples

Example 1

Get-AzKeyVaultRoleAssignment -HsmName myHsm
RoleDefinitionName         DisplayName                      ObjectType Scope
------------------         -----------                      ---------- -----
Managed HSM Administrator  User 1 (user1@microsoft.com)     User       /
Managed HSM Crypto Auditor User 2 (user2@microsoft.com)     User       /keys
Managed HSM Backup         User 2 (user2@microsoft.com)     User       /
Managed HSM Administrator  User 2 (user2@microsoft.com)     User       /

This example lists all role assignments of "myHsm" on all the scope.

Example 2

Get-AzKeyVaultRoleAssignment -HsmName myHsm -SignInName user1@microsoft.com -Scope "/keys"
RoleDefinitionName         DisplayName                      ObjectType Scope
------------------         -----------                      ---------- -----
Managed HSM Crypto Auditor User 1 (user1@microsoft.com)     User       /keys
Managed HSM Backup         User 1 (user1@microsoft.com)     User       /keys

This example lists all role assignments of "myHsm" on "/keys" scope and filters the result by user sign-in name.

Parameters

-ApplicationId

The app SPN.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:SPN, ServicePrincipalName

Parameter sets

List
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Parameter properties

Type:IAzureContextContainer
Default value:None
Supports wildcards:False
DontShow:False
Aliases:AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-HsmName

Name of the HSM.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:1
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ObjectId

The user or group object id.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Id, PrincipalId

Parameter sets

List
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-RoleAssignmentName

Name of the role assignment.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

GetByName
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-RoleDefinitionId

Role Id the principal is assigned to.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:RoleId

Parameter sets

List
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-RoleDefinitionName

Name of the RBAC role to assign the principal with.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:RoleName

Parameter sets

List
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Scope

Scope at which the role assignment or definition applies to, e.g., '/' or '/keys' or '/keys/{keyName}'. '/' is used when omitted.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignInName

The user SignInName.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Email, UserPrincipalName

Parameter sets

List
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

None

Outputs

PSKeyVaultRoleAssignment