Automated Azure Role Assignment Reports via Email - Azure Automation

Managing Azure role assignments can be complex. This PowerShell script simplifies the process by generating detailed reports on Azure users, groups, and roles and automatically emailing these reports.

Posted by : on

Category : azure   powershell   guides

:book: Introduction

Azure cloud services management often requires monitoring and auditing user roles and group memberships. This script automates the generation and email distribution of detailed Azure subscription role assignments. It utilizes managed identity for Azure login, fetches role assignments, and compiles them into a comprehensive report sent via email.

:arrow_down: How to get it

You can download the script from the following links:

:classical_building: Argument List

Parameter Alias ValueFromPipeline Type Description
EmailUsername     String The username used to authenticate with the SMTP server.
EmailPassword     SecureString The secure password used for SMTP authentication.
From     String The email address from which the report will be sent.
To     Array Array of recipient email addresses to whom the report will be sent.
Cc     Array Array of CC recipient email addresses.
Subject     String The subject line of the email.
Body     String The body text of the email, describing the contents of the report. Can be HTML or plain text.
SMTPServer     String The SMTP server used for sending the email.
SubscriptionIds     Array Array of Azure subscription IDs to be included in the report.
WhatIf     Switch A switch to simulate the script execution for testing purposes without performing any actual operations.

:key: Configuring Permissions for Managed Identity

To enable the PowerShell script to retrieve detailed user information, such as ObjectType and DisplayName from Azure Active Directory, the UserManagedIdentity needs the “Directory Readers” permission. This role-based access control (RBAC) is assigned at the Microsoft Entra ID level (formerly known as Azure Active Directory), not at the subscription level. Follow these steps to assign the correct permissions:

  1. Identify the Object ID:
    • System Assigned Identity
      • Navigate to your Azure Automation Account -> Identity, select the System assigned tab. Copy the Object ID of the System Assigned identity.
        Copy the System assigned Identity Object ID
    • User Assigned Identity
      • Navigate to your Azure Automation Account -> Identity, select the User assigned tab. Click on the name of the user assigned identity you want to gather the id from. Copy the Object ID of the User Assigned identity.
        Copy the System assigned Identity Object ID
        Gather the Object ID from the User Managed Identity
  2. Set Azure role assignments
    • Select Azure role assignments
    • Select Add role assignment
    • Set the scope to: Subscription
    • Select the subscription.
    • Set the role to (use what your company allows here, this is just what I used in my testing): Reader
      Subscription reader RBAC permission
  3. Assign the Role:
    • Open Microsoft Entra Id -> Roles and Administrators.
      Azure Portal - Roles and Administrators
    • In the roles list, find and click on Directory Readers.
      Where to click for Add assignments
    • Click + Add Assignments to start the role assignment process.
  4. Add Managed Identity to Role:
    • In the assignment interface, you might not see app registrations or managed identities by default.
    • Paste the Object ID (from step 1) into the search field. This should display the name and ID of your Azure Automation Account.
    • Select your account and confirm the assignment.
      How to add a object id for assignment
  5. Verify Permissions:
    • Once the “Directory Readers” permission is assigned, the script will be able to pull the Object Type and DisplayName along with other outputs from Get-AzRoleAssignment.

This configuration is essential for the script to function correctly and securely access the necessary Azure AD data!

:page_with_curl: How to use it

In order to utilize this script in your Automation Runbook, you will need to set an encrypted variable inside of the Automation Account. This will be so we can pass the EmailPassword variable securely to the script. The script has the ability to gather this password automatically if you perform the following steps.

  1. Go to Automation Accounts -> Select the Automation Account -> Variables.
  2. Click + Add a variable
  3. New Variable
    • Name: EmailPassword
    • Description: This is the password for the Email Account used in SMTP for an Azure Automation Runbook.
    • Type: String
    • Value: <YourPassword>
    • Encrypted: Yes
      Encrypted Variables Azure Automation Account

Leave some feedback if this helped you! :v:

Page Views


Share on:
About Blake Drumm
Blake Drumm

I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Email :

Website :

About Blake Drumm

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post atleast once a month if possible.

Follow @blakedrumm
Categories
  • powershell
  • projects
  • operationsManager
  • troubleshooting
  • guides
  • certificates
  • linux
  • security
  • azure
    • Useful Links
  • Home
  • About
  • Blog
  • Contact