Get-AzKeyVaultRoleAssignment

Get or list role assignments of a managed HSM. Use respective parameters to list assignments to a specific user or a role definition.

Syntax

Get-AzKeyVaultRoleAssignment
   [-HsmName] <String>
   [-Scope <String>]
   [-RoleDefinitionName <String>]
   [-RoleDefinitionId <String>]
   [-ObjectId <String>]
   [-SignInName <String>]
   [-ApplicationId <String>]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
Get-AzKeyVaultRoleAssignment
   [-HsmName] <String>
   [-Scope <String>]
   -RoleAssignmentName <String>
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Description

Use the Get-AzKeyVaultRoleAssignment command to list all role assignments that are effective on a scope. Without any parameters, this command returns all the role assignments made under the managed HSM. This list can be filtered using filtering parameters for principal, role and scope. The subject of the assignment must be specified. To specify a user, use SignInName or Microsoft Entra ObjectId parameters. To specify a security group, use Microsoft Entra ObjectId parameter. And to specify a Microsoft Entra application, use ApplicationId or ObjectId parameters. The role that is being assigned must be specified using the RoleDefinitionName or RoleDefinitionId parameter. The scope at which access is being granted may be specified. It defaults to "/".

The cmdlet may call below Microsoft Graph API according to input parameters:

  • GET /directoryObjects/{id}
  • GET /users/{id}
  • GET /servicePrincipals/{id}
  • GET /groups/{id}

Examples

Example 1

Get-AzKeyVaultRoleAssignment -HsmName myHsm

RoleDefinitionName         DisplayName                      ObjectType Scope
------------------         -----------                      ---------- -----
Managed HSM Administrator  User 1 ([email protected])     User       /
Managed HSM Crypto Auditor User 2 ([email protected])     User       /keys
Managed HSM Backup         User 2 ([email protected])     User       /
Managed HSM Administrator  User 2 ([email protected])     User       /

This example lists all role assignments of "myHsm" on all the scope.

Example 2

Get-AzKeyVaultRoleAssignment -HsmName myHsm -SignInName [email protected] -Scope "/keys"

RoleDefinitionName         DisplayName                      ObjectType Scope
------------------         -----------                      ---------- -----
Managed HSM Crypto Auditor User 1 ([email protected])     User       /keys
Managed HSM Backup         User 1 ([email protected])     User       /keys

This example lists all role assignments of "myHsm" on "/keys" scope and filters the result by user sign-in name.

Parameters

-ApplicationId

The app SPN.

Type:String
Aliases:SPN, ServicePrincipalName
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-HsmName

Name of the HSM.

Type:String
Position:1
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-ObjectId

The user or group object id.

Type:String
Aliases:Id, PrincipalId
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-RoleAssignmentName

Name of the role assignment.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-RoleDefinitionId

Role Id the principal is assigned to.

Type:String
Aliases:RoleId
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-RoleDefinitionName

Name of the RBAC role to assign the principal with.

Type:String
Aliases:RoleName
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Scope

Scope at which the role assignment or definition applies to, e.g., '/' or '/keys' or '/keys/{keyName}'. '/' is used when omitted.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SignInName

The user SignInName.

Type:String
Aliases:Email, UserPrincipalName
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

None

Outputs

PSKeyVaultRoleAssignment