
Fetch all azure resource PIM roles in full details

BANERJEE, SUBHAM 0 Reputation points
2026-04-30T11:25:52.3566667+00:00

How to fetch all active + permanent PIM roles assigned to Azure resources at management group, resource group and resource level with the help of PowerShell. I need to remove all active + permanent accounts to Eligible assignments except service principals, service accounts and break-glass accounts.

Azure Role-based access control

An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.


2 answers

  1. VEMULA SRISAI 13,140 Reputation points Microsoft External Staff Moderator
    2026-04-30T11:59:21.6466667+00:00

    Hello BANERJEE, SUBHAM,

    To fetch all Azure resource role assignments in full detail, there is no single cmdlet that returns everything together. For Azure resource PIM, you need to combine:

    • Get-AzRoleAssignment → regular Azure RBAC active / permanent assignments
    • Get-AzRoleAssignmentSchedule → PIM active assignments
    • Get-AzRoleEligibilitySchedule → PIM eligible assignments.

    Also, if your requirement is to cover management group, resource group, and resource level, you must query each scope separately. A management group scope query returns assignments at the management group scope, but to collect assignments below it, you need to loop through the child subscriptions / RGs / resources and run the same cmdlets for each scope. The PIM schedule cmdlets support Azure resource scopes, including management group and resource scopes.

    1. Get all standing active assignments using Get-AzRoleAssignment
    2. Get all PIM active assignments using Get-AzRoleAssignmentSchedule
    3. Get all PIM eligible assignments using Get-AzRoleEligibilitySchedule
    4. Filter out service principals / managed identities / break-glass / service accounts before remediation. Microsoft documents that eligible assignments cannot be created for applications, service principals, or managed identities.
    ```powershell
    # Example scopes
    $scopes = @(
        "/providers/Microsoft.Management/managementGroups/<mgId>",
        "/subscriptions/<subId>",
        "/subscriptions/<subId>/resourceGroups/<rgName>",
        "/subscriptions/<subId>/resourceGroups/<rgName>/providers/<RP>/<type>/<name>"
    )
    $result = foreach ($scope in $scopes) {
        # Permanent / active RBAC
        Get-AzRoleAssignment -Scope $scope | Select-Object `
            @{N='Source';E={'RBAC'}},
            Scope,
            RoleDefinitionName,
            RoleDefinitionId,
            ObjectId,
            ObjectType,
            DisplayName,
            SignInName
        # PIM Active
        Get-AzRoleAssignmentSchedule -Scope $scope | Select-Object `
            @{N='Source';E={'PIM-Active'}},
            Scope,
            RoleDefinitionId,
            PrincipalId,
            PrincipalType,
            StartDateTime,
            EndDateTime,
            @{N='RoleDefinitionName';E={$_.ExpandedProperties.RoleDefinition.DisplayName}},
            @{N='DisplayName';E={$_.ExpandedProperties.Principal.DisplayName}}
        # PIM Eligible
        Get-AzRoleEligibilitySchedule -Scope $scope | Select-Object `
            @{N='Source';E={'PIM-Eligible'}},
            Scope,
            RoleDefinitionId,
            PrincipalId,
            PrincipalType,
            StartDateTime,
            EndDateTime,
            @{N='RoleDefinitionName';E={$_.ExpandedProperties.RoleDefinition.DisplayName}},
            @{N='DisplayName';E={$_.ExpandedProperties.Principal.DisplayName}}
    }
    $result | Export-Csv .\AzureResourcePIMRoles.csv -NoTypeInformation
    ```


    If you want to convert active/permanent assignments to Eligible

    The supported method is:

    • create an eligible assignment using New-AzRoleEligibilityScheduleRequest
    • then remove the existing standing assignment. For active PIM assignments, removal is done through New-AzRoleAssignmentScheduleRequest -RequestType AdminRemove.

    Important note:

    Please do this in audit mode first, because PIM policy may restrict whether permanent eligible assignments are allowed, and you should keep service principals, managed identities, service accounts, and break-glass accounts excluded from conversion.

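The audit-first procedure in the answer above (collect standing assignments per scope, exclude service principals, service accounts and break-glass accounts, create the eligible assignment, then remove the standing one), written out as an added example that is not the answer's own code. It assumes Az.Accounts and Az.Resources are installed, Connect-AzAccount has been run with User Access Administrator rights, and the placeholder ids and naming pattern are replaced; run it with -WhatIf to get only the CSV report.

```powershell
# Added example (not the answer's own code): audit-first conversion of standing RBAC assignments
# to PIM eligible assignments. Assumes Az.Accounts and Az.Resources are installed, Connect-AzAccount
# has been run with User Access Administrator rights, and the placeholder ids below are replaced.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ManagementGroupIds  = @('<mgId>'),          # placeholder: management groups to cover
    [string[]]$BreakGlassObjectIds = @('<objectId>'),      # placeholder: break-glass account object ids
    [string]$ServiceAccountPattern = '^svc-',              # placeholder: service-account naming convention
    [string]$ReportPath = '.\standing-assignments.csv'
)

# 1. Collect standing assignments at management group, subscription, resource group and resource scope.
$standing = [System.Collections.Generic.List[object]]::new()
foreach ($mg in $ManagementGroupIds) {
    $mgScope = "/providers/Microsoft.Management/managementGroups/$mg"
    # -Scope also returns assignments inherited from parents; keep only those defined at this scope.
    Get-AzRoleAssignment -Scope $mgScope | Where-Object { $_.Scope -eq $mgScope } | ForEach-Object { $standing.Add($_) }
}
foreach ($sub in Get-AzSubscription) {
    # -WhatIf:$false so an audit run still switches context and reads every subscription.
    Set-AzContext -Subscription $sub.Id -WhatIf:$false | Out-Null
    # With no -Scope the cmdlet lists every assignment in the subscription, including RG and resource
    # scopes; drop the ones inherited from management groups so they are not counted twice.
    Get-AzRoleAssignment | Where-Object { $_.Scope -like '/subscriptions/*' } | ForEach-Object { $standing.Add($_) }
}

# 2. Exclude principals that must stay active. ObjectType 'Unknown' (principal could not be resolved,
#    e.g. no Graph permission) is also left untouched rather than guessed at.
$candidates = $standing | Where-Object {
    ($_.ObjectType -in 'User', 'Group') -and
    ($_.ObjectId -notin $BreakGlassObjectIds) -and
    ($_.SignInName -notmatch $ServiceAccountPattern) -and
    ($_.DisplayName -notmatch $ServiceAccountPattern)
}
$candidates | Select-Object Scope, RoleDefinitionName, ObjectType, DisplayName, SignInName, ObjectId |
    Export-Csv $ReportPath -NoTypeInformation -WhatIf:$false

# 3. Convert: create the eligible assignment first, then remove the standing one (-WhatIf = audit only).
foreach ($a in $candidates) {
    $target = "$($a.DisplayName) as $($a.RoleDefinitionName) at $($a.Scope)"
    if ($PSCmdlet.ShouldProcess($target, 'Convert standing assignment to PIM eligible')) {
        # Assumption: Get-AzRoleAssignment reports the role definition as a bare GUID, while the PIM
        # cmdlet expects the full resource id of the (built-in) role definition.
        $roleDefId = "/providers/Microsoft.Authorization/roleDefinitions/$($a.RoleDefinitionId)"
        New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid -Scope $a.Scope -PrincipalId $a.ObjectId `
            -RoleDefinitionId $roleDefId -RequestType AdminAssign -ExpirationType NoExpiration `
            -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() | Out-Null
        Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionId $a.RoleDefinitionId -Scope $a.Scope
    }
}
```

If the PIM role setting for a scope does not allow permanent eligible assignments, the AdminAssign request fails and the standing assignment is left in place, so check the CSV against the requests that succeeded before re-running.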

  2. AI answer

    2026-04-30T11:26:35.9533333+00:00

    Use a combination of Azure RBAC and PIM PowerShell cmdlets to:

    1. list all active permanent assignments on Azure resources at all scopes, and
    2. convert them to eligible/time-bound while excluding service principals, service accounts, and break-glass accounts.

    Below is a pattern based only on what is documented in the provided context.

    1. Discover all PIM-based eligible and time‑bound assignments

    Use the PIM schedule cmdlets to list all eligible and active time‑bound assignments per scope (management group, subscription, resource group, resource):

    ```powershell
    # Example: list eligible and time‑bound assignments at subscription scope
    $subscriptionId = '<subscriptionId>'

    # Eligible (permanent + time‑bound)
    $eligible = Get-AzRoleEligibilitySchedule -Scope "/subscriptions/$subscriptionId"

    # Active time‑bound
    $activeTimeBound = Get-AzRoleAssignmentSchedule -Scope "/subscriptions/$subscriptionId" |
        Where-Object { $_.EndDateTime -ne $null }

    # Wrap each side in @() so a single (non-array) result still concatenates
    $allPimAssignments = @($eligible) + @($activeTimeBound)
    ```


    Repeat with the appropriate -Scope for:

    • Management group: /providers/Microsoft.Management/managementGroups/<group_id>
    • Resource group: /subscriptions/<subscriptionId>/resourceGroups/<rgName>
    • Individual resource scopes as needed.

    This pattern follows the documented example:

    ```powershell
    Get-AzRoleEligibilitySchedule -Scope /subscriptions/<subscriptionId>
    Get-AzRoleAssignmentSchedule -Scope /subscriptions/<subscriptionId> | Where-Object {$_.EndDateTime -ne $null }
    ```


    2. Export all PIM role assignments (including children) for audit

    If using PIM for Azure resources, export all active and eligible assignments including child scopes from the Entra admin center:

    1. Sign in to the Microsoft Entra admin center.
    2. Go to ID Governance > Privileged Identity Management > Azure resources.
    3. Select the management group or subscription.
    4. Select Assignments.
    5. Select Export > Export all members to get a CSV of all active and eligible assignments for that scope and all child resource groups/resources.

    This CSV can be filtered to identify:

    • Active permanent assignments (standard Azure RBAC without PIM).
    • PIM eligible and time‑bound assignments.

    3. List all Azure RBAC role assignments (active permanent)

    Use Get-AzRoleAssignment to list all RBAC assignments (including inherited) at each scope:

    ```powershell
    # All assignments in current subscription
    Get-AzRoleAssignment

    # Subscription scope
    Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId"

    # Management group scope
    Get-AzRoleAssignment -Scope "/providers/Microsoft.Management/managementGroups/<group_id>"

    # Resource group scope
    Get-AzRoleAssignment -ResourceGroupName '<resource_group_name>'
    ```


    These results include active permanent assignments (standard RBAC) and any PIM-created active assignments that are currently in effect.

    4. Identify accounts to convert vs. exclude

    From the combined data (PIM schedules + RBAC assignments):

    1. Filter out principals that must remain active:
      • Service principals.
      • Service accounts.
      • Break‑glass accounts.
    2. The remaining user/group assignments that are:
      • Active permanent (RBAC), or
      • Active time‑bound (PIM),
      are the candidates to convert to eligible.

    5. Convert eligible/time‑bound assignments to active permanent (if needed)

    If the goal is to remove PIM usage and make assignments active permanent, the documented pattern is:

    1. Export all eligible and time‑bound assignments.
    2. Remove eligible assignments using New-AzRoleEligibilityScheduleRequest with AdminRemove.

    Example:

    ```powershell
    $guid = New-Guid
    New-AzRoleEligibilityScheduleRequest -Name $guid `
        -Scope <Scope> `
        -PrincipalId <PrincipalId> `
        -RoleDefinitionId <RoleDefinitionId> `
        -RequestType AdminRemove
    ```

    3. Recreate the same assignments as active permanent using standard Azure RBAC role assignment creation (not shown in the context).

    Important: Removing role assignments can cause disruptions; ensure the impact is understood before running these steps.

    6. Update or remove existing PIM resource role assignments

    For Azure resource roles managed by PIM:

    1. Open Microsoft Entra Privileged Identity Management.
    2. Select Azure resources.
    3. Select the management group, subscription, resource group, or resource.
    4. Under Manage, select Roles and then the specific role.
    5. On Eligible roles or Active roles tabs, locate the assignment.
    6. Update or remove the assignment as needed (for example, to adjust conditions or durations, or to remove active assignments and re‑assign as eligible).

    This UI path is useful to validate or adjust specific assignments after bulk PowerShell work.

    7. Plan which roles must be PIM‑managed

    Use PIM deployment planning guidance to decide which roles must be converted to eligible:

    • Minimize Owner and User Access Administrator assignments.
    • Manage all Subscription Owner and User Access Administrator roles using PIM.
    • Prioritize high‑risk subscriptions/resources for PIM.

    This planning step ensures that after converting active permanent assignments to eligible, the right roles remain protected by PIM.


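Section 1 of the answer above lists eligible and time-bound schedules for one subscription; the added example below (not code from either answer) extends that to several scopes, de-duplicates schedules that overlapping scope queries return twice, and classifies each schedule so the conversion set of section 4 is picked from the data. It assumes Az.Resources is installed, Connect-AzAccount has been run, the placeholder scopes and object ids are replaced, and that the schedule objects expose Id, AssignmentType, PrincipalType and EndDateTime as named.

```powershell
# Added example (not from either answer): inventory PIM schedules across several scopes and classify
# them (eligible vs active, permanent vs time-bound, admin-assigned vs user-activated). Assumes
# Az.Resources is installed, Connect-AzAccount has been run, and the placeholders are replaced.
function Get-PimScheduleInventory {
    param([string[]]$Scopes)
    $seen = @{}   # queries at overlapping scopes return the same schedule more than once; dedupe by Id
    foreach ($scope in $Scopes) {
        $rows = @(
            Get-AzRoleEligibilitySchedule -Scope $scope | ForEach-Object { @{ Kind = 'Eligible'; Item = $_ } }
            Get-AzRoleAssignmentSchedule  -Scope $scope | ForEach-Object { @{ Kind = 'Active';   Item = $_ } }
        )
        foreach ($r in $rows) {
            $item = $r.Item
            if ($seen.ContainsKey($item.Id)) { continue }
            $seen[$item.Id] = $true
            $duration = if ($null -eq $item.EndDateTime) { 'Permanent' } else { 'TimeBound' }
            [pscustomobject]@{
                Kind             = $r.Kind
                Duration         = $duration
                # Active only: 'Activated' = a user activated an eligible role (leave it alone);
                # 'Assigned' = an admin created the active assignment directly.
                AssignmentType   = $item.AssignmentType
                Scope            = $item.Scope
                RoleDefinitionId = $item.RoleDefinitionId
                PrincipalId      = $item.PrincipalId
                PrincipalType    = $item.PrincipalType
                EndDateTime      = $item.EndDateTime
            }
        }
    }
}

# Candidates for conversion: admin-assigned active schedules held by users or groups. Service
# principals and managed identities cannot be made eligible, so they are never selected.
function Get-PimConversionCandidates {
    param([object[]]$Inventory, [string[]]$ExcludedPrincipalIds = @())
    $Inventory | Where-Object {
        $_.Kind -eq 'Active' -and $_.AssignmentType -eq 'Assigned' -and
        $_.PrincipalType -in 'User', 'Group' -and $_.PrincipalId -notin $ExcludedPrincipalIds
    }
}

$scopes = @(                                                   # placeholders: replace with real ids
    '/providers/Microsoft.Management/managementGroups/<mgId>',
    '/subscriptions/<subscriptionId>'
)
$inventory = Get-PimScheduleInventory -Scopes $scopes
$inventory | Export-Csv .\pim-schedule-inventory.csv -NoTypeInformation
$inventory | Group-Object Kind, Duration | Select-Object Name, Count | Format-Table
Get-PimConversionCandidates -Inventory $inventory -ExcludedPrincipalIds @('<breakGlassObjectId>') |
    Format-Table Scope, PrincipalType, PrincipalId, RoleDefinitionId, EndDateTime
```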
