How do I programmatically get list of identities with read access (AAD) to an Azure resource, for ex. a blob container?

I've explored Microsoft Graph APIs but could not find such a capability. Am I looking into the right direction?

  • Do you want to list out the user-assigned managed identities with read access? – Nov 30 '21 at 03:30
  • Managed identities and users/groups. The ultimate goal is to assign the reader role to a specific user. – Elena Zgherea Nov 30 '21 at 03:49
  • If you want your program to assign "role access" to a user so that he can use the account to sign in to the Azure portal and access the specific Azure resource, I'm afraid that there's no such API. If you want your program to have the ability to access some Azure resources, and you want some of the users who have enough role to access those resources in your program, you need to create your own role management module to achieve your goal, as the Graph API doesn't have this kind of feature... – Tiny Wang Nov 30 '21 at 05:56

1 Answer

There are 4 ways to list or read user-assigned managed identities: the Azure Portal, PowerShell, the CLI and the Azure REST API.

In order to list or read them, your account's assigned role should be Managed Identity Operator or Managed Identity Contributor.

REST API (programmatically, over HTTP)

GET https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities?api-version=2015-08-31-preview HTTP/1.1

You can call the REST API programmatically from C# by following the steps in the article "How to securely connect to Azure from C# and run REST APIs" and this SO thread.

This Microsoft documentation helps you assign the Reader role, or any other access role, to a system-assigned managed identity or a user-assigned managed identity.

To list all the role assignments for a specified user in a subscription, refer here.
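As an added example (not code from the question, the comments or the answer): a Python helper that builds the Azure RBAC role-assignment query for a blob container scope and picks out the principals that hold a read role from the response. It assumes the Microsoft.Authorization roleAssignments API with $filter=atScope() and the well-known built-in role GUIDs for Reader and Storage Blob Data Reader; the sample response is constructed, and fetching the real one with a bearer token is left to the caller.

```python
# Built-in role definition GUIDs that grant read access; assumed well-known IDs, not from the page.
# Reader is a control-plane role (sees the container resource); Storage Blob Data Reader is the
# data-plane role that actually allows reading blobs. Owner/Contributor-style roles also grant
# read via wildcard actions, so extend this set for a complete access review.
READ_ROLE_IDS = {
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1": "Storage Blob Data Reader",
}

def role_assignments_url(scope: str) -> str:
    """ARM request listing role assignments effective at `scope`. $filter=atScope() also
    returns assignments inherited from the resource group, subscription and management
    group, which matter when asking 'who can read this container'."""
    return (f"https://management.azure.com{scope}/providers/Microsoft.Authorization/"
            "roleAssignments?api-version=2022-04-01&$filter=atScope()")

def readers_from_response(body: dict) -> list:
    """Return (principalId, principalType, roleName, scope) for every read-granting assignment."""
    found = []
    for ra in body.get("value", []):
        props = ra["properties"]
        # roleDefinitionId is a full ARM path; the GUID is its last segment
        role_id = props["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        if role_id in READ_ROLE_IDS:
            found.append((props["principalId"], props.get("principalType", "Unknown"),
                          READ_ROLE_IDS[role_id], props["scope"]))
    return found

# Constructed sample response (not a real capture); subscription, principal and custom-role IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
CONTAINER = SUB + "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/acct1/blobServices/default/containers/logs"
ROLE_DEF = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
SAMPLE = {"value": [
    {"properties": {"principalId": "aaaaaaaa-0000-4000-8000-000000000001", "principalType": "ServicePrincipal",
                    "roleDefinitionId": ROLE_DEF + "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", "scope": CONTAINER}},
    {"properties": {"principalId": "bbbbbbbb-0000-4000-8000-000000000002", "principalType": "User",
                    "roleDefinitionId": ROLE_DEF + "acdd72a7-3385-48ef-bd42-f606fba81ae7", "scope": SUB}},
    {"properties": {"principalId": "cccccccc-0000-4000-8000-000000000003", "principalType": "Group",
                    "roleDefinitionId": ROLE_DEF + "11111111-1111-1111-1111-111111111111", "scope": CONTAINER}},
]}

if __name__ == "__main__":
    print("GET", role_assignments_url(CONTAINER))
    for principal, kind, role, scope in readers_from_response(SAMPLE):
        print(f"{kind} {principal} has {role} (granted at {scope})")
```

The managed identity shows up as a ServicePrincipal assignment on the container itself, while the user's Reader role is inherited from the subscription scope, which a query without atScope() would miss.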