Azure RBAC Roles with PowerShell
![Azure RBAC Roles with PowerShell](https://cn.a-d.site/common-images/azure-rbac-roles/AzureRBACRoles.jpg)
Azure RBAC (role-based access control) roles let you delegate access to the various components of your Azure infrastructure at a very fine-grained level.
You can, for example, delegate the right to manage the virtual networks in a specific resource group, or even a specific VPN.
For a large organisation it makes a lot of sense to delegate access to (only) the relevant parts of the infrastructure to the specialist teams that run them. Even a smaller organisation gains security by limiting the access it grants to, for example, trainees or external consultants.
This article shows you how to use PowerShell to
- list which RBAC roles exist
- list which permissions a specific RBAC role contains
- list all users assigned a specific RBAC role
- list the RBAC roles assigned to a specific user
- list all RBAC roles assigned to all identities
But first, let's look at RBAC roles in the Azure portal.
Managing RBAC roles with the Azure portal
To see which RBAC roles exist, which identities are assigned a role and which permissions a role contains, go to the Azure portal. Select your subscription, click "Access control (IAM)" and then "Roles" to see the full list of RBAC roles:
![Azure RBAC Roles with PowerShell](https://cn.a-d.site/common-images/azure-rbac-roles/RBAC_Roles_01.png)
Clicking any role shows the identities that are currently assigned it:
![Azure RBAC Roles with PowerShell](https://cn.a-d.site/common-images/azure-rbac-roles/RBAC_Roles_Member.png)
Clicking "Permissions" shows which resource providers the role grants permissions on:
![Azure RBAC Roles with PowerShell](https://cn.a-d.site/common-images/azure-rbac-roles/RBAC_Resource_Providers.png)
Finally, clicking an individual resource provider shows the detailed permissions available to the identities that hold this role:
![Azure RBAC Roles with PowerShell](https://cn.a-d.site/common-images/azure-rbac-roles/RBAC_Resource_Permissions.png)
As the screenshots above show, the RBAC role model gives you very fine-grained control over authorization to Azure resources.
Managing RBAC roles with PowerShell
PowerShell is a good way to automate repetitive tasks and to make sure they are done the same way every time. That benefits your RBAC role management too, so let's get started!
Connecting to AzureRM with PowerShell
To manage RBAC roles we use the Azure Resource Manager (AzureRM) module for PowerShell. If this is the first time you use it, install the module and connect to Azure Resource Manager with the following script. Note that Microsoft retired the AzureRM module in 2024; its supported successor is the Az module, and every cmdlet used in this article has a one-to-one equivalent with "Rm" dropped from the noun (Connect-AzAccount, Get-AzRoleDefinition, Get-AzRoleAssignment).
```powershell
# Install the Azure Resource Manager module if this is first use
Install-Module AzureRM
# Add the AzureRM module to the PowerShell session
Import-Module AzureRM
# Connect to Azure (opens an interactive sign-in)
Connect-AzureRmAccount
```
The scripts below assume you already have a connection to AzureRM.
Listing all RBAC roles
To list all RBAC roles, use the following command:
```powershell
Get-AzureRmRoleDefinition | Sort-Object Name | ft Name,Id,Description
```
Formatting the output as a table gives a good overview of the built-in RBAC roles, their IDs and descriptions. The list below is a snapshot; Azure adds built-in roles regularly, so run the command yourself for the current set:
Azure RM roles

| Name | Id | Description |
| --- | --- | --- |
| AcrDelete | c2f4ef07-c644-48eb-af81-4b1b4947fb11 | acr delete |
| AcrImageSigner | 6cef56e8-d556-48e5-a04f-b8e64114680f | acr image signer |
| AcrPull | 7f951dda-4ed3-4680-a7ca-43fe172d538d | acr pull |
| AcrPush | 8311e382-0749-4cb8-b61a-304f252e45ec | acr push |
| AcrQuarantineReader | cdda3590-29a3-44f6-95f2-9f980659eb04 | acr quarantine data reader |
| AcrQuarantineWriter | c8d4ff99-41c3-41a8-9f60-21dfdad59608 | acr quarantine data writer |
| API Management Service Contributor | 312a565d-c81f-4fd8-895a-4e21e48d571c | Can manage service and the APIs |
| API Management Service Operator Role | e022efe7-f5ba-4159-bbe4-b44f577e9b61 | Can manage service but not the APIs |
| API Management Service Reader Role | 71522526-b88f-4d52-b57f-d31fc3546d0d | Read-only access to service and APIs |
| App Configuration Data Owner | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b | Allows full access to App Configuration data. |
| App Configuration Data Reader | 516239f1-63e1-4d78-a4de-a74fb236a071 | Allows read access to App Configuration data. |
| Application Insights Component Contributor | ae349356-3a1b-4a5e-921d-050484c6347e | Can manage Application Insights components |
| Application Insights Snapshot Debugger | 08954f03-6346-4c2e-81c0-ec3a5cfae23b | Gives user permission to use Application Insights Snapshot Debugger features |
| Attestation Contributor | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e | Can read write or delete the attestation provider instance |
| Attestation Reader | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 | Can read the attestation provider properties |
| Automation Job Operator | 4fe576fe-1146-4730-92eb-48519fa6bf9f | Create and Manage Jobs using Automation Runbooks. |
| Automation Operator | d3881f73-407a-4167-8283-e981cbba0404 | Automation Operators are able to start, stop, suspend, and resume jobs |
| Automation Runbook Operator | 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 | Read Runbook properties - to be able to create Jobs of the runbook. |
| Avere Contributor | 4f8fab4f-1852-4a58-a46a-8eaf358af14a | Can create and manage an Avere vFXT cluster. |
| Avere Operator | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 | Used by the Avere vFXT cluster to manage the cluster |
| Azure Connected Machine Onboarding | b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 | Can onboard Azure Connected Machines. |
| Azure Connected Machine Resource Administrator | cd570a14-e51a-42ad-bac8-bafd67325302 | Can read, write, delete and re-onboard Azure Connected Machines. |
| Azure Event Hubs Data Owner | f526a384-b230-433a-b45c-95f59c4a2dec | Allows for full access to Azure Event Hubs resources. |
| Azure Event Hubs Data Receiver | a638d3c7-ab3a-418d-83e6-5f17a39d4fde | Allows receive access to Azure Event Hubs resources. |
| Azure Event Hubs Data Sender | 2b629674-e913-4c01-ae53-ef4638d8f975 | Allows send access to Azure Event Hubs resources. |
| Azure Kubernetes Service Cluster Admin Role | 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 | List cluster admin credential action. |
| Azure Kubernetes Service Cluster User Role | 4abbcc35-e782-43d8-92c5-2d3f1bd2253f | List cluster user credential action. |
| Azure Kubernetes Service Contributor Role | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 | Grants access to read and write Azure Kubernetes Service clusters |
| Azure Maps Data Reader (Preview) | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa | Grants access to read map related data from an Azure maps account. |
| Azure Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade | Azure Sentinel Contributor |
| Azure Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb | Azure Sentinel Reader |
| Azure Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd056 | Azure Sentinel Responder |
| Azure Service Bus Data Owner | 090c5cfd-751d-490a-894a-3ce6f1109419 | Allows for full access to Azure Service Bus resources. |
| Azure Service Bus Data Receiver | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 | Allows for receive access to Azure Service Bus resources. |
| Azure Service Bus Data Sender | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 | Allows for send access to Azure Service Bus resources. |
| Azure Stack Registration Owner | 6f12a6df-dd06-4f3e-bcb1-ce8be600526a | Lets you manage Azure Stack registrations. |
| Backup Contributor | 5e467623-bb1f-42f4-a55d-6e525e11384b | Lets you manage backup service, but can't create vaults and give access to others |
| Backup Operator | 00c29273-979b-4161-815c-10b084fb9324 | Lets you manage backup services, except removal of backup, vault creation and giving … |
| Backup Reader | a795c7a0-d4a2-40c1-ae25-d81f01202912 | Can view backup services, but can't make changes |
| Billing Reader | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 | Allows read access to billing data |
| BizTalk Contributor | 5e3c6656-6cfa-4708-81fe-0de47ac73342 | Lets you manage BizTalk services, but not access to them. |
| Blockchain Member Node Access (Preview) | 31a002a1-acaf-453e-8a5b-297c9ca1ea24 | Allows for access to Blockchain Member nodes |
| Blueprint Contributor | 41077137-e803-4205-871c-5a86e6a753b4 | Can manage blueprint definitions, but not assign them. |
| Blueprint Operator | 437d2ced-4a38-4302-8479-ed2bcb43d090 | Can assign existing published blueprints, but cannot create new blueprints. NOTE: thi… |
| CDN Endpoint Contributor | 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 | Can manage CDN endpoints, but can't grant access to other users. |
| CDN Endpoint Reader | 871e35f6-b5c1-49cc-a043-bde969a0f2cd | Can view CDN endpoints, but can't make changes. |
| CDN Profile Contributor | ec156ff8-a8d1-4d15-830c-5b80698ca432 | Can manage CDN profiles and their endpoints, but can't grant access to other users. |
| CDN Profile Reader | 8f96442b-4075-438f-813d-ad51ab4019af | Can view CDN profiles and their endpoints, but can't make changes. |
| Classic Network Contributor | b34d265f-36f7-4a0d-a4d4-e158ca92e90f | Lets you manage classic networks, but not access to them. |
| Classic Storage Account Contributor | 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 | Lets you manage classic storage accounts, but not access to them. |
| Classic Storage Account Key Operator Service Role | 985d6b00-f706-48f5-a6fe-d0ca12fb668d | Classic Storage Account Key Operators are allowed to list and regenerate keys on Clas… |
| Classic Virtual Machine Contributor | d73bb868-a0df-4d4d-bd69-98a00b01fccb | Lets you manage classic virtual machines, but not access to them, and not the virtual… |
| ClearDB MySQL DB Contributor | 9106cda0-8a86-4e81-b686-29a22c54effe | Lets you manage ClearDB MySQL databases, but not access to them. |
| Cognitive Services Contributor | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 | Lets you create, read, update, delete and manage keys of Cognitive Services. |
| Cognitive Services Data Reader (Preview) | b59867f0-fa02-499b-be73-45a86b5b3e1c | Lets you read Cognitive Services data. |
| Cognitive Services User | a97b65f3-24c7-4388-baec-2e87135dc908 | Lets you read and list keys of Cognitive Services. |
| Contributor | b24988ac-6180-42a0-ab88-20f7382dd24c | Lets you manage everything except access to resources. |
| Cosmos DB Account Reader Role | fbdf93bf-df7d-467e-a4d2-9458aa1360c8 | Can read Azure Cosmos DB Accounts data |
| Cosmos DB Operator | 230815da-be43-4aae-9cb4-875f7bd000aa | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents acces… |
| CosmosBackupOperator | db7b14f2-5adf-42da-9f96-f2ee17bab5cb | Can submit restore request for a Cosmos DB database or a container for an account |
| Cost Management Contributor | 434105ed-43f6-45c7-a02f-909b2ba83430 | Can view costs and manage cost configuration (e.g. budgets, exports) |
| Cost Management Reader | 72fafb9e-0641-4937-9268-a91bfd8191a3 | Can view cost data and configuration (e.g. budgets, exports) |
| Data Box Contributor | add466c9-e687-43fc-8d98-dfcf8d720be5 | Lets you manage everything under Data Box Service except giving access to others. |
| Data Box Reader | 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 | Lets you manage Data Box Service except creating order or editing order details and g… |
| Data Factory Contributor | 673868aa-7521-48a0-acc6-0f60742d39f5 | Create and manage data factories, as well as child resources within them. |
| Data Lake Analytics Developer | 47b7735b-770e-4598-a7da-8b91488b4c88 | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake… |
| Data Purger | 150f5e0c-0603-4f03-8c7f-cf70034c4e90 | Can purge analytics data |
| Desktop Virtualization User | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 | Allows user to use the applications in an application group. |
| DevTest Labs User | 76283e04-6283-4c54-8f91-bcf1374a3c64 | Lets you connect, start, restart, and shutdown your virtual machines in your Azure De… |
| DNS Zone Contributor | befefa01-2a29-4197-83a8-272ff33ce314 | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control … |
| DocumentDB Account Contributor | 5bd9cd88-fe45-4216-938b-f97437e15450 | Lets you manage DocumentDB accounts, but not access to them. |
| EventGrid EventSubscription Contributor | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 | Lets you manage EventGrid event subscription operations. |
| EventGrid EventSubscription Reader | 2414bbcf-6497-4faf-8c65-045460748405 | Lets you read EventGrid event subscriptions. |
| Experimentation Administrator | 7f646f1b-fa08-80eb-a33b-edd6ce5c915c | Experimentation Administrator |
| Experimentation Contributor | 7f646f1b-fa08-80eb-a22b-edd6ce5c915c | Experimentation Contributor |
| Graph Owner | b60367af-1334-4454-b71e-769d9a4f83d9 | Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Con… |
| HDInsight Cluster Operator | 61ed4efc-fab3-44fd-b111-e24485cc132a | Lets you read and modify HDInsight cluster configurations. |
| HDInsight Domain Services Contributor | 8d8d5a11-05d3-4bda-a417-a08778121c7c | Can Read, Create, Modify and Delete Domain Services related operations needed for HDI… |
| Hybrid Server Onboarding | 5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb | Can onboard new Hybrid servers to the Hybrid Resource Provider. |
| Hybrid Server Resource Administrator | 48b40c6e-82e0-4eb3-90d5-19e40f49b624 | Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. |
| Integration Service Environment Contributor | a41e2c5b-bd99-4a07-88f4-9bf657a760b8 | Lets you manage integration service environments, but not access to them. |
| Integration Service Environment Developer | c7aa55d3-1abb-444a-a5ca-5e51e485d6ec | Allows developers to create and update workflows, integration accounts and API connec… |
| Intelligent Systems Account Contributor | 03a6d094-3444-4b3d-88af-7477090a9e5e | Lets you manage Intelligent Systems accounts, but not access to them. |
| Key Vault Contributor | f25e0fa2-a7c8-4377-a976-54943a77a395 | Lets you manage key vaults, but not access to them. |
| Knowledge Consumer | ee361c5d-f7b5-4119-b4b6-892157c8f64c | Knowledge Read permission to consume Enterprise Graph Knowledge using entity search a… |
| Kubernetes Cluster - Azure Arc Onboarding | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 | Role definition to authorize any user/service to create connectedClusters resource |
| Lab Creator | b97fb8bc-a8b2-4522-a38b-dd33c7e65ead | Lets you create, manage, delete your managed labs under your Azure Lab Accounts. |
| Log Analytics Contributor | 92aaf0da-9dab-42b6-94a3-d43ce8d16293 | Log Analytics Contributor can read all monitoring data and edit monitoring settings. … |
| Log Analytics Reader | 73c42c96-874c-492b-b04d-ab87d138a893 | Log Analytics Reader can view and search all monitoring data as well as and view moni… |
| Logic App Contributor | 87a39d53-fc1b-424a-814c-f7e04687dc9e | Lets you manage logic app, but not access to them. |
| Logic App Operator | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe | Lets you read, enable and disable logic app. |
| Managed Application Contributor Role | 641177b8-a67a-45b9-a033-47bc880bb21e | Allows for creating managed application resources. |
| Managed Application Operator Role | c7393b34-138c-406f-901b-d8cf2b17e6ae | Lets you read and perform actions on Managed Application resources |
| Managed Applications Reader | b9331d33-8a36-4f8c-b097-4f54124fdb44 | Lets you read resources in a managed app and request JIT access. |
| Managed Identity Contributor | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 | Create, Read, Update, and Delete User Assigned Identity |
| Managed Identity Operator | f1a07417-d97a-45cb-824c-7a7467783830 | Read and Assign User Assigned Identity |
| Managed Services Registration assignment Delete Role | 91c1777a-f3dc-4fae-b103-61d183457e46 | Managed Services Registration Assignment Delete Role allows the managing tenant users… |
| Management Group Contributor | 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c | Management Group Contributor Role |
| Management Group Reader | ac63b705-f282-497d-ac71-919bf39d939d | Management Group Reader Role |
| Marketplace Admin | dd920d6d-f481-47f1-b461-f338c46b2d9f | Administrator of marketplace resource provider |
| Monitoring Contributor | 749f88d5-cbae-40b8-bcfc-e573ddc772fa | Can read all monitoring data and update monitoring settings. |
| Monitoring Metrics Publisher | 3913510d-42f4-4e42-8a64-420c390055eb | Enables publishing metrics against Azure resources |
| Monitoring Reader | 43d0d8ad-25c7-4714-9337-8ba259a9fe05 | Can read all monitoring data. |
| Network Contributor | 4d97b98b-1d4f-4787-a291-c67834d212e7 | Lets you manage networks, but not access to them. |
| New Relic APM Account Contributor | 5d28c62d-5b37-4476-8438-e587778df237 | Lets you manage New Relic Application Performance Management accounts and application… |
| Owner | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 | Lets you manage everything, including access to resources. |
| Policy Insights Data Writer (Preview) | 66bb4e9e-b016-4a94-8249-4c0511c2be84 | Allows read access to resource policies and write access to resource component policy… |
| Private DNS Zone Contributor | b12aa53e-6015-4669-85d0-8515ebb3ae7f | Lets you manage private DNS zone resources, but not the virtual networks they are lin… |
| QnA Maker Editor | f4cc2bf9-21be-47a1-bdf1-5c5804381025 | |
| QnA Maker Reader | 466ccd10-b268-4a11-b098-b4849f024126 | |
| Reader | acdd72a7-3385-48ef-bd42-f606fba81ae7 | Lets you view everything, but not make any changes. |
| Reader and Data Access | c12c1c16-33a1-487b-954d-41c89c60f349 | Lets you view everything but will not let you delete or create a storage account or c… |
| Redis Cache Contributor | e0f68234-74aa-48ed-b826-c38b57376e17 | Lets you manage Redis caches, but not access to them. |
| Remote Rendering Administrator | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e | Provides user with conversion, manage session, rendering and diagnostics capabilities… |
| Remote Rendering Client | d39065c4-c120-43c9-ab0a-63eed9795f0a | Provides user with manage session, rendering and diagnostics capabilities for Azure R… |
| Resource Policy Contributor | 36243c78-bf99-498c-9df9-86d9f8d28608 | Users with rights to create/modify resource policy, create support ticket and read re… |
| Scheduler Job Collections Contributor | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 | Lets you manage Scheduler job collections, but not access to them. |
| Search Service Contributor | 7ca78c08-252a-4471-8644-bb5ff32d4ba0 | Lets you manage Search services, but not access to them. |
| Security Admin | fb1c8493-542b-48eb-b624-b4c8fea62acd | Security Admin Role |
| Security Assessment Contributor | 612c2aa1-cb24-443b-ac28-3ab7272de6f5 | Lets you push assessments to Security Center |
| Security Manager (Legacy) | e3d13bf0-dd5a-482e-ba6b-9b8433878d10 | This is a legacy role. Please use Security Administrator instead |
| Security Reader | 39bc4728-0917-49c7-9d2c-d95423bc2eb4 | Security Reader Role |
| SignalR AccessKey Reader | 04165923-9d83-45d5-8227-78b77b0a687e | Read SignalR Service Access Keys |
| SignalR Contributor | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 | Create, Read, Update, and Delete SignalR service resources |
| Site Recovery Contributor | 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 | Lets you manage Site Recovery service except vault creation and role assignment |
| Site Recovery Operator | 494ae006-db33-4328-bf46-533a6560a3ca | Lets you failover and failback but not perform other Site Recovery management operations |
| Site Recovery Reader | dbaa88c4-0c30-4179-9fb3-46319faa6149 | Lets you view Site Recovery status but not perform other management operations |
| Spatial Anchors Account Contributor | 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 | Lets you manage spatial anchors in your account, but not delete them |
| Spatial Anchors Account Owner | 70bbe301-9835-447d-afdd-19eb3167307c | Lets you manage spatial anchors in your account, including deleting them |
| Spatial Anchors Account Reader | 5d51204f-eb77-4b1c-b86a-2ec626c49413 | Lets you locate and read properties of spatial anchors in your account |
| SQL DB Contributor | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec | Lets you manage SQL databases, but not access to them. Also, you can't manage their s… |
| SQL Managed Instance Contributor | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d | Lets you manage SQL Managed Instances and required network configuration, but can't g… |
| SQL Security Manager | 056cd41c-7e88-42e1-933e-88ba6a50c9c3 | Lets you manage the security-related policies of SQL servers and databases, but not a… |
| SQL Server Contributor | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 | Lets you manage SQL servers and databases, but not access to them, and not their secu… |
| Storage Account Contributor | 17d1049b-9a84-46fb-8f53-869881c3d3ab | Lets you manage storage accounts, including accessing storage account keys which prov… |
| Storage Account Key Operator Service Role | 81a9662b-bebf-436f-a333-f67b29880f12 | Storage Account Key Operators are allowed to list and regenerate keys on Storage Acco… |
| Storage Blob Data Contributor | ba92f5b4-2d11-453d-a403-e96b0029c9fe | Allows for read, write and delete access to Azure Storage blob containers and data |
| Storage Blob Data Owner | b7e6dc6d-f1e8-4753-8033-0f276bb0955b | Allows for full access to Azure Storage blob containers and data, including assigning… |
| Storage Blob Data Reader | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 | Allows for read access to Azure Storage blob containers and data |
| Storage Blob Delegator | db58b8e5-c6ad-4a2a-8342-4190687cbf4a | Allows for generation of a user delegation key which can be used to sign SAS tokens |
| Storage File Data SMB Share Contributor | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb | Allows for read, write, and delete access in Azure Storage file shares over SMB |
| Storage File Data SMB Share Elevated Contributor | a7264617-510b-434b-a828-9731dc254ea7 | Allows for read, write, delete and modify NTFS permission access in Azure Storage fil… |
| Storage File Data SMB Share Reader | aba4ae5f-2193-4029-9191-0cb91df5e314 | Allows for read access to Azure File Share over SMB |
| Storage Queue Data Contributor | 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | Allows for read, write, and delete access to Azure Storage queues and queue messages |
| Storage Queue Data Message Processor | 8a0f0c08-91a1-4084-bc3d-661d67233fed | Allows for peek, receive, and delete access to Azure Storage queue messages |
| Storage Queue Data Message Sender | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | Allows for sending of Azure Storage queue messages |
| Storage Queue Data Reader | 19e7f393-937e-4f77-808e-94535e297925 | Allows for read access to Azure Storage queues and queue messages |
| Support Request Contributor | cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e | Lets you create and manage Support requests |
| Tag Contributor | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f | Lets you manage tags on entities, without providing access to the entities themselves. |
| Traffic Manager Contributor | a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 | Lets you manage Traffic Manager profiles, but does not let you control who has access… |
| User Access Administrator | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 | Lets you manage user access to Azure resources. |
| Virtual Machine Administrator Login | 1c0163c0-47e6-4577-8991-ea5c82e286e4 | View Virtual Machines in the portal and login as administrator |
| Virtual Machine Contributor | 9980e02c-c2be-4d73-94e8-173b1dc7cf3c | Lets you manage virtual machines, but not access to them, and not the virtual network… |
| Virtual Machine User Login | fb879df8-f326-4884-b1cf-06f3ad86be52 | View Virtual Machines in the portal and login as a regular user. |
| Web Plan Contributor | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b | Lets you manage the web plans for websites, but not access to them. |
| Website Contributor | de139f84-1756-47ae-9be6-808fbbe84772 | Lets you manage websites (not web plans), but not access to them. |
| Workbook Contributor | e8ddcd69-c73f-4f9f-9844-4100522f16ad | Can save shared workbooks. |
| Workbook Reader | b279062a-9be3-42a0-92ae-8b3cf002ec4d | Can read workbooks. |
As you can see, there are quite a few roles available, and, as we saw in the Azure portal earlier, each of them can carry an extensive list of permissions across several resource providers.
Listing all permissions of a specific RBAC role
Earlier we looked at the permissions of the "Virtual Machine Contributor" role in the Azure portal. Let's see what that looks like in PowerShell.
Use the following command to list the permissions contained in the "Virtual Machine Contributor" role:
```powershell
(Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor").Actions
```
The output looks like this:
```text
PS C:\> (Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor").Actions
Microsoft.Authorization/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/locations/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.Compute/disks/write
Microsoft.Compute/disks/read
Microsoft.Compute/disks/delete
Microsoft.DevTestLab/schedules/*
Microsoft.Insights/alertRules/*
Microsoft.Network/applicationGateways/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/join/action
Microsoft.Network/loadBalancers/inboundNatPools/join/action
Microsoft.Network/loadBalancers/inboundNatRules/join/action
Microsoft.Network/loadBalancers/probes/join/action
Microsoft.Network/loadBalancers/read
Microsoft.Network/locations/*
Microsoft.Network/networkInterfaces/*
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/publicIPAddresses/join/action
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.RecoveryServices/locations/*
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write
Microsoft.RecoveryServices/Vaults/backupPolicies/read
Microsoft.RecoveryServices/Vaults/backupPolicies/write
Microsoft.RecoveryServices/Vaults/read
Microsoft.RecoveryServices/Vaults/usages/read
Microsoft.RecoveryServices/Vaults/write
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.SqlVirtualMachine/*
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/read
Microsoft.Support/*
```
As you can see, each permission is written as a resource provider path (for example "Microsoft.Network/virtualNetworks") followed by the operation type (for example "read"), and "*" is a wildcard that covers every operation below that path, including operations the provider adds later. Two things are worth checking before you hand out a role. First, `.Actions` is only part of the picture: a role definition also has `NotActions`, `DataActions` and `NotDataActions` properties, and the effective permissions are the allowed operations minus the excluded ones. Second, read the broad entries carefully: in this role `Microsoft.Compute/virtualMachines/*` also covers `runCommand/action`, which runs commands inside the VM, and `Microsoft.Storage/storageAccounts/listKeys/action` returns storage account keys, so the "not access to them" in the role's description is narrower than it sounds.
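The following is an added example, not code from the original article, that turns the check just described into a reusable function: it combines Actions and DataActions, subtracts NotActions and NotDataActions, and reports which sensitive operations a role still grants and through which entries. The list of sensitive operations and the sample role object are assumptions made for illustration; the function accepts any object shaped like a PSRoleDefinition, so it can be fed by Get-AzureRmRoleDefinition (or Get-AzRoleDefinition) as well as by the constructed sample, which lets you run it without an Azure connection.

```powershell
# Added example (not from the original article): audit the effective permissions of an
# RBAC role definition instead of just printing .Actions.

# Operations that hand out credentials, run code or change access control.
# Assumption chosen for illustration; extend the list for your own environment.
$SensitiveOperations = @(
    'Microsoft.Authorization/roleAssignments/write',
    'Microsoft.Authorization/roleDefinitions/write',
    'Microsoft.Storage/storageAccounts/listKeys/action',
    'Microsoft.Compute/virtualMachines/runCommand/action',
    'Microsoft.KeyVault/vaults/secrets/*'
)

function Get-RoleRisk {
    param([Parameter(Mandatory)][psobject]$Role)

    # Allowed = Actions + DataActions; excluded = NotActions + NotDataActions.
    # RBAC's '*' matches any characters including '/', which is what -like does too.
    $allowed  = @(@($Role.Actions)    + @($Role.DataActions)    | Where-Object { $_ })
    $excluded = @(@($Role.NotActions) + @($Role.NotDataActions) | Where-Object { $_ })

    $hits = foreach ($op in $SensitiveOperations) {
        # Granted when an allowed entry covers the operation, or the operation
        # pattern covers an allowed entry; carved out when an excluded entry covers it.
        $grantedBy = @($allowed  | Where-Object { $op -like $_ -or $_ -like $op })
        $carvedOut = @($excluded | Where-Object { $op -like $_ })
        if ($grantedBy.Count -gt 0 -and $carvedOut.Count -eq 0) {
            [pscustomobject]@{
                Operation = $op
                GrantedBy = ($grantedBy -join ', ')
            }
        }
    }

    [pscustomobject]@{
        Role            = $Role.Name
        AllowedCount    = $allowed.Count
        WildcardEntries = @($allowed | Where-Object { $_ -match '\*' })
        SensitiveHits   = @($hits)
    }
}

# Constructed sample shaped like a PSRoleDefinition. The Actions are a subset of the
# "Virtual Machine Contributor" output shown above; the NotActions carve-out is invented
# to show how exclusions are applied.
$sampleRole = [pscustomobject]@{
    Name           = 'Virtual Machine Contributor (sample)'
    Actions        = @(
        'Microsoft.Authorization/*/read',
        'Microsoft.Compute/virtualMachines/*',
        'Microsoft.Network/networkInterfaces/*',
        'Microsoft.Storage/storageAccounts/listKeys/action',
        'Microsoft.Storage/storageAccounts/read'
    )
    NotActions     = @('Microsoft.Compute/virtualMachines/runCommand/action')
    DataActions    = @()
    NotDataActions = @()
}

$risk = Get-RoleRisk -Role $sampleRole
$risk | Format-List Role, AllowedCount, WildcardEntries
$risk.SensitiveHits | Format-Table Operation, GrantedBy
# With the carve-out above only the listKeys operation is reported; remove the
# NotActions entry and runCommand is reported too, granted by virtualMachines/*.

# Against a live subscription (after Connect-AzureRmAccount), list every built-in role
# that still grants one of the sensitive operations:
# Get-AzureRmRoleDefinition |
#     ForEach-Object { Get-RoleRisk -Role $_ } |
#     Where-Object { $_.SensitiveHits.Count -gt 0 } |
#     Select-Object Role, @{ n = 'Hits'; e = { $_.SensitiveHits.Operation -join '; ' } }
```

The matching deliberately runs in both directions (`$op -like $entry` and `$entry -like $op`) so that a broad role entry such as `Microsoft.Compute/virtualMachines/*` and a broad sensitive pattern such as `Microsoft.KeyVault/vaults/secrets/*` are both caught; the carve-out check only needs the first direction, because an exclusion has to cover the operation to remove it.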
Listing all users with a specific RBAC role
To list all users assigned a specific RBAC role, use the following PowerShell command (Get-AzureRmRoleAssignment also accepts a -RoleDefinitionName parameter, which does the same filtering without the Where-Object):
```powershell
Get-AzureRmRoleAssignment | ? {$_.RoleDefinitionName -eq 'Virtual Machine Contributor'} | ft RoleDefinitionName,DisplayName
```
The command produces output similar to this:
```text
RoleDefinitionName          DisplayName
------------------          -----------
Virtual Machine Contributor Tycho Brahe
Virtual Machine Contributor Ole Roemer
```
Listing all RBAC roles of a specific user
To see all RBAC roles assigned to an individual user (or any other identity type), use the following PowerShell command. Be aware that a display name is not unique, so for anything more than a quick look filter on -SignInName or -ObjectId instead, and add -ExpandPrincipalGroups if you also want the roles the user inherits through group membership:
```powershell
Get-AzureRmRoleAssignment | ? {$_.DisplayName -eq 'Tycho Brahe'} | ft RoleDefinitionName,DisplayName
```
The command produces output similar to this:
```text
RoleDefinitionName          DisplayName
------------------          -----------
SQL Server Contributor      Tycho Brahe
Virtual Machine Contributor Tycho Brahe
```
Listing all RBAC roles assigned to all identities
To list all assigned RBAC roles, use a PowerShell command like the following. Without a -Scope parameter it covers the subscription selected in your current context; pass -Scope to narrow it to a resource group or a single resource:
```powershell
Get-AzureRmRoleAssignment | ft RoleDefinitionName,DisplayName
```
The output might look like this:
```text
RoleDefinitionName          DisplayName
------------------          -----------
Virtual Machine Contributor Tycho Brahe
Virtual Machine Contributor Ole Roemer
SQL Server Contributor      Tycho Brahe
```
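The three listings above (users holding a role, roles held by a user, and all assignments) are what an access review starts from. The following added example, not code from the original article, turns the same data into a small audit report: it keys on ObjectId rather than DisplayName, flags privileged roles held at subscription or management-group scope, and surfaces assignments whose principal has been deleted (these appear with ObjectType "Unknown" and are not cleaned up automatically). The list of privileged roles, the scope pattern and the sample assignments (with made-up object IDs and the article's fictional users) are assumptions for illustration; the function accepts anything shaped like the objects Get-AzureRmRoleAssignment returns, so it runs offline on the sample and unchanged against a live subscription.

```powershell
# Added example (not from the original article): audit role assignments instead of
# just listing them.

# Roles treated as privileged when held at a broad scope. Assumption for illustration.
$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

function Get-AssignmentFindings {
    param([Parameter(Mandatory)][object[]]$Assignment)

    # Subscription root, management group, or tenant root scope.
    $broadScope = '^/subscriptions/[^/]+$|^/providers/Microsoft\.Management/managementGroups/[^/]+$|^/$'

    $privileged = $Assignment | Where-Object {
        $PrivilegedRoles -contains $_.RoleDefinitionName -and $_.Scope -match $broadScope
    }

    # A deleted user, group or service principal leaves its assignment behind with
    # ObjectType 'Unknown'; those should be removed, not left to be reused.
    $orphaned = $Assignment | Where-Object { $_.ObjectType -eq 'Unknown' }

    # Group by ObjectId so that two principals sharing a display name are not merged
    # and one principal with several assignments is reported once.
    $byPrincipal = $Assignment | Group-Object ObjectId | ForEach-Object {
        [pscustomobject]@{
            ObjectId    = $_.Name
            DisplayName = ($_.Group | Select-Object -First 1).DisplayName
            ObjectType  = ($_.Group | Select-Object -First 1).ObjectType
            Roles       = @($_.Group.RoleDefinitionName | Sort-Object -Unique)
        }
    }

    [pscustomobject]@{
        PrivilegedAtBroadScope = @($privileged)
        Orphaned               = @($orphaned)
        ByPrincipal            = @($byPrincipal)
    }
}

# Constructed sample shaped like PSRoleAssignment objects. Subscription ID, object IDs
# and sign-in names are made up; the user names are the article's fictional users.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000001'
$sample = @(
    [pscustomobject]@{ RoleDefinitionName = 'Virtual Machine Contributor'; DisplayName = 'Tycho Brahe'; SignInName = 'tycho@contoso.example'; ObjectId = '11111111-1111-1111-1111-111111111111'; ObjectType = 'User';    Scope = "$sub/resourceGroups/rg-observatory" }
    [pscustomobject]@{ RoleDefinitionName = 'SQL Server Contributor';      DisplayName = 'Tycho Brahe'; SignInName = 'tycho@contoso.example'; ObjectId = '11111111-1111-1111-1111-111111111111'; ObjectType = 'User';    Scope = "$sub/resourceGroups/rg-observatory" }
    [pscustomobject]@{ RoleDefinitionName = 'Virtual Machine Contributor'; DisplayName = 'Ole Roemer';  SignInName = 'ole@contoso.example';   ObjectId = '22222222-2222-2222-2222-222222222222'; ObjectType = 'User';    Scope = "$sub/resourceGroups/rg-observatory" }
    [pscustomobject]@{ RoleDefinitionName = 'Owner';                       DisplayName = 'Ole Roemer';  SignInName = 'ole@contoso.example';   ObjectId = '22222222-2222-2222-2222-222222222222'; ObjectType = 'User';    Scope = $sub }
    [pscustomobject]@{ RoleDefinitionName = 'Contributor';                 DisplayName = '';            SignInName = '';                      ObjectId = '33333333-3333-3333-3333-333333333333'; ObjectType = 'Unknown'; Scope = $sub }
)

$report = Get-AssignmentFindings -Assignment $sample
'--- privileged roles at broad scope ---'
$report.PrivilegedAtBroadScope | Format-Table RoleDefinitionName, DisplayName, ObjectId, Scope
'--- assignments whose principal no longer exists ---'
$report.Orphaned | Format-Table RoleDefinitionName, ObjectId, Scope
'--- roles per principal ---'
$report.ByPrincipal | Format-Table DisplayName, ObjectType, ObjectId, @{ n = 'Roles'; e = { $_.Roles -join ', ' } }
# On the sample this reports Ole Roemer's Owner assignment and the orphaned Contributor
# assignment at subscription scope, and three principals in the per-principal list.

# Against a live subscription (after Connect-AzureRmAccount):
# $report = Get-AssignmentFindings -Assignment (Get-AzureRmRoleAssignment)
```

Keying on ObjectId is the important design choice: the DisplayName filter used earlier in the article is fine for a quick look, but two principals can share a display name, and a deleted principal has no display name at all, so a report built on names would either merge identities or silently drop the orphaned assignments that most need attention.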
Summary
Hopefully this article has given you a good starting point for working with Azure RBAC roles from PowerShell. Starting from these basic building blocks, I am sure you will soon be impressing your colleagues with some nice scripts!