Of late I have been busy learning WVD (Windows Virtual Desktop), and I am not even halfway through this journey. The team asked me to write a script to pull the assignment information from all the Windows Virtual Desktop application groups, and added that they had used the New-AzRoleAssignment cmdlet to assign the permissions to the users. So I thought it would be easy to pull the details using Get-AzRoleAssignment. But it failed. Without waiting, I used the REST and Graph APIs to pull the information. Why? The reason is simple: I used the browser developer tools to see how the portal retrieves the information, and, as expected, it is through batch operations and the Graph API to pull the user information.
Get-AzRoleAssignment: Exception of type ‘Microsoft.Rest.Azure.CloudException’ was thrown. Yes, this is a common issue. In my case, the cause was a missing permission on Azure Active Directory. It was news to me that there is no cmdlet in the Az.DesktopVirtualization module to list the users assigned to application groups. No need to spend more time on the Az module, because we won't use it.
If you are new to Azure REST and the Graph API, please make use of the Microsoft documentation shared below.
```powershell
param (
    $SubscriptionId   = "",
    $ResourceGroup    = "",
    $ApplicationGroup = ""
)

#region - Azure Management Headers
# Secrets are read from a SecretManagement vault (Microsoft.PowerShell.SecretManagement module)
$TenantID     = Get-Secret -Name "Reporting-TenantID"     -AsPlainText
$ClientID     = Get-Secret -Name "Reporting-ClientID"     -AsPlainText
$ClientSecret = Get-Secret -Name "Reporting-ClientSecret" -AsPlainText

# Client-credentials token for Azure Resource Manager (v1 token endpoint, 'resource' parameter)
$Result = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantID/oauth2/token?api-version=1.0" -Method Post -Body @{
    "grant_type"    = "client_credentials"
    "resource"      = "https://management.core.windows.net/"
    "client_id"     = "$ClientID"
    "client_secret" = "$ClientSecret"
}
$Headers = @{ Authorization = "{0} {1}" -f ($Result.token_type, $Result.access_token) }
#endregion

#region - Graph API Token
# Client-credentials token for Microsoft Graph (v2.0 token endpoint, 'scope' parameter)
$GraphAPI = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" -Method Post -Body @{
    "grant_type"    = "client_credentials"
    "scope"         = "https://graph.microsoft.com/.default"
    "client_id"     = "$ClientID"
    "client_secret" = "$ClientSecret"
}
$GraphHeaders = @{ Authorization = "{0} {1}" -f ($GraphAPI.token_type, $GraphAPI.access_token) }
#endregion

#region - List Assigned Users
# Listing role assignments at the application group scope also returns assignments inherited
# from the resource group and subscription, so keep only those made directly on the app group.
$Scope = "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroup)/providers/Microsoft.DesktopVirtualization/applicationgroups/$($ApplicationGroup)"
$Uri   = "https://management.azure.com$($Scope)/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01"
$AssignedUsers = (Invoke-RestMethod -Uri $Uri -Headers $Headers).value.properties |
    Where-Object { $_.scope -eq $Scope }   # -eq is case-insensitive, so 'applicationGroups' in the response still matches
#endregion

#region - Retrieve User Information
# Resolve every principalId (user or group) to a directory object through Graph getByIds
$AssignedUsers | ForEach-Object {
    $Body = [pscustomobject]@{
        ids   = @($_.principalId)
        types = @("user", "group")
    } | ConvertTo-Json -Compress
    $UserInformation = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/directoryObjects/getByIds" -Headers $GraphHeaders -ContentType "application/json" -Method Post -Body $Body
    [pscustomobject]@{
        PrincipalId       = $_.principalId          # kept so a deleted principal still shows up as a row
        DisplayName       = $UserInformation.value.displayName
        UserPrincipalName = $UserInformation.value.userPrincipalName   # empty for groups
        Mail              = $UserInformation.value.mail
    }
}
#endregion
```
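The script above makes one Graph call per assignment and reads only the first page of role assignments. The following function is an added example, not code from the original post: it follows ARM paging, resolves the role definition so you can restrict the report to the built-in "Desktop Virtualization User" role, and resolves all principals in batches of up to 1000 ids per getByIds call, which is the documented limit for that endpoint. The function name and its parameters are hypothetical; the `$Headers` and `$GraphHeaders` hashtables are assumed to have been built exactly as in the script above.

```powershell
# Added example (not from the original post). Assumes $Headers / $GraphHeaders were built as above.
function Get-WvdAppGroupAssignment {
    param (
        [Parameter(Mandatory)] [string]    $SubscriptionId,
        [Parameter(Mandatory)] [string]    $ResourceGroup,
        [Parameter(Mandatory)] [string]    $ApplicationGroup,
        [Parameter(Mandatory)] [hashtable] $ArmHeaders,      # Authorization header for management.azure.com
        [Parameter(Mandatory)] [hashtable] $GraphHeaders,    # Authorization header for graph.microsoft.com
        [string] $RoleName = "Desktop Virtualization User",  # pass '' to report every role
        [switch] $IncludeInherited                           # also report assignments inherited from RG / subscription
    )

    $Scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.DesktopVirtualization/applicationGroups/$ApplicationGroup"

    # 1. Role assignments at (and above) the app group scope, following nextLink until exhausted
    $Assignments = @()
    $Uri = "https://management.azure.com$Scope/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01"
    while ($Uri) {
        $Page = Invoke-RestMethod -Uri $Uri -Headers $ArmHeaders -Method Get
        $Assignments += $Page.value.properties
        $Uri = $Page.nextLink
    }
    if (-not $IncludeInherited) {
        $Assignments = @($Assignments | Where-Object { $_.scope -eq $Scope })
    }

    # 2. Map each distinct roleDefinitionId (a full ARM resource id) to its roleName, one GET per definition
    $RoleCache = @{}
    foreach ($Id in @($Assignments.roleDefinitionId | Sort-Object -Unique)) {
        $Def = Invoke-RestMethod -Uri "https://management.azure.com$($Id)?api-version=2022-04-01" -Headers $ArmHeaders
        $RoleCache[$Id] = $Def.properties.roleName
    }
    if ($RoleName) {
        $Assignments = @($Assignments | Where-Object { $RoleCache[$_.roleDefinitionId] -eq $RoleName })
    }

    # 3. Resolve principals in batches: directoryObjects/getByIds accepts up to 1000 ids per request
    $Principals = @{}
    $Ids = @($Assignments.principalId | Sort-Object -Unique)
    for ($i = 0; $i -lt $Ids.Count; $i += 1000) {
        $Chunk = @($Ids[$i..([Math]::Min($i + 999, $Ids.Count - 1))])
        $Body  = @{ ids = $Chunk; types = @("user", "group", "servicePrincipal") } | ConvertTo-Json -Compress
        $Resp  = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/directoryObjects/getByIds" -Headers $GraphHeaders -ContentType "application/json" -Method Post -Body $Body
        foreach ($Obj in $Resp.value) { $Principals[$Obj.id] = $Obj }
    }

    # 4. Join assignments to directory objects; a principal deleted from the directory has no Graph object
    #    but still holds the assignment, so it is reported as orphaned rather than silently dropped
    foreach ($A in $Assignments) {
        $P = $Principals[$A.principalId]
        [pscustomobject]@{
            PrincipalId       = $A.principalId
            PrincipalType     = if ($P) { $P.'@odata.type' -replace '^#microsoft\.graph\.', '' } else { "$($A.principalType) (orphaned)" }
            DisplayName       = $P.displayName
            UserPrincipalName = $P.userPrincipalName     # empty for groups and service principals
            Mail              = $P.mail
            Role              = $RoleCache[$A.roleDefinitionId]
            Scope             = if ($A.scope -eq $Scope) { "direct" } else { $A.scope }
        }
    }
}

# Usage, reusing the tokens built earlier in the script
Get-WvdAppGroupAssignment -SubscriptionId $SubscriptionId -ResourceGroup $ResourceGroup -ApplicationGroup $ApplicationGroup `
    -ArmHeaders $Headers -GraphHeaders $GraphHeaders | Format-Table -AutoSize
```

Two things to check before running it under an automation identity: the service principal needs permission to read role assignments at the application group scope (the Reader role is enough, since listing assignments only requires Microsoft.Authorization/roleAssignments/read), and the Graph application permission that getByIds resolves users and groups with, typically Directory.Read.All, must be admin-consented. The missing directory permission is the same gap that makes Get-AzRoleAssignment throw the CloudException mentioned above, because that cmdlet also resolves principal names through Azure AD.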
Output