This post was most recently updated on December 7th, 2021.
4 min read.This article describes a solution to an age-old question of mine: how can I add an Azure Active Directory object – like a security group – to multiple resource groups at once? I’ve had to do this multiple times, and manual work takes quite a while. And who likes multiple manual steps?
To be fair, this article could also be called something like: “Using Azure CLI to spend a lot of time unnecessarily complicating a mind-numbingly boring task of adding one Azure AD group to multiple Resource Groups in Azure, which should be easy but isn’t”. A true damned if you do, damned if you don’t situation since you can only choose between boredom (possibly accompanied with CTS) and frustration (possibly accompanied with your keyboard broken in half).
Oh well. Out of those 2, I’ll certainly opt for frustration. I’ve got plenty of spare keyboards, but I hate boredom.
Problem
A step back – what was the problem again?
I had ten or so resource groups that had a few different users assigned to them. They were all related to a single service – and there was a clear need to unify the access and centralize managing it.
Well – that’s an easy fix, right? Just lump the users in an Azure AD group and assign that group to each resource group, right?
Yes – that’s exactly what I decided to do. But doing that manually is slow – what’s a better way to do it?
We’ll need to dig in a bit.
Solution
Obviously, you could just use Azure Portal, but it takes a dozen clicks, a copy-paste option, and a lot of small amounts of waiting to add a group to ONE resource group. It takes perhaps a minute or so. Adding a group to 20 resource groups will take around 20 minutes. That’s way too much for a redundant, simple task like this!
Azure CLI to the rescue. It offers you tools to do this – just somehow, this seems so much more complicated than it should be. But let’s take a look.
With Azure CLI, you can find your resource groups, grab your favorite AD group, and clumsily associate them together.
Clumsily? Why clumsily?
Well – like any decent CLI, Azure CLI supports different kinds of query languages and selectors at different times. So that’s good. One thing seems fairly consistent, though: you form a query, send it server, and the server regurgitates back some text it understands nothing about and provides substandard options for passing the value forward.
So you need to run some extra spells to make the regurgitation turn into JSON.
Does that sound like a happy marriage to you? It’s more of an uneasy, forced cohabitation if you ask me.
Anyway – enough chitchat. Let’s take a look at the steps.
Time needed: 45 minutes
How to use Azure CLI to assign an AD group to multiple resource groups at once?
- Log in
First, we need to log in to establish the connection to Azure.
az login - Select your account
There seems to be no way to query across subscriptions in az group. So I suppose you’ll just need to select the one you like the most. If you’ve got resource groups spanning across multiple subscriptions, you’ll just hate to iterate.
az account set -subscription [subscription name here] - Query for your resource groups
Next, we’ll need to grab all of the resource groups we want to apply this against. Naturally, this will require some JMESPATH, which has zero tooling support so you’ll just need to craft your query online or google for great samples. But you can always make a guess, wait for a painful moment when the server crunches through your query, and then try and readjust.
See below for what I came up with:$groups = az group list --query "[?contains(name, 'myproject')].[id]" -o tsv
Pretty? Eh, should be good enough. - Grab your favorite security group
We’ll only need the id/objectId of this group in AAD, as that’s what the role assignment command takes later on.
So we’ll run something like this to get it, if we know the name of the group:$g = (az ad group list --display-name "My AAD Group" | ConvertFrom-JSON).objectId
Granted, this only works if there is only one group returned – so ensure that you find something that will only return one group! - Assign the group to resource groups
Okay, so this is kind of the pretty part – grab the resource groups, iterate through them, and assign your group to each. This is what it’ll look like:
foreach ($rg in $groups.Split([Environment]::NewLine)) { az role assignment create --assignee $g --role "Contributor" --scope $rg }
Cool, huh? It’ll do.
And there we go!
It might be somewhat obvious, but I have a few problems with Az CLI, and nowadays also Azure commandlets in PowerShell. Or maybe it’s just one problem – my attitude.
Don’t get me wrong – it’s cool to get new toys. It’s awesome that Microsoft publishes new and reimagined versions of the existing tools. One would just hope the toys and tools were somehow better than what we already had. Or maybe the issues we had with old tools would be fixed – either in the old or at least in the new tools.
But I digress.
Anyway – if you feel like easing my pain, let me know if there’s an easier way to do this – again, would love to make things easier. That’s kind of the point of this blog. 🤷♂️
References
- JMESPATH is used to query most resources (–query) when using Az CLI. I’ll leave googling the origins of THAT name up to you.
He's been a developer from 2004 (starting with PHP and Java), and he's been working on .NET projects, Azure, Office 365, SharePoint and a lot of other stuff. He's also Microsoft MVP for Azure.
This is his personal professional (e.g. professional, but definitely personal) blog.
- CSOM suddenly throwing exceptions when trying to access list contents in SharePoint? A weird fix. - April 2, 2024
- “Predefined type ‘System.Object’ is not defined or imported” and other System stuff missing in your solution? - March 26, 2024
- How to import GraphQL schema to Postman in Windows? - March 19, 2024
