I'm trying to get the role assignments from Microsoft Purview using the following REST API:
api_endpoint = f"https://{pv_account_name}.purview.azure.com/policystore/metadataroles"
With this I am able to obtain the IDs and role names, but I am unable to obtain the names of users, service principals, etc. I am writing a Python script to get the data, but I have hit a wall. I am unsure how to go about it, as this is my first time trying this.
How do I get the role assignments, like data curators and collection admins, together with the names of the users and service principals?
I tried writing a Python script like the following:
import requests

# Replace these with your actual values
pv_account_name = "purview"
api_version = "2021-07-01"

# Azure AD credentials (app registration used for the client-credentials flow)
client_id = "b"
client_secret = "L"
tenant_id = "e"
# A token is issued for one audience only, so Purview and Graph each need their own
purview_resource = "https://purview.azure.net"
graph_resource = "https://graph.microsoft.com"

# Construct the token request URL (v1 endpoint, which takes a "resource" parameter)
token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"


def get_token(resource):
    """Request a client-credentials access token for the given resource audience."""
    token_params = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "resource": resource,
    }
    token_response = requests.post(token_url, data=token_params)
    if token_response.status_code != 200:
        print(f"Error: {token_response.status_code}")
        print(token_response.text)
        return None
    return token_response.json().get("access_token")


def get_user_info(unique_identifier, graph_headers):
    """Look the object up in Microsoft Graph as a user first, then as a service principal."""
    for collection in ("users", "servicePrincipals"):
        endpoint = f"https://graph.microsoft.com/v1.0/{collection}/{unique_identifier}"
        user_info_response = requests.get(endpoint, headers=graph_headers)
        if user_info_response.status_code == 200:
            return user_info_response.json()
    return None


purview_token = get_token(purview_resource)
graph_token = get_token(graph_resource)

if purview_token and graph_token:
    # Construct the API endpoint for role assignments
    api_endpoint = f"https://{pv_account_name}.purview.azure.com/policystore/metadataroles"

    # Headers for the Purview call and, separately, for the Graph calls
    headers = {
        "Authorization": f"Bearer {purview_token}",
        "Content-Type": "application/json",
    }
    graph_headers = {"Authorization": f"Bearer {graph_token}"}

    # Set up parameters for the request
    params = {"api-version": api_version}

    # Make the GET request to retrieve role assignments
    response = requests.get(api_endpoint, headers=headers, params=params)

    # Check the response status
    if response.status_code == 200:
        role_assignments = response.json()
        # Role assignments joined with the resolved user / service principal info
        role_assignments_with_names = []

        # Key names below are as in the original script; check them against the actual response
        for assignment in role_assignments.get("values", []):
            unique_identifier = assignment.get("principalId")
            if unique_identifier:
                user_info = get_user_info(unique_identifier, graph_headers)
                if user_info:
                    role_assignments_with_names.append({
                        "role_assignment": assignment,
                        "user_info": user_info,
                    })

        # role_assignments_with_names now holds each assignment with its user or service principal info
        print(role_assignments_with_names)
    else:
        print(f"Error: {response.status_code}")
        print(response.text)
This returns an empty set.
You need to make the calls below to get the names of the users and service principals.
These two IDs are a user ID and a service principal ID respectively, as I have added a user and a service principal.
POST https://graph.microsoft.com/v1.0/$batch
Request Body:
Please note, while generating the token you need to use
resource: https://purview.azure.net
for Purview and resource: https://graph.microsoft.com
for the Graph API call.
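A worked version of the lookup the answer describes, as an added example that is not part of the original question or answer. It mints one token per audience (Purview and Graph are separate resources, as the answer notes), then resolves principal IDs through Graph `$batch`. Two things in it are Graph behaviour rather than anything on this page: `GET /directoryObjects/{id}` answers for users and service principals alike and tags the result with `@odata.type`, and a `$batch` call accepts at most 20 sub-requests, so the IDs are chunked. The app registration is assumed to hold a Graph application permission that can read both object types (for example `Directory.Read.All`, admin-consented); without it the sub-responses come back as 403/404, which the parser records as `None` instead of crashing. The sample IDs, names and batch response are constructed for the offline demo, not captured from a tenant.

```python
"""Resolve Purview role-assignment principal IDs to display names via Graph $batch."""
import json
import urllib.parse
import urllib.request
from typing import Dict, Iterable, List, Optional

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
GRAPH_BATCH_URL = "https://graph.microsoft.com/v1.0/$batch"
GRAPH_RESOURCE = "https://graph.microsoft.com"
PURVIEW_RESOURCE = "https://purview.azure.net"
BATCH_LIMIT = 20  # Graph rejects a $batch carrying more than 20 sub-requests


def _post_json(url: str, headers: dict, data: bytes) -> dict:
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def get_token(tenant_id: str, client_id: str, client_secret: str, resource: str) -> str:
    """Client-credentials token for ONE audience. A token minted for
    PURVIEW_RESOURCE is rejected by Graph and vice versa, so call this twice."""
    form = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "client_credentials", "resource": resource,
    }).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return _post_json(TOKEN_URL.format(tenant=tenant_id), headers, form)["access_token"]


def chunked(items: Iterable[str], size: int = BATCH_LIMIT) -> List[List[str]]:
    items = list(items)
    return [items[i:i + size] for i in range(0, len(items), size)]


def build_batch_body(principal_ids: Iterable[str]) -> dict:
    """One GET per principal against /directoryObjects/{id}, so the caller need
    not know up front whether an id is a user or a service principal. The
    sub-request id is the principal id itself, which lets a failed sub-response
    still be tied back to the principal it was for."""
    return {"requests": [
        {"id": pid, "method": "GET", "url": f"/directoryObjects/{pid}"}
        for pid in principal_ids
    ]}


def parse_batch_response(batch: dict) -> Dict[str, Optional[dict]]:
    """Map principal id -> {"type", "displayName"}, or None when Graph returned
    a non-200 sub-status (deleted principal, or the app lacks permission)."""
    resolved: Dict[str, Optional[dict]] = {}
    for item in batch.get("responses", []):
        pid = item["id"]
        body = item.get("body") or {}
        if item.get("status") == 200:
            # "#microsoft.graph.user" -> "user", "#microsoft.graph.servicePrincipal" -> "servicePrincipal"
            odata_type = body.get("@odata.type", "")
            resolved[pid] = {"type": odata_type.rsplit(".", 1)[-1],
                             "displayName": body.get("displayName")}
        else:
            resolved[pid] = None
    return resolved


def resolve_principals(graph_token: str, principal_ids: Iterable[str]) -> Dict[str, Optional[dict]]:
    """Resolve every id, BATCH_LIMIT at a time, with the Graph-audience token."""
    headers = {"Authorization": f"Bearer {graph_token}", "Content-Type": "application/json"}
    names: Dict[str, Optional[dict]] = {}
    for chunk in chunked(principal_ids):
        payload = json.dumps(build_batch_body(chunk)).encode("utf-8")
        names.update(parse_batch_response(_post_json(GRAPH_BATCH_URL, headers, payload)))
    return names


# Constructed sample (not from a real tenant): a user, a service principal, and
# an id Graph cannot find.
SAMPLE_IDS = [
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
    "33333333-3333-3333-3333-333333333333",
]
SAMPLE_BATCH_RESPONSE = {"responses": [
    {"id": SAMPLE_IDS[0], "status": 200, "body": {
        "@odata.type": "#microsoft.graph.user", "id": SAMPLE_IDS[0],
        "displayName": "Alice Example", "userPrincipalName": "alice@contoso.example"}},
    {"id": SAMPLE_IDS[1], "status": 200, "body": {
        "@odata.type": "#microsoft.graph.servicePrincipal", "id": SAMPLE_IDS[1],
        "displayName": "purview-scanner-sp"}},
    {"id": SAMPLE_IDS[2], "status": 404, "body": {
        "error": {"code": "Request_ResourceNotFound", "message": "Resource not found."}}},
]}

if __name__ == "__main__":
    # Offline demo over the constructed sample. Live use:
    # resolve_principals(get_token(tenant, app_id, secret, GRAPH_RESOURCE), ids_from_purview)
    print(json.dumps(parse_batch_response(SAMPLE_BATCH_RESPONSE), indent=2))
```

The IDs fed to `resolve_principals` are whatever the Purview policy response lists as principals; the Purview token obtained with `PURVIEW_RESOURCE` is used only for that call and never sent to Graph. Treat a `None` entry as a finding worth a second look rather than noise: a role assignment whose principal no longer resolves is a stale grant that should be removed.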