
Exporting Subscriptions and Role Assignments Issue

H Raja 346 Reputation points
2026-03-30T16:13:35.5033333+00:00

I'm trying to export all my subscriptions and role assignments in my tenants. I've tried via PowerShell and using Copilot :-). Hopefully the screenshot does it some justice. Each time it runs, it shows the error 'Continuous access evaluation resulted in challenge...' for each subscription.

Does anyone have a script that can give me, for each subscription, the role assignments and the details of the group or SPN assigned? Thanks.


Azure Role-based access control

An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.


Answer accepted by question author
  1. Sridevi Machavarapu 26,355 Reputation points Microsoft External Staff Moderator
    2026-03-31T08:38:36.04+00:00

    Hello H Raja,

    The error you’re seeing is due to CAE interrupting the session during a long run, not an issue with your script.

    The clean way around it is to use a service principal instead of interactive login.

    Create an app registration and assign:

    • Reader on all subscriptions (or at management group level)
    • Directory Reader (optional, for resolving names)

    Then run this:

    $path = "C:\Temp\RBAC_Export.csv"

    $tenantId = "<tenant-id>"
    $appId    = "<app-id>"
    # Placeholder only: do not leave a real secret in the script file. Read it from a
    # vault or a protected environment variable at run time instead.
    $secret   = "<client-secret>"

    $secureSecret = ConvertTo-SecureString $secret -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($appId, $secureSecret)

    # Non-interactive sign-in as the service principal.
    Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential $cred

    if (!(Test-Path "C:\Temp")) {
        New-Item -ItemType Directory -Path "C:\Temp" | Out-Null
    }

    # A generic list avoids rebuilding the whole array on every += in large tenants.
    $result = [System.Collections.Generic.List[object]]::new()

    foreach ($sub in Get-AzSubscription) {

        if ($sub.State -ne "Enabled") { continue }

        Set-AzContext -SubscriptionId $sub.Id | Out-Null

        # Assignments that apply at subscription scope, including those inherited from
        # management groups and the tenant root.
        foreach ($a in Get-AzRoleAssignment -Scope "/subscriptions/$($sub.Id)") {
            $result.Add([PSCustomObject]@{
                SubscriptionName = $sub.Name
                SubscriptionId   = $sub.Id
                RoleName         = $a.RoleDefinitionName
                PrincipalName    = $a.DisplayName
                PrincipalType    = $a.ObjectType   # User, Group, ServicePrincipal, or Unknown
                Scope            = $a.Scope
            })
        }
    }

    $result | Export-Csv $path -NoTypeInformation

    Write-Host "Export completed: $path"
    

    This will run through all subscriptions and export everything into a single file without the CAE interruptions.

    1 person found this answer helpful.
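A fuller version of the same export, written here as an added example and not as the answer's own script. It assumes Az.Accounts and Az.Resources, an app registration that signs in with a certificate (the tenant ID, app ID and thumbprint are placeholders) and that holds Reader on the subscriptions plus enough directory read permission for Get-AzADGroupMember and Get-AzADServicePrincipal to resolve objects; property names follow Az.Resources 6.x as I know them. Beyond the columns in the accepted answer it records each principal's object ID, sign-in name and ABAC condition, expands group membership so the file shows who actually holds a role, resolves the application ID behind each service principal, and flags two things an access review looks for first: assignments whose principal no longer exists (ObjectType "Unknown") and privileged built-in roles held at subscription scope or above.

```powershell
# Added example; not the accepted answer's script. Replace the placeholders before use.
param(
    [string]$TenantId   = "<tenant-id>",
    [string]$AppId      = "<app-id>",
    [string]$Thumbprint = "<certificate-thumbprint>",   # cert installed in CurrentUser\My
    [string]$OutDir     = "C:\Temp"
)

# Certificate credential: nothing secret sits in the script file or the shell history.
Connect-AzAccount -ServicePrincipal -Tenant $TenantId -ApplicationId $AppId `
    -CertificateThumbprint $Thumbprint | Out-Null
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Built-in roles that grant write or access-management rights; flagged when they are
# held at subscription scope or inherited from above it.
$privilegedRoles = @("Owner", "Contributor", "User Access Administrator",
                     "Role Based Access Control Administrator")

$assignments = [System.Collections.Generic.List[object]]::new()
$members     = [System.Collections.Generic.List[object]]::new()
$groupCache  = @{}   # group ObjectId -> direct members, expanded once per tenant
$spCache     = @{}   # SPN ObjectId   -> "appId (type)", resolved once per tenant

foreach ($sub in Get-AzSubscription -TenantId $TenantId | Where-Object State -eq "Enabled") {
    Set-AzContext -SubscriptionId $sub.Id -TenantId $TenantId | Out-Null
    $subScope = "/subscriptions/$($sub.Id)"

    # No -Scope: with the context set to this subscription, this lists every assignment
    # that applies within it, inherited ones and those on resource groups/resources included.
    foreach ($a in Get-AzRoleAssignment) {
        $inherited   = ($a.Scope -ne $subScope) -and ($a.Scope -notlike "$subScope/*")
        $atRgOrBelow = $a.Scope -like "$subScope/*"

        if ($a.ObjectType -eq "ServicePrincipal" -and -not $spCache.ContainsKey($a.ObjectId)) {
            $sp = Get-AzADServicePrincipal -ObjectId $a.ObjectId
            $spCache[$a.ObjectId] = "$($sp.AppId) ($($sp.ServicePrincipalType))"
        }

        $assignments.Add([PSCustomObject]@{
            SubscriptionName = $sub.Name
            SubscriptionId   = $sub.Id
            RoleName         = $a.RoleDefinitionName
            RoleDefinitionId = $a.RoleDefinitionId
            PrincipalName    = $a.DisplayName
            SignInName       = $a.SignInName
            PrincipalType    = $a.ObjectType          # User, Group, ServicePrincipal, Unknown
            PrincipalId      = $a.ObjectId
            SpnAppId         = $spCache[$a.ObjectId]  # empty unless the principal is an SPN
            Scope            = $a.Scope
            Inherited        = $inherited
            Condition        = $a.Condition           # ABAC condition text, if any
            # "Unknown" means the principal was deleted but its assignment was not: noise
            # in every review and evidence of an incomplete offboarding. Remove these.
            Orphaned         = ($a.ObjectType -eq "Unknown")
            PrivilegedBroad  = ($privilegedRoles -contains $a.RoleDefinitionName) -and -not $atRgOrBelow
        })

        # Expand groups: the assignment row itself only says "Group", not who is in it.
        if ($a.ObjectType -eq "Group") {
            if (-not $groupCache.ContainsKey($a.ObjectId)) {
                $groupCache[$a.ObjectId] = @(Get-AzADGroupMember -GroupObjectId $a.ObjectId)
            }
            foreach ($m in $groupCache[$a.ObjectId]) {
                $members.Add([PSCustomObject]@{
                    SubscriptionId = $sub.Id
                    RoleName       = $a.RoleDefinitionName
                    Scope          = $a.Scope
                    GroupName      = $a.DisplayName
                    MemberName     = $m.DisplayName
                    MemberId       = $m.Id
                    MemberType     = $m.OdataType     # #microsoft.graph.group here means a nested group
                })
            }
        }
    }
}

$assignments | Export-Csv (Join-Path $OutDir "RBAC_Assignments.csv") -NoTypeInformation
$members     | Export-Csv (Join-Path $OutDir "RBAC_GroupMembers.csv") -NoTypeInformation

# Review summary: the rows most worth acting on first.
$orphaned = @($assignments | Where-Object Orphaned)
$broad    = @($assignments | Where-Object PrivilegedBroad)
Write-Host ("{0} assignments, {1} orphaned, {2} privileged at subscription scope or above" -f
    $assignments.Count, $orphaned.Count, $broad.Count)
$broad | Sort-Object RoleName, PrincipalName | Format-Table RoleName, PrincipalType, PrincipalName, Scope
```

Get-AzADGroupMember returns direct members only, so a nested group shows up in the members file as a row whose MemberType is a group rather than being flattened; run it again on those IDs if the review needs the transitive set. Custom roles are not in the privileged list, so check any custom role that carries Microsoft.Authorization/* or wildcard actions before treating the PrivilegedBroad column as complete.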

1 additional answer

  1. Q&A Assist
    2026-03-30T16:13:55.6+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For exporting subscription-level role assignments with full principal details, there are two supported approaches in the provided material: using the Azure portal for Azure RBAC roles and using Microsoft Entra ID for directory roles. Both avoid the continuous access evaluation issue seen in custom scripts.

    1. Export Azure RBAC role assignments per subscription in the Azure portal

    This gives all role assignments (built‑in and custom) at a chosen scope, including users, groups, and service principals.

    Steps:

    1. In the Azure portal, go to All services and select the scope:
      • Subscriptions → choose the subscription whose assignments are needed.
    2. Open the subscription and select Access control (IAM).
    3. Select Download role assignments to open the download pane.
    4. Choose which assignments to include:
      • Inherited – include assignments inherited from higher scopes.
      • At current scope – include assignments defined directly on the subscription.
      • Children – include assignments on child resource groups and resources.
    5. Select file format CSV (best for analysis) or JSON.
    6. Provide a file name and select Start.

    The CSV/JSON output contains, for each assignment:

    • Role definition
    • Scope
    • Principal information (user, group, or service principal)
    • Additional metadata

    If directory read permissions are missing (for example, no Directory Readers role), the DisplayName, SignInName, and ObjectType columns will be blank; in that case, grant appropriate directory read permissions and re-export.

    Repeat this for each subscription in the tenant to build a complete inventory of subscription-level Azure RBAC assignments.

    2. Export Microsoft Entra role assignments (directory roles)

    If the requirement also includes Microsoft Entra directory roles (Global Administrator, etc.), these can be exported centrally.

    To export all active directory role assignments across all roles:

    1. In the Microsoft Entra admin center, go to Entra ID > Roles & admins.
    2. On Roles and administrators, select All roles.
    3. Select Download assignments.
    4. Specify a file name and select Start bulk operation.

    A CSV file is downloaded listing all role assignments at all scopes for all directory roles, including the assigned user, group, or service principal.

    To export assignments for a single directory role:

    1. On Roles and administrators, select the specific role.
    2. Select Download assignments (or Export if using PIM experience).
    3. A CSV file is downloaded listing all assignments for that role at all scopes.

    3. Export user and group assignments to service principals (enterprise apps)

    For a tenant-wide view of which users and groups are assigned to enterprise applications (service principals), Microsoft Entra PowerShell can export this to CSV:

    1. Connect with sufficient permissions (for example, Cloud Application Administrator):
         Connect-Entra -Scopes 'Directory.Read.All', 'Application.Read.All'
      
    2. Run the documented script that:
      • Retrieves all service principals.
      • Collects user and group assignments for each service principal.
      • Exports to CSV with service principal name, assigned users, and assigned groups.

    This complements the Azure RBAC export by giving application assignment details for all service principals in the tenant.

    Using these built-in export capabilities avoids the continuous access evaluation challenges that can interrupt long-running custom scripts and provides the requested mapping of subscriptions to role assignments and principals (users, groups, and service principals).
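The enterprise-app half of that inventory, written here as an added example rather than the documented script the answer points to. It assumes the Microsoft Entra PowerShell module and a caller holding Directory.Read.All and Application.Read.All; the cmdlet and property names (Get-EntraServicePrincipal, Get-EntraServicePrincipalAppRoleAssignedTo, AppRoleAssignmentRequired) are the ones I know from that module and should be checked against the installed version. It also records whether each app requires assignment at all, because an enabled app with AppRoleAssignmentRequired set to false can be used by any user in the tenant regardless of what the assignment list says.

```powershell
# Added example, not the answer's documented script. Requires the Microsoft Entra
# PowerShell module; cmdlet and property names are assumed from that module.
Connect-Entra -Scopes 'Directory.Read.All', 'Application.Read.All' | Out-Null

$rows     = [System.Collections.Generic.List[object]]::new()
$openApps = [System.Collections.Generic.List[string]]::new()

# -All pages through every service principal, Microsoft first-party apps included;
# add -Filter (for example on tags) to limit the run to the tenant's own enterprise apps.
foreach ($sp in Get-EntraServicePrincipal -All) {
    if ($sp.AccountEnabled -and -not $sp.AppRoleAssignmentRequired) {
        # Any user in the tenant can sign in to this app; the assignment rows below do
        # not bound who can use it.
        $openApps.Add($sp.DisplayName)
    }

    # appRoleAssignedTo: the users, groups and SPNs assigned to this app (resource side).
    $assigned = Get-EntraServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
    foreach ($x in $assigned) {
        # The all-zero AppRoleId is the implicit default role for apps that define no roles.
        $roleName = if ($x.AppRoleId -eq [guid]::Empty) { "Default Access" } else {
            ($sp.AppRoles | Where-Object Id -eq $x.AppRoleId).DisplayName
        }
        $rows.Add([PSCustomObject]@{
            AppDisplayName       = $sp.DisplayName
            AppId                = $sp.AppId
            ServicePrincipalId   = $sp.Id
            AssignmentRequired   = $sp.AppRoleAssignmentRequired
            AppRole              = $roleName
            PrincipalType        = $x.PrincipalType        # User, Group, ServicePrincipal
            PrincipalDisplayName = $x.PrincipalDisplayName
            PrincipalId          = $x.PrincipalId
            AssignedOn           = $x.CreatedDateTime
        })
    }
}

$out = "C:\Temp\EnterpriseApp_Assignments.csv"
New-Item -ItemType Directory -Path (Split-Path $out) -Force | Out-Null
$rows | Sort-Object AppDisplayName, PrincipalType, PrincipalDisplayName |
    Export-Csv $out -NoTypeInformation

Write-Host "$($rows.Count) assignments across $(($rows | Select-Object -Unique AppId).Count) apps -> $out"
Write-Host "$($openApps.Count) enabled apps do not require assignment:"
$openApps | Sort-Object | ForEach-Object { "  $_" }
```

Group rows are not expanded here: a group assigned to an app covers all of its members, so join the PrincipalId column against a group-membership export if the review needs named users. The "does not require assignment" list is usually the more important output, since those apps are reachable by every account in the tenant and never appear in an assignment-based inventory.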


