Fix role assignment check in cleanup script

jaredfholgate · jaredfholgate · commit 05b61a7ba982 · 2025-12-03T13:10:56.000Z
diff --git a/.github/tests/cleanup-scripts/cleanup_azure_resouces.ps1 b/.github/tests/cleanup-scripts/cleanup_azure_resouces.ps1
@@ -1,5 +1,15 @@
 # This file can be used to clean up Resource Groups if there has been an issue with the End to End tests.
 # CAUTION: Make sure you are connected to the correct subscription before running this script!
+
+# Check for and install the resource-graph extension if not already installed
+$installedExtensions = az extension list --query "[].name" -o tsv
+if ($installedExtensions -notcontains "resource-graph") {
+    Write-Host "Installing Azure CLI resource-graph extension..."
+    az extension add --name resource-graph
+} else {
+    Write-Host "Azure CLI resource-graph extension is already installed."
+}
+
 $managementGroupFilter = "alz-r"
 if($managementGroupFilter -eq "")
 {
@@ -70,13 +80,15 @@ $managementGroups | ForEach-Object -Parallel {
     } -ThrottleLimit 10
 
     $roleDefinitionsFilter = $using:roleDefinitionsFilter
-    $subscriptions = $using:subscriptions
+
     $roleDefinitions = az role definition list --custom-role-only true --scope "/providers/Microsoft.Management/managementGroups/$managementGroup" --query "[].{name:name,roleName:roleName,id:id,assignableScopes:assignableScopes}" -o json  | ConvertFrom-Json | Where-Object { $_.roleName -like "*$roleDefinitionsFilter*" -and $_.assignableScopes -contains "/providers/Microsoft.Management/managementGroups/$managementGroup" }
     $roleDefinitions | ForEach-Object -Parallel {
         $managementGroup = $using:managementGroup
         $roleDefinition = $_
 
-        $roleAssignments = az role assignment list --role $roleDefinition.name --scope "/providers/Microsoft.Management/managementGroups/$managementGroup" --query "[].{id:id,principalName:principalName,principalId:principalId}" -o json | ConvertFrom-Json
+        Write-Host "$($roleDefinition.roleName) - $($managementGroup): Querying role assignments using Resource Graph for role definition $($roleDefinition.name)"
+        $query = "authorizationresources | where type == 'microsoft.authorization/roleassignments' | where properties.roleDefinitionId == '/providers/Microsoft.Authorization/RoleDefinitions/$($roleDefinition.name)' | order by ['name'] asc"
+        $roleAssignments = az graph query -q $query --query "data[].{id:id,principalId:properties.principalId}" -o json | ConvertFrom-Json
         $roleAssignments | ForEach-Object -Parallel {
             $managementGroup = $using:managementGroup
             $roleDefinition = $using:roleDefinition
@@ -85,19 +97,14 @@ $managementGroups | ForEach-Object -Parallel {
             az role assignment delete --ids $roleAssignment.id
         } -ThrottleLimit 10
 
-        foreach ($subscription in $using:subscriptions) {
-            $subscriptionRoleAssignments = az role assignment list --role $roleDefinition.name --subscription $subscription --query "[].{id:id,principalName:principalName,principalId:principalId}" -o json | ConvertFrom-Json
-            $subscriptionRoleAssignments | ForEach-Object -Parallel {
-                $roleDefinition = $using:roleDefinition
-                $subscription = $using:subscription
-                $roleAssignment = $_
-                Write-Host "Deleting role assignment: $($roleAssignment.id) for role definition: $($roleDefinition.roleName) in subscription: $subscription"
-                az role assignment delete --ids $roleAssignment.id
-            } -ThrottleLimit 10
-        }
-
         Write-Host "Deleting custom role definition: $($roleDefinition.roleName) in management group: $managementGroup"
-        az role definition delete --name $roleDefinition.name --scope "/providers/Microsoft.Management/managementGroups/$managementGroup"
+        $result = az role definition delete --name $roleDefinition.name --scope "/providers/Microsoft.Management/managementGroups/$managementGroup" 2>&1
+        if($result -like "*ERROR*")
+        {
+            Write-Warning "Role definition $($roleDefinition.roleName) in management group: $managementGroup could not be deleted...$([Environment]::NewLine)$result"
+        } else {
+            Write-Host "Role definition $($roleDefinition.roleName) in management group: $managementGroup deleted successfully."
+        }
 
     } -ThrottleLimit 10
 } -ThrottleLimit 10
