internal/functions/Get-AzOpsContextPermissionCheck.ps1

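function Get-AzOpsContextPermissionCheck {

    <#
        .SYNOPSIS
            Validates if context has permission specified in validatePermissionList.
        .DESCRIPTION
            Validates if the context principal holds at least one of the actions in validatePermissionList
            at the given scope. Role assignments for the principal at (or inherited into) the scope are
            resolved to their role definitions, and an action counts as granted when it matches an entry in
            Actions (wildcards such as "*" or "Microsoft.Resources/*" are honoured) and does not match an
            entry in NotActions.
        .PARAMETER contextObjectId
            The ObjectId of the Context SPN
        .PARAMETER scope
            Scope of the resource
        .PARAMETER validatePermissionList
            The permission list to perform operation.
        .EXAMPLE
            > Get-AzOpsContextPermissionCheck -contextObjectId $contextObjectId -scope $scope -validatePermissionList $validatePermissionList
            Validates if context contains anyone of permission mentioned in validatePermissionList
        .OUTPUTS
            System.Boolean. $true when any applicable role assignment grants at least one requested action, otherwise $false.
    #>


    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        $contextObjectId,

        [Parameter(Mandatory = $true)]
        $scope,

        [Parameter(Mandatory = $true)]
        $validatePermissionList
    )

    process {
        $roleAssignmentPermissionCheck = $false
        # Azure resource IDs are case-insensitive but String.Contains() is ordinal, so compare the
        # lowercased form on both sides; a canonical ".../resourceGroups/..." scope would otherwise
        # never match "/resourcegroups" while the (already lowercased) assignment scope does.
        $scopeLower = $scope.ToLower()
        $scopeIsResourceGroup = $scopeLower.Contains("/resourcegroups")
        $scopeIsResource = $scopeLower.Contains("/providers")
        $roleAssignmentList = Get-AzRoleAssignment -Scope $scope -WarningAction SilentlyContinue | Where-Object { $_.ObjectId -eq $contextObjectId }
        foreach ($role in $roleAssignmentList) {
            $roleassignmentScope = $role.Scope.ToLower()
            # A resource-group-scoped assignment does not apply to a subscription or management group target.
            if ((-not $scopeIsResourceGroup) -and $roleassignmentScope.Contains("/resourcegroups")) {
                continue
            }
            # For a resource group target, skip assignments scoped to a single resource; management group
            # scopes also contain "/providers" but are inherited, so they are kept.
            if ($scopeIsResourceGroup -and (-not $scopeIsResource)) {
                if ($roleassignmentScope.Contains("/providers") -and (-not $roleassignmentScope.Contains("/microsoft.management/managementgroups"))) {
                    continue
                }
            }
            # The role definition is the same for every requested action: resolve it once per assignment
            # instead of once per (assignment, action) pair.
            $roledefinitionId = $role.RoleDefinitionId.Substring($role.RoleDefinitionId.LastIndexOf('/') + 1)
            $roleDefinition = Get-AzRoleDefinition -Id $roledefinitionId
            if (-not $roleDefinition) {
                continue
            }
            foreach ($item in $validatePermissionList) {
                # -like is case-insensitive and treats "*" as a wildcard, matching how Azure RBAC action
                # strings are evaluated; "*" alone therefore grants every action, as before.
                $granted = @($roleDefinition.Actions | Where-Object { $item -like $_ }).Count -gt 0
                # An action excluded through NotActions is not effectively granted by this role.
                $denied = @($roleDefinition.NotActions | Where-Object { $item -like $_ }).Count -gt 0
                if ($granted -and (-not $denied)) {
                    $roleAssignmentPermissionCheck = $true
                    break
                }
            }
            if ($roleAssignmentPermissionCheck) {
                break
            }
        }
        return $roleAssignmentPermissionCheck
    }
}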