Private/Scanning/Get-MgAssignments.ps1
|
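function Get-MgAssignments {
    <#
    .SYNOPSIS
    Get policy assignments for a specific Management Group.

    .DESCRIPTION
    Retrieves all policy assignments directly assigned to the specified
    Management Group (does not include child MGs or inherited assignments).
    The query is issued as Get-AzPolicyAssignment against the scope
    /providers/Microsoft.Management/managementGroups/<ManagementGroupId>
    and is routed through Invoke-AzCommandWithRetry.

    .PARAMETER ManagementGroupId
    The Management Group ID to query.

    .EXAMPLE
    $assignments = Get-MgAssignments -ManagementGroupId "MyRootMG"

    .OUTPUTS
    Array of policy assignment objects

    .NOTES
    The underlying query runs with -ErrorAction SilentlyContinue, so a failed
    query (for example, missing read permission on the scope) appears to be
    reported the same way as a Management Group with no assignments. Confirm
    how Invoke-AzCommandWithRetry surfaces errors before treating an empty
    result as evidence that no policy is assigned.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ManagementGroupId
    )

    Write-Host " ├─ Scanning assignments at MG level..." -ForegroundColor DarkCyan

    # NOTE(review): $ManagementGroupId is interpolated into the scope path
    # without validation; presumably callers pass IDs obtained from Azure
    # itself. Confirm against callers.
    $scope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"

    # NOTE(review): SilentlyContinue suppresses non-terminating errors inside
    # the script block, so the retry helper may never see a failure to retry
    # or report. Verify against Invoke-AzCommandWithRetry.
    $mgAssignments = Invoke-AzCommandWithRetry -Command {
        Get-AzPolicyAssignment -Scope $scope -ErrorAction SilentlyContinue
    } -OperationName "PolicyAssignment"

    # Track API type (only when the script-level stats object has been set up).
    if ($script:ApiCallStats) {
        $script:ApiCallStats.PolicyAssignmentCalls++
    }

    # Count explicitly instead of reading .Count off the raw result: the result
    # can be $null or a single object, and .Count on either is not reliable
    # when strict mode is enabled.
    $assignmentCount = if ($null -eq $mgAssignments) { 0 } else { @($mgAssignments).Count }
    Write-Host (" │ └─ Found {0} assignments" -f $assignmentCount) -ForegroundColor DarkGray

    return $mgAssignments
}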