.github/workflows/get-assignments-report.yml

name: get-assignments-report
on:
  #schedule:
    #- cron:  '0 8 * * *'  # runs every morning 8am
    #- cron: '5 4 * * 1' # runs at 04:05 on Monday.
  workflow_dispatch:
    inputs:
      remarks:
        description: 'Reason for triggering the workflow run'
        required: false
        default: 'Executing Assignment Report'
jobs:
  get-assignments-report:
    runs-on: ubuntu-latest
    steps:

    - name: Login to Azure
      uses: azure/login@v1
      with:
        creds: ${{secrets.POLICY_COMPLIANCE_SCAN}}
        enable-AzPSSession: true
        allow-no-subscriptions: true
        
    - name: Get Assignments
      uses: azure/powershell@v1
      with:
        azPSVersion: "latest"
        inlineScript: |
          if(-not (Get-Module Az.ResourceGraph -ListAvailable))
          {
            Install-Module Az.ResourceGraph -Scope CurrentUser -Force
          }
          $query = "policyresources
          | where type == 'microsoft.authorization/policyassignments'
          | project AssignmentName = tostring(properties.displayName), policyDefinitionId = tostring(properties.policyDefinitionId), scope = tostring(properties.scope), notScopes = properties.notScopes
          | join kind = leftouter  ( resourcecontainers 
              | project scope = id, ScopeName = name, Scopetype = case(type endswith 'subscriptions', 'Subscription', type endswith 'resourcegroups', 'Resource Group', type endswith 'managementgroups', 'Management Group', 'Root Management Group'))
              on scope
          | join kind = leftouter  ( policyresources 
              | where type == 'microsoft.authorization/policydefinitions' or type == 'microsoft.authorization/policysetdefinitions'
              | project policyDefinitionId = id, PolicyName = properties.displayName, kind, PolicyType = properties.policyType ) 
              on policyDefinitionId
          | project ['Assignment Name'] = AssignmentName, ['Policy Name'] = PolicyName, Kind = case(kind=='policysetdefinitions', 'Initiative', 'Policy'), ['Policy Type'] = PolicyType, Scope = scope, ['Scope Name'] = iff(isempty(ScopeName), 'Tenant Root Group', ScopeName), ['Scope Type'] = iff(isempty(Scopetype), 'Root Management Group', Scopetype), notScopes
          | order by ['Assignment Name'] asc"

          $results = Search-AzGraph -Query $query -UseTenantScope -First 1000
          $results | Select-Object `
                      'Assignment Name', `
                      'Policy Name', `
                      Kind, `
                      'Policy Type', `
                      Scope, `
                      'Scope Name', `
                      'Scope Type', `
                      @{Name='notScopes';Expression={($_.notScopes) -join(" | ")}} `
                      | Export-Csv -Path "./assignmentsReport.csv"

    - name: Upload Artifact
      uses: actions/upload-artifact@v3.1.0
      with:
        name: assignments_report
        path: ./assignmentsReport.csv