Auditing Azure RBAC Assignments

Microsoft Azure, PowerShell

I recently had a need to create a script to generate a report on Azure RBAC role assignments. Given the domain of your Azure AD tenant, the script does a number of things:

  • Reports on which users or AD groups hold which role;
  • Reports the scope that the role applies to (e.g. subscription, resource group or resource);
  • Where the role is assigned to an AD group, uses the function from this blog post to recursively obtain the group members, so nested groups are expanded to the individual accounts that actually hold the role;
  • Reports on whether a user is a Co-Administrator, Service Administrator or Account Administrator (the classic subscription administrator roles, which sit outside RBAC);
  • Reports on whether a user is sourced from your Azure AD tenant or an external directory, or otherwise appears to be an external account.
The account running the script must be able to read role assignments at every scope being reported, i.e. it needs the ‘Microsoft.Authorization/*/read’ action (the built-in Reader role includes this). Expanding group membership additionally requires permission to read users and groups in the Azure AD directory.

The script can either output the results as an array of custom objects or in CSV format, which can then be redirected to a file and manipulated in Excel.

The script could be run as a scheduled task or via Azure Automation if you wanted to run it periodically in an automated fashion. It can also be extended to alert on certain cases, such as when users from outside your Azure AD tenant have access to a subscription, resource group or individual resource. Alerting is not a default feature of the script because, depending on your organisation, you may legitimately have external accounts (e.g. if you’re using 3rd parties to assist you with deploying, building or managing Azure), so what counts as an anomaly is something you need to decide for your own tenant.

The script has been published to my GitHub repo. Hopefully it will be of use to others.
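The following is an added illustration of the report described above and is not the script from the GitHub repo. It assumes the AzureRm module (the Az equivalents are Get-AzRoleAssignment, Get-AzADGroupMember, Get-AzADUser and Set-AzContext) and that Login-AzureRmAccount has already been run with an account that can read role assignments and the directory. The function names, the TenantDomains parameter and the Guest/External/Internal labels are my own choices; it goes slightly beyond the post by accepting a list of verified tenant domains rather than a single one, because a tenant usually has more than one.

```powershell
# Added example, not the post's script. Assumes the AzureRm module and an existing login.

function Get-ScopeType {
    # Classify an RBAC scope string by its shape. Get-AzureRmRoleAssignment returns the
    # scope as an ARM resource ID; switch -Regex is case-insensitive, so 'resourcegroups' also matches.
    param([Parameter(Mandatory)][string]$Scope)
    switch -Regex ($Scope) {
        '^/$'                                                        { return 'Root' }
        '^/providers/Microsoft\.Management/managementGroups/[^/]+$' { return 'ManagementGroup' }
        '^/subscriptions/[^/]+$'                                     { return 'Subscription' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+$'                { return 'ResourceGroup' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/'      { return 'Resource' }
        default                                                      { return 'Unknown' }
    }
}

function Get-GroupMembersRecursive {
    # Flatten nested groups into their non-group members. $Visited guards against circular
    # nesting and against expanding the same group twice. -GroupObjectId wants a single [Guid],
    # so the parameter is typed as one rather than passed through as whatever the caller held.
    param(
        [Parameter(Mandatory)][Guid]$GroupObjectId,
        [System.Collections.Generic.HashSet[Guid]]$Visited = (New-Object 'System.Collections.Generic.HashSet[Guid]')
    )
    if (-not $Visited.Add($GroupObjectId)) { return }
    foreach ($member in Get-AzureRmADGroupMember -GroupObjectId $GroupObjectId) {
        if ($member.Type -eq 'Group') {
            Get-GroupMembersRecursive -GroupObjectId $member.Id -Visited $Visited
        } else {
            $member
        }
    }
}

function Get-AccountSource {
    # Heuristic classification of a UPN against the tenant's verified domains (hypothetical labels):
    # B2B guests carry '#EXT#' in their UPN; any other UPN outside the tenant's domains is 'External'.
    param([string]$UserPrincipalName, [string[]]$TenantDomains)
    if (-not $UserPrincipalName) { return 'Unknown' }
    if ($UserPrincipalName -like '*#EXT#*') { return 'Guest' }
    $domain = ($UserPrincipalName -split '@')[-1]
    if ($TenantDomains -contains $domain) { return 'Internal' }
    return 'External'
}

function Get-RbacReport {
    param(
        # Every verified domain of the tenant, e.g. 'contoso.com','contoso.onmicrosoft.com' (assumed values).
        [Parameter(Mandatory)][string[]]$TenantDomains,
        # Optional: switch to a named subscription; otherwise the current context is used.
        [string]$SubscriptionName
    )
    if ($SubscriptionName) { Set-AzureRmContext -SubscriptionName $SubscriptionName | Out-Null }

    # -IncludeClassicAdministrators adds Co-Administrators and the Service/Account Administrator as
    # pseudo-assignments at subscription scope; their RoleDefinitionName carries the classic role name.
    foreach ($ra in Get-AzureRmRoleAssignment -IncludeClassicAdministrators) {
        if ($ra.ObjectType -eq 'Group') {
            $principals = @(Get-GroupMembersRecursive -GroupObjectId ([Guid]$ra.ObjectId) | ForEach-Object {
                $upn = $_.UserPrincipalName
                if (-not $upn -and $_.Type -eq 'User') { $upn = (Get-AzureRmADUser -ObjectId $_.Id).UserPrincipalName }
                [pscustomobject]@{ Name = $_.DisplayName; Type = $_.Type; Upn = $upn }
            })
        } else {
            $principals = @([pscustomobject]@{ Name = $ra.DisplayName; Type = $ra.ObjectType; Upn = $ra.SignInName })
        }

        foreach ($p in $principals) {
            $source = 'N/A'
            if ($p.Type -eq 'User') { $source = Get-AccountSource -UserPrincipalName $p.Upn -TenantDomains $TenantDomains }
            [pscustomobject]@{
                Role          = $ra.RoleDefinitionName
                Scope         = $ra.Scope
                ScopeType     = Get-ScopeType -Scope $ra.Scope
                AssignedTo    = $ra.DisplayName      # the group or principal the assignment names
                AssignedType  = $ra.ObjectType
                Principal     = $p.Name              # the account that actually ends up with the role
                PrincipalType = $p.Type
                UPN           = $p.Upn
                Source        = $source
            }
        }
    }
}

# Usage: CSV for Excel, or only the rows an alert should fire on.
# Get-RbacReport -TenantDomains 'contoso.com','contoso.onmicrosoft.com' | Export-Csv .\rbac.csv -NoTypeInformation
# Get-RbacReport -TenantDomains 'contoso.com' | Where-Object { $_.Source -in 'Guest','External' }
```

The report emits one row per effective principal rather than per assignment, so a single group assignment at subscription scope fans out into a row for every transitive member, which is the view you want when deciding whether an external account really holds a role. The Source column is a heuristic: a legitimately invited contractor and a forgotten guest look identical, so the filter in the usage comment is a starting point for review, not a verdict.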

3 thoughts on “Auditing Azure RBAC Assignments”

  1. Script seems to no longer function. I get:

    Set-AzureRmContext : Cannot validate argument on parameter ‘Subscription’. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
    At C:\users\lundejd\OneDrive – Ecolab\GitHub\PowerShell\PS_Azure_HybridUse\Get-xAzureRBACRoleAssignments.ps1:108 char:42
    + Set-AzureRmContext -SubscriptionName $SubscriptionName | Out-Null
    + ~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Set-AzureRmContext], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Azure.Commands.Profile.SetAzureRMContextCommand

    or this if I specify a subscription:

    Get-AzureRmADGroupMember : Cannot convert ‘System.Object[]’ to the type ‘System.Guid’ required by parameter ‘GroupObjectId’. Specified method is not supported.
    At C:\users\lun\OneDrive – Ecolab\GitHub\PowerShell\PS_Azure_HybridUse\Get-xAzureRBACRoleAssignments.ps1:72 char:57
    + … opMembers = Get-AzureRmADGroupMember -GroupObjectId $ObjectId | Where …
    + ~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-AzureRmADGroupMember], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.Azure.Commands.ActiveDirectory.GetAzureADGroupMemberCommand
