How to audit an Azure subscription's Role Based Access Control (RBAC) assignments
In the last year it occurred several times that I needed to audit and validate Role Based Access Control (RBAC) assignments for an Azure subscription. What is available in the portal doesn't help much: you can view assignments, but you cannot export them, nor can you expand group membership to see which users actually hold a role. You'll need a lot of clicks here and there to fulfill this kind of quest.
Setup information
You'll need Azure PowerShell in order to use the script of this article.
- AzureRM.Resources module v5.x or v6.x
- Audit Azure subscription RBAC assignments script from ScriptCenter
Prepare for the audit
Open a PowerShell shell, log into Azure and select the subscription you want to audit. Here is an example of how to do so:
Login-AzureRmAccount
Set-AzureRmContext -Subscription 'Your Subscription'
Perform a non-grouped audit
$rbacAudit = .\Invoke-AzureRmSubscriptionRBACAudit.ps1
#output the result as is
$rbacAudit
Id : 4506482f-23a0-4820-850b-06219f704739
DisplayName : FirstName1 LastName1
ParentGroup : {Id, DisplayName}
RoleDefinitionName : Reader
Scope : /subscriptions/11111111-1111-1111-1111-111111111111
CanDelegate : False
Id : dc37e4bd-1811-4b5e-ba5e-1322ff5ac29d
DisplayName : FirstName2 LastName2
ParentGroup : {Id, DisplayName}
RoleDefinitionName : Owner
Scope : /subscriptions/11111111-1111-1111-1111-111111111111
CanDelegate : False
Id : 8a173eb5-52a4-4a5b-b6ae-aefc3dac7489
DisplayName : FirstName3 LastName3
ParentGroup : {Id, DisplayName}
RoleDefinitionName : Reader
Scope : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/stg
CanDelegate : False
Id : 4e13ae9c-7e3b-49e4-a49e-e81c2dd21151
DisplayName : FirstName4 LastName4
ParentGroup : {Id, DisplayName}
RoleDefinitionName : Contributor
Scope : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/stg/providers/Microsoft.Insights/components/stg-ai-app-qjkgqezdtfjr4
CanDelegate : False
[Optional] Output the result as JSON and save it to disk for later use
$rbacAudit | ConvertTo-Json -Depth 5 | Out-File .\rbacAudit.json
# you'll end up with a JSON file in this format
[
{
"Id": "4506482f-23a0-4820-850b-06219f704739",
"DisplayName": "FirstName1 LastName1",
"ParentGroup": {
"Id": "9cb7e0c1-0513-441b-b484-8b55761694fe",
"DisplayName": "SecurityGroupName1"
},
"RoleDefinitionName": "Reader",
"Scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
"CanDelegate": false
},
...
]
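The ScriptCenter script itself is not reproduced on this page. As an added example (not the author's script), the following function shows the core of what such an audit has to do with the AzureRM.Resources cmdlets named above: list every role assignment in the subscription of the current context, expand group principals (nested groups included) down to their members, and emit one row per principal, role and scope in the same shape as the output shown earlier. The function name, the `MaxDepth` parameter and the `Get-FlattenedRbacAssignment` helper are assumptions of this example. It expects that `Login-AzureRmAccount` and `Set-AzureRmContext` have already been run.

```powershell
# Added example, not the ScriptCenter script. Requires AzureRM.Resources (v5.x/v6.x)
# and an active Login-AzureRmAccount session positioned on the target subscription.
function Get-FlattenedRbacAssignment {
    [CmdletBinding()]
    param(
        # Assumed parameter: how many levels of nested groups to follow.
        # Bounds the recursion even if group membership forms a cycle.
        [int]$MaxDepth = 5
    )

    # Recursively expand one group into its user / service principal members.
    # $Seen prevents visiting the same group twice (nested or cyclic membership).
    function Expand-Group {
        param(
            [string]$GroupId,
            [string]$GroupName,
            [int]$Depth,
            [System.Collections.Generic.HashSet[string]]$Seen
        )
        if ($Depth -gt $MaxDepth -or -not $Seen.Add($GroupId)) { return }

        # Get-AzureRmADGroupMember returns direct members only; nested groups
        # come back with Type 'Group' and are expanded one level deeper.
        foreach ($member in Get-AzureRmADGroupMember -GroupObjectId $GroupId) {
            if ($member.Type -eq 'Group') {
                Expand-Group -GroupId $member.Id -GroupName $member.DisplayName `
                             -Depth ($Depth + 1) -Seen $Seen
            } else {
                [pscustomobject]@{
                    Id          = [string]$member.Id
                    DisplayName = $member.DisplayName
                    # The group through which this principal inherits the role
                    ParentGroup = [pscustomobject]@{ Id = $GroupId; DisplayName = $GroupName }
                }
            }
        }
    }

    # With no -Scope, the cmdlet lists every assignment in the context's subscription,
    # including those on resource groups and individual resources.
    # -IncludeClassicAdministrators adds the legacy Account/Service Administrator entries.
    foreach ($assignment in Get-AzureRmRoleAssignment -IncludeClassicAdministrators) {
        $principals = if ($assignment.ObjectType -eq 'Group') {
            Expand-Group -GroupId $assignment.ObjectId -GroupName $assignment.DisplayName `
                         -Depth 1 -Seen ([System.Collections.Generic.HashSet[string]]::new())
        } else {
            # Direct assignment to a user or service principal: no parent group
            [pscustomobject]@{
                Id          = [string]$assignment.ObjectId
                DisplayName = $assignment.DisplayName
                ParentGroup = $null
            }
        }

        foreach ($p in $principals) {
            [pscustomobject]@{
                Id                 = $p.Id
                DisplayName        = $p.DisplayName
                ParentGroup        = $p.ParentGroup
                RoleDefinitionName = $assignment.RoleDefinitionName
                Scope              = $assignment.Scope
                CanDelegate        = $assignment.CanDelegate
            }
        }
    }
}

# Same flow as the article: collect, then keep a JSON copy for later review.
$rbacAudit = Get-FlattenedRbacAssignment
$rbacAudit | ConvertTo-Json -Depth 5 | Out-File .\rbacAudit.json
```

Flattening is what makes the export auditable: a single "Owner" assignment to a group becomes one row per member, so the reviewer sees the real set of identities behind each role rather than a group name. Keeping `ParentGroup` on every row preserves the path by which the role was inherited, which is what you need when deciding whether to fix the group membership or the assignment itself.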
Perform an audit grouped by users
Another way to invoke the script is with the -GroupRolesByUser switch. It groups all assignments for each user, giving you a view like the one below:
$rbacAuditGroupedByUser = .\Invoke-AzureRmSubscriptionRBACAudit.ps1 -GroupRolesByUser
#output the result as is
$rbacAuditGroupedByUser
Count Name RoleDefinitions ParentGroup
----- ---- --------------- -----------
2 FirstName1 LastName1 Contributor, Reader
1 azure-test@mycompany.com AccountAdministrator
1 FirstName2 LastName2 Owner
4 FirstName3 LastName3 Contributor, Reader, Owner, Owner
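Once the JSON export exists, the grouped view can be rebuilt and extended offline, without another round trip to Azure. The following is an added example (not part of the ScriptCenter script) that reads the `rbacAudit.json` file saved earlier, groups assignments per principal as the -GroupRolesByUser view does, and adds the two flags a reviewer usually wants first: whether the principal holds a privileged role, and whether any of its assignments sit at subscription scope rather than on a resource group or resource. The function name, the `$privilegedRoles` list and the `Privileged` / `SubscriptionWide` columns are assumptions of this example. As in the grouped output above, the same role can appear more than once when a principal holds it at several scopes or through several groups; this summary collapses those to one entry per role name.

```powershell
# Added example, not the ScriptCenter script. Works purely on the JSON exported
# earlier with: $rbacAudit | ConvertTo-Json -Depth 5 | Out-File .\rbacAudit.json

# Assumed list of roles that warrant review first. Owner and User Access
# Administrator can grant roles to others; the two classic roles are
# subscription-wide by definition.
$privilegedRoles = @('Owner', 'User Access Administrator',
                     'AccountAdministrator', 'ServiceAdministrator')

function Get-RbacReviewSummary {
    param([string]$Path = '.\rbacAudit.json')

    $assignments = Get-Content -Raw -Path $Path | ConvertFrom-Json

    $assignments | Group-Object -Property DisplayName | ForEach-Object {
        $rows = $_.Group
        [pscustomobject]@{
            Name             = $_.Name
            Count            = $_.Count
            # One entry per role name, even if the role was reached twice
            RoleDefinitions  = ($rows.RoleDefinitionName | Sort-Object -Unique) -join ', '
            # Groups through which any of the roles were inherited (empty = direct only)
            ParentGroups     = ($rows.ParentGroup.DisplayName |
                                    Where-Object { $_ } | Sort-Object -Unique) -join ', '
            Privileged       = [bool]($rows | Where-Object {
                                    $privilegedRoles -contains $_.RoleDefinitionName })
            # A scope without '/resourceGroups/' is the subscription itself
            # (or inherited from above it)
            SubscriptionWide = [bool]($rows | Where-Object {
                                    $_.Scope -notmatch '/resourceGroups/' })
        }
    }
}

$summary = Get-RbacReviewSummary

# Highest-risk principals first
$summary | Sort-Object Privileged, SubscriptionWide -Descending | Format-Table -AutoSize

# Review queue: privileged roles granted directly to a principal rather than via a
# group, since those bypass whatever membership review the groups receive.
$summary | Where-Object { $_.Privileged -and -not $_.ParentGroups }
```

Working from the saved file also gives you a point-in-time snapshot: running the export on a schedule and diffing two `rbacAudit.json` files shows exactly which assignments appeared or disappeared between audits.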
Conclusion
If you need to perform an audit in the future, you now have another tool in your tool belt!
You can download the Audit Azure subscription RBAC assignments script (for free) from Microsoft Script Center.