How to audit an Azure subscription Role Based Access Control (RBAC) assignments

Several times in the last year I needed to audit and validate the Role Based Access Control (RBAC) assignments of an Azure subscription. What is available in the portal doesn't help much: you can view assignments there, but the list is not exportable, nor can you expand group membership. Fulfilling this kind of quest takes a lot of clicks here and there.

Setup information

You'll need Azure PowerShell in order to use the script from this article.

  • AzureRM.Resources module v5.x or v6.x
  • Audit Azure subscription RBAC assignments script from ScriptCenter

Prepare for the audit

Open a PowerShell shell, log into Azure and set the context to the desired subscription; here is an example of how to do so:

Login-AzureRmAccount

Set-AzureRmContext -Subscription 'Your Subscription'

Perform a non-grouped audit

$rbacAudit = .\Invoke-AzureRmSubscriptionRBACAudit.ps1 

#output the result as is
$rbacAudit

Id                 : 4506482f-23a0-4820-850b-06219f704739
DisplayName        : FirstName1 LastName1
ParentGroup        : {Id, DisplayName}
RoleDefinitionName : Reader
Scope              : /subscriptions/11111111-1111-1111-1111-111111111111
CanDelegate        : False

Id                 : dc37e4bd-1811-4b5e-ba5e-1322ff5ac29d
DisplayName        : FirstName2 LastName2
ParentGroup        : {Id, DisplayName}
RoleDefinitionName : Owner
Scope              : /subscriptions/11111111-1111-1111-1111-111111111111
CanDelegate        : False

Id                 : 8a173eb5-52a4-4a5b-b6ae-aefc3dac7489
DisplayName        : FirstName3 LastName3
ParentGroup        : {Id, DisplayName}
RoleDefinitionName : Reader
Scope              : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/stg
CanDelegate        : False

Id                 : 4e13ae9c-7e3b-49e4-a49e-e81c2dd21151
DisplayName        : FirstName4 LastName4
ParentGroup        : {Id, DisplayName}
RoleDefinitionName : Contributor
Scope              : /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/stg/providers/Microsoft.Insights/components/stg-ai-app-qjkgqezdtfjr4
CanDelegate        : False

[Optional] Output the result as JSON and save it to disk for later use

$rbacAudit | ConvertTo-Json -Depth 5 | Out-File .\rbacAudit.json

# you'll end up with a JSON file in this format
[
    {
        "Id":  "4506482f-23a0-4820-850b-06219f704739",
        "DisplayName":  "FirstName1 LastName1",
        "ParentGroup":  {
                            "Id":  "9cb7e0c1-0513-441b-b484-8b55761694fe",
                            "DisplayName":  "SecurityGroupName1"
                        },
        "RoleDefinitionName":  "Reader",
        "Scope":  "/subscriptions/11111111-1111-1111-1111-111111111111",
        "CanDelegate":  false
    },
    ...
]

Perform an audit grouped by users

Another way to invoke the script is with the -GroupRolesByUser switch, which groups all assignments per user and gives you a view like the one below:

$rbacAuditGroupedByUser = .\Invoke-AzureRmSubscriptionRBACAudit.ps1 -GroupRolesByUser

#output the result as is
$rbacAuditGroupedByUser

Count Name                         RoleDefinitions                ParentGroup
----- ----                         ---------------                -----------
    2 FirstName1 LastName1         Contributor, Reader
    1 azure-test@mycompany.com     AccountAdministrator
    1 FirstName2 LastName2         Owner
    4 FirstName3 LastName3         Contributor, Reader, Owner, Owner
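The JSON export above and the grouped-by-user view are the two things a reviewer usually wants to combine: which principal holds which roles, and which of those assignments deserve a second look. The following added example (not part of the script or the original post) reads a file in the export's format and does both; the sample rows are constructed, ParentGroup being null for a direct assignment is an assumption, and the set of roles treated as privileged is my own choice.

```python
import json
from collections import defaultdict

# Roles that grant write or permission-management rights; a reviewer looks at these first.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample in the shape of the script's JSON export (rbacAudit.json); not real data.
# ParentGroup = null for a direct assignment is an assumption; the page only shows group-derived rows.
SAMPLE_JSON = """[
  {"Id": "4506482f-23a0-4820-850b-06219f704739", "DisplayName": "FirstName1 LastName1",
   "ParentGroup": {"Id": "9cb7e0c1-0513-441b-b484-8b55761694fe", "DisplayName": "SecurityGroupName1"},
   "RoleDefinitionName": "Reader", "Scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
   "CanDelegate": false},
  {"Id": "dc37e4bd-1811-4b5e-ba5e-1322ff5ac29d", "DisplayName": "FirstName2 LastName2",
   "ParentGroup": null, "RoleDefinitionName": "Owner",
   "Scope": "/subscriptions/11111111-1111-1111-1111-111111111111", "CanDelegate": false},
  {"Id": "4e13ae9c-7e3b-49e4-a49e-e81c2dd21151", "DisplayName": "FirstName4 LastName4",
   "ParentGroup": null, "RoleDefinitionName": "Contributor",
   "Scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/stg", "CanDelegate": true}
]"""

def load_assignments(text):
    # Parse the text written by ConvertTo-Json (a list of assignment objects).
    return json.loads(text)

def is_subscription_scope(scope):
    # "/subscriptions/<id>" has exactly two path segments; anything deeper is a resource group or resource.
    return len(scope.strip("/").split("/")) == 2

def roles_by_user(assignments):
    # Same view as -GroupRolesByUser: every role per principal, duplicates kept so they stand out.
    grouped = defaultdict(list)
    for a in assignments:
        grouped[a["DisplayName"]].append(a["RoleDefinitionName"])
    return dict(grouped)

def find_review_items(assignments):
    # Each finding is (DisplayName, reason): privileged role on the whole subscription, or delegable.
    findings = []
    for a in assignments:
        role, scope = a["RoleDefinitionName"], a["Scope"]
        via = a["ParentGroup"]["DisplayName"] if a.get("ParentGroup") else "direct"
        if role in PRIVILEGED_ROLES and is_subscription_scope(scope):
            findings.append((a["DisplayName"], f"{role} on whole subscription via {via}"))
        if a.get("CanDelegate"):
            findings.append((a["DisplayName"], f"{role} can be delegated at {scope}"))
    return findings

if __name__ == "__main__":  # for a real export: load_assignments(open("rbacAudit.json").read())
    print(roles_by_user(load_assignments(SAMPLE_JSON)), find_review_items(load_assignments(SAMPLE_JSON)))
```

On the constructed sample this reports the direct Owner assignment on the subscription and the delegable Contributor on the stg resource group, while the group-inherited Reader is left alone.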

Conclusion

If you need to perform an audit in the future, you now have another tool in your tool belt!

You can download the Audit Azure subscription RBAC assignments script (for free) from Microsoft Script Center.

References