Orphaned Role Assignments

Problem Statement

Orphaned role assignments are a common occurrence in Azure. How does this happen? When a user or service principal in Entra ID that has a direct role assignment on an Azure resource is deleted, the role assignment is not automatically removed. Orphaned role assignments in Azure can occur for a couple of reasons:

  • If a user, group, or service principal that had a role assignment is deleted, the role assignment remains but becomes orphaned because the principal no longer exists.
  • When policies that create managed identities are deleted, the associated role assignments might not be cleaned up, leaving orphaned assignments.
  • When Managed Identities are deleted, the associated role assignments might not be cleaned up, leaving orphaned assignments.

The Solution

The solution to this problem is to identify and remove orphaned role assignments in Azure. This can be done by running a script that identifies and removes them. You might be tempted to use a simple one-liner like the one below to remove the orphaned role assignments, but this needs to be done with caution because it can have unintended consequences.

Get-AzRoleAssignment | Where-Object { $_.ObjectType -eq "Unknown" } | Remove-AzRoleAssignment

WARNING: Please ensure that you have the necessary permissions to remove role assignments before running the cleanup script. The running context of the script requires both the User Access Administrator role at the subscription scope and the Directory Reader permission on the Entra ID tenant. Without the latter permission, every principal is reported with an ObjectType of "Unknown", so the one-liner above will likely remove all role assignments in the subscription.

Prerequisites

To remove orphaned role assignments in Azure using the following script you need the following:

  • The running context requires both the User Access Administrator role at the subscription scope and the Directory Reader permission on the Entra ID tenant.
  • If you are running it locally you need to have PowerShell 7 installed.
  • You need to have the Azure PowerShell module installed. The following commands can be used to install PowerShell 7 and the Azure PowerShell module:

# Install PowerShell 7
winget install microsoft.powershell
# Install Azure PowerShell module
Install-Module -Name Az -AllowClobber -Scope CurrentUser

The cleanup script

The following cleanup script can be used to clean up orphaned role assignments in Azure subscriptions. It first checks whether any role assignments exist whose object type is not "Unknown" and sets a variable to determine whether the cleanup should proceed. If none exist, the running context is most likely missing the Directory Reader permission and every principal is being reported as "Unknown"; the script then stops, which prevents the removal of all role assignments in the subscription. If the variable is set to true, it removes all role assignments whose object type is "Unknown".

# Get a list of all role assignments in the current subscription context:
$roleAssignments = Get-AzRoleAssignment
# Safety check: if every principal resolves as "Unknown", the context cannot read
# Entra ID and deleting "Unknown" assignments would wipe every assignment.
if ($roleAssignments | Where-Object { $_.ObjectType -ne "Unknown" }) {
    Write-Host "Role assignments with object type other than 'Unknown' exist." -ForegroundColor Cyan
    $runCleanup = $true
}
else {
    Write-Warning "No role assignments with object type other than 'Unknown' exist. The context running this automation might be missing the Directory Reader permission."
    $runCleanup = $false
}
# If the runCleanup variable is set to true, remove all role assignments where the object type is unknown:
if ($runCleanup) {
    try {
        # Get a list of all role assignments where the object type is unknown:
        $unknownRoleAssignments = $roleAssignments | Where-Object { $_.ObjectType -eq "Unknown" }
        Write-Host "Cleaning up the following role assignments:"
        $unknownRoleAssignments | Format-Table RoleDefinitionName, ObjectId, Scope
        # -ErrorAction Stop turns the cmdlet's non-terminating errors into terminating
        # ones so that the catch block below actually runs on failure.
        $unknownRoleAssignments | Remove-AzRoleAssignment -ErrorAction Stop
        Write-Host "All unknown role assignments have been removed." -ForegroundColor Green
    }
    catch {
        Write-Error "An error occurred while removing the unknown role assignments: $($_.Exception.Message)"
    }
    finally {
        Write-Host "The cleanup process has completed."
    }
}
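The following is an added example, not the script from this post, that wraps the same approach in a function with the safeguards a practitioner would want before deleting anything: it verifies up front that the context can actually read Entra ID objects (the failure mode the warning above describes), restricts itself to assignments that live at or below the current subscription so that assignments inherited from a management group are left alone, writes a CSV record of what it is about to remove, and supports -WhatIf and -Confirm so the first run is a dry run. It assumes the Az module is installed and Connect-AzAccount has already been run; the function names, the CSV path and the use of Get-AzADServicePrincipal as the directory-read probe are choices made here, not something the original post prescribes.

```powershell
# Added example (not the original post's script). Assumes the Az module is
# installed and Connect-AzAccount has been run against the target subscription.

function Test-DirectoryReadAccess {
    # Returns $true when the running context can resolve Entra ID objects.
    # Without Directory Reader every principal is reported as ObjectType "Unknown",
    # which is exactly what makes the bare one-liner dangerous.
    try {
        $null = Get-AzADServicePrincipal -First 1 -ErrorAction Stop
        return $true
    }
    catch {
        return $false
    }
}

function Remove-OrphanedRoleAssignment {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string] $SubscriptionId = (Get-AzContext).Subscription.Id,
        # Hypothetical report location; adjust to suit your environment.
        [string] $ReportPath = ".\orphaned-role-assignments-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
    )

    if (-not (Test-DirectoryReadAccess)) {
        throw "Cannot read Entra ID objects in this context; refusing to run because every assignment would look orphaned."
    }

    $subscriptionScope = "/subscriptions/$SubscriptionId"

    # Get-AzRoleAssignment also returns assignments inherited from management groups.
    # Only assignments at or below this subscription are candidates for removal.
    $assignments = Get-AzRoleAssignment | Where-Object {
        $_.Scope -eq $subscriptionScope -or $_.Scope -like "$subscriptionScope/*"
    }
    $resolved = @($assignments | Where-Object { $_.ObjectType -ne 'Unknown' })
    $orphans  = @($assignments | Where-Object { $_.ObjectType -eq 'Unknown' })

    # Second safety stop: a subscription with no resolvable principal at all is far
    # more likely a permissions problem than a subscription full of orphans.
    if ($resolved.Count -eq 0) {
        throw "No resolvable principals found under $subscriptionScope; aborting."
    }
    if ($orphans.Count -eq 0) {
        Write-Host "No orphaned role assignments found under $subscriptionScope." -ForegroundColor Green
        return
    }

    # Record principal id, role and scope before deleting, so the change can be
    # audited or reverted with New-AzRoleAssignment if it turns out to be wrong.
    # -WhatIf:$false keeps the report even during a dry run.
    $orphans |
        Select-Object ObjectId, RoleDefinitionName, Scope, RoleAssignmentId |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false
    Write-Host "Found $($orphans.Count) orphaned assignment(s); report written to $ReportPath" -ForegroundColor Cyan

    foreach ($assignment in $orphans) {
        $target = "$($assignment.RoleDefinitionName) for $($assignment.ObjectId) at $($assignment.Scope)"
        # ShouldProcess honours -WhatIf (prints only) and -Confirm (prompts per item).
        if ($PSCmdlet.ShouldProcess($target, 'Remove role assignment')) {
            try {
                # -InputObject removes by RoleAssignmentId, so no principal lookup is needed.
                Remove-AzRoleAssignment -InputObject $assignment -ErrorAction Stop
                Write-Host "Removed: $target" -ForegroundColor Green
            }
            catch {
                Write-Error "Failed to remove $target : $($_.Exception.Message)"
            }
        }
    }
}

# Dry run first: lists every assignment that would be removed without touching anything.
Remove-OrphanedRoleAssignment -WhatIf
# Real run, prompting for each removal because ConfirmImpact is High:
# Remove-OrphanedRoleAssignment
```

Because ConfirmImpact is set to High, a plain call prompts for each removal; pass -Confirm:$false only from automation that has already reviewed the CSV report from a previous dry run. The scope filter is deliberately strict: an assignment whose Scope is a management group is inherited, and removing it from within one subscription would change access for every subscription under that group.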

Conclusion

Cleaning up orphaned role assignments in Azure will help you maintain a clean and secure environment and reduce management complexity.