We are excited to announce support for Azure RBAC resources in Azure Resource Graph (ARG) via the AuthorizationResources table! You can query your Role Assignments, Role Definitions, and Classic Admins resources. With this table, you can quickly answer questions such as "how many principals use a given role definition?", "how many role assignments exist?", or "how many role definitions are actually in use?". You can then act on the results to clean up unused role definitions, remove redundant role assignments, or optimize your existing role assignments using AAD groups. With Classic Admins set to be deprecated in August 2024, you can use ARG to inventory your Classic Admins and convert them to Role Assignments. We have shared scenarios and queries below to get started. You can try these queries out in the Azure Portal via the Resource Graph Explorer (tutorial). Keep in mind that ARG only returns resources that the querying identity has read access to, so run these queries with an identity that can read every subscription you intend to audit; otherwise a role definition or assignment can look unused simply because you cannot see it.
This is just the first part of our AuthorizationResources journey. We want to build features that make your security, compliance, and audit scenarios possible, which is why we would greatly appreciate your feedback and the opportunity to collaborate here. We look forward to working with you as we build out AuthorizationResources capabilities.
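One way to take an inventory of Classic Admins ahead of the deprecation is the query below. It is an added example, not a query from the original post. It assumes that classicadministrators records in ARG expose properties.emailAddress and properties.role (as the REST API does) and that the Owner built-in role has the definition ID 8e3af657-a8ff-443c-a75c-2fe8c4bcb635. ARG does not carry the Classic Admin's Entra ID object ID, so the query reports whether each subscription has any Owner role assignment directly at subscription scope, not whether that particular person already holds one; matching the e-mail address to a principal has to be done in Entra ID.

```kql
// Added example (not from the original post): inventory Classic Admins and flag
// subscriptions that have no Owner role assignment at subscription scope.
// Assumptions: classicadministrators records carry properties.emailAddress and
// properties.role; Owner built-in role ID = 8e3af657-a8ff-443c-a75c-2fe8c4bcb635.
AuthorizationResources
| where type =~ 'microsoft.authorization/classicadministrators'
| extend emailAddress = tostring(properties.emailAddress),
         classicRole = tostring(properties.role)
| join kind=leftouter (
    AuthorizationResources
    | where type =~ 'microsoft.authorization/roleassignments'
    | extend roleDefinitionId = tolower(tostring(properties.roleDefinitionId)),
             scope = tolower(tostring(properties.scope))
    // Owner assigned directly at the subscription scope; assignments inherited
    // from a management group are deliberately not counted here
    | where roleDefinitionId endswith '/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
    | where scope == tolower(strcat('/subscriptions/', subscriptionId))
    | summarize ownerAssignmentsAtSubscription = count() by subscriptionId
) on subscriptionId
// leftouter join leaves the count null where no Owner assignment matched
| extend ownerAssignmentsAtSubscription = iff(isnull(ownerAssignmentsAtSubscription), 0, ownerAssignmentsAtSubscription)
| project subscriptionId, emailAddress, classicRole, ownerAssignmentsAtSubscription
| order by ownerAssignmentsAtSubscription asc, subscriptionId asc
```

Subscriptions that appear with ownerAssignmentsAtSubscription = 0 are the ones to handle first: once the Classic Admin is removed, nobody would hold Owner directly on that subscription unless an assignment is inherited from a management group.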
Scenario 1: Getting Started
You can use the AuthorizationResources table to understand how many users and service principals are using each role definition. The query below does that and serves as a starting point for understanding the schema of AuthorizationResources so you can explore its potential. The join pulls in the role name and role type from the role definition so the output is readable without looking up GUIDs, and dcount(principalId) gives the number of distinct principals as opposed to the raw number of assignments.
AuthorizationResources
| where type =~ 'microsoft.authorization/roleassignments'
| extend principalType = tostring(properties['principalType'])
| extend principalId = tostring(properties['principalId'])
| extend roleDefinitionId = tolower(tostring(properties['roleDefinitionId']))
| join kind=inner (
    AuthorizationResources
    | where type =~ 'microsoft.authorization/roledefinitions'
    | extend id = tolower(id)
    // keep only what the outer query needs from the role definition
    | project id, roleName = tostring(properties['roleName']), roleType = tostring(properties['type'])
) on $left.roleDefinitionId == $right.id
| summarize assignmentCount = count(), principalCount = dcount(principalId) by roleDefinitionId, roleName, roleType, principalType
| where assignmentCount > 1
| sort by assignmentCount desc
Scenario 2: Cleaning Up Redundant Role Assignments
Azure supports up to 4000 role assignments per subscription. If you have hit the 'No more role assignments can be created (code: RoleAssignmentLimitExceeded)' error, we recommend using the two-part queries (see the tutorial linked below) to identify role assignments that can be removed. These queries let you determine where multiple role assignments can be replaced with a single role assignment, either at a higher scope or to a security group. Before removing an assignment, confirm that the replacement assignment is already in place and that the principal does not also rely on the narrower scope for some other role. You can see the detailed tutorial on how to do this here.
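The tutorial's two-part queries are not reproduced on this page. As an added example, not the tutorial's own queries, the two queries below find the two kinds of consolidation candidate the text describes: the same principal holding the same role at several scopes inside one subscription (replaceable by one assignment at the subscription or resource-group scope), and many individual users holding the same role at the same scope (replaceable by one assignment to a security group). They assume the standard ARG subscriptionId column is populated for role assignments at or below subscription scope; assignments at management-group scope are skipped in part 1. Run each part separately in Resource Graph Explorer.

```kql
// Added example, not the tutorial's own queries.
// Part 1: same principal + same role assigned at more than one scope in one subscription.
AuthorizationResources
| where type =~ 'microsoft.authorization/roleassignments'
| extend principalId = tostring(properties.principalId),
         principalType = tostring(properties.principalType),
         roleDefinitionId = tolower(tostring(properties.roleDefinitionId)),
         scope = tolower(tostring(properties.scope))
| where scope startswith '/subscriptions/'   // skip management-group scoped assignments
| summarize assignmentCount = count(), scopes = make_set(scope)
    by subscriptionId, principalId, principalType, roleDefinitionId
| where assignmentCount > 1
| order by assignmentCount desc

// Part 2: one scope + one role assigned to several individual users, a candidate for a
// single assignment to an AAD security group. The threshold of 3 is an arbitrary choice.
AuthorizationResources
| where type =~ 'microsoft.authorization/roleassignments'
| extend principalId = tostring(properties.principalId),
         principalType = tostring(properties.principalType),
         roleDefinitionId = tolower(tostring(properties.roleDefinitionId)),
         scope = tolower(tostring(properties.scope))
| where principalType == 'User'
| summarize userCount = dcount(principalId), users = make_set(principalId)
    by scope, roleDefinitionId
| where userCount >= 3
| order by userCount desc
```

Part 1 lists every scope the principal holds the role at, so you can check that the scopes really nest under a common parent before replacing them with one higher-scope assignment; two assignments on unrelated resource groups are not a consolidation candidate. Part 2 deliberately restricts itself to users, since service principals and managed identities are usually assigned individually on purpose.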
Scenario 3: Cleaning Up Unused Role Definitions
Additionally, Azure supports up to 5000 custom roles in a directory. If you have hit the 'Role definition limit exceeded. No more role definitions can be created (code: RoleDefinitionLimitExceeded)' error, we recommend using the query below to find custom role definitions that have no role assignments, which makes them candidates for removal. Built-in roles are excluded because they cannot be deleted. You can see a detailed step-by-step tutorial on this scenario here.
AuthorizationResources
| where type =~ "microsoft.authorization/roledefinitions"
| where tolower(tostring(properties.type)) == "customrole"   // custom roles only; built-in roles cannot be deleted
| extend rdId = tolower(id)
| extend Scope = properties.assignableScopes                // dynamic array of scopes, kept as-is rather than lowercased as a string
| join kind = leftouter (
    AuthorizationResources
    | where type =~ "microsoft.authorization/roleassignments"
    | extend RoleId = tolower(tostring(properties.roleDefinitionId))
    | summarize RoleAssignmentCount = count() by RoleId
) on $left.rdId == $right.RoleId
| where isnull(RoleAssignmentCount)                         // leftouter join leaves the count null for definitions with no assignments
| project RoleDefinitionId = rdId, RoleDefinitionName = tostring(properties.roleName), Scope
More information about Azure RBAC limits can be found here.
Thank you, and happy querying!