question

asemencha asked JamesTran-MSFT commented

How can I remove duplicate role assignments in subscriptions?

How can I remove duplicate role assignments in subscriptions?
I have a few scopes: inherited (subscription) and "This resource".
How can I best remove duplicates that have the scope "This resource" or an inherited scope?
How can I recognize these scopes?

azure-rbac

1 Answer

JamesTran-MSFT answered JamesTran-MSFT commented

@asemencha
Thank you for your post!

When it comes to the different scopes used within Azure RBAC, you can remove an inherited role by selecting the hyperlinked scope and removing the role from IAM there. For example, if you're in a Resource Group's IAM, you might see Management Group (Inherited), or Subscription (Inherited), you can select the hyperlink for the specific scope, go to IAM, and remove the role.

Note: Please keep in mind when removing IAM roles that the user you're removing doesn't need that specific role at that scope, e.g. Owner at the Subscription level.

[Attachment: removeiam.gif, animation of removing an inherited role from the parent scope's IAM blade]

To better help with role assignments, I'd recommend referencing our Azure RBAC Best Practices documentation, specifically the Assign roles to groups, not users section, which talks about assigning roles to groups.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.



Hello, James!

Thank you for your answer! I will review best practices for Azure RBAC.
Also, I would like to know how I can do it through PowerShell.
I guess I didn't give some important information in the initial question.
I have a lot of subscriptions with duplicated role assignments, where they have two scopes: inherited and "This resource".
I'd like to remove them with PowerShell, but I'm not sure about the output of the cmdlet Get-AzRoleAssignment.
Unfortunately, I can't understand and recognize which role is inherited or "This resource".

0 Votes 0 ·

@asemencha
Thank you for the quick follow up!

As you mentioned, you can use the Get-AzRoleAssignment PowerShell command to get role assignments. In order to read the output you can break it down into sections.

 <#
 -I'm using this PS command to return all role assignments for a given resource group (i.e. VirtualMachines).
 -Since I'm looking for role assignments at the Resource Group level, any scope outside of "/subscriptions/(subscriptionID)/resourceGroups/VirtualMachines" will be Inherited.
 #>
 Get-AzRoleAssignment -ResourceGroupName "VirtualMachines"

Scope: This will typically be at the top of the role assignment output.

  • "/" will be used for the root management group scope.

  • "/providers/Microsoft.Management/managementGroups/..." will be a role assignment assigned to the management group level.

  • "/subscriptions/..." is a subscription level role.

  • "/subscriptions/<subscriptionID>/resourceGroups/VirtualMachines" will be the specific resource group level.

I hope this helps!

1 Vote 1 ·
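The scope rules in the comment above can be turned into a script. The following is an added example for this thread, not code from the answer or from Microsoft. It assumes the Az.Resources module is installed and Connect-AzAccount has been run with the context set to the subscription that holds the resource group; the resource group name is the caller's ("VirtualMachines" is only the thread's example), and the Get-ScopeKind helper and the -RemoveDirectDuplicates switch are this script's own names. It labels every assignment returned for the resource group as "This resource" or one of the inherited kinds, lists the principals that hold the same role both directly and via a parent scope, and, only when asked, removes the direct copy. Removing the direct copy leaves effective access unchanged; removing the inherited copy would strip the role from every other child of the parent scope, which is the caveat in the accepted answer, so the script never touches inherited assignments.

```powershell
# Added example for this thread; not code from the Q&A answer or from Microsoft.
# Assumes Az.Resources is installed and Connect-AzAccount has been run with a context
# set to the subscription that holds the resource group.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    # Off by default: the script only reports. With this switch it removes the direct
    # ("This resource") copy of each duplicate, so effective access does not change.
    [switch] $RemoveDirectDuplicates
)

# Scope string of the resource group itself: /subscriptions/<id>/resourceGroups/<name>.
# Anything returned for this resource group whose Scope differs from it is inherited.
$rgScope = (Get-AzResourceGroup -Name $ResourceGroupName).ResourceId

function Get-ScopeKind {
    # Classifies a Scope the way the portal labels it. -eq, -like and -match are
    # case-insensitive in PowerShell, which matters because scope casing varies.
    param([string] $Scope, [string] $DirectScope)
    if ($Scope -eq $DirectScope) { return 'This resource' }
    if ($Scope -eq '/') { return 'Inherited (root management group)' }
    if ($Scope -like '/providers/Microsoft.Management/managementGroups/*') { return 'Inherited (management group)' }
    if ($Scope -match '^/subscriptions/[^/]+/?$') { return 'Inherited (subscription)' }
    return "Inherited ($Scope)"
}

# With -ResourceGroupName this returns direct assignments and inherited ones alike.
$assignments = Get-AzRoleAssignment -ResourceGroupName $ResourceGroupName

# Annotate each assignment with its scope kind so the distinction is visible in output.
$annotated = foreach ($a in $assignments) {
    [pscustomobject]@{
        Principal  = if ($a.SignInName) { $a.SignInName } else { $a.DisplayName }
        ObjectId   = $a.ObjectId
        ObjectType = $a.ObjectType
        Role       = $a.RoleDefinitionName
        RoleId     = $a.RoleDefinitionId
        ScopeKind  = Get-ScopeKind -Scope $a.Scope -DirectScope $rgScope
        Scope      = $a.Scope
        Raw        = $a
    }
}

Write-Host "Role assignments visible on '$ResourceGroupName' by scope kind:"
$annotated | Sort-Object ScopeKind, Role, Principal |
    Format-Table Principal, ObjectType, Role, ScopeKind, Scope -AutoSize | Out-Host

# A duplicate is the same principal holding the same role definition both directly on
# the resource group and on a parent scope. Only the direct copy is reported as
# removable; inherited assignments are never touched by this script.
$duplicates = $annotated |
    Group-Object ObjectId, RoleId |
    Where-Object { ($_.Group.ScopeKind -contains 'This resource') -and
                   ($_.Group | Where-Object ScopeKind -ne 'This resource') } |
    ForEach-Object {
        [pscustomobject]@{
            Principal     = $_.Group[0].Principal
            Role          = $_.Group[0].Role
            Direct        = ($_.Group | Where-Object ScopeKind -eq 'This resource')[0].Raw
            InheritedFrom = ($_.Group | Where-Object ScopeKind -ne 'This resource').Scope
        }
    }

if (-not $duplicates) {
    Write-Host "No direct assignments duplicate an inherited one."
    return
}

Write-Host "Direct assignments that duplicate an inherited assignment:"
$duplicates | Format-Table Principal, Role, InheritedFrom -AutoSize | Out-Host

if ($RemoveDirectDuplicates) {
    foreach ($d in $duplicates) {
        $target = "$($d.Principal) / $($d.Role) at $($d.Direct.Scope)"
        # Running the script with -WhatIf previews these removals without changing anything.
        if ($PSCmdlet.ShouldProcess($target, 'Remove direct role assignment (inherited copy remains)')) {
            Remove-AzRoleAssignment -ObjectId $d.Direct.ObjectId `
                                    -RoleDefinitionName $d.Direct.RoleDefinitionName `
                                    -Scope $d.Direct.Scope
        }
    }
}
```

Saved as a .ps1 file, `.\Find-DuplicateRoleAssignments.ps1 -ResourceGroupName VirtualMachines` only reports; adding `-RemoveDirectDuplicates -WhatIf` shows which removals would happen, and dropping `-WhatIf` performs them. The match is on the role definition ID, so a principal holding two different roles with overlapping permissions at the two scopes is not flagged. To sweep every resource group in a subscription, loop the script over `Get-AzResourceGroup`, setting the context with `Set-AzContext` before each subscription.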

Thank you for your answer!
Now, I got it. Thank you for your help!

0 Votes 0 ·