Script Release: Azure Access Reviews

Background

Continuing the theme of identity management, let’s take a look at [Get-AzureRoleAssignments]. The genesis of this tool was a seemingly simple request from my Security Operations team.

What resources and permissions does the Security Analysts L1 group provide?

At the time this group had only ever been used in the subscription that housed our Sentinel instance. That made the request easy: I wrote a short script to enumerate the assignments for a specific group on a specific subscription. Later, when we started doing actual access reviews, it grew into the chonk that’s being released today.

Usage

In the simplest case, the following invocation connects to the specified tenant, iterates through every subscription the signed-in account can see, and enumerates the role assignments in each.

Get-AzureRoleAssignments.ps1 -tenantId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -PrincipalDisplayNames Finance
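For readers who want to see the shape of the loop such a tool is built on, here is an added example of the core enumeration using the Az PowerShell module. It is not Get-AzureRoleAssignments.ps1 or any code from its author; the function names, the ScopeLevel classifier and the optional display-name filter are this example's own assumptions about how one would reproduce the columns in the report shown below.

```powershell
# Added illustration, not the author's Get-AzureRoleAssignments.ps1.
# Enumerates Azure RBAC role assignments in every subscription of a tenant and
# writes a CSV with the same columns as the report in this post.
#Requires -Modules Az.Accounts, Az.Resources

function Get-ScopeLevel {
    # Classify an RBAC scope string by depth. Shapes seen in practice:
    #   /                                                   (tenant root group)
    #   /providers/Microsoft.Management/managementGroups/<mg>
    #   /subscriptions/<id>
    #   /subscriptions/<id>/resourceGroups/<rg>
    #   /subscriptions/<id>/resourceGroups/<rg>/providers/<ns>/<type>/<name>
    param([Parameter(Mandatory)][string]$Scope)

    switch -Regex ($Scope) {
        '^/$'                                                      { return 'Root' }
        '^/providers/Microsoft\.Management/managementGroups/[^/]+$' { return 'ManagementGroup' }
        '^/subscriptions/[^/]+$'                                    { return 'Subscription' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+$'               { return 'ResourceGroup' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/'     { return 'Resource' }
        default                                                     { return 'Unknown' }
    }
}

function Get-TenantRoleAssignmentReport {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        # Optional filter on principal display name; omit to report every principal.
        [string[]]$PrincipalDisplayNames,
        [string]$OutFile = "AzureRoleAssignments-$(Get-Date -Format yyyyMMdd-HHmm).csv"
    )

    Connect-AzAccount -TenantId $TenantId | Out-Null

    $rows = foreach ($sub in Get-AzSubscription -TenantId $TenantId) {
        Set-AzContext -Subscription $sub.Id -Tenant $TenantId | Out-Null

        # With no -Scope, Get-AzRoleAssignment returns the assignments effective in the
        # current subscription, which is why management-group scopes can show up here.
        $assignments = Get-AzRoleAssignment
        if ($PrincipalDisplayNames) {
            $assignments = $assignments | Where-Object { $_.DisplayName -in $PrincipalDisplayNames }
        }

        foreach ($a in $assignments) {
            [pscustomobject]@{
                PrincipalDisplayName = $a.DisplayName
                PrincipalObjectId    = $a.ObjectId
                # User, Group, ServicePrincipal; 'Unknown' with an empty name means the
                # principal was deleted and the assignment was left behind.
                PrincipalType        = $a.ObjectType
                Type                 = 'Azure Role'
                RoleOrApp            = $a.RoleDefinitionName
                Scope                = $a.Scope
                ScopeLevel           = Get-ScopeLevel -Scope $a.Scope
                Subscription         = $sub.Name
                SubscriptionId       = $sub.Id
            }
        }
    }

    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    return $rows
}

# Example call (tenant ID is a placeholder):
# Get-TenantRoleAssignmentReport -TenantId 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' -PrincipalDisplayNames 'Finance'
```

Two details matter for a review. Set-AzContext is needed per iteration because Get-AzRoleAssignment only sees the current subscription, so a tenant-wide picture is the union over every context. And orphaned assignments (ObjectType Unknown, blank display name) are worth keeping in the output rather than filtering out: they are exactly what an access review should catch, and a display-name filter silently hides them.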

This drops a CSV report in the current directory that looks something like this (object and subscription IDs replaced with placeholders).

"PrincipalDisplayName","PrincipalObjectId","PrincipalType","Type","RoleOrApp","Scope","ScopeLevel","Subscription","SubscriptionId"
"Scott Pack","${GUID}","User","Azure Role","Owner","/subscriptions/${SUB_ID}","Subscription","Azure subscription 1","${SUB_ID}"
"Scott Pack","${GUID}","User","Azure Role","Owner","/subscriptions/${SUB_ID}","Subscription","Azure subscription 1","${SUB_ID}"
"Product and Design","${GUID}","Group","Azure Role","Reader","/subscriptions/${SUB_ID}","Subscription","Azure subscription 1","${SUB_ID}"
"Product and Design","${GUID}","Group","Azure Role","Contributor","/subscriptions/${SUB_ID}/resourceGroups/rg-test-iam","ResourceGroup","Azure subscription 1","${SUB_ID}"
"Finance","${GUID}","Group","Azure Role","Billing Reader","/subscriptions/${SUB_ID}/resourceGroups/rg-test-iam","ResourceGroup","Azure subscription 1","${SUB_ID}"

Additional arguments and use cases are available in the script’s README and Help output.
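Once the CSV exists, the access review itself is a pass over its rows. The following is an added example, not part of Get-AzureRoleAssignments.ps1, of two things a reviewer typically wants from a report in this format: the answer to the original question (what does a given group actually grant?) and a list of rows that deserve a second look. The role list and the finding names are this example's own choices.

```powershell
# Added illustration for triaging a report in the format shown above.
# Not part of the author's script; the thresholds here are this example's own.

# Roles that grant control over the scope itself or over who can access it.
$PrivilegedRoles = @('Owner', 'User Access Administrator', 'Contributor',
                     'Role Based Access Control Administrator')
$BroadScopes     = @('Root', 'ManagementGroup', 'Subscription')

function Get-PrincipalAccessSummary {
    # Answers "what does principal X provide?" by folding the report per principal.
    param(
        [Parameter(Mandatory)][string]$ReportPath,
        [string[]]$PrincipalDisplayNames          # omit to summarise every principal
    )

    $rows = Import-Csv -Path $ReportPath
    if ($PrincipalDisplayNames) {
        $rows = $rows | Where-Object { $_.PrincipalDisplayName -in $PrincipalDisplayNames }
    }

    foreach ($group in $rows | Group-Object PrincipalDisplayName) {
        [pscustomobject]@{
            Principal     = $group.Name
            PrincipalType = ($group.Group | Select-Object -First 1).PrincipalType
            # One "Role @ Scope" entry per distinct assignment; duplicate rows collapse here.
            Grants        = ($group.Group |
                             ForEach-Object { "$($_.RoleOrApp) @ $($_.Scope)" } |
                             Sort-Object -Unique) -join '; '
        }
    }
}

function Get-RoleAssignmentFindings {
    # Flags rows a reviewer should question before signing off.
    param([Parameter(Mandatory)][string]$ReportPath)

    foreach ($row in Import-Csv -Path $ReportPath) {
        $flags = @()
        if ($row.RoleOrApp -in $PrivilegedRoles -and $row.ScopeLevel -in $BroadScopes) {
            $flags += 'PrivilegedAtBroadScope'   # standing Owner/Contributor on a whole subscription
        }
        if ($row.PrincipalType -eq 'User') {
            $flags += 'DirectUserAssignment'     # access should normally flow through a group
        }
        if ($row.PrincipalType -eq 'Unknown' -or [string]::IsNullOrWhiteSpace($row.PrincipalDisplayName)) {
            $flags += 'OrphanedPrincipal'        # principal deleted, assignment left behind
        }
        if ($flags) {
            [pscustomobject]@{
                Principal    = $row.PrincipalDisplayName
                Type         = $row.PrincipalType
                Role         = $row.RoleOrApp
                Scope        = $row.Scope
                Subscription = $row.Subscription
                Findings     = ($flags -join ';')
            }
        }
    }
}

# Example calls against a report produced by the script:
# Get-PrincipalAccessSummary -ReportPath .\report.csv -PrincipalDisplayNames 'Finance' | Format-List
# Get-RoleAssignmentFindings -ReportPath .\report.csv | Sort-Object Principal, Role, Scope -Unique | Format-Table
```

Against the sample report above, the summary for Finance would read "Billing Reader @ /subscriptions/.../resourceGroups/rg-test-iam", and the findings pass would flag the Owner assignment to an individual user at subscription scope as both PrivilegedAtBroadScope and DirectUserAssignment. The Sort-Object -Unique on the findings call is there because the same assignment can appear more than once when a report is built from several contexts.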
