
Removing IAM Assignments - Unable to find identity

dave o'donohoe 191 Reputation points
2023-08-18T08:44:53.1233333+00:00

Hi,

We have circa 200 subscriptions, organised via management groups, with a lot of IAM assignments at various levels.

The problem: there are a lot of non-existing / legacy objects whose RBAC assignments I'd like to clean up / remove.

Identity not found.

Unable to find identity

Could anyone recommend a method where I could possibly script / automate this process, rather than having to browse to every subscription to manually remove IAM assignments to these phantom objects?

I would assume PowerShell would have this capability?

Thanks.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author

Anonymous
2023-08-21T21:43:49.8066667+00:00

Hi @Anonymous , you can try something like this in PowerShell. Let me know if it works:

# Connect to your Azure account (requires the Az.Accounts and Az.Resources modules)
Connect-AzAccount

# Get all subscriptions
$subscriptions = Get-AzSubscription

# Loop through each subscription
foreach ($subscription in $subscriptions) {
    # Set the current subscription context
    Set-AzContext -SubscriptionId $subscription.Id | Out-Null

    # Get all role assignments visible from this subscription (including inherited ones)
    $roleAssignments = Get-AzRoleAssignment

    # Loop through each role assignment
    foreach ($roleAssignment in $roleAssignments) {
        # Get-AzRoleAssignment reports ObjectType 'Unknown' when the assigned identity
        # (user, group, service principal or managed identity) no longer exists in
        # Microsoft Entra ID; the portal shows these as "Identity not found"
        if ($roleAssignment.ObjectType -eq 'Unknown') {
            Write-Host "Removing $($roleAssignment.RoleDefinitionName) for $($roleAssignment.ObjectId) at $($roleAssignment.Scope)"
            Remove-AzRoleAssignment -ObjectId $roleAssignment.ObjectId `
                -RoleDefinitionName $roleAssignment.RoleDefinitionName `
                -Scope $roleAssignment.Scope
        }
    }
}

This script connects to your Azure account, retrieves all subscriptions, and iterates through each subscription to get all role assignments. For each role assignment, it checks if the assigned identity exists. If the identity is not found, the script removes the role assignment.

Please let me know if you have any questions and I can help you further.

If this answer helps you, please mark "Accept Answer" so other users can reference it.

Thank you,

James

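As an added example (not part of the original answer), the same clean-up extended to the management-group scopes the question mentions: it queries each management group directly, dedupes assignments that child subscriptions inherit so each is removed only once, writes a CSV report first, and deletes only when run with -Remove. The parameter names, the report path and the management group ID placeholder are assumptions, not values from the thread.

```powershell
# Added example (not from the original answer). Assumes the Az.Accounts and Az.Resources
# modules are installed and the caller can write role assignments at every scope listed.
# $ManagementGroupIds is a placeholder: replace it with the IDs of your own management groups.
param(
    [string[]] $ManagementGroupIds = @('REPLACE-WITH-MG-ID'),
    [string]   $ReportPath = '.\orphaned-role-assignments.csv',
    [switch]   $Remove    # without -Remove the script only reports
)
Connect-AzAccount | Out-Null

# Assignments inherited from a management group are returned again by every child
# subscription, so dedupe on RoleAssignmentId and remove each one only once.
$seen    = @{}
$orphans = [System.Collections.Generic.List[object]]::new()

function Add-Orphans([object[]] $Assignments, [string] $Source) {
    foreach ($a in $Assignments) {
        # ObjectType 'Unknown' means the principal no longer exists in Entra ID
        # (the portal shows these as "Identity not found" / "Unable to find identity").
        if ($a.ObjectType -ne 'Unknown' -or $seen.ContainsKey($a.RoleAssignmentId)) { continue }
        $seen[$a.RoleAssignmentId] = $true
        $orphans.Add([pscustomobject]@{
            RoleAssignmentId = $a.RoleAssignmentId
            ObjectId         = $a.ObjectId
            Role             = $a.RoleDefinitionName
            Scope            = $a.Scope
            FoundVia         = $Source
        })
    }
}

# Query each management group directly so assignments on groups with no subscriptions
# beneath them are covered too, then every subscription (which also lists inherited ones).
foreach ($mg in $ManagementGroupIds) {
    $scope = "/providers/Microsoft.Management/managementGroups/$mg"
    Add-Orphans (Get-AzRoleAssignment -Scope $scope) $scope
}
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Add-Orphans (Get-AzRoleAssignment) "/subscriptions/$($sub.Id)"
}

# Write the audit report first so there is a record of what was (or would be) removed.
$orphans | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($orphans.Count) orphaned assignment(s) written to $ReportPath"
if ($Remove) {
    foreach ($o in $orphans) {
        Remove-AzRoleAssignment -ObjectId $o.ObjectId -RoleDefinitionName $o.Role -Scope $o.Scope
    }
}
```

Run it once without -Remove, review the CSV, then rerun with -Remove; the caller needs permission to delete role assignments at each management-group scope, not just in the subscriptions.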