AzureI suppose that in your Azure account, you have already come across the famous Identiy not found in your RBAC assignments
All of these identities have been deleted from your Entra ID, whether it is a user, a group or a SPN. However, Azure does not clean up for you, and it’s up to you. But good news it doesn’t count in the role of effective assignments and therefore within the limits it is just ugly in the portal.
So here is a small script to clean up:
[CmdletBinding()]
param (
[switch] $DryRun,
[PSDefaultValue(Help='Current subscription')]
[Parameter(Mandatory = $false, HelpMessage="Use a valid azure scope")]
[string] $scope = ""
)
Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome
[array]$assignments = @()
if ("" -eq $scope) {
$assignments = Get-AzRoleAssignment
} else {
$assignments = Get-AzRoleAssignment -Scope $scope
}
Write-Output "Found $($assignments.Count) assignments"
foreach ($assignment in $assignments) {
Write-Verbose "Processing $($assignment.RoleAssignmentId)"
if ($null -eq (Get-MgDirectoryObject -DirectoryObjectId $assignment.ObjectId -ErrorAction SilentlyContinue)) {
Write-Output "Removing $($assignment.RoleAssignmentId)"
if (-not $DryRun) {
$assignment | Remove-AzRoleAssignment
}
}
}
Comments
Post comment