What Are Orphaned Role Assignments?
In Azure, role assignments grant users, groups, or service principals access to resources. Sometimes those identities are deleted (an employee leaves the company, or an app registration is removed), but their role assignments remain. These are called orphaned role assignments; the portal lists them as "Identity not found". They:
- clutter the environment and count toward the subscription's role assignment limit (4,000 per subscription)
- create audit trail noise
- may cause confusion during access reviews
- can hide a broken dependency: an automation script whose service principal was deleted fails, while the leftover assignment still suggests the access exists
Why Do They Happen?
Orphaned assignments occur because Azure does not automatically remove role assignments when the associated identity is deleted. This is by design, to avoid unintended consequences in distributed or automated environments.
What can we do to prevent it?
1. Use Azure AD Groups Instead of Direct Assignments
Assign roles to Azure AD groups instead of users or service principals directly. That way, if a user leaves, you just remove them from the group; the group, and its role assignment, remain intact.
Benefit: the group stays alive even if individual members change, so a deleted user never leaves a role assignment behind.
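The group-based pattern above as an added, runnable Azure CLI example (not code from the original post). It assumes an interactive `az login` as someone who can create groups and assign roles; the group name, resource group and user are placeholders.

```powershell
# Added example, not code from the original post. Assumes 'az login' as someone who can
# create groups and assign roles; the group name, resource group and user are placeholders.
$subscriptionId = az account show --query id -o tsv
$scope = "/subscriptions/$subscriptionId/resourceGroups/rg-app-prod"   # placeholder scope

# 1. Create the group once and capture its object ID.
$groupId = az ad group create --display-name "rbac-rg-app-prod-reader" `
    --mail-nickname "rbac-rg-app-prod-reader" --query id -o tsv

# 2. Assign the role to the group, not to people. Passing the object ID and principal type
#    skips the directory lookup, so the call does not fail while the new group replicates.
az role assignment create --role "Reader" --scope $scope `
    --assignee-object-id $groupId --assignee-principal-type Group --output none

# 3. Day-to-day access changes are membership changes; the assignment itself is never touched.
$userId = az ad user show --id "alice@contoso.example" --query id -o tsv   # placeholder user
az ad group member add --group $groupId --member-id $userId

# 4. Offboarding: remove the member. When the account is later deleted nothing is orphaned,
#    because no role assignment ever referenced the user's object ID.
az ad group member remove --group $groupId --member-id $userId
```

Keep one group per role-and-scope pair and name it after both, so an access review can tell what a membership grants without opening the assignment.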
2. Automate Identity Lifecycle Management
Integrate your Azure AD with HR systems or identity governance tools like:
- Microsoft Entra ID Lifecycle Workflows (requires a Microsoft Entra ID Governance license)
- Third-party IAM platforms (like Okta or SailPoint)
Automatically remove or disable identities when they leave the organization.
3. Use Managed Identities Instead of App Registrations
When possible, use Managed Identities for services rather than App Registrations. A system-assigned managed identity is deleted together with the Azure resource it belongs to, so no service principal is left behind (a user-assigned managed identity is a standalone resource and must be deleted explicitly).
Helps avoid leftover service principals. Note that deleting the identity does not delete its role assignments; those still become orphans, so the periodic cleanup below is needed either way.
4. Schedule Periodic Reviews
Use tools like:
- Azure AD Access Reviews
- PIM (Privileged Identity Management) for eligible/just-in-time roles
- Custom scripts (like the one below) via an Azure Automation Runbook or Logic App
Prevents old and unused role assignments from going unnoticed.
5. Tag or Document Assignments
Apply naming conventions and record the origin and purpose of each role assignment. This makes manual reviews easier. Example: set the assignment's description field (`az role assignment create --description "..."`) to the ticket number or owning team, or track the assignment in your CMDB.
6. Audit App and User Deletions
Ensure that when a user or app is deleted:
- Its role assignments are reviewed and removed first, while the principal can still be resolved.
- Any lingering RBAC ties are handled by a standard offboarding playbook.
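An added example of such an offboarding check (not code from the original post): it lists the direct role assignments of one principal before the object is deleted, and removes them only when asked to. It assumes `az login` with rights to read, and with `-Remove` delete, role assignments in the current subscription; `--include-groups` and `--ids` are real `az role assignment` parameters, the object ID is whatever you pass in.

```powershell
# Added example, not code from the original post. Assumes 'az login' with rights to read
# (and, with -Remove, delete) role assignments in the currently selected subscription.
param(
    [Parameter(Mandatory)][string]$ObjectId,   # object ID of the user or service principal being offboarded
    [switch]$Remove                            # without this switch the script only reports
)

# --all walks every scope in the current subscription; run once per subscription.
# Add --include-groups to also see access the principal inherits via group membership.
$assignments = az role assignment list --all --assignee $ObjectId --output json | ConvertFrom-Json
if ($LASTEXITCODE -ne 0) {
    # Resolution fails for a principal that is already deleted: it is an orphan now, use the detection script instead.
    Write-Warning "Could not resolve $ObjectId; is it already deleted?"
    return
}

if (-not $assignments) {
    Write-Host "No direct role assignments for $ObjectId in this subscription."
    return
}

$assignments | Select-Object roleDefinitionName, scope, principalType | Format-Table -AutoSize

if ($Remove) {
    foreach ($a in $assignments) {
        # Delete by the assignment's own resource ID: exact, and independent of the principal.
        az role assignment delete --ids $a.id
        if ($LASTEXITCODE -eq 0) { Write-Host "Removed $($a.roleDefinitionName) at $($a.scope)" }
        else { Write-Warning "Failed to remove $($a.id)" }
    }
}
```

Run it in report mode from the offboarding ticket, attach the table, then run it again with `-Remove` before the directory object is deleted.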
How to Detect Them (Script)
Below is a PowerShell script using the Azure CLI to list and identify orphaned role assignments. It works against the currently selected subscription (`az account set`), so run it once per subscription. The signed-in account must be able to read directory objects: if Graph answers "insufficient privileges", every lookup fails and every assignment is reported as orphaned, so check with `az ad signed-in-user show` first.
# Requires the Azure CLI (az login) and PowerShell 7+.
$roleAssignments = az role assignment list --all --output json | ConvertFrom-Json
$checked = @{}    # principalId -> $true/$false, so each principal is looked up only once
$orphanedAssignments = @()

function Test-PrincipalExists([string]$id) {
    # Each 'show' exits non-zero when the object no longer exists; stderr is discarded.
    # The original used --output none and tested the (always empty) captured output,
    # which flagged every assignment as orphaned; the exit code is what carries the answer.
    az ad user show --id $id --output none 2>$null;     if ($LASTEXITCODE -eq 0) { return $true }
    az ad group show --group $id --output none 2>$null; if ($LASTEXITCODE -eq 0) { return $true }
    az ad sp show --id $id --output none 2>$null;       if ($LASTEXITCODE -eq 0) { return $true }
    return $false
}

foreach ($assignment in $roleAssignments) {
    $principalId = $assignment.principalId
    if (-not $checked.ContainsKey($principalId)) {
        $checked[$principalId] = Test-PrincipalExists $principalId
    }
    if (-not $checked[$principalId]) {
        Write-Warning "ORPHANED: $principalId ($($assignment.roleDefinitionName) at $($assignment.scope))"
        $orphanedAssignments += $assignment
    }
}

# -InputObject keeps the output a JSON array even when there are zero or one results.
ConvertTo-Json -InputObject $orphanedAssignments -Depth 10 | Out-File "orphaned-role-assignments.json"
Write-Host "`nOrphaned assignments saved into 'orphaned-role-assignments.json'"
What to Do Next?
Once you've reviewed the list (check the scope and role of each entry; an orphaned Owner at subscription scope is worth a note in the incident log), you can clean them manually or script the removal. Deleting needs `Microsoft.Authorization/roleAssignments/delete` at each scope (Owner or User Access Administrator). Delete by the assignment's own ID rather than by `--assignee`, since a deleted principal can no longer be resolved:
# Uses $orphanedAssignments from the detection script above (or re-import the saved JSON).
foreach ($orphan in $orphanedAssignments) {
    $scope = $orphan.scope
    $role = $orphan.roleDefinitionName
    $principalId = $orphan.principalId
    # --ids takes the assignment's resource ID, so no principal lookup is needed.
    az role assignment delete --ids $orphan.id
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Removed orphaned role assignment: $principalId at $scope ($role)"
    } else {
        Write-Warning "Failed to remove $($orphan.id); check your permissions at $scope"
    }
}
Final Thoughts
Regularly reviewing your role assignments is good practice in any Azure environment. It keeps the RBAC picture readable, keeps you under the assignment limit, and improves your security posture by making sure every remaining assignment maps to an identity someone still owns.