Here are a few ways to automate the reporting of Azure AD role assignments:

- Use PowerShell scripts:
  The Get-AzRoleAssignmentReport.ps1 script fetches role assignments and compiles them into a comprehensive report that is sent via email. It requires the managed identity used by the script to have the “Directory Readers” permission assigned at the Microsoft Entra ID (formerly Azure AD) level.

- Leverage the Microsoft Graph API:
  The Microsoft Graph PowerShell SDK can be used to retrieve a list of all Azure AD role assignments. It requires the “Directory Readers” permission to be assigned to the managed identity used by the script.

- Utilize Azure Monitor:
  Azure Monitor provides built-in roles such as “Monitoring Reader” and “Monitoring Contributor” for monitoring permissions. You can also create custom roles with granular permissions to monitor specific aspects of Azure AD, such as an “Activity Log Reader” role.

- Automate with Azure Policy and Terraform:
  Azure Policy can be used to assign RBAC roles based on resource tags, and Terraform can be used together with Azure Policy to automate the assignment of those roles.

- List role assignments using the Azure portal:
  Click “Azure role assignments” in the Azure portal to see the roles assigned to the selected user or group at each scope.

By combining these tools and techniques, you can automate the reporting of Azure AD role assignments and regularly verify that users hold only the permissions they need to perform their tasks.
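The Microsoft Graph PowerShell SDK approach from the list above, as an added example rather than the Get-AzRoleAssignmentReport.ps1 script or any page-provided code. It assumes the Microsoft.Graph module is installed and that the signed-in user or managed identity has been granted the RoleManagement.Read.Directory and Directory.Read.All permissions; the privileged-role watch list and the output path are constructed values.

```powershell
# Added example: report Microsoft Entra ID (Azure AD) directory role assignments via the
# Microsoft Graph PowerShell SDK, resolve role and principal names, and flag privileged roles.
# Assumes the Microsoft.Graph module is installed. Interactive runs use a delegated sign-in;
# Azure Automation runs can pass -UseManagedIdentity (Connect-MgGraph -Identity).
param(
    [string]$OutputCsv = ".\EntraRoleAssignments.csv",   # constructed default path
    [switch]$UseManagedIdentity
)

if ($UseManagedIdentity) {
    Connect-MgGraph -Identity -NoWelcome
} else {
    Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All" -NoWelcome
}

# Map role definition IDs to display names so the report is readable.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object {
    $roleNames[$_.Id] = $_.DisplayName
}

# Constructed watch list of roles that should be reviewed on every report run.
$privilegedRoles = @(
    "Global Administrator", "Privileged Role Administrator",
    "Privileged Authentication Administrator", "Application Administrator"
)

# Pull every directory role assignment; expanding Principal returns its name and object type.
$report = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal |
    ForEach-Object {
        $principal = $_.Principal.AdditionalProperties
        $roleName  = $roleNames[$_.RoleDefinitionId]
        [pscustomobject]@{
            Role          = $roleName
            Privileged    = $privilegedRoles -contains $roleName
            PrincipalName = $principal['displayName']
            PrincipalType = ($principal['@odata.type'] -replace '^#microsoft\.graph\.', '')
            UserPrincipal = $principal['userPrincipalName']
            Scope         = $_.DirectoryScopeId   # "/" is tenant-wide; otherwise an AU or app scope
        }
    }

# Privileged assignments sort to the top; the CSV is the full record for the mail/report job.
$report | Sort-Object @{Expression = 'Privileged'; Descending = $true}, Role, PrincipalName |
    Export-Csv -Path $OutputCsv -NoTypeInformation

$report | Where-Object Privileged | Format-Table Role, PrincipalName, PrincipalType, Scope -AutoSize
"Wrote $(@($report).Count) assignments to $OutputCsv"
```

Feed the CSV to whatever mail or ticketing step your automation already uses; diffing consecutive runs is the quickest way to spot a newly granted privileged role.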