Problem
Whenever an identity principal in Azure gets access to a resource, what happens in reality is that it’s assigned a role defitinion on a defined scope.
When that identity principal is removed, the assignment will still linger and show up under the IAM portion as the image below shows:
Solution
# ObjectType will be unknown
$objectType = "Unknown"
$orphanedIdentities = Get-AzRoleAssignment | Where-object -Property ObjectType -eq $objectType
foreach($identity in $orphanedIdentities) {
# Role assignment removals will require the principal, definition name/id and scope of assignment to work
Remove-AzRoleAssignment -ObjectId $identity.ObjectId -RoleDefinitionName $identity.RoleDefinitionName -Scope $identity.Scope
}
I’ve seen plenty of solutions for this, using both scripts as I’ve done above and policies. I’ve added links below to check out if you want to remove using policies, but I think the most simple solution would be to implement a simple script in a scheduled pipeline run.