How can I remove duplicates assignment roles in subscriptions? I have a few scopes - inherited (subscription) and this resource. How can better do remove duplicate with scope "this resource" or scope inherited? How can I recognize these scopes?

@asemencha Thank you for your post! When it comes to the different scopes used within Azure RBAC , you can remove an inherited role by selecting the hyperlinked scope and removing the role from IAM there. For example, if you're in a Resource Group's IAM, you might see Management Group (Inherited), or Subscription (Inherited), you can select the hyperlink for the specific scope, go to IAM, and remove the role. Note: Please keep in mind when removing IAM roles - make sure that the user you're removing doesn't need that specific role at that scope. i.e. Owner at the Subscription level. To better help with role assignments, I'd recommend referencing our Azure RBAC Best Practices documentation, specifically the Assign roles to groups, not users section, which talks about assigning roles to groups. If you have any other questions, please let me know. Thank you for your time and patience throughout this issue. ---------- Please remember to " Accept Answer " if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

How can I remove duplicates assignment roles in subscriptions?

Accepted answer

JamesTran-MSFT 36,621 Reputation points Microsoft Employee

2021-07-13T22:44:57.127+00:00

@asemencha
Thank you for your post!

When it comes to the different scopes used within Azure RBAC, you can remove an inherited role by selecting the hyperlinked scope and removing the role from IAM there. For example, if you're in a Resource Group's IAM, you might see Management Group (Inherited), or Subscription (Inherited), you can select the hyperlink for the specific scope, go to IAM, and remove the role.

Note: Please keep in mind when removing IAM roles - make sure that the user you're removing doesn't need that specific role at that scope. i.e. Owner at the Subscription level.

To better help with role assignments, I'd recommend referencing our Azure RBAC Best Practices documentation, specifically the Assign roles to groups, not users section, which talks about assigning roles to groups.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Please sign in to rate this answer.

1 person found this answer helpful.
asemencha 21 Reputation points

2021-07-14T05:50:06.357+00:00

Hello, James!

Thank you for your answer! I will review best practices for Azure RBAC.
Also, I would like to know how I can do it through PowerShell?
I guess I didn't give some important information in the initial question.
I have a lot of subscriptions with duplicated assignment roles. Where they have two scopes - inherited and "this resource".
And I'd like to remove them with PowerShell, but I'm not sure in output comandlet Get-AzRoleAssignment.
Unfortunately, I can't understand and recognize which role is inherited or "this resource".

JamesTran-MSFT 36,621 Reputation points Microsoft Employee

2021-07-14T22:55:05.997+00:00

@asemencha
Thank you for the quick follow up!

As you mentioned, you can use the Get-AzRoleAssignment PowerShell command to get role assignments. In order to read the output you can break it down into sections.

<# -I'm using this PS command to return all role assignments for a given resource group (i.e. VirtualMachines). -Since I'm looking for role assignments at the Resource Group level, any scope outside of "/subscriptions/(subscriptionID)/resourceGroups/VirtualMachines" will be Inherited. #> Get-AzRoleAssignment -ResourceGroupName "VirtualMachines"

Scope: This will typically be at the top of the role assignment output.

"/" will be used for the root management group scope.

"/providers/Microsoft.Management/managementGroups/..." will be a role assignment assigned to the management group level.

"/subscriptions/..." is a subscription level role.

"/subscriptions/<subscriptionID>/resourceGroups/VirtualMachines" will be the specific resource group level.

I hope this helps!

asemencha 21 Reputation points

2021-07-15T06:52:26.3+00:00

Thank you for your answer!
Now, I got it. Thank you for your help!

JamesTran-MSFT 36,621 Reputation points Microsoft Employee

2021-07-15T16:44:31.45+00:00

@asemencha
I'm glad that I was able to help you resolve this issue, and thank you for your time and patience throughout!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How can I remove duplicates assignment roles in subscriptions?

0 additional answers

Your answer