RBAC delete role assignments with 'Identity not found'
If you see "Identity not found" in your RBAC assignments, it means that the identity has been deleted from your Entra ID, whether it was a user, a group or a service principal (SPN).
Azure does not clean these up for you: the orphaned assignment stays in place, it looks ugly in the portal, and it is up to you to remove it.
You must clean up any orphaned role assignments on a regular basis.
Here is a PowerShell script to clean up:
#Requires -Modules Az.Resources
[CmdletBinding()]
param (
    # Only report orphaned assignments; do not remove anything.
    [switch] $CheckOnly,
    # Optional scope (subscription, resource group or resource id) to limit the search.
    # Without it, Get-AzRoleAssignment returns the assignments of the current subscription context.
    [Parameter(Mandatory = $false)]
    [string] $Scope = ""
)

[array]$Assignments = @()

# A principal that no longer exists in Entra ID is returned with ObjectType "Unknown".
if ("" -eq $Scope) {
    Write-Output "No Scope defined, getting all assignments."
    $Assignments = Get-AzRoleAssignment | Where-Object { $_.ObjectType -eq "Unknown" }
} else {
    Write-Output "Scope is: $Scope"
    $Assignments = Get-AzRoleAssignment -Scope $Scope | Where-Object { $_.ObjectType -eq "Unknown" }
}

Write-Output "Total: $($Assignments.Count) Unknown Identity found"

Foreach ($Assignment in $Assignments) {

    # Print the assignment details so the run leaves a usable record of what was found.
    Write-Output "---------------------------"
    Write-Output "Scope: $($Assignment.Scope)"
    Write-Output "Object Type: $($Assignment.ObjectType)"
    Write-Output "Display Name: $($Assignment.DisplayName)"
    Write-Output "SignIn Name: $($Assignment.SignInName)"
    Write-Output "Role Definition Name: $($Assignment.RoleDefinitionName)"
    Write-Output "Role Definition Id: $($Assignment.RoleDefinitionId)"
    Write-Output "Role Assignment Id: $($Assignment.RoleAssignmentId)"
    Write-Output "---------------------------"
    Write-Output ""

    # Removal only happens when -CheckOnly was not passed.
    if (-not $CheckOnly) {
        Write-Output "Removing assignment: $($Assignment.RoleAssignmentId)"
        $Assignment | Remove-AzRoleAssignment -Verbose
    }

}
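The script above works on one subscription context or one scope at a time. As an added example (not the original post's script), the function below sweeps every enabled subscription the signed-in identity can see, writes the orphaned assignments to a CSV for the record, and removes them only when -Remove is given and -WhatIf is not. It assumes the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount session; the "skip when every assignment is Unknown" guard is a heuristic assumption, added because an unresolved directory lookup would otherwise make every principal look orphaned.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
function Remove-OrphanedRoleAssignment {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        # Where the findings are written, whether or not anything is removed.
        [string] $ReportPath = ".\orphaned-role-assignments.csv",
        # Without -Remove the function only reports.
        [switch] $Remove
    )

    $report = @()
    foreach ($sub in Get-AzSubscription | Where-Object State -eq 'Enabled') {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null

        $all      = @(Get-AzRoleAssignment)
        $orphaned = @($all | Where-Object ObjectType -eq 'Unknown')
        Write-Verbose ("{0}: {1} of {2} assignments have no resolvable principal" -f
            $sub.Name, $orphaned.Count, $all.Count)

        # Heuristic guard (assumption): if every assignment is "Unknown", the
        # principal lookup itself most likely failed, so removing would delete
        # live assignments. Report but do not remove in that subscription.
        $lookupSuspect = ($all.Count -gt 0) -and ($orphaned.Count -eq $all.Count)
        if ($Remove -and $lookupSuspect) {
            Write-Warning "$($sub.Name): all assignments unresolved; skipping removal here."
        }
        $safeToRemove = $Remove -and -not $lookupSuspect

        foreach ($a in $orphaned) {
            $report += [pscustomobject]@{
                Subscription     = $sub.Name
                Scope            = $a.Scope
                ObjectId         = $a.ObjectId
                RoleDefinition   = $a.RoleDefinitionName
                RoleAssignmentId = $a.RoleAssignmentId
                Removed          = $false
            }
            # ShouldProcess honours -WhatIf and -Confirm on this function.
            if ($safeToRemove -and
                $PSCmdlet.ShouldProcess($a.RoleAssignmentId, "Remove orphaned role assignment")) {
                $a | Remove-AzRoleAssignment
                $report[-1].Removed = $true
            }
        }
    }

    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    return $report
}
```

Run `Remove-OrphanedRoleAssignment -Verbose` first to get the report only, then `Remove-OrphanedRoleAssignment -Remove -WhatIf` to see what would be deleted before running it with `-Remove` alone.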