As Azure environments grow, keeping role assignments consistent and compliant becomes a significant operational challenge. Permission drift, orphaned identities, and undocumented manual assignments all create security risk. Using PowerShell to audit and enforce RBAC at scale gives you the control and visibility you need.

Prerequisites

Connect to Azure with the Az PowerShell module. Reading assignments needs only Reader (Microsoft.Authorization/roleAssignments/read) at the scope you audit; creating or removing assignments needs User Access Administrator or Owner at the scope you intend to manage. Resolving principals (the Get-AzADUser calls below) also requires permission to read the directory.

Install-Module Az -Scope CurrentUser
Connect-AzAccount
Set-AzContext -SubscriptionId "your-subscription-id"

Auditing All Role Assignments

Export every role assignment across a subscription to CSV so you have a clear picture of who has access to what. Get-AzRoleAssignment returns active assignments in the current subscription, including those inherited from a management group (their Scope shows the parent); PIM-eligible assignments are not active and do not appear, so audit those separately.

# Active assignments in the current subscription, inherited ones included.
$assignments = Get-AzRoleAssignment
# ObjectId is kept so rows can be matched back to the assignment later;
# DisplayName and SignInName are empty for deleted or unresolved principals.
$report = $assignments | Select-Object `
    DisplayName, SignInName, ObjectId, ObjectType, RoleDefinitionName, Scope

$report | Export-Csv "RBAC-Audit-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Exported $(@($report).Count) assignments"
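A full export is the raw material; the questions an access review actually asks are narrower. The following is an added example, not code from the original article: it runs over the same Get-AzRoleAssignment output and flags privileged roles at subscription scope or above, privileged roles assigned directly to a user rather than a group, and unresolved principals. The list of roles treated as privileged and the output file name are assumptions for this example.

```powershell
# Added example (not from the original article). $privilegedRoles is an
# assumption; extend it with any custom roles that grant write or RBAC rights.
$privilegedRoles = @('Owner', 'User Access Administrator', 'Contributor')
$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

$assignments = Get-AzRoleAssignment

# "Broad" means the subscription itself or anything above it. Inherited
# assignments keep their original management-group or root scope.
function Test-BroadScope([string]$Scope) {
    $Scope -eq $subScope -or $Scope -eq '/' -or
    $Scope -like '/providers/Microsoft.Management/managementGroups/*'
}

$findings = foreach ($a in $assignments) {
    $reasons = @()
    $isPrivileged = $privilegedRoles -contains $a.RoleDefinitionName

    if ($isPrivileged -and (Test-BroadScope $a.Scope)) {
        $reasons += 'privileged role at subscription scope or above'
    }
    if ($isPrivileged -and $a.ObjectType -eq 'User') {
        $reasons += 'privileged role assigned directly to a user instead of a group'
    }
    if ($a.ObjectType -eq 'Unknown') {
        $reasons += 'principal not found in directory (orphaned or unresolved)'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            DisplayName        = $a.DisplayName
            SignInName         = $a.SignInName
            ObjectId           = $a.ObjectId
            ObjectType         = $a.ObjectType
            RoleDefinitionName = $a.RoleDefinitionName
            Scope              = $a.Scope
            Finding            = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Scope, RoleDefinitionName |
    Export-Csv "RBAC-Findings-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "$(@($findings).Count) of $(@($assignments).Count) assignments flagged"
```

Run it in the same session as the export so both files describe the same snapshot. A finding is a prompt for review, not proof of a problem: a break-glass account holding Owner directly is often deliberate, but it should be documented, and this report is where that documentation gets checked.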

Finding Orphaned Assignments

Orphaned assignments (where the principal has been deleted) appear with an ObjectType of Unknown and an empty DisplayName. Identify and remove them to reduce attack surface. Be aware that Unknown also appears when the identity running the script cannot read the directory, in which case every assignment looks orphaned; if the Unknown count looks implausibly high, fix the directory permissions before deleting anything.

$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

# Only assignments made in this subscription. Unknown assignments inherited
# from a management group have to be removed at that scope instead.
$orphaned = Get-AzRoleAssignment | Where-Object {
    $_.ObjectType -eq "Unknown" -and
    ($_.Scope -eq $subScope -or $_.Scope -like "$subScope/*")
}
foreach ($a in $orphaned) {
    Write-Host "Removing orphaned: $($a.RoleDefinitionName) on $($a.Scope)"
    # The ObjectId of a deleted principal is still present on the assignment.
    Remove-AzRoleAssignment -ObjectId $a.ObjectId `
        -RoleDefinitionName $a.RoleDefinitionName `
        -Scope $a.Scope
}
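Because Unknown can mean either "deleted" or "I was not allowed to look", a cleanup that deletes on that flag alone is only as safe as the permissions of whoever runs it. The following is an added example, not code from the original article: before removing an assignment it asks Microsoft Graph directly whether the object still exists and acts only on a definite 404. It assumes Invoke-AzRestMethod returns the HTTP response object (StatusCode 404, 200, 403 and so on) rather than throwing on a non-success status, which is how the cmdlet behaves in current Az.Accounts releases; the $DryRun variable is an assumption for this example.

```powershell
# Added example (not from the original article): verify an "Unknown" principal
# is really gone before touching its assignment.
$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$DryRun = $true   # assumption for this example: flip to $false after reviewing the output

$unknown = Get-AzRoleAssignment | Where-Object {
    $_.ObjectType -eq 'Unknown' -and
    ($_.Scope -eq $subScope -or $_.Scope -like "$subScope/*")
}

foreach ($a in $unknown) {
    # /directoryObjects resolves users, groups and service principals alike.
    $resp = Invoke-AzRestMethod -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/directoryObjects/$($a.ObjectId)"

    switch ($resp.StatusCode) {
        404 {
            # Confirmed deleted: safe to remove.
            Write-Host "ORPHAN  $($a.RoleDefinitionName) on $($a.Scope) ($($a.ObjectId))"
            if (-not $DryRun) {
                Remove-AzRoleAssignment -ObjectId $a.ObjectId `
                    -RoleDefinitionName $a.RoleDefinitionName `
                    -Scope $a.Scope
            }
        }
        200 {
            # The object exists; Az simply could not classify it. Leave it alone.
            Write-Warning "EXISTS  $($a.ObjectId) resolves in Graph; keeping $($a.RoleDefinitionName) on $($a.Scope)"
        }
        default {
            # 401/403 or anything else: we cannot tell, so stop rather than guess.
            throw "Graph lookup for $($a.ObjectId) returned HTTP $($resp.StatusCode); check directory permissions before cleaning up"
        }
    }
}
```

The throw on an unexpected status is deliberate: a permission problem should abort the run, not silently turn a cleanup into a no-op or, worse, into a mass removal. Keep the dry-run output with the audit export so the removals are traceable.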

Bulk Assigning Roles from a Definition File

Define your desired state in a CSV and use PowerShell to apply it. This is the first step toward RBAC as code: the loop below adds whatever the file lists, skips assignments that already exist, and refuses to continue past a principal it cannot resolve. It does not yet remove assignments the file omits, so on its own it catches missing access, not excess access.

# desired-rbac.csv columns: UPN, Role, Scope
$desired = Import-Csv "desired-rbac.csv"
foreach ($row in $desired) {
    $user = Get-AzADUser -UserPrincipalName $row.UPN
    if (-not $user) {
        # A typo in the file must be visible, not swallowed.
        throw "Principal not found in the directory: $($row.UPN)"
    }
    # New-AzRoleAssignment fails with RoleAssignmentExists on a duplicate, so
    # check first. The lookup also returns inherited assignments; match the
    # exact scope so an inherited Reader does not mask a missing direct one.
    $existing = Get-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $row.Role -Scope $row.Scope |
        Where-Object { $_.Scope -eq $row.Scope }
    if ($existing) {
        Write-Host "Already assigned: $($row.Role) to $($row.UPN) at $($row.Scope)"
        continue
    }
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $row.Role `
        -Scope $row.Scope -ErrorAction Stop | Out-Null
    Write-Host "Assigned $($row.Role) to $($row.UPN) at $($row.Scope)"
}
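Applying additions is half of desired state; drift is mostly the other half, the assignments nobody put in the file. The following is an added example that goes beyond the article's loop, not code from the original: it treats the CSV as the complete set of assignments at each scope it names, diffs that against what Azure actually has at exactly those scopes, and reports (or, with $Enforce, applies) both the additions and the removals. The CSV layout matches the article's (UPN, Role, Scope); the $Enforce switch and the sample rows in the comment are assumptions for this example.

```powershell
# Added example (not from the original article): reconcile actual assignments
# against desired-rbac.csv at every scope the file names.
#
# Constructed sample of desired-rbac.csv (subscription ID elided):
#   UPN,Role,Scope
#   alice@contoso.com,Reader,/subscriptions/<id>
#   bob@contoso.com,Contributor,/subscriptions/<id>/resourceGroups/rg-app
$Enforce = $false   # assumption: $false reports drift, $true applies adds and removals
$desired = Import-Csv 'desired-rbac.csv'
$me = (Get-AzContext).Account.Id   # never remove the user running this script

# Desired state keyed on principal|role|scope. PowerShell hashtables and -eq
# are case-insensitive, which matches how Azure compares role names and scopes.
$desiredKeys = @{}
foreach ($row in $desired) {
    $user = Get-AzADUser -UserPrincipalName $row.UPN
    if (-not $user) { throw "Principal not found in the directory: $($row.UPN)" }
    $desiredKeys["$($user.Id)|$($row.Role)|$($row.Scope)"] = $row
}

# Actual state: only assignments made directly at a managed scope. Inherited
# assignments belong to a parent scope and are not this file's responsibility.
$managedScopes = @($desired.Scope | Sort-Object -Unique)
$actualKeys = @{}
foreach ($scope in $managedScopes) {
    Get-AzRoleAssignment -Scope $scope |
        Where-Object { $_.Scope -eq $scope } |
        ForEach-Object { $actualKeys["$($_.ObjectId)|$($_.RoleDefinitionName)|$($_.Scope)"] = $_ }
}

$toAdd    = @($desiredKeys.Keys | Where-Object { -not $actualKeys.ContainsKey($_) })
$toRemove = @($actualKeys.Keys  | Where-Object {
    -not $desiredKeys.ContainsKey($_) -and $actualKeys[$_].SignInName -ne $me
})

foreach ($k in $toAdd) {
    $id, $role, $scope = $k -split '\|', 3
    Write-Host "ADD    $role -> $($desiredKeys[$k].UPN) @ $scope"
    if ($Enforce) {
        New-AzRoleAssignment -ObjectId $id -RoleDefinitionName $role -Scope $scope -ErrorAction Stop | Out-Null
    }
}
foreach ($k in $toRemove) {
    $a = $actualKeys[$k]
    Write-Host "REMOVE $($a.RoleDefinitionName) -> $($a.DisplayName) [$($a.ObjectType)] @ $($a.Scope)"
    if ($Enforce) {
        Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName $a.RoleDefinitionName -Scope $a.Scope
    }
}

$mode = if ($Enforce) { 'applied' } else { 'report only' }
Write-Host "Drift: $($toAdd.Count) missing, $($toRemove.Count) unexpected ($mode)"
```

Two things to settle before setting $Enforce to $true. First, the file has to list every assignment at the managed scopes, service principals and managed identities included; anything absent is reported as unexpected, and the $me guard only protects a signed-in user, not an automation identity running under its own service principal. Second, run the report mode from the pull request that changes the file, so reviewers see the exact ADD and REMOVE lines the merge will produce.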

Summary

Treating RBAC assignments as code, defined in a file, applied through automation, and reviewed in pull requests, is the most reliable way to keep large Azure environments secure and compliant. Schedule the audit weekly to catch drift before it becomes an audit finding, and treat the enforcement identity itself as privileged: it holds User Access Administrator, so scope it as narrowly as possible and keep its own assignments under the same review.