How to Audit Azure RBAC Role Assignments

Misconfigured access controls are responsible for 80% of breaches. Regularly auditing Azure Role-Based Access Control (RBAC) can protect your cloud environment and ensure compliance with regulations like GDPR, HIPAA, and PCI DSS. Here’s how you can get started:

Key Steps to Audit RBAC:

1. Use Azure Activity Logs: Track changes to role assignments or definitions. Filter logs for actions like "Create role assignment" or "Delete role assignment" to identify permission changes.
2. Automate Audits with Azure CLI/PowerShell:
   • Use az role assignment list to retrieve role assignments for users, groups, or service principals.
   • Check nested group memberships for inherited permissions.
   • Export audit data to CSV for further analysis.
3. Leverage Privileged Identity Management (PIM):
   • Configure time-limited access for sensitive roles.
   • Conduct regular PIM access reviews to ensure permissions remain appropriate.
   • Extend audit log retention by routing PIM logs to Azure Monitor.

Best Practices:

• Follow Least Privilege: Grant only the permissions users or applications need.
• Schedule Regular Audits: Quarterly reviews work well for most organisations.
• Document Changes: Keep detailed records of role assignments and justifications.

Why It Matters: The average cost of a data breach for small businesses is £2.7 million. Regular RBAC audits reduce risks, improve security, and ensure compliance.

Read on for detailed steps, tools, and techniques to simplify your Azure RBAC audits.

Azure Governance 101 - Auditing with Activity Log

Using Azure Activity Logs to Track Role Changes

Azure Activity Logs are a reliable way to monitor changes to Role-Based Access Control (RBAC) settings. According to Microsoft, "Anytime someone makes changes to role assignments or role definitions within your subscriptions, the changes get logged in Azure Activity Log". These logs store data for up to 90 days, making them a useful resource for investigating suspicious activity or reviewing changes to permissions. Let’s look at how you can locate and use these logs via the Azure Portal.

Finding Activity Logs in the Azure Portal

To access the logs, head to the Azure Portal and navigate to Monitor > Activity Log. Here, you’ll find a chronological list of administrative actions across your subscriptions, with the most recent events displayed first. Keep in mind that timestamps are recorded in UTC, so you may need to convert them to GMT or BST for UK-based operations.

If your organisation manages multiple subscriptions, you can streamline your view by selecting a specific subscription from the dropdown menu. This is especially handy for businesses that maintain separate environments for development, staging, and production.

Filtering Logs for RBAC Events

To zero in on RBAC-related activities, start by setting the Event Category filter to "Administrative". This captures RBAC operations alongside other management actions. Then, use the Operation field to narrow the focus further. Key operations to look out for include:

• Create role assignment – Indicates new permissions were granted.
• Delete role assignment – Tracks when permissions were revoked.
• Create or update custom role definition – Logs changes to custom roles.
• Delete custom role definition – Marks the removal of custom roles.

For even greater precision, filter the Resource Provider field to "Microsoft.Authorization". This step removes unrelated administrative events from your search. Additionally, use the Timespan selector to focus on specific periods of interest, but don’t forget to adjust for the UK time zone when setting your parameters. Once filtered, the logs will be ready for detailed analysis to confirm RBAC changes.

Reading Log Entries and Key Properties

To make sense of the logs, it’s essential to understand their structure and key properties. Each RBAC-related entry contains several important details. The "authorization:action" property shows the specific operation performed, such as "Microsoft.Authorization/roleAssignments/write" for creating a role assignment. Meanwhile, the "authorization:scope" property reveals where the action took place - whether at the subscription, resource group, or resource level.

The "caller" property identifies the user or principal who initiated the change. Cross-check this against your change management records to spot any unauthorised activity. The "eventTimestamp" property logs when the action occurred, while "status:value" indicates whether it was successful, failed, or still in progress.

For tracking related operations within a single task, the "correlationId" and "operationId" properties are invaluable. Finally, the "properties" field provides a deeper dive into the event, offering details about the principal, role definition, and scope of the assignment. This level of granularity is crucial for assessing the security impact of the change.

Auditing Role Assignments with Azure CLI and PowerShell

Azure CLI and PowerShell are powerful tools for auditing role-based access control (RBAC) in Azure. They allow organisations to automate audits and maintain detailed logs, which is particularly useful for managing multiple subscriptions or ensuring compliance. These tools complement the Azure Portal by enabling automated and repeatable auditing processes.

Listing Role Assignments for Users or Groups

To retrieve role assignments programmatically, the Azure CLI command az role assignment list is your go-to option. As Microsoft explains, "To determine what resources users, groups, service principals, or managed identities have access to, you list their role assignments".

For instance, to audit a user's role assignments, you can use the --assignee parameter with their email address or object ID. Here's an example command for checking assignments for the user patlong@contoso.com across all scopes:

az role assignment list --all --assignee patlong@contoso.com --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'

This command returns a JSON output detailing the principalName, roleDefinitionName, and scope. Adding the --all parameter ensures that assignments across the subscription and its child resources are included. If you also want to see inherited assignments from parent scopes, you can include the --include-inherited parameter.

For auditing group-based role assignments, the --include-groups parameter is essential. This captures roles assigned through Azure AD group membership, which is particularly important as users may inherit permissions indirectly via group roles.

Checking Nested Group Memberships

Nested group structures can complicate RBAC audits since default commands only show direct group memberships. As noted, "Nested groups are natural ways to organise permissions in on-prem and Azure Active Directory. However, reporting these groups are tricky as the Get-ADGroupMember (for on-prem AD) or Get-AzADGroupMember (for Azure AD) do not return members of nested groups by default."

To overcome this, PowerShell scripts can be used to recursively explore nested group memberships. Start by identifying the top-level group with the Get-AzureADGroup cmdlet to retrieve its ObjectID. Then, use Get-AzADGroupMember to find nested groups and iterate through them. By repeating this process, you can uncover all user accounts that inherit permissions through the group hierarchy. This recursive approach is critical for compliance, as it ensures no inherited permissions go unnoticed.

Exporting Audit Data to CSV Files

Once you've gathered detailed role assignment data, exporting it into a CSV file allows for further analysis and integration with compliance tools. PowerShell's Export-Csv cmdlet makes this process straightforward. For UK organisations, ensure the export uses semicolon delimiters instead of commas to align with local Excel settings.

The Get-AzRoleAssignment cmdlet is used to retrieve role assignments, which can then be filtered and exported. Parameters like -Scope, -SignInName, or -ResourceGroupName help narrow down the results. Use Select-Object to include key details such as RoleDefinitionName, DisplayName, SignInName, and Scope.

To meet UK-specific requirements, consider automating the export process with a PowerShell script. This script can handle multiple subscriptions, specify output paths, and include logic to expand group memberships. Adding timestamps in GMT or BST and date stamps in the filenames ensures the audit data is properly organised for compliance purposes. This comprehensive approach provides a reliable record for reviews and trend analysis.

Setting Up Privileged Identity Management (PIM) for Better Auditing

Building on the principles of Role-Based Access Control (RBAC) auditing, Azure Privileged Identity Management (PIM) takes security a step further by managing privileged access more effectively. With features like just-in-time access and detailed audit trails, PIM ensures that high-risk roles are only activated when absolutely necessary. This approach minimises exposure while maintaining a comprehensive record of all activations and actions taken. Below, we’ll explore how to configure time-limited access, conduct regular reviews, and securely store audit data.

Configuring PIM for Time-Limited Role Access

Time-limited role access in PIM involves setting up activation parameters and defining strict time limits. These settings can be customised for each role depending on the level of sensitivity and the permissions involved.

To start, navigate to the Azure portal, open the Azure AD Privileged Identity Management section, and select the role you want to configure. Each role and resource can have its own tailored settings, offering precise control over activation requirements.

You can specify activation durations ranging from 1 to 24 hours, with shorter windows recommended for highly sensitive roles like Global Administrator. To add another layer of security, enforce multi-factor authentication (MFA) and require users to provide a business justification and ticket details upon activation. For critical roles, you can even mandate approval from at least two approvers before activation is granted. Additionally, time-bound eligible assignments allow users to activate roles only within a specified start and end date range.

Once time-limited access is configured, it’s essential to establish a process for regular reviews to ensure that role assignments remain appropriate over time.

Running Regular PIM Access Reviews

PIM access reviews are a structured way to periodically check whether users still need their privileged roles. Microsoft advises conducting these reviews regularly, as team shifts and role accumulation can lead to unnecessary or outdated access.

Frequency matters - most organisations in the UK find quarterly reviews sufficient, but industries with stricter regulations, like financial services, may benefit from more frequent checks. PIM sends automatic notifications to reviewers at the start of each review cycle, ensuring the process is consistent and timely.

During the review, permissions are recorded as they stand at the beginning of the cycle. Any changes made during the review are automatically reflected in future cycles. Reviewers can be assigned based on organisational structure: for Azure resource roles, you’ll need Owner or User Access Administrator permissions, while Microsoft Entra roles require at least Privileged Role Administrator access. Involving direct managers and security team members often leads to more thorough oversight.

The review interface simplifies decision-making with smart recommendations, highlighting whether access should be retained or revoked. Progress and outcomes are clearly displayed, and users whose access is denied are typically removed from roles shortly after the review concludes. These changes are logged, adding another layer of accountability.

Storing PIM Audit Trails for Compliance

PIM’s audit history provides a detailed view of role activations and assignments, but the default retention period is just 30 days. For organisations in the UK dealing with GDPR or other regulatory requirements, longer retention periods are crucial. To address this, you can configure Azure Monitor to route PIM audit logs to an Azure storage account, enabling extended retention.

The audit logs capture key details such as who activated privileged roles, when the activations occurred, and the actions performed. This level of detail is invaluable for compliance reporting and investigating security incidents.

Using Azure Monitor and Log Analytics, you can collect and analyse audit trails in real time. Set up automated alerts for critical activities, such as non-PIM role assignments or disabled MFA. Alerts can be configured to send email notifications or integrate with SIEM systems via the Graph API for enhanced monitoring. For real-time analysis of access patterns, consider connecting Microsoft Entra logs to tools like Microsoft Sentinel or Azure Event Hubs. If your organisation uses third-party SIEM solutions like Splunk, PIM audit data can also be exported for broader security analytics and incident management.

Ensure that all audit data is exported in a format ready for analysis, making it easier to meet compliance requirements and improve security operations.

Best Practices for RBAC Management

Building on the auditing techniques discussed earlier, implementing these best practices can help you manage Role-Based Access Control (RBAC) more effectively. By establishing clear processes and maintaining consistent oversight, you can ensure your Azure environment remains secure and aligned with compliance requirements. These steps work hand-in-hand with earlier methods to create a comprehensive RBAC audit framework.

Creating a Regular Audit Schedule

Set up a consistent schedule for audits, such as quarterly reviews, to align with UK business cycles and compliance reporting needs. Azure's Access Reviews feature is a great tool for automating much of this process. It can send notifications to reviewers, track progress, and flag discrepancies for remediation. Keeping a regular rhythm is key - one that your team can stick to. For smaller businesses, starting with bi-annual reviews and increasing the frequency as your Azure usage expands might be more practical.

Document all audit findings and actions taken, using tools like spreadsheets or Azure-generated reports. This not only supports compliance but also helps identify recurring issues that may need addressing. Assign clear responsibilities for the audits and set calendar reminders to ensure they’re conducted on time.

Following Least Privilege Access Rules

Applying the principle of least privilege is one of the most effective ways to reduce your organisation's attack surface. This means granting users and applications only the permissions they need to perform their roles - nothing more. Account compromise, particularly for users with elevated privileges, is a major security risk.

Start by auditing permissions to identify and remove unnecessary access. Replace overly broad roles with more specific ones tailored to the tasks at hand. For applications and service accounts, review API calls and adjust their permissions to align with the least privilege principle.

Consider adding just-in-time access for roles that don’t require constant permissions. This approach grants access only when needed and automatically revokes it afterward, minimising exposure windows. Regularly re-evaluate permissions, especially when team members switch roles or leave the organisation. Periodic spot checks can help ensure that access remains appropriate and secure.

Working with Teams on RBAC Changes

Effective RBAC management often requires collaboration across teams. Assigning roles to groups rather than individual users can simplify management and scale better as your organisation grows. For example, when a new employee joins, adding them to the appropriate group is far more efficient than configuring permissions individually.

Establish clear approval workflows for all RBAC changes. Tools like Microsoft Teams can be used to create dedicated channels for access requests and approvals, providing a transparent audit trail. This ensures that changes are reviewed by multiple stakeholders before implementation.

Where possible, delegate access management tasks to department heads or team leads. This reduces the burden on central IT teams and empowers departments to manage their own resources. However, maintain oversight through regular reporting and audits to ensure compliance.

Avoid granting overly broad roles, even if it seems more convenient initially. Instead, segregate duties within your team to reduce risk. When creating custom roles, involve end-users to ensure the roles are accurate and not overly permissive.

Finally, document all RBAC changes with detailed business justifications. This not only helps future administrators understand the reasoning behind specific permissions but also proves invaluable during audits.

Conclusion

Keeping a close eye on Azure RBAC role assignments is a must for safeguarding your cloud resources. Misconfigured access controls are responsible for a staggering 80% of breaches, highlighting just how critical regular audits are.

To recap the key points, tools like Azure Activity Logs, Azure CLI/PowerShell, and Privileged Identity Management (PIM) work together to offer continuous oversight of your access controls. This proactive approach not only enhances security but also helps organisations comply with regulations that require strict control over privileged access.

For organisations with fewer than 500 employees, the average cost of a data breach is a jaw-dropping £2.7 million. Clearly, prevention is far more cost-effective than dealing with the aftermath. Regularly auditing RBAC settings ensures accountability within your team and helps address the root causes of breaches. In fact, unauthorised access has been the leading cause of breaches for three years running, accounting for 43% of incidents in 2020.

By consistently reviewing role assignments, removing unnecessary permissions, and ensuring former employees no longer have access, you’re tackling some of the most common attack vectors head-on. Combining automated tools like PIM with manual oversight adds multiple layers of protection. Microsoft underscores this in their Azure Policy documentation:

"Azure Policy ensures that resource state is compliant to your business rules without concern for who made the change or who has permission to make a change."

This same principle applies to your RBAC strategy: consistent governance is key to maintaining a secure environment, no matter who’s managing it. Auditing RBAC roles isn’t a one-time task - it’s an ongoing commitment. With the right mix of automated tools and regular reviews, you’re building a scalable and secure foundation for your Azure environment.

FAQs

How can I ensure my Azure RBAC role assignments meet compliance requirements like GDPR and HIPAA?

To keep your Azure RBAC role assignments aligned with regulations like GDPR and HIPAA, it's crucial to carry out regular audits of both role assignments and permissions. Tools like Activity Logs can help you monitor changes, while Azure Policy allows you to enforce compliance with established security standards.

Implement the principle of least privilege, ensuring users only have access necessary for their specific roles. This approach limits the chances of unauthorised access, safeguards sensitive information such as Protected Health Information (PHI), and meets GDPR's data protection requirements. Consistently reviewing and updating permissions is key to protecting your Azure environment and staying compliant.

What are the advantages of using Privileged Identity Management (PIM) for managing Azure RBAC roles?

Privileged Identity Management (PIM) in Azure

Privileged Identity Management (PIM) simplifies the management of Azure RBAC roles while strengthening security. Here's how it helps:

• Just-in-Time (JIT) access: Roles are activated only when they're needed, cutting down on unnecessary or excessive permissions.
• Time-limited and approval-based activation: Role assignments can be set to expire or require approval, reducing the risks tied to prolonged elevated access.
• Improved security and monitoring: Every privileged action is logged and monitored, ensuring compliance with security policies.
• Regular access reviews: PIM supports the principle of least privilege by helping organisations review and adjust elevated permissions regularly.

With PIM, organisations can tighten security, minimise risks of unauthorised access, and maintain better oversight of privileged accounts in Azure.

How often should I review Azure RBAC role assignments to ensure security and compliance?

To keep your security and compliance measures in check, it's a good idea to review Azure RBAC role assignments every 3 to 6 months. These regular audits ensure that permissions stay in line with current roles, responsibilities, and the evolving needs of your organisation.

If your business operates in a fast-paced environment with frequent role changes, conducting reviews every quarter might be a smarter approach. Taking a proactive stance with these audits can help reduce risks and ensure you're adhering to security best practices.

Related posts

• 5 Azure Security Best Practices for SMBs
• Ultimate Guide to Azure Data Security Auditing
• Azure Custom Roles: Least Privilege Setup Guide
• Azure RBAC: Cost-Saving Best Practices