As part of the AZ-104 exam, you need to be familiar with role-based access control. As we have seen, using the built-in roles or creating your own custom roles is not too difficult. However, how do we list out members of each role assignment in Microsoft Entra ID? Let’s look at how to enumerate the role assignments in Entra ID and why this is important.
Understanding Role Assignments
One of the first things you will want to consider when looking at role assignments is the scope of the assignment. Roles assigned at the organization-wide level appear in the single application roles list. However, roles assigned to a single application do not appear in the organization-wide roles list.
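The scope rule above, modelled on constructed records as an added example (not from the original article). The field names follow Microsoft Graph's unifiedRoleAssignment, with "/" as the organization-wide directoryScopeId; every ID and the ROLE_NAMES map are made-up placeholders.

```python
from collections import defaultdict

ORG_WIDE = "/"  # directoryScopeId used for organization-wide assignments

# Constructed records shaped like Microsoft Graph unifiedRoleAssignment objects.
# Every ID below is a made-up placeholder; real ones are GUIDs.
ROLE_NAMES = {
    "role-app-admin": "Application Administrator",
    "role-cloud-app-admin": "Cloud Application Administrator",
}
ASSIGNMENTS = [
    {"principalId": "user-alice", "roleDefinitionId": "role-app-admin", "directoryScopeId": "/"},
    {"principalId": "user-bob", "roleDefinitionId": "role-app-admin", "directoryScopeId": "/"},
    {"principalId": "user-carol", "roleDefinitionId": "role-cloud-app-admin", "directoryScopeId": "/app-obj-1"},
    {"principalId": "user-dave", "roleDefinitionId": "role-app-admin", "directoryScopeId": "/app-obj-2"},
]


def _group(assignments):
    """Collapse assignment records into {role name: sorted principal IDs}."""
    view = defaultdict(set)
    for a in assignments:
        view[ROLE_NAMES[a["roleDefinitionId"]]].add(a["principalId"])
    return {role: sorted(members) for role, members in sorted(view.items())}


def org_wide_view(assignments):
    """What the organization-wide roles list shows: assignments scoped to a
    single application are excluded."""
    return _group(a for a in assignments if a["directoryScopeId"] == ORG_WIDE)


def app_view(assignments, app_scope):
    """What one app registration's roles list shows: its own scoped
    assignments plus the organization-wide ones."""
    return _group(a for a in assignments
                  if a["directoryScopeId"] in (ORG_WIDE, app_scope))


def hidden_from_org_view(assignments):
    """Assignments an audit misses if it reads only the organization-wide list."""
    return [(a["principalId"], ROLE_NAMES[a["roleDefinitionId"]], a["directoryScopeId"])
            for a in assignments if a["directoryScopeId"] != ORG_WIDE]


if __name__ == "__main__":
    print("organization-wide list:", org_wide_view(ASSIGNMENTS))
    print("list for /app-obj-1:", app_view(ASSIGNMENTS, "/app-obj-1"))
    print("missed by an org-wide-only audit:", hidden_from_org_view(ASSIGNMENTS))
```

An audit that exports only the organization-wide list would miss user-carol and user-dave here, which is why the per-application view is worth checking as well.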
Listing Roles and Assignments using the Microsoft Entra Admin Center
The Microsoft Entra Admin Center makes it easy to see roles and their assignments. One of the first things you can check is the role your own user currently holds.
Navigate to Microsoft Entra ID > Roles and administrators. At the top, you will see the designation Your role. Here, the user I am logged in with is a Global Administrator.
Viewing role assignments for a particular user or group
We can also look at the role assignments for a particular user in Microsoft Entra ID. Click on a user in Microsoft Entra ID.
Next, click on the Assigned roles link on the left. This will display Administrative roles the user has been assigned. Below we see the user is a part of the Application Administrators and Helpdesk Administrators roles.
You can also do the same thing with groups. When you click on a group, you can navigate to the Roles and administrators link. Here you will see if there are any roles and administrators assigned to the group.
Viewing and downloading assignments from a role
We can also take the opposite approach by clicking the role we want to view the assignments for and clicking Assignments. Below, we can see that the Application Administrator assignment contains two users from Microsoft Entra ID.
Another thing we can do from this screen is Download assignments. Click the Download assignments button to begin creating a file to download, containing all the assignments for the particular role.
Choose the name of the resulting CSV file or simply accept the auto-generated name and click Start.
You will receive a note when the file is ready. Click the link to download.
Viewing assignments for App registrations
Another handy capability you have from the application perspective is listing role assignments with a single application scope. This allows you to easily pinpoint which roles are assigned to a specific application.
Navigate to the Microsoft Admin Center > App registrations > All applications.
After you click on a specific app in the All applications list, you will see a screen that looks like the following. Click the Roles and administrators link. Click the role listed.
We can see the Assignments for the Cloud Application Administrator shown. Here we see that no users are assigned this role. From this screen, we can Add assignments or Remove assignments.
Viewing role assignments from a Resource group level
You can also view role assignments from the resource group level in the Azure portal. Search and find Resource groups. Launch the resource groups dashboard. Click on a specific resource you have listed under the Resource groups blade. Then click the Access control (IAM) link. Finally, click the Role assignments link.
It will display the number of role assignments for this subscription, the number of privileged role assignments, along with the roles and permissions.
Wrapping up
Viewing role assignments in Microsoft Entra ID and Microsoft Azure is an important part of maintaining role-based access control in your environment. Using the steps listed, you can view the roles and assignments of your own user, other users, groups, applications, and even at the resource level in Microsoft Azure.
This can be helpful when troubleshooting permissions or other access issues and also helps to bolster the overall security and auditing of the environment.