As part of the AZ-104 exam, you need to be familiar with role-based access control. As we have seen, using the built-in roles or creating your own custom roles is not too difficult. However, how do we list out members of each role assignment in Microsoft Entra ID? Let’s look at how to enumerate the role assignments in Entra ID and why this is important.

Understanding Role Assignments

One of the first things you will want to consider when looking at role assignments is the scope of the assignment. Roles assigned at the organization-wide level appear in the single application roles list. However, roles assigned to a single application do not appear in the organization-wide roles list.


Listing Roles and Assignments using the Microsoft Entra Admin Center

Microsoft makes it easy to see roles and their assignments in the Microsoft Entra Admin Center. One of the first things you can check is the role your own user currently holds.

Navigate to Microsoft Entra ID > Roles and administrators. At the top of the page you will see the designation Your role. Here, the user I am logged in with is a Global Administrator.


Viewing the role of the currently logged in user in the Microsoft Entra Admin Center


Viewing role assignments for a particular user or group

We can also look at the role assignments for a particular user in Microsoft Entra ID. Click on a user in Microsoft Entra ID.


Selecting a user in Microsoft Entra ID

Next, click on the Assigned roles link on the left. This will display Administrative roles the user has been assigned. Below we see the user is a part of the Application Administrators and Helpdesk Administrators roles.


Viewing roles a user has been assigned

You can also do the same thing with groups. When you click on a group, you can navigate to the Roles and administrators link. Here you will see if there are any roles and administrators assigned to the group.


Viewing and downloading assignments from a role

We can also take the opposite approach: click the role whose assignments we want to view, then click Assignments. Below, we can see that the Application Administrator assignment contains two users from Microsoft Entra ID.


Viewing the assignments as part of a specific role in Microsoft Entra ID

Another thing we can do from this screen is Download assignments. Click the Download assignments button to begin creating a file to download, containing all the assignments for the particular role.


Click Download assignments to download the objects assigned to this role

Choose the name of the resulting CSV file or simply accept the auto-generated name and click Start.


Beginning the process to download the role assignments

You will receive a note when the file is ready. Click the link to download.


Download the CSV file of the role assignments

Viewing assignments for App registrations

Another handy capability you have from the application perspective is listing role assignments with a single application scope. This allows you to easily pinpoint which roles are assigned to a specific application.

Navigate to the Microsoft Admin Center > App registrations > All applications.


Viewing your app registrations in Microsoft Entra ID

After you click on a specific app in the All applications list, you will see a screen that looks like the following. Click the Roles and administrators link. Click the role listed.


Viewing the administrative role listed for the app registration

We can see the Assignments for the Cloud Application Administrator shown. Here we see that no users are assigned this role. From this screen, we can Add assignments or Remove assignments.


Viewing assignments for a particular role assigned to an app registration
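
The portal views above can also be produced in one pass for audit purposes. The following is an added example, not part of the original walkthrough: it uses the Microsoft Graph PowerShell SDK to enumerate every directory role assignment, separates organization-wide assignments from those scoped to a single app registration, and exports the result to CSV. The app object ID and the output file name are placeholders chosen for illustration.

```powershell
# Added example. Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Read-only delegated scopes are sufficient for enumeration.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Placeholder (assumption): object ID of the app registration to inspect.
$AppObjectId = '00000000-0000-0000-0000-000000000000'

# Lookup table: role definition ID -> role display name.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object {
    $roleNames[$_.Id] = $_.DisplayName
}

# Enumerate every directory role assignment and resolve the principal behind it.
$report = Get-MgRoleManagementDirectoryRoleAssignment -All | ForEach-Object {
    # A principal that no longer exists resolves to nothing; keep the row anyway.
    $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId -ErrorAction SilentlyContinue
    $props = if ($principal) { $principal.AdditionalProperties } else { @{} }
    [pscustomobject]@{
        Role          = $roleNames[$_.RoleDefinitionId]
        Principal     = $props['displayName']
        PrincipalType = "$($props['@odata.type'])" -replace '^#microsoft\.graph\.', ''
        PrincipalId   = $_.PrincipalId
        Scope         = $_.DirectoryScopeId   # '/' = organization-wide
    }
}

# Organization-wide view: assignments whose scope is the whole directory.
$orgWide = $report | Where-Object { $_.Scope -eq '/' }

# Single-application view: the app's own assignments plus the organization-wide
# ones, following the scope rule described under Understanding Role Assignments.
$appView = $report | Where-Object { $_.Scope -eq '/' -or $_.Scope -eq "/$AppObjectId" }

$orgWide | Sort-Object Role, Principal | Format-Table Role, Principal, PrincipalType
$appView | Sort-Object Scope, Role | Format-Table Role, Principal, Scope

# Scripted counterpart of the Download assignments button, covering all roles at once.
$report | Export-Csv -Path .\entra-role-assignments.csv -NoTypeInformation
```

Rows with an empty Principal column point at assignments whose principal could not be resolved and are worth reviewing first.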

Viewing role assignments from a Resource group level

You can also view role assignments from the resource group level in the Azure portal. Search and find Resource groups. Launch the resource groups dashboard. Click on a specific resource you have listed under the Resource groups blade. Then click the Access control (IAM) link. Finally, click the Role assignments link.

It will display the number of role assignments for this subscription, the number of privileged role assignments, along with the roles and permissions.


Viewing role assignments at the resource group level

Wrapping up

Reviewing role assignments in Microsoft Entra ID and Microsoft Azure is an important part of maintaining role-based access control in your environment. Using the steps listed, you can view the Roles and Assignments of your own user, other users, groups, applications, and even at the resource level in Microsoft Azure.

This can be helpful when troubleshooting permissions or other access issues and also helps to bolster the overall security and auditing of the environment.
