Problem

Whenever an identity principal in Azure gets access to a resource, what happens in reality is that it’s assigned a role defitinion on a defined scope.

When that identity principal is removed, the assignment will still linger and show up under the IAM portion as the image below shows:

Solution

# ObjectType will be unknown
$objectType = "Unknown"
$orphanedIdentities = Get-AzRoleAssignment | Where-object -Property ObjectType -eq $objectType
foreach($identity in $orphanedIdentities) {
   # Role assignment removals will require the principal, definition name/id and scope of assignment to work
   Remove-AzRoleAssignment -ObjectId $identity.ObjectId -RoleDefinitionName $identity.RoleDefinitionName -Scope $identity.Scope
}

I’ve seen plenty of solutions for this, using both scripts as I’ve done above and policies. I’ve added links below to check out if you want to remove using policies, but I think the most simple solution would be to implement a simple script in a scheduled pipeline run.

Source

• Script
• Stackoverflow thread
• Removing Unknown Azure RBAC Role Assignments with PowerShell @ jloudon.com
• Orphaned Azure Security Principals Clean-up & Azure Policy Managed Identity Role Assignment Automation