Whenever an identity principal in Azure gets access to a resource, what happens in reality is that it’s assigned a role defitinion on a defined scope.

When that identity principal is removed, the assignment will still linger and show up under the IAM portion as the image below shows:


# ObjectType will be unknown
$objectType = "Unknown"
$orphanedIdentities = Get-AzRoleAssignment | Where-object -Property ObjectType -eq $objectType
foreach($identity in $orphanedIdentities) {
   # Role assignment removals will require the principal, definition name/id and scope of assignment to work
   Remove-AzRoleAssignment -ObjectId $identity.ObjectId -RoleDefinitionName $identity.RoleDefinitionName -Scope $identity.Scope

I’ve seen plenty of solutions for this, using both scripts as I’ve done above and policies. I’ve added links below to check out if you want to remove using policies, but I think the most simple solution would be to implement a simple script in a scheduled pipeline run.