Table: azure_role_assignment - Query Azure Role Assignments using SQL
Azure Role Assignments are a critical component of Azure's access control capabilities. They determine what actions a security principal (like a user, group, or service principal) can perform on a specific Azure resource. Each role assignment is a combination of a security principal, a role definition, and a scope.
Table Usage Guide
The azure_role_assignment
table provides insights into role assignments within Azure. As a security administrator, you can explore details of role assignments through this table, including the assigned roles, the associated security principals, and the scope of the assignments. Use it to monitor and manage access control within your Azure environment, ensuring that only the appropriate users, groups, or service principals have access to specific resources.
Examples
Basic info
Explore which roles are assigned to different principals in your Azure environment. This can help you manage access control and understand who has permissions to what resources, enhancing your security posture.
select name, id, principal_id, principal_typefrom azure_role_assignment;
select name, id, principal_id, principal_typefrom azure_role_assignment;
List of role assignments which has permission at root level
Discover the segments that are assigned roles with root level access. This is useful for auditing security and access controls in your Azure environment.
select name, id, scopefrom azure_role_assignmentwhere scope = '/';
select name, id, scopefrom azure_role_assignmentwhere scope = '/';
List of role assignments which has subscription level permission and full access to the subscription
This query is useful for identifying roles that have full access permissions at the subscription level within your Azure environment. It helps in maintaining security and managing access by revealing potential over-permissions.
select ra.name as roll_assignment_name, rd.role_namefrom azure_role_assignment ra join azure_role_definition rd on ra.role_definition_id = rd.id cross join jsonb_array_elements(rd.permissions) as permwhere ra.scope like '/subscriptions/%' and perm -> 'actions' = '["*"]';
select ra.name as roll_assignment_name, rd.role_namefrom azure_role_assignment ra join azure_role_definition rd on ra.role_definition_id = rd.id, json_each(rd.permissions) as permwhere ra.scope like '/subscriptions/%' and json_extract(perm.value, '$.actions') = '["*"]';
Query examples
Control examples
- A maximum of 3 owners should be designated for your subscription
- All Controls > Active Directory > IAM users should not have built in contributor role
- Blocked accounts with owner permissions on Azure resources should be removed
- Blocked accounts with read and write permissions on Azure resources should be removed
- CIS v2.1.0 > 1 Identity and Access Management > 1.2 Conditional Access > 1.2.7 Ensure Multifactor Authentication is Required to access Microsoft Admin Portals
- CIS v3.0.0 > 2 Identity > 2.2 Conditional Access > 2.2.8 Ensure Multifactor Authentication is Required to access Microsoft Admin Portals
- Guest accounts with owner permissions on Azure resources should be removed
- Guest accounts with read permissions on Azure resources should be removed
- Guest accounts with write permissions on Azure resources should be removed
- There should be more than one owner assigned to your subscription
Schema for azure_role_assignment
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
cloud_environment | text | The Azure Cloud Environment. | |
created_on | timestamp with time zone | Time it was created. | |
id | text | = | Contains ID to identify a role assignment uniquely. |
name | text | The friendly name that identifies the role assignment. | |
principal_id | text | Contains the principal id. | |
principal_type | text | Principal type of the assigned principal ID. | |
role_definition_id | text | Name of the assigned role definition. | |
scope | text | Current state of the role assignment. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
title | text | Title of the resource. | |
type | text | Contains the resource type. | |
updated_on | timestamp with time zone | Time it was updated. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
You can pass the configuration to the command with the --config
argument:
steampipe_export_azure --config '<your_config>' azure_role_assignment