I've noticed some unknown managed identities and service principals assigned as owners and contributors at the subscription level. Their names seem like random strings of characters and numbers, which makes it hard to identify their purpose. I'm trying to figure out how to determine if we can safely remove them or what might happen if we unassign these roles. Any advice on how to investigate this?
8 Answers
One good way to start is by checking their sign-in logs and activity logs. This will help you see if they've actually done anything or if they're just sitting there inactive. If you notice no activity tied to them, that might give you more confidence in possibly removing their roles.
If you're using a Cloud Service Provider, check if the assigned principal ID shows up in your Entra Tenant when you run Get-AzRoleAssignment or az role assignment list. That can tell you a lot about whether it's safe to remove them.
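Putting the two suggestions above together (check the activity log for the principal, and check whether the principal ID resolves in the tenant the subscription trusts), here is an added PowerShell example; it is not code from this thread. It assumes the Az.Accounts, Az.Resources and Az.Monitor modules are installed, that you already ran Connect-AzAccount with rights to read role assignments, Entra service principals and the activity log, and that the subscription ID is a placeholder you replace.

```powershell
# Added example, not from the original thread. Placeholder subscription ID.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'
$LookbackDays   = 90                      # activity log retention is 90 days
$scope          = "/subscriptions/$SubscriptionId"
$start          = (Get-Date).AddDays(-$LookbackDays)

# 1. Subscription-level Owner/Contributor assignments held by non-human principals.
#    Assignments inherited from a management group may be returned too; the
#    Scope property tells you where each one actually lives.
$assignments = Get-AzRoleAssignment -Scope $scope |
    Where-Object {
        $_.RoleDefinitionName -in @('Owner', 'Contributor') -and
        $_.ObjectType -in @('ServicePrincipal', 'Unknown')
    }

$report = foreach ($ra in $assignments) {
    # 2. Try to resolve the principal in this tenant. ObjectType 'Unknown' with
    #    an empty DisplayName usually means the identity was deleted (orphaned
    #    assignment) or lives in another tenant (e.g. a Lighthouse delegation).
    $sp = Get-AzADServicePrincipal -ObjectId $ra.ObjectId -ErrorAction SilentlyContinue

    # For managed identities the AlternativeName list typically carries the ARM
    # resource ID of the resource the identity belongs to (system-assigned) or
    # of the user-assigned identity resource itself. That tells you what the
    # random-looking name is actually for.
    $sourceResource = $null
    if ($sp -and $sp.ServicePrincipalType -eq 'ManagedIdentity') {
        $sourceResource = @($sp.AlternativeName | Where-Object { $_ -like '/subscriptions/*' })[0]
    }

    # 3. Has the principal done anything in this subscription recently?
    #    The activity log's Caller field may hold the object ID or the app ID
    #    for a service principal, so query both.
    $events = @()
    foreach ($caller in @($ra.ObjectId, $sp.AppId) | Where-Object { $_ }) {
        $events += Get-AzActivityLog -Caller $caller -StartTime $start -MaxRecord 50 -ErrorAction SilentlyContinue
    }
    $lastEvent = @($events) | Sort-Object EventTimestamp -Descending | Select-Object -First 1

    [pscustomobject]@{
        Role           = $ra.RoleDefinitionName
        AssignedAt     = $ra.Scope
        Inherited      = ($ra.Scope -ne $scope)
        ObjectId       = $ra.ObjectId
        ResolvedType   = $(if ($sp) { $sp.ServicePrincipalType } else { 'NOT FOUND (orphaned or foreign tenant)' })
        DisplayName    = $sp.DisplayName
        AppId          = $sp.AppId
        SourceResource = $sourceResource
        EventCount     = @($events).Count
        LastActivity   = $lastEvent.EventTimestamp
    }
}

# Least active first: those are the removal candidates to look at.
$report | Sort-Object EventCount | Format-Table -AutoSize
```

Two caveats when reading the output. The activity log only records control-plane (ARM) operations, so an identity that uses its Contributor rights to fetch keys or connection strings and then talks to a service's data plane will show those data-plane calls only in that resource's diagnostic logs, not here; the Entra sign-in logs (the managed-identity sign-ins view) give a second signal but are retained for at most 30 days with P1/P2 licensing. And an assignment whose Scope is a management group cannot be removed at the subscription; it has to be removed where it was granted. Once you are satisfied an assignment is dead, `Remove-AzRoleAssignment -ObjectId <id> -RoleDefinitionName <role> -Scope <scope>` removes only that assignment and leaves the identity in place, and `New-AzRoleAssignment` with the same three values restores it, which makes removing the role a reversible first step compared with deleting the identity.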
Make sure to check if these are 'Foreign Groups' before deleting them. If they are, it's better to leave them alone as they might impact something in ways you can't predict right now.
Interesting! Actually, the Type column does say Managed Identity, and when I click on it, it redirects me to an Enterprise Application with the same name but no sign-in activity. Does that change anything?