Thursday, April 2, 2026

Azure CLI Commands for Role Assignment Analysis Using JSON and JQ

This post provides useful Azure CLI commands combined with JSON output and JQ to analyze role assignments and gather statistics, especially for Azure Event Hub (Kafka services) environments.

Azure Role Assignment Limit

Microsoft has a hard limit on the number of role assignments per subscription, which is currently set to 4000.

If roles are incorrectly assigned or if your company requires fine-grained access control on Event Hub topics and resources, you may run out of available role assignments within a subscription.

The following Azure CLI + JQ command helps you count role assignments by filtering only Azure Event Hub (Kafka-related) role assignments.

Command

az role assignment list --all --subscription <YOUR_SUBSCRIPTION> \
--query "[?contains(scope, 'Microsoft.EventHub/namespaces') && contains(scope, 'eventhubs/')]" \
-o json | jq '.[] | .roleDefinitionName' | sort | uniq -c | sort -rn

What this does

  • Lists all role assignments in the subscription

  • Filters Azure Event Hub namespace and eventhub scopes

  • Extracts role definition names

  • Counts role usage

  • Sorts roles by highest usage

This helps identify which roles consume the most assignments.


Get Azure Event Hub (Service Bus) Endpoints

This command retrieves Azure Event Hub namespace endpoints.


az eventhubs namespace list --subscription <YOUR_SUBSCRIPTION> \
| jq -r '.[].serviceBusEndpoint'


Azure Role Assignments Grouped by Provider

This command groups role assignments by Azure resource provider.

az role assignment list --all \
| jq '.[] | .id | split("providers")[1] | split("/")[1]' \
| sort | uniq -c | sort -rn


What this shows

  • Microsoft.EventHub

  • Microsoft.Storage

  • Microsoft.Compute

  • Microsoft.Network

This helps identify which Azure services consume the most role assignments.


Azure Role Assignments Based on Event Hub Naming Standards

Most organizations use naming standards such as:

com.xyz.abc.topic1
com.xyz.abc.topic2

If you need to list role assignments grouped by Event Hub naming pattern, you can use JQ and Unix commands.

Command

az role assignment list --all --subscription <YOUR_SUBSCRIPTION> --output json \
| jq '.[] | select(.id | contains("Microsoft.EventHub")) | .id | split("eventhubs")[1]' \
| tr -d '"' \
| tr -d '/' \
| cut -d. -f1-3 \
| sort | uniq -c | sort -rn

What this does

  • Filters Microsoft Event Hub role assignments

  • Extracts Event Hub name

  • Removes special characters

  • Groups by naming prefix

  • Counts occurrences

This helps:

  • Identify role assignment usage per domain

  • Detect over-provisioned topics

  • Optimize RBAC assignments
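The same grouping as a script suited to a scheduled audit, added here as an example and not part of the original post. It reads the scope field instead of splitting the id, so namespace-level assignments get their own bucket (the jq pipeline above reports them as "null"), and it expresses the Event Hub total as a share of the 4000 limit. The summarize function, the sample records and the rg-demo/ns-demo names are constructed for illustration.

```python
import json
import re
import sys
from collections import Counter

ROLE_ASSIGNMENT_LIMIT = 4000  # per-subscription limit quoted in the post

# The eventhubs segment is optional: an assignment can sit on the namespace.
EVENTHUB_SCOPE = re.compile(
    r"/providers/Microsoft\.EventHub/namespaces/[^/]+(?:/eventhubs/(?P<hub>[^/]+))?",
    re.IGNORECASE,
)

def summarize(assignments, prefix_parts=3):
    """Count Event Hub role assignments per naming prefix and per role."""
    by_prefix, by_role = Counter(), Counter()
    for a in assignments:
        m = EVENTHUB_SCOPE.search(a.get("scope") or "")
        if not m:
            continue  # assignment is not on an Event Hub scope
        hub = m.group("hub")
        # com.xyz.abc.topic1 -> com.xyz.abc; no hub means a namespace-level grant
        prefix = ".".join(hub.split(".")[:prefix_parts]) if hub else "<namespace-level>"
        by_prefix[prefix] += 1
        by_role[a.get("roleDefinitionName") or "<unknown>"] += 1
    eventhub = sum(by_prefix.values())
    return {
        "eventhub": eventhub,
        "limit_pct": round(100 * eventhub / ROLE_ASSIGNMENT_LIMIT, 2),
        "by_prefix": by_prefix,
        "by_role": by_role,
    }

# Constructed sample, shaped like `az role assignment list --all -o json`.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_NS = _SUB + "/resourceGroups/rg-demo/providers/Microsoft.EventHub/namespaces/ns-demo"
SAMPLE = [
    {"scope": _NS + "/eventhubs/com.xyz.abc.topic1", "roleDefinitionName": "Azure Event Hubs Data Sender"},
    {"scope": _NS + "/eventhubs/com.xyz.abc.topic2", "roleDefinitionName": "Azure Event Hubs Data Receiver"},
    {"scope": _NS + "/eventhubs/com.xyz.def.topic1/consumergroups/cg1", "roleDefinitionName": "Azure Event Hubs Data Receiver"},
    {"scope": _NS, "roleDefinitionName": "Azure Event Hubs Data Owner"},
    {"scope": _SUB, "roleDefinitionName": "Reader"},
]

if __name__ == "__main__":
    # Pass a file holding the az JSON output, or run with no argument for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    report = summarize(data)
    print(f"{report['eventhub']} Event Hub assignments = {report['limit_pct']}% of the limit")
    for prefix, count in report["by_prefix"].most_common():
        print(f"{count:6d}  {prefix}")
```

Save the output of the az role assignment list command above to a file and pass its path as the first argument.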


Azure Role Assignment Change Log

This command retrieves role assignment change logs within a given date range.

az role assignment list-changelogs \
--start-time 2025-12-31T01:01:00Z \
--end-time 2026-03-31T00:00:00Z \
| jq -r '.[].action' | sort | uniq -c


Output

120 Create
95 Delete
30 Update

This helps track:

  • RBAC changes

  • Audit activity

  • Role assignment growth

  • Governance monitoring


Login Using Azure Service Principal

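Use a Service Principal to authenticate Azure CLI for automation or CI/CD pipelines. Supply the secret from an environment variable or the pipeline's secret store rather than typing it on the command line, where it is saved to shell history and visible in the process list.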


az login \
--service-principal \
--username <APPLICATION_ID> \
--password <APPLICATION_SECRET> \
--tenant <TENANT_ID>

Useful for:

  • Automation scripts

  • CI/CD pipelines

  • Scheduled RBAC audits

  • Infrastructure monitoring


List Azure Subscriptions in Table Format

This command lists subscription names and IDs as tab-separated columns; use -o table instead for a formatted table with headers.

az account list --query "[].{name:name, id:id}" -o tsv

Output

Production xxxxx-xxxx-xxxx
Development xxxxx-xxxx-xxxx
QA xxxxx-xxxx-xxxx

Useful for:

  • Multi-subscription environments

  • Governance checks

  • Automation scripting


These Azure CLI and JQ commands help organizations monitor role assignments, track RBAC usage, and avoid hitting Azure subscription limits.

They are particularly useful in environments using Azure Event Hub and Kafka, where topic-level access control can quickly consume role assignment limits.

Using these commands regularly helps maintain governance, reduce RBAC sprawl, and ensure efficient Azure resource management.


