How to check permissions assigned to Managed Identity Access Token?

Question

How to check permissions assigned to Managed Identity Access Token?

Najam ul Saqib 400

Hi,

I have an automation account on which system-assigned managed identity is enabled. In Powershell, I can fetch the access token for this MI (by running run-job and during which fetching the MI's token) and later do actions on behalf of the identity once I authenticate using it with Connect-AzAccount

The question is, in the CLI/Powershell how can I check the permissions/roles assigned to the identity/token? I can obviously go to portal, and check IAM there but what if I want to achieve this in CLI?

2 answers

Your answer

Answer 1

Ashok Gandhi Kotnana 10,115 Microsoft External Staff Moderator

HI @Najam ul Saqib,

You can list the roles/permissions assigned to the managed identity using the Get-AzRoleAssignment cmdlet.

Step 1: Get the Object ID of the system-assigned managed identity

 $automationAccount = Get-AzAutomationAccount -ResourceGroupName "<RG-Name>" -Name "<AutomationAccount-Name>" $miPrincipalId = $automationAccount.Identity.PrincipalId

Artifacts below: -

User's image

Note: Principal Id is the Object ID of the managed identity in Azure AD.

Step 2: List role assignments for the managed identity

Get-AzRoleAssignment -ObjectId $miPrincipalId

This will show all the role assignments and the scopes (e.g., subscription, resource group, specific resource) where they are applied.

User's image Please let me know if you face any challenge here, I can help you to resolve this issue further

Provide your valuable Comments.

User's image

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Najam ul Saqib 400 Reputation points

2025-05-29T11:57:42.1933333+00:00

What if the token of managed identity doesn't have access on the automation account? In my case, there's no suitable IAM role on the RG that contains the automation account therefore I can't fetch its details.

Given that, I don't have access to the automation account means I can't fetch the object ID and therefore can't see roles. Is there any alternate approach?
Ashok Gandhi Kotnana 10,115 Reputation points Microsoft External Staff Moderator

2025-05-29T12:46:36.05+00:00

HI @Najam ul Saqib,
Thanks for the response back

Why the Managed Identity Doesn't Need Access to the Automation Account Itself

The system-assigned managed identity (MI) is automatically created and managed for the Azure Automation Account.

Its purpose is to access other Azure resources (e.g., Key Vault, Storage, etc.) — it doesn't need permissions on the Automation Account itself to function.

In my case, there's no suitable IAM role on the RG that contains the automation account therefore I can't fetch its details.

What you’re trying to do is introspect its own identity (object ID) and check what permissions it has elsewhere, which is reasonable.

Given that, I don't have access to the automation account means I can't fetch the object ID and therefore can't see roles.

It fails only if the MI (or user) executing that code doesn't have Reader or higher permission on that resource group or subscription

So yes — if you're inside the runbook and the MI doesn't have Reader access on the Automation Account’s RG, then it can't retrieve its own object ID that way.

A custom role can be created if you want very granular access for specific resource actions.

Reference;

https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Given that, I don't have access to the automation account means I can't fetch the object ID and therefore can't see roles.

Reader access on subscription or resource group level is sufficient to fetch the object ID of managed identity.

To view the Permissions (Role Assignments) of a Managed Identity:

You can only see role assignments:

Within the scopes where you yourself have at least "Reader" access

Azure will not show role assignments outside your permission boundary, even if you're querying for a valid Object ID

Please let me know if you face any challenge here, I can help you to resolve this issue further

Provide your valuable Comments.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Ashok Gandhi Kotnana 10,115 Reputation points Microsoft External Staff Moderator

2025-05-30T06:51:42.0466667+00:00

HI @Najam ul Saqib,

Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Najam ul Saqib 400 Reputation points

2025-06-05T07:19:46.7566667+00:00

It is possible using https://gist.github.com/njmulsqb/536e052aec5aa3d1f3f28fd5bdc1eb7e

Answer 2

Najam ul Saqib 400

I was able to fetch the roles using this gist: https://gist.github.com/njmulsqb/536e052aec5aa3d1f3f28fd5bdc1eb7e

Share via

How to check permissions assigned to Managed Identity Access Token?

2 answers

Your answer