Azure RBAC Least-Privilege Analyzer
Stop over-permissioning your Azure role assignments.
Scans Bicep & ARM templates, flags broad roles, suggests least-privilege alternatives, and generates remediation patches.
The Problem
73% of Azure subscriptions have over-permissioned role assignments, according to Microsoft's own figures. Developers routinely assign Contributor or Owner when the workload needs only a handful of specific actions, and nothing in the authoring workflow maps the operations a template actually performs to the narrowest built-in role that covers them. This extension does that mapping at edit time, before the assignment is deployed.
What This Extension Does
| Feature | Description |
|---|---|
| Bicep / ARM Scanning | Parses your `.bicep` and ARM template `.json` files to find every `Microsoft.Authorization/roleAssignments` resource. |
| Over-Permission Detection | Cross-references assigned roles against a database of 30+ commonly used Azure built-in roles (Azure defines 400+; the database is extensible) and flags assignments where a more restrictive role exists. |
| Smart Recommendations | Infers required actions from the other resources in the same template and suggests the least-privilege role that covers them. |
| Custom Role Trimming | Analyzes custom role definitions and identifies unused `actions` and `dataActions` that can be removed. |
| Remediation Patch | Generates a complete Bicep file with remediated role assignments and trimmed custom roles, ready to review and apply. |
| Live Activity Log Analysis | Connects to your Azure subscription and queries the Activity Log to compare the permissions actually exercised with those assigned. |
| Real-time Diagnostics | Inline warnings in the editor and entries in the Problems panel as you type. |
| Quick Fix Code Actions | One-click replacement of over-permissioned roles with least-privilege alternatives. |
| Sidebar Tree Views | Dedicated Activity Bar panel with Role Assignments and Recommendations views. |
Installation
From VSIX
```bash
# Build the extension
npm install
npm run compile
npx @vscode/vsce package
# Install the packaged extension
code --install-extension azure-rbac-least-privilege-analyzer-1.0.0.vsix
```
Quick Start
1. Open a Bicep or ARM Template File
Open any .bicep or ARM template .json file that contains role assignments. The extension activates automatically.
2. See Diagnostics
Over-permissioned role assignments are flagged with warning squiggles (yellow at the default Warning severity). Hover over the underline to see the full recommendation:
```text
⚠ Over-permissioned: "Contributor" assigned but a more restrictive role is available.
Suggestion: use "Storage Blob Data Contributor" instead.
Role "Contributor" grants 3 action patterns but only 2 are used.
```
3. Apply Quick Fixes
Click the lightbulb (💡) or press Ctrl+. on a flagged assignment to see available fixes:
- Replace with "Storage Blob Data Contributor" (least-privilege) — rewrites the role GUID in place
- Generate remediation patch file — opens a new Bicep file with all fixes
4. Use Commands
Open the Command Palette (Ctrl+Shift+P) and type "Azure RBAC":
| Command | Description |
|---|---|
| Azure RBAC: Analyze Role Assignments in Current File | Scan the open file for issues |
| Azure RBAC: Analyze All Role Assignments in Workspace | Scan every Bicep/ARM file in the workspace |
| Azure RBAC: Generate Least-Privilege Remediation Patch | Create a remediation Bicep file |
| Azure RBAC: Analyze Live Subscription Activity Log | Connect to Azure and analyze actual usage |
| Azure RBAC: Show Role Details | Browse built-in role definitions |
| Azure RBAC: Refresh Built-in Roles Database | Reload the built-in roles database |
Detailed Example
Before (over-permissioned)
```bicep
// ⚠ Contributor grants full control-plane access to ALL resource types
// but this deployment only uses Storage and Key Vault
resource contributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, 'b24988ac-6180-42a0-ab88-20f7382dd24c', principalId)
  properties: {
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      'b24988ac-6180-42a0-ab88-20f7382dd24c' // ← Contributor
    )
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}
```
Analyzer output:
```text
⚠ Over-permissioned: "Contributor" assigned but a more restrictive role is
available. Suggestion: use "Storage Blob Data Contributor" instead.
```
After (least-privilege)
```bicep
// ✅ Storage Blob Data Contributor — only grants blob container/blob read, write and delete
resource storageBlobContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, 'ba92f5b4-2d11-453d-a403-e96b0029c9fe', principalId)
  properties: {
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // ← Storage Blob Data Contributor
    )
    principalId: principalId
    principalType: 'ServicePrincipal'
    description: 'Least-privilege: Storage Blob Data Contributor'
  }
}
```
Check the suggestion against what the principal actually does before accepting it. Storage Blob Data Contributor is a data-plane role: it grants blob container and blob operations and nothing on the control plane, so it is not a drop-in replacement for a principal that also creates or configures resources. The Key Vault usage noted in the Before template is not covered either and needs its own assignment (for example Key Vault Secrets User scoped to the vault). Least privilege usually means several narrow, resource-scoped assignments rather than one broad one.
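As an added example (not the extension's own code), the TypeScript below does what the Bicep / ARM Scanning and Over-Permission Detection features describe for a Bicep file: a regex-based pass (the README notes the extension's own parser is regex-based) that finds every `roleAssignments` resource, reads the role GUID from its `roleDefinitionId`, resolves it against a small built-in-role map and flags it against the default `flaggedRoles` list. It also collects the provider namespaces the template deploys, which is the starting input for the static inference behind Smart Recommendations. The GUIDs are real Azure built-in role definition IDs; the sample template, the `Finding` shape and the function names are constructed here.

```typescript
interface Finding {
  line: number;         // 1-based line of the `resource` keyword
  symbolicName: string;
  roleId: string;
  roleName: string;
  flagged: boolean;     // role is on the flagged list
}

// Real Azure built-in role definition IDs (a subset of the 400+ roles).
const BUILT_IN_ROLES: { [id: string]: string } = {
  "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
  "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
  "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
  "ba92f5b4-2d11-453d-a403-e96b0029c9fe": "Storage Blob Data Contributor",
  "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1": "Storage Blob Data Reader",
};
const DEFAULT_FLAGGED = ["Owner", "Contributor", "User Access Administrator"];
const GUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;
// Matches `resource <symbolicName> '<type>@<apiVersion>' = {`
const RESOURCE_RE = /resource\s+(\w+)\s+'([^'@]+)@[^']*'\s*=\s*\{/g;

// Index just past the `}` that closes the block whose `{` sits at openIdx.
function blockEnd(src: string, openIdx: number): number {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return i + 1;
  }
  return src.length;
}

function scanBicep(src: string, flagged: string[] = DEFAULT_FLAGGED): Finding[] {
  const findings: Finding[] = [];
  const re = new RegExp(RESOURCE_RE.source, "g");
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) {
    if (m[2] !== "Microsoft.Authorization/roleAssignments") continue;
    const body = src.slice(m.index, blockEnd(src, m.index + m[0].length - 1));
    // Read the GUID after `roleDefinitionId:` with line comments stripped, so
    // neither the guid() in `name:` nor a `// Contributor` note can mislead us.
    const code = body.replace(/\/\/[^\n]*/g, "");
    const at = code.indexOf("roleDefinitionId");
    const guid = (at >= 0 ? code.slice(at) : code).match(GUID_RE);
    if (!guid) continue; // role comes from a param/variable: out of scope here
    const roleId = guid[0].toLowerCase();
    const roleName = BUILT_IN_ROLES[roleId] || "unknown (" + roleId + ")";
    findings.push({
      line: src.slice(0, m.index).split("\n").length,
      symbolicName: m[1],
      roleId: roleId,
      roleName: roleName,
      flagged: flagged.indexOf(roleName) >= 0,
    });
  }
  return findings;
}

// Provider namespaces the template deploys, excluding Microsoft.Authorization.
// A template touching only Microsoft.Storage is the static hint that a
// Contributor assignment is broader than the deployment needs.
function templateProviders(src: string): string[] {
  const re = new RegExp(RESOURCE_RE.source, "g");
  const providers: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) {
    const ns = m[2].split("/")[0];
    if (ns !== "Microsoft.Authorization" && providers.indexOf(ns) < 0) providers.push(ns);
  }
  return providers.sort();
}

// Constructed sample: the README's Contributor assignment next to a storage
// account and a correctly scoped Storage Blob Data Reader assignment.
const SAMPLE_BICEP = `
param principalId string
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stexample'
  location: resourceGroup().location
}
resource contributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, 'b24988ac-6180-42a0-ab88-20f7382dd24c', principalId)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}
resource blobReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sa.id, '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1', principalId)
  scope: sa
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}
`;
```

Running `scanBicep(SAMPLE_BICEP)` yields two findings: the Contributor assignment on line 7 is flagged, the resource-scoped Storage Blob Data Reader on line 15 is not, and `templateProviders` reports only `Microsoft.Storage`. An assignment whose `roleDefinitionId` comes through a parameter or variable is skipped rather than guessed, which is the honest answer for a regex pass and one reason the Contributing section mentions moving to the Bicep language service.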
Live Activity Log Analysis
For the most precise recommendations, the extension can connect to your Azure subscription and compare assigned permissions against the operations the principal actually performed, as recorded in the Activity Log. Keep the Activity Log's scope in mind when reading the results: it records control-plane write, delete and action operations only. Control-plane reads (GET) and data-plane operations such as blob reads or secret retrievals do not appear in it; those surface only in resource logs enabled through diagnostic settings. Treat the exercised-operation count as a lower bound and confirm against resource logs before removing a role a principal may be using only for reads or data access.
Prerequisites
- Azure CLI installed and authenticated (`az login`)
- Read access to the Activity Log (Monitoring Reader role or similar)
- Your subscription configured in settings, or entered when prompted
How to Use
- Run "Azure RBAC: Analyze Live Subscription Activity Log" from the Command Palette
- Enter your Subscription ID (or configure it in settings)
- The extension queries the last 90 days (configurable) of Activity Log data. Azure retains Activity Log events for 90 days, so a longer window returns no additional events.
- A Markdown report opens with per-principal findings:
```markdown
## Principal: my-service-principal
- Assigned roles: Contributor
- Operations exercised: 12
### Contributor → Storage Blob Data Reader
- **Severity:** high
- **Reason:** Principal exercised 12 operations in the last 90 days.
  Current role "Contributor" can be replaced with "Storage Blob Data Reader".
```
Custom Role Analysis
The analyzer detects custom role definitions (`Microsoft.Authorization/roleDefinitions`) and compares their `actions` and `dataActions` against what is actually needed:
```text
ℹ Custom role "Custom Storage Manager" has 4 unused permission(s) out of 10 total.
Remove unused permissions to enforce least-privilege.
```
Quick Fix: "Remove unused permissions from custom role" automatically strips the unnecessary entries.
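The Activity Log comparison above and the custom-role trimming in this section rest on the same primitive: deciding whether an Azure action pattern covers an observed operation. As an added example (not the extension's own code) the TypeScript below implements that matching, the per-plane allow/deny evaluation, a narrowest-covering-role selection and the unused-pattern trim. The three built-in role definitions are real but abbreviated (Contributor's `notActions` list is longer); the `Custom Storage Manager` role, the observed operations and the breadth-ranking heuristic are constructed for this example.

```typescript
interface RoleDef {
  name: string;
  actions: string[];          // control-plane allow patterns
  dataActions: string[];      // data-plane allow patterns
  notActions?: string[];      // control-plane deny patterns
  notDataActions?: string[];  // data-plane deny patterns
}
interface Operation {
  name: string;       // e.g. Microsoft.Storage/storageAccounts/write
  dataPlane: boolean; // true for payload access (blob bytes, secret values)
}

// Azure action strings compare case-insensitively and `*` matches any run of
// characters, slashes included: `Microsoft.Storage/*` covers every Storage
// operation and `*/read` every read.
function actionMatches(pattern: string, op: string): boolean {
  const re = pattern.split("*")
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + re + "$", "i").test(op);
}

function anyMatch(patterns: string[] | undefined, op: string): boolean {
  return (patterns || []).some((p) => actionMatches(p, op));
}

// Permitted when an allow pattern matches and no deny pattern does, each plane
// checked against its own lists (a role with no dataActions grants no data access).
function roleAllows(role: RoleDef, op: Operation): boolean {
  return op.dataPlane
    ? anyMatch(role.dataActions, op.name) && !anyMatch(role.notDataActions, op.name)
    : anyMatch(role.actions, op.name) && !anyMatch(role.notActions, op.name);
}

function uncovered(role: RoleDef, ops: Operation[]): Operation[] {
  return ops.filter((op) => !roleAllows(role, op));
}

// Breadth heuristic, an assumption of this example rather than the extension's
// algorithm: fewer wildcards, then fewer patterns, means a narrower role.
function breadth(role: RoleDef): [number, number] {
  const all = role.actions.concat(role.dataActions);
  const stars = all.reduce((n, p) => n + (p.match(/\*/g) || []).length, 0);
  return [stars, all.length];
}

// Narrowest candidate that permits every observed operation, or undefined.
function leastPrivilegeRole(candidates: RoleDef[], ops: Operation[]): RoleDef | undefined {
  return candidates
    .filter((r) => uncovered(r, ops).length === 0)
    .sort((a, b) => {
      const [sa, ca] = breadth(a), [sb, cb] = breadth(b);
      return sa - sb || ca - cb;
    })[0];
}

// Custom-role trimming: a pattern survives only if some observed operation
// matched it. A wildcard that matched anything is kept whole; narrowing it
// further is left to the reviewer.
function trimCustomRole(role: RoleDef, ops: Operation[]): { kept: RoleDef; unused: string[] } {
  const used = (patterns: string[], plane: boolean) =>
    patterns.filter((p) => ops.some((o) => o.dataPlane === plane && actionMatches(p, o.name)));
  const actions = used(role.actions, false);
  const dataActions = used(role.dataActions, true);
  const unused = role.actions.filter((p) => actions.indexOf(p) < 0)
    .concat(role.dataActions.filter((p) => dataActions.indexOf(p) < 0));
  return { kept: { ...role, actions, dataActions }, unused };
}

// Real built-in role definitions, abbreviated (Contributor's notActions is longer).
const BLOB = "Microsoft.Storage/storageAccounts/blobServices";
const CONTRIBUTOR: RoleDef = {
  name: "Contributor", actions: ["*"], dataActions: [],
  notActions: ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"],
};
const BLOB_READER: RoleDef = {
  name: "Storage Blob Data Reader",
  actions: [BLOB + "/containers/read", BLOB + "/generateUserDelegationKey/action"],
  dataActions: [BLOB + "/containers/blobs/read"],
};
const BLOB_CONTRIBUTOR: RoleDef = {
  name: "Storage Blob Data Contributor",
  actions: ["delete", "read", "write"].map((v) => BLOB + "/containers/" + v)
    .concat([BLOB + "/generateUserDelegationKey/action"]),
  dataActions: ["delete", "read", "write", "move/action", "add/action"]
    .map((v) => BLOB + "/containers/blobs/" + v),
};
const BUILT_IN: RoleDef[] = [CONTRIBUTOR, BLOB_READER, BLOB_CONTRIBUTOR];

// Constructed observations for one principal: two control-plane entries of the
// kind the Activity Log records, plus a blob read that only storage resource
// logs can show (the Activity Log omits reads and data-plane calls).
const OBSERVED: Operation[] = [
  { name: BLOB + "/containers/write", dataPlane: false },
  { name: BLOB + "/generateUserDelegationKey/action", dataPlane: false },
  { name: BLOB + "/containers/blobs/read", dataPlane: true },
];

// Constructed custom role in the shape of the README's "Custom Storage Manager".
const CUSTOM_STORAGE_MANAGER: RoleDef = {
  name: "Custom Storage Manager",
  actions: ["Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/listKeys/action", BLOB + "/containers/write",
    BLOB + "/generateUserDelegationKey/action"],
  dataActions: [BLOB + "/containers/blobs/read", BLOB + "/containers/blobs/write"],
};
```

With these inputs `leastPrivilegeRole(BUILT_IN, OBSERVED)` returns Storage Blob Data Contributor: Contributor fails because its empty `dataActions` cannot cover the blob read, and Storage Blob Data Reader fails on the container write. `trimCustomRole(CUSTOM_STORAGE_MANAGER, OBSERVED)` keeps two actions and one dataAction and reports the other four as unused. Because the observed list is only as complete as the logs it came from, the same run with Activity Log data alone would never contain the data-plane read and would wrongly mark `blobs/read` unused, which is the practical reason to feed resource logs into the comparison before trimming.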
Extension Settings
Configure via File > Preferences > Settings or .vscode/settings.json:
| Setting | Default | Description |
|---|---|---|
| azureRbac.enableDiagnostics | true | Enable real-time diagnostics for Bicep and ARM files |
| azureRbac.severityLevel | "Warning" | Severity level: Error, Warning, Information, or Hint |
| azureRbac.flaggedRoles | ["Owner", "Contributor", "User Access Administrator"] | Role names that should always be flagged, whatever the inferred requirements |
| azureRbac.subscriptionId | "" | Azure subscription ID for Activity Log analysis |
| azureRbac.activityLogDays | 90 | Number of days of Activity Log to analyze (1–365; Azure retains Activity Log events for 90 days, so values above 90 return no additional events) |
| azureRbac.autoAnalyzeOnSave | true | Automatically analyze files when saved |
Example settings.json
```json
{
  "azureRbac.severityLevel": "Error",
  "azureRbac.flaggedRoles": [
    "Owner",
    "Contributor",
    "User Access Administrator",
    "Key Vault Administrator"
  ],
  "azureRbac.subscriptionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "azureRbac.activityLogDays": 60,
  "azureRbac.autoAnalyzeOnSave": true
}
```
Sidebar Tree Views
The extension adds an Azure RBAC Analyzer panel to the Activity Bar (shield icon) with two tree views:
Role Assignments
Shows all detected role assignments grouped by file. Each entry shows:
- ⚠ Over-permissioned assignments (with severity indicator)
- ✓ Properly-scoped assignments
- Expandable details with recommendations
Recommendations
A flat list of all suggested changes across the workspace:
- Role replacements (Contributor → Storage Blob Data Reader)
- Custom role trim suggestions
- Click any item to navigate to the source location
Built-in Roles Database
The extension ships with metadata for 30+ commonly used Azure built-in roles across these categories:

| Category | Roles Included |
|---|---|
| General | Owner, Contributor, Reader, User Access Administrator |
| Storage | Storage Blob Data Reader/Contributor/Owner, Storage Table Data Reader/Contributor, Storage Queue Data Reader/Contributor |
| Key Vault | Key Vault Secrets User/Officer, Key Vault Reader/Administrator |
| Compute | Virtual Machine Contributor |
| Networking | Network Contributor |
| Databases | SQL DB Contributor, SQL Server Contributor, Cosmos DB Account Reader Role |
| Containers | Azure Kubernetes Service Contributor Role, AcrPull, AcrPush |
| Monitoring | Monitoring Reader, Monitoring Contributor |
| Identity | Managed Identity Contributor/Operator |
| Integration | Azure Event Hubs Data Receiver/Sender, Azure Service Bus Data Receiver/Sender |
| App Configuration | App Configuration Data Reader/Owner |

Role names above are the exact built-in names Azure reports, which matters because azureRbac.flaggedRoles matches on name. Browse any role's full permission set via "Azure RBAC: Show Role Details".
Supported File Types
| File Type | Language ID | Support |
|---|---|---|
| Bicep (.bicep) | bicep | Full analysis |
| ARM Templates (.json) | json | Full analysis (auto-detected via $schema) |
Architecture
```text
src/
├── extension.ts               # VS Code activation, commands, wiring
├── analyzers/
│   ├── bicepAnalyzer.ts       # Parse Bicep files for role assignments
│   ├── armAnalyzer.ts         # Parse ARM JSON templates
│   └── activityLogAnalyzer.ts # Azure Activity Log integration
├── roles/
│   ├── builtInRoles.ts        # Built-in role database (30+ roles)
│   └── roleMapper.ts          # Action-to-role mapping engine
├── remediation/
│   └── patchGenerator.ts      # Bicep remediation patch output
└── providers/
    ├── diagnosticsProvider.ts # Real-time editor diagnostics
    ├── codeActionProvider.ts  # Quick Fix code actions
    └── treeViewProvider.ts    # Sidebar tree views
```
Development
Prerequisites
- Node.js 18+
- VS Code 1.85+
Setup
```bash
cd azure-rbac-least-privilege-analyzer
npm install
```
Build
```bash
npm run compile
```
Watch Mode
```bash
npm run watch
```
Run Extension (Debug)
- Open the project in VS Code
- Press F5 to launch the Extension Development Host
- Open a .bicep file to see the analyzer in action
Package for Distribution
```bash
npx @vscode/vsce package
```
This produces a .vsix file you can install or publish to the Marketplace.
Publish to Marketplace
```bash
npx @vscode/vsce publish
```
You'll need a Personal Access Token from Azure DevOps.
Example Files
The examples/ directory contains sample files for testing:
FAQ
Does this extension make changes to my Azure subscription?
No. The extension only reads and analyzes files locally. The Activity Log feature reads data from Azure but never modifies your subscription. Remediation patches are generated as new Bicep files for you to review and deploy manually.
Does it support Terraform?
Not yet. It currently supports Bicep and ARM templates; Terraform support is planned for a future release.
How does it know what permissions I actually need?
Two approaches:
- Static analysis: Infers required actions from other Azure resources in the same template (e.g., a Storage Account implies storage-related actions).
- Activity Log analysis: Queries actual operations from your Azure Activity Log to see what was really used.
Can I add custom roles to the database?
The built-in database ships with the extension. To extend it, you can modify src/roles/builtInRoles.ts and rebuild. A future release will support loading custom role definitions from settings.
Why doesn't it detect all 400+ built-in roles?
The extension ships with the most commonly over-permissioned roles. The role database is extensible and will grow with community contributions. For Activity Log analysis, it queries live role definitions from your subscription.
Contributing
Contributions welcome! Areas where help is appreciated:
- Adding more built-in roles to the database
- Terraform HCL support
- Improved Bicep parsing (currently regex-based; could use Bicep language service)
- UI improvements for the tree view sidebar
- Additional resource-to-action mappings
License
MIT