Get notified on the addition or removal of roles and permissions in Microsoft Entra ID and Azure
This project continuously verifies whether the following assets have been updated with additions and/or removals during the last 24 hours:
- Azure roles
- Entra roles
- Microsoft Graph application permissions
The latest available roles and permissions are pulled once a day from the MS Graph and ARM APIs directly, and compared to a local snapshot to detect any changes.
Point your favorite RSS reader to latest.rss.
The file is updated every time a change is detected and stays unmodified otherwise. This means the date of the latest commit corresponds to the date of the latest addition or removal of an Azure role, Entra role or Microsoft Graph application permission.
Note that AzRoleWatcher is run daily around 1:00 AM UTC to detect changes.
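An added example (not AzRoleWatcher's own code) of the snapshot comparison described above: it diffs a stored snapshot against a fresh pull of role and permission definitions, keyed on each definition's id, and reports a feed update only when something was added or removed. The snapshot contents, ids and display names below are constructed placeholders, not real Entra, Azure or Graph identifiers.

```python
# Constructed sample snapshots (placeholder ids and names, not real Entra,
# Azure or Graph identifiers). Keys mirror the three asset kinds monitored.
PREVIOUS_SNAPSHOT = {
    "azureRoles": [{"id": "az-0001", "displayName": "Sample Azure Reader"}],
    "entraRoles": [{"id": "role-0001", "displayName": "Sample Entra Reader"}],
    "graphAppPermissions": [
        {"id": "perm-0001", "displayName": "Sample.Read.All"},
        {"id": "perm-0002", "displayName": "Sample.ReadWrite.All"},
    ],
}
CURRENT_PULL = {
    "azureRoles": [{"id": "az-0001", "displayName": "Sample Azure Reader"}],
    "entraRoles": [
        {"id": "role-0001", "displayName": "Sample Entra Reader"},
        {"id": "role-0002", "displayName": "Sample Entra Administrator"},
    ],
    "graphAppPermissions": [{"id": "perm-0001", "displayName": "Sample.Read.All"}],
}

def index_by_id(definitions):
    """Key definitions on their stable id so a renamed entry is not reported as add+remove."""
    return {d["id"]: d for d in definitions}

def diff_snapshots(previous, current):
    """Return {kind: {"added": [...], "removed": [...]}} for every kind that changed."""
    changes = {}
    for kind in sorted(set(previous) | set(current)):
        old = index_by_id(previous.get(kind, []))
        new = index_by_id(current.get(kind, []))
        added = [new[i] for i in sorted(new.keys() - old.keys())]
        removed = [old[i] for i in sorted(old.keys() - new.keys())]
        if added or removed:
            changes[kind] = {"added": added, "removed": removed}
    return changes

def feed_titles(changes):
    """One feed entry title per change; an empty list means nothing to publish."""
    return [f"{kind}: {d['displayName']} {verb}"
            for kind, delta in changes.items()
            for verb in ("added", "removed")
            for d in delta[verb]]

def should_update_feed(changes):
    """The RSS file is rewritten only when at least one addition or removal was found."""
    return bool(changes)

if __name__ == "__main__":
    for title in feed_titles(diff_snapshots(PREVIOUS_SNAPSHOT, CURRENT_PULL)):
        print(title)
```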
Setting up this project against a specific tenant can be useful to include custom roles and permissions in the monitoring.
The project can be configured against a specific Entra tenant as follows:
1. Fork this project.
2. In your tenant, create a service principal with a new federated credential, and take note of the following:
   - (i) The tenant ID associated with the service principal
   - (ii) The service principal's application/client ID
3. Grant the following application permissions to the service principal:
   - RoleManagement.Read.Directory (required to read Entra role definitions)
   - Application.Read.All (required to read the definitions of application permissions)
4. In the forked GitHub project, create the following repository variables:

Name | Value |
---|---|
AZURE_TENANT_ID | <value-from-step-2-i> |
AZURE_CLIENT_ID | <value-from-step-2-ii> |
Note: in a tenant with a default configuration, service principals have permissions to read Azure role definitions by default. Therefore, the service principal should not require any additional Azure permissions.