Identify unused managed identities via Azure CLI

Nivazzz 0 Reputation points
2025-01-14T16:27:32.0633333+00:00

Hello,

We have a lot of user-assigned managed identities created in our resource group, and only a few of them have been assigned to machine learning compute.

I'm working on a task to identify the list of unused managed identities via Azure CLI.

I can list all the user-assigned managed identities under the RG, but I can't filter out the unused ones (e.g. where the number of resources attached to the managed identity = 0). Please help me sort out the CLI command. Thanks


2 answers

  1. Leo Visser 321 Reputation points MVP
    2025-01-14T17:09:54.4133333+00:00

    To solve this you will need to loop through all Azure resources and check whether they have the specific identity assigned. As far as I know the property is not stored in the managed identity itself, as it can be connected to many different resources.

    There is a preview feature now to retrieve it via the REST API, so if you don't mind using the REST API you can look at this:
    https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-view-associated-resources-for-an-identity


  2. Akhilesh Vallamkonda 13,055 Reputation points Microsoft External Staff
    2025-01-17T19:43:49.3366667+00:00

    Hi @Helan Nivas

    Thank you for reaching out on the Microsoft Q&A Forum!

    If I understand correctly, you are looking for a way to get the list of unused managed identities via Azure CLI.

    You may not be able to achieve this via Azure CLI alone; however, you can get the unused managed identities via PowerShell.
    The script below helps you get the list of managed identities into a CSV file.

    az login --tenant TENANT_UUID
    # Initialize an empty list to store names
    $nameList = [System.Collections.Generic.List[string]]::new()
    # Get the list of resource group names (one name per line)
    $resourceGroups = az group list --query "[].{name:name}" -o tsv
    foreach ($resourceGroup in $resourceGroups) {
        Write-Output "Checking resource group: $resourceGroup"
        # List all user-assigned managed identities in the current resource group (az prints JSON by default)
        $identities = az identity list --resource-group $resourceGroup --query "[].{name:name, principalId:principalId}" | ConvertFrom-Json
        # Loop through each identity and check if it is used
        foreach ($identity in $identities) {
            $name = $identity.name
            $principalId = $identity.principalId
            # Collect the role assignments held by this principal. Wrapping the pipeline in @()
            # gives an empty array (Count 0) when az returns nothing and a one-element array
            # when it returns a single object, so .Count is reliable in both cases.
            $usage = @(az role assignment list --assignee $principalId --query "[].{role:roleDefinitionName, scope:scope}" | ConvertFrom-Json)
            if ($usage.Count -eq 0) {
                Write-Output "Unused managed identity: $name"
                # Add the unused managed identity name to the list
                $nameList.Add($name)
            }
        }
    }
    # Export the list to a CSV file. Each name is wrapped in an object with a Name property,
    # because piping bare strings to Export-Csv only writes their Length column.
    $nameList | ForEach-Object { [PSCustomObject]@{ Name = $_ } } | Export-Csv -Path "C:\path\to\your\list.csv" -NoTypeInformation
    

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks,

    Akhilesh V.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.
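The first answer describes the check that actually answers the question (walk every resource and look at what it has assigned), while the second answer's script counts role assignments, which an identity can hold without being attached to anything. Below is an added example, not code from the question or either answer, that implements the first approach against the JSON printed by `az identity list` and `az resource list`: every id found under a resource's `identity.userAssignedIdentities` block is collected, and any identity whose own `id` is referenced nowhere is reported as unused. The `SAMPLE_*` data is constructed to mimic that output (placeholder subscription id and names), and it assumes `az resource list` returns each resource's `identity` block, which it does for tracked ARM resources. Comparison is case-insensitive, because ARM resource ids are case-insensitive and the key casing under `userAssignedIdentities` frequently differs from the `az identity list` output.

```python
"""Report user-assigned managed identities that no ARM resource references.

Added example for this thread (not code from the question or either answer).
It consumes the JSON printed by `az identity list` and `az resource list`
and compares identity ids against every id referenced under a resource's
identity.userAssignedIdentities block. SAMPLE_* data is constructed.
"""
import json
import shutil
import subprocess

# Constructed sample of `az identity list -o json` (only the fields used here);
# the subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
UAMI = "providers/Microsoft.ManagedIdentity/userAssignedIdentities"
SAMPLE_IDENTITIES = [
    {"name": "uami-train", "resourceGroup": "rg-ml",
     "id": f"{SUB}/resourceGroups/rg-ml/{UAMI}/uami-train"},
    {"name": "uami-batch", "resourceGroup": "rg-ml",
     "id": f"{SUB}/resourceGroups/rg-ml/{UAMI}/uami-batch"},
    {"name": "uami-orphan", "resourceGroup": "rg-ml",
     "id": f"{SUB}/resourceGroups/rg-ml/{UAMI}/uami-orphan"},
]

# Constructed sample of `az resource list -o json`. The VM references
# uami-batch with different path casing: ARM ids are case-insensitive,
# so a naive string comparison would wrongly report it as unused.
SAMPLE_RESOURCES = [
    {"name": "cpu-cluster",
     "type": "Microsoft.MachineLearningServices/workspaces/computes",
     "identity": {"type": "UserAssigned", "userAssignedIdentities": {
         f"{SUB}/resourceGroups/rg-ml/{UAMI}/uami-train": {}}}},
    {"name": "vm-batch-01", "type": "Microsoft.Compute/virtualMachines",
     "identity": {"type": "SystemAssigned, UserAssigned", "userAssignedIdentities": {
         f"{SUB}/resourcegroups/rg-ml/{UAMI.lower()}/UAMI-BATCH": {}}}},
    {"name": "stmldata", "type": "Microsoft.Storage/storageAccounts",
     "identity": None},
    {"name": "app-api", "type": "Microsoft.Web/sites",
     "identity": {"type": "SystemAssigned", "userAssignedIdentities": None}},
]


def attached_identity_ids(resources):
    """Lower-cased ids of every user-assigned identity some resource references."""
    attached = set()
    for res in resources:
        identity = res.get("identity") or {}          # identity may be null
        for uami_id in (identity.get("userAssignedIdentities") or {}):
            attached.add(uami_id.lower())
    return attached


def unused_identities(identities, resources):
    """Sorted names of identities whose id is referenced by none of the resources."""
    attached = attached_identity_ids(resources)
    return sorted(i["name"] for i in identities if i["id"].lower() not in attached)


def az_json(*args):
    """Run `az <args> -o json` and parse the output (live use; run `az login` first)."""
    az = shutil.which("az")
    if az is None:
        raise RuntimeError("Azure CLI (az) not found on PATH")
    proc = subprocess.run([az, *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. For a live run replace
    # the two arguments with az_json("identity", "list") and az_json("resource", "list").
    for name in unused_identities(SAMPLE_IDENTITIES, SAMPLE_RESOURCES):
        print("Unused managed identity:", name)
```

Two caveats before treating the result as a deletion list: `az resource list` enumerates top-level tracked resources, so child resources such as `Microsoft.MachineLearningServices/workspaces/computes` may need to be queried separately (for example with `az ml compute list` per workspace), and an identity can also be in use through federated credentials rather than a resource assignment. The associated-resources REST API linked in the first answer is the authoritative source for those cases.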

