AI-Assisted Azure RBAC Analysis
Background
I wanted to gain a better understanding of Azure RBAC in practice while also exploring whether AI could be used to help identify excessive permissions and access-related risks.
The goal was not to build a production-ready security tool, but to combine hands-on RBAC testing with AI-assisted analysis and see what insights could be generated.
What I Built
I created a small Azure lab environment consisting of:
- Resource Groups
- Virtual Machines
- Network resources
- Users and groups
I then assigned different RBAC roles to simulate a realistic access model.
Examples:
- vm-tech → Virtual Machine Contributor
- vnet-tech → Network Contributor
RBAC assignments were exported to JSON and analyzed locally using a large language model running through Ollama.
What I Tested
The objective was to see whether the model could:
- Identify broad permissions
- Analyze RBAC scopes
- Highlight potential over-privileged access
- Suggest improvements based on least privilege principles
To achieve this, I combined exported RBAC data with a custom prompt designed to make the model evaluate role assignments from a security perspective.
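As an added illustration (not code from the original project), the script below shows one way the two pieces described above fit together: it pre-screens an exported role-assignment list with two cheap heuristics (broad built-in roles, and anything granted at subscription scope or above) and then folds those findings and the raw assignments into the prompt handed to a local Ollama model. It assumes the export came from `az role assignment list --all -o json` (the field names `principalName`, `principalType`, `roleDefinitionName` and `scope` come from that output); the sample assignments are constructed, the subscription id is a placeholder, and the model name `llama3` and the endpoint `http://localhost:11434/api/generate` are assumptions.

```python
"""Added example (not the original project's code): pre-screen an exported
Azure RBAC assignment list and build the prompt handed to a local Ollama model.
Assumes the export shape of `az role assignment list --all -o json`."""
import json
import urllib.request

# Built-in roles that grant write or full control across every resource type
# in scope; any assignment of these deserves a second look.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample data (placeholder subscription id), trimmed to the
# fields this script reads.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "vm-tech", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/rg-lab"},
    {"principalName": "vnet-tech", "principalType": "User",
     "roleDefinitionName": "Network Contributor",
     "scope": SUB + "/resourceGroups/rg-lab"},
    {"principalName": "lab-admins", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": SUB},
])


def load_assignments(raw_json):
    """Parse the export; accepts the JSON text of an `az` role assignment list."""
    return json.loads(raw_json)


def scope_level(scope):
    """Classify an ARM scope string by how wide it is."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[0].lower() == "providers" and "managementgroups" in scope.lower():
        return "managementGroup"
    if len(parts) <= 2:
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def flag_assignments(assignments):
    """Apply two cheap heuristics before involving the model: a broad
    built-in role, or any role granted at subscription scope or above."""
    wide = {"root", "managementGroup", "subscription"}
    findings = []
    for a in assignments:
        role = a["roleDefinitionName"]
        level = scope_level(a["scope"])
        reasons = []
        if role in BROAD_ROLES:
            reasons.append(f"broad role '{role}'")
        if level in wide:
            reasons.append(f"{level}-wide scope")
        if reasons:
            findings.append({"principal": a["principalName"],
                             "principalType": a["principalType"],
                             "role": role, "scopeLevel": level,
                             "reasons": reasons})
    return findings


def build_prompt(assignments):
    """Compose the review prompt: instructions, the heuristic findings, and the
    raw assignments so the model can reason about scope and role breadth."""
    findings = flag_assignments(assignments)
    return (
        "You are reviewing Azure RBAC assignments for least privilege.\n"
        "For each assignment, state whether the role is broader than the\n"
        "principal's apparent job needs, whether the scope could be narrowed,\n"
        "and which built-in role would be a tighter fit. Flag anything\n"
        "granted at subscription scope.\n\n"
        f"Pre-screen findings:\n{json.dumps(findings, indent=2)}\n\n"
        f"Assignments:\n{json.dumps(assignments, indent=2)}\n"
    )


def ask_ollama(prompt, model="llama3",
               url="http://localhost:11434/api/generate"):
    """Send the prompt to a local Ollama server (non-streaming) and return
    the model's text. Model name and endpoint are assumptions."""
    body = json.dumps({"model": model, "prompt": prompt, "stream": False}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=300) as resp:
        return json.load(resp)["response"]


if __name__ == "__main__":
    data = load_assignments(SAMPLE_ASSIGNMENTS)
    for f in flag_assignments(data):
        print(f"{f['principal']} ({f['role']}, {f['scopeLevel']}): "
              + "; ".join(f["reasons"]))
    try:
        print(ask_ollama(build_prompt(data)))
    except OSError as exc:  # Ollama not running; the pre-screen still works
        print(f"Ollama not reachable: {exc}")
```

The heuristics deliberately stay simple: they exist to give the model (and the human reading its output) a starting list, not to replace the review. On the constructed sample only the `lab-admins` group is flagged, once for the Contributor role and once for subscription-wide scope, while the two scoped technician assignments pass through to the model without a pre-screen note.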
Results
The project demonstrated that AI can be useful for quickly reviewing RBAC assignments and identifying areas that may warrant further investigation.
The analysis highlighted:
- Broad role assignments
- The importance of scope selection
- Potential least-privilege improvements
- Areas where permissions could potentially be reduced
Reflection
The most interesting part of the project was not the AI itself, but how much it reinforced the importance of RBAC design.
It became clear how significant scope decisions are in Azure and how easy it is to grant more access than is actually required.
The project also showed that AI can be a useful supporting tool for access reviews, but that the results still require human judgment and an understanding of the environment being analyzed.