Merge pull request #263076 from rolyon/rolyon-rbac-troubleshoot-limits-query-condition-tabs

[Azure RBAC] Add conditions to troubleshoot limit queries as tabs

Author: v-dirichards

articles/governance/includes/resource-graph/query/authorization-same-principal-scope-condition.md

@@ -0,0 +1,29 @@
+---
+author: rolyon
+ms.service: resource-graph
+ms.topic: include
+ms.date: 01/12/2024
+ms.author: rolyon
+---
+
+```kusto
+AuthorizationResources
+| where type =~ "microsoft.authorization/roleassignments"
+| where id startswith "/subscriptions"
+| extend PrincipalId = tostring(properties.principalId) 
+| extend Scope = tolower(properties.scope)
+| extend RoleDefinitionId = tolower(tostring(properties.roleDefinitionId))
+| extend condition = tostring(properties.condition)
+| join kind = leftouter (
+  AuthorizationResources
+  | where type =~ "microsoft.authorization/roledefinitions"
+  | extend RoleName = tostring(properties.roleName)
+  | extend RoleId = tolower(id)
+  | extend RoleType = tostring(properties.type) 
+  | where RoleType == "BuiltInRole"
+  | extend RoleId_RoleName = pack(RoleId, RoleName)
+) on $left.RoleDefinitionId == $right.RoleId
+| summarize count_ = count(), AllRD = make_set(RoleId_RoleName) by PrincipalId, Scope, condition
+| where count_ > 1
+| order by count_ desc
+```

articles/governance/includes/resource-graph/query/authorization-same-role-principal-condition.md

@@ -0,0 +1,28 @@
+---
+author: rolyon
+ms.service: resource-graph
+ms.topic: include
+ms.date: 01/12/2024
+ms.author: rolyon
+---
+
+```kusto
+authorizationresources
+| where type =~ "microsoft.authorization/roleassignments"
+| where id startswith "/subscriptions"
+| extend RoleDefinitionId = tolower(tostring(properties.roleDefinitionId))
+| extend PrincipalId = tolower(properties.principalId)
+| extend RoleDefinitionId_PrincipalId = strcat(RoleDefinitionId, "_", PrincipalId)
+| extend condition = tostring(properties.condition)
+| join kind = leftouter (
+  authorizationresources
+  | where type =~ "microsoft.authorization/roledefinitions"
+  | extend RoleDefinitionName = tostring(properties.roleName)
+  | extend rdId = tolower(id)
+  | project RoleDefinitionName, rdId
+) on $left.RoleDefinitionId == $right.rdId
+| summarize count_ = count(), Scopes = make_set(tolower(properties.scope)) by RoleDefinitionId_PrincipalId,RoleDefinitionName
+| project RoleDefinitionId = split(RoleDefinitionId_PrincipalId, "_", 0)[0], RoleDefinitionName, PrincipalId = split(RoleDefinitionId_PrincipalId, "_", 1)[0], count_, Scopes, condition
+| where count_ > 1
+| order by count_ desc
+```

articles/governance/includes/resource-graph/query/authorization-same-role-scope-condition.md

@@ -0,0 +1,27 @@
+---
+author: rolyon
+ms.service: resource-graph
+ms.topic: include
+ms.date: 01/12/2024
+ms.author: rolyon
+---
+
+```kusto
+authorizationresources
+| where type =~ "microsoft.authorization/roleassignments"
+| where id startswith "/subscriptions"
+| extend RoleId = tolower(tostring(properties.roleDefinitionId))
+| extend condition = tostring(properties.condition)
+| join kind = leftouter (
+  authorizationresources
+  | where type =~ "microsoft.authorization/roledefinitions"
+  | extend RoleDefinitionName = tostring(properties.roleName)
+  | extend RoleId = tolower(id)
+  | project RoleDefinitionName, RoleId
+) on $left.RoleId == $right.RoleId
+| extend principalId = tostring(properties.principalId)
+| extend principal_to_ra = pack(principalId, id)
+| summarize count_ = count(), AllPrincipals = make_set(principal_to_ra) by RoleDefinitionId = RoleId, Scope = tolower(properties.scope), RoleDefinitionName, condition
+| where count_ > 1
+| order by count_ desc
+```

articles/role-based-access-control/troubleshoot-limits.md

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 12/01/2023
+ms.date: 01/12/2024
 ms.author: rolyon
 ---
 
@@ -66,8 +66,18 @@ To reduce the number of role assignments in the subscription, add principals (us
 
     This query checks active role assignments and doesn't consider eligible role assignments in [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
 
+    If you are using [role assignment conditions](conditions-overview.md) or [delegating role assignment management with conditions](delegate-role-assignments-overview.md), you should use the Conditions query. Otherwise, use the Default query.
+
+    # [Default](#tab/default)
+
     [!INCLUDE [resource-graph-query-authorization-same-role-scope](../governance/includes/resource-graph/query/authorization-same-role-scope.md)]
 
+    # [Conditions](#tab/conditions)
+
+    [!INCLUDE [resource-graph-query-authorization-same-role-scope-condition](../governance/includes/resource-graph/query/authorization-same-role-scope-condition.md)]
+
+    ---
+
     The following shows an example of the results. The **count_** column is the number of principals assigned the same role and at the same scope. The count is sorted in descending order.
 
     :::image type="content" source="media/troubleshoot-limits/authorization-same-role-scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows role assignments with the same role and at the same scope, but for different principals." lightbox="media/troubleshoot-limits/authorization-same-role-scope.png":::
@@ -140,8 +150,18 @@ To reduce the number of role assignments in the subscription, remove redundant r
 
     This query checks active role assignments and doesn't consider eligible role assignments in [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
 
+    If you are using [role assignment conditions](conditions-overview.md) or [delegating role assignment management with conditions](delegate-role-assignments-overview.md), you should use the Conditions query. Otherwise, use the Default query.
+
+    # [Default](#tab/default)
+
     [!INCLUDE [resource-graph-query-authorization-same-role-principal](../governance/includes/resource-graph/query/authorization-same-role-principal.md)]
 
+    # [Conditions](#tab/conditions)
+
+    [!INCLUDE [resource-graph-query-authorization-same-role-principal-condition](../governance/includes/resource-graph/query/authorization-same-role-principal-condition.md)]
+
+    ---
+
     The following shows an example of the results. The **count_** column is the number of different scopes for role assignments with the same role and same principal. The count is sorted in descending order.
 
     :::image type="content" source="media/troubleshoot-limits/authorization-same-role-principal.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows role assignments for the same role and same principal, but at different scopes." lightbox="media/troubleshoot-limits/authorization-same-role-principal.png":::
@@ -200,8 +220,18 @@ To reduce the number of role assignments in the subscription, replace multiple b
 
     This query checks active role assignments and doesn't consider eligible role assignments in [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
 
+    If you are using [role assignment conditions](conditions-overview.md) or [delegating role assignment management with conditions](delegate-role-assignments-overview.md), you should use the Conditions query. Otherwise, use the Default query.
+
+    # [Default](#tab/default)
+
     [!INCLUDE [resource-graph-query-authorization-same-principal-scope](../governance/includes/resource-graph/query/authorization-same-principal-scope.md)]
 
+    # [Condition](#tab/conditions)
+
+    [!INCLUDE [resource-graph-query-authorization-same-principal-scope-condition](../governance/includes/resource-graph/query/authorization-same-principal-scope-condition.md)]
+
+    ---
+
     The following shows an example of the results. The **count_** column is the number of different built-in role assignments with the same principal and same scope. The count is sorted in descending order.
 
     :::image type="content" source="media/troubleshoot-limits/authorization-same-principal-scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows role assignments for with the same principal and same scope." lightbox="media/troubleshoot-limits/authorization-same-principal-scope.png":::