As you might know, in Azure Policy you can configure a managed identity on a policy assignment so that, depending on the effect, the policy has an identity and the permissions to execute or remediate the settings through a remediation task…
…and if you then go back and check the settings of the assignment, you will see the GUID of the system-assigned managed identity…
If you look at the Azure subscription you will see there is a GUID entry for each of these managed identities…
Imagine you have a couple of policy assignments in place: how would you figure out where these GUIDs come from, that is, which Azure Policy assignment is the source of each GUID entry? You can click on the GUIDs, but as far as I know there is no relationship that lets you reverse-look-up these entries to the corresponding policy. If you click on the identity, you are redirected to the Entra ID resource…
Luckily you can use Azure CLI az commands to do the work for you.
Log in to your Cloud Shell and run…
az policy assignment list --disable-scope-strict-match --query "[].{PrincipalId: identity.principalId, DisplayName: displayName, Description: description}"
…there you will see the details of each assignment together with its principal id…
…and if you then look up that id in Entra ID you will see more details about it…
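To turn that listing into an actual reverse lookup (GUID seen on the subscription → policy assignment that owns it), here is an added Python helper that is not part of the original post. It consumes the JSON that `az policy assignment list --disable-scope-strict-match -o json` prints (pipe it via stdin), builds a map from principalId to assignment, and reports which of a given set of GUIDs no policy assignment accounts for. The embedded sample data and its GUIDs are constructed placeholders; the `az role assignment list` cross-check mentioned in the comments is my suggestion for where the "unknown" GUIDs typically come from.

```python
"""Reverse lookup: managed-identity principal id -> Azure Policy assignment.

Usage (real data):   az policy assignment list --disable-scope-strict-match -o json | python3 lookup.py
Usage (offline):     python3 lookup.py            # falls back to the constructed sample below
"""
import json
import sys

# Constructed sample in the shape `az policy assignment list -o json` returns
# (trimmed to the fields used here). All GUIDs are made-up placeholders.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {
        "displayName": "Deploy diagnostic settings for Key Vault",
        "description": "Remediates missing diagnostic settings",
        "name": "kv-diag",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
        "identity": {"type": "SystemAssigned",
                     "principalId": "11111111-1111-1111-1111-111111111111"},
    },
    {
        "displayName": "Audit VMs without managed disks",
        "description": None,
        "name": "audit-vm-disks",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
        "identity": None,  # audit-only assignments carry no identity at all
    },
])


def load_assignments(text):
    """Parse the CLI's JSON output into a list of assignment dicts."""
    return json.loads(text)


def index_by_principal(assignments):
    """Map principalId (lower-cased) -> summary of the assignment that owns it."""
    lookup = {}
    for a in assignments:
        identity = a.get("identity") or {}
        principal_id = identity.get("principalId")
        if not principal_id:
            continue  # audit/deny style assignments have no managed identity
        lookup[principal_id.lower()] = {
            "displayName": a.get("displayName"),
            "name": a.get("name"),
            "scope": a.get("scope"),
            "identityType": identity.get("type"),
        }
    return lookup


def explain_principal(lookup, principal_id):
    """Return the owning assignment for a GUID, or None if no policy explains it."""
    return lookup.get(principal_id.lower())


def unexplained(lookup, principal_ids):
    """GUIDs (e.g. from `az role assignment list` on the subscription) that no
    policy assignment accounts for; these are the ones worth reviewing by hand."""
    return sorted(p for p in principal_ids if p.lower() not in lookup)


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ASSIGNMENTS_JSON
    lookup = index_by_principal(load_assignments(raw))
    for pid, info in lookup.items():
        print(f"{pid}  ->  {info['displayName']} ({info['name']}) at {info['scope']}")
    # Constructed GUIDs standing in for what you would read off the subscription.
    seen = ["11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"]
    for pid in unexplained(lookup, seen):
        print(f"{pid}  ->  not from any policy assignment, review manually")
```

With real data, feed the role-assignment GUIDs of your subscription into `unexplained()`; anything left over is by definition not a policy identity and deserves a closer look.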
Conclusion:
It is relatively easy to figure out whether a GUID / managed identity that is assigned on your subscription relates to an Azure Policy assignment. This post can help you identify such resources and let you sleep better at night, because you know what has access to your environment.