01 Run cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure OpenAI service instance available in the current subscription:
az cognitiveservices account list
--output table
--query '[?(kind==`OpenAI`)].{name:name, resourceGroup:resourceGroup}'
02 The command output should return the requested OpenAI service instance identifiers:
Name ResourceGroup
--------------------------- ------------------------------
tm-openai-project5-instance cloud-shell-storage-westeurope
tm-openai-workspace-server cloud-shell-storage-westeurope
03 Run cognitiveservices account identity show command (Windows/macOS/Linux) with the name of the Azure OpenAI service instance that you want to examine as the identifier parameter and custom output filters to describe the user-assigned managed identities associated with the selected OpenAI instance:
az cognitiveservices account identity show
--name tm-openai-project5-instance
--resource-group cloud-shell-storage-westeurope
--query 'userAssignedIdentities'
04 The command output should return the information available for the associated identities (including the identity full ID and the ID of the associated principal). If the cognitiveservices account identity show command does not return an output, there are no user-assigned managed identities configured for your instance and the Audit process ends here. To add user-assigned identities to your OpenAI instance, follow the instructions outlined on this page:
{
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tm-project5-managed-identity": {
"clientId": "1234abcd-1234-abcd-1234-abcd1234abcd",
"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234"
}
}
05 Run role assignment list command (Windows/macOS/Linux) to describe the role assignments for the principal associated with your user-assigned managed identity. Set --assignee parameter value to the "principalId" attribute value returned at the previous step:
az role assignment list
--assignee abcd1234-abcd-1234-abcd-1234abcd1234
--all
06 The command output should return the role assignments for the selected principal:
[
{
"roleDefinitionName": "Owner",
"roleDefinitionId": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-1234-abcd-1234-abcd1234abcd",
"condition": null,
"conditionVersion": null,
"createdBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
"createdOn": "2024-06-20T08:11:52.463577+00:00",
"delegatedManagedIdentityResourceId": null,
"description": null,
"name": "1234abcd-1234-abcd-1234-abcd1234abcd",
"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
"principalName": "1234abcd-1234-abcd-1234-abcd1234abcd",
"principalType": "ServicePrincipal",
"resourceGroup": "cloud-shell-storage-westeurope",
"scope": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/tm-openai-project5-instance",
"type": "Microsoft.Authorization/roleAssignments",
"updatedBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
"updatedOn": "2024-06-20T08:11:52.463577+00:00"
},
{
"roleDefinitionName": "User Access Administrator",
"roleDefinitionId": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-1234-abcd-1234-abcd1234abcd",
"condition": null,
"conditionVersion": null,
"createdBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
"createdOn": "2024-06-15T08:00:52.463577+00:00",
"delegatedManagedIdentityResourceId": null,
"description": null,
"name": "1234abcd-1234-abcd-1234-abcd1234abcd",
"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
"principalName": "1234abcd-1234-abcd-1234-abcd1234abcd",
"principalType": "ServicePrincipal",
"resourceGroup": "cloud-shell-storage-westeurope",
"scope": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/tm-openai-project5-instance",
"type": "Microsoft.Authorization/roleAssignments",
"updatedBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
"updatedOn": "2024-06-15T08:00:52.463577+00:00"
}
]
Check the "roleDefinitionName" attribute value for each role assignment returned by the role assignment list command output to determine if the associated identity has privileged administrator roles such as "Owner", "Contributor", "User Access Administrator", and "Role Based Access Control Administrator". If one or more privileged administrator roles are assigned to the user-assigned managed identity associated with your instance, the selected Azure OpenAI service instance is configured with admin privileges.
07 Repeat steps no. 3 – 6 for each Azure OpenAI instance available in the selected Azure subscription.
08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.
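The audit procedure above, chained together as an added Python script (not part of the original page): it drives steps 01 to 07 through the az CLI for the current subscription and applies the step 06 role check to each user-assigned managed identity. It assumes an authenticated az CLI on PATH; SAMPLE_ASSIGNMENTS is a constructed role assignment list modelled on the step 06 output.

```python
import json
import subprocess

# Roles that step 06 treats as privileged administrator roles.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator",
                    "Role Based Access Control Administrator"}

# Constructed sample modelled on the step 06 output (only the fields the check reads).
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Owner", "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "User Access Administrator", "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Cognitive Services OpenAI User", "principalType": "ServicePrincipal"},
]

def az(*args):
    """Run an az CLI command (assumes an authenticated az on PATH) and parse its JSON output."""
    out = subprocess.run(["az", *args, "--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None

def privileged_roles(assignments):
    """Privileged roles present in a role assignment list, sorted; [] when there are none."""
    return sorted({a.get("roleDefinitionName") for a in assignments}
                  & PRIVILEGED_ROLES)

def audit_instance(name, resource_group):
    """Steps 03 to 06 for one instance: {identity resource ID: [privileged roles]}."""
    identities = az("cognitiveservices", "account", "identity", "show",
                    "--name", name, "--resource-group", resource_group,
                    "--query", "userAssignedIdentities") or {}
    findings = {}
    for identity_id, props in identities.items():
        roles = privileged_roles(az("role", "assignment", "list",
                                    "--assignee", props["principalId"], "--all") or [])
        if roles:
            findings[identity_id] = roles
    return findings

def audit_subscription():
    """Steps 01 and 07: audit every Azure OpenAI instance in the current subscription."""
    query = "[?(kind==`OpenAI`)].{name:name, resourceGroup:resourceGroup}"
    instances = az("cognitiveservices", "account", "list", "--query", query) or []
    return {i["name"]: audit_instance(i["name"], i["resourceGroup"]) for i in instances}

if __name__ == "__main__":
    for name, findings in audit_subscription().items():
        print(name, "admin privileges:" if findings else "ok", findings)
```

Run it once per subscription (step 08) after selecting each subscription with `az account set`; an instance with no user-assigned identities or no privileged roles reports `ok`.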