Getting Started

We want to make everything as simple as possible for you. This page will tell you everything you need to know to get up and running in minutes.

Signing Up

Our philosophy is to make things as simple as possible, and signing up is no different. RoleSense uses Microsoft Authentication to ensure that you can log in with your existing work accounts quickly without any fuss. This also enables your IT teams to choose how they control access to the RoleSense application.

If you would like to start using RoleSense, follow the instructions below:

  1. Select the Login or Register Today buttons found on the website.
  2. A Microsoft login prompt will appear. Sign in with your normal work account.
  3. Approve the requested permissions, which are required to allow RoleSense to view basic information about your users and your Azure tenant.
  4. Upon successful sign-in, you will be taken to the Getting Started page which walks you through any additional required setup, including granting RoleSense read-only access to the Subscriptions you plan to review.
  5. By default, you are assigned a Free licence which allows you to generate limited reports for your Azure environment to see how RoleSense works.

Prerequisites

By default, RoleSense has no access to your Azure environment. To allow it to analyse Audit Logs, User Accounts and Service Principals, please follow the steps below.


Azure Configuration

Assign Directory Reader Role

To successfully audit your environment, RoleSense requires that the Directory Readers role is assigned to the RoleSense Service Principal in Entra ID. This role allows RoleSense to retrieve information about your tenant and users, which is required to perform an access audit.

  1. Access the Azure Admin Portal using an account with the necessary permissions to assign roles in Entra ID.
  2. Navigate to Entra ID and access the Roles and administrators page.
  3. Locate the Directory Readers role in the list and access it.
  4. Select Add assignments then assign the Directory Readers role to the RoleSense application.

Assign Subscription Access

You must explicitly grant the Reader role to the RoleSense Service Principal within each Subscription you plan to review. This ensures that RoleSense is able to audit your Activity Logs and to suggest security improvements. You can optionally assign the Reader role at a Management Group level instead to provide access to multiple Subscriptions.

  1. Access each Subscription that you plan to audit.
  2. Assign the Reader role to the RoleSense service principal.
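After completing the assignments above, you can confirm that the service principal holds only Reader, and only at Subscription or Management Group scope. The following is an added example, not RoleSense's own code. It assumes role assignments exported as JSON in the shape produced by `az role assignment list --all -o json` (fields `principalId`, `roleDefinitionName`, `scope`); all GUIDs and names in the sample are constructed placeholders.

```python
# Constructed sample shaped like `az role assignment list --all -o json` output.
# Every GUID and name is a placeholder, not a real identifier.
SP = "11111111-1111-1111-1111-111111111111"   # assumed object ID of the vendor service principal
SUB = "/subscriptions/00000000-0000-0000-0000-00000000000"
SAMPLE = [
    {"principalId": SP, "roleDefinitionName": "Reader", "scope": SUB + "1"},
    {"principalId": SP, "roleDefinitionName": "Contributor", "scope": SUB + "2"},
    {"principalId": SP, "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-example"},
    {"principalId": SP, "roleDefinitionName": "Reader", "scope": SUB + "1/resourceGroups/rg-example"},
    {"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Owner", "scope": SUB + "1"},
]

def scope_level(scope):
    """Classify an ARM scope string by how far down the hierarchy it sits."""
    parts = [p.lower() for p in scope.split("/") if p]
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "management_group"
    if len(parts) > 2 and parts[0] == "subscriptions":
        return "narrower"          # resource group or single resource
    return "other"                 # e.g. the root scope "/"

def audit(assignments, principal_id, expected_subscription_ids):
    """Return (findings, subscriptions lacking a direct Reader grant, management-group scopes)."""
    findings, covered, mgmt_groups = [], set(), []
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue               # assignment belongs to some other principal
        role, scope, level = a["roleDefinitionName"], a["scope"], scope_level(a["scope"])
        if role != "Reader":
            findings.append(("excess_role", role, scope))
        elif level == "subscription":
            covered.add(scope.split("/")[2].lower())
        elif level == "management_group":
            mgmt_groups.append(scope)   # child subscriptions inherit; hierarchy not resolved here
        else:
            findings.append(("unexpected_scope", role, scope))
    missing = sorted(s for s in expected_subscription_ids if s.lower() not in covered)
    return findings, missing, mgmt_groups

if __name__ == "__main__":
    ids = [SUB.split("/")[2] + n for n in "123"]
    print(audit(SAMPLE, SP, ids))
```

A Subscription reported as missing may still be readable through a listed Management Group; check the group's membership before adding another assignment.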

Generating a Report

RoleSense allows you to audit all direct role assignments on users and service principals in a given Subscription, identifying roles that may no longer be required and role assignments that can be reduced based on actual usage.

To generate a report, first ensure that all prerequisites have been met and then follow the instructions below:

  1. Navigate to the Home page.
  2. Under the Start Role Analysis heading, select a Subscription, which determines the Subscription that will be analysed.
    • If no Subscriptions appear, ensure the RoleSense application has at least the Reader role at the Subscription level.
  3. Optionally, select a Resource Group to view role assignments at that level.
  4. If you have configured Activity Log Linking, you may also select a date to modify the lookback period of the report.
  5. Click Analyse.
  6. A report appears in the Reports list with the Requested status. This will change as the report is processed and will finally change to Ready status which indicates that the report has finished processing and is ready to view. This can take some time depending on the quantity of activity logs available.

Although RoleSense queries the Graph API directly by default to generate reports, the API has a limited retention period of 30 days. If you need a longer lookback period, you can link RoleSense to a Log Analytics Workspace which contains exported Azure Activity Logs.

  1. Navigate to the Activity Log Link page.
  2. Under the Log Analytics Workspace Link heading, select the Subscription which contains the Workspace.
    • If no Subscriptions appear, ensure the RoleSense application has at least the Reader role at the Subscription level.
  3. Select the Workspace name which contains the Activity Logs.
  4. Click Link. RoleSense will now authenticate to the Workspace, ensuring that there are valid Activity Logs.
  5. Once the page reloads, the oldest available log date will be displayed. RoleSense will continue to query the Graph API until the Workspace has a minimum of 30 days of logs.

Understanding Licencing

Free Licence

By default, your account will be on a free licence which allows you to generate a single report at a time and to view up to 25 individual role assignments per report.

How Licencing Works

RoleSense offers a simple licencing model based on the number of principals you need to manage. Each user licence costs £1 per user per month and grants you the ability to view all role assignments linked to a single "principal". A principal can be either a user account or a service principal.

For example, if your environment contains 50 unique principals with role assignments:

  • If you purchase 50 user licences, you can view all role assignments for all principals, no matter how many roles they are assigned.
  • If you purchase only 40 user licences, you can view role assignments for up to 40 principals. Reports will show if there are any role assignments which you're not able to view with your current licence count.

This system allows you to tailor your licences to the number of users and service principals you need to monitor, making it both cost-effective and flexible.

Estimating Required Number of Licences

Determining how many licences you need for any software can be difficult, and we want to change that, so we've made it as simple as possible.

Navigate to the Billing page, where you will see a recommendation for the number of required licences. This recommendation is a total count of unique principals with direct role assignments found across all Subscriptions which RoleSense has been granted access to.

The recommended quantity is reevaluated each time you navigate to Billing and provides the simplest way to ensure you have only the number of licences that you need at any time.