Let’s be honest. Even though we have excellent tools to manage permissions for our Azure resources, sometimes we don’t know exactly what a given user or group has access to. There is, however, an easy way of checking this:
Go to Azure Active Directory -> Users & Groups -> Users, then find the user (in this case an external consultant):
Select Azure Resources:
As you can see, this user has Owner access to one of my subscriptions. Better get that fixed!
If you click the role assignment, you get the option to delete it:
Quick and easy! And the same thing can be done for groups of users.
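The same review can be scripted when there are many users or groups to check. The following is an added example, not part of the original post: it assumes the assignments were exported with `az role assignment list --assignee <user> --all --include-groups -o json`, and it flags high-privilege roles granted at subscription scope or above, like the Owner assignment found here. The role selection, function names and sample data are constructed for illustration.

```python
import json
import re
import sys

# Roles that can change resources or access (a selection chosen for this example).
HIGH_PRIVILEGE = {"Owner", "Contributor", "User Access Administrator"}
BROAD_LEVELS = ("root", "management group", "subscription")
ORDER = BROAD_LEVELS + ("resource group", "resource")

SCOPE_PATTERNS = [
    (r"^/$", "root"),
    (r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", "management group"),
    (r"^/subscriptions/[^/]+$", "subscription"),
    (r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", "resource group"),
]

def scope_level(scope):
    """Classify an ARM scope string by how much of the tenant it covers."""
    for pattern, level in SCOPE_PATTERNS:
        if re.match(pattern, scope, re.IGNORECASE):
            return level
    return "resource"

def review(assignments):
    """Return one finding per assignment, broadest scope first."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        role = a["roleDefinitionName"]
        findings.append({
            "role": role, "level": level, "scope": a["scope"],
            # principalType "Group" means the access comes from a group membership
            "via": a.get("principalType", "Unknown"),
            "flag": role in HIGH_PRIVILEGE and level in BROAD_LEVELS,
        })
    return sorted(findings, key=lambda f: (ORDER.index(f["level"]), f["role"]))

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
SAMPLE = [  # constructed sample, shaped like the CLI's JSON output
    {"roleDefinitionName": "Reader", "principalType": "Group", "scope": SUB + "/resourceGroups/rg-app"},
    {"roleDefinitionName": "Owner", "principalType": "User", "scope": SUB},
    {"roleDefinitionName": "Contributor", "principalType": "User",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stexample"},
]

if __name__ == "__main__":
    # Pass the exported JSON file as the first argument, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in review(data):
        print("REVIEW" if f["flag"] else "ok    ", f["role"], f["level"], f["via"], f["scope"])
```

Lines marked REVIEW are the ones to look at in the portal view described above; everything else is listed so that narrower grants are still visible.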