Description:
Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
Rationale:
Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions that were not intended.
Impact:
Ensures that no custom role exists with owner-level permissions (the '*' action) and an assignable scope covering the whole subscription, which eliminates the accidental allocation of higher privileges to a user.
Default Value:
By default, no custom owner roles are created.
Pre-requisites:
Azure account
Azure CLI
Remediation:
Test Plan:
Using Azure Command-Line Interface 2.0
az role definition list
Check for entries with an 'assignableScopes' value of '/' or a subscription, and an action of '*'. Verify the usage and impact of removing each role identified.
Using Powershell
Connect-AzAccount
Get-AzRoleDefinition | Where-Object {($_.IsCustom -eq $true) -and ($_.Name -like "Owner")}
Review output for each returned role's 'AssignableScopes' value for '/' or the current subscription, and 'Actions' containing the '*' wildcard character
Implementation:
Using Azure Command-Line Interface 2.0
az role definition list
Check for entries with an 'assignableScopes' value of '/' or a subscription, and an action of '*'. Verify the usage and impact of removing each role identified.
az role definition delete --name "rolename"
Deletes the custom role whose name is given as rolename.
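The following script is an added example (not part of this benchmark text or of the Azure CLI) that automates the Test Plan and Implementation steps above: it takes the JSON produced by az role definition list, flags only custom roles that combine the '*' action with an assignable scope of '/' or a subscription, and prints the matching az role definition delete command for each. The role definitions and the all-zero subscription ID below are constructed sample data; the commands are printed rather than executed so that the usage and impact of removing each role can be reviewed first.

```python
import json
import re

# Constructed sample in the shape returned by `az role definition list`
# (only the fields needed for this check are included; the subscription ID is a placeholder).
SAMPLE_ROLE_DEFINITIONS = json.dumps([
    {   # built-in Owner: not custom, so out of scope for this control
        "roleName": "Owner",
        "roleType": "BuiltInRole",
        "assignableScopes": ["/"],
        "permissions": [{"actions": ["*"], "notActions": []}],
    },
    {   # custom role with '*' assignable at subscription scope: this is the finding
        "roleName": "Custom Owner",
        "roleType": "CustomRole",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{"actions": ["*"], "notActions": []}],
    },
    {   # custom role with '*' but only assignable to one resource group: not flagged by this check
        "roleName": "Custom Owner RG Only",
        "roleType": "CustomRole",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"],
        "permissions": [{"actions": ["*"], "notActions": []}],
    },
    {   # least-privilege custom role at subscription scope: not flagged
        "roleName": "VM Operator",
        "roleType": "CustomRole",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/start/action"], "notActions": []}],
    },
])

# Matches a bare subscription scope such as /subscriptions/<id>, with or without a trailing slash.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$")


def is_root_or_subscription_scope(scope: str) -> bool:
    """True for the tenant root '/' or a whole-subscription scope."""
    return scope == "/" or bool(SUBSCRIPTION_SCOPE.match(scope))


def is_custom_owner_role(role: dict) -> bool:
    """A custom role that grants the '*' action and can be assigned at '/' or a subscription."""
    if role.get("roleType") != "CustomRole":
        return False
    has_wildcard_action = any("*" in perm.get("actions", []) for perm in role.get("permissions", []))
    has_broad_scope = any(is_root_or_subscription_scope(s) for s in role.get("assignableScopes", []))
    return has_wildcard_action and has_broad_scope


def find_custom_owner_roles(role_definitions_json: str) -> list:
    """Return the sorted names of custom owner-equivalent roles in `az role definition list` output."""
    roles = json.loads(role_definitions_json)
    return sorted(role["roleName"] for role in roles if is_custom_owner_role(role))


def remediation_commands(role_names) -> list:
    """Build the Implementation step's delete command for each flagged role (for review, not execution)."""
    return [f'az role definition delete --name "{name}"' for name in role_names]


if __name__ == "__main__":
    # In practice: az role definition list > roles.json, then load that file instead of the sample.
    flagged = find_custom_owner_roles(SAMPLE_ROLE_DEFINITIONS)
    if not flagged:
        print("PASS: no custom owner roles assignable at '/' or subscription scope")
    for command in remediation_commands(flagged):
        print("FAIL: review usage and impact, then run:", command)
```

Custom roles with '*' that are assignable only below subscription scope are deliberately not reported, because the control as written is limited to '/' and subscription scopes; widen is_root_or_subscription_scope if your review also covers management-group or resource-group scopes.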
Backout Plan:
Azure allows us to create custom roles for our use cases. However, the permissions allocated to such a role should be chosen from the predefined set of permissions in Azure, found under the Roles+Administrators tab of AAD, rather than the '*' wildcard.
Using Azure Command-Line Interface 2.0
az role definition list
Check for entries with an 'assignableScopes' value of '/' or a subscription, and an action of '*'. Verify the usage and impact of removing each role identified.
az role definition delete --name "rolename"