Description:

Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed, and only necessary privileges should be assigned instead of allowing full administrative access.


Rationale:

Classic subscription admin roles provide basic access management, including Account Administrator, Service Administrator, and Co-Administrators. Granting only the minimum required permissions and adding access as needed helps prevent unintended actions.


Impact:

Ensures that no custom role exists with Owner-equivalent permissions and an assignable scope covering the whole subscription, which eliminates the accidental allocation of excessive privileges to users.


Default Value:

By default, no custom owner roles are created.


Pre-requisites:

  • Your account must have the Owner or User Access Administrator role

  • You have access to the Subscription (IAM) blade

  • You can view and delete custom roles

  • You have change approval (if in production)


Test Plan:

  1. Go to the Azure portal.

  2. Search for and open Subscriptions, then select the required subscription.

  3. From the left menu, click Access control (IAM) and open the Roles tab.

  4. In the Roles view, set the filter Type = CustomRole.

  5. Click View and verify that there are no custom roles with administrator-level permissions at the subscription level.

  6. Only built-in roles such as Owner, Contributor, and Reader should be assigned.

  7. If any custom role with administrator-level permissions is found, follow the Implementation Steps.
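As an added example (not part of this control document), the following Python check applies the Test Plan's condition to JSON in the shape returned by `az role definition list --custom-role-only true`: a custom role is flagged when it grants `*` without the role-assignment carve-out that the built-in Contributor role has, and is assignable at subscription scope or wider. The role definitions and subscription ID below are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample in the shape of `az role definition list --custom-role-only true`
# output; the subscription ID is a placeholder, not a real tenant value.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ROLE_DEFINITIONS = json.dumps([
    {"roleName": "Custom Subscription Owner", "roleType": "CustomRole",
     "assignableScopes": [SUB], "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Custom Contributor", "roleType": "CustomRole", "assignableScopes": [SUB],
     "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write",
                                                        "Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "Lock Administrator", "roleType": "CustomRole", "assignableScopes": [SUB],
     "permissions": [{"actions": ["Microsoft.Authorization/locks/*"], "notActions": []}]},
    {"roleName": "Resource Group Owner", "roleType": "CustomRole",
     "assignableScopes": [SUB + "/resourceGroups/rg-app"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
])

def is_subscription_or_wider(scope: str) -> bool:
    """True for the root scope '/', a management group, or a whole subscription."""
    parts = [p for p in scope.split("/") if p]
    if not parts or (parts[0] == "providers" and "managementGroups" in parts):
        return True
    return parts[0] == "subscriptions" and len(parts) == 2

def grants_owner_equivalent(permissions) -> bool:
    """'*' with no carve-out of role-assignment writes (unlike built-in Contributor)."""
    for perm in permissions:
        if "*" not in perm.get("actions", []):
            continue
        # Azure action names are case-insensitive, so compare lower-cased.
        carved_out = any(fnmatchcase("microsoft.authorization/roleassignments/write", na.lower())
                         for na in perm.get("notActions", []))
        if not carved_out:
            return True
    return False

def find_custom_owner_roles(role_definitions_json: str) -> list:
    """Names of custom roles that are Owner-equivalent at subscription scope or wider."""
    return [role["roleName"] for role in json.loads(role_definitions_json)
            if role.get("roleType") == "CustomRole"
            and grants_owner_equivalent(role.get("permissions", []))
            and any(is_subscription_or_wider(s) for s in role.get("assignableScopes", []))]

if __name__ == "__main__":
    print(find_custom_owner_roles(SAMPLE_ROLE_DEFINITIONS))  # ['Custom Subscription Owner']
```

Roles scoped below the subscription (such as a single resource group) are deliberately not reported, since the control concerns subscription-wide administrative access.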


Implementation Steps:

  1. Open the Azure portal and navigate to the Subscriptions.

  2. Select the subscription you want to review.

  3. Open Access control (IAM) from the left menu.


  4. Go to the Roles tab and set the filter Type = Custom role.

  5. Click View to review the role details.

  6. For the custom role identified (here, Administering Resources Lock), click Assignments and remove the assignment at the subscription level.


Backout Plan:

  1. Go to the Azure portal and navigate to Subscriptions.

  2. Select the required subscription and open Access control (IAM).

  3. Click Add, then select Add role assignment.

  4. Assign an appropriate built-in role, such as Owner (for full administrative access), Contributor (for resource management), or User Access Administrator (for access management only).

  5. Select the affected user or group.

  6. Click Save to apply the role assignment.


Reference: