Ensure that there are no custom subscription owner roles available in your Azure account in order to adhere to cloud security best practices and implement the principle of least privilege - the practice of providing every user the minimal amount of access required to perform its tasks.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Typical Azure subscription administrator roles offer basic access management. A custom subscription owner role has full administrative access as its assignable scope is the entire subscription and it can perform any action (i.e. "*"). As security best practice, it is strongly recommended that the least necessary permissions are given initially. Permissions can be added later, as needed, by the account holder. This ensures that the Azure account holder cannot perform actions which were not intended.
To determine if there are any custom owner roles available in your Microsoft Azure account, perform the following actions:
Remediation / Resolution
To remove all non-compliant custom owner roles from your Microsoft Azure cloud account, perform the following actions:Note: Before deleting the non-compliant role definition, verify the usage and the impact of removing the identified role from your Azure cloud account.
- Azure Official Documentation
- Add or change Azure subscription administrators
- Manage access to Azure resources using RBAC and the Azure portal
- Understand role definitions for Azure resources
- Create custom roles for Azure resources using Azure CLI
- CIS Microsoft Azure Foundations
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Remove Custom Owner Roles
Risk level: Medium