- Use Role-Based Access Control for Azure DNS Zones
To promote the Principle of Least Privilege (POLP) and implement proper Azure Role-Based Access Control (RBAC), ensure that your Microsoft Azure DNS zones don't have privileged administrative permissions. Overly permissive access to DNS zones can allow unauthorized modifications to critical DNS records, which can affect service availability and security.
Granting broad, privileged administrator roles to users and groups can introduce significant security risks. Unintended access, data breaches, and misuse of resources are all potential outcomes. Instead, you should use Azure RBAC to limit permissions to the minimum necessary for a specific task. This approach follows the Principle of Least Privilege, which enhances overall security by reducing the attack surface and minimizing the potential damage from unauthorized access. With Azure RBAC, you can precisely control who can do what within your Azure environment, ensuring that users only have the access they need, and nothing more. This is a fundamental practice for maintaining a secure and well-managed cloud infrastructure.
Audit
To determine if your Azure DNS zones are configured with admin privileges, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and DNS zone for Value, then choose Apply to list the Azure DNS zones available in the selected subscription.
05 Click on the name (link) of the Azure DNS zone that you want to examine.
06 In the resource navigation panel, choose Access control (IAM), and select the Role assignments tab.
07 Choose This resource from the Scope : All scopes filter box and select the All tab to view the role assignments for the selected Azure DNS zone.
08 Check the Role column to determine if there are any role assignments with privileged administrator roles such as "Owner", "Contributor", "User Access Administrator", and "Role Based Access Control Administrator". You can also click on the role name (link) to view the role permissions. If one or more role assignments are using privileged administrator roles, the identities associated with those roles have administrative permissions over the selected Microsoft Azure DNS zone.
09 Repeat steps no. 5 – 8 for each Azure DNS zone created within the selected Azure subscription.
10 Repeat steps no. 3 – 9 for each Azure subscription available in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run network dns zone list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure DNS zone available in the selected subscription:
az network dns zone list --query '[*].id'
05 The command output should return the requested DNS zone identifiers (IDs):
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com", "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/client.trendmicro.com" ]
06 Run role assignment list command (Windows/macOS/Linux) with the ID of the Azure DNS zone that you want to examine as the identifier parameter, to describe the role assignments for the selected DNS zone:
az role assignment list --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com" --query "[].{Principal:principalName,PrincipalId:principalId,PrincipalType:principalType,Role:roleDefinitionName,Scope:scope}"
07 The command output should return the role assignments available for the selected resource:
[ { "Principal": "user@domain.com", "PrincipalId": "1234abcd-1234-abcd-1234-abcd1234abcd", "PrincipalType": "User", "Role": "Owner", "Scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnsZones/trendmicro.com" }, { "Principal": "user@domain.com", "PrincipalId": "1234abcd-1234-abcd-1234-abcd1234abcd", "PrincipalType": "User", "Role": "Contributor", "Scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnsZones/trendmicro.com" } ]
Check the "Role" attribute value for each role assignment returned by the role assignment list command output to determine if your DNS zone has any role assignments with privileged administrator roles such as "Owner", "Contributor", "User Access Administrator", and "Role Based Access Control Administrator". If one or more role assignments are using privileged administrator roles, the identities associated with those roles have administrative permissions over the selected Microsoft Azure DNS zone.
08 Repeat steps no. 6 and 7 for each Azure DNS zone created within the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription available in your Microsoft Azure cloud account.
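The Azure CLI audit above can be automated. The following script is an added example (not part of the original page) that walks every subscription and DNS zone with the same az commands and flags assignments using the privileged roles listed in step 7; it goes one step further than the page by also listing assignments inherited from the resource group or subscription (az role assignment list --include-inherited), marking them as not direct. It assumes the az CLI is installed and signed in; the sample data in the test is constructed from the output shown in step 7.

```python
"""Audit Azure DNS zones for privileged administrator role assignments."""
import json
import subprocess

# Privileged administrator roles named in the audit steps above.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator",
                    "Role Based Access Control Administrator"}


def az(*args):
    """Run an az CLI command and return its parsed JSON output (None if empty)."""
    proc = subprocess.run(["az", *args, "--output", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def privileged_assignments(assignments, zone_id):
    """Return the assignments that grant a privileged role on zone_id.

    Azure resource IDs are case-insensitive (the CLI prints 'dnszones' in
    zone IDs but 'dnsZones' in assignment scopes), so scopes are compared
    lower-cased. 'direct' is False for assignments inherited from the
    resource group or subscription; those grant the same rights on the zone.
    """
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName")
        if role in PRIVILEGED_ROLES:
            scope = a.get("scope", "")
            findings.append({
                "principal": a.get("principalName") or a.get("principalId"),
                "principalType": a.get("principalType"),
                "role": role,
                "direct": scope.lower() == zone_id.lower(),
            })
    return findings


def audit_all_subscriptions():
    """Walk every subscription and DNS zone; return the list of findings."""
    findings = []
    for sub_id in az("account", "list", "--query", "[*].id"):
        az("account", "set", "--subscription", sub_id)
        for zone_id in az("network", "dns", "zone", "list", "--query", "[*].id"):
            assignments = az("role", "assignment", "list", "--scope", zone_id,
                             "--include-inherited") or []
            for f in privileged_assignments(assignments, zone_id):
                findings.append({"zone": zone_id, **f})
    return findings


if __name__ == "__main__":
    for f in audit_all_subscriptions():
        where = "direct" if f["direct"] else "inherited"
        print(f'{f["zone"]}: {f["principal"]} ({f["principalType"]}) has {f["role"]} [{where}]')
```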
Remediation / Resolution
To implement secure Role-Based Access Control (RBAC) for your Microsoft Azure DNS zones, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and DNS zone for Value, then choose Apply to list the Azure DNS zones available in the selected subscription.
05 Click on the name (link) of the Azure DNS zone that you want to configure.
06 In the resource navigation panel, choose Access control (IAM), and select the Role assignments tab.
07 Choose This resource from the Scope : All scopes filter box and select the All tab to list the role assignments for the selected Azure DNS zone.
08 Select the role assignments that are using privileged administrator roles (i.e., "Owner", "Contributor", "User Access Administrator", and "Role Based Access Control Administrator" roles) and choose Delete to remove the overly permissive role assignments. In the Remove role assignments box, choose Yes for confirmation.
09 To add a new role assignment that follows the Principle of Least Privilege (POLP), choose Add from the page top menu, select Add role assignment, and perform the following actions to create a new role assignment for your DNS zone:
- For Role, select the Job function roles tab, and choose the appropriate, non-privileged role that you want to attach. For example, you can choose the DNS Zone Contributor built-in role. The DNS Zone Contributor role lets you manage your DNS zone and record sets, but does not let you control who has access to them. Choose Next to continue.
- For Members, choose User, group, or service principal next to Assign access to, choose Select members next to Members, and select the appropriate identity (member). Choose Next to continue.
- For Review + assign, choose Review + assign to complete the role assignment process.
10 Repeat steps no. 5 – 9 for each Azure DNS zone that you want to configure, deployed in the selected Azure subscription.
11 Repeat steps no. 3 – 10 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run role assignment delete command (Windows/macOS/Linux) to remove the overly permissive role assignments from your Azure DNS zone. The following command deletes all role assignments with the "Owner" role at the DNS zone level (if the request is successful, the command does not produce an output):
az role assignment delete --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com" --role "Owner"
05 Run role assignment create command (Windows/macOS/Linux) to add a new role assignment that follows the Principle of Least Privilege to your Azure DNS zone. Use the --role parameter to specify the name of the non-privileged role that you want to assign. For example, you can choose the DNS Zone Contributor built-in role. The DNS Zone Contributor role lets you manage your DNS zone and record sets, but does not let you control who has access to them:
az role assignment create --assignee "1234abcd-1234-abcd-1234-abcd1234abcd" --role "DNS Zone Contributor" --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com"
06 Once the assignment process is completed, the command output should return the information available for the new role assignment:
{ "condition": null, "conditionVersion": null, "createdBy": null, "createdOn": "2025-08-14T11:57:03.505698+00:00", "delegatedManagedIdentityResourceId": null, "description": null, "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com/providers/Microsoft.Authorization/roleAssignments/1234abcd-1234-abcd-1234-abcd1234abcd", "name": "abcdabcd-1234-abcd-1234-abcdabcdabcd", "principalId": "1234abcd-1234-abcd-1234-abcd1234abcd", "principalType": "User", "resourceGroup": "cloud-shell-storage-westeurope", "roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-1234-abcd-1234-abcd1234abcd", "scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com", "type": "Microsoft.Authorization/roleAssignments", "updatedBy": "1234abcd-1234-abcd-1234-abcd1234abcd", "updatedOn": "2025-08-14T11:57:03.728696+00:00" }
07 Repeat steps no. 4 – 6 for each Azure DNS zone that you want to configure, deployed in the selected Azure subscription.
08 Repeat steps no. 3 – 7 for each Azure subscription created in your Microsoft Azure cloud account.