
Azure Subscription Owners

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure there are between 2 and 3 subscription owners designated for each Microsoft Azure account subscription in order to provide administrator access redundancy while limiting the potential for security breaches from a compromised privileged account.

Reliability
Security

To make a user an owner of an Azure subscription, an existing administrator assigns them the Owner role at the subscription level. The Owner role gives the user full access to all Azure resources available within the subscription, including the right to delegate access to other users. To manage access to your Azure cloud resources, you must have the appropriate administrator role. For access redundancy, a minimum of two owners should be assigned to a Microsoft Azure subscription. To minimize the potential attack surface and the risk of a security breach, a maximum of three owners should be assigned to an Azure subscription, thereby limiting the number of highly privileged accounts with full control over all subscription resources and user access.


Audit

To determine if your Microsoft Azure subscriptions have between 2 and 3 subscription owners assigned, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console as an account owner.

02 Navigate to Subscriptions blade available at https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2.

03 Click on the name (link) of the Azure subscription that you want to examine.

04 In the left navigation panel, select Access control (IAM) to access IAM settings for the subscription.

05 Choose the Role assignments main tab and select the All tab to list all the role assignments created for the selected Azure subscription.

06 To list all the members (principals) with the Owner role assigned to the selected subscription, choose Type : All, select Role : Owner, and choose Scope : This resource. Ensure a minimum of 2 and a maximum of 3 members are returned. If the number of members is not between 2 and 3, the access configuration for the selected Microsoft Azure subscription is non-compliant.

07 Repeat steps no. 3 – 6 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run role assignment list command (Windows/macOS/Linux) with the ID of the Azure subscription that you want to examine as the identifier parameter and custom output filters to list the name and type of each principal (member) configured with the Owner role, assigned to the selected subscription:

az role assignment list \
	--scope /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--role "Owner" \
	--output table \
	--query "[].{PrincipalName:principalName, Type:principalType}"

04 The command output should return the requested Azure user names:

PrincipalName                                      Type
-------------------------------------------------  ----
secops_domain.com#EXT#@subdomain.onmicrosoft.com   User

Ensure a minimum of 2 and a maximum of 3 members are returned. If the number of members returned by the role assignment list command output is not between 2 and 3, the access configuration for the selected Microsoft Azure subscription is non-compliant.

05 Repeat steps no. 3 and 4 for each subscription available in your Microsoft Azure cloud account.
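The CLI audit above is repeated by hand for every subscription. The following POSIX shell script is an added example (it is not part of the Conformity page or the Azure CLI) that applies the same 2-to-3 Owner check to the JSON that `az role assignment list --scope /subscriptions/<id> --role Owner --output json` returns. The two JSON documents embedded in it are constructed samples so the script runs offline; the subscription IDs are the placeholders used on this page, and the principal names are invented.

```shell
#!/bin/sh
# Added example, not taken from the Conformity page: evaluate the "between 2 and 3
# Owners" rule over the JSON that `az role assignment list --scope <subscription>
# --role Owner --output json` returns. The JSON below is constructed so that the
# check can be exercised offline; subscription IDs are placeholders.

MIN_OWNERS=2
MAX_OWNERS=3

# Count Owner assignments in an az JSON document supplied on stdin.
# Every role assignment object carries exactly one "principalName" key,
# so counting those lines equals counting assignments. grep -c prints 0
# (and exits 1) when nothing matches, hence the `|| true`.
count_owners() {
    grep -c '"principalName"' || true
}

# Exit 0 when the count lies within [MIN_OWNERS, MAX_OWNERS], 1 otherwise.
owner_count_compliant() {
    [ "$1" -ge "$MIN_OWNERS" ] && [ "$1" -le "$MAX_OWNERS" ]
}

# Evaluate one subscription: $1 = subscription ID, $2 = az JSON output.
# Prints a verdict line and returns 0 (compliant) or 1 (non-compliant).
evaluate_subscription() {
    owners=$(printf '%s\n' "$2" | count_owners)
    if owner_count_compliant "$owners"; then
        echo "$1: $owners Owner assignment(s): compliant"
        return 0
    fi
    echo "$1: $owners Owner assignment(s): NON-COMPLIANT (expected $MIN_OWNERS-$MAX_OWNERS)"
    return 1
}

# Constructed sample: two Owner assignments, one user and one group.
SAMPLE_TWO_OWNERS='[
  {"principalName": "secops@subdomain.onmicrosoft.com", "principalType": "User", "roleDefinitionName": "Owner"},
  {"principalName": "cloud-admins", "principalType": "Group", "roleDefinitionName": "Owner"}
]'

# Constructed sample: a single Owner assignment (no administrator redundancy).
SAMPLE_ONE_OWNER='[
  {"principalName": "secops@subdomain.onmicrosoft.com", "principalType": "User", "roleDefinitionName": "Owner"}
]'

# Walk every subscription and return the number of non-compliant ones.
# Against a real tenant, replace the embedded samples with live output:
#   for sub in $(az account list --query '[*].id' --output tsv); do
#       evaluate_subscription "$sub" "$(az role assignment list \
#           --scope "/subscriptions/$sub" --role Owner --output json)"
#   done
run_offline_demo() {
    failures=0
    evaluate_subscription "abcdabcd-1234-abcd-1234-abcdabcdabcd" "$SAMPLE_TWO_OWNERS" || failures=$((failures + 1))
    evaluate_subscription "abcd1234-abcd-1234-abcd-abcd1234abcd" "$SAMPLE_ONE_OWNER" || failures=$((failures + 1))
    return "$failures"
}

run_offline_demo
```

Two points the raw count does not capture: an Owner assignment to a group (principalType "Group", as in the first sample) counts as one principal here and in the portal, but it grants full control to every member of that group, so the group's membership deserves the same scrutiny as a direct assignment; and the "Scope : This resource" filter in the portal excludes Owner assignments inherited from a parent management group, which still confer full control over the subscription.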

Remediation / Resolution

To ensure there are between 2 and 3 subscription owners designated for each Microsoft Azure account subscription, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console as an account owner.

02 Navigate to Subscriptions blade available at https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2.

03 Click on the name (link) of the Azure subscription that you want to configure.

04 In the left navigation panel, select Access control (IAM) to access IAM settings for the selected subscription.

05 If the number of members is less than two, add a new subscription owner. Choose Add from the page top menu and select Add role assignment. On the Add role assignment configuration page, perform the following actions:

  1. For Role, select the Privileged administrator roles tab, and choose Owner. The Owner role gives the specified member full administrator access to all Azure cloud resources available in the subscription, including the permission to grant access to others. Choose Next to continue the setup.
  2. For Members, select the type of the security principal to assign the role to and provide a short description for the role assignment. Choose Next to continue.
  3. For Conditions, choose whether to add any conditions in order to reduce the privileges you assign. A condition is a way to restrict the role assignments a member can create. Choose Review + assign to continue.
  4. For Review + assign, review the role assignment information, then choose Review + assign to complete the assignment process.

06 If the number of members is greater than three, remove a subscription owner. To delete a subscription owner, perform the following actions:

  1. Choose the Role assignments main tab and select the All tab to list all the role assignments created for the selected Azure subscription.
  2. To list all the members (principals) with the Owner role assigned to the selected subscription, choose Type : All, select Role : Owner, and choose Scope : This resource.
  3. Select the role assignment that you want to remove, choose Delete, and select Yes for confirmation.

07 Repeat steps no. 3 – 6 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 If the number of members is less than two, add a new subscription owner. Run role assignment create command (Windows/macOS/Linux) with the ID of the Azure subscription that you want to configure as the identifier parameter, to create a new Owner role assignment for a member (user) with the identifier "azmanager_trendmicro@azmanagertrendmicro.onmicrosoft.com", at the selected subscription level:

az role assignment create \
	--role "Owner" \
	--assignee "azmanager_trendmicro@azmanagertrendmicro.onmicrosoft.com" \
	--scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"

04 The command output should return the new role assignment information:

{
	"condition": null,
	"conditionVersion": null,
	"delegatedManagedIdentityResourceId": null,
	"description": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleAssignments/abcd1234-abcd-1234-abcd-abcd1234abcd",
	"name": "abcd1234-abcd-1234-abcd-abcd1234abcd",
	"principalId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
	"principalName": "azmanager_trendmicro@azmanagertrendmicro.onmicrosoft.com",
	"principalType": "User",
	"roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleDefinitions/abcd1234-abcd-1234-abcd-abcd1234abcd",
	"roleDefinitionName": "Owner",
	"scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"type": "Microsoft.Authorization/roleAssignments"
}

05 Run role assignment list command (Windows/macOS/Linux) with the ID of the Azure subscription that you want to examine as the identifier parameter and custom output filters to list the name of each principal (member) configured with the Owner role and the associated role assignment ID:

az role assignment list \
	--scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd" \
	--role "Owner" \
	--query "[].{PrincipalName:principalName, Id:id}"

06 The command output should return the requested role assignment information:

[
	{
		"Id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleAssignments/abcd1234-abcd-1234-abcd-abcd1234abcd",
		"PrincipalName": "azmanager_trendmicro@azmanagertrendmicro.onmicrosoft.com"
	},

	...

	{
		"Id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleAssignments/abcd1234-abcd-1234-abcd-abcd1234abcd",
		"PrincipalName": "developer@subdomain.onmicrosoft.com"
	}
]

07 If the number of members is greater than three, remove a subscription owner. To delete a subscription owner, run role assignment delete command (Windows/macOS/Linux), as shown in the example below (the command does not produce an output):

az role assignment delete \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleAssignments/abcd1234-abcd-1234-abcd-abcd1234abcd"

08 Repeat steps no. 3 – 7 for each subscription available in your Microsoft Azure cloud account.

Publication date Nov 10, 2025