Active Directory custom subscription owner roles should not be created
Custom roles that grant every action (an actions entry of *) and can be assigned at subscription or root scope are Owner-equivalent roles under a different name and should not be created. Follow the principle of least privilege: assign only the specific permissions a principal needs instead of granting full administrative access through a custom role.
Portal Remediation Steps
Navigate to Roles and administrators.
Select the custom role.
Click the ellipsis (…) and click Delete.
CLI Remediation Steps
Get the list of Azure roles:
az role definition list
Check for custom roles (roleType of CustomRole) with an assignableScopes entry of / or a subscription, and an actions entry of *.
Verify the usage and impact of removing the role (existing assignments of the role lose that access), then delete it:
az role definition delete --name "rolename"
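The CLI steps above leave the filtering to the reader. The following script is an added example, not code from the original page: it consumes the JSON that az role definition list -o json emits and applies the page's criteria (custom role, actions of *, assignable at / or at a subscription), printing the matching roles together with the delete command from the page. The script name, the sample role definitions and the subscription id are constructed for illustration; management-group scopes are flagged as well, which goes beyond the page's two scope kinds, because a role assignable at a management group can be assigned to every subscription beneath it.

```python
"""Find custom Azure RBAC roles that are effectively subscription Owners.

Usage (hypothetical script name, not from the original page):
    az role definition list -o json | python3 audit_custom_owner_roles.py
With no piped input it audits the constructed sample below.
"""
import json
import sys

# Constructed sample in the shape `az role definition list -o json` returns
# (id, name, description and other fields omitted). Not real tenant data.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ROLE_DEFINITIONS = [
    {"roleName": "Owner", "roleType": "BuiltInRole", "assignableScopes": ["/"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Custom Subscription Owner", "roleType": "CustomRole",
     "assignableScopes": [SUB],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Custom Tenant Admin", "roleType": "CustomRole",
     "assignableScopes": ["/"],
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "MG Owner", "roleType": "CustomRole",
     "assignableScopes": ["/providers/Microsoft.Management/managementGroups/mg-corp"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "VM Operator", "roleType": "CustomRole",
     "assignableScopes": [SUB + "/resourceGroups/rg-prod"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Reader Plus", "roleType": "CustomRole",
     "assignableScopes": [SUB],
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
]


def is_broad_scope(scope):
    """True for the root scope, a management group, or a whole subscription.

    The page's criteria are "/" or a subscription; management groups are an
    added extension (assumption: a role assignable there reaches every
    subscription below it). Resource-group and resource scopes are not broad.
    """
    parts = [p for p in scope.split("/") if p]
    if not parts:                                   # "/" = tenant root
        return True
    if len(parts) == 2 and parts[0].lower() == "subscriptions":
        return True                                 # /subscriptions/<id>
    return (len(parts) == 4
            and [p.lower() for p in parts[:3]]
            == ["providers", "microsoft.management", "managementgroups"])


def find_custom_owner_roles(role_definitions):
    """Return findings for custom roles granting actions '*' at a broad scope."""
    findings = []
    for role in role_definitions:
        if role.get("roleType") != "CustomRole":    # the built-in Owner is expected
            continue
        broad = [s for s in role.get("assignableScopes", []) if is_broad_scope(s)]
        wild = [p for p in role.get("permissions", []) if "*" in p.get("actions", [])]
        if broad and wild:
            findings.append({
                "roleName": role["roleName"],
                "assignableScopes": broad,
                # notActions narrow the wildcard; list them so the reviewer can
                # judge how Owner-like the role really is before deleting it.
                "notActions": sorted({n for p in wild for n in p.get("notActions", [])}),
            })
    return findings


def remediation_commands(findings):
    """The page's delete command, one per flagged role."""
    return ['az role definition delete --name "%s"' % f["roleName"] for f in findings]


if __name__ == "__main__":
    defs = SAMPLE_ROLE_DEFINITIONS if sys.stdin.isatty() else json.load(sys.stdin)
    found = find_custom_owner_roles(defs)
    for f in found:
        print("%s  scopes=%s  notActions=%s"
              % (f["roleName"], f["assignableScopes"], f["notActions"]))
    for cmd in remediation_commands(found):
        print("  " + cmd)
```

Against the sample, the two roles with a resource-group scope or with only */read are left alone; the three wildcard roles at subscription, root and management-group scope are reported. Review the printed notActions and the role's current assignments before running the delete command, since any principal assigned the role loses that access immediately.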