Active Directory custom subscription owner roles should not be created


Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.

Portal Remediation Steps

CLI Remediation Steps

  • Get the list of Azure role definitions:

az role definition list

  • Check for entries with an assignableScope of / or a subscription, and an action of *.

  • Verify the usage and impact of removing the role, then delete it:

az role definition delete --name "rolename"
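As an added example (not part of this page), the following Python applies the check from the second step to the JSON that `az role definition list -o json` emits: save that output to a file and pass its text to find_custom_owner_roles. The role definitions below are constructed sample data, and restricting the check to custom roles and treating only / or a bare /subscriptions/<id> as a "subscription" scope are my assumptions about how to read the check.

```python
import json
import re

# Constructed sample in the shape of `az role definition list -o json` output
# (field names are the az CLI's; role names and subscription IDs are made up).
SAMPLE_ROLE_DEFINITIONS = json.dumps([
    {"roleName": "Owner", "roleType": "BuiltInRole", "assignableScopes": ["/"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Custom Subscription Owner", "roleType": "CustomRole",
     "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Custom RG Owner", "roleType": "CustomRole",
     "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"
                          "/resourceGroups/rg-app"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "VM Operator", "roleType": "CustomRole",
     "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
     "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*"], "notActions": []}]},
])

# "/" (tenant root) or exactly "/subscriptions/<guid>"; a resource-group or
# narrower scope does not make a role a subscription-wide owner (assumption).
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]+/?$")


def is_broad_scope(scope: str) -> bool:
    return scope == "/" or SUBSCRIPTION_SCOPE.match(scope) is not None


def grants_wildcard_actions(role: dict) -> bool:
    """True if any permission block lists the bare '*' action (notActions are ignored, so this is conservative)."""
    return any("*" in perm.get("actions", []) for perm in role.get("permissions", []))


def find_custom_owner_roles(role_definitions_json: str) -> list:
    """Return (roleName, [broad scopes]) for each custom role that is effectively Owner at root or subscription level."""
    findings = []
    for role in json.loads(role_definitions_json):
        if role.get("roleType") != "CustomRole":
            continue  # the built-in Owner role is expected and out of scope here
        if not grants_wildcard_actions(role):
            continue
        broad = [s for s in role.get("assignableScopes", []) if is_broad_scope(s)]
        if broad:
            findings.append((role["roleName"], broad))
    return findings


if __name__ == "__main__":
    for name, scopes in find_custom_owner_roles(SAMPLE_ROLE_DEFINITIONS):
        print(f"{name!r} grants * at {scopes}; review usage, then: "
              f'az role definition delete --name "{name}"')
```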