Azure-ActiveDirectory-No-Custom-Owner-Roles
Severity : High
Description: This control ensures that no custom subscription owner roles are created. Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. Subscription owners should not include permissions to create custom owner roles and follows the principle of least privilege.
Remediation Steps:
Perform following to remove roles assigned from subscription admins using Azure CLI :
list the role definition.
az role definition list
Look for entries with assignableScopeof / or a subscription, and an action of *. Remove the identified roles with command
az role definition delete --name
is those roles are not required to have the permission.
Important:
Reference:
CIS Microsoft Azure Foundations Benchmark v1.3.0 - 02-01-2021 : Recommendation #1.21
https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator
Blue Hexagon Proprietary