Azure-ActiveDirectory-No-Custom-Owner-Roles

Severity : High

Description: This control checks that no custom role definition grants the equivalent of subscription Owner. Classic subscription admin roles (Account Administrator, Service Administrator and Co-Administrator) offer only basic access management; Azure RBAC custom roles, by contrast, can be defined with the wildcard action * and made assignable at subscription scope, which is Owner in all but name. Subscription ownership should not include permission to create such custom owner roles; restricting it follows the principle of least privilege.

Remediation Steps:

Perform the following to find and remove custom owner roles using the Azure CLI:

  1. List the role definitions (adding --custom-role-only true skips built-in roles such as Owner, which legitimately has an action of * at /):

    1. az role definition list

  2. Look for entries whose assignableScopes contain / or a subscription, and whose actions contain *. For each identified role that is not required to have that permission, first confirm it has no remaining assignments (az role assignment list --role <role name> --all), remove any that exist, then delete the definition with az role definition delete --name <role name>. Azure refuses to delete a role definition that is still referenced by an assignment. Where the role is needed but over-broad, narrowing its actions or its assignableScopes is an alternative to deletion.
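The check in step 2, implemented as an added example (this is not Blue Hexagon's or Azure's code). It assumes the JSON shape produced by az role definition list --custom-role-only true -o json (fields roleType, assignableScopes, permissions[].actions, permissions[].notActions) and is run here against a constructed sample; the role names and GUIDs in the sample are made up. It goes slightly beyond the page's check by also treating management-group scopes as broad, since they sit above subscriptions.

```python
"""Flag custom Azure role definitions that grant Owner-equivalent rights.

Added example, not code from the original page. Pipe in the output of
`az role definition list --custom-role-only true -o json`, or run with
--demo to use the constructed sample below.
"""
import json
import re
import sys

# Scopes at or above subscription level. A role assignable here that allows
# the wildcard action '*' can be granted over an entire subscription.
# Management groups are included as a generalisation of the page's check.
_BROAD_SCOPE = re.compile(
    r"^(?:/"
    r"|/subscriptions/[0-9a-f-]{36}"
    r"|/providers/Microsoft\.Management/managementGroups/[^/]+)/?$",
    re.IGNORECASE,
)


def is_broad_scope(scope: str) -> bool:
    """True for '/', a bare subscription, or a management group scope."""
    return bool(_BROAD_SCOPE.match(scope))


def wildcard_permissions(role: dict) -> list:
    """Permission blocks of `role` whose actions contain the wildcard '*'."""
    return [p for p in role.get("permissions", []) if "*" in p.get("actions", [])]


def find_custom_owner_roles(role_definitions: list) -> list:
    """Return one finding per custom role with '*' assignable at broad scope.

    notActions are reported but do not clear a role: '*' minus a few
    exclusions is still Owner in practice.
    """
    findings = []
    for role in role_definitions:
        if role.get("roleType") != "CustomRole":
            continue  # built-in Owner legitimately has '*' at '/'
        blocks = wildcard_permissions(role)
        if not blocks:
            continue
        broad = [s for s in role.get("assignableScopes", []) if is_broad_scope(s)]
        if not broad:
            continue  # wildcard, but only at resource-group or resource scope
        findings.append({
            "name": role.get("name"),
            "roleName": role.get("roleName"),
            "assignableScopes": broad,
            "notActions": sorted({n for p in blocks for n in p.get("notActions", [])}),
        })
    return findings


def _perm(actions, not_actions=()):
    return {"actions": list(actions), "notActions": list(not_actions),
            "dataActions": [], "notDataActions": []}


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
SAMPLE_ROLES = [  # constructed sample shaped like `az role definition list` output
    {"name": "11111111-1111-1111-1111-111111111111", "roleName": "Custom Subscription Owner",
     "roleType": "CustomRole", "assignableScopes": [SUB], "permissions": [_perm(["*"])]},
    {"name": "22222222-2222-2222-2222-222222222222", "roleName": "Almost Owner",
     "roleType": "CustomRole",
     "assignableScopes": ["/providers/Microsoft.Management/managementGroups/corp-root"],
     "permissions": [_perm(["*"], ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write"])]},
    {"name": "33333333-3333-3333-3333-333333333333", "roleName": "Resource Group Operator",
     "roleType": "CustomRole", "assignableScopes": [SUB + "/resourceGroups/prod-rg"],
     "permissions": [_perm(["*"])]},  # wildcard, but not subscription-wide
    {"name": "44444444-4444-4444-4444-444444444444", "roleName": "Read Only Auditor",
     "roleType": "CustomRole", "assignableScopes": [SUB],
     "permissions": [_perm(["*/read"])]},  # broad scope, but no wildcard
    {"name": "55555555-5555-5555-5555-555555555555", "roleName": "Owner",
     "roleType": "BuiltInRole", "assignableScopes": ["/"],
     "permissions": [_perm(["*"])]},  # built-in, out of scope for this control
]


if __name__ == "__main__":
    roles = SAMPLE_ROLES if "--demo" in sys.argv else json.load(sys.stdin)
    for f in find_custom_owner_roles(roles):
        print(f"{f['roleName']} ({f['name']}) assignable at {f['assignableScopes']}"
              f" with '*'; notActions={f['notActions']}")
        # Suggested remediation commands; review assignments before deleting.
        print(f"  az role assignment list --role {f['name']} --all")
        print(f"  az role definition delete --name {f['name']}")
```

Running it with --demo reports Custom Subscription Owner and Almost Owner; the resource-group-scoped wildcard role and the read-only role are not reported, because the control targets subscription-wide owner rights rather than every use of *.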

Important:

Reference:

Blue Hexagon Proprietary