Azure-ActiveDirectory-No-Custom-Owner-Roles

Severity : High

Description: This control ensures that no custom subscription owner roles are created. Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. Subscription owners should not include permissions to create custom owner roles and follows the principle of least privilege.

Remediation Steps:

Perform following to remove roles assigned from subscription admins using Azure CLI :

1. list the role definition.

   1. az role definition list

2. Look for entries with assignableScopeof / or a subscription, and an action of *. Remove the identified roles with command az role definition delete --name is those roles are not required to have the permission.

Important:

Reference:

• CIS Microsoft Azure Foundations Benchmark v1.3.0 - 02-01-2021 : Recommendation #1.21

• https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator