Azure managed identity has administrative privileges over resources

Set up the azure integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

Azure role assignments should be restricted to the least level of privilege required to perform the duties required. The scope of the role assignment should be limited to the specific subscription, management, or resource group where these duties will take place. This rule identifies when a User has administrative level permissions at the root (most permissive) scope.

Rationale

Administrative Azure role assignments at the root scope have permissions on every Azure resource within a tenant, including all child management groups and subscriptions. This is the widest possible scope and is rarely needed. A role with these privileges could potentially, whether unknowingly or purposefully, cause security issues or data leaks. Roles with these levels of access may also be targeted by an adversary to compromise resources across the entire Azure tenant.

Remediation

Datadog recommends reducing the permissions and scope of a role assignment to the minimum necessary.