Azure subscription custom administrator roles should be disabled



Subscription ownership should not include permission to create custom owner roles, in order to adhere to the principle of least privilege. Instead, assign only the privileges that are actually required, such as the classic subscription administrator roles of Account Administrator, Service Administrator, and Co-Administrator. Granting the account holder limited permissions initially and adding permissions only as the need arises prevents inadvertent over-permissioning.


To remove a custom subscription owner role in Azure using the Azure portal, follow the steps below:

  1. Sign in to the Azure portal.
  2. In the left-hand pane, select Subscriptions.
  3. Click on the specific subscription where the role is applied.
  4. In the left-hand pane under Settings, click on Access control (IAM).
  5. On the Access Control pane, select Roles.
  6. On the Roles pane, you will see a list of all system and custom roles applied to the subscription.
  7. Find the custom subscription owner role you want to remove and click on it. This will open a new pane with details of the role.
  8. On the role detail pane, click on the Delete button at the top.
  9. Confirm by clicking Yes.

Note: Be careful when removing roles, as doing so can affect access to resources for the users, groups, service principals, or managed identities that are assigned to those roles.
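The portal steps above remove a role you have already identified. As an added example (not part of the original page or of any Microsoft tooling), the following Python script shows the detection logic a reviewer would apply to find such roles in the first place: it reads JSON in the shape returned by `az role definition list --custom-role-only true -o json` and flags custom roles whose actions contain the wildcard `*` and that are assignable at subscription (or tenant root) scope. The role definitions embedded here are constructed sample data, and the subscription ID in them is a placeholder.

```python
import json

# Constructed sample data: mimics the JSON shape of
#   az role definition list --custom-role-only true -o json
# The subscription ID is a placeholder, not a real tenant.
SAMPLE_ROLE_DEFINITIONS = json.dumps([
    {   # Full wildcard at subscription scope: a custom subscription owner role
        "roleName": "Custom Subscription Owner",
        "roleType": "CustomRole",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{"actions": ["*"], "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    },
    {   # Wildcard, but only assignable to one resource group: not subscription-wide
        "roleName": "RG Wildcard Admin",
        "roleType": "CustomRole",
        "assignableScopes": [
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
        ],
        "permissions": [{"actions": ["*"], "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    },
    {   # Narrow provider-scoped actions: least-privilege custom role, fine
        "roleName": "VM Operator",
        "roleType": "CustomRole",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/start/action",
                                     "Microsoft.Compute/virtualMachines/restart/action"],
                         "notActions": [], "dataActions": [], "notDataActions": []}],
    },
    {   # Wildcard assignable at tenant root "/": broader than any subscription
        "roleName": "Root Owner",
        "roleType": "CustomRole",
        "assignableScopes": ["/"],
        "permissions": [{"actions": ["*"], "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    },
])


def is_subscription_scope(scope: str) -> bool:
    """True for the tenant root "/" or a bare "/subscriptions/<id>" scope.

    Resource-group and resource scopes have more path segments and return False.
    """
    parts = [p for p in scope.split("/") if p]
    if not parts:                       # "/" -> tenant root
        return True
    return len(parts) == 2 and parts[0].lower() == "subscriptions"


def has_wildcard_action(role: dict) -> bool:
    """True if any permissions block grants the unrestricted action "*"."""
    for perm in role.get("permissions", []):
        if "*" in perm.get("actions", []):
            return True
    return False


def find_custom_owner_roles(role_definitions_json: str) -> list:
    """Return names of custom roles that act as subscription owner roles.

    A role is flagged when it is a CustomRole, grants "*" as an action, and is
    assignable at subscription or root scope. Wildcards confined to a resource
    group are not flagged, since they are not subscription-wide.
    """
    flagged = []
    for role in json.loads(role_definitions_json):
        if role.get("roleType") != "CustomRole":
            continue
        if not has_wildcard_action(role):
            continue
        if any(is_subscription_scope(s) for s in role.get("assignableScopes", [])):
            flagged.append(role["roleName"])
    return flagged


if __name__ == "__main__":
    # In practice, feed the real output of `az role definition list` instead.
    for name in find_custom_owner_roles(SAMPLE_ROLE_DEFINITIONS):
        # Removal is done with: az role definition delete --name "<role name>"
        # after checking who is assigned the role (see the note above).
        print(f"custom subscription owner role found: {name}")
```

The script deliberately treats a wildcard role that is only assignable to a resource group as out of scope for this control, and it flags a wildcard role assignable at the tenant root because that is broader than any single subscription. Before running `az role definition delete`, list the role's assignments so that the removal does not silently break access for a principal that still depends on it.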