Azure subscription custom administrator roles should be disabled


Description

A custom role that grants the wildcard action `*` and is assignable at the root scope (`/`) or at subscription scope is, in effect, a second Owner role defined outside the built-in role set. Subscription ownership should not be used to create such roles. Following the principle of least privilege, assign only the specific permissions a principal needs and add permissions later as requirements become clear, rather than starting from full administrative access. The classic subscription administrator roles (Account Administrator, Service Administrator, and Co-Administrator) offer only coarse-grained access management and are just as broad; they are not a substitute for scoped RBAC roles. Starting from limited permissions prevents inadvertent over-permissioning and ensures an account holder cannot quietly extend their own privileges.

Remediation

To remove a custom subscription owner role in Azure using the Azure portal, follow the steps below:

  1. Sign in to the Azure portal.
  2. In the left-hand pane, select Subscriptions.
  3. Click on the specific subscription where the role is applied.
  4. In the left-hand pane under Settings, click on Access control (IAM).
  5. On the Access control (IAM) pane, select the Roles tab.
  6. The Roles tab lists every built-in and custom role definition that can be assigned at this subscription.
  7. Find the custom subscription owner role you want to remove (a custom role whose Actions include `*` and whose assignable scope is `/` or the subscription itself) and click on it. This opens a pane with the role's details.
  8. On the role detail pane, click on the Delete button at the top.
  9. Confirm by clicking Yes.

Note: Be careful when removing roles, as it affects access to resources for any users, groups, service principals, or managed identities assigned to them. Azure will not delete a custom role definition that still has role assignments, so review those assignments first and remove them (or move the principals to a narrower role) before deleting the definition.
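The portal steps above find offending roles one at a time. The following is an added example, not part of the original page, that applies the same check to the JSON produced by `az role definition list --custom-role-only true -o json` and prints the CLI commands needed to remove each finding. It goes slightly beyond the text by also treating management-group scope as broad, since a wildcard role assignable at a management group covers every subscription beneath it. The role definitions embedded below are constructed sample data with made-up names and IDs; the `BROAD_SCOPE` pattern and the `find_custom_owner_roles` and `remediation_commands` helpers are assumptions of this example, not Datadog or Azure code.

```python
import json
import re
import shlex
import sys

# Constructed sample mimicking the output of
#   az role definition list --custom-role-only true -o json
# (the built-in Owner row is included to show it is skipped).
# Names, subscription and role-definition IDs are made up.
SAMPLE_ROLE_DEFINITIONS_JSON = r"""
[
  {"roleName": "Custom Sub Owner", "roleType": "CustomRole",
   "name": "11111111-1111-1111-1111-111111111111",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"],
   "permissions": [{"actions": ["*"], "notActions": [], "dataActions": [], "notDataActions": []}]},
  {"roleName": "RG Owner", "roleType": "CustomRole",
   "name": "22222222-2222-2222-2222-222222222222",
   "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/app-rg"],
   "permissions": [{"actions": ["*"], "notActions": [], "dataActions": [], "notDataActions": []}]},
  {"roleName": "VM Operator", "roleType": "CustomRole",
   "name": "33333333-3333-3333-3333-333333333333",
   "assignableScopes": ["/"],
   "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read",
                                "Microsoft.Compute/virtualMachines/start/action"],
                    "notActions": [], "dataActions": [], "notDataActions": []}]},
  {"roleName": "MG Admin", "roleType": "CustomRole",
   "name": "44444444-4444-4444-4444-444444444444",
   "assignableScopes": ["/providers/Microsoft.Management/managementGroups/corp-root"],
   "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Delete"],
                    "dataActions": [], "notDataActions": []}]},
  {"roleName": "Owner", "roleType": "BuiltInRole",
   "name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
   "assignableScopes": ["/"],
   "permissions": [{"actions": ["*"], "notActions": [], "dataActions": [], "notDataActions": []}]}
]
"""

# Scopes at which a wildcard role is effectively an Owner role:
# the tenant root, a whole subscription, or a management group.
# (Management-group scope is an extension beyond the page's text.)
BROAD_SCOPE = re.compile(
    r"^/$"
    r"|^/subscriptions/[^/]+/?$"
    r"|^/providers/Microsoft\.Management/managementGroups/[^/]+/?$",
    re.IGNORECASE,
)


def is_broad_scope(scope: str) -> bool:
    """True if a role assignable at this scope covers at least one whole subscription."""
    return BROAD_SCOPE.match(scope.strip()) is not None


def grants_wildcard_actions(role: dict) -> bool:
    """True if any permission block lists the unrestricted action '*'."""
    return any(action.strip() == "*"
               for perm in role.get("permissions", [])
               for action in perm.get("actions", []))


def find_custom_owner_roles(role_definitions: list) -> list:
    """Return one finding per custom role that is effectively an Owner role.

    notActions are reported, not used to exempt a role: a wildcard role with
    a few exclusions is still far broader than least privilege allows.
    """
    findings = []
    for role in role_definitions:
        if role.get("roleType") != "CustomRole":
            continue                      # built-in Owner is expected to exist
        if not grants_wildcard_actions(role):
            continue                      # specific actions, even at '/', are not Owner
        broad = [s for s in role.get("assignableScopes", []) if is_broad_scope(s)]
        if not broad:
            continue                      # wildcard limited to a resource group or resource
        not_actions = sorted({na for p in role["permissions"] for na in p.get("notActions", [])})
        findings.append({"roleName": role["roleName"], "name": role.get("name"),
                         "broadScopes": broad, "notActions": not_actions})
    return findings


def remediation_commands(findings: list) -> list:
    """az CLI commands to list a role's assignments and then delete the definition.

    The delete fails while assignments exist, so the list command comes first.
    """
    cmds = []
    for f in findings:
        quoted = shlex.quote(f["roleName"])
        cmds.append(f"az role assignment list --role {quoted} --all -o table")
        cmds.append(f"az role definition delete --name {quoted}")
    return cmds


def load_sample() -> list:
    return json.loads(SAMPLE_ROLE_DEFINITIONS_JSON)


if __name__ == "__main__":
    # Pass the path of a saved `az role definition list ... -o json` file,
    # or run with no arguments to use the constructed sample.
    roles = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else load_sample()
    for finding in find_custom_owner_roles(roles):
        print(f"FINDING: {finding['roleName']} assignable at {finding['broadScopes']} "
              f"(notActions: {finding['notActions'] or 'none'})")
    for cmd in remediation_commands(find_custom_owner_roles(roles)):
        print(cmd)
```

On the sample data the script flags "Custom Sub Owner" and "MG Admin" only: "RG Owner" has the wildcard but is confined to one resource group, "VM Operator" is assignable at the root yet grants only two specific actions, and the built-in Owner is skipped by role type. Run the printed `az role assignment list` command before the `delete`; if principals are still assigned, replace those assignments with a narrower built-in or custom role before removing the definition.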