Azure Function has administrative privileges over resources

Set up the azure integration.



This rule ensures that none of your Azure functions have administrative roles with root management group scope attached to them.


Administrative Azure role assignments at the root scope have permissions on every Azure resource within a tenant, including all child management groups and subscriptions. This is the widest possible scope and is rarely needed. A role with these privileges could potentially, whether unknowingly or purposefully, cause security issues or data leaks. Roles with these levels of access may also be targeted by an adversary to compromise resources across the entire Azure tenant.


Datadog recommends reducing the permissions and scope of a role assignment to the minimum necessary.