Group has admin level privileges at the subscription scope

Description

This rule identifies when an Azure AD Group has administrative-level permissions at the subscription scope.

Rationale

Administrative Azure role assignments at the subscription scope grant extensive privileges that can affect all resources within the subscription. This broad access increases the risk of accidental or malicious changes.

Remediation

Datadog recommends reducing the permissions and scope of a role assignment to the minimum necessary. Where possible, assign roles at the resource-group or individual-resource level and use built-in roles with limited privileges tailored to operational requirements.