Enabling Azure resource-specific admin accounts can reduce an organization’s ability to protect itself against account or service account thefts.

Full Administrator permissions fail to correctly separate duties and create potentially critical attack vectors on the impacted resources.

In case of abuse of elevated permissions, both the data on which impacted resources operate and their access traceability are at risk.

Ask Yourself Whether

• This Azure resource is essential for the information system infrastructure.
• This Azure resource is essential for mission-critical functions.
• Compliance policies require this resource to disable its administrative accounts or permissions.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Disable the administrative accounts or permissions in this Azure resource.

Sensitive Code Example

For Azure Batch Pools:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.Batch/batchAccounts/pools",
      "apiVersion": "2022-10-01",
      "properties": {
        "startTask": {
          "userIdentity": {
            "autoUser": {
              "elevationLevel": "Admin"
            }
          }
        }
      }
    }
  ]
}

resource AdminBatchPool 'Microsoft.Batch/batchAccounts/pools@2022-10-01' = {
  properties: {
    startTask: {
      userIdentity: {
        autoUser: {
          elevationLevel: 'Admin' // Sensitive
        }
      }
    }
  }
}

For Azure Container Registries:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.ContainerRegistry/registries",
      "apiVersion": "2023-01-01-preview",
      "properties": {
        "adminUserEnabled": true
      }
    }
  ]
}

resource acrAdminUserDisabled 'Microsoft.ContainerRegistry/registries@2021-09-01' = {
  properties: {
    adminUserEnabled: true // Sensitive
  }
}

Compliant Solution

For Azure Batch Pools:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.Batch/batchAccounts/pools",
      "apiVersion": "2022-10-01",
      "properties": {
        "startTask": {
          "userIdentity": {
            "autoUser": {
              "elevationLevel": "NonAdmin"
            }
          }
        }
      }
    }
  ]
}

resource AdminBatchPool 'Microsoft.Batch/batchAccounts/pools@2022-10-01' = {
  properties: {
    startTask: {
      userIdentity: {
        autoUser: {
          elevationLevel: 'NonAdmin'
        }
      }
    }
  }
}

For Azure Container Registries:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.ContainerRegistry/registries",
      "apiVersion": "2023-01-01-preview",
      "properties": {
        "adminUserEnabled": false
      }
    }
  ]
}

resource acrAdminUserDisabled 'Microsoft.ContainerRegistry/registries@2021-09-01' = {
  properties: {
    adminUserEnabled: false
  }
}

See

• CWE - CWE-284 - Improper Access Control