Azure Resource Manager offers built-in roles that can be assigned to users, groups, or service principals. Some of these roles should be carefully assigned as they grant sensitive permissions like the ability to reset passwords for all users.

An Azure account that fails to limit the use of such roles has a higher risk of being breached by a compromised owner.

This rule raises an issue when one of the following roles is assigned:

• Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c)
• Owner (8e3af657-a8ff-443c-a75c-2fe8c4bcb635)
• User Access Administrator (18d7d88d-d35e-4fb5-a5c3-7773c20a72d9)

Ask Yourself Whether

• The user, group, or service principal doesn’t use the entirety of this extensive set of permissions to operate on a day-to-day basis.
• It is possible to follow the Separation of Duties principle and split permissions between multiple users, but it’s not enforced.

There is a risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

• Limit the assignment of Owner roles to less than 3 people or service principals.
• Apply the least privilege principle by choosing a role with a limited set of permissions.
• If no built-in role meets your needs, create a custom role with as few permissions as possible.

Sensitive Code Example

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "properties": {
        "description": "Assign the contributor role",
        "principalId": "string",
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
      }
    }
  ]
}

resource symbolicname 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: tenant()
  properties: {
    description: 'Assign the contributor role'
    principalId: 'string'
    principalType: 'ServicePrincipal'
    roleDefinitionId: resourceId('Microsoft.Authorization/roleAssignments', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Sensitive
  }
}

Compliant Solution

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "properties": {
        "description": "Assign the reader role",
        "principalId": "string",
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
      }
    }
  ]
}

resource symbolicname 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: tenant()
  properties: {
    description: 'Assign the reader role'
    principalId: 'string'
    principalType: 'ServicePrincipal'
    roleDefinitionId: resourceId('Microsoft.Authorization/roleAssignments', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
  }
}

See

• CWE - CWE-266 - Incorrect Privilege Assignment
• Azure Documentation - Azure built-in roles
• Azure Documentation - Best practices for Azure RBAC