Azure RBAC roles can be assigned to users, groups, or service principals. A role assignment grants permissions on a predefined set of resources
called "scope".
The widest scopes a role can be assigned to are:
- Subscription: a role assigned with this scope grants access to all resources of this Subscription.
- Management Group: a scope assigned with this scope grants access to all resources of all the Subscriptions in this Management Group.
In case of security incidents involving a compromised identity (user, group, or service principal), limiting its role assignment to the narrowest
scope possible helps separate duties and limits what resources are at risk.
Ask Yourself Whether
- The user, group, or service principal doesn’t use the entirety of the resources in the scope to operate on a day-to-day basis.
- It is possible to follow the Separation of Duties principle and split the scope into multiple role assignments with a narrower scope.
There is a risk if you answered yes to any of these questions.
Recommended Secure Coding Practices
- Limit the scope of the role assignment to a Resource or Resource Group.
- Apply the least privilege principle by assigning roles granting as few permissions as possible.
Sensitive Code Example
targetScope = 'subscription' // Sensitive
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid(subscription().id, 'exampleRoleAssignment')
}
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(subscription().id, 'exampleRoleAssignment')]"
}
]
}
Compliant Solution
targetScope = 'resourceGroup'
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid(resourceGroup().id, 'exampleRoleAssignment')
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(resourceGroup().id, 'exampleRoleAssignment')]"
}
]
}
See