Azure Active Directory offers built-in roles that can be assigned to users, groups, or service principals. Some of these roles should be carefully
assigned as they grant sensitive permissions like the ability to reset passwords for all users.
An Azure account that fails to limit the use of such roles has a higher risk of being breached by a compromised owner.
This rule raises an issue when one of the following roles is assigned:
- Application Administrator
- Authentication Administrator
- Cloud Application Administrator
- Global Administrator
- Groups Administrator
- Helpdesk Administrator
- Password Administrator
- Privileged Authentication Administrator
- Privileged Role Administrator
- User Administrator
Ask Yourself Whether
- The user, group, or service principal doesn’t use the entirety of this extensive set of permissions to operate on a day-to-day basis.
- It is possible to follow the Separation of Duties principle and split permissions between multiple users, but it’s not enforced.
There is a risk if you answered yes to any of these questions.
Recommended Secure Coding Practices
- Limit the assignment of Global Administrator roles to less than five people or service principals.
- Apply the least privilege principle by choosing a role with a limited set of permissions.
- If no built-in role meets your needs, create a custom role with as few permissions as possible.
Sensitive Code Example
resource "azuread_directory_role" "example" {
display_name = "Privileged Role Administrator" # Sensitive
}
resource "azuread_directory_role_member" "example" {
role_object_id = azuread_directory_role.example.object_id
member_object_id = data.azuread_user.example.object_id
}
Compliant Solution
resource "azuread_directory_role" "example" {
display_name = "Usage Summary Reports Reader"
}
resource "azuread_directory_role_member" "example" {
role_object_id = azuread_directory_role.example.object_id
member_object_id = data.azuread_user.example.object_id
}
See