
🛡️ Azure Owner Role has less than 2 or greater than 3 assignments🟢

  • Contextual name: 🛡️ Owner Role has less than 2 or greater than 3 assignments🟢
  • ID: /ce/ca/azure/subscription/owner-role-assignments
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Description

The Owner role in Azure grants full control over all resources in a subscription, including the ability to assign roles to others.

Rationale

Limit the number of security principals (users, groups, service principals, and managed identities) assigned the Owner role to between 2 and 3. If groups are used, ensure their membership is tightly controlled and regularly reviewed to avoid privilege sprawl.

Impact

Implementation may require changes in administrative workflows or the redistribution of roles and responsibilities. The recommendation to have between 2 and 3 Owners per subscription must account for all security principals that can be assigned the Owner role, not just individual users. This includes:

  • User accounts
  • Entra ID groups
  • Service principals (used by applications or automation)
  • Managed identities (system-assigned or user-assigned)

Audit

This policy marks an Owner Azure Authorization Role as INCOMPLIANT if the role has fewer than 2 or more than 3 related Azure Authorization Role Assignments.
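
As an added example (not part of this Cloudaware policy or its policy.yaml), the check below applies the same rule to the JSON that `az role assignment list` emits, run over a constructed sample. The subscription id, principal names and scopes are placeholders, and counting Owner assignments inherited from a management group or the tenant root while ignoring resource-group-scoped ones is an assumption of this example.

```python
import json
from collections import Counter

# Constructed sample shaped like `az role assignment list -o json` output (subset of fields);
# the subscription id, names and scopes are placeholders, not real identifiers.
SAMPLE_SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS_JSON = """[
 {"principalName": "alice@contoso.example", "principalType": "User",
  "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "break-glass-admins", "principalType": "Group",
  "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "deploy-pipeline-sp", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "legacy-automation", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Owner", "scope": "/providers/Microsoft.Management/managementGroups/corp"},
 {"principalName": "bob@contoso.example", "principalType": "User",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "rg-owner-app", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/app-rg"}
]"""

MG_PREFIX = "/providers/microsoft.management/managementgroups/"

def load_sample():
    return json.loads(SAMPLE_ASSIGNMENTS_JSON)

def subscription_owner_assignments(assignments, subscription_id):
    """Owner assignments that grant full control of the whole subscription: scoped at the
    subscription itself or inherited from an ancestor (management group or tenant root '/').
    Owner on a resource group or a single resource is left out of this check (assumption)."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    owners = []
    for a in assignments:
        if a.get("roleDefinitionName") != "Owner":
            continue
        scope = a.get("scope", "").lower()  # Azure scope paths are case-insensitive
        if scope == sub_scope or scope == "/" or scope.startswith(MG_PREFIX):
            owners.append(a)
    return owners

def evaluate_owner_count(assignments, subscription_id, minimum=2, maximum=3):
    """Policy rule: fewer than `minimum` or more than `maximum` Owner assignments is INCOMPLIANT.
    Every principal type counts (users, groups, service principals; managed identities show up
    as service principals), so the breakdown tells you where any excess comes from."""
    owners = subscription_owner_assignments(assignments, subscription_id)
    count = len(owners)
    status = "COMPLIANT" if minimum <= count <= maximum else "INCOMPLIANT"
    return {"status": status, "count": count,
            "by_type": dict(Counter(a.get("principalType", "Unknown") for a in owners)),
            "principals": [a["principalName"] for a in owners]}

if __name__ == "__main__":
    print(json.dumps(evaluate_owner_count(load_sample(), SAMPLE_SUBSCRIPTION_ID), indent=2))
```

On real data, feed the output of `az role assignment list --all -o json` for the subscription into `evaluate_owner_count` instead of the constructed sample; the sample is INCOMPLIANT because a management-group-level service principal pushes the count to 4.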

Remediation

From Azure Portal

  1. Go to Subscriptions.
  2. Click the name of a subscription.
  3. Click Access Controls (IAM).
  4. Click Role assignments.
  5. Click Role : All.
  6. Click the arrow next to All.
  7. Click Owner.
  8. Check the box next to members from whom the owner role should be removed.
  9. Click Delete.
  10. Click Yes.
  11. Repeat steps 1-10 for each subscription requiring remediation.

From Azure CLI

Run the following command to delete role assignments by role assignment id:

az role assignment delete --ids {{id1 id2}}

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v5.0.0 → 💼 5.27 Ensure there are between 2 and 3 subscription owners (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Role-Based Access Control (RBAC) Management | 18 | no data