Azure Active Directory

Custom Owner Roles

Risk Level: Medium

Description: 

The plugin checks that subscription owners have not created custom owner roles (custom roles that define all of the read, write and delete permissions) to assign user permissions.

About the Service

Active Directory: Azure Active Directory (Azure AD) is an identity and access management platform for administrators and service owners. Using Azure AD, users and employees can be assigned different roles and responsibilities within the organization through a single user ID and password.

Impact

A custom owner role by default gives complete control over the management and administrative responsibilities of the Azure subscription. It is therefore never recommended that admins grant users a custom owner role. Instead, permissions should be granted individually, as each user actually needs them.

Steps to Reproduce

  1. Log in to the Azure portal.
  2. From Services, go to Subscriptions.
  3. Select the subscription to examine.
  4. From the navigation pane, go to Access control (IAM).
  5. Select the View tab, then choose "Custom roles" from the Type dropdown menu.
  6. If any role(s) appear on the screen, select View under Details to examine the permissions defined in that role.
  7. If all three permissions, namely read, write and delete, are defined for the role, go to the Steps for Remediation section.
  8. Repeat these steps for the remaining roles and subscriptions.
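The same check can be scripted instead of clicked through. The following is an added example, not the plugin's own code: it flags custom roles whose effective permissions (actions minus notActions) cover read, write and delete on unrelated resource providers, operating on the JSON shape returned by `az role definition list --custom-role-only true` (an assumption about the input; the sample roles below are constructed).

```python
import fnmatch

# Representative management-plane actions: a role that can read, write and
# delete resources of unrelated providers is effectively a custom Owner.
PROBE_ACTIONS = (
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/delete",
)

def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard match: '*' covers any characters, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def permission_grants(perm: dict, action: str) -> bool:
    """An action is granted if an Actions entry matches it and no NotActions
    entry excludes it (NotActions subtracts from Actions; it is not a deny)."""
    allowed = any(action_matches(p, action) for p in perm.get("actions", []))
    denied = any(action_matches(p, action) for p in perm.get("notActions", []))
    return allowed and not denied

def role_grants(role: dict, action: str) -> bool:
    return any(permission_grants(p, action) for p in role.get("permissions", []))

def is_owner_like(role: dict) -> bool:
    """True when the role's effective actions include read, write and delete
    on every probe, i.e. it is a custom Owner in all but name."""
    return all(role_grants(role, a) for a in PROBE_ACTIONS)

def find_custom_owner_roles(role_defs: list) -> list:
    """Names of custom roles (roleType == 'CustomRole') that are owner-like."""
    return [r["roleName"] for r in role_defs
            if r.get("roleType") == "CustomRole" and is_owner_like(r)]

# Constructed sample in the shape of `az role definition list` output.
SAMPLE_ROLES = [
    {"roleName": "Custom Owner", "roleType": "CustomRole",
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "VM Operator", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Compute/*"], "notActions": []}]},
    {"roleName": "Everything But Delete", "roleType": "CustomRole",
     "permissions": [{"actions": ["*"], "notActions": ["*/delete"]}]},
    {"roleName": "Owner", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"], "notActions": []}]},
]

if __name__ == "__main__":
    for name in find_custom_owner_roles(SAMPLE_ROLES):
        print(f"FLAG: custom role '{name}' grants owner-level permissions")
```

Only "Custom Owner" is flagged: "VM Operator" is scoped to one provider, "Everything But Delete" subtracts delete, and the built-in Owner role is excluded because it is not a custom role.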

Steps for Remediation

  1. Log in to the Azure portal.
  2. From Services, go to Subscriptions.
  3. Select the subscription to remediate.
  4. From the navigation pane, go to Access control (IAM).
  5. Select the View tab, then choose "Custom roles" from the Type dropdown menu.
  6. The admin now has two options: delete the custom role, or reduce its permissions. To delete the role, follow step 8; otherwise, go to the next step.
  7. Click the menu option next to the custom role and select Edit. Go to the Permissions tab and remove the excess permissions. Select Review + create, then select Update.
  8. To delete the role, open the options menu and click Delete. Wait a few minutes for the change to be saved.
  9. Click the menu option for each remaining role for which the issue has to be remediated.