last sync: 2023-Jun-09 17:46:13 UTC

Azure Policy definition

[Deprecated]: Custom subscription owner roles should not exist

Name: [Deprecated]: Custom subscription owner roles should not exist
Id: 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9
Version: 2.0.0-deprecated
Category: General
Description: This policy is deprecated.
Mode: All
Type: BuiltIn
Preview: FALSE
Deprecated: True
Effect: default Audit; allowed Audit, Disabled
RBAC role(s) required by the effect: none
Rule aliases (IF, 4):
Alias | Namespace | ResourceType | DefaultPath | Modifiable
Microsoft.Authorization/roleDefinitions/assignableScopes[*] | Microsoft.Authorization | roleDefinitions | properties.assignableScopes[*] | false
Microsoft.Authorization/roleDefinitions/permissions.actions[*] | Microsoft.Authorization | roleDefinitions | properties.permissions.actions[*] | false
Microsoft.Authorization/roleDefinitions/permissions[*].actions[*] | Microsoft.Authorization | roleDefinitions | properties.permissions[*].actions[*] | false
Microsoft.Authorization/roleDefinitions/type | Microsoft.Authorization | roleDefinitions | properties.type | false

Rule resource types (IF, 1):
Microsoft.Authorization/roleDefinitions
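An added example (not code from this page, from AzAdvertizer or from Microsoft) of the check that the policy title and the four aliases above imply, run offline over constructed role definitions. This page does not show the definition's policyRule JSON, so the match logic (a bare "*" action, assignable at "/" or at a subscription) is an assumption reconstructed from the title; the function names, `SAMPLE_ROLES` and the GUIDs are mine. The example reads the same properties the aliases resolve to, including both permission shapes (`permissions[*].actions[*]` and the older `permissions.actions[*]`), which is why the definition carries two action aliases.

```python
"""Audit custom role definitions that amount to a subscription Owner.

Added example, not code from the policy page, AzAdvertizer or Microsoft.
It reads the properties the definition's four aliases resolve to
(properties.type, properties.permissions[*].actions[*] /
properties.permissions.actions[*], properties.assignableScopes[*]).
The match logic is an ASSUMPTION reconstructed from the policy title,
not the built-in rule's JSON, which this page does not show.
"""
from typing import Any, Iterable, Iterator

WILDCARD_ACTION = "*"   # assumption: only the bare wildcard counts as Owner-equivalent


def _action_lists(permissions: Any) -> Iterator[list]:
    """Yield each actions[] list, covering both alias shapes:
    permissions[*].actions[*] (list of blocks, current ARM shape) and
    permissions.actions[*] (single object, the older shape)."""
    if isinstance(permissions, dict):
        yield permissions.get("actions") or []
    elif isinstance(permissions, list):
        for block in permissions:
            if isinstance(block, dict):
                yield block.get("actions") or []


def grants_wildcard_action(role: dict) -> bool:
    """notActions are ignored on purpose: none of the policy's aliases read them,
    so a role with actions ['*'] plus a long notActions list is still flagged."""
    perms = role.get("properties", {}).get("permissions")
    return any(WILDCARD_ACTION in acts for acts in _action_lists(perms))


def _is_subscription_or_root(scope: str) -> bool:
    """'/' (tenant root) or exactly '/subscriptions/<id>'.
    Design choice: resource-group scopes are not treated as subscription Owner;
    a looser prefix match on '/subscriptions/' would also flag them."""
    s = scope.rstrip("/") or "/"
    if s == "/":
        return True
    parts = s.split("/")  # "/subscriptions/<id>" -> ["", "subscriptions", "<id>"]
    return len(parts) == 3 and parts[1].lower() == "subscriptions" and bool(parts[2])


def assignable_at_subscription_or_root(role: dict) -> bool:
    scopes = role.get("properties", {}).get("assignableScopes") or []
    return any(_is_subscription_or_root(s) for s in scopes)


def is_custom_subscription_owner(role: dict) -> bool:
    """Non-compliant = custom role + wildcard action + subscription/root scope."""
    props = role.get("properties", {})
    return (
        role.get("type") == "Microsoft.Authorization/roleDefinitions"
        and props.get("type") == "CustomRole"
        and grants_wildcard_action(role)
        and assignable_at_subscription_or_root(role)
    )


def audit(roles: Iterable[dict]) -> list:
    """Return the roleName of every non-compliant definition (what Audit would list)."""
    return [r.get("properties", {}).get("roleName", r.get("name", "?"))
            for r in roles if is_custom_subscription_owner(r)]


def _role(name: str, role_type: str, permissions: Any, scopes: list) -> dict:
    return {"type": "Microsoft.Authorization/roleDefinitions", "name": name,
            "properties": {"roleName": name, "type": role_type,
                           "permissions": permissions, "assignableScopes": scopes}}


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id, not a real subscription

# Constructed sample input (not real tenant data), shaped like the ARM response of
# GET {scope}/providers/Microsoft.Authorization/roleDefinitions
SAMPLE_ROLES = [
    _role("Owner", "BuiltInRole", [{"actions": ["*"], "notActions": []}], ["/"]),           # built-in: out of scope
    _role("Custom Sub Owner", "CustomRole", [{"actions": ["*"], "notActions": []}], [SUB]),  # flagged
    _role("RG Wildcard", "CustomRole", [{"actions": ["*"]}], [SUB + "/resourceGroups/rg-app"]),  # RG scope only
    _role("Legacy Wildcard", "CustomRole", {"actions": ["*"]}, ["/"]),                      # old permissions shape: flagged
    _role("Reader Plus", "CustomRole", [{"actions": ["Microsoft.Resources/subscriptions/resourceGroups/read",
                                                     "Microsoft.Compute/*/read"]}], [SUB]),  # no bare '*'
    _role("Wildcard Minus Auth", "CustomRole",
          [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write"]}], [SUB + "/"]),  # still flagged
]

if __name__ == "__main__":
    for name in audit(SAMPLE_ROLES):
        print("non-compliant:", name)
```

Two caveats the sample makes visible: `notActions` is never consulted, because the definition's aliases only read `actions`, so a "wildcard minus a few denies" role is reported just like a full Owner clone; and the scope test here is deliberately strict (root or subscription only), whereas a prefix or `like` match on `/subscriptions/*` would also catch wildcard roles assignable at a resource group, which are worth reviewing anyway. Since this definition is deprecated, a standalone check like this (or a non-deprecated replacement definition) is how you would keep the control in place.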
Compliance: the following 1 compliance control is associated with this policy definition '[Deprecated]: Custom subscription owner roles should not exist' (10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9).

Control Domain: Azure_Security_Benchmark_v2.0
Control Name: PA-7 (Azure Security Benchmark PA-7)
MetadataId: Azure_Security_Benchmark_v2.0_PA-7
Category: Privileged Access
Title: Follow just enough administration (least privilege principle)
Owner: Customer
Requirements: Azure role-based access control (Azure RBAC) allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges complement the just in time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be reviewed periodically. Use built-in roles to allocate permissions and only create custom roles when required.
What is Azure role-based access control (Azure RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview
How to configure Azure RBAC: https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal
How to use Azure AD identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview
Description: n/a
Policy#: 3
History:
Date/Time (UTC, ymd) | Change type | Change detail
2022-01-21 21:53:22 | change | Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)
Initiatives using this definition:
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
[Deprecated]: Azure Security Benchmark v2 | bb522ac1-bc39-4957-b194-429bcd3bcb0b | Regulatory Compliance | Deprecated | BuiltIn