last sync: 2024-May-23 18:02:58 UTC

[Deprecated]: Custom subscription owner roles should not exist

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Deprecated]: Custom subscription owner roles should not exist
Id 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9
Version 2.0.0-deprecated
Details on versioning
Category General
Microsoft Learn
Description This policy is deprecated.
Mode All
Type BuiltIn
Preview False
Deprecated True
Effect Default
Audit
Allowed
Audit, Disabled
RBAC role(s) none
Rule aliases IF (4)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Authorization/roleDefinitions/assignableScopes[*] Microsoft.Authorization roleDefinitions properties.assignableScopes[*] false
Microsoft.Authorization/roleDefinitions/permissions.actions[*] Microsoft.Authorization roleDefinitions properties.permissions.actions[*] false
Microsoft.Authorization/roleDefinitions/permissions[*].actions[*] Microsoft.Authorization roleDefinitions properties.permissions[*].actions[*] false
Microsoft.Authorization/roleDefinitions/type Microsoft.Authorization roleDefinitions properties.type false
Rule resource types IF (1)
Microsoft.Authorization/roleDefinitions
Compliance
The following 1 compliance controls are associated with this Policy definition '[Deprecated]: Custom subscription owner roles should not exist' (10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v2.0 PA-7 Azure_Security_Benchmark_v2.0_PA-7 Azure Security Benchmark PA-7 Privileged Access Follow just enough administration (least privilege principle) Customer Azure role-based access control (Azure RBAC) allows you to manage Azure resource access through role assignments. You can assign these roles to users, group service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges complement the just in time (JIT) approach of Microsoft Entra Privileged Identity Management (PIM), and those privileges should be reviewed periodically. Use built-in roles to allocate permission and only create custom role when required. What is Azure role-based access control (Azure RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview How to configure Azure RBAC: https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal How to use Microsoft Entra identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview n/a link 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-01-21 21:53:22 change Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC