Azure role-based access control (RBAC) restricts what actions users, groups, and service principals can perform on resources and should not be disabled.

Why is this an issue?

Role-Based Access Control (RBAC) is an authorization mechanism that limits what actions users, groups, and service principals can perform on Azure resources. Azure resources such as AKS clusters and Key Vaults expose explicit properties that switch RBAC on or off, and switching it off replaces fine-grained, role-scoped permissions with a much coarser model: an AKS cluster without Kubernetes RBAC lets every authenticated identity perform any API operation, and a Key Vault with RBAC authorization disabled falls back to vault-wide access policies that anyone able to write the vault resource can edit. Both violate the principle of least privilege and remove a layer of access control that keeps permissions maintainable, auditable, and easy to revoke during an incident.

What is the potential impact?

Unauthorized access

When RBAC is disabled, users or service principals may gain access to sensitive operations or data beyond what their role requires. An attacker who compromises any account with access to the resource inherits that overly broad permission set, with no fine-grained control to limit the blast radius: on a cluster without RBAC, any valid cluster credential is effectively cluster-admin, and on a vault using access policies, a principal with Contributor on the vault can grant itself read access to every secret.

Impaired incident response

Without RBAC there are no role assignments to revoke. Containing a security incident then means rewriting vault-wide access policies or rotating cluster credentials for everyone, rather than removing a single role assignment from the compromised principal, which makes it harder to contain a breach quickly.

How to fix it in Azure Kubernetes Service

Code examples

The following examples show an AKS cluster with RBAC explicitly disabled, first as an ARM template and then in Bicep. Enable Kubernetes RBAC by setting enableRBAC to true, and enable Azure RBAC for Kubernetes authorization by setting aadProfile.enableAzureRBAC to true; the latter requires managed Microsoft Entra integration (aadProfile.managed set to true) and Kubernetes RBAC left enabled.

ARM template:

Noncompliant code example

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.ContainerService/managedClusters",
      "apiVersion": "2023-03-01",
      "properties": {
        "aadProfile": {
          "enableAzureRBAC": false
        },
        "enableRBAC": false
      }
    }
  ]
}

Bicep:

resource aks 'Microsoft.ContainerService/managedClusters@2023-03-01' = {
  name: 'example'
  properties: {
    aadProfile: {
      enableAzureRBAC: false    // Noncompliant
    }
    enableRBAC: false           // Noncompliant
  }
}

Compliant solution

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.ContainerService/managedClusters",
      "apiVersion": "2023-03-01",
      "properties": {
        "aadProfile": {
          "managed": true,
          "enableAzureRBAC": true
        },
        "enableRBAC": true
      }
    }
  ]
}

Bicep:

resource aks 'Microsoft.ContainerService/managedClusters@2023-03-01' = {
  name: 'example'
  properties: {
    aadProfile: {
      managed: true             // Azure RBAC for Kubernetes requires managed Entra integration
      enableAzureRBAC: true
    }
    enableRBAC: true
  }
}

How to fix it in Azure Key Vault

Code examples

The following examples show a Key Vault with RBAC authorization explicitly disabled, first as an ARM template and then in Bicep, which leaves the vault on the legacy access-policy model. Enable RBAC by setting enableRbacAuthorization to true. On an existing vault, grant the required data-plane roles (for example Key Vault Secrets User) before flipping the flag: once it is true, the vault's access policies are ignored and any caller without a role assignment loses access.

Noncompliant code example

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2022-07-01",
      "properties": {
        "enableRbacAuthorization": false
      }
    }
  ]
}

Bicep:

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: 'example'
  properties: {
    enableRbacAuthorization: false    // Noncompliant
  }
}

Compliant solution

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "example",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2022-07-01",
      "properties": {
        "enableRbacAuthorization": true
      }
    }
  ]
}

Bicep:

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: 'example'
  properties: {
    enableRbacAuthorization: true
  }
}
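Both settings can be checked before anything is deployed. The following Python script is an added example, not code from this page or from Azure: it scans an ARM template and reports the AKS and Key Vault settings described in both sections above. The sample template, the resource names, the expression handling, and the treatment of an omitted enableRbacAuthorization as disabled (the property's documented default) are assumptions of the example. Bicep files compile to the same JSON with az bicep build, so the same check applies to them.

```python
"""Flag AKS clusters and Key Vaults whose RBAC flags are disabled in an ARM template."""
import json
import sys

# Resource types are compared case-insensitively, as ARM itself treats them.
AKS_TYPE = "microsoft.containerservice/managedclusters"
KV_TYPE = "microsoft.keyvault/vaults"


def _is_expression(value):
    """ARM expressions are strings wrapped in [...]; they cannot be evaluated
    statically, so they are reported for manual review rather than assumed safe."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def check_resource(resource):
    """Return the RBAC findings for one ARM resource; an empty list means compliant."""
    findings = []
    rtype = str(resource.get("type", "")).lower()
    name = resource.get("name", "<unnamed>")
    props = resource.get("properties") or {}

    if rtype == AKS_TYPE:
        # Kubernetes RBAC (enableRBAC) and Azure RBAC for Kubernetes authorization
        # (aadProfile.enableAzureRBAC) are separate flags; only an explicit false
        # is reported, matching the noncompliant examples on the page.
        aad = props.get("aadProfile") or {}
        for label, value in (("enableRBAC", props.get("enableRBAC")),
                             ("aadProfile.enableAzureRBAC", aad.get("enableAzureRBAC"))):
            if value is False:
                findings.append(f"{name}: {label} is false")
            elif _is_expression(value):
                findings.append(f"{name}: {label} is set by expression {value}; verify its value")
    elif rtype == KV_TYPE:
        value = props.get("enableRbacAuthorization")
        if value is False:
            findings.append(f"{name}: enableRbacAuthorization is false (legacy access policies)")
        elif value is None:
            # Assumption of this example: the Key Vault REST API documents false as
            # the default, so omitting the flag also selects the access-policy model.
            findings.append(f"{name}: enableRbacAuthorization omitted (defaults to false)")
        elif _is_expression(value):
            findings.append(f"{name}: enableRbacAuthorization is set by expression {value}; verify its value")
    return findings


def scan_template(template):
    """Walk every resource, including nested child resources, and collect findings."""
    findings = []

    def walk(resources):
        for resource in resources:
            findings.extend(check_resource(resource))
            walk(resource.get("resources", []))

    walk(template.get("resources", []))
    return findings


# Constructed sample template (not taken from any real deployment): the AKS
# cluster mirrors the noncompliant example above, one vault is compliant, and
# one vault omits the flag entirely.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"name": "aks-legacy", "type": "Microsoft.ContainerService/managedClusters",
         "apiVersion": "2023-03-01",
         "properties": {"aadProfile": {"enableAzureRBAC": False}, "enableRBAC": False}},
        {"name": "kv-rbac", "type": "Microsoft.KeyVault/vaults", "apiVersion": "2022-07-01",
         "properties": {"enableRbacAuthorization": True}},
        {"name": "kv-omitted", "type": "Microsoft.KeyVault/vaults", "apiVersion": "2022-07-01",
         "properties": {"sku": {"family": "A", "name": "standard"}}},
    ],
}


def main(path=None):
    """Scan the template at `path` (or the built-in sample), print findings, return their count."""
    if path:
        with open(path, encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    findings = scan_template(template)
    for finding in findings:
        print("Noncompliant:", finding)
    return len(findings)


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1] if len(sys.argv) > 1 else None) else 0)
```

Run it with a template path to scan a real file, or with no arguments to scan the built-in sample; a non-zero exit code makes it usable as a CI gate. Values supplied through parameters are reported as unresolved rather than silently passed, since the parameter default decides what actually gets deployed.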
