Azure RBAC role assignments grant permissions over a scope: a set of resources such as a resource group, subscription, or management group. The widest scopes a role can be assigned at are the subscription scope, which covers every resource in a subscription, and the management group scope, which covers every resource in every subscription under that management group. Assigning roles at these scopes violates the principle of least privilege and should be avoided in favour of narrower scopes.
If an identity holding a subscription- or management-group-scoped role assignment is compromised, the attacker inherits its permissions over every resource in that scope rather than over a narrowly scoped set of resources. This can lead to unauthorized access, data exfiltration, or destruction of resources across the entire subscription or management group.
The following Bicep code creates a role assignment scoped to an entire subscription, granting the assigned principal access to all resources within that scope (the same problem arises with targetScope = 'managementGroup').
targetScope = 'subscription' // Noncompliant: the assignment covers the whole subscription
param principalId string // object ID of the user, group or service principal receiving the role
param roleDefinitionId string // GUID of the role definition being granted
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, 'exampleRoleAssignment')
  properties: { principalId: principalId, roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId) }
}
The following Bicep code scopes the same role assignment to a single resource group, so the principal only has access to the resources in that group.
targetScope = 'resourceGroup'
param principalId string // object ID of the user, group or service principal receiving the role
param roleDefinitionId string // GUID of the role definition being granted
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, 'exampleRoleAssignment')
  properties: { principalId: principalId, roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId) }
}
The following ARM template creates a role assignment scoped to an entire subscription (the subscription deployment schema), granting the assigned principal access to all resources within that scope.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": { "type": "string" },
    "roleDefinitionId": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(subscription().id, 'exampleRoleAssignment')]",
      "properties": {
        "principalId": "[parameters('principalId')]",
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]"
      }
    }
  ]
}
The following ARM template scopes the same role assignment to the resource group it is deployed into (the resource group deployment schema).
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": { "type": "string" },
    "roleDefinitionId": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(resourceGroup().id, 'exampleRoleAssignment')]",
      "properties": {
        "principalId": "[parameters('principalId')]",
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]"
      }
    }
  ]
}
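As an added example that is not part of the original rule text, the following Python check flags role assignments declared at subscription or management group scope in Bicep and ARM JSON sources, which is what a linter enforcing this rule looks for; it also skips Bicep resources that re-target themselves with an explicit scope property. The Bicep sample it scans is constructed here and its role definition ID is a placeholder.

```python
import json
import re

WIDE_SCOPES = {"subscription", "managementGroup"}
# The $schema file name identifies the deployment scope of an ARM JSON template.
WIDE_SCHEMAS = {"subscriptionDeploymentTemplate.json#": "subscription",
                "managementGroupDeploymentTemplate.json#": "managementGroup"}
ROLE_ASSIGNMENT_TYPE = "Microsoft.Authorization/roleAssignments"
ROLE_ASSIGNMENT_HEADER = re.compile(
    r"^\s*resource\s+(\w+)\s+'" + re.escape(ROLE_ASSIGNMENT_TYPE) + r"@[^']+'", re.MULTILINE)
# Every Bicep top-level declaration starts a new chunk when the file is split.
DECLARATION_START = re.compile(r"^(?=\s*(?:resource|module|param|var|output|targetScope)\b)", re.MULTILINE)

def bicep_findings(source):
    """(resource name, scope) for each role assignment a Bicep file makes at a wide scope."""
    match = re.search(r"^\s*targetScope\s*=\s*'(\w+)'", source, re.MULTILINE)
    scope = match.group(1) if match else "resourceGroup"  # Bicep's default targetScope
    if scope not in WIDE_SCOPES:
        return []
    findings = []
    for chunk in DECLARATION_START.split(source):
        header = ROLE_ASSIGNMENT_HEADER.match(chunk)
        # An explicit `scope:` re-targets the extension resource, so targetScope no longer applies.
        if header and not re.search(r"^\s*scope\s*:", chunk, re.MULTILINE):
            findings.append((header.group(1), scope))
    return findings

def arm_findings(source):
    """(resource name, scope) for each role assignment an ARM JSON template makes at a wide scope."""
    template = json.loads(source)
    schema = template.get("$schema", "")
    scope = next((s for suffix, s in WIDE_SCHEMAS.items() if schema.endswith(suffix)), None)
    if scope is None:
        return []
    return [(res.get("name", "<unnamed>"), scope) for res in template.get("resources", [])
            if res.get("type") == ROLE_ASSIGNMENT_TYPE and "scope" not in res]

# Constructed sample: the noncompliant Bicep above, with a placeholder role definition ID.
SAMPLE_BICEP = """targetScope = 'subscription' // Noncompliant
param principalId string
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, 'exampleRoleAssignment')
  properties: { principalId: principalId, roleDefinitionId: 'placeholder-role-definition-id' }
}
"""

if __name__ == "__main__":
    for name, scope in bicep_findings(SAMPLE_BICEP):
        print(f"role assignment '{name}' is scoped to the whole {scope}")
```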