Microsoft Entra ID offers built-in roles that can be assigned to users, groups, or service principals. Some of these roles grant sensitive permissions like the ability to reset passwords for all users.
A Microsoft Entra ID account that does not limit the use of high-privilege roles is at higher risk of being breached through a compromised owner.
This rule raises an issue when one of the following roles is assigned:
If a user, group, or service principal is granted a high-privilege role that it does not need, it violates the least privilege principle. A compromised account with such a role could be used to reset passwords, manage applications, or escalate privileges across the entire directory.
Limit the assignment of the Global Administrator role to fewer than five people or service principals. Apply the least privilege principle by choosing a role with a limited set of permissions. If no built-in role meets your needs, create a custom role with as few permissions as possible.
Noncompliant code example (a high-privilege role is created and assigned to a user):

```hcl
resource "azuread_directory_role" "example" {
  display_name = "Privileged Role Administrator" # Noncompliant
}

resource "azuread_directory_role_assignment" "example" {
  role_id             = azuread_directory_role.example.template_id
  principal_object_id = data.azuread_user.example.object_id
}
```
Compliant solution (a read-only role with a limited set of permissions):

```hcl
resource "azuread_directory_role" "example" {
  display_name = "Usage Summary Reports Reader"
}

resource "azuread_directory_role_assignment" "example" {
  role_id             = azuread_directory_role.example.template_id
  principal_object_id = data.azuread_user.example.object_id
}
```
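As an added example (not part of the rule page or the Terraform provider), the check below scans Terraform HCL text the way the rule does: it collects every `azuread_directory_role` resource, then reports those whose `display_name` is high-privilege and which an `azuread_directory_role_assignment` actually references through `role_id`. The role set and the sample `.tf` text are constructed for the example; the rule's full list of flagged roles is not reproduced on the page, so the set only holds the two role names the page itself mentions.

```python
import re

# Constructed for this example: the high-privilege role names the page mentions.
# The rule's complete list is not reproduced here; extend this set as needed.
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Regexes for the two resource types; bodies have no nested braces, so a
# non-greedy match up to the first closing brace is enough for this input.
ROLE_RE = re.compile(r'resource\s+"azuread_directory_role"\s+"([^"]+)"\s*\{(.*?)\}', re.S)
ASSIGN_RE = re.compile(r'resource\s+"azuread_directory_role_assignment"\s+"[^"]+"\s*\{(.*?)\}', re.S)
DISPLAY_RE = re.compile(r'display_name\s*=\s*"([^"]+)"')
ROLE_REF_RE = re.compile(r'role_id\s*=\s*azuread_directory_role\.(\w+)\.')


def find_privileged_assignments(hcl: str) -> list[tuple[str, str]]:
    """Return (resource_name, display_name) for every azuread_directory_role whose
    display_name is high-privilege and which some role assignment references."""
    roles = {}  # Terraform resource name -> display_name
    for name, body in ROLE_RE.findall(hcl):
        display = DISPLAY_RE.search(body)
        if display:
            roles[name] = display.group(1)
    referenced = set()  # resource names used in a role_id reference
    for body in ASSIGN_RE.findall(hcl):
        referenced.update(ROLE_REF_RE.findall(body))
    return sorted((n, d) for n, d in roles.items()
                  if n in referenced and d in HIGH_PRIVILEGE_ROLES)


# Constructed sample: one noncompliant pair and one compliant pair.
SAMPLE_TF = '''
resource "azuread_directory_role" "pra" {
  display_name = "Privileged Role Administrator"
}
resource "azuread_directory_role_assignment" "pra_alice" {
  role_id             = azuread_directory_role.pra.template_id
  principal_object_id = data.azuread_user.alice.object_id
}
resource "azuread_directory_role" "reader" {
  display_name = "Usage Summary Reports Reader"
}
resource "azuread_directory_role_assignment" "reader_bob" {
  role_id             = azuread_directory_role.reader.template_id
  principal_object_id = data.azuread_user.bob.object_id
}
'''

if __name__ == "__main__":
    for name, display in find_privileged_assignments(SAMPLE_TF):
        print(f'azuread_directory_role.{name}: "{display}" is high-privilege and assigned')
```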