Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Check for the Number of Subscription Owners

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Subscriptions-002

Ensure there are at least two subscription owners designated for your Microsoft Azure account subscription in order to provide administrator access redundancy.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability

To manage access to your Azure cloud resources, you must have the appropriate administrator role. For access redundancy, a minimum number of two owners should be assigned to a Microsoft Azure subscription. To make a user an owner of an Azure subscription, an existing administrator assigns them the Owner role at the subscription level. The Owner role gives the user full access to all Azure resources available within the subscription, including the right to delegate access to other users.


Audit

To determine if your Microsoft Azure subscriptions have at least two subscription owners assigned, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console as an account owner.

02 Navigate to Subscriptions blade at https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade.

03 Click on the name of the Azure subscription that you want to examine.

04 In the navigation panel, choose Access control (IAM), then select Role assignments to access the list with the role assignments created for the selected account subscription.

05 On the Role assignments panel, select Owner from the Role dropdown list to show only the Azure users with the Owner role, assigned to the selected subscription. If only one user is returned, the selected Microsoft Azure subscription does not have at least 2 subscription owners assigned for access redundancy.

06 Repeat steps no. 3 – 5 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd",
]

03 Run role assignment list command (Windows/macOS/Linux) using the ID of the Azure cloud subscription that you want to examine as identifier parameter and custom query filters to list the name of each Azure user with the Owner role, assigned to the selected account subscription:

az role assignment list
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
	--role "Owner"
	--query '[*].principalName'

04 The command output should return the requested Azure user names:

[
  "secops_cloudconformity.com#EXT#@secopscloudconformity.onmicrosoft.com"
]

If the role assignment list command output returns only one Azure user name, as shown in the output example above, the selected Microsoft Azure subscription does not have at least 2 subscription owners assigned for access redundancy.

05 Repeat step no. 3 and 4 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To assign a co-owner to your Microsoft Azure account subscriptions in order to provide administrator access redundancy at the subscription level, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console as an account owner.

02 Navigate to Subscriptions blade at https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade.

03 Click on the name of the Azure subscription that you want to access.

04 In the navigation panel, choose Access control (IAM), then select Role assignments to access the list with the role assignments available for the selected subscription.

05 On the Role assignments page, click Add and Add role assignment to open the Add role assignment configuration panel.

06 On the Add role assignment panel, perform the following:

  1. From the Role dropdown list, select Owner. The Owner role gives the specified user full administrator access to all Azure resources available in the subscription, including the permission to grant access to others.
  2. From Assign access to dropdown list, select User, group, or service principal option as the type of security principal to assign the role to.
  3. From the Select list, choose the user that you want to assign the selected role to. If you cannot find the principal in the list, use the Select search box to search the directory for display names or email addresses.
  4. Click Save to assign the selected role. Once the role assignment is done, the selected Microsoft Azure account subscription will have 2 active subscription owners.

07 Repeat steps no. 4 – 6 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run role assignment create command (Windows/macOS/Linux) using the ID of the Azure cloud subscription that you want to reconfigure as identifier parameter, to create a new Owner role assignment for an Azure user with the name "azmanager_trendmicro@azmanagertrendmicro.onmicrosoft.com", at the selected Azure subscription level. Once the role assignment is done, the selected Microsoft Azure account subscription will have 2 active subscription owners:

az role assignment create
	--role "Owner"
	--assignee azmanager_trendmicro@azmanagertrendmicro.onmicrosoft.com
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

02 The command output should return the new role assignment metadata:

{
  "canDelegate": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleAssignments/1234abcd-1234-abcd-1234-abcd1234abcd",
  "name": "1234abcd-1234-abcd-1234-abcd1234abcd",
  "principalId": "1234abcd-abcd-abcd-abcd-abcd1234abcd",
  "principalType": "User",
  "roleDefinitionId": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-abcd-abcd-abcd-abcd1234abcd",
  "scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "type": "Microsoft.Authorization/roleAssignments"
}

03 Repeat step no. 1 and 2 for each subscription available in your Microsoft Azure cloud account.

References

Publication date Apr 6, 2020