Azure Security Fundamentals: Moving Co-Admins to RBAC
Anyone who has worked with Azure for long enough knows the raised-eyebrow response security teams used to give when you described how to enforce separation of duties and least privilege for Azure subscription and service management. In a well-received earlier blog post, one of my colleagues provided good guidance on subscription management as it applied to Azure at that time.
Essentially, the situation was:
- Any Azure service management required full administrator or co-administrator access to a subscription, which gave the user full permission to do anything to whatever was provisioned therein.