Limit use of subscription scoped Owner role#
Limit the number of subscription Owners.
Azure provides a flexible delegation model using Role-Base Access Control (RBAC). RBAC allows administrators to grant fine grained permissions using roles to Azure resources. Over 100 built-in roles exist, and custom roles can be created to perform specific tasks. Permissions can be scoped to management group, subscription, resource group or individual resources.
The Owner role provides the ability to create, delete, update and configure permissions for any resource. When assigned at the subscription scope, these permissions apply to the whole subscription and all resources in the subscription.
Consider limiting the number of subscription Owners by using a more specific role or scoping Owner permission to a Resource Group.