Adopt the new Monitoring Policy Contributor least privileged role
OverviewHow this feature worksHow to remove existing high-privileged role assignments
As part of the ongoing security enhancements in AMBA-ALZ, a new least privileged built-in role called “Monitoring Policy Contributor” has been introduced and used with the 2025-10-01 release. This new Azure built-in role is designed to align with SFI principles by significantly reducing the security risk surface cutting down from over 6,700 unused permissions to just 6.
Before | After |
---|---|
![]() | ![]() |
Tailored to support both AMBA-ALZ and customer-created alert policies, the role ensures operational flexibility while enforcing strict access control. This change not only simplifies permission management but also addresses overprovisioning concerns flagged by Microsoft Defender for Cloud, making such alerts less critical and improving overall compliance posture.
Deploying the least privileged version of AMBA-ALZ in a clean environment is straightforward and efficient. With the 2025-10-01 release, users can apply the updated template, which includes the new least privileged role, and benefit immediately from a reduced security footprint and tailored permissions. For existing deployments, the update process involves two key steps:
- Removing any existing role assignments deployed by using previous AMBA-ALZ releases
- Redeploying AMBA-ALZ using the new release. Documentation on how to update to this specific new release is available at Update to new releases
Removing existing high-privileged role assignment is straightforward. We have updated the Clean-up Script to provide a specific option to only remove role assignments.
To use this capability, it is enough to execute the script using the following command syntax:
./Start-AMBA-ALZ-Maintenance.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -cleanItems RoleAssignments
For further information about the clean-up script, refer to the Clean-up AMBA-ALZ Deployment page or to the Clean-up Script Execution section in the same page.