Azure overprovisioned identities should have only necessary permissions
HIGH
Identifies Azure identities with more permissions than they actually use and recommends right-sizing them.
What does this mean?
This recommendation identifies managed identities, service principals, and users that have been granted permissions they do not actually use. An over-provisioned identity increases the blast radius if its credentials are compromised.
Benefits of implementation
- Reduces the impact of credential compromise
- Implements principle of least privilege based on actual usage
- Provides data-driven permission right-sizing
Drawbacks and considerations
- Permission analysis may not capture infrequent but legitimate operations
- Removing permissions requires careful testing
- Continuous monitoring is needed as usage patterns change
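The analysis this recommendation describes, compare what an identity is granted against what it is observed doing and propose a narrower set, can be sketched in a few lines. The following is an added illustration, not tooling from this recommendation or from Azure: it assumes grants are Azure RBAC action strings (wildcards such as Microsoft.Compute/* included), that usage has already been extracted from Azure Activity Log entries as (timestamp, operation name) pairs, and that the identity, grants and events shown are constructed. It also shows the caveat from the list above: operations last seen before the lookback window are reported as stale rather than silently dropped, so a reviewer can decide whether they are infrequent-but-legitimate.

```python
"""Data-driven right-sizing of an Azure identity's RBAC actions.

Added example for this recommendation, not the page's own tooling.
Assumptions (all constructed for the illustration):
- granted permissions are Azure RBAC action strings, possibly with
  wildcards such as "Microsoft.Compute/*";
- observed usage is a list of (timestamp, operation name) pairs, the shape
  a script would extract from Azure Activity Log entries;
- the identity name, the grants and the events below are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase


@dataclass
class RightSizingReport:
    used: dict       # granted action -> concrete operations it covered in the window
    unused: list     # granted actions with no observed use in the window
    stale: dict      # operation -> last seen, for operations seen only before the window
    uncovered: list  # observed operations no grant explains (data mismatch to investigate)
    proposed: list   # explicit actions that would replace the current grants


def action_covers(granted: str, operation: str) -> bool:
    """Azure RBAC actions are case-insensitive and '*' spans path segments."""
    return fnmatchcase(operation.lower(), granted.lower())


def right_size(granted, events, now, lookback_days=90):
    """Split grants into used/unused within the window and propose explicit actions."""
    cutoff = now - timedelta(days=lookback_days)

    # Most recent observation per operation, across the whole event history.
    last_seen = {}
    for ts, op in events:
        if op not in last_seen or ts > last_seen[op]:
            last_seen[op] = ts
    recent = sorted(op for op, ts in last_seen.items() if ts >= cutoff)
    stale = {op: ts for op, ts in last_seen.items() if ts < cutoff}

    # Map each recent operation to the grant(s) that allowed it.
    used, uncovered = {}, []
    for op in recent:
        covering = [g for g in granted if action_covers(g, op)]
        if not covering:
            uncovered.append(op)
        for g in covering:
            used.setdefault(g, []).append(op)
    unused = [g for g in granted if g not in used]

    # The proposal replaces wildcards with the concrete operations actually seen.
    proposed = sorted({op for ops in used.values() for op in ops})
    return RightSizingReport(used, unused, stale, uncovered, proposed)


def _ts(day: str) -> datetime:
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed sample: a hypothetical build-agent service principal.
NOW = _ts("2026-02-12")
SAMPLE_GRANTS = [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Compute/*",
    "Microsoft.KeyVault/vaults/secrets/read",
]
SAMPLE_EVENTS = [
    (_ts("2026-02-10"), "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"),
    (_ts("2026-02-11"), "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"),
    (_ts("2026-02-09"), "Microsoft.Compute/virtualMachines/start/action"),
    (_ts("2026-02-01"), "Microsoft.Compute/virtualMachines/read"),
    (_ts("2025-10-01"), "Microsoft.KeyVault/vaults/secrets/read"),  # outside a 90-day window
]


def sample_report(lookback_days=90) -> RightSizingReport:
    return right_size(SAMPLE_GRANTS, SAMPLE_EVENTS, NOW, lookback_days)


if __name__ == "__main__":
    report = sample_report()
    print("unused grants:", report.unused)
    print("stale operations:", {op: ts.date().isoformat() for op, ts in report.stale.items()})
    print("proposed explicit actions:", report.proposed)
```

With the default 90-day window the Key Vault grant is reported as unused but also as stale (last used in October), while Microsoft.Compute/* is narrowed to the two virtual-machine operations observed; widening the window to 365 days keeps the Key Vault grant. Choosing that window, and re-running as usage patterns change, is the judgement call the considerations above describe.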
Implementation
Implementation guidance coming soon.
Related recommendations
Related recommendations will be linked here.
Frameworks
Details
- Risk Level: HIGH
- Category: Identity & Access Management
- Azure Resource
- Frameworks: 1 framework
- Last updated: 2026-02-12