Service Principals should not be assigned administrative roles at sub/RG level

CRITICAL

Ensures service principals are not assigned highly privileged roles like Owner or Contributor at subscription or resource group scope.

What does this mean?

Service principals with administrative roles at subscription or resource group level create a significant security risk. If the service principal credentials are compromised, the attacker gains broad administrative access across all resources in that scope.
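To make the condition concrete, here is an added example (not part of the original page) that evaluates role-assignment records in the JSON shape `az role assignment list --all` emits (`principalType`, `roleDefinitionName`, `scope`, `principalId`) and flags service principals holding Owner or Contributor at subscription or resource-group scope. The sample records are constructed; the field names are the ones Azure CLI returns. Management-group scope is broader still and is deliberately left to a separate check here.

```python
import re
from dataclasses import dataclass

# ARM scope strings are case-insensitive, so match them that way.
SUBSCRIPTION_RE = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)
RESOURCE_GROUP_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/?$", re.IGNORECASE
)

# Roles the recommendation calls out; extend with other privileged built-in
# roles if your policy treats them the same way.
PRIVILEGED_ROLES = frozenset({"Owner", "Contributor"})


@dataclass(frozen=True)
class Finding:
    principal_id: str
    role: str
    scope: str
    scope_kind: str  # "subscription" or "resourceGroup"


def classify_scope(scope: str):
    """Return 'subscription' or 'resourceGroup' for the two scopes the
    recommendation covers, None for resource-level, management-group or
    malformed scopes."""
    if SUBSCRIPTION_RE.match(scope):
        return "subscription"
    if RESOURCE_GROUP_RE.match(scope):
        return "resourceGroup"
    return None


def find_privileged_sp_assignments(assignments, privileged_roles=PRIVILEGED_ROLES):
    """Flag service principals holding a privileged role at subscription or
    resource-group scope. `assignments` is a list of dicts in the shape
    `az role assignment list` returns."""
    findings = []
    for a in assignments:
        if a.get("principalType") != "ServicePrincipal":
            continue  # users and groups are out of scope for this check
        role = a.get("roleDefinitionName")
        if role not in privileged_roles:
            continue
        kind = classify_scope(a.get("scope", ""))
        if kind is None:
            continue  # resource-level scope: blast radius is already narrow
        findings.append(Finding(a["principalId"], role, a["scope"], kind))
    return findings


# Constructed sample records (hypothetical subscription and principal IDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = [
    {"principalId": "sp-ci-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalId": "sp-app-prod", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-prod"},
    {"principalId": "sp-app-prod", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod"},
    {"principalId": "user-alice", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalId": "sp-monitor", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalId": "sp-blob-writer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": SUB + "/resourceGroups/rg-data"},
    # Scope written in lower case, as some tooling emits it; still a match.
    {"principalId": "sp-legacy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourcegroups/rg-legacy"},
]


def main():
    for f in find_privileged_sp_assignments(SAMPLE_ASSIGNMENTS):
        print(f"FLAG {f.principal_id}: {f.role} at {f.scope_kind} scope ({f.scope})")


if __name__ == "__main__":
    main()
```

Feed it the output of `az role assignment list --all` parsed with `json.load` and you get one finding per service principal that violates the recommendation; the resource-level Contributor assignment on the storage account is left alone because that is the narrower scope the recommendation is steering you toward.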

Benefits of implementation

  • Reduces blast radius of compromised service principal credentials
  • Enforces principle of least privilege for automation accounts
  • Required by CIS and MCSB benchmarks

Drawbacks and considerations

  • Requires redesigning existing automation that uses broad permissions
  • More granular role assignments increase management complexity
  • Some Azure services may require elevated permissions for setup

Implementation

Implementation guidance coming soon.

Related recommendations will be linked here.

Frameworks

Details

  • Risk Level: CRITICAL
  • Category: Identity & Access Management
  • Azure Resource:
  • Frameworks: 2 frameworks
  • Last updated: 2026-02-12