Petr Havlicek

Reputation: 2131

Why can an Azure application read role definitions without permissions

Microsoft states that the Microsoft.Authorization/roleDefinitions/read permission is needed to read RBAC role definitions.

It is mentioned here https://learn.microsoft.com/en-us/rest/api/authorization/role-definitions/list?tabs=HTTP

However, I have an Azure application which has an empty role assigned (having 0 permissions) and can still read role definitions.

How is that possible?

This is the empty role which the Azure app is assigned in subscription S1:

  {
    "assignableScopes": [
      "/subscriptions/<S1 ID>"
    ],
    "description": "No Permissions role",
    "id": "/subscriptions/<S1 ID>/providers/Microsoft.Authorization/roleDefinitions/<role ID>",
    "name": "<role ID>",
    "permissions": [
      {
        "actions": [],
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "No Permissions Role",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }

The app is not assigned any other roles in the subscription S1 (nor in any other subscription).

"Check Access" for the app in S1 confirms that.

When logged in to the Azure CLI with this app, it lists role definitions just fine, e.g. Contributor:

C:\>az login --service-principal -u <app ID> -p <client secret> --tenant <tenant ID>

C:\>az role definition list --name "Contributor"
This command or command group has been migrated to Microsoft Graph API. Please carefully review all breaking changes introduced during this migration: https://docs.microsoft.com/cli/azure/microsoft-graph-migration
[
  {
    "assignableScopes": [
      "/"
    ],
    "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
    ...
    "permissions": [
      {
        "actions": [
          "*"
        ],
        ...
      }
    ],
    "roleName": "Contributor",
    ...
  }
]

Azure CLI is authenticated using az login --service-principal -u <app ID> -p <client secret> --tenant <tenant ID>

Upvotes: 0

Views: 565

Answers (1)

Jahnavi

Reputation: 8028

This could be done if the application was given permission to read role definitions at a higher level of the hierarchy, such as the management group or tenant level.

In a few scenarios, Azure subscriptions provide a default role, "Reader", which grants read access to most Azure resources. This role includes the Microsoft.Authorization/roleDefinitions/read permission.

Run the below command in Azure CLI to check the application's subscription-level access.

az role assignment list --assignee <ApplicationID> --scope "/subscriptions/subscriptionID/resourceGroups/Resourcegroup" --role "Reader"


Note: Instead of the subscription scope, give the management scope to retrieve the role assignments at the management level.

Alternatively,

  • You can check the activity logs during some time period by filtering with the authorization action as follows.
  • The below command is used to view the activity logs for role assignments and displays any changes that were made by anyone in the last three days.

  Get-AzActivityLog -ResourceGroupName <resourcegroup> -StartTime (Get-Date).AddDays(-3) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/roleDefinitions/read'}

If the issue still persists, try reaching out to your admin to restrict the access.

Upvotes: 0
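As an added example (not code from the question or the answer), here is a small offline model of how Azure RBAC decides whether a principal holds a control-plane action at a scope. It combines the two things discussed above: role assignments inherited from ancestor scopes (management group, subscription, resource group), which the answer says to check, and the actions/notActions wildcard matching that makes the posted "No Permissions" role grant nothing. The role definitions follow the shape of the `az role definition list` output in the question; the Reader and Contributor entries are abridged, and the principal IDs, subscription ID and management-group tree are constructed sample data. The model does not reproduce whatever let the questioner's service principal list role definitions; it shows what an explicit grant would have to look like, and where to look for one.

```python
"""
Offline model of Azure RBAC evaluation: does a principal hold a given
control-plane action at a given scope, once role assignments at ancestor
scopes and the actions/notActions wildcard rules are taken into account?

Added example, not part of the Stack Overflow post. All IDs, the role
assignments and the management-group tree below are constructed sample
data; the role definitions are abridged versions of the real built-ins.
"""
from collections.abc import Iterator
from fnmatch import fnmatchcase

# --- constructed sample data (assumptions of this example) --------------------
S1 = "/subscriptions/11111111-1111-1111-1111-111111111111"
MG_PROD = "/providers/Microsoft.Management/managementGroups/mg-prod"
ROOT = "/"

# Assumed hierarchy: S1 sits under management group mg-prod, which sits under
# the tenant root scope "/". Scopes are case-insensitive, so keys are lowered.
_MG_PARENT = {S1.lower(): MG_PROD.lower(), MG_PROD.lower(): ROOT}

ROLE_DEFINITIONS = {
    # The questioner's empty custom role, as posted.
    "no-permissions": {"roleName": "No Permissions Role",
                       "permissions": [{"actions": [], "notActions": []}]},
    # Built-in Reader: every */read action.
    "reader": {"roleName": "Reader",
               "permissions": [{"actions": ["*/read"], "notActions": []}]},
    # Built-in Contributor; notActions abridged to the Microsoft.Authorization entries.
    "contributor": {"roleName": "Contributor",
                    "permissions": [{"actions": ["*"],
                                     "notActions": ["Microsoft.Authorization/*/Delete",
                                                    "Microsoft.Authorization/*/Write",
                                                    "Microsoft.Authorization/elevateAccess/Action"]}]},
}

APP = "app-object-id"        # the service principal from the question
OPS = "ops-group-object-id"  # a second principal, for contrast

ROLE_ASSIGNMENTS = [
    {"principalId": APP, "roleDefinitionId": "no-permissions", "scope": S1},
    {"principalId": OPS, "roleDefinitionId": "reader", "scope": MG_PROD},
    {"principalId": OPS, "roleDefinitionId": "contributor", "scope": S1 + "/resourceGroups/rg-app"},
]


def ancestors(scope: str) -> Iterator[str]:
    """Yield `scope` and every scope it inherits from, nearest first, ending at "/"."""
    current = scope.lower().rstrip("/") or ROOT
    while True:
        yield current
        if current == ROOT:
            return
        if current in _MG_PARENT:          # subscription -> management group -> root
            current = _MG_PARENT[current]
            continue
        # Inside a subscription, scopes are path-like and pair a type segment
        # with a name segment (resourceGroups/rg, storageAccounts/sa), so drop
        # two segments; also drop a dangling "providers/<Namespace>" pair.
        parts = current.split("/")[:-2]
        if len(parts) >= 2 and parts[-2] == "providers":
            parts = parts[:-2]
        current = "/".join(parts) or ROOT


def matches(pattern: str, action: str) -> bool:
    """Azure action matching: case-insensitive, '*' matches any characters, '/' included."""
    return fnmatchcase(action.lower(), pattern.lower())


def role_grants(role: dict, action: str) -> bool:
    """A permission block grants an action if an 'actions' entry matches it and no 'notActions' entry does."""
    for perm in role["permissions"]:
        allowed = any(matches(p, action) for p in perm["actions"])
        denied = any(matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def effective_assignments(principal_id: str, scope: str) -> list[dict]:
    """Assignments that apply at `scope`: those made at the scope itself or at any ancestor."""
    chain = set(ancestors(scope))
    return [a for a in ROLE_ASSIGNMENTS
            if a["principalId"] == principal_id and a["scope"].lower() in chain]


def has_action(principal_id: str, action: str, scope: str) -> list[str]:
    """Names of the roles that grant `action` to the principal at `scope`; an empty list means denied."""
    return [ROLE_DEFINITIONS[a["roleDefinitionId"]]["roleName"]
            for a in effective_assignments(principal_id, scope)
            if role_grants(ROLE_DEFINITIONS[a["roleDefinitionId"]], action)]


if __name__ == "__main__":
    read_defs = "Microsoft.Authorization/roleDefinitions/read"
    rg = S1 + "/resourceGroups/rg-app"
    print("app  at S1:", has_action(APP, read_defs, S1))                                  # []
    print("ops  at S1:", has_action(OPS, read_defs, S1))                                  # ['Reader']
    print("ops  at rg:", has_action(OPS, read_defs, rg))                                  # ['Reader', 'Contributor']
    print("ops  write assignment at rg:",
          has_action(OPS, "Microsoft.Authorization/roleAssignments/write", rg))          # []
```

Run against real data, the equivalent of `effective_assignments` is `az role assignment list --assignee <app ID> --all --include-inherited`, which returns assignments from parent scopes as well as from the subscription itself; the `Contributor` case above also illustrates why a role whose actions contain `*` still cannot write role assignments: the notActions entry wins. Deny assignments, data actions and ABAC conditions are not modelled here.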

Related Questions