What it is
A privileged role assignment (Owner, User Access Administrator, or another critical management role) granted as standing access: it stays active around the clock and is held for months or longer after the reason for it ended. The longer such an assignment stands, the larger the window in which a compromised credential or a departing employee can use it.
Why it happens
Azure RBAC assignments are permanent by default: grant Owner once and it stays until someone explicitly removes it. There's no expiry, no periodic re-justification, and Azure doesn't record who granted it or why, so there's nothing prompting a cleanup.
Privileged Identity Management (PIM) exists to make these roles eligible rather than active — granted just-in-time, for a bounded window, with approval and an audit trail. But PIM is opt-in, and standing grants are the path of least resistance during an incident or a project ("just give them Owner for now"). The "for now" never ends. Service principals make it worse: non-human identities routinely hold critical roles as standing access, they don't leave the company or reset a password, and nobody reviews them the way they'd review a person.
What it costs / blast radius
There's no dollar cost: the harm is a persistent, always-live blast radius. An Owner assignment can read and write every resource in scope, reassign roles to grant itself more, and delete resource groups; standing 24/7 for months means every one of those days is an exploitable window. A phished session token, a leaked service-principal secret, or an offboarded admin whose access was never revoked inherits that full reach the moment it's abused. Time-bounding the access shrinks the window from "months" to "the hour it was actually needed."
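The detection side of the point above (no expiry, no prompt to clean up, service principals nobody reviews) is straightforward to script once you have the assignment list. The following is an added example, not StratoLens code and not from the page: it parses JSON shaped like the output of `az role assignment list --all --include-inherited -o json`, flags Owner and User Access Administrator assignments that have stood longer than a grace period, and calls out service principals and scope breadth. The `createdOn`, `principalType`, `roleDefinitionId` and `scope` field names are assumed from that CLI's output; the records themselves are constructed placeholders, and the role set is easy to widen.

```python
"""Flag standing (non-expiring, long-lived) privileged Azure RBAC assignments.

Added example: parses JSON in the shape of `az role assignment list --all
--include-inherited -o json` and reports Owner / User Access Administrator
assignments older than a grace period. Field names are assumed from the
CLI output; the sample records below are constructed, not tenant data.
"""
import json
import re
from datetime import datetime, timezone

# Built-in role definition GUIDs (stable across tenants).
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMIN = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
PRIVILEGED_ROLES = {OWNER: "Owner", USER_ACCESS_ADMIN: "User Access Administrator"}

# Constructed sample; subscription and principal IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
SAMPLE_JSON = json.dumps([
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalName": "alice@example.test",
     "principalType": "User", "roleDefinitionName": "Owner", "roleDefinitionId": ROLE_DEFS + OWNER,
     "scope": SUB, "createdOn": "2023-04-28T00:00:00.0000000Z"},
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalName": "ci-deployer-sp",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Owner", "roleDefinitionId": ROLE_DEFS + OWNER,
     "scope": SUB, "createdOn": "2023-11-14T00:00:00+00:00"},
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalName": "bob@example.test",
     "principalType": "User", "roleDefinitionName": "User Access Administrator",
     "roleDefinitionId": ROLE_DEFS + USER_ACCESS_ADMIN,
     "scope": SUB + "/resourceGroups/rg-incident", "createdOn": "2024-05-27T12:00:00+00:00"},
    {"principalId": "44444444-4444-4444-4444-444444444444", "principalName": "carol@example.test",
     "principalType": "User", "roleDefinitionName": "Reader",
     "roleDefinitionId": ROLE_DEFS + "acdd72a7-3385-48ef-bd42-f606fba81ae7",
     "scope": SUB, "createdOn": "2022-10-01T08:00:00+00:00"},
])
# Fixed "now" so the sample ages are deterministic (constructed for this example).
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_timestamp(value: str) -> datetime:
    """Parse an ARM timestamp; tolerates a trailing 'Z' and 7-digit fractions."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    value = re.sub(r"(\.\d{6})\d+", r"\1", value)  # fromisoformat wants <= 6 digits
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def scope_level(scope: str) -> str:
    """Classify how broad an assignment's scope is, from the scope resource ID."""
    if scope == "/":
        return "tenantRoot"
    parts = scope.lower().strip("/").split("/")
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "managementGroup"
    if parts[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) >= 4 and parts[2] == "resourcegroups":
            return "resourceGroup" if len(parts) == 4 else "resource"
    return "other"


def find_standing_privileged(assignments, now, max_age_days=30):
    """Return privileged assignments older than max_age_days, oldest first."""
    findings = []
    for a in assignments:
        role_guid = a["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        if role_guid not in PRIVILEGED_ROLES:
            continue  # Reader, Contributor, custom roles: not in the critical set here
        age_days = (now - parse_timestamp(a["createdOn"])).days
        if age_days < max_age_days:
            continue  # within the grace period; may still be legitimately active
        findings.append({
            "principal": a.get("principalName", a["principalId"]),
            "principalType": a.get("principalType", "Unknown"),
            "isServicePrincipal": a.get("principalType") == "ServicePrincipal",
            "role": PRIVILEGED_ROLES[role_guid],
            "scopeLevel": scope_level(a["scope"]),
            "scope": a["scope"],
            "ageDays": age_days,
        })
    return sorted(findings, key=lambda f: f["ageDays"], reverse=True)


def load_sample():
    return json.loads(SAMPLE_JSON)


def main():
    for f in find_standing_privileged(load_sample(), datetime.now(timezone.utc)):
        tag = " [service principal]" if f["isServicePrincipal"] else ""
        print(f'{f["ageDays"]:>5}d  {f["role"]:<26} {f["scopeLevel"]:<15} {f["principal"]}{tag}')


if __name__ == "__main__":
    main()
```

Against real output, replace `load_sample()` with `json.load(open("assignments.json"))` after running the `az` command; the grace period is the one knob worth tuning, since a 30-day floor separates "activated for an incident last week" from "granted and forgotten".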
See it
// Shared preamble so both snippets below deploy as written (added; the
// original showed only the resource bodies).
targetScope = 'subscription'
param principalId string
param rgName string

// Owner, subscription-wide, active 24/7 with no end date
resource ownerGrant 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, 'Owner')
  scope: subscription()
  properties: {
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') // Owner
    principalId: principalId
    // stays until someone remembers to delete it
  }
}

// Right-scope the role, then make it *eligible* via PIM instead of
// standing: activated just-in-time, for a bounded window, with approval.
resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' existing = {
  name: rgName
}

resource eligible 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: guid(rg.id, principalId, 'Contributor-eligible')
  scope: rg // scoped to the RG, not the whole subscription
  properties: {
    principalId: principalId
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor, not Owner
    requestType: 'AdminAssign'
    scheduleInfo: {
      expiration: { type: 'AfterDuration', duration: 'P90D' } // not forever
    }
  }
}

How StratoLens helps
StratoLens surfaces privileged identities across your tenant and shows how long each critical role has stood, so an Owner assignment that's been active for months, including the service-principal grants nobody reviews, doesn't stay invisible. You see where standing access has outlived its purpose without auditing role assignments by hand.