Security · Governance · High · Common · AZF-0037

Owner held as standing access for months is a permanent blast radius

Owner and User Access Administrator granted as permanent, always-on assignments sit for months. Every day they stand is a day they can be abused.

Footgun ID: AZF-0037 (Azure Footgun No. 37)
Azure service: Azure RBAC / Entra ID
Resource type: Microsoft.Authorization/roleAssignments
Updated: July 1, 2026

What it is

A privileged role assignment — Owner, User Access Administrator, or another critical/management role — granted as standing access that stays active around the clock, held for months or longer after the reason for it ended. The longer such an assignment stands, the larger the window in which a compromised credential or a departing employee can use it.

Impact (security)
A high-privilege role held 24/7 for months is a large, always-live blast radius
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Azure RBAC assignments are permanent by default: grant Owner once and it stays until someone explicitly removes it. There's no expiry, no periodic re-justification, and Azure doesn't record who granted it or why, so there's nothing prompting a cleanup.

Privileged Identity Management (PIM) exists to make these roles eligible rather than active — granted just-in-time, for a bounded window, with approval and an audit trail. But PIM is opt-in, and standing grants are the path of least resistance during an incident or a project ("just give them Owner for now"). The "for now" never ends. Service principals make it worse: non-human identities routinely hold critical roles as standing access, they don't leave the company or reset a password, and nobody reviews them the way they'd review a person.

What it costs / blast radius

There's no dollar cost — the harm is a persistent, always-live blast radius. An Owner assignment can read and write every resource in scope, reassign roles to grant itself more, and delete resource groups; standing 24/7 for months means every one of those days is an exploitable window. (Azure behavior; authored assessment.) A phished session token, a leaked service-principal secret, or an offboarded admin whose access was never revoked inherits that full reach the moment it's abused. Time-bounding the access shrinks the window from "months" to "the hour it was actually needed."

See it

Footgun: a broad, permanent Owner grant at subscription scope
// Owner, subscription-wide, active 24/7 with no end date
targetScope = 'subscription'

param principalId string   // object ID of the user, group, or service principal

resource ownerGrant 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, 'Owner')
  scope: subscription()
  properties: {
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')   // Owner
    principalId: principalId
    // stays until someone remembers to delete it
  }
}
Fix: make privileged access PIM-eligible, scoped, and time-bound
// Right-scope the role, then make it *eligible* via PIM instead of
// standing: activated just-in-time, for a bounded window, with approval.
// (PIM for Azure resources needs Microsoft Entra ID P2 or ID Governance licensing.)
targetScope = 'subscription'

param principalId string   // object ID of the user, group, or service principal
param rgName string        // the one resource group the work actually needs

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' existing = {
  name: rgName
}

resource eligible 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: guid(rg.id, principalId, 'Contributor-eligible')
  scope: rg                                    // scoped to the RG, not the whole subscription
  properties: {
    principalId: principalId
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      'b24988ac-6180-42a0-ab88-20f7382dd24c')   // Contributor, not Owner
    requestType: 'AdminAssign'
    scheduleInfo: {
      expiration: { type: 'AfterDuration', duration: 'P90D' }   // not forever
    }
  }
}
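How long a grant has stood can be computed from the CLI's own output. The following is an added example (not StratoLens or Microsoft code) that reads the JSON `az role assignment list --all -o json` prints and reports every Owner or User Access Administrator assignment older than a threshold, widest scope and longest-standing first, with service-principal holders marked for manual review. The four records are constructed and embedded so it runs offline; the subscription and principal GUIDs, the 30-day threshold and the fixed clock of July 1, 2026 are assumptions, and the `createdOn` field is assumed to be present, as current CLI output includes it. It reads only active assignments, which is the point of the fix above: a PIM-eligible role does not appear in that list until it is activated.

```python
"""Report standing (permanent, active) privileged Azure RBAC assignments.
Added example for this footgun entry, not StratoLens or Microsoft code.
Consumes the JSON `az role assignment list --all -o json` prints; the
records below are constructed so the script runs offline."""
import json
from datetime import datetime, timezone

# Built-in role definition GUIDs (well-known; identical in every tenant).
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMIN = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
CRITICAL_ROLES = {OWNER: "Owner", USER_ACCESS_ADMIN: "User Access Administrator"}

# Constructed sample; the subscription and principal GUIDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ROLE_DEFS = f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/"


def _assignment(principal_id, principal_type, role, scope, created_on):
    """One record in the CLI's output shape (only the fields this check reads)."""
    return {"principalId": principal_id, "principalType": principal_type,
            "roleDefinitionId": ROLE_DEFS + role, "scope": scope, "createdOn": created_on}


SAMPLE_JSON = json.dumps([
    # Owner over the whole subscription, standing since January 2025
    _assignment("11111111-1111-1111-1111-111111111111", "User", OWNER,
                SUB, "2025-01-15T10:00:00.000000+00:00"),
    # a service principal holding User Access Administrator for over two years
    _assignment("22222222-2222-2222-2222-222222222222", "ServicePrincipal",
                USER_ACCESS_ADMIN, SUB, "2024-05-01T08:30:00.000000+00:00"),
    # Contributor on one resource group: not a critical role, never flagged
    _assignment("33333333-3333-3333-3333-333333333333", "User", CONTRIBUTOR,
                f"{SUB}/resourceGroups/rg-app", "2026-06-20T09:00:00.000000+00:00"),
    # "just give them Owner for now": granted five days ago on one resource group
    _assignment("44444444-4444-4444-4444-444444444444", "User", OWNER,
                f"{SUB}/resourceGroups/rg-incident", "2026-06-26T15:00:00Z"),
])

# Fixed clock so the report is reproducible; use datetime.now(timezone.utc) live.
NOW = datetime(2026, 7, 1, tzinfo=timezone.utc)
SCOPE_ORDER = ["root", "managementGroup", "subscription", "resourceGroup", "resource"]


def role_guid(role_definition_id: str) -> str:
    """Last path segment of a roleDefinitionId, lower-cased for comparison."""
    return role_definition_id.rstrip("/").rsplit("/", 1)[-1].lower()


def scope_level(scope: str) -> str:
    """Classify an assignment scope by breadth."""
    s = scope.lower()
    if s == "/":
        return "root"
    if "/providers/microsoft.management/managementgroups/" in s:
        return "managementGroup"
    if "/providers/" in s:
        return "resource"
    return "resourceGroup" if "/resourcegroups/" in s else "subscription"


def standing_days(created_on: str, now: datetime = NOW) -> int:
    """Whole days an assignment has been active, from its createdOn stamp."""
    created = datetime.fromisoformat(created_on.replace("Z", "+00:00"))
    return (now - created).days


def find_standing_privileged(assignments_json: str, max_days: int = 30,
                             now: datetime = NOW) -> list:
    """Critical-role assignments older than max_days, widest scope and
    longest-standing first. The CLI lists only active assignments, so a
    PIM-eligible role is absent here until someone activates it."""
    findings = []
    for a in json.loads(assignments_json):
        role = CRITICAL_ROLES.get(role_guid(a["roleDefinitionId"]))
        if role is None:
            continue
        days = standing_days(a["createdOn"], now)
        if days <= max_days:
            continue
        findings.append({
            "principalId": a["principalId"],
            "principalType": a["principalType"],
            "role": role,
            "scopeLevel": scope_level(a["scope"]),
            "scope": a["scope"],
            "standingDays": days,
            # non-human holders never offboard or rotate a password on their own
            "needsReview": a["principalType"] == "ServicePrincipal",
        })
    findings.sort(key=lambda f: (SCOPE_ORDER.index(f["scopeLevel"]), -f["standingDays"]))
    return findings


if __name__ == "__main__":
    for f in find_standing_privileged(SAMPLE_JSON):
        note = "  <- service principal, review by hand" if f["needsReview"] else ""
        print(f'{f["role"]:<26} {f["scopeLevel"]:<14} {f["standingDays"]:>4}d  '
              f'{f["principalType"]} {f["principalId"]}{note}')
```

To run it against a real subscription, save the CLI output to a file and pass its contents to find_standing_privileged; add --include-inherited to the az command to also catch assignments inherited from management groups, and set max_days to 0 to list every standing critical grant regardless of age. With the constructed sample and the default threshold, the two subscription-wide grants are reported and the five-day-old Owner grant is not, which is exactly the "for now" grant that becomes a finding once it outlives the threshold.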

How StratoLens helps

StratoLens surfaces privileged identities across your tenant and shows how long each critical role has stood, so an Owner assignment that's been active for months, including the service-principal grants nobody reviews, doesn't stay invisible. You see where standing access has outlived its purpose without auditing role assignments by hand.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.