Skip to main content
Back to the Azure Footguns Database
GovernanceSecurityMediumOccasionalAZF-0054

The same role granted separately across 5+ subscriptions signals blanket over-provisioning, not intent

When one principal holds the same role in subscription after subscription, it is usually a blanket grant, not a deliberate per-subscription decision.

Footgun ID
AZF-0054 (Azure Footgun No. 54)
Azure service
Azure RBAC
Resource type
Microsoft.Authorization/roleAssignments
Updated
July 1, 2026

What it is

A single principal (user, group, or service principal) assigned the same role, often Contributor or Owner, independently across many subscriptions. Each grant looks reasonable on its own. The pattern across five or more subscriptions is the tell: access was provisioned in bulk rather than scoped to any real per-subscription need.

Impact (governance)
No dollar cost — the harm is invisible cross-subscription reach and the blast radius of a single compromised principal
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

It is simply easier to grant a role on each subscription as it appears than to design a management-group hierarchy up front and place the grant once. Onboarding scripts, landing-zone templates, and "just give them access everywhere" tickets scatter identical assignments across the estate.

Azure never objects, because every one of those assignments is individually valid. There is no built-in view that says "this identity can write to twelve subscriptions," so the sprawl compounds quietly and the true reach of a principal becomes something nobody can see at a glance. Deliberate, scoped grants and accidental blanket over-provisioning look exactly the same in the assignment list.

What it costs / blast radius

Role assignments are free, so there is no dollar cost. (Azure behavior; authored assessment.) The harm is blast radius and visibility: one compromised principal now reaches every subscription it was blanket-granted, and because the access is spread across many independent assignments, no single place tells you how far that identity can actually go. You discover the real reach during an incident, which is the worst possible time.

See it

Footgun: the same Contributor grant deployed into each subscription, one at a time
// A separate, standing Contributor assignment per subscription.
targetScope = 'managementGroup'   // needed to deploy subscription-scoped modules
param subscriptionIds array   // e.g. 12 subscription IDs
param principalId string

module grant 'contributor-grant.bicep' = [for subId in subscriptionIds: {
  name: 'grant-${subId}'
  scope: subscription(subId)
  params: { principalId: principalId }
}]
// 12 subscriptions => 12 identical grants, and no one view of the total reach.
Fix: grant once at the management group that already contains those subscriptions, ideally to a group
targetScope = 'managementGroup'
param principalId string

resource contributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(managementGroup().id, principalId, 'Contributor')
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
    principalId: principalId
    principalType: 'Group'   // assign to a group; manage reach by membership, in one place
  }
}

How StratoLens helps

StratoLens spots principals holding the same role across many subscriptions and shows the pattern for what it is: blanket provisioning rather than a set of deliberate grants. It runs across every subscription in your tenant continuously, so a service principal quietly wired into a dozen subscriptions surfaces as one finding instead of twelve unrelated rows.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.