Governance | Security | High | Common | AZF-0050

An Owner role that only ever reads: over-privileged RBAC no one downgrades

A principal holds Owner but its actual activity is read/deploy work that Contributor or Reader would cover. The extra privilege is pure blast radius with no offsetting use.

Footgun ID: AZF-0050 (Azure Footgun No. 50)
Azure service: Azure RBAC
Resource type: Microsoft.Authorization/roleAssignments
Updated: July 1, 2026

What it is

A role assignment that grants far more than the principal ever exercises. The classic shape is Owner (or User Access Administrator) held by a user or service principal whose real activity never touches access management. Owner is essentially Contributor plus the right to grant roles; if the principal never grants a role, that extra power is unused authority sitting on the tenant.

Impact (governance)
Standing Owner/User Access Administrator held by a principal that never manages access
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Owner is the path of least resistance. It's the role you hand out when you're not sure exactly which permissions a person or automation will need, and it makes the "access denied" tickets stop. Once granted, nobody circles back to ask whether Contributor or Reader would have been enough, because the assignment keeps working and downgrading it risks breaking something.

Azure does not compare granted permissions against exercised ones. A principal that only ever reads, deploys, or updates resources looks identical to a genuine subscription owner from the role assignment alone. The gap between granted and used never surfaces on its own, so over-privileged grants become the permanent default.
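Azure does not make that comparison itself, but the two inputs it needs are already exposed: the role held by each principal, and the operation names that principal has executed in the activity log. The following is an added example, not code from the Footguns page or from StratoLens; its ROLES table is a constructed, simplified subset of the real built-in role definitions (pull the authoritative ones with `az role definition list`), and the sample assignments and activity records are constructed.

```python
"""Flag role assignments whose granted role outruns the operations the
principal actually performs, and name the narrower built-in role that covers
them. Added example, not part of the Footguns page or of StratoLens. ROLES is
a constructed, simplified subset of the real Azure built-ins (pull the real
ones with `az role definition list`); the sample data below is constructed."""
import fnmatch
ROLES = {  # (Actions, NotActions) per role, ordered least to most privileged
    "Reader": (["*/read"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "Owner": (["*"], []),
}
LADDER = list(ROLES)

def _match(pattern, op):
    # Azure matches actions case-insensitively; '*' may span '/' segments.
    return fnmatch.fnmatchcase(op.lower(), pattern.lower())

def role_permits(role, op):
    actions, not_actions = ROLES[role]
    return (any(_match(p, op) for p in actions)
            and not any(_match(p, op) for p in not_actions))

def least_privileged_role(ops):
    """Narrowest role permitting every observed operation (Reader if none)."""
    for role in LADDER:
        if all(role_permits(role, op) for op in ops):
            return role
    return None  # these built-ins cannot cover it; a custom role is needed

def flag_overprivileged(assignments, activity):
    """assignments: {principal: heldRole}; activity: {principal: [operation]}.
    Returns (principal, heldRole, suggestedRole) wherever held > needed."""
    findings = []
    for principal, held in assignments.items():
        needed = least_privileged_role(activity.get(principal, []))
        if needed and LADDER.index(needed) < LADDER.index(held):
            findings.append((principal, held, needed))
    return findings

# Constructed sample activity-log operations for three role holders.
SAMPLE_ASSIGNMENTS = {"sp-deployer": "Owner", "alice": "Owner", "bob": "Contributor"}
SAMPLE_ACTIVITY = {
    "sp-deployer": ["Microsoft.Resources/deployments/write",
                    "Microsoft.Compute/virtualMachines/write"],
    "alice": ["Microsoft.Authorization/roleAssignments/write"],  # really grants roles
    "bob": ["Microsoft.Storage/storageAccounts/listKeys/action"],  # Reader cannot do this
}
print(flag_overprivileged(SAMPLE_ASSIGNMENTS, SAMPLE_ACTIVITY))  # sp-deployer only needs Contributor
```

Only the deploying service principal is flagged: alice genuinely exercises access management, and bob's key-listing action is a data-plane operation Reader's `*/read` does not cover, so Contributor is already the floor for him.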

What it costs / blast radius

This is a blast-radius problem, not a bill. An over-privileged Owner is a much larger target: if that identity is phished, its secret leaks, or the service principal is compromised, the attacker inherits the ability to grant themselves and others any role in the subscription, not just to operate the resources the principal actually used. (Azure behavior; authored assessment.) The damage from a single compromised credential scales with the privilege attached to it, and Owner is the widest blast radius Azure hands out at subscription scope.

See it

Footgun: Owner granted to a principal that only reads and deploys
targetScope = 'subscription'

param principalId string
var ownerRoleId = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' // Owner built-in role

resource ownerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, ownerRoleId)
  properties: {
    // Owner = Contributor + the right to manage access.
    // This principal has never performed an access-management operation.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ownerRoleId)
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}
Fix: downgrade to the least-privileged role the activity actually needs
targetScope = 'subscription'

param principalId string
var contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor built-in role

resource contributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, contributorRoleId)
  properties: {
    // Deploys and updates resources but cannot grant roles.
    // Use Reader instead if the principal only reads.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', contributorRoleId)
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}

How StratoLens helps

StratoLens flags role assignments whose granted privilege outruns the principal's actual activity and names the narrower role that would cover the same work. It does this automatically and continuously across every subscription in your own tenant, so an Owner grant that only ever reads doesn't quietly become a permanent one.
