What it is
A role assignment that grants far more than the principal ever exercises. The classic shape is Owner (or User Access Administrator) held by a user or service principal whose real activity never touches access management. Owner is essentially Contributor plus the right to grant roles; if the principal never grants a role, that extra power is unused authority sitting on the tenant.
Why it happens
Owner is the path of least resistance. It's the role you hand out when you're not sure exactly which permissions a person or automation will need, and it makes the "access denied" tickets stop. Once granted, nobody circles back to ask whether Contributor or Reader would have been enough, because the assignment keeps working and downgrading it risks breaking something.
Azure does not compare granted permissions against exercised ones. A principal that only ever reads, deploys, or updates resources looks identical to a genuine subscription owner from the role assignment alone. The gap between granted and used never surfaces on its own, so over-privileged grants become the permanent default.
What it costs / blast radius
This is a blast-radius problem, not a bill. An over-privileged Owner is a much larger target: if that identity is phished, its secret leaks, or the service principal is compromised, the attacker inherits the ability to grant themselves and others any role in the subscription, not just to operate the resources the principal actually used. (Azure behavior; authored assessment.) The damage from a single compromised credential scales with the privilege attached to it, and Owner is the widest blast radius Azure hands out at subscription scope.
See it
// Before: Owner granted to a service principal that only deploys resources.
targetScope = 'subscription'

param principalId string

var ownerRoleId = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' // Owner
var contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor

resource ownerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, ownerRoleId)
  properties: {
    // Owner = Contributor + the right to manage access.
    // This principal has never performed an access-management operation.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ownerRoleId)
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}

// After: the narrower role that covers the same work. Replaces ownerAssignment above;
// the two assignments are alternatives, not meant to coexist.
resource contributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, contributorRoleId)
  properties: {
    // Deploys and updates resources but cannot grant roles.
    // Use Reader instead if the principal only reads.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', contributorRoleId)
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}

How StratoLens helps
StratoLens flags role assignments whose granted privilege outruns the principal's actual activity and names the narrower role that would cover the same work. It does this automatically and continuously across every subscription in your own tenant, so an Owner grant that only ever reads doesn't quietly become a permanent one.
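The granted-versus-exercised comparison described under "Why it happens" and "How StratoLens helps", worked through as an added example in Python. This is not StratoLens's own code and nothing about its implementation is inferred from it. The role assignments and activity-log records are constructed for the example; only the three built-in role definition GUIDs are real Azure values. The operation-to-role mapping is a deliberately simplified assumption: custom roles, data-plane actions and Contributor's other NotActions are ignored, and a principal with no recorded activity is treated as needing Reader.

```python
"""Granted-vs-exercised check for Azure role assignments (illustrative only).

Constructed example: the assignments and activity records below are made up,
and nothing here calls Azure. In a real run the inputs would come from the
subscription's role assignment list and its activity log.
"""
from dataclasses import dataclass

# Real Azure built-in role definition IDs.
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"

ROLE_NAMES = {OWNER: "Owner", CONTRIBUTOR: "Contributor", READER: "Reader"}
# Ordering used to decide whether a grant is wider than what was exercised.
ROLE_RANK = {READER: 0, CONTRIBUTOR: 1, OWNER: 2}


@dataclass(frozen=True)
class Assignment:
    principal_id: str
    role_definition_id: str
    scope: str


@dataclass(frozen=True)
class ActivityRecord:
    principal_id: str
    operation: str  # e.g. "Microsoft.Compute/virtualMachines/write"


def role_needed_for(operation: str) -> str:
    """Map one exercised control-plane operation to the narrowest built-in role
    that covers it. Simplified assumption: Microsoft.Authorization writes and
    deletes are the Owner-only part; any other write/delete/action is
    Contributor; reads are Reader."""
    op = operation.lower()
    if op.startswith("microsoft.authorization/") and op.endswith(("/write", "/delete")):
        return OWNER
    if op.endswith("/read"):
        return READER
    return CONTRIBUTOR


def minimum_role(records, principal_id: str) -> str:
    """Narrowest role that still covers everything this principal actually did.
    A principal with no recorded activity gets Reader (assumption)."""
    needed = READER
    for r in records:
        if r.principal_id != principal_id:
            continue
        candidate = role_needed_for(r.operation)
        if ROLE_RANK[candidate] > ROLE_RANK[needed]:
            needed = candidate
    return needed


def find_overprivileged(assignments, records):
    """Return (assignment, suggested_role_name) for every grant whose rank is
    higher than the rank of the role the principal's activity required."""
    findings = []
    for a in assignments:
        if a.role_definition_id not in ROLE_RANK:
            continue  # custom roles are out of scope for this illustration
        needed = minimum_role(records, a.principal_id)
        if ROLE_RANK[a.role_definition_id] > ROLE_RANK[needed]:
            findings.append((a, ROLE_NAMES[needed]))
    return findings


# Constructed sample data (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    Assignment("sp-deployer", OWNER, SUB),      # deploys, never grants roles
    Assignment("sp-auditor", OWNER, SUB),       # only reads
    Assignment("user-admin", OWNER, SUB),       # genuinely manages access
    Assignment("sp-builder", CONTRIBUTOR, SUB), # writes resources; fits
]
SAMPLE_ACTIVITY = [
    ActivityRecord("sp-deployer", "Microsoft.Resources/deployments/write"),
    ActivityRecord("sp-deployer", "Microsoft.Compute/virtualMachines/write"),
    ActivityRecord("sp-auditor", "Microsoft.Compute/virtualMachines/read"),
    ActivityRecord("sp-auditor", "Microsoft.Authorization/roleAssignments/read"),
    ActivityRecord("user-admin", "Microsoft.Authorization/roleAssignments/write"),
    ActivityRecord("sp-builder", "Microsoft.Web/sites/write"),
]

if __name__ == "__main__":
    for assignment, suggested in find_overprivileged(SAMPLE_ASSIGNMENTS, SAMPLE_ACTIVITY):
        granted = ROLE_NAMES[assignment.role_definition_id]
        print(f"{assignment.principal_id}: granted {granted}, activity needs {suggested}")
```

On the sample data the check reports sp-deployer (Owner, needs Contributor) and sp-auditor (Owner, needs Reader) and leaves user-admin and sp-builder alone, because their exercised operations actually require the role they hold. The useful property is that the decision is made per principal from observed operations, not from the role name, which is exactly the comparison the role assignment on its own cannot give you.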