Governance · Security · Medium · Common · AZF-0051

Subscription-wide RBAC for work that lives in one resource group

A Contributor or Owner assignment sits at subscription scope, but every operation the principal performs lands in one resource group. The rest of the subscription is exposed for nothing.

Footgun ID
AZF-0051 (Azure Footgun No. 51)
Azure service
Azure RBAC
Resource type
Microsoft.Authorization/roleAssignments
Updated
July 1, 2026

What it is

A role assignment granted at a scope far wider than the principal actually uses. The common shape is a Contributor or Owner role assigned at subscription (or management-group) scope while the principal's real work is confined to a single resource group. Azure RBAC inherits downward: a role assigned at a parent scope applies to every child scope beneath it, so the grant hands write access to every resource group in the subscription when a single resource-group assignment would have done.

Impact (governance)
A write role granted at subscription or management-group scope while activity touches a single resource group
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Subscription scope is the convenient default. It's simpler to assign a role once at the top than to reason about which resource groups a team or pipeline will touch, and it pre-empts the "I can't deploy to the new resource group" ticket that a tightly scoped grant would eventually cause.

Azure evaluates whether a principal is authorized at a scope, but never whether that scope is wider than the principal's actual footprint. A Contributor that only ever touches rg-app-prod looks exactly like one that manages the whole subscription. Because the broad grant keeps working and rescoping carries a small risk of breaking a future deployment, the assignment stays subscription-wide long after the work has settled into one resource group.
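The comparison Azure itself never makes, each wide write-role assignment against where its principal has actually written, can be scripted from two exports. The block below is an added example, not code from this page or from StratoLens. It runs over constructed sample records shaped like the JSON from `az role assignment list --all -o json` and `az monitor activity-log list -o json`; the subscription id, principal ids, assignment names and resource group names are invented. It assumes the activity log's objectidentifier claim carries the caller's object id (falling back to `caller`), which is how it ties an event back to a role assignment's principalId.

```python
"""Flag wide write-role assignments whose principal only ever writes to one resource group.

Added example, not code from the Azure Footguns page or StratoLens. Input shapes follow
`az role assignment list --all` and `az monitor activity-log list`; samples are constructed.
"""
import re
from collections import defaultdict

# Built-in write roles to check, keyed by role-definition GUID (Contributor is the one on the page).
WRITE_ROLES = {
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
}
_SUB_SCOPE = re.compile(r"^/subscriptions/[^/]+$", re.I)
_MG_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)
# Activity-log claim holding the caller's object id (assumed present); matches principalId.
_OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"


def is_wide_scope(scope):
    """Subscription or management-group scope: every resource group below inherits it."""
    return bool(_SUB_SCOPE.match(scope) or _MG_SCOPE.match(scope))


def write_footprint(events):
    """principal object id -> set of (subscriptionId, resourceGroup) it modified.
    Only write/delete/action operations count. A write with no resource group (policy,
    locks, RBAC on the subscription itself) is kept as (sub, "") since it needs the wide scope."""
    footprint = defaultdict(set)
    for ev in events:
        op = ev.get("operationName", {}).get("value", "").lower()
        if not op.endswith(("/write", "/delete", "/action")):
            continue
        oid = ev.get("claims", {}).get(_OID_CLAIM) or ev.get("caller")
        rg = (ev.get("resourceGroupName") or "").lower()
        footprint[oid].add((ev["subscriptionId"].lower(), rg))
    return footprint


def flag_overscoped_assignments(assignments, events):
    """One finding per wide-scoped write-role assignment, with a verdict and rescoping commands."""
    footprint = write_footprint(events)
    findings = []
    for a in assignments:
        guid = a["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        if guid not in WRITE_ROLES or not is_wide_scope(a["scope"]):
            continue
        used = footprint.get(a["principalId"], set())
        f = {"assignmentId": a["id"], "principalId": a["principalId"],
             "role": WRITE_ROLES[guid], "scope": a["scope"],
             "resourceGroupsUsed": sorted(rg for _, rg in used if rg)}
        if not used:
            f["verdict"] = "no-write-activity"        # review for removal, not rescoping
        elif any(rg == "" for _, rg in used):
            f["verdict"] = "needs-subscription-scope"  # subscription-level writes seen
        elif len(used) > 1:
            f["verdict"] = "multi-rg"                  # narrow to several RG assignments
        else:
            sub, rg = next(iter(used))
            target = f"/subscriptions/{sub}/resourceGroups/{rg}"
            f["verdict"] = "rescope"
            f["recommendedScope"] = target
            f["remediation"] = [  # add the narrow grant first, then drop the wide one
                f"az role assignment create --assignee-object-id {a['principalId']} "
                f"--assignee-principal-type {a['principalType']} --role {guid} --scope {target}",
                f"az role assignment delete --ids {a['id']}",
            ]
        findings.append(f)
    return findings


# ---- constructed sample input (invented ids and names, not tenant output) ----
SUB = "00000000-0000-0000-0000-000000000001"
_RA = f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleAssignments/"
_RD = f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/"
CONTRIB, OWNER = "b24988ac-6180-42a0-ab88-20f7382dd24c", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"


def _assignment(name, oid, ptype, role, scope):
    return {"id": _RA + name, "principalId": oid, "principalType": ptype,
            "roleDefinitionId": _RD + role, "scope": scope}


def _event(oid, op, rg):
    return {"caller": oid, "claims": {_OID_CLAIM: oid}, "subscriptionId": SUB,
            "resourceGroupName": rg, "operationName": {"value": op}}


SAMPLE_ASSIGNMENTS = [
    _assignment("a1", "sp-deploy-app", "ServicePrincipal", CONTRIB, f"/subscriptions/{SUB}"),  # the footgun
    _assignment("a2", "sp-platform", "ServicePrincipal", OWNER, f"/subscriptions/{SUB}"),
    _assignment("a3", "sp-policy", "ServicePrincipal", CONTRIB, "/providers/Microsoft.Management/managementGroups/mg-root"),
    _assignment("a4", "sp-stale", "ServicePrincipal", CONTRIB, f"/subscriptions/{SUB}"),
    _assignment("a5", "user-alice", "User", CONTRIB, f"/subscriptions/{SUB}/resourceGroups/rg-data"),  # already narrow
]
SAMPLE_EVENTS = [
    _event("sp-deploy-app", "Microsoft.Web/sites/write", "rg-app-prod"),
    _event("sp-deploy-app", "Microsoft.Web/sites/restart/action", "RG-App-Prod"),  # same RG, different case
    _event("sp-deploy-app", "Microsoft.Web/sites/read", "rg-other"),               # a read: does not count
    _event("sp-platform", "Microsoft.Network/virtualNetworks/write", "rg-network"),
    _event("sp-platform", "Microsoft.Storage/storageAccounts/write", "rg-data"),
    _event("sp-policy", "Microsoft.Authorization/policyAssignments/write", None),
    _event("user-alice", "Microsoft.Storage/storageAccounts/write", "rg-data"),
]

if __name__ == "__main__":
    for f in flag_overscoped_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_EVENTS):
        print(f["verdict"], f["role"], f["principalId"], f.get("recommendedScope", ""))
```

On the sample data this flags sp-deploy-app for rescoping to rg-app-prod, sp-platform as spread over several resource groups, sp-policy as genuinely needing the wide scope, and sp-stale as having no write activity at all, which is a removal candidate rather than a rescoping one. The footprint is only as complete as the activity log you export: the platform retains 90 days unless you ship it elsewhere, so a quarterly or yearly pipeline step can look idle in a short window. Create the narrow assignment before deleting the wide one so the principal never loses access mid-change.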

What it costs / blast radius

This is a blast-radius problem rather than a bill. A subscription-scoped write role means a compromise of that identity, or an automation bug running under it, can reach every resource group in the subscription, not just the one the principal legitimately uses. (Azure behavior; authored assessment.) The exposed surface is the difference between one resource group and the entire subscription, and the assignment gives you nothing in return for that gap.

See it

Footgun: Contributor at subscription scope for single-RG work
// Assigned at the subscription. Inherits into every resource group,
// though this principal only ever operates in rg-app-prod.
targetScope = 'subscription'

param principalId string
var contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // built-in Contributor

resource wideAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, contributorRoleId)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', contributorRoleId)
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}
Fix: assign the same role at the resource group the activity actually lives in
// Scoped to the one resource group in use. Same role, far smaller surface.
// Deployed with `az deployment group create --resource-group rg-app-prod ...`.
targetScope = 'resourceGroup'

param principalId string
var contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // built-in Contributor

resource scopedAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, principalId, contributorRoleId)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', contributorRoleId)
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}

How StratoLens helps

StratoLens flags write-role assignments whose scope is much broader than where the principal actually operates and points to the resource group the activity is confined to. It runs automatically and continuously across every subscription in your own tenant, so a subscription-wide grant for single-resource-group work surfaces instead of inheriting quietly forever.
