Governance · Security · Medium · Common · AZF-0053

A privileged role assignment keeps full standing access for months after anyone last used it

Privileged access granted for a project or an incident routinely outlives the need. The role keeps full standing access long after anyone last exercised it.

Footgun ID: AZF-0053 (Azure Footgun No. 53)
Azure service: Azure RBAC
Resource type: Microsoft.Authorization/roleAssignments
Updated: July 1, 2026

What it is

A high-privilege role assignment (Owner, Contributor, User Access Administrator) that was exercised at some point but hasn't been used in a long time. The migration, incident, or one-off task that justified it has ended, yet the assignment stays exactly as it was: permanent, always-on standing access.

Impact (governance)
No dollar cost — the harm is a persistent, unused privileged foothold and the audit burden it creates
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Azure role assignments are permanent by default. Nothing expires them and nothing revisits them. A grant made to get a project over the line stays configured until a human decides to remove it, and removal is nobody's explicit job.

There is no "last used" timestamp shown next to an assignment in the portal, so a role that was busy for a week and then idle for six months looks identical to one in daily use. The safe-feeling default is to leave it, which is how Owner grants accumulate faster than they ever get cleaned up. Stale is distinct from never-used (see AZF-0052): this access was legitimately used, which is exactly why no one questions it later.
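One way to approximate the missing "last used" signal, as an added example that is not part of this entry or of StratoLens: pair each privileged assignment's principal with the most recent Activity Log event from that principal, and separate stale (used, then idle past a threshold) from never-used. The assignment rows, activity pairs, principal IDs and the 90-day threshold are constructed for the example; the role definition GUIDs are the real built-in ones.

```python
from datetime import datetime, timedelta, timezone

# Built-in role definition IDs for the roles the entry calls high-privilege.
PRIVILEGED_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}

def classify_assignments(assignments, activity, now, stale_after_days=90):
    """Map assignment name -> (role, status, days idle).
    assignments: dicts shaped like `az role assignment list` rows.
    activity: (principalId, UTC datetime) pairs taken from the Activity Log;
    a principal with no pair at all has never been seen acting.
    """
    last_seen = {}  # most recent event per principal
    for principal, when in activity:
        if principal not in last_seen or when > last_seen[principal]:
            last_seen[principal] = when
    cutoff = now - timedelta(days=stale_after_days)
    result = {}
    for a in assignments:
        role = PRIVILEGED_ROLES.get(a["roleDefinitionId"].rsplit("/", 1)[-1])
        if role is None:
            continue  # Reader and similar roles are out of scope for this check
        seen = last_seen.get(a["principalId"])
        if seen is None:
            status, idle = "never-used", None  # AZF-0052, not this footgun
        elif seen < cutoff:
            status, idle = "stale", (now - seen).days  # AZF-0053
        else:
            status, idle = "active", (now - seen).days
        result[a["name"]] = (role, status, idle)
    return result

# Constructed sample input: one subscription, four principals (placeholder IDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NOW = datetime(2026, 7, 1, tzinfo=timezone.utc)
def _rd(guid):  # full roleDefinitionId path, as the CLI returns it
    return f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{guid}"
ASSIGNMENTS = [
    {"name": "owner-migration", "principalId": "p-alice", "roleDefinitionId": _rd("8e3af657-a8ff-443c-a75c-2fe8c4bcb635")},
    {"name": "contrib-bob", "principalId": "p-bob", "roleDefinitionId": _rd("b24988ac-6180-42a0-ab88-20f7382dd24c")},
    {"name": "uaa-carol", "principalId": "p-carol", "roleDefinitionId": _rd("18d7d88d-d35e-4fb5-a5c3-7773c20a72d9")},
    {"name": "reader-dave", "principalId": "p-dave", "roleDefinitionId": _rd("acdd72a7-3385-48ef-bd42-f606fba81ae7")},
]
ACTIVITY = [  # Alice's migration ended in December; Bob is in daily use.
    ("p-alice", datetime(2025, 12, 20, tzinfo=timezone.utc)),
    ("p-bob", NOW - timedelta(days=3)),
]
```

Running it over the sample flags owner-migration as stale after 193 idle days, contrib-bob as active, uaa-carol as never-used, and skips reader-dave.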

What it costs / blast radius

A role assignment is free, so there is no direct dollar cost. The harm is security and governance hygiene. (Azure behavior; authored assessment.) Every stale privileged grant is an extra live credential: one more account an attacker can phish into full control, one more path a departed contractor might retain, and one more line every access review has to reconcile. Standing privilege that nobody uses is pure attack surface with no offsetting benefit.

See it

Footgun: permanent, always-on Owner that never expires
param principalId string   // object ID of the user receiving the assignment

resource owner 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, 'Owner')
  properties: {
    // Owner — standing, permanent, and last exercised months ago
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
    principalId: principalId
    principalType: 'User'
  }
}
Fix: remove it, or make it PIM-eligible and time-bound so access activates on demand and auto-expires
// No standing access. The principal becomes ELIGIBLE for Owner,
// activates it when needed, and eligibility itself lapses after 90 days.
param nowTime string = utcNow()   // utcNow() is only valid as a param default
param principalId string          // object ID of the user being made eligible

resource ownerEligible 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: guid(subscription().id, principalId, 'Owner-eligible')
  properties: {
    principalId: principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
    requestType: 'AdminAssign'
    scheduleInfo: {
      startDateTime: nowTime
      expiration: {
        type: 'AfterDuration'
        duration: 'P90D'   // eligibility expires; standing access never accrues
      }
    }
  }
}

How StratoLens helps

StratoLens surfaces privileged assignments that have gone quiet long after the work ended, across every subscription and every principal, so a stale Owner can't sit as forgotten standing access in a subscription nobody opens. You don't have to remember to re-review each grant; the check runs continuously inside your own tenant.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.