Governance | Security | Severity: Medium | Frequency: Common | AZF-0052

A privileged role assignment nobody has used, still standing

A principal holds a privileged role but has performed no operations in its scope. It is standing access with nothing on the other side of the ledger.

Footgun ID: AZF-0052 (Azure Footgun No. 52)
Azure service: Azure RBAC
Resource type: Microsoft.Authorization/roleAssignments
Updated: July 1, 2026

What it is

A privileged role assignment that the principal simply never exercises. The role, often Owner, Contributor, or User Access Administrator, is granted at a scope where the user or service principal performs no operations at all. It is live, standing access that does nothing except widen the set of identities that could act on the subscription if compromised.

Impact (governance)

A critical or management role granted to a principal with zero activity in that scope.
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Unused assignments accumulate because RBAC grants have no natural expiry. Access is handed out for a project, a migration, a break-glass scenario, or "just in case," and once the reason passes the assignment stays. Removing an assignment nobody is using feels risky, since you can't be certain it isn't load-bearing for some rare path, so the safe-looking choice is always to leave it.

Azure never tells you an assignment has gone unused. There's no last-used indicator on a role assignment and no prompt when a grant has sat idle since the day it was created. From the assignment alone, a principal that has done nothing looks the same as one doing critical daily work, so dormant privileged access is invisible until someone deliberately goes looking.
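"Deliberately going looking" is a join between two things Azure does expose separately: the list of role assignments and the activity log of who did what, where. The script below is an added example for this page, not the page's own code and not part of StratoLens. It assumes record shapes like those returned by `az role assignment list --all` (principalId, roleDefinitionId, scope) and `az monitor activity-log list` (caller, resourceId, eventTimestamp); every record in it is constructed sample data, not output from a real tenant. It goes a little beyond the page's single case by handling scope inheritance (activity on a child resource counts as use of a parent-scope grant, activity in a sibling resource group does not) and by matching a principal's object ID or UPN, since the activity log's caller field records either depending on principal type.

```python
"""Offline check for dormant privileged Azure RBAC assignments.

Added example for the Azure Footguns page; not the page's or StratoLens's code.
Record shapes mirror `az role assignment list --all` and
`az monitor activity-log list`, but all records here are CONSTRUCTED sample data.
"""
from datetime import datetime, timedelta, timezone

# Built-in role GUIDs treated as privileged. Owner's ID is the one the page uses;
# Contributor and User Access Administrator are the well-known built-in IDs.
PRIVILEGED_ROLE_IDS = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}


def role_guid(role_definition_id: str) -> str:
    """Last segment of a roleDefinitionId resource ID ('.../roleDefinitions/<guid>')."""
    return role_definition_id.rstrip("/").rsplit("/", 1)[-1].lower()


def in_scope(resource_id: str, scope: str) -> bool:
    """True when resource_id sits at or below the assignment scope.

    RBAC inherits downward: a write in a resource group is use of a
    subscription-level grant, but not of a grant scoped to a sibling group.
    """
    r = resource_id.lower().rstrip("/")
    s = scope.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def find_dormant_privileged(assignments, events, identities, now, lookback_days=90):
    """Privileged assignments with no activity-log entry by the principal,
    inside the assignment's scope, within the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    dormant = []
    for a in assignments:
        guid = role_guid(a["roleDefinitionId"])
        if guid not in PRIVILEGED_ROLE_IDS:
            continue  # not a role this check cares about
        # "caller" is a UPN for users and an ID for service principals, so
        # accept any identifier recorded for this principal plus its object ID.
        callers = {c.lower() for c in identities.get(a["principalId"], [])}
        callers.add(a["principalId"].lower())
        used = any(
            e["caller"].lower() in callers
            and in_scope(e["resourceId"], a["scope"])
            and datetime.fromisoformat(e["eventTimestamp"]) >= cutoff
            for e in events
        )
        if not used:
            dormant.append({"principalId": a["principalId"],
                            "role": PRIVILEGED_ROLE_IDS[guid],
                            "scope": a["scope"]})
    return dormant


# ---- constructed sample data (hypothetical subscription and principals) ----
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
NOW = datetime(2026, 7, 1, tzinfo=timezone.utc)


def _ts(days_ago):
    return (NOW - timedelta(days=days_ago)).isoformat()


SAMPLE_ASSIGNMENTS = [
    # alice: Owner on the subscription, no activity at all -> dormant
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionId": ROLE_DEFS + "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "scope": SUB},
    # deploy service principal: Contributor, wrote to a child resource -> in use
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionId": ROLE_DEFS + "b24988ac-6180-42a0-ab88-20f7382dd24c", "scope": SUB},
    # bob: UAA on rg-legacy, last activity 200 days ago -> dormant at 90 days
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionId": ROLE_DEFS + "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
     "scope": SUB + "/resourceGroups/rg-legacy"},
    # carol: Reader, not privileged -> ignored
    {"principalId": "44444444-4444-4444-4444-444444444444",
     "roleDefinitionId": ROLE_DEFS + "acdd72a7-3385-48ef-bd42-f606fba81ae7", "scope": SUB},
    # dave: Owner on rg-app, only active in rg-other -> dormant in its scope
    {"principalId": "55555555-5555-5555-5555-555555555555",
     "roleDefinitionId": ROLE_DEFS + "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
     "scope": SUB + "/resourceGroups/rg-app"},
]

SAMPLE_EVENTS = [
    {"caller": "22222222-2222-2222-2222-222222222222", "eventTimestamp": _ts(5),
     "resourceId": SUB + "/resourceGroups/rg-app/providers/Microsoft.Web/sites/web1"},
    {"caller": "bob@contoso.example", "eventTimestamp": _ts(200),
     "resourceId": SUB + "/resourceGroups/rg-legacy/providers/Microsoft.Storage/storageAccounts/st1"},
    {"caller": "dave@contoso.example", "eventTimestamp": _ts(2),
     "resourceId": SUB + "/resourceGroups/rg-other/providers/Microsoft.Compute/virtualMachines/vm1"},
]

# principalId -> identifiers the activity log may record for that principal
SAMPLE_IDENTITIES = {
    "33333333-3333-3333-3333-333333333333": ["bob@contoso.example"],
    "55555555-5555-5555-5555-555555555555": ["dave@contoso.example"],
}


def run_check(lookback_days=90):
    return find_dormant_privileged(SAMPLE_ASSIGNMENTS, SAMPLE_EVENTS,
                                   SAMPLE_IDENTITIES, NOW, lookback_days)


if __name__ == "__main__":
    for d in run_check():
        print(f"dormant {d['role']} for {d['principalId']} at {d['scope']}")
```

Two caveats matter when running this against real data. The activity log only records control-plane writes, deletes and actions, and keeps them for 90 days, so a principal that only reads resources or only uses data-plane APIs will show no activity here; treat a "dormant" result as a candidate for review, with the PIM eligibility fix under "See it" as the end state, not as proof the grant is unused. And because the activity log's caller field is a UPN for users but an ID for service principals, the principal-to-identifier map has to be built from the directory, not assumed.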

What it costs / blast radius

This is a blast-radius problem, not a bill. Every standing privileged assignment is another identity an attacker can aim at, and the ones nobody uses are the worst kind: they carry real permissions but no one is watching them, because no legitimate activity would ever draw attention to the account. (Azure behavior; authored assessment.) Unused Owner or User Access Administrator grants are persistent, unmonitored footholds that add risk while contributing nothing.

See it

Footgun: a standing Owner assignment with no activity behind it
targetScope = 'subscription'

@description('Object ID of the user receiving the role')
param principalId string

// Built-in Owner role definition ID
var ownerRoleId = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'

resource standingOwner 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, ownerRoleId)
  properties: {
    // Permanent grant. Never expires, never gets re-justified,
    // and this principal has performed no operations in scope.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ownerRoleId) // Owner
    principalId: principalId
    principalType: 'User'
  }
}
Fix: remove the standing grant; make it eligible (PIM) so it exists only when needed
targetScope = 'subscription'

@description('Object ID of the user who may activate the role')
param principalId string

// Built-in Owner role definition ID
var ownerRoleId = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'

// Drop the permanent assignment and make the role eligible instead,
// so the privilege is activated on request and the activation expires on its own.
resource eligibleOwner 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: guid(subscription().id, principalId, ownerRoleId, 'eligible')
  properties: {
    principalId: principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ownerRoleId) // Owner, eligible not active
    requestType: 'AdminAssign'
  }
}

How StratoLens helps

StratoLens flags privileged role assignments that sit unused in their scope so dormant standing access stops hiding behind the accounts that never touch it. The check runs automatically and continuously across every subscription in your own tenant, turning "is anyone actually using this grant?" into an answer instead of a guess.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.