Ensure That No Custom Subscription Administrator Roles Exist
Why This Matters
Custom subscription administrator roles with broad permissions can obscure the actual privileges granted to users and introduce significant blind spots in privileged identity management. Without regular audits, these roles accumulate unnecessary access that violates the principle of least privilege and increases the risk of privilege escalation or misuse by compromised accounts.
What Aether365 Checks
Aether365 verifies that no custom role definitions exist with a subscription-level assignableScope (such as / or the full subscription ID) and an action set to *, which grants full administrative access. This check appears in your Aether365 dashboard under the azure-subscription-security checks category.
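The criteria above can be evaluated offline against exported role definitions. The following is an added example, not Aether365's own code: the function names and sample roles are constructed for illustration, and it assumes the flat JSON shape (roleName, roleType, assignableScopes, permissions) that `az role definition list --custom-role-only true` returns.

```python
import re

# Matches "/" or "/subscriptions/<id>", but not resource-group or resource scopes.
_SUB_SCOPE = re.compile(r"^/(subscriptions/[^/]+/?)?$", re.IGNORECASE)


def is_subscription_scope(scope):
    """True when an assignable scope is the root or a whole subscription."""
    return bool(_SUB_SCOPE.match(scope.strip()))


def find_custom_admin_roles(role_definitions):
    """Return names of custom roles that allow action "*" at subscription scope."""
    findings = []
    for role in role_definitions:
        if role.get("roleType") != "CustomRole":
            continue  # built-in roles such as Owner are not what this check targets
        scopes = role.get("assignableScopes") or []
        if not any(is_subscription_scope(s) for s in scopes):
            continue
        # A role is flagged even if notActions trims the wildcard: the criteria
        # described above look only at the "*" action and the scope.
        for perm in role.get("permissions") or []:
            if "*" in (perm.get("actions") or []):
                findings.append(role.get("roleName", "<unnamed>"))
                break
    return findings


# Constructed sample data (not real tenant output); the subscription ID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ROLES = [
    {"roleName": "Custom Sub Admin", "roleType": "CustomRole",
     "assignableScopes": [SUB],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "VM Operator", "roleType": "CustomRole",
     "assignableScopes": [SUB],
     "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/start/action"]}]},
    {"roleName": "RG Full Access", "roleType": "CustomRole",
     "assignableScopes": [SUB + "/resourceGroups/rg-app"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Owner", "roleType": "BuiltInRole",
     "assignableScopes": ["/"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
]

if __name__ == "__main__":
    for name in find_custom_admin_roles(SAMPLE_ROLES):
        print("FAIL: custom subscription administrator role:", name)
```

Only "Custom Sub Admin" is reported: the wildcard role limited to a resource group and the built-in Owner role fall outside the criteria.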