RBAC Is Simple. Getting It Right Isn't.
Azure RBAC is straightforward in concept: assign a role to a principal at a scope. But in practice, most environments accumulate misconfigurations over time — each one expanding the blast radius of a compromised account.
Here are the five most common RBAC anti-patterns we see across hundreds of Azure tenants.
1. Subscription-Level Owner Assignments
The pattern: Assigning the Owner role at the subscription level "because it's easier."
Why it's dangerous: Owner grants full control over every resource in the subscription — including the ability to assign roles to others. A compromised Owner account can create backdoor access that survives a password reset.
The fix: Assign Owner only at the resource group level, and only when Contributor isn't sufficient. Use PIM for just-in-time activation with approval workflows.
2. Standing Privileged Access
The pattern: Permanent Global Admin, Exchange Admin, or Privileged Role Admin assignments.
Why it's dangerous: Standing access means a compromised account has privileged access 24/7, not just during the window when it's actually needed.
The fix: Move all privileged roles to PIM eligible assignments. Users activate when needed, with time limits (4-8 hours), justification requirements, and optional approval.
3. Service Principals with Contributor
The pattern: CI/CD pipelines, automation accounts, and monitoring tools running as Contributors because "they need to create resources."
Why it's dangerous: A compromised service principal with Contributor can create compute resources (for crypto mining), open up network rules, or exfiltrate data.
The fix: Create custom roles with the minimum actions required. A deployment pipeline that only creates App Services doesn't need permission to modify NSGs or Key Vaults.
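What such a minimum-actions role looks like, together with a small check that rejects the broad grants this section argues against. This is an added example, not code from the original post or from Unsave. The role document uses the JSON shape accepted by `az role definition create --role-definition @role.json`; the subscription id, resource group and role name are placeholders, and the list of "forbidden" provider namespaces is this example's choice for a deployment pipeline, not an Azure rule.

```python
"""Least-privilege custom role for an App Service deployment pipeline, plus a
linter that catches over-broad actions and over-broad assignable scopes.

Added example (not from the original post or the Unsave product). Ids are
placeholders; FORBIDDEN_NAMESPACES is an assumption about what a deployment
pipeline should never hold, not an Azure built-in list."""
import json

# Constructed role: deploy and configure App Services and their plans inside
# one resource group, and nothing else. No NSG, Key Vault, VM or
# role-assignment permissions are included.
APP_SERVICE_DEPLOYER = {
    "Name": "App Service Deployer (example)",
    "IsCustom": True,
    "Description": "Create and configure App Services in rg-web-prod only.",
    "Actions": [
        "Microsoft.Web/sites/*",
        "Microsoft.Web/serverfarms/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
        "/resourceGroups/rg-web-prod"
    ],
}

# Constructed Contributor-style role of the kind the text argues against:
# every action except role assignments, assignable at the whole subscription.
BROAD_PIPELINE_ROLE = {
    "Name": "Pipeline Contributor (example, too broad)",
    "IsCustom": True,
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
    ],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

# Provider namespaces a deployment pipeline has no business holding (assumed
# policy). Azure action strings are case-insensitive, so compare lowercased.
FORBIDDEN_NAMESPACES = (
    "microsoft.authorization/",  # role assignments, policy, elevateAccess
    "microsoft.network/",        # NSGs, firewalls, route tables
    "microsoft.keyvault/",       # secrets, keys, certificates
    "microsoft.compute/",        # VMs and scale sets
)


def lint_role(role: dict) -> list[str]:
    """Return human-readable findings; an empty list means the role passes."""
    findings = []
    for action in role.get("Actions", []) + role.get("DataActions", []):
        a = action.lower()
        if a.startswith("*"):
            findings.append(
                f"action {action!r} is a wildcard over every provider "
                "(Owner/Contributor in disguise)")
        elif a.startswith(FORBIDDEN_NAMESPACES):
            findings.append(
                f"action {action!r} touches a namespace a deployment "
                "pipeline should not hold")
    for scope in role.get("AssignableScopes", []):
        # A scope without a resourceGroups segment is a subscription or
        # management group: wider than the text recommends for pipelines.
        if "/resourcegroups/" not in scope.lower():
            findings.append(
                f"assignable scope {scope!r} is broader than a resource group")
    return findings


def to_cli_json(role: dict) -> str:
    """Serialise for `az role definition create --role-definition @role.json`."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    for role in (APP_SERVICE_DEPLOYER, BROAD_PIPELINE_ROLE):
        print(role["Name"], "->", lint_role(role) or "OK")
    print(to_cli_json(APP_SERVICE_DEPLOYER))
```

Running the linter over both definitions shows the point of the section: the App Service role passes, while the Contributor-style role is flagged twice (wildcard action, subscription-wide assignable scope) even though it excludes role-assignment writes. Run the linter in the pipeline that creates custom roles so a "temporary" broad role cannot slip through.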
4. Group-Based Access Without Reviews
The pattern: Adding users to Azure AD groups that grant RBAC roles, but never reviewing group membership.
Why it's dangerous: Groups grow. People change roles. Six months later, half the group members don't need the access anymore, but nobody removes them.
The fix: Enable access reviews for all security groups that grant Azure RBAC roles. Run them monthly or quarterly, with manager attestation.
5. No Emergency Access Accounts
The pattern: No break-glass accounts configured. The only Global Admins are individual user accounts with MFA.
Why it's dangerous: If the MFA service has an outage, or all Global Admins are unavailable, you're locked out of your own tenant.
The fix: Create two emergency access accounts (break-glass), excluded from Conditional Access policies, with long complex passwords stored in a physical safe. Monitor their sign-in activity with alerts.
How to Audit Your RBAC
You can manually review role assignments in the Azure Portal, but it's time-consuming — especially across multiple subscriptions. Unsave automates this:
- Maps every role assignment across all subscriptions
- Flags over-privileged principals (Owner, Contributor at broad scopes)
- Identifies standing privileged access that should use PIM
- Detects orphaned assignments for deleted principals
- Tracks changes over time to catch privilege escalation
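The first four checks in that list can also be scripted against the JSON that `az role assignment list --all --output json` emits. The script below is an added example, not code from the original post or from Unsave. The sample assignments are constructed; their field names (principalName, principalType, roleDefinitionName, scope) follow the CLI output. Treating an assignment whose principalName does not resolve as orphaned, and the set of roles counted as privileged, are this example's assumptions.

```python
"""Flag the RBAC anti-patterns from the post in a list of role assignments.

Added example (not from the original post or the Unsave product). Field names
match `az role assignment list --all --output json`; the sample data is
constructed, and the orphan heuristic (empty principalName) is an assumption."""
from collections import Counter

# Roles that deserve narrow scope, PIM and review (assumed set).
PRIVILEGED_ROLES = {"owner", "contributor", "user access administrator"}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder

# Constructed sample: a mix of healthy and problematic assignments.
ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "sg-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"principalName": "sp-cicd-web", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-web-prod"},
    {"principalName": "sp-cicd-web", "principalType": "ServicePrincipal",
     "roleDefinitionName": "App Service Deployer",
     "scope": SUB + "/resourceGroups/rg-web-prod"},
    {"principalName": "", "principalType": "Unknown",
     "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-old"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
]


def scope_kind(scope: str) -> str:
    """Classify an ARM scope string; management groups also contain
    '/providers/', so they are tested first."""
    s = scope.lower()
    if "/managementgroups/" in s:
        return "management-group"
    if "/resourcegroups/" in s:
        return "resource" if "/providers/" in s else "resource-group"
    return "subscription"


def audit(assignments: list[dict]) -> list[str]:
    """Return one 'CATEGORY: detail' line per finding."""
    findings = []
    for a in assignments:
        role = a["roleDefinitionName"].lower()
        kind = scope_kind(a["scope"])
        who = a["principalName"] or "<unresolved principal>"
        privileged = role in PRIVILEGED_ROLES
        # Anti-pattern 1: Owner/Contributor at subscription or MG scope.
        if privileged and kind in ("subscription", "management-group"):
            findings.append(
                f"BROAD_SCOPE: {who} has {a['roleDefinitionName']} at {kind} scope")
        # Anti-pattern 3: service principals running with broad built-ins.
        if a["principalType"] == "ServicePrincipal" and privileged:
            findings.append(
                f"SP_PRIVILEGED: {who} holds {a['roleDefinitionName']}; "
                "replace with a custom role")
        # Anti-pattern 4: group grants need an access review.
        if a["principalType"] == "Group" and privileged:
            findings.append(
                f"GROUP_REVIEW: {who} grants {a['roleDefinitionName']}; "
                "confirm an access review is enabled")
        # Orphaned assignment: the principal was deleted, the grant remains.
        if not a["principalName"]:
            findings.append(
                f"ORPHANED: {a['roleDefinitionName']} at {a['scope']} "
                "has no resolvable principal")
    return findings


def summarize(findings: list[str]) -> Counter:
    """Count findings by category prefix."""
    return Counter(f.split(":", 1)[0] for f in findings)


if __name__ == "__main__":
    import json
    import sys
    # Pipe real data in: az role assignment list --all -o json | python audit.py
    data = ASSIGNMENTS if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit(data)
    print(*results, sep="\n")
    print(dict(summarize(results)))
```

On the sample data the script reports five findings: two broad-scope grants (Owner on the subscription, Contributor on the management group), one service principal with Contributor, one group grant to check for reviews, and one orphaned Reader assignment. The service principal's second assignment, a resource-group-scoped custom role, is exactly the shape the post recommends and produces no finding. Run it per subscription, or once with `--all`, and diff the output between runs to get the change tracking from the last bullet.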
Audit your Azure RBAC in 60 seconds. Try Unsave free at unsave.io.