Azure audit iam check subscription has one owner remediation

Using Console

Using CLI

To remediate the misconfiguration “Atleast Two Subscription Owners Should Exist” for AZURE using AZURE CLI, follow the below steps:Step 1: Open the Azure CLI and login to your Azure account using the command:

az login

Step 2: Once you are logged in, check the number of subscription owners using the command:

az role assignment list --role Owner --query "[].{Name:principalName}" --output tsv | sort | uniq | wc -l

Step 3: If the output is less than 2, create a new subscription owner using the command:

az ad sp create-for-rbac --name "NewOwnerName" --role owner --scopes /subscriptions/{subscription-id}

Replace “NewOwnerName” with the name you want to give to the new subscription owner and "" with your Azure subscription ID.Step 4: Assign the newly created subscription owner to the subscription using the command:

az role assignment create --assignee "NewOwnerName" --role Owner --subscription "{subscription-id}"

Replace “NewOwnerName” with the name of the new subscription owner and "" with your Azure subscription ID.Step 5: Verify the number of subscription owners again using the command:

az role assignment list --role Owner --query "[].{Name:principalName}" --output tsv | sort | uniq | wc -l

Step 6: If the output is 2 or more, the misconfiguration has been remediated successfully.Note: Repeat the above steps for each Azure subscription that you have.

Using Python

To remediate the misconfiguration “At least two subscription owners should exist” in Azure using Python, you can use the Azure SDK for Python. Here are the steps to remediate the misconfiguration:

Import the necessary modules:

from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

Authenticate using the Azure SDK for Python:

credential = DefaultAzureCredential()
authorization_client = AuthorizationManagementClient(credential, subscription_id)

Note: Replace subscription_id with the ID of the Azure subscription you want to remediate.

Check the number of subscription owners:

subscription_id = 'your-subscription-id'
owners = authorization_client.role_assignments.list_for_scope(subscription_id, filter='roleDefinitionId eq acdd72a7-3385-48ef-bd42-f606fba81ae7')
num_owners = len(list(owners))

Note: The acdd72a7-3385-48ef-bd42-f606fba81ae7 role definition ID is for the Owner role.

If the number of owners is less than 2, add another owner:

if num_owners < 2:
    owner_principal_id = 'your-owner-principal-id'
    owner_role_definition_id = '/subscriptions/your-subscription-id/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7' # Owner role definition ID
    authorization_client.role_assignments.create(scope=subscription_id, role_assignment_name='owner', role_definition_id=owner_role_definition_id, principal_id=owner_principal_id)

Note: Replace your-owner-principal-id with the principal ID of the user or service principal you want to add as an owner.

Verify that there are now at least two subscription owners:

owners = authorization_client.role_assignments.list_for_scope(subscription_id, filter='roleDefinitionId eq acdd72a7-3385-48ef-bd42-f606fba81ae7')
num_owners = len(list(owners))
if num_owners >= 2:
    print('There are now at least two subscription owners.')
else:
    print('There are still less than two subscription owners.')

Note: This step is optional, but it can be helpful to verify that the misconfiguration has been remediated successfully.By following these steps, you can remediate the misconfiguration “At least two subscription owners should exist” in Azure using Python.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Azure audit iam check subscription has one owner remediation

Triage and Remediation

Remediation