Triage and Remediation
Remediation
Using Console
To remediate the “Custom Owner Roles In Use” misconfiguration in Azure using the Azure console, follow these steps:
1. Log in to the Azure portal at https://portal.azure.com/.
2. In the left-hand menu, click on “Azure Active Directory”.
3. Click on “Roles and administrators”.
4. In the “Roles and administrators” page, click on “Custom roles”.
5. Review the custom roles that are currently in use.
6. Identify any custom roles that are assigned to users or groups that have owner-level permissions.
7. Determine if the custom role is necessary for the user or group to perform their job duties.
8. If the custom role is not necessary, remove the role assignment.
9. If the custom role is necessary, modify the permissions of the role to reduce the level of access granted.
10. Repeat steps 6-9 for each custom role that is assigned to users or groups with owner-level permissions.
Using CLI
To remediate the “Custom Owner Roles In Use” misconfiguration in Azure using Azure CLI, follow the steps below:
1. Open the Azure CLI command prompt or terminal.
2. Run the following command to list all the custom owner roles in use:
   This command lists all the custom owner roles in use in your Azure subscription.
3. Review the output of the above command and identify the custom owner roles that are not required or are no longer in use.
4. Run the following command to delete the custom owner role:
   Replace <object-id> with the object ID of the user or group to whom the custom owner role is assigned, and <role-name> with the name of the custom owner role.
5. Repeat step 4 for all the custom owner roles that are not required or are no longer in use.
6. Run the following command to verify that the custom owner roles have been deleted:
   This command should not list any custom owner roles.
Using Python
To remediate the misconfiguration “Custom Owner Roles In Use” in Azure using Python, you can follow the below steps:
- Step 1: Connect to Azure using the Python SDK
- Step 2: Get the list of resource groups
- Step 3: For each resource group, check if custom owner roles are assigned
- Step 4: Remove the custom owner role assignments
Note: Before running the script, make sure to authenticate with Azure using the appropriate credentials and provide the necessary permissions to the service principal or user account. Also, test the script in a non-production environment before running it in a production environment.
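The following script is an added example and is not the script from the original page. It carries out the four Python steps above (connect, list resource groups, check each group for assignments of custom owner-level roles, remove them) and performs the same identification the CLI section describes. It assumes the `azure-identity`, `azure-mgmt-resource` and `azure-mgmt-authorization` packages are installed and that the running identity can read and delete role assignments; those SDK imports are deferred into `remediate()` so the pure checks can be exercised offline on the constructed sample data at the bottom. "Owner-level" is decided by a stated heuristic: the custom role grants the wildcard action `*` and does not carve out `Microsoft.Authorization` in its NotActions the way the built-in Contributor role does.

```python
# Added example, not the script from the original page. Finds Azure RBAC custom
# roles that are owner-equivalent, the assignments that use them, and removes
# those assignments. Assumes azure-identity, azure-mgmt-resource and
# azure-mgmt-authorization are installed and the caller may read/delete role
# assignments; the SDK imports are deferred so the checks below run offline.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class CustomRole:
    role_id: str                 # full ARM id of the role definition
    role_name: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)


def is_owner_equivalent(role: CustomRole) -> bool:
    """Heuristic for 'owner-level': the role grants the wildcard action '*' and
    does not exclude Microsoft.Authorization in NotActions (built-in Contributor
    does), so a holder could also rewrite role assignments."""
    grants_everything = any(a.strip() == "*" for a in role.actions)
    blocks_rbac_writes = any(
        na.lower().startswith("microsoft.authorization/") for na in role.not_actions
    )
    return grants_everything and not blocks_rbac_writes


def find_owner_assignments(roles: Iterable[CustomRole],
                           assignments: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return assignments (dicts: assignment_name, role_definition_id, principal_id,
    scope) that reference an owner-equivalent custom role. ARM ids are compared
    case-insensitively; an assignment inherited by several resource groups is
    reported once."""
    risky = {r.role_id.lower() for r in roles if is_owner_equivalent(r)}
    seen, flagged = set(), []
    for a in assignments:
        if a["role_definition_id"].lower() in risky and a["assignment_name"] not in seen:
            seen.add(a["assignment_name"])
            flagged.append(a)
    return flagged


def remediate(subscription_id: str, dry_run: bool = True) -> List[Dict[str, str]]:
    """Run the four steps against a live subscription. With dry_run=True it only
    reports what would be removed; the custom role definition itself is kept."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.authorization import AuthorizationManagementClient
    from azure.mgmt.resource import ResourceManagementClient

    cred = DefaultAzureCredential()                                  # step 1
    auth = AuthorizationManagementClient(cred, subscription_id)
    res = ResourceManagementClient(cred, subscription_id)
    scope = f"/subscriptions/{subscription_id}"
    roles = [
        CustomRole(d.id, d.role_name,
                   [x for p in (d.permissions or []) for x in (p.actions or [])],
                   [x for p in (d.permissions or []) for x in (p.not_actions or [])])
        for d in auth.role_definitions.list(scope, filter="type eq 'CustomRole'")
    ]
    assignments = []
    for rg in res.resource_groups.list():                            # step 2
        for a in auth.role_assignments.list_for_resource_group(rg.name):  # step 3
            assignments.append({"assignment_name": a.name,
                                "role_definition_id": a.role_definition_id,
                                "principal_id": a.principal_id, "scope": a.scope})
    flagged = find_owner_assignments(roles, assignments)
    if not dry_run:
        for a in flagged:                                            # step 4
            auth.role_assignments.delete(a["scope"], a["assignment_name"])
    return flagged


# Constructed sample data (placeholder subscription and role GUIDs) for offline use.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"


def _role_id(guid: str) -> str:
    return f"{_SUB}/providers/Microsoft.Authorization/roleDefinitions/{guid}"


SAMPLE_ROLES = [
    CustomRole(_role_id("11111111-1111-1111-1111-111111111111"), "Custom Owner", ["*"]),
    CustomRole(_role_id("22222222-2222-2222-2222-222222222222"), "Custom Contributor", ["*"],
               ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]),
    CustomRole(_role_id("33333333-3333-3333-3333-333333333333"), "RG Reader Plus",
               ["Microsoft.Resources/subscriptions/resourceGroups/read"]),
]
SAMPLE_ASSIGNMENTS = [
    {"assignment_name": "assign-owner", "role_definition_id": SAMPLE_ROLES[0].role_id.upper(),
     "principal_id": "user-1", "scope": _SUB},                      # inherited by every RG
    {"assignment_name": "assign-owner", "role_definition_id": SAMPLE_ROLES[0].role_id,
     "principal_id": "user-1", "scope": _SUB},                      # seen again via a 2nd RG
    {"assignment_name": "assign-contrib", "role_definition_id": SAMPLE_ROLES[1].role_id,
     "principal_id": "group-1", "scope": f"{_SUB}/resourceGroups/rg-prod"},
    {"assignment_name": "assign-reader", "role_definition_id": SAMPLE_ROLES[2].role_id,
     "principal_id": "sp-1", "scope": f"{_SUB}/resourceGroups/rg-prod"},
]

if __name__ == "__main__":
    for a in find_owner_assignments(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS):
        print(f"owner-level custom role assigned to {a['principal_id']} at {a['scope']}")
```

Run it once with the default `dry_run=True` and review the returned list before calling `remediate(subscription_id, dry_run=False)`; deleting an assignment is recorded in the subscription's Activity Log, which is where you would confirm the change and spot any later re-grant. Because assignments at subscription scope are inherited by every resource group, the example keys de-duplication on the assignment name and deletes at the assignment's own scope rather than the resource group that surfaced it.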