More Info:

Ensure there are at least two subscription owners designated for your Microsoft Azure account subscription in order to provide administrator access redundancy.

Risk Level

Medium

Address

Security

Compliance Standards

NISTCSF

Remediation

Using Console

To remediate the misconfiguration “At least two subscription owners should exist” in Azure, you can follow the below steps:

  1. Log in to the Azure Portal using your credentials.
  2. Go to the “Subscriptions” option in the left-hand menu.
  3. Select the subscription that needs to be remediated.
  4. Click on “Access control (IAM)” in the left-hand menu.
  5. Click on “Add” and select “Add role assignment”.
  6. In the “Add role assignment” pane, select “Owner” as the role.
  7. In the “Select” box, search for the user or group that needs to be added as an owner.
  8. Click on “Save” to add the user or group as an owner.

Repeat steps 5-8 to add another owner to the subscription. Once you have added at least two owners, the misconfiguration will be remediated.

Using CLI

To remediate the misconfiguration “Atleast Two Subscription Owners Should Exist” for AZURE using AZURE CLI, follow the below steps:

Step 1: Open the Azure CLI and login to your Azure account using the command:

az login

Step 2: Once you are logged in, check the number of subscription owners using the command:

az role assignment list --role Owner --query "[].{Name:principalName}" --output tsv | sort | uniq | wc -l

Step 3: If the output is less than 2, create a new subscription owner using the command:

az ad sp create-for-rbac --name "NewOwnerName" --role owner --scopes /subscriptions/{subscription-id}

Replace “NewOwnerName” with the name you want to give to the new subscription owner and ”” with your Azure subscription ID.

Step 4: Assign the newly created subscription owner to the subscription using the command:

az role assignment create --assignee "NewOwnerName" --role Owner --subscription "{subscription-id}"

Replace “NewOwnerName” with the name of the new subscription owner and ”” with your Azure subscription ID.

Step 5: Verify the number of subscription owners again using the command:

az role assignment list --role Owner --query "[].{Name:principalName}" --output tsv | sort | uniq | wc -l

Step 6: If the output is 2 or more, the misconfiguration has been remediated successfully.

Note: Repeat the above steps for each Azure subscription that you have.

Using Python

To remediate the misconfiguration “At least two subscription owners should exist” in Azure using Python, you can use the Azure SDK for Python. Here are the steps to remediate the misconfiguration:

  1. Import the necessary modules:
from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient
  1. Authenticate using the Azure SDK for Python:
credential = DefaultAzureCredential()
authorization_client = AuthorizationManagementClient(credential, subscription_id)

Note: Replace subscription_id with the ID of the Azure subscription you want to remediate.

  1. Check the number of subscription owners:
subscription_id = 'your-subscription-id'
owners = authorization_client.role_assignments.list_for_scope(subscription_id, filter='roleDefinitionId eq acdd72a7-3385-48ef-bd42-f606fba81ae7')
num_owners = len(list(owners))

Note: The acdd72a7-3385-48ef-bd42-f606fba81ae7 role definition ID is for the Owner role.

  1. If the number of owners is less than 2, add another owner:
if num_owners < 2:
    owner_principal_id = 'your-owner-principal-id'
    owner_role_definition_id = '/subscriptions/your-subscription-id/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7' # Owner role definition ID
    authorization_client.role_assignments.create(scope=subscription_id, role_assignment_name='owner', role_definition_id=owner_role_definition_id, principal_id=owner_principal_id)

Note: Replace your-owner-principal-id with the principal ID of the user or service principal you want to add as an owner.

  1. Verify that there are now at least two subscription owners:
owners = authorization_client.role_assignments.list_for_scope(subscription_id, filter='roleDefinitionId eq acdd72a7-3385-48ef-bd42-f606fba81ae7')
num_owners = len(list(owners))
if num_owners >= 2:
    print('There are now at least two subscription owners.')
else:
    print('There are still less than two subscription owners.')

Note: This step is optional, but it can be helpful to verify that the misconfiguration has been remediated successfully.

By following these steps, you can remediate the misconfiguration “At least two subscription owners should exist” in Azure using Python.