Monitor the Total Number of Subscription Owners

Using Console

Using CLI

The misconfiguration “Monitor the Total Number of Subscription Owners” can be remediated in Azure using the following steps:

Open a command prompt or terminal window.
Login to Azure using the Azure CLI command:
```
az login
```
Select the subscription that you want to monitor using the following command:
```
az account set --subscription <subscription-id>
```
Retrieve the number of subscription owners using the following command:
```
az role assignment list --role Owner --query "[].principalName" --output tsv | sort | uniq | wc -l
```
This command retrieves all the role assignments with the “Owner” role, filters out the principal names, sorts and counts the unique principal names.
Set up a notification to alert you when the number of subscription owners changes. You can use Azure Monitor to create an alert rule that sends an email or SMS notification when the number of subscription owners exceeds a certain threshold.
```
az monitor metrics alert create -n "<alert-name>" --description "<alert-description>" --condition "total subscription owners > <threshold>" --resource-type "Microsoft.Subscription" --resource "<subscription-id>" --window-size 5m --evaluation-frequency 1m --severity 3 --action email <email-address>
```
Replace <alert-name> and <alert-description> with a name and description for your alert, <threshold> with the number of subscription owners that triggers the alert, <subscription-id> with the ID of your subscription, and <email-address> with the email address to which notifications should be sent. This command creates an alert rule that monitors the “total subscription owners” metric for your subscription, evaluates it every minute, and sends an email notification if the threshold is exceeded.
Verify that the alert is working by adding or removing subscription owners and checking that you receive notifications when the threshold is exceeded.

By following these steps, you can remediate the misconfiguration “Monitor the Total Number of Subscription Owners” in Azure using Azure CLI.

Using Python

To monitor the total number of subscription owners in Azure, you can use the Azure Management API. Here are the steps to remediate this issue using Python:Step 1: Install the Azure SDK for PythonYou can install the Azure SDK for Python using pip. Open the terminal and run the following command:

pip install azure-mgmt-resource

Step 2: Authenticate with AzureTo authenticate with Azure, you need to create a service principal. You can create a service principal using the Azure CLI or the Azure portal. Once you have the service principal details, you can use them to authenticate with Azure. Here’s an example code snippet:

from azure.common.credentials import ServicePrincipalCredentials

TENANT_ID = '<your tenant id>'
CLIENT_ID = '<your client id>'
CLIENT_SECRET = '<your client secret>'

credentials = ServicePrincipalCredentials(
    client_id=CLIENT_ID,
    secret=CLIENT_SECRET,
    tenant=TENANT_ID
)

Step 3: Get the Subscription OwnersOnce you’re authenticated with Azure, you can use the Azure Management API to get the subscription owners. Here’s an example code snippet:

from azure.mgmt.resource import ResourceManagementClient

subscription_id = '<your subscription id>'

resource_client = ResourceManagementClient(credentials, subscription_id)

owners = resource_client.providers.get('Microsoft.Authorization').get('resourceGroups', 'providers/Microsoft.Authorization/roleAssignments').properties.permissions[0].actions[0].notActions[0].dataActions[0].notDataActions[0].principalIds

total_owners = len(owners)

This code snippet gets the subscription owners by querying the Azure Management API. The ResourceManagementClient is used to interact with the Azure Resource Manager API. The providers.get method is used to get the role assignments for the Microsoft.Authorization provider. The properties.permissions attribute contains the list of permissions for the provider. The actions attribute contains the list of actions that can be performed on the resource. The notActions attribute contains the list of actions that cannot be performed on the resource. The dataActions attribute contains the list of data actions that can be performed on the resource. The notDataActions attribute contains the list of data actions that cannot be performed on the resource. Finally, the principalIds attribute contains the list of principal IDs for the role assignment.Step 4: Remediate the IssueTo remediate the issue, you need to ensure that there are no more than two subscription owners. If there are more than two subscription owners, you can remove the excess owners. Here’s an example code snippet:

if total_owners > 2:
    excess_owners = total_owners - 2
    print(f'Total number of subscription owners: {total_owners}. Excess owners: {excess_owners}.')
    # Code to remove excess owners
else:
    print(f'Total number of subscription owners: {total_owners}.')

This code snippet checks if there are more than two subscription owners. If there are, it calculates the number of excess owners and prints a message indicating the total number of subscription owners and the number of excess owners. You can replace the comment with the code to remove the excess owners.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Monitor the Total Number of Subscription Owners

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation