Defender for Cloud CIEM Over-Provisioned Identity Recommendation Not Consistent Across Management Group Inherited Roles
We have enabled Defender CSPM with Permissions Management on 120 Azure subscriptions across our enterprise environment. We're trying to use the over-provisioned identity recommendations to achieve least privilege access, but we're seeing inconsistent behavior that makes it difficult to trust and act on the recommendations.
Our Environment:
We have 120 subscriptions under our management group hierarchy. Some roles are assigned at the management group level and inherit to all subscriptions, while other roles are assigned directly at the subscription level. For example, a specific user has the same role assignments at both the management group level and on two specific subscriptions.
The Problem:
When reviewing the over-provisioned identity recommendations in Defender for Cloud, we only see the recommendation flagged on the two subscriptions where the role is explicitly assigned at the subscription level. However, we don't see the recommendation for the same user on the other 118 subscriptions where the role is inherited from the management group level. This creates several issues:
First, we can't see the full permission picture across all seventy subscriptions to make informed decisions about least privilege.
Second, if the recommendation is only detecting subscription-level assignments and not inherited ones, then the recommendation engine isn't giving us a complete view of over-provisioning.
Third, if we remove the subscription-level role assignment, the user still has the same permissions from the inherited management group role, so we haven't actually remediated the over-provisioning.
My Questions:
How does Defender for Cloud's CIEM recommendation engine handle inherited roles from management groups versus directly assigned subscription-level roles? Does it evaluate both, or only direct assignments?
Should inherited management group roles be included in the over-provisioned identity recommendation calculation?
If we need to remediate over-provisioned identities across multiple subscriptions with inherited roles, should we be restructuring roles at the management group level rather than at the subscription level?
Is there a way to see all over-provisioned permissions for a single identity across all subscriptions in the management group, not just where direct assignments exist?
Any guidance on how to properly use CIEM recommendations in a multi-subscription environment with management group role inheritance would be helpful.
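The question turns on Azure RBAC scope inheritance: a role assigned at a management group applies to every subscription beneath it, so removing a duplicate subscription-level assignment changes nothing about the identity's effective access. The following is an added example, not the poster's code and not Defender for Cloud's CIEM engine; it models that inheritance with a constructed management group hierarchy, the constructed principal `alice@example.com`, and the hypothetical helpers `effective_assignments`, `subscriptions_with_role`, `redundant_direct_assignments` and `remove_direct`, so that the full permission picture for one identity across all subscriptions can be built, with the scope that grants each permission shown.

```python
"""Model of Azure RBAC scope inheritance (constructed example, not Defender for
Cloud's recommendation engine). Resolves which role assignments a principal
effectively holds on each subscription, including assignments inherited from
ancestor management groups, and flags subscription-level assignments that a
management group assignment already covers."""
from dataclasses import dataclass

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str  # management group scope or /subscriptions/<id>


# Constructed hierarchy: root MG -> two child MGs -> three subscriptions.
# In a real tenant this map would be built from the management group tree.
PARENT = {
    MG_PREFIX + "mg-landing-zones": MG_PREFIX + "mg-root",
    MG_PREFIX + "mg-sandbox": MG_PREFIX + "mg-root",
    "/subscriptions/sub-001": MG_PREFIX + "mg-landing-zones",
    "/subscriptions/sub-002": MG_PREFIX + "mg-landing-zones",
    "/subscriptions/sub-003": MG_PREFIX + "mg-sandbox",
}

SUBSCRIPTIONS = [s for s in PARENT if s.startswith("/subscriptions/")]


def ancestors(scope):
    """Yield the scope itself, then each parent up to the root management group."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)


def effective_assignments(assignments, principal, subscription):
    """Every assignment that applies to `principal` on `subscription`, whether
    assigned directly or inherited; each result keeps its originating scope."""
    chain = set(ancestors(subscription))
    return [a for a in assignments if a.principal == principal and a.scope in chain]


def subscriptions_with_role(assignments, principal, role):
    """Map each subscription where `principal` holds `role` to the scopes granting it.
    A subscription reached only through inheritance lists just the ancestor scope."""
    result = {}
    for sub in SUBSCRIPTIONS:
        sources = [a.scope for a in effective_assignments(assignments, principal, sub)
                   if a.role == role]
        if sources:
            result[sub] = sources
    return result


def redundant_direct_assignments(assignments):
    """Assignments that an identical (principal, role) assignment on an ancestor
    scope already covers. Removing only these does not reduce effective access."""
    redundant = []
    for a in assignments:
        parents = set(ancestors(a.scope)) - {a.scope}
        if any(b.principal == a.principal and b.role == a.role and b.scope in parents
               for b in assignments):
            redundant.append(a)
    return redundant


def remove_direct(assignments, principal, role, scope):
    """Remove the assignment at exactly `scope`; inherited assignments are untouched."""
    return [a for a in assignments
            if not (a.principal == principal and a.role == role and a.scope == scope)]


# Constructed assignments mirroring the question: the same role at the root
# management group and directly on two subscriptions.
ASSIGNMENTS = [
    RoleAssignment("alice@example.com", "Contributor", MG_PREFIX + "mg-root"),
    RoleAssignment("alice@example.com", "Contributor", "/subscriptions/sub-001"),
    RoleAssignment("alice@example.com", "Contributor", "/subscriptions/sub-002"),
]

if __name__ == "__main__":
    for sub, sources in subscriptions_with_role(ASSIGNMENTS, "alice@example.com", "Contributor").items():
        print(sub, "<-", ", ".join(sources))
    print("redundant direct assignments:",
          [a.scope for a in redundant_direct_assignments(ASSIGNMENTS)])
    trimmed = remove_direct(ASSIGNMENTS, "alice@example.com", "Contributor", "/subscriptions/sub-001")
    print("sub-001 after removing the direct assignment:",
          subscriptions_with_role(trimmed, "alice@example.com", "Contributor")["/subscriptions/sub-001"])
```

Run as a script, the model shows the identity holding Contributor on all three subscriptions, two of them through both a direct and an inherited path, and shows that deleting the direct assignment on `sub-001` leaves the management group path intact. The same walk can be fed with real data instead of the constructed list: `az role assignment list` with `--include-inherited` (and `--all` for every scope in the subscription) returns the ancestor-scope assignments along with the direct ones, so the origin of each permission is visible before any remediation is attempted.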