I've been attending to the issues mentioned by Advisor in my Azure subscription. One of those issues is "There should be more than one owner assigned to your subscription". However, I am noticing some oddities when trying to fix this.
I created a new user account in Azure Active Directory (AAD). I then followed the steps found in https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator. I'll spell out those steps below.
- Sign in to the Azure portal as the subscription owner and open Subscriptions.
- Click the subscription where you want to grant access.
- Click Access control (IAM).
- Click the Role assignments tab to view all the role assignments for this subscription.
This is where things start to get strange. There were no users assigned to any roles in this page. I then clicked the Roles tab. There is an Owner role amongst quite a few other roles. When I opened that role I confirmed that it indeed contained no users.
This is confusing because I created the subscription and I would expect that I would be the owner. In addition, the Roles listed in this page bear no resemblance to the Roles listed in the "Azure Active Directory/Roles and administrators" blade.
I pressed on and added my own account and the new account to the Owner role using the remaining steps mentioned in the URL above. However, when I checked Advisor again, it is still saying "There should be more than one owner...". I even signed out completely and back in again without any change to the message. I also signed into Azure with the new account and can see that it is an Owner in the subscription.
So, my questions are:
- Why was I not automatically added to the Owner role if I was the one that created the subscription?
- Why are the roles in AAD and the roles in my subscription completely different from each other?
- The two user accounts are clearly in the correct roles. Why does Advisor still tell me that I'm vulnerable in that area?
Thanks