Why can an Azure application read role definitions without permissions

Question

Microsoft states that Microsoft.Authorization/roleDefinitions/read permission is needed to read RBAC role definition.

It is mentioned here https://learn.microsoft.com/en-us/rest/api/authorization/role-definitions/list?tabs=HTTP

However I have Azure application which has assigned empty role (having 0 permissions) and still can read role definitions.

How is that possible?

This is the empty role which the Azure app is assigned in subscription S1:

  {
    "assignableScopes": [
      "/subscriptions/<S1 ID>"
    ],
    "description": "No Permissions role",
    "id": "/subscriptions/<S1 ID>/providers/Microsoft.Authorization/roleDefinitions/<role ID>",
    "name": "<role ID>",
    "permissions": [
      {
        "actions": [],
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "No Permissions Role",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }

The app is not assigned any other roles in the subscription S1 (nor in any other subscription).

"Check Access" for the app in S1 confirms that:

When logged in with this app into Azure CLI it lists role definitions just fine, e.g. Contributor:

C:\>az login --service-principal -u <app ID> -p <client secret> --tenant <tenant ID>

C:\>az role definition list --name "Contributor"
This command or command group has been migrated to Microsoft Graph API. Please carefully review all breaking changes introduced during this migration: https://docs.microsoft.com/cli/azure/microsoft-graph-migration
[
  {
    "assignableScopes": [
      "/"
    ],
    "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
    ...
    "permissions": [
      {
        "actions": [
          "*"
        ],
        ...
      }
    ],
    "roleName": "Contributor",
    ...
  }
]

Azure CLI is authenticated using az login --service-principal -u <app ID> -p <client secret> --tenant <tenant ID>

Answer 1

This could be done if the application was given permission to read role definitions at a higher level of the hierarchy, such as the management group or tenant level.

In few scenarios, Azure subscriptions provide a default role "Reader", which grants read access to most of the Azure resources. And this role includes the Microsoft.Authorization/roleDefinitions/read permission.

Run the below command in Azure CLI to check the application's subscription-level access.

az role assignment list --assignee <ApplicationID> --scope "/subscriptions/subscriptionID/resourceGroups/Resourcegroup" --role "Reader"

Note: Instead of the subscription scope, give the management scope to retrieve the role assignments at the management level.

Alternatively,

• You can check the activity logs during some time period by filtering with the authorization action as follows.
• The below command is used to view the activity logs for role assignments and displays any changes that were made by anyone in the last three days.

 Get-AzActivityLog -ResourceGroupName <resourcegroup> -StartTime (Get-Date).AddDays(-3) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/roleDefinitions/read'}

If still the issue persists, try reaching out to your admin and restrict the access.