Subscription Owner as RBAC Suggestion -- Bad Practice for MS Learn?

Blake Deckard 1 Reputation point
2024-01-20T05:30:20.7233333+00:00

I was curious if this snippet was a poor security suggestion "To run LRS, you must have one of the following Azure role-based access control (RBAC) role: Subscription Owner, SQL Managed Instance Contributor, or a custom role with the permission Microsoft.Sql/managedInstances/databases/*." Subscription Owner has much more permissions than SQL MI Contributor to my understanding, so shouldn't that be the primary suggestion made for RBAC purposes? https://learn.microsoft.com/en-us/training/modules/migrate-sql-workloads-azure-managed-instances/3-use-log-replay

Azure Training
Azure Training
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.Training: Instruction to develop new skills.
650 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Mahesh Goud Juvvadi 90 Reputation points Microsoft Vendor
    2024-01-20T10:52:31.98+00:00

    Hi Blake Deckard,

    Thank you for reaching out to us on the Microsoft Q&A forum.

    Yes, Subscription Owner has much more permissions, but also the based as per the requirements the Azure role-based access control (RBAC) roles will be assigned.

    In certain situations, not everyone possesses owner access. In such cases, learners have the option to select alternative access privileges like (Contributor, or a custom role with the permissions)

    If the information is helpful, please accept the answer by clicking the "Accept Answer" on the post. If you are still facing any issue, please let us know in the comments. We are happy to help you.

    Thank you.


  2. Blake Deckard 1 Reputation point
    2024-01-28T14:45:17.88+00:00

    I ended up submitting a PR to the docs to have this updated as the role suggestion was overly permissive for what the docs were trying to achieve. This PR was accepted and is now merged and this question should no longer reply.