cyberark / SkyArk

SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS
MIT License
863 stars 159 forks

Permissions inherited from Management Groups not shown #10

Open rich-davies opened 4 years ago

rich-davies commented 4 years ago

Most of our Azure permissions management is done through group membership and applied at Management Group level. This tool only seems to report on RBAC that is granted specifically at the subscription level rather than being inherited from Management Groups. Would it be possible to enhance it so that inherited permissions are covered too?

Hechtov commented 4 years ago

Hi @rich-davies,

Thanks for sharing this issue. Yes, the AzureStealth scan checks the RBAC permissions of each Azure subscription and currently doesn't check inherited permissions from the Management Group level. Nowadays, I can assume many organizations don't use Management Group permission assignments, but we will also want to help the ones who do use them, and it might get more popular in the future. We will add this as a feature request for future versions of SkyArk.

Thanks,
Asaf
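
The gap discussed in this thread, as an added example that is not part of the thread and is not SkyArk code: a small model that walks a subscription's management group ancestry, expands group principals, and lists the privileged assignments a subscription-only scan would not report. The hierarchy, principals, group membership and the set of roles treated as privileged are all constructed assumptions; only the scope string formats follow Azure's conventions.

```python
# Added example: constructed data, not SkyArk code and not a real tenant.
MG = "/providers/Microsoft.Management/managementGroups/"

# Hypothetical hierarchy: child scope -> parent management group scope.
PARENT = {
    "/subscriptions/sub-prod": MG + "mg-platform",
    MG + "mg-platform": MG + "mg-root",
}

# Constructed role assignments: (scope, principal, role).
ASSIGNMENTS = [
    ("/subscriptions/sub-prod", "alice", "Contributor"),
    (MG + "mg-platform", "grp-cloud-admins", "Owner"),
    (MG + "mg-root", "bob", "User Access Administrator"),
    (MG + "mg-other", "carol", "Owner"),  # unrelated branch, must not apply
]
GROUP_MEMBERS = {"grp-cloud-admins": ["dave", "erin"]}
# Roles treated as privileged here (an assumption for this example).
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}

def scope_chain(scope):
    """Return the scope followed by each ancestor management group."""
    chain = [scope]
    while chain[-1] in PARENT:
        parent = PARENT[chain[-1]]
        if parent in chain:  # guard against a malformed, cyclic hierarchy
            raise ValueError("cycle in management group hierarchy")
        chain.append(parent)
    return chain

def effective_assignments(subscription):
    """Return (principal, role, assigned_at, inherited) with groups expanded."""
    chain = scope_chain(subscription)
    result = []
    for scope, principal, role in ASSIGNMENTS:
        if scope not in chain or role not in PRIVILEGED:
            continue
        for member in GROUP_MEMBERS.get(principal, [principal]):
            result.append((member, role, scope, scope != subscription))
    return result

def missed_by_subscription_scan(subscription):
    """Privileged (principal, role) pairs that exist only through inheritance."""
    rows = effective_assignments(subscription)
    return sorted((p, r) for p, r, _, inherited in rows if inherited)

if __name__ == "__main__":
    for principal, role in missed_by_subscription_scan("/subscriptions/sub-prod"):
        print(f"inherited only: {principal} -> {role}")
```
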

ErikMogensen commented 3 years ago

+1 for that feature