Misconfiguring Azure access control is a common issue that I've encountered more often than not as a consultant working with Azure now over a decade. I've even published a course about the subject and other Azure security best practices if you are interested in going deeper than this post.

For some, the Azure role-based access control (Azure RBAC) with Built-in roles and different scopes might feel like a burden and you would rather just leave the defaults on without getting deeper into the subject. Unfortunately, that can lead to unwanted risks for you, which you probably want to avoid.

I have assessed the security of hundreds of applications built on the Microsoft Azure cloud and found that there are some key security misconfigurations that are common across all industry verticals and company sizes. In this post, I will share what these security misconfigurations are, why do they matter and how to mitigate them.