The Nerdio service principal currently assigns itself Contributor and User Access Administrator on all linked resource groups.
This is extremely overprivileged. By default, Nerdio should only assign the roles it actually needs to deploy and manage resources, such as Desktop Virtualization Contributor and so on. Right now Nerdio does not follow the principle of least privilege; it seems to be configured around what is easiest, which is rarely the best option.
The User Access Administrator role should also be limited with conditions so that it can only assign the roles Nerdio actually needs.
A security risk that we have identified is that scripted actions can be used to do essentially anything in a production subscription, which means an organization with frankly quite standard security requirements cannot use scripted actions at all because of these risks.
For organizations that want to do additional operations via scripted actions, the option to assign more roles always exists.
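For reference, this is what the requested configuration looks like when done by hand with Az PowerShell: the blanket Contributor and User Access Administrator grants on one linked resource group are replaced with a narrower role set for the Nerdio service principal, and User Access Administrator is re-added with an Azure RBAC delegation condition that only lets it assign or remove those same roles. This is an added example, not Nerdio's code and not part of the post above. The application ID, resource group name and the role list (`Desktop Virtualization Contributor` plus `Virtual Machine Contributor`) are placeholders; which roles Nerdio truly needs has to be confirmed against its own documentation. The condition text follows Microsoft's documented template for constrained role assignment delegation.

```powershell
# Added example, not Nerdio's own code. Requires the Az.Resources module and a
# signed-in identity that is allowed to manage role assignments at the scope.

$appId         = '00000000-0000-0000-0000-000000000000'   # Nerdio service principal (placeholder)
$resourceGroup = 'rg-avd-prod'                            # linked resource group (placeholder)

$scope = (Get-AzResourceGroup -Name $resourceGroup).ResourceId
$sp    = Get-AzADServicePrincipal -ApplicationId $appId

# Roles Nerdio is allowed to hold and to hand out (illustrative list, not from Nerdio's docs).
$allowedRoleNames = @(
    'Desktop Virtualization Contributor',
    'Virtual Machine Contributor'
)

# Resolve role names to role definition GUIDs at run time rather than hard-coding them.
$allowedRoleIds = $allowedRoleNames | ForEach-Object { (Get-AzRoleDefinition -Name $_).Id }

# 1. Remove the blanket grants at this scope (inherited assignments are filtered out).
foreach ($role in 'Contributor', 'User Access Administrator') {
    Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -RoleDefinitionName $role |
        Where-Object { $_.Scope -eq $scope } |
        Remove-AzRoleAssignment
}

# 2. Grant only the roles needed to deploy and manage the AVD resources.
foreach ($role in $allowedRoleNames) {
    New-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -RoleDefinitionName $role
}

# 3. Grant User Access Administrator with a condition: roleAssignments/write is only
#    allowed for the listed role definitions, and roleAssignments/delete is only allowed
#    on assignments of those same roles. Any other action the role permits is untouched.
$idList = $allowedRoleIds -join ', '
$condition = @"
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {$idList}
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {$idList}
 )
)
"@

New-AzRoleAssignment -ObjectId $sp.Id -Scope $scope `
    -RoleDefinitionName 'User Access Administrator' `
    -Condition $condition -ConditionVersion '2.0'

# 4. Verify what the principal now holds at this scope, including the condition text.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope, Condition |
    Format-List
```

Two caveats when checking this. The condition is only evaluated on `roleAssignments/write` and `roleAssignments/delete`; it does nothing to limit what the principal can do through the roles it already holds, so the narrowed role list in step 2 is the real least-privilege control and the condition just stops the service principal from escalating back to Contributor or Owner. Also, role assignment conditions require condition version 2.0 and are applied per assignment, so the same block has to be run (or automated) for every linked resource group, and anything Nerdio re-creates on its own will need to be checked again.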