
Why can't security administrator see resources in a subscription?


I have the Security administrator role on a subscription. Now, what I want to see is the resources available in the subscription to know the attack surface, but when I go to the resources tab, I see nothing, or if I check the VMs tab I cannot see any VM (even though they're available). Similarly, on the Defender plans page, it shows all the resources as 0, whereas that's not the case.

Defender Plans Page

Why, being a security admin, can't I see this data? Doesn't it come under my scope? If not, then what additional role do I need to see this data? Obviously, I can't ask for Contributor, considering the least privilege principle.

I tried accessing resource details but couldn't. I was expecting to have access to this data as a security admin.


Solution

  • Note that the Security Administrator role will be able to read security information and reports and manage configuration in Microsoft Entra ID and Office 365, but not view Azure resources. Check this MsDoc.

    Hence, assign the Reader role to the user at subscription scope or resource group scope, based on your requirement.

    Now I am able to view the resources.

    If you want to manage resources, then you have to assign the Contributor/Owner role to the user.

    Reference:

    Azure built-in roles - Azure RBAC | Microsoft
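To see why adding Reader closes the gap without granting write access, the sketch below evaluates Azure RBAC wildcard actions for both roles. It is an added example, not part of the original answer: the `ROLES` table is an abbreviated, assumed subset of the built-in definitions (confirm the full lists with `az role definition list --name "Security Admin"`), and the helper names are hypothetical.

```python
import re

# Abbreviated subsets of two built-in role definitions (assumption: the real
# Security Admin role carries more actions; only a few are shown here).
ROLES = {
    "Security Admin": {
        "actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Security/*",
        ],
        "not_actions": [],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
}


def _matches(pattern, operation):
    """'*' in a role action matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role, operation):
    """A single role grants Actions minus its own NotActions."""
    allowed = any(_matches(p, operation) for p in role["actions"])
    excluded = any(_matches(p, operation) for p in role["not_actions"])
    return allowed and not excluded


def effective(role_names, operation):
    """Effective access is the union over every role assigned at the scope."""
    return any(role_allows(ROLES[name], operation) for name in role_names)


if __name__ == "__main__":
    checks = [
        "Microsoft.Security/pricings/read",         # Defender plan settings
        "Microsoft.Compute/virtualMachines/read",   # listing VMs
        "Microsoft.Compute/virtualMachines/write",  # modifying VMs
    ]
    for assigned in (["Security Admin"], ["Security Admin", "Reader"]):
        for op in checks:
            verdict = "allow" if effective(assigned, op) else "deny"
            print(f"{' + '.join(assigned):28} {op:42} {verdict}")
```

With only Security Admin, the VM read operation is denied, which matches the empty resource lists in the question; adding Reader allows reads while the write operation stays denied.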