Microsoft Corporation
Automatic reduction of privilege role assignments

Abstract:

A least-privilege role is automatically assigned to a service principal in order to ensure that a service principal is able to perform actions on a resource of a subscription in a multi-tenant environment as intended without additional access and usage rights. The assignment of the least-privilege role is based on actions previously performed on the resources of a subscription by the service principal that match those actions within a role having the bare minimum permissions needed to perform those actions.