
[REVIEW] azure-review: add managed identity/PIM effective assignment evidence gates #1175

@stmr

Skill Being Reviewed

Skill name: azure-review
Skill path: skills/cloud/azure-review/

False Positive Analysis

Benign code/configuration that can be misclassified:

```bicep
// Subscription-scope assignment of the built-in Reader role to a user-assigned managed identity.
// 'acdd72a7-3385-48ef-bd42-f606fba81ae7' is the built-in Reader role definition id.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, appIdentity.id, 'Reader')
  properties: {
    principalId: appIdentity.properties.principalId
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      'acdd72a7-3385-48ef-bd42-f606fba81ae7'
    )
    principalType: 'ServicePrincipal'
  }
}
```

Why this is a false positive:
The current Azure review can treat service-principal or managed-identity role assignment as risky without checking scope, role definition, PIM eligibility, assignment duration, and conditional access around operators who can modify the identity. Reader at subscription scope is different from Owner, User Access Administrator, or Key Vault Administrator.

Coverage Gaps

Missed variant 1: managed identity with high-impact data-plane role

```hcl
# Data-plane admin role on the production vault, granted to a workload's user-assigned identity.
resource "azurerm_role_assignment" "mi_kv_admin" {
  scope                = azurerm_key_vault.prod.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}
```

Why it should be caught:
The skill checks Key Vault controls, but it should require effective managed-identity role evidence, data-plane scope, PIM/eligibility where supported, and justification for admin roles assigned to workloads.

Missed variant 2: privileged role assignment without activation evidence

Export shows user is eligible for Privileged Role Administrator, but no PIM activation logs or approval policy are reviewed.

Why it should be caught:
Eligibility is not the same as safe access. The review should require PIM activation settings, MFA-on-activation, approval, duration, justification, alerting, and audit logs.

Edge Cases

  • Role assignments inherited from management groups may not appear in subscription-local IaC.
  • User-assigned managed identities can be attached to new compute resources after review.
  • App registrations with federated credentials can use managed identity paths indirectly through workload identity federation.
  • Key Vault RBAC and access-policy modes require different evidence paths.

Remediation Quality

  • Fix resolves the vulnerability
  • Fix doesn't introduce new security issues
  • Fix doesn't break functionality
  • Issues found: The skill should avoid generic "remove role" guidance. Remediation should distinguish scope reduction, custom least-privilege roles, PIM eligibility, activation controls, workload identity constraints, and monitoring for assignment changes.

Comparison to Other Tools

| Tool | Catches this? | Notes |
|---|---|---|
| Semgrep | Partial | Can match broad role names in Bicep/Terraform but not inherited or effective assignments. |
| CodeQL | No | Not a source-code dataflow issue. |
| Other: Microsoft Defender for Cloud | Partial | Flags some privileged role posture, but review needs IaC plus Entra/PIM evidence. |

Overall Assessment

Strengths:
Clear CIS Azure benchmark structure and useful pitfalls around Defender plans, public storage, NSGs, and Key Vault.

Needs improvement:
Effective identity posture is broader than static role assignments. Managed identities, PIM activation, inherited scopes, and data-plane roles need explicit evidence gates.

Priority recommendations:

  1. Add managed-identity effective-access checks for role, scope, data plane, and attachable compute.
  2. Add PIM evidence gates for privileged role eligibility, activation policy, MFA, approval, duration, and logs.
  3. Separate Key Vault RBAC mode from access-policy mode in role and remediation guidance.
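The gates in recommendations 1 and 2, and the two missed variants above, can be expressed as a small policy check over an exported assignment snapshot. The following is an added example written for this review, not code from the azure-review skill or from any Microsoft tool: the export record shape, the role tiers, the sample principals and the 8-hour activation threshold are all assumptions made here. It passes a Reader assignment regardless of scope (the false positive above), flags a permanent data-plane admin role held by a managed identity, flags an eligible Privileged Role Administrator whose PIM policy lacks approval and activation-log evidence, and marks assignments inherited from a management group or tenant root so the reviewer knows they will not be in subscription-local IaC.

```python
"""Evidence gates over a constructed Azure role-assignment and PIM export.

Added example for this review, not the azure-review skill's own code. The
record shape, role tiers and MAX_ACTIVATION_HOURS are assumptions made here.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Built-in Azure role display names grouped into the tiers the gates reason about.
CONTROL_PLANE_PRIVILEGED = {"Owner", "User Access Administrator", "Contributor"}
DATA_PLANE_PRIVILEGED = {"Key Vault Administrator", "Storage Blob Data Owner"}
ENTRA_PRIVILEGED = {"Privileged Role Administrator", "Global Administrator"}
PRIVILEGED = CONTROL_PLANE_PRIVILEGED | DATA_PLANE_PRIVILEGED | ENTRA_PRIVILEGED
MAX_ACTIVATION_HOURS = 8  # review threshold assumed for this example
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


@dataclass
class Finding:
    principal_id: str
    role: str
    scope: str
    severity: str
    inherited: bool
    reasons: list[str] = field(default_factory=list)


def scope_is_inherited(scope: str) -> bool:
    """Tenant-root or management-group assignments are inherited by the subscription."""
    return scope == "/" or scope.startswith(MG_PREFIX)


def gate(a: dict, pim_policies: dict, activations: dict) -> Finding | None:
    """Return a Finding when evidence is missing, or None when the assignment passes.
    Reader and other non-privileged roles pass regardless of scope."""
    role, state = a["role"], a["state"]
    if role not in PRIVILEGED:
        return None
    f = Finding(a["principalId"], role, a["scope"], "none", scope_is_inherited(a["scope"]))
    if state == "Active":
        f.severity = "high"
        if role in DATA_PLANE_PRIVILEGED:
            f.reasons.append("data-plane admin role: require scope evidence and workload justification")
        else:
            f.reasons.append("permanent privileged assignment: expect PIM eligibility instead")
        if a["principalType"] == "ServicePrincipal":
            f.reasons.append("held by managed identity/service principal: enumerate attachable compute")
    elif state == "Eligible":
        f.severity = "medium"
        policy = pim_policies.get(role, {})
        if not policy.get("mfaOnActivation"):
            f.reasons.append("no MFA on activation")
        if not policy.get("approvalRequired"):
            f.reasons.append("no approval required for activation")
        if policy.get("maxDurationHours", 10**6) > MAX_ACTIVATION_HOURS:
            f.reasons.append(f"activation duration exceeds {MAX_ACTIVATION_HOURS}h")
        if a["principalId"] not in activations:
            f.reasons.append("no activation or audit log evidence in export")
        if not f.reasons:
            return None  # eligibility with full PIM evidence passes
    else:
        return None
    if f.inherited:
        f.reasons.append("inherited from above the subscription; absent from subscription-local IaC")
    return f


def run_gates(assignments: list[dict], pim_policies: dict, activations: dict) -> list[Finding]:
    return [f for a in assignments if (f := gate(a, pim_policies, activations))]


# Constructed sample export (not real tenant data).
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000001"
KV_SCOPE = SUBSCRIPTION + "/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"
ASSIGNMENTS = [
    {"principalId": "mi-app", "principalType": "ServicePrincipal", "role": "Reader",
     "scope": SUBSCRIPTION, "state": "Active"},
    {"principalId": "mi-app", "principalType": "ServicePrincipal",
     "role": "Key Vault Administrator", "scope": KV_SCOPE, "state": "Active"},
    {"principalId": "user-alice", "principalType": "User",
     "role": "Privileged Role Administrator", "scope": "/", "state": "Eligible"},
    {"principalId": "group-ops", "principalType": "Group", "role": "Owner",
     "scope": MG_PREFIX + "mg-prod", "state": "Active"},
]
PIM_POLICIES = {"Privileged Role Administrator":
                {"mfaOnActivation": True, "approvalRequired": False, "maxDurationHours": 8}}
ACTIVATIONS: dict = {}  # the constructed export carries no activation log entries


def findings_for_sample() -> list[Finding]:
    return run_gates(ASSIGNMENTS, PIM_POLICIES, ACTIVATIONS)


if __name__ == "__main__":
    for f in findings_for_sample():
        print(f"[{f.severity}] {f.principal_id} {f.role} @ {f.scope}")
        for r in f.reasons:
            print("   -", r)
```

On the sample export the Reader assignment produces nothing, while the other three each come back with the specific evidence the reviewer still needs to collect, which is the shape of remediation guidance the "Remediation Quality" section asks for instead of a generic "remove role".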

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal samik4184@gmail.com
