We Removed Palo Alto's Owner Access From Our Azure Estate (They Left It Behind)
- Patrick Duggan
- Mar 11
- 4 min read
Updated: Apr 25
Today we ran a quarterly access review. The kind SOC2 auditors ask about. The kind nobody actually does until the auditor asks.
We did it. Here's what we found.
Palo Alto Left Owner Access on Our Management Group
Twelve role assignments. Left behind by Prisma Cloud and its rebrand, Cortex Cloud — Palo Alto Networks' cloud security posture management product.
Four custom Prisma policy roles. Seven Reader and Key Vault Crypto assignments. And one `cortex-policy-assignment` service principal with **Owner** — the highest privilege Azure offers — scoped to our entire Management Group.
All orphaned. The service principals they pointed to were deleted. The role assignments weren't. Empty principals with live permissions. Ghost hands on the steering wheel.
This is from a **$54 billion security company** whose product exists to find exactly this kind of misconfiguration in *your* environment.
They couldn't find it in their own uninstall process.
What Owner on a Management Group Means
A Management Group sits above the subscription level in the Azure resource hierarchy. Owner at that scope means:
- Create, delete, or modify **any** resource in **any** subscription
- Modify IAM policies across the entire tenant
- Access Key Vault secrets
- Deploy code to production
- Delete everything
An orphaned service principal with Owner at Management Group scope is not a misconfiguration. It's an **attack surface**. If anyone compromised that SP's credentials before it was deleted from Entra ID, they had full tenant access with no human attached to the identity.
A CSPM product that leaves this behind when it disconnects is a CSPM product that **creates** the attack surface it claims to monitor.
The Cleanup
```bash
# Find orphaned role assignments (empty principal = the principal no longer exists in Entra ID)
az role assignment list --all --query '[?principalName==``]' -o table

# Find Prisma/Cortex specifically
# Note: JMESPath contains() is case-sensitive; match the casing used in your custom role names
az role assignment list --all --query '[?contains(roleDefinitionName, `prisma`) || contains(roleDefinitionName, `cortex`)]' -o table
```
Twelve role assignments. One command each. Thirty seconds total.
The Management Group now has one assignment: the human who owns the company.
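The two commands above answer "what is orphaned" and "what is vendor-named" separately. As an added example (not the post's own script, and not anything shipped by the vendor), the Python below reads the JSON shape that `az role assignment list --all -o json` returns, flags assignments whose principal is gone or whose role name points at the vendor, ranks them by role and scope so an Owner at Management Group scope lands at the top, and prints the matching `az role assignment delete --ids` commands for a human to review. The sample assignments, GUIDs, role name and account name are constructed placeholders; treating principalType "Unknown" as a second orphan signal is an assumption about current CLI output beyond the post's empty-principalName criterion.

```python
"""Triage Azure RBAC assignments for orphaned and vendor-leftover entries.

Added example; it is not the post's own script. It consumes the JSON that
`az role assignment list --all -o json` returns (the fields used here are
id, principalName, principalType, roleDefinitionName and scope) and
produces a severity-ranked list plus the matching `az role assignment
delete --ids` commands for review. SAMPLE below is constructed to mirror
the post's findings; the GUIDs and names are placeholders, not real data.
"""
import json
import re

# Base severity by role: anything that controls IAM or all resources ranks highest.
ROLE_SEVERITY = {"Owner": 3, "User Access Administrator": 3, "Contributor": 2}

MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")
SUB_RE = re.compile(r"^/subscriptions/[^/]+$")
RG_RE = re.compile(r"^/subscriptions/[^/]+/resourcegroups/[^/]+$", re.IGNORECASE)


def scope_level(scope: str) -> str:
    """Classify an ARM scope string by the level it grants rights over."""
    if scope == "/":
        return "tenantRoot"
    if MG_RE.match(scope):
        return "managementGroup"
    if SUB_RE.match(scope):
        return "subscription"
    if RG_RE.match(scope):
        return "resourceGroup"
    return "resource"


def is_orphaned(assignment: dict) -> bool:
    """Orphaned = the principal no longer exists in Entra ID.

    The post's criterion is an empty principalName; recent CLI versions also
    report principalType "Unknown" for deleted principals (assumption)."""
    return not assignment.get("principalName") or assignment.get("principalType") == "Unknown"


def matches_vendor(assignment: dict, vendors) -> bool:
    """Case-insensitive match on role or principal name, unlike JMESPath contains()."""
    haystack = f"{assignment.get('roleDefinitionName', '')} {assignment.get('principalName', '')}".lower()
    return any(v.lower() in haystack for v in vendors)


def triage(assignments, vendors=("prisma", "cortex")):
    """Return findings sorted by severity (highest first)."""
    findings = []
    for a in assignments:
        orphan = is_orphaned(a)
        vendor = matches_vendor(a, vendors)
        if not (orphan or vendor):
            continue  # live, non-vendor assignment: reviewed elsewhere, not flagged here
        level = scope_level(a["scope"])
        severity = ROLE_SEVERITY.get(a["roleDefinitionName"], 1)
        if level in ("tenantRoot", "managementGroup"):
            severity += 1  # rights propagate to every subscription beneath
        if orphan:
            severity += 1  # nobody owns the identity, so nobody notices its use
        findings.append({
            "id": a["id"], "role": a["roleDefinitionName"], "scopeLevel": level,
            "orphaned": orphan, "vendor": vendor, "severity": severity,
        })
    findings.sort(key=lambda f: (-f["severity"], f["id"]))
    return findings


def delete_commands(findings):
    """Emit the cleanup commands for a human to review before running."""
    return [f"az role assignment delete --ids '{f['id']}'" for f in findings]


# Constructed sample in the shape of `az role assignment list --all -o json`.
SAMPLE = json.loads("""[
 {"id": "/providers/Microsoft.Management/managementGroups/example-mg/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000001",
  "principalName": "", "principalType": "Unknown", "roleDefinitionName": "Owner",
  "scope": "/providers/Microsoft.Management/managementGroups/example-mg"},
 {"id": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000002",
  "principalName": "", "principalType": "Unknown", "roleDefinitionName": "Prisma Cloud Policy Role",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
 {"id": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000003",
  "principalName": "", "principalType": "Unknown", "roleDefinitionName": "Reader",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
 {"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/kv-rg/providers/Microsoft.KeyVault/vaults/example-kv/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000004",
  "principalName": "", "principalType": "Unknown", "roleDefinitionName": "Key Vault Crypto User",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/kv-rg/providers/Microsoft.KeyVault/vaults/example-kv"},
 {"id": "/providers/Microsoft.Management/managementGroups/example-mg/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000005",
  "principalName": "admin@example.com", "principalType": "User", "roleDefinitionName": "Owner",
  "scope": "/providers/Microsoft.Management/managementGroups/example-mg"}
]""")

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"sev={f['severity']} {f['role']:<26} {f['scopeLevel']:<16} orphaned={f['orphaned']}")
    print("\n".join(delete_commands(triage(SAMPLE))))
```

Feed it real output with `az role assignment list --all -o json > assignments.json` and `json.load` that file in place of `SAMPLE`. The live human Owner in the sample is deliberately not flagged: the script only surfaces what is orphaned or vendor-named, and the deletion commands are printed rather than executed so the review stays a review.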
While We Were in There
The access review uncovered something else. The admin account — `[email protected]` — was **excluded from all five Conditional Access MFA policies**.
Five policies. All requiring MFA. All with the same exclusion: the one person who runs the whole operation.
The cobbler's children have no shoes.
We removed the exclusion from all five policies. Both accounts now subject to full MFA enforcement. Zero exclusions. The next Azure portal login prompted for Microsoft Authenticator. It worked.
**Cost to fix: $0. Time to fix: 60 seconds.**
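The exclusion check above can be scripted against the policy objects Microsoft Graph returns from `/identity/conditionalAccess/policies`, which is worth doing when there are more than five policies or more than one admin. This added Python example is not the post's tooling: the seven policies and the object IDs are constructed, and it also covers the case the post does not mention, an exclusion inherited through a group rather than set directly on the account, which a per-user fix leaves in place.

```python
"""Find Conditional Access MFA policies that exclude a given account.

Added example, not the post's own tooling. It works on the JSON that
Microsoft Graph returns for /identity/conditionalAccess/policies (fields
displayName, state, conditions.users.{includeUsers,excludeUsers,excludeGroups},
grantControls.{builtInControls,authenticationStrength}). SAMPLE below is a
constructed policy set; the object IDs are placeholders, not real ones.
"""
import copy

ADMIN_ID = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed object id of the admin account
BREAKGLASS_GROUP = "bbbbbbbb-0000-0000-0000-000000000001"  # constructed group id


def requires_mfa(policy: dict) -> bool:
    """True if the grant control demands MFA, via the classic control or an authentication strength."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))


def enforced_mfa_policies(policies):
    """Only enabled policies count; report-only and disabled ones enforce nothing."""
    return [p for p in policies if p.get("state") == "enabled" and requires_mfa(p)]


def exclusions_for(policies, user_id, group_ids=()):
    """Enforced MFA policies in which user_id is excluded directly or through one of group_ids."""
    hits = []
    for p in enforced_mfa_policies(policies):
        users = (p.get("conditions") or {}).get("users") or {}
        direct = user_id in (users.get("excludeUsers") or [])
        via_groups = sorted(set(group_ids) & set(users.get("excludeGroups") or []))
        if direct or via_groups:
            hits.append({"policy": p["displayName"], "direct": direct, "viaGroups": via_groups})
    return hits


def coverage(policies, user_id, group_ids=()):
    """Share of enforced MFA policies that actually apply to the user (1.0 = no exclusions)."""
    enforced = enforced_mfa_policies(policies)
    if not enforced:
        return 0.0  # no enforced MFA policy at all is the worst case, not full coverage
    excluded = len(exclusions_for(policies, user_id, group_ids))
    return (len(enforced) - excluded) / len(enforced)


def remove_user_exclusion(policies, user_id):
    """Return a copy of the policies with user_id dropped from every excludeUsers list.

    Each changed policy's `conditions` is what you would PATCH back to Graph.
    Group-based exclusions are left alone: fix those on the group, not here."""
    patched = copy.deepcopy(policies)
    for p in patched:
        users = (p.get("conditions") or {}).get("users") or {}
        if user_id in (users.get("excludeUsers") or []):
            users["excludeUsers"] = [u for u in users["excludeUsers"] if u != user_id]
    return patched


def _policy(name, state="enabled", exclude_users=(), exclude_groups=(), controls=("mfa",)):
    """Build a policy object in the Graph shape (constructed test data)."""
    return {
        "displayName": name, "state": state,
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": list(exclude_users),
                                 "excludeGroups": list(exclude_groups)}},
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


# Constructed: five enforced MFA policies that all exclude the admin (one via a group),
# plus a report-only policy and a non-MFA policy that must not count.
SAMPLE = [
    _policy("CA001 Require MFA for all users", exclude_users=[ADMIN_ID]),
    _policy("CA002 Require MFA for admins", exclude_users=[ADMIN_ID]),
    _policy("CA003 Require MFA for Azure management", exclude_users=[ADMIN_ID]),
    _policy("CA004 Require MFA from untrusted networks", exclude_groups=[BREAKGLASS_GROUP]),
    _policy("CA005 Require MFA for risky sign-ins", exclude_users=[ADMIN_ID]),
    _policy("CA006 Report-only pilot", state="enabledForReportingButNotEnforced", exclude_users=[ADMIN_ID]),
    _policy("CA007 Block legacy auth", controls=("block",), exclude_users=[ADMIN_ID]),
]

if __name__ == "__main__":
    for hit in exclusions_for(SAMPLE, ADMIN_ID, [BREAKGLASS_GROUP]):
        print(hit)
    print("coverage before:", coverage(SAMPLE, ADMIN_ID, [BREAKGLASS_GROUP]))
    fixed = remove_user_exclusion(SAMPLE, ADMIN_ID)
    print("coverage after:", coverage(fixed, ADMIN_ID, [BREAKGLASS_GROUP]))
```

Pass the account's group memberships as `group_ids`; without them a policy that excludes the admin through a group reports clean. In the sample that is exactly why coverage stops at 0.8 after the per-user cleanup: the group exclusion on CA004 is still there.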
The Scorecard
What we closed today, during one quarterly access review:
| Gap | Before | After | Cost |
|-----|--------|-------|------|
| MFA enforcement | 95% (admin excluded) | 100% (zero exclusions) | $0 |
| Quarterly access review | Never done | Q1 2026 documented | $0 |
| Orphaned service principals | 12 (including Owner) | 0 | $0 |
| SOC2 POA-001 (MFA) | PLANNED | COMPLETE | $0 |
| SOC2 POA-004 (access reviews) | PLANNED | COMPLETE | $0 |
Two SOC2 plan-of-action items closed. Twelve attack surface artifacts removed. Full MFA enforcement achieved. Zero dollars spent.
The Uncomfortable Question
How many Azure tenants have orphaned Prisma Cloud / Cortex service principals with elevated permissions right now?
Palo Alto's CSPM product has thousands of enterprise customers. Each deployment creates service principals with Reader, Contributor, or Owner access at the subscription or Management Group level. When customers cancel, downgrade, or let trials expire — do those role assignments get cleaned up?
We found twelve in ours. How many are in yours?
What We Actually Run
Here's the honest badge row, as of today:
- **AbuseIPDB Contributor** — 5,000+ IPs reported, verifiable
- **AlienVault OTX Publisher** — 279 pulses, 1M+ indicators, verifiable
- **ThreatFox Contributor** — IOCs submitted back to abuse.ch
- **STIX 2.1 / TAXII 2.1 Compliant** — OASIS standard
- **SAM.gov Registered** — UEI: TP9FY7262K87
- **D-U-N-S Verified** — 14-363-3562
- **Stripe PCI DSS** — we never touch card data
- **Azure Hosted** — now with zero orphaned service principals
Every badge verifiable. Zero stolen valor. They're on the [pricing page](https://analytics.dugganusa.com/epstein/pricing) now.
The Math
Palo Alto Networks annual revenue: $6.9 billion.
Their CSPM product left Owner on our Management Group.
DugganUSA annual revenue: $0.
We found it, fixed it, and documented the access review.
Prisma Cloud costs roughly $50K-$100K/year for enterprise deployments. Our access review cost $0 and found the mess their product left behind.
You do the math.
Check Your Own Estate
```bash
# Find orphaned role assignments (empty principal = the principal no longer exists in Entra ID)
az role assignment list --all --query '[?principalName==``]' -o table

# Find Prisma/Cortex specifically
# Note: JMESPath contains() is case-sensitive; match the casing used in your custom role names
az role assignment list --all --query '[?contains(roleDefinitionName, `prisma`) || contains(roleDefinitionName, `cortex`)]' -o table
```
Run those two commands. See what comes back. We'll wait.
*DugganUSA LLC is a Minnesota-based threat intelligence company. We run on $500/month. Our MFA coverage is 100% as of today. We removed a $54B security company's Owner access from our Azure estate because they forgot to clean up after themselves.*
*The cobbler's children have shoes now.*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*