As a frequent user of Azure Service Health, it’s essential to stay updated on significant changes regarding access to sensitive security advisories. Beginning the 22. April 2025, Microsoft will be implementing modifications that enforce stricter role-based access control (short RBAC) for security advisory details. This blog post outlines what you need to know, including what security advisories are, who can access them, and the necessary actions you must take to access the security advisories after the changes made by Microsoft.
Understanding Security Advisories
Security Advisories are a crucial part of Azure Service Health, helping you to stay informed about security events that may impact your workloads. They supplement Microsoft’s traditional Security Bulletins by addressing security changes that may not be classified as vulnerabilities and do not necessarily require a formal security bulletin by Microsoft.
Security Advisories communicate important security information regarding issues that could affect your overall security, along with any relevant changes or updates in Azure. Each advisory typically includes a Microsoft Knowledge Base Article that provides additional insights about the changes being delivered with the advisory’s release.
You receive security event notifications that are displayed within the Service Health interface across three essential tabs:
- Summary
- Impacted Resources (Already required to use enhanced RBAC for viewing security impacted resources via UI or AP)
- Issue Updates
Who Can View Security Advisories until now?
Access to Security Advisories is determined by user roles at the subscription or tenant level:
-
Subscription Level: Users with the Subscription Reader role or higher can view Security Advisory details on the Summary and Issue Updates tabs.
-
Tenant Level: Users with the roles listed below can access tenant-level security advisory details:
- Authentication Administrator
- Authentication Policy Administrator
- Azure Information Protection Administrator
- B2C IEF Keyset Administrator
- B2C IEF Policy Administrator
- Billing Administrator
- Cloud App Security Administrator
- Cloud Application Administrator
- Cloud Device Administrator
- Compliance Administrator
- Compliance Data Administrator
- Conditional Access Administrator
- Customer LockBox Access Approver
- Desktop Analytics Administrator
- Directory Reviewer
- Domain Name Administrator
- Dynamics 365 Administrator
- Exchange Administrator
- Exchange Recipient Administrator
- External ID User Flow
- Administrator
External ID User Flow Attribute Administrator - External Identity Provider Administrator
- Global Administrator
- Global Reader
- Groups Administrator
- Helpdesk Administrator
- Hybrid Identity Administrator
- Identity Governance Administrator
- Insights Administrator
- Intune Administrator
- Kaizala Administrator
- Knowledge Administrator
- License Administrator
- Message Center Privacy Reader
- Message Center Reader
- Network Administrator
- Office Apps Administrator
- Password Administrator
- Power BI Administrator
- Power Platform Administrator
- Privileged Authentication Administrator
- Privileged Role Administrator
- Reports Reader
- Search Administrator
- Security Administrator
- Security Operator
- Security Reader
- Service Support Administrator
- SharePoint Administrator
- Skype for Business Administrator
- Teams Administrator
- Teams Communications Administrator
- Teams Communications Support Engineer
- Teams Communications Support Specialist
- Teams Devices Administrator
- User Administrator
What are the Changes to Security Advisories?
Starting the 22. April 2025, accessing Security Advisories will require elevated access across all three tabs—Summary, Impacted Resources, and Issue Updates—via the new APIs. Additionally, on October 22, 2025, RBAC for security advisory events will be needed in both the Azure portal and Azure Resource Graph, enhancing permission management and safeguarding sensitive information.
Access Restrictions
Users with the Subscription Reader role or tenant roles at the tenant scope will no longer be able (after the 22. October 2025) to view security advisory details unless they possess one of the following roles:
Subscription Level:
- Subscription Owner
- Subscription Admin
- Custom Roles with Microsoft.ResourceHealth/events/
fetchEventDetails/action or Microsoft.ResourceHealth/events/action permissions
Tenant Level:
- Security Admin
- Security Reader
- Global Admin
- Tenant Admin
- Custom Roles with Microsoft.ResourceHealth/events/
fetchEventDetails/action or Microsoft.ResourceHealth/events/action permissions
Note: The use of the Global Admin role should be limited as it can increase security risks, such as exposing sensitive data and enabling unauthorized changes, violating the principle of least privilege.
API Changes
For those, who are relying on the Service Health API, you must update your code to utilize the new ARM endpoint (/fetchEventDetails) to receive security advisory notifications. The previous endpoint (/events) will no longer return sensitive security notification details.
New API Endpoint Details
To gain access to the new endpoint, users will need to hold the requisite roles:
Example Endpoint:
POST https://management.azure.com/subscriptions/{subscriptionId}/providers/microsoft.ResourceHealth/events/{trackingId}/fetchEventDetails?api-version=2023-10-01-preview
Additionally, you can access with the above-mentioned roles impacted resources through the following endpoints:
Subscription Scope:
POST https://management.azure.com/subscriptions/{subscriptionId}/providers/microsoft.resourcehealth/events/{trackingId}/listSecurityAdvisoryImpactedResources?api-version=2023-10-01-preview
Tenant Scope:
POST https://management.azure.com/providers/microsoft.resourcehealth/events/{trackingId}/listSecurityAdvisoryImpactedResources?api-version=2023-10-01-preview
Existing Events API Endpoint
With the API version 2023-10-01-preview (and future versions), existing events will only contain non-sensitive properties for security advisory events.
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/microsoft.ResourceHealth/events?api-version=2023-10-01-preview&$filter="eventType eq SecurityAdvisory"
The response will include basic properties but will exclude sensitive details.
Refer to the Microsoft Learn documentation for the complete list and their specific permissions relevant to Security Advisory access.
Required Actions you have to make
Starting now, you should take the following actions before the 22. October 2025:
- For Azure Portal Users: Ensure your RBAC and Entra ID role assignments are updated before the 22. October 2025. Users lacking the required roles will see error messages when attempting to access security advisory details.
- For Resource Health API Users: Transition to the new API version before the 22. October 2025, and use the FetchEventDetails method for viewing sensitive security information.
- For Azure Resource Graph Users: Assess the properties that require elevated access and make necessary adjustments before the cut-off date.
Staying Informed
To keep up to date with Azure security advisories and the changes being made, regularly visit Microsoft Learn.
Conclusion
In conclusion, these upcoming changes to Azure Service Health are integral to enhancing security within your Azure environment. Taking proactive steps to ensure the appropriate access for you and your IT personnel is essential. By understanding these modifications and their implications, you can continue to utilize Azure Service Health effectively and securely.
Sources: