Defining a custom role for a Subscription or a Management group that allows all actions will give them the same capabilities as the built-in Owner role.
It's recommended to limit the number of subscription owners in order to mitigate the risk of being breached by a compromised owner.

This rule raises an issue when a custom role has an assignable scope set to a Subscription or a Management Group and allows all actions (``++*++``)
¨