🛡️ Azure disabled User Accounts have read, write, or owner permissions🟢⚪

  • Contextual name: 🛡️ Disabled User Accounts have read, write, or owner permissions🟢⚪
  • ID: /ce/ca/azure/subscription/disabled-user-accounts-permissions
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

Ensure that any roles granting read, write, or owner permissions are removed from disabled Azure user accounts.

While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Removing role assignments from disabled user accounts depends on the context and requirements of each organization and environment.

Rationale

Disabled accounts should not retain access to resources, as this poses a security risk. Removing role assignments mitigates potential unauthorized access and enforces the principle of least privilege.

Impact

Ensure disabled accounts are not relied on for break glass or automated processes before removing roles to avoid service disruption.

Audit

From Azure Portal
  1. Go to Microsoft Entra ID.
  2. Under Manage, click Users.
  3. Click Add filter.
  4. Click Account enabled.
  5. Click the toggle switch to set the value to No.
  6. Click Apply.
  7. Click the Display name of a disabled user account.
  8. Click Azure role assignments.
  9. Ensure that no read, write, or owner roles are assigned to the user account.

Remediation

From Azure Portal

  1. Go to Microsoft Entra ID.
  2. Under Manage, click Users.
  3. Click Add filter.
  4. Click Account enabled.
  5. Click the toggle switch to set the value to No.
  6. Click Apply.
  7. Click the Display name of a disabled user account with read, write, or owner roles assigned.
  8. Click Azure role assignments.
  9. Click the name of a read, write, or owner role.
  10. Click Assignments.
  11. Click Remove in the row for the disabled user account.
  12. Click Yes.
  13. Repeat steps 7-12 for disabled user accounts requiring remediation.

From PowerShell

For each account requiring remediation, run the following command to remove an assigned role:

Remove-AzRoleAssignment -ObjectId $user.ObjectId -RoleDefinitionName <role-definition-name>
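The following script is an added example, not part of the CIS benchmark text or the Cloudaware policy. It automates both the Audit steps (find disabled Entra ID users and list their Azure role assignments) and the PowerShell remediation above, across every subscription the signed-in identity can see. It assumes the Az.Accounts and Az.Resources modules with an active Connect-AzAccount session, the Microsoft Graph based Az.Resources (5.x or later, where the user id is exposed as Id rather than ObjectId), and an -ExcludeUpn list that the caller fills with the break-glass or automation accounts mentioned in the Impact section.

```powershell
# Added example (not from the benchmark or the policy page). Assumes Az.Accounts,
# Az.Resources 5.x+ and an existing Connect-AzAccount session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Report only by default; -Remove deletes the assignments (honours -WhatIf / -Confirm)
    [switch]$Remove,
    # UPNs to leave untouched, e.g. break-glass accounts reviewed per the Impact section
    [string[]]$ExcludeUpn = @()
)

# 1. Disabled users: the same "Account enabled = No" filter as the portal steps
$disabledUsers = Get-AzADUser -Filter "accountEnabled eq false" |
    Where-Object { $ExcludeUpn -notcontains $_.UserPrincipalName }

# 2. Direct role assignments for each disabled user, in every visible subscription.
#    Group-inherited assignments are out of scope for this check.
$findings = foreach ($sub in Get-AzSubscription) {
    $null = Set-AzContext -SubscriptionId $sub.Id
    foreach ($user in $disabledUsers) {
        Get-AzRoleAssignment -ObjectId $user.Id | ForEach-Object {
            [pscustomobject]@{
                Subscription      = $sub.Name
                UserPrincipalName = $user.UserPrincipalName
                ObjectId          = $user.Id
                Role              = $_.RoleDefinitionName
                Scope             = $_.Scope
            }
        }
    }
}

if (-not $findings) {
    Write-Output "No role assignments found on disabled user accounts."
    return
}

# Audit output: one row per (user, role, scope)
$findings | Format-Table -AutoSize

# 3. Remediation: remove each assignment at its exact scope
if ($Remove) {
    foreach ($f in $findings) {
        $target = "$($f.UserPrincipalName): $($f.Role) at $($f.Scope)"
        if ($PSCmdlet.ShouldProcess($target, "Remove role assignment")) {
            $null = Set-AzContext -SubscriptionId (Get-AzSubscription -SubscriptionName $f.Subscription).Id
            Remove-AzRoleAssignment -ObjectId $f.ObjectId -RoleDefinitionName $f.Role -Scope $f.Scope
        }
    }
}
```

Run it without parameters to produce the audit listing, then with `-Remove -WhatIf` to preview which assignments would be deleted, and finally with `-Remove` (optionally `-Confirm`) once the exclusion list has been reviewed. Passing -Scope to Remove-AzRoleAssignment, rather than only the role name as in the one-liner above, removes exactly the assignment that was found instead of defaulting to the subscription scope.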

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v5.0.0 → 💼 5.3.5 Ensure disabled user accounts do not have read, write, or owner permissions (Manual) | 1 | no data
💼 Cloudaware Framework → 💼 Threat Protection | 49 | no data