π Azure User Access Administrator Role has assignments π’
- Contextual name: π Use of the 'User Access Administrator' role is not restricted π’
- ID:
/ce/ca/azure/subscription/user-access-administrator-role - Located in: π Azure Subscription
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
The User Access Administrator role grants the ability to view all resources and manage access assignments at any subscription or management group level within the tenant. Due to its high privilege level, this role assignment should be removed immediately after completing the necessary changes at the root scope to minimize security risks.
Rationaleβ
The User Access Administrator role provides extensive access control privileges. Unnecessary assignments heighten the risk of privilege escalation and unauthorized access. Removing the role immediately after use minimizes security exposure.
Impactβ
Increased administrative effort to manage and remove role assignments appropriately.
Auditβ
This policy marks a
User Access AdministratorAzure Authorization Role asINCOMPLIANTif the role has any related Azure Authorization Role Assignments.Referencesβ
Remediationβ
Remediationβ
From Azure Portalβ
- From Azure Home select the Portal Menu.
- Select
Subscriptions.- Select a subscription.
- Select
Access control (IAM).- Look for the following banner at the top of the page:
Action required: X users have elevated access in your tenant. You should take immediate action and remove all role assignments with elevated access.- Click
View role assignments.- Click
Remove.From Azure CLIβ
Run the following command:
az role assignment delete --role "User Access Administrator" --scope "/"
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS Azure v4.0.0 β πΌ 6.3.3 Ensure that use of the 'User Access Administrator' role is restricted (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ Role-Based Access Control (RBAC) Management | 13 |