Control: 6.3.3 Ensure that use of the 'User Access Administrator' role is restricted
Description
The User Access Administrator role grants the ability to view all resources and manage access assignments at any subscription or management group level within the tenant. Due to its high privilege level, this role assignment should be removed immediately after completing the necessary changes at the root scope to minimize security risks.
The User Access Administrator role provides extensive access control privileges. Unnecessary assignments heighten the risk of privilege escalation and unauthorized access. Removing the role immediately after use minimizes security exposure.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Subscriptions. - Select a subscription.
- Select
Access control (IAM). - Look for the following banner at the top of the page:
Action required: X users have elevated access in your tenant. You should take immediate action and remove all role assignments with elevated access. - Click
View role assignments. - Click
Remove.
From Azure CLI
Run the following command:
az role assignment delete --role "User Access Administrator" --scope "/"
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_6_3_3Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v400_6_3_3 --shareSQL
This control uses a named query:
with user_access_admin_role as ( select id, role_name, subscription_id from azure_role_definition where role_name = 'User Access Administrator')select ra.id as resource, case when r.role_name is not null then 'alarm' else 'ok' end as status, case when r.role_name is not null then ra.subscription_id || ' has User Access Administrator role assigned at scope ' || ra.scope else 'No User Access Administrator role assignments found.' end as reason , sub.display_name as subscriptionfrom azure_role_assignment ra left join user_access_admin_role r on ra.role_definition_id = r.id left join azure_subscription sub on sub.subscription_id = ra.subscription_idwhere r.role_name is not null;