turbot/steampipe-mod-azure-compliance

Control: 5.3.5 Ensure disabled user accounts do not have read, write, or owner permissions

Description

Ensure that any roles granting read, write, or owner permissions are removed from disabled Azure user accounts.

While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Removing role assignments from disabled user accounts depends on the context and requirements of each organization and environment.

Remediation

Remediate from Azure Portal

  1. Go to Microsoft Entra ID.
  2. Under Manage, click Users.
  3. Click Add filter.
  4. Click Account enabled.
  5. Click the toggle switch to set the value to No.
  6. Click Apply.
  7. Click the Display name of a disabled user account with read, write, or owner roles assigned.
  8. Click Azure role assignments.
  9. Click the name of a read, write, or owner role.
  10. Click Assignments.
  11. Click Remove in the row for the disabled user account.
  12. Click Yes.
  13. Repeat steps 7-12 for disabled user accounts requiring remediation.

Remediate from PowerShell

For each account requiring remediation, run the following command to remove an assigned role:

Remove-AzRoleAssignment -ObjectId $user.ObjectId -RoleDefinitionName <roledefinition-name>

Default Value

Disabled user accounts retain their prior role assignments.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_5_3_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_5_3_5 --share

SQL

This control uses a named query:

with distinct_tenant as (
  select
    distinct tenant_id,
    subscription_id,
    _ctx
  from
    azure_tenant
), disabled_accounts_with_roles as (
  select
    distinct
    u.display_name,
    u.tenant_id,
    u.id,
    u.account_enabled,
    u.user_principal_name
  from
    azuread_user as u
    left join azure_role_assignment as a on a.principal_id = u.id
  where
    not u.account_enabled and
    a.principal_id is not null
)
select
  u.user_principal_name as resource,
  case
    when u.account_enabled then 'skip'
    when not u.account_enabled and d.display_name is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when u.account_enabled then u.display_name || ' is enabled account.'
    when not u.account_enabled and d.display_name is not null then u.display_name || ' is disabled and has roles assigned.'
    else u.display_name || ' account is disabled with no roles assigned.'
  end as reason,
  t.tenant_id
from
  azuread_user as u
  left join disabled_accounts_with_roles as d on u.id = d.id
  left join distinct_tenant as t on t.tenant_id = d.tenant_id
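To see how the named query classifies accounts without a live Azure connection, the following added example (not part of the mod) loads a constructed set of users, role assignments and one tenant into an in-memory SQLite database and runs the same CTE and CASE logic against it. The table names match the Steampipe tables the query reads; the `_ctx` column and the real Azure schema are omitted, the user ids, principal names and tenant id are made up, and `account_enabled` is stored as 0/1 because SQLite has no boolean type.

```python
import sqlite3

# Constructed sample data (not real Azure identifiers).
# azuread_user: (id, display_name, user_principal_name, account_enabled, tenant_id)
USERS = [
    ("u-1", "Alice Admin", "alice@example.test", 1, "t-1"),        # enabled -> skip
    ("u-2", "Bob Builder", "bob@example.test", 0, "t-1"),          # disabled, still has a role -> alarm
    ("u-3", "Carol Contractor", "carol@example.test", 0, "t-1"),   # disabled, no roles -> ok
]
# azure_role_assignment: (id, principal_id, role_name, tenant_id)
ROLE_ASSIGNMENTS = [
    ("ra-1", "u-1", "Owner", "t-1"),
    ("ra-2", "u-2", "Contributor", "t-1"),
]
# azure_tenant: (tenant_id, subscription_id)
TENANTS = [("t-1", "sub-1")]

# The control's query, with the _ctx column dropped and an ORDER BY added
# so the result is deterministic.
QUERY = """
with distinct_tenant as (
  select distinct tenant_id, subscription_id from azure_tenant
), disabled_accounts_with_roles as (
  select distinct
    u.display_name, u.tenant_id, u.id, u.account_enabled, u.user_principal_name
  from azuread_user as u
  left join azure_role_assignment as a on a.principal_id = u.id
  where not u.account_enabled and a.principal_id is not null
)
select
  u.user_principal_name as resource,
  case
    when u.account_enabled then 'skip'
    when not u.account_enabled and d.display_name is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when u.account_enabled then u.display_name || ' is enabled account.'
    when not u.account_enabled and d.display_name is not null
      then u.display_name || ' is disabled and has roles assigned.'
    else u.display_name || ' account is disabled with no roles assigned.'
  end as reason,
  t.tenant_id
from azuread_user as u
left join disabled_accounts_with_roles as d on u.id = d.id
left join distinct_tenant as t on t.tenant_id = d.tenant_id
order by u.user_principal_name
"""


def build_db() -> sqlite3.Connection:
    """Create the three tables the query reads and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table azure_tenant (tenant_id text, subscription_id text);
        create table azuread_user (
            id text, display_name text, user_principal_name text,
            account_enabled integer, tenant_id text);
        create table azure_role_assignment (
            id text, principal_id text, role_name text, tenant_id text);
    """)
    conn.executemany("insert into azure_tenant values (?, ?)", TENANTS)
    conn.executemany("insert into azuread_user values (?, ?, ?, ?, ?)", USERS)
    conn.executemany("insert into azure_role_assignment values (?, ?, ?, ?)", ROLE_ASSIGNMENTS)
    return conn


def run_control() -> dict:
    """Run the query and return {resource: (status, reason, tenant_id)}."""
    conn = build_db()
    try:
        rows = conn.execute(QUERY).fetchall()
    finally:
        conn.close()
    return {resource: (status, reason, tenant_id) for resource, status, reason, tenant_id in rows}


if __name__ == "__main__":
    for resource, (status, reason, tenant_id) in run_control().items():
        print(f"{status:5}  {resource:22}  {reason}  tenant={tenant_id}")
```

Running it shows the three outcomes the query can produce: the enabled account is skipped, the disabled account that still holds a role alarms, and the disabled account with no assignments is ok. It also makes one property of the query visible: `tenant_id` is joined through `d.tenant_id`, which is only populated for rows that matched `disabled_accounts_with_roles`, so the skip and ok rows carry a null tenant_id.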

Tags