Version: 2.1.1-preview

MT.1056 - Ensure that no person has permanent access to all Azure subscriptions at the root scope

Overview

Ensure that no person has permanent access to Azure Subscriptions.

User Access Administrator is a role that allows an administrator to perform every action on an Azure subscription. Global Administrators can grant themselves this permission at the root scope from the properties page of the Entra ID tenant (Access management for Azure resources). This permission should only be used in an emergency and should never be assigned permanently.

Ensure that no User Access Administrator permissions are assigned at the root scope.

Remediation action:

To remove all Admins with Root Scope permissions, as a Global Admin:

  1. Navigate to Microsoft Azure Portal https://portal.azure.com.
  2. Search for Microsoft Entra ID and select Microsoft Entra ID.
  3. Expand the Manage menu and select Properties.
  4. On the Properties page, go to the Access management for Azure resources section.
  5. In the information bar, click Manage elevated access users.
  6. Select all User Access Administrators and click Remove.
  7. Also check the other role assignments at the root scope; they must be removed as well for the test to pass.

To remove an assignment through the Azure CLI (replace the assignee with the account in question):

az role assignment delete --role "User Access Administrator" --assignee adminname@yourdomain.com --scope "/"
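As an added example (not the Maester project's own Test-MtUserAccessAdmin code), the following PowerShell enumerates permanent User Access Administrator assignments at the root scope and prints the matching removal command for each finding. It assumes the Az.Resources module, an existing Connect-AzAccount session with permission to read role assignments at "/", and that the function name Find-RootUserAccessAdmin is hypothetical.

```powershell
# Added example: detect permanent User Access Administrator assignments at scope "/".
# Assumes Az.Resources is installed and Connect-AzAccount has already been run.
function Find-RootUserAccessAdmin {
    param(
        # Role assignment objects as returned by Get-AzRoleAssignment; passing them in
        # keeps the filter testable with constructed objects as well as live data.
        [Parameter(Mandatory)] [object[]] $Assignments
    )
    # Only assignments scoped exactly to "/" with this role are an MT.1056 finding;
    # assignments at management group or subscription scope are out of scope here.
    $Assignments |
        Where-Object { $_.Scope -eq '/' -and $_.RoleDefinitionName -eq 'User Access Administrator' } |
        ForEach-Object {
            [pscustomobject]@{
                Principal  = if ($_.SignInName) { $_.SignInName } else { $_.DisplayName }
                ObjectType = $_.ObjectType
                ObjectId   = $_.ObjectId
                Scope      = $_.Scope
                # Same command the remediation section uses; the object ID is also a valid --assignee.
                RemoveCmd  = "az role assignment delete --role `"User Access Administrator`" --assignee $($_.ObjectId) --scope `"/`""
            }
        }
}

# Get-AzRoleAssignment lists active ARM role assignments. PIM-eligible assignments are
# not returned, but an activated PIM assignment does appear for its activation window,
# so a hit during a planned emergency activation should be reconciled with the PIM log.
$rootAssignments = Get-AzRoleAssignment -Scope '/' -RoleDefinitionName 'User Access Administrator' -ErrorAction Stop
$findings = @(Find-RootUserAccessAdmin -Assignments $rootAssignments)

if ($findings.Count -eq 0) {
    Write-Host 'PASS: no permanent User Access Administrator assignments at the root scope.'
} else {
    Write-Warning "FAIL: $($findings.Count) permanent User Access Administrator assignment(s) at scope '/'."
    $findings | Format-Table Principal, ObjectType, ObjectId, RemoveCmd -AutoSize
}
```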

Test Metadata

Test ID: MT.1056
Severity: High
Suite: Maester
Category: Privileged
PowerShell test: Test-MtUserAccessAdmin
Tags: Azure, MT.1056, Privileged

Source

  • Pester test: tests/Maester/Azure/UserAccessAdmin.Tests.ps1
  • PowerShell source: powershell/public/maester/azure/Test-MtUserAccessAdmin.ps1