Information
The User Access Administrator role grants the ability to view all resources and manage access assignments at any subscription or management group level within the tenant. Due to its high privilege level, this role assignment should be removed immediately after completing the necessary changes at the root scope to minimize security risks.
The User Access Administrator role provides extensive access control privileges. Unnecessary assignments heighten the risk of privilege escalation and unauthorized access. Removing the role immediately after use minimizes security exposure.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Remediate from Azure Portal
- From Azure Home select the Portal Menu.
- Select Subscriptions
- Select a subscription.
- Select Access control (IAM)
- Look for the following banner at the top of the page: Action required: X users have elevated access in your tenant. You should take immediate action and remove all role assignments with elevated access.
- Click View role assignments
- Click Remove
Remediate from Azure CLI
Run the following command:
az role assignment delete --role "User Access Administrator" --scope "/"
Impact:
Increased administrative effort to manage and remove role assignments appropriately.