The root User Access Administrator that is inherited by all our subscriptions is assigned to an account of an ex-employee. We're keeping that account alive so that we can continue to make changes as needed, but it's a less than ideal setup. Is there some way we can go about removing that account/reassigning those privileges? Or are we stuck with that ex-employee account forever (even the Azure consultants we enlisted were unable to change it)...
2 Answers
There are several terms:
- Azure AD tenant (something.onmicrosoft.com): the directory of all users. In its properties you can set that all users with the "Global Admin" role have access to all Azure subscriptions.
- Azure subscription: has an owner (a user); this can be changed using portal.azure.com or via a support ticket. It is typically a user from the organization (Azure AD tenant) in charge of the project / payments.
You can add additional users (free) in the Azure AD tenant and provide access permissions to an Azure subscription or resource groups (using IAM).

- 264
- 1
- 11
- Has not enabled me to solve my problem yet, but is helpful information in my search – Brian Knoblauch Dec 30 '21 at 12:52
- You can simply use Azure AD roles and Azure AD Security groups to achieve permissions on Azure subscription or resource group level. You should not reuse one account for multiple persons due to security concerns. – Hrvoje Kusulja Dec 30 '21 at 16:04
- That's the problem. I can't find where this role is being assigned to change it the proper way... – Brian Knoblauch Dec 30 '21 at 17:52
- portal.azure.com > subscriptions > IAM – Hrvoje Kusulja Jan 03 '22 at 11:15
- That screen does not allow changing this attribute at the root level – Brian Knoblauch Jan 04 '22 at 11:41
You can remove this by logging in as the old user, going to the Azure Portal, Azure Active Directory.
Then select the Properties screen in the left menu.
https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties
The bottom Yes/No is for Access Management for Azure Resources, this will control the user access administrator.
Automated
Through PowerShell or CLI you can also remove this as a Global Admin, with the User Access Administrator role active (root level Azure Subscription access is required):
Remove-AzRoleAssignment -SignInName user@example.com -RoleDefinitionName "User Access Administrator" -Scope "/"
Or AZ CLI:
az role assignment delete --assignee user@example.com --role "User Access Administrator" --scope "/"
Background info
The User Access Administrator is a temporary solution to gain access to the Azure Subscriptions which are tied to the same Azure Active Directory.
The Global Administrator is the only one allowed to do so, and after gaining access, new/direct permissions can be applied to the Azure Subscription, after which the User Access Administrator role needs to be disabled again. (principle of least privilege)
Access to Subscriptions tied to a different Azure AD cannot be resolved this way.

- 135
- 7
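Before running the delete command from the answer above it helps to know exactly which root-scope ("/") User Access Administrator assignments exist, who holds them, and to confirm afterwards that the leaver's one is gone. The following is an added example, not code from the answer or from Microsoft: it audits the JSON that `az role assignment list --scope "/" --include-inherited -o json` produces, drafts the matching clean-up command for each assignment held directly by a departed user, and re-checks fresh output after the removal. It assumes the field names `principalName`, `principalType`, `roleDefinitionName` and `scope` as emitted by the az CLI; the assignment ids, subscription id and account names are constructed sample data.

```python
"""Audit root-scope User Access Administrator assignments left behind by
Azure AD "Access management for Azure resources" elevation.

Added example. Input is the JSON shape of
  az role assignment list --scope "/" --include-inherited -o json
The assignment ids, subscription id and account names below are constructed
sample data, not from a real tenant.
"""
import json

ROOT_SCOPE = "/"
UAA_ROLE = "User Access Administrator"

# Constructed sample az output: a stale root-scope UAA assignment for an
# ex-employee, a legitimate subscription-level Owner, and a group-held UAA.
SAMPLE_AZ_OUTPUT = json.dumps([
    {
        "id": "/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000001",
        "principalName": "exemployee@example.com",
        "principalType": "User",
        "roleDefinitionName": "User Access Administrator",
        "scope": "/",
    },
    {
        "id": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000002",
        "principalName": "projectowner@example.com",
        "principalType": "User",
        "roleDefinitionName": "Owner",
        "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
    },
    {
        "id": "/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000003",
        "principalName": "sg-cloud-admins",
        "principalType": "Group",
        "roleDefinitionName": "User Access Administrator",
        "scope": "/",
    },
])


def root_uaa_assignments(az_json: str) -> list[dict]:
    """Assignments that are exactly root-scope User Access Administrator."""
    return [
        a for a in json.loads(az_json)
        if a.get("scope") == ROOT_SCOPE and a.get("roleDefinitionName") == UAA_ROLE
    ]


def stale_user_assignments(az_json: str, leavers: set[str]) -> list[dict]:
    """Root-scope UAA assignments held directly by a user listed in `leavers`.

    Group-held assignments are not returned: for those the fix is group
    membership, not deleting the assignment.
    """
    wanted = {name.lower() for name in leavers}
    return [
        a for a in root_uaa_assignments(az_json)
        if a.get("principalType") == "User"
        and a.get("principalName", "").lower() in wanted
    ]


def cleanup_commands(az_json: str, leavers: set[str]) -> list[str]:
    """Draft the az CLI command that removes each stale root-scope assignment."""
    return [
        f'az role assignment delete --assignee "{a["principalName"]}" '
        f'--role "{UAA_ROLE}" --scope "{ROOT_SCOPE}"'
        for a in stale_user_assignments(az_json, leavers)
    ]


def verify_removed(az_json_after: str, leavers: set[str]) -> bool:
    """Run over fresh `az role assignment list` output after the delete:
    True only when no stale user-held root-scope UAA assignment remains."""
    return not stale_user_assignments(az_json_after, leavers)


if __name__ == "__main__":
    leavers = {"exemployee@example.com"}
    print("Root-scope User Access Administrator assignments:")
    for a in root_uaa_assignments(SAMPLE_AZ_OUTPUT):
        print(f'  {a["principalType"]:5} {a["principalName"]}')
    print("Clean-up commands to review before running:")
    for cmd in cleanup_commands(SAMPLE_AZ_OUTPUT, leavers):
        print("  " + cmd)
```

Run it against real output by replacing `SAMPLE_AZ_OUTPUT` with the captured JSON; the group-held assignment is deliberately reported but not turned into a delete command, since a leaver is removed from a group rather than the group losing its role.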