Azure Introduction
Azure Pricing
Azure Threats
Users with Administrator Access
More Info:
Administrator access also brings risk with them. Try to have minimum admins in your account.
Risk Level
High
Address
Security
Compliance Standards
CISGCP,HIPAA,SCO2,NISTCSF,NIST,AWSWAF,ISO27001,HITRUST
Triage and Remediation
Remediation
To remediate the misconfiguration of having users with Administrator Access in Azure, follow these step-by-step instructions using the Azure console:
-
Sign in to the Azure portal (portal.azure.com) using your Azure account credentials.
-
In the Azure portal, navigate to the Azure Active Directory (AAD) service by clicking on “Azure Active Directory” in the left-hand navigation menu.
-
In the AAD overview page, click on “Users” under the “Manage” section in the left-hand menu.
-
Review the list of users and identify the user accounts that have Administrator Access. These accounts will typically have the “Global administrator” or “User administrator” roles assigned.
-
Select the user account(s) that have Administrator Access by clicking on the checkbox next to their names.
-
Once the desired user account(s) are selected, click on the “Remove” button at the top of the user list.
-
In the confirmation dialog box, review the list of selected user accounts and click on “Yes” to confirm the removal of their Administrator Access.
-
After removing the Administrator Access, it is recommended to assign appropriate roles and permissions to these user accounts based on their responsibilities and requirements. To do this, click on the “Add assignments” button at the top of the user list.
-
In the “Add assignments” dialog box, select the desired role(s) from the list based on the user’s responsibilities. Commonly used roles include “Owner,” “Contributor,” or more specific roles like “Virtual Machine Contributor” or “Storage Account Contributor.”
-
After selecting the role(s), search and select the user account(s) that need to be assigned the role(s). You can search by name or email address.
-
Once the user account(s) are selected, click on the “Add” button to assign the selected role(s).
-
Repeat steps 9-11 for each user account that needs to be assigned appropriate roles.
-
After assigning the roles, review the list of users to ensure that there are no remaining user accounts with Administrator Access.
By following these steps, you will remediate the misconfiguration of having users with Administrator Access in Azure. It is crucial to regularly review and manage user access to maintain a secure and well-controlled environment.
To remediate the misconfiguration of users with Administrator Access in Azure using Azure CLI, follow these steps:
-
Install Azure CLI: If you don’t have Azure CLI already installed, download and install it from the official Azure CLI documentation.
-
Authenticate with Azure: Open the Azure CLI command prompt and sign in to your Azure account using the following command:
az login -
List existing users with Administrator Access: Run the following command to list all the users with Administrator Access in Azure:
az role assignment list --all --query "[?roleDefinitionName=='Owner' || roleDefinitionName=='Contributor' || roleDefinitionName=='User Access Administrator']" -
Identify the user(s) to remove: Review the list of users obtained from the previous command and identify the user(s) that need to be removed or modified.
-
Remove user(s) with Administrator Access: To remove a user with Administrator Access, use the following command:
az role assignment delete --assignee <user-object-id>Replace
<user-object-id>with the Object ID of the user you want to remove. Repeat this command for each user you want to remove. -
Assign appropriate role(s) to user(s): If necessary, assign the appropriate role(s) to the user(s) based on their required access level. For example, to assign the “Contributor” role to a user, use the following command:
az role assignment create --assignee <user-object-id> --role "Contributor"Replace
<user-object-id>with the Object ID of the user you want to assign the role to. Repeat this command for each user as needed. -
Verify the changes: Run the command from step 3 again to verify that the user(s) with Administrator Access have been removed or modified accordingly.
By following these steps, you can remediate the misconfiguration of users with Administrator Access in Azure using Azure CLI. Remember to review and adjust the roles assigned to users based on your specific requirements and security best practices.
To remediate the misconfiguration of users having Administrator Access in Azure IAM (Identity and Access Management) using Python, follow these steps:
-
Install the required Python libraries:
pip install azure-identity pip install azure-mgmt-resource -
Import the necessary modules:
from azure.identity import DefaultAzureCredential from azure.mgmt.authorization import AuthorizationManagementClient from azure.mgmt.authorization.models import RoleAssignmentCreateParameters -
Authenticate and create a client object:
credential = DefaultAzureCredential() client = AuthorizationManagementClient(credential, <subscription_id>) -
Get the list of role assignments with Administrator access:
role_assignments = client.role_assignments.list(filter="roleDefinitionId eq '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}'") -
Iterate through the role assignments and remove the Administrator access:
for assignment in role_assignments: client.role_assignments.delete(<scope>, assignment.name)Note: Replace
<subscription_id>with the actual subscription ID and<scope>with the appropriate scope (e.g., resource group, subscription, etc.) where the Administrator access needs to be removed. -
Optionally, you can also assign a different role to the users to limit their access:
parameters = RoleAssignmentCreateParameters(role_definition_id='/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}', principal_id='<principal_id>') client.role_assignments.create(<scope>, <role_assignment_name>, parameters)Note: Replace
<principal_id>with the ID of the user or service principal,<role_assignment_name>with a unique name for the role assignment, and<roleDefinitionId>with the ID of the desired role definition. -
Run the Python script to remediate the misconfiguration.
Ensure that you have appropriate permissions and credentials to make changes in Azure IAM. It is recommended to test the script in a non-production environment before implementing it in a production environment.