Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration of having users with Administrator Access in Azure, follow these step-by-step instructions using the Azure console:
1. Sign in to the Azure portal (portal.azure.com) using your Azure account credentials.
2. In the Azure portal, navigate to the Azure Active Directory (AAD) service by clicking on “Azure Active Directory” in the left-hand navigation menu.
3. In the AAD overview page, click on “Users” under the “Manage” section in the left-hand menu.
4. Review the list of users and identify the user accounts that have Administrator Access. These accounts will typically have the “Global administrator” or “User administrator” roles assigned.
5. Select the user account(s) that have Administrator Access by clicking on the checkbox next to their names.
6. Once the desired user account(s) are selected, click on the “Remove” button at the top of the user list.
7. In the confirmation dialog box, review the list of selected user accounts and click on “Yes” to confirm the removal of their Administrator Access.
8. After removing the Administrator Access, it is recommended to assign appropriate roles and permissions to these user accounts based on their responsibilities and requirements. To do this, click on the “Add assignments” button at the top of the user list.
9. In the “Add assignments” dialog box, select the desired role(s) from the list based on the user’s responsibilities. Commonly used roles include “Owner,” “Contributor,” or more specific roles like “Virtual Machine Contributor” or “Storage Account Contributor.”
10. After selecting the role(s), search and select the user account(s) that need to be assigned the role(s). You can search by name or email address.
11. Once the user account(s) are selected, click on the “Add” button to assign the selected role(s).
12. Repeat steps 9-11 for each user account that needs to be assigned appropriate roles.
13. After assigning the roles, review the list of users to ensure that there are no remaining user accounts with Administrator Access.
Using CLI
To remediate the misconfiguration of users with Administrator Access in Azure using Azure CLI, follow these steps:
1. Install Azure CLI: If you don’t have Azure CLI already installed, download and install it from the official Azure CLI documentation.
2. Authenticate with Azure: Open the Azure CLI command prompt and sign in to your Azure account using the following command:
3. List existing users with Administrator Access: Run the following command to list all the users with Administrator Access in Azure:
4. Identify the user(s) to remove: Review the list of users obtained from the previous command and identify the user(s) that need to be removed or modified.
5. Remove user(s) with Administrator Access: To remove a user with Administrator Access, use the following command:
   Replace <user-object-id> with the Object ID of the user you want to remove. Repeat this command for each user you want to remove.
6. Assign appropriate role(s) to user(s): If necessary, assign the appropriate role(s) to the user(s) based on their required access level. For example, to assign the “Contributor” role to a user, use the following command:
   Replace <user-object-id> with the Object ID of the user you want to assign the role to. Repeat this command for each user as needed.
7. Verify the changes: Run the command from step 3 again to verify that the user(s) with Administrator Access have been removed or modified accordingly.
Using Python
To remediate the misconfiguration of users having Administrator Access in Azure IAM (Identity and Access Management) using Python, follow these steps:
1. Install the required Python libraries:
2. Import the necessary modules:
3. Authenticate and create a client object:
4. Get the list of role assignments with Administrator access:
5. Iterate through the role assignments and remove the Administrator access:
   Note: Replace <subscription_id> with the actual subscription ID and <scope> with the appropriate scope (e.g., resource group, subscription, etc.) where the Administrator access needs to be removed.
6. Optionally, you can also assign a different role to the users to limit their access:
   Note: Replace <principal_id> with the ID of the user or service principal, <role_assignment_name> with a unique name for the role assignment, and <roleDefinitionId> with the ID of the desired role definition.
7. Run the Python script to remediate the misconfiguration.
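The list-and-remove steps above, as an added example that is not code from the original page: it uses azure-identity and azure-mgmt-authorization to flag User principals holding an administrator-level role at a scope, and only deletes assignments when dry_run is turned off. Treating Owner and User Access Administrator as "Administrator Access", the keep set for break-glass accounts, and every ID in the sample data are assumptions of this example.

```python
from types import SimpleNamespace

# Assumption: these two built-in Azure RBAC roles are what counts as "Administrator
# Access"; the keys are their built-in role definition GUIDs.
ADMIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb4-a5c3-7773c20a72d9": "User Access Administrator",
}

def admin_user_assignments(assignments, keep=frozenset()):
    """Return (principal_id, role, scope, assignment_id) for each User principal holding
    an ADMIN_ROLES role, skipping principal IDs in `keep` (e.g. break-glass accounts)."""
    findings = []
    for a in assignments:
        guid = a.role_definition_id.rsplit("/", 1)[-1].lower()
        if a.principal_type == "User" and guid in ADMIN_ROLES and a.principal_id not in keep:
            findings.append((a.principal_id, ADMIN_ROLES[guid], a.scope, a.id))
    return findings

def remediate(subscription_id, scope, keep=frozenset(), dry_run=True):
    """Live path; needs `pip install azure-identity azure-mgmt-authorization`."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.authorization import AuthorizationManagementClient
    client = AuthorizationManagementClient(DefaultAzureCredential(), subscription_id)
    findings = admin_user_assignments(client.role_assignments.list_for_scope(scope), keep)
    for principal_id, role, at_scope, assignment_id in findings:
        print("would remove" if dry_run else "removing", role, principal_id, at_scope)
        if not dry_run:  # deletion happens only when explicitly requested
            client.role_assignments.delete_by_id(assignment_id)
    return findings

# Constructed sample data (not real tenant output), shaped like SDK RoleAssignment objects.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
def _ra(n, pid, ptype, guid, scope=SUB):
    return SimpleNamespace(id=f"{scope}/providers/Microsoft.Authorization/roleAssignments/{n}",
        principal_id=pid, principal_type=ptype, scope=scope,
        role_definition_id=f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{guid}")

SAMPLE = [
    _ra("a1", "user-alice", "User", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"),
    _ra("a2", "user-bob", "User", "b24988ac-6180-42a0-ab88-20f7382dd24c"),  # Contributor
    _ra("a3", "sp-deploy", "ServicePrincipal", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"),
    _ra("a4", "user-carol", "User", "18D7D88D-D35E-4FB4-A5C3-7773C20A72D9", SUB + "/resourceGroups/rg-app"),
    _ra("a5", "user-breakglass", "User", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"),
]

if __name__ == "__main__":
    for finding in admin_user_assignments(SAMPLE, keep={"user-breakglass"}):
        print(finding)
```

Run remediate() with dry_run=True first and review the findings before allowing deletions; custom roles with administrator-like permissions are not matched by the GUID table.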