User, Group or Applications have full administrator privileges
More Info:
In Microsoft Azure Key Vault, check for any users, groups or applications configured with full administrator privileges to access and manage Azure Key Vaults. Such principals can read, create, delete and purge every key, secret and certificate in the vault. Remove or reduce these grants to adhere to security best practices and implement the principle of least privilege.
Risk Level
Critical
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate this misconfiguration in the Azure portal, follow these steps:
- Log in to the Azure portal (https://portal.azure.com/).
- Navigate to the “Key vaults” service and select the vault you want to review.
- Under “Settings”, open “Access configuration” and note the permission model the vault uses: “Vault access policy” or “Azure role-based access control”.
- If the vault uses access policies, open “Access policies”. Each row lists a user, group or application together with the key, secret and certificate permissions it holds. A principal granted every permission in all three categories is a full administrator of the vault’s contents.
- Select that principal and click “Edit”. Clear every permission the workload does not need (in particular Delete, Purge, Backup and Restore, and Create, Import or Set unless the principal actually writes material) and click “Save”. If the principal needs no access at all, select it and click “Delete”.
- Repeat the above steps for any other principal in the list that holds full permissions.
- If the vault uses Azure RBAC, open “Access control (IAM)” and the “Role assignments” tab. Look for Owner, Contributor and Key Vault Administrator assignments, including those inherited from the resource group or subscription. Owner and Contributor grant no data-plane access by themselves, but they can switch the permission model or add access policies, so they count as full administrators for this check.
- Select each such assignment and click “Remove”. An inherited assignment must be removed at the scope where it was granted.
- Grant the narrowest built-in role that covers the workload, scoped to the vault, for example Key Vault Secrets User for an application that only reads secrets, or Key Vault Crypto User for one that only signs or decrypts.
- Repeat the above steps for every Key Vault in the subscription.
By following these steps, you will have successfully remediated the misconfiguration where a user, group, or application has full administrator privileges on an Azure Key Vault.
To remediate this misconfiguration using the Azure CLI, follow these steps:
- Log in with the Azure CLI and select the subscription that holds the vault:
az login
az account set --subscription <subscription-id>
- Check which permission model the vault uses. When enableRbacAuthorization is false, data-plane access is granted through vault access policies; when true, through Azure RBAC role assignments on the vault:
az keyvault show --name <vault-name> --query "properties.enableRbacAuthorization"
- For the access-policy model, list every principal and the key, secret and certificate permissions it holds. A principal granted every permission in all three categories (or the "all" wildcard value) is a full administrator of the vault’s contents. Note the objectId of each such principal:
az keyvault show --name <vault-name> --query "properties.accessPolicies[].{objectId:objectId, permissions:permissions}" --output json
- Remove the over-privileged policy and, if the principal still needs access, recreate it with only the permissions the workload uses (set-policy creates the policy when it does not exist):
az keyvault delete-policy --name <vault-name> --object-id <object-id>
az keyvault set-policy --name <vault-name> --object-id <object-id> --secret-permissions get list
- For the RBAC model, list the role assignments on the vault, including those inherited from the resource group and subscription. Owner, Contributor and Key Vault Administrator give full control; Owner and Contributor carry no data-plane rights themselves, but they can switch the permission model or add access policies, so they count as full administrators for this check. Note the principalId and scope of each such assignment:
az role assignment list --scope <vault-resource-id> --include-inherited --output table
- Remove the assignment at the scope where it was granted. Before you do, confirm it is not the assignment your own identity or a break-glass account depends on, and that at least one Owner remains on the subscription:
az role assignment delete --assignee <principalId> --role "Key Vault Administrator" --scope <vault-resource-id>
az role assignment delete --assignee <principalId> --role "Owner" --scope /subscriptions/<subscription-id>
- Grant the narrowest built-in role that covers the workload, scoped to the vault, for example Key Vault Secrets User for an application that only reads secrets:
az role assignment create --assignee-object-id <principalId> --assignee-principal-type <User|Group|ServicePrincipal> --role "Key Vault Secrets User" --scope <vault-resource-id>
- Verify the change by running the az keyvault show and az role assignment list commands above again and confirming that the user, group or application no longer holds full privileges on the vault.
To remediate this misconfiguration using Python, you can follow these steps:
- Connect to Azure using the Python SDK: authenticate with the azure.identity module and manage role assignments with the azure.mgmt.authorization module.
- Get the list of users, groups, and applications with full administrator privileges: use the RoleAssignmentsOperations class (authorization_client.role_assignments) to enumerate role assignments with list_for_subscription, or list_for_scope to review a single vault. The service only supports the atScope() and principalId filters, so match the built-in Owner role client-side by comparing each assignment’s role_definition_id with the Owner role definition ID.
- Revoke the full administrator privileges: call delete_by_id on each matching assignment. Exclude any break-glass principal that must keep Owner, and confirm that the list does not include the identity running the script.
- Vault access policies are a property of the Key Vault resource, not an RBAC assignment; they are changed with the azure.mgmt.keyvault client (VaultsOperations.update_access_policy with the remove or replace operation kind) rather than with the authorization client.
Here’s some sample code that demonstrates how to revoke the Owner role from users, groups, and applications in a subscription using Python:
from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

SUBSCRIPTION_ID = "<your-subscription-id>"
# Definition ID of the built-in Owner role; the GUID is the same in every tenant.
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
# Break-glass principals that must keep Owner so the subscription stays manageable.
KEEP = {"<break-glass-object-id>"}

# Connect to Azure using the default credential chain (az login, managed identity, ...)
credential = DefaultAzureCredential()
authorization_client = AuthorizationManagementClient(credential, SUBSCRIPTION_ID)

# The service accepts only the atScope() and principalId filters, so match the
# Owner role client-side; role_definition_id is a full resource ID ending in the GUID.
for assignment in authorization_client.role_assignments.list_for_subscription():
    if not assignment.role_definition_id.lower().endswith(OWNER_ROLE_ID):
        continue
    if assignment.principal_id in KEEP:
        continue
    print(f"Removing Owner from {assignment.principal_id} at {assignment.scope}")
    authorization_client.role_assignments.delete_by_id(assignment.id)
Note: Replace <your-subscription-id> with your actual subscription ID and <break-glass-object-id> with the object ID of the principal that must retain Owner. Run the script once with the delete_by_id call commented out to review what it would remove.
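The portal, CLI and Python steps above all depend on recognising which grants amount to full administrator privileges on a vault. The script below is an added example, not code from the original page or from Azure; it applies that classification offline to the JSON shapes returned by az keyvault show (properties.accessPolicies) and az role assignment list --include-inherited, using constructed sample data so it runs without a subscription, and prints the az commands that would remove each grant. The permission sets in ADMIN_PERMISSIONS and the roles in ADMIN_ROLES are this example's assumed definition of "full administrator"; every object ID, scope and vault name in the sample is made up.

```python
"""Offline audit of Key Vault principals with full administrator privileges.

Added example (not from the original page). It reads the JSON shapes that
`az keyvault show --name <vault>` (properties.accessPolicies) and
`az role assignment list --scope <vault-id> --include-inherited` return,
embedded below as constructed sample data, and prints remediation commands.
"""
import json

# Assumed definition of "full administrator" for an access policy: in every
# category the principal can create, destroy and export material. Names are
# Key Vault permission names, compared case-insensitively.
ADMIN_PERMISSIONS = {
    "keys": {"create", "import", "delete", "purge", "backup", "restore"},
    "secrets": {"set", "delete", "purge", "backup", "restore"},
    "certificates": {"create", "import", "delete", "purge", "backup", "restore"},
}

# Built-in roles that give full control of a vault. Owner and Contributor carry
# no data-plane rights, but can change the permission model or add access
# policies, so they are treated as administrators here (assumed definition).
ADMIN_ROLES = {"Owner", "Contributor", "Key Vault Administrator"}

# Constructed sample: one policy using the API's "all" wildcard, one listing
# every administrative permission explicitly, one read-only secrets consumer.
SAMPLE_VAULT = json.loads("""{
  "name": "kv-payments-prod",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "11111111-1111-1111-1111-111111111111",
       "permissions": {"keys": ["all"], "secrets": ["all"], "certificates": ["all"]}},
      {"objectId": "22222222-2222-2222-2222-222222222222",
       "permissions": {"keys": ["get", "list", "create", "import", "delete",
                                "purge", "backup", "restore", "sign"],
                       "secrets": ["get", "list", "set", "delete", "purge",
                                   "backup", "restore"],
                       "certificates": ["get", "list", "create", "import", "delete",
                                        "purge", "backup", "restore"]}},
      {"objectId": "33333333-3333-3333-3333-333333333333",
       "permissions": {"keys": [], "secrets": ["get", "list"], "certificates": []}}
    ]
  }
}""")

SUB_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT_SCOPE = (SUB_SCOPE + "/resourceGroups/rg-payments"
               "/providers/Microsoft.KeyVault/vaults/kv-payments-prod")

# Constructed sample: a data-plane admin on the vault, a least-privilege
# reader, and an Owner inherited from the subscription scope.
SAMPLE_ASSIGNMENTS = [
    {"principalId": "44444444-4444-4444-4444-444444444444",
     "roleDefinitionName": "Key Vault Administrator", "scope": VAULT_SCOPE},
    {"principalId": "55555555-5555-5555-5555-555555555555",
     "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT_SCOPE},
    {"principalId": "66666666-6666-6666-6666-666666666666",
     "roleDefinitionName": "Owner", "scope": SUB_SCOPE},
]


def policy_is_full_admin(policy):
    """True when every category grants the admin set (or the "all" wildcard)."""
    for category, required in ADMIN_PERMISSIONS.items():
        granted = {p.lower() for p in policy["permissions"].get(category) or []}
        if "all" not in granted and not required <= granted:
            return False
    return True


def full_admin_policies(vault):
    """Object IDs of access-policy principals that are full administrators."""
    return [p["objectId"] for p in vault["properties"]["accessPolicies"]
            if policy_is_full_admin(p)]


def full_admin_assignments(assignments):
    """(principalId, role, scope) for assignments granting full control,
    including ones inherited from parent scopes."""
    return [(a["principalId"], a["roleDefinitionName"], a["scope"])
            for a in assignments if a["roleDefinitionName"] in ADMIN_ROLES]


def remediation_commands(vault, assignments):
    """az commands that remove each over-privileged grant. Review before
    running: the list may include the identity you are operating as."""
    name = vault["name"]
    cmds = [f"az keyvault delete-policy --name {name} --object-id {oid}"
            for oid in full_admin_policies(vault)]
    cmds += [f'az role assignment delete --assignee {pid} --role "{role}" --scope {scope}'
             for pid, role, scope in full_admin_assignments(assignments)]
    return cmds


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_VAULT, SAMPLE_ASSIGNMENTS):
        print(cmd)
```

Against real data, replace SAMPLE_VAULT with the parsed output of az keyvault show and SAMPLE_ASSIGNMENTS with the parsed output of az role assignment list --scope <vault-resource-id> --include-inherited. The read-only secrets consumer and the Key Vault Secrets User assignment are left alone, which is the least-privilege end state the check asks for; the subscription-level Owner is reported even though it was not granted on the vault, because inherited grants are what the portal and CLI reviews most often miss.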