Restrict ‘User Access Administrator’ Role Usage

Risk Level: High (not acceptable risk)

Rule ID: Subscriptions-005

Ensure that the use of the 'User Access Administrator' role is limited within your Microsoft Azure cloud account in order to minimize security risks and promote the Principle of Least Privilege (i.e., providing users and applications the minimal amount of access required to perform their tasks).

Security

Restricting the use of the 'User Access Administrator' role in Azure cloud is essential to minimize the risk of excessive permissions. This role grants the ability to manage access for all Azure resources, making it highly privileged. Limiting its use reduces the potential for accidental or malicious misuse, enhances security, and aligns with the Principle of Least Privilege (POLP).

Audit

To check the User Access Administrator role usage within your Azure cloud account, perform the following operations:

Using Azure Console

Sign in to the Microsoft Azure Portal.
Navigate to All resources blade available at https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2 to access all your Microsoft Azure subscriptions.
Click on the name (link) of the Azure subscription that you want to examine.
In the navigation panel, choose Access control (IAM) to access the Azure IAM configuration settings available for the selected subscription.
Select the Role assignments tab to view the role assignments for the selected subscription.
Select the All tab to access all role assignments, type User Access Administrator in the Search by name or email box, and press Enter to find any role assignments for the User Access Administrator role. If one or more role assignments are returned, the use of the User Access Administrator role is not restricted within the selected Azure subscription.
Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
```
az account list
	--query '[*].id'
```

The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

Run role assignment list command (Windows/macOS/Linux) with the ID of the Azure subscriptions that you want to examine as the identifier parameter, to describe the role assignments for the User Access Administrator role available in the selected subscription:
```
az role assignment list
	--role "User Access Administrator"
	--scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"
```

The command output should return the role assignments for the User Access Administrator role:

[
	{
		"condition": null,
		"conditionVersion": null,
		"createdBy": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"createdOn": "2025-04-11T12:00:32.061981+00:00",
		"delegatedManagedIdentityResourceId": null,
		"description": null,
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleAssignments/abcd1234-abcd-1234-abcd-abcd1234abcd",
		"name": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"principalId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"principalName": "user1@domain.onmicrosoft.com",
		"principalType": "User",
		"roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleDefinitions/abcd1234-abcd-1234-abcd-abcd1234abcd",
		"roleDefinitionName": "User Access Administrator",
		"scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"type": "Microsoft.Authorization/roleAssignments",
		"updatedBy": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"updatedOn": "2025-04-11T12:00:32.061981+00:00"
	},
	{
		"condition": null,
		"conditionVersion": null,
		"createdBy": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"createdOn": "2024-02-10T11:00:32.061981+00:00",
		"delegatedManagedIdentityResourceId": null,
		"description": null,
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleAssignments/abcd1234-abcd-1234-abcd-abcd1234abcd",
		"name": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"principalId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"principalName": "user2@domain.onmicrosoft.com",
		"principalType": "User",
		"roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleDefinitions/abcd1234-abcd-1234-abcd-abcd1234abcd",
		"roleDefinitionName": "User Access Administrator",
		"scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"type": "Microsoft.Authorization/roleAssignments",
		"updatedBy": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"updatedOn": "2024-02-10T11:00:32.061981+00:00"
	}
]

If the role assignment list command output returns an array with one or more role assignments, as shown in the example above, the use of the User Access Administrator role is not restricted in the selected Azure subscription.

Repeat steps no. 3 and 4 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To restrict the User Access Administrator role usage within your Azure cloud account, perform the following operations:

Using Azure Console

Sign in to the Microsoft Azure Portal.
Navigate to All resources blade available at https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2 to access all your Microsoft Azure subscriptions.
Click on the name (link) of the Azure subscription that you want to configure.
In the navigation panel, choose Access control (IAM) to access the Azure IAM configuration settings available for the selected subscription.
Select the Role assignments tab to view the role assignments for the selected subscription.
Select the All tab to access all role assignments, type User Access Administrator in the Search by name or email box, and press Enter to list only the role assignments created for the User Access Administrator role.
Select the role assignment(s) created for the User Access Administrator role, choose Delete from the page top menu, and select Yes to remove the selected role assignment(s).
(Optional) If you need to add a new role assigment that follows the Principle of Least Privilege (POLP), choose Access control (IAM) from the identity navigation panel, choose Add from the console top menu, select Add role assigment, and perform the following actions:
1. For Role, select the Job function roles tab, and choose the appropriate, non-privileged role that you want to attach. Choose Next to continue the assignment process.
2. For Members, select User, group, or service principal or Managed identity next to Assign access to to choose the principal type that you want to use. Choose Select members next to Members, and select the principal (member) that you want to assign to the selected role. Choose Next to continue. (Optional) For Description, your can add a short description for the new role assignment.
3. For Review + assign, review the role assignment information, then choose Review + assign to complete the assigment process.
Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
```
az account list
	--query '[*].id'
```

The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

Run role assignment delete command (OSX/Linux/UNIX) to remove the role assignment(s) for the User Access Administrator role from the selected Azure subscription (if the request is successful, the command does not produce an output):
```
az role assignment delete
	--role "User Access Administrator"
	--scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"
```
(Optional) If required, run role assignment create command (OSX/Linux/UNIX) to add a new role assigment that follows the Principle of Least Privilege. Replace \ with the name of the non-privileged role that you want to assign:
```
az role assignment create
	--assignee user@domain.com
	--role <iam-role>
	--scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"
```

Once the assignment process is completed, the command output should return the information available for the new role assignment:

{
	"roleDefinitionName": "<iam-role> ",
	"roleDefinitionId": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-1234-abcd-1234-abcd1234abcd",
	"condition": null,
	"conditionVersion": null,
	"createdBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"createdOn": "2025-06-20T08:11:52.463577+00:00",
	"delegatedManagedIdentityResourceId": null,
	"description": null,
	"name": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"principalName": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"principalType": "ServicePrincipal",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"type": "Microsoft.Authorization/roleAssignments",
	"updatedBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"updatedOn": "2025-06-20T08:11:52.463577+00:00"
}

Repeat steps no. 3 – 5 for each subscription available in your Microsoft Azure cloud account.

References

Azure Official Documentation
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

Azure Command Line Interface (CLI) Documentation
az account list
az account set
az role assignment list
az role assignment delete
az role assignment create

Publication date May 8, 2025

Audit

Using Azure Console

Using Azure CLI

Remediation / Resolution

Using Azure Console

Using Azure CLI

References

Related Subscriptions rules