User Access Administrator permission should not be permanently assigned on the root scope

Description

Ensure that no person has permanent access to Azure Subscriptions.

User Access Administrator is a role that allows an administrator to perform everything on an Azure subscription. Global Administrators can gain this permission at the root scope through the Properties page of Entra ID. These permissions should only be used in an emergency and should not be assigned permanently.

Ensure that no User Access Administrator permissions are assigned at the root scope.

How to fix

To remove all admins with root-scope permissions, as a Global Administrator:

  1. Navigate to Microsoft Entra admin center.
  2. Navigate to Entra ID > Overview.
  3. Click on Properties.
  4. On the Properties page, go to the Access management for Azure resources section.
  5. Elevate your account by setting the toggle to Yes and refresh the page.
  6. In the yellow information bar, click Manage elevated access users.
  7. Select all User Access Administrators and click Remove.
  8. Remove elevated access from your account by setting the toggle back to No.

To remove the admins through CLI:

az role assignment delete --role "User Access Administrator" --assignee adminname@yourdomain.com --scope "/"
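The CLI command above removes one known assignee. To find every permanent User Access Administrator assignment at the root scope first, the following added example (not part of this page or of the Azure CLI) processes the JSON output of `az role assignment list --scope "/" --output json` and generates one delete command per finding; the sample JSON is constructed, and listing root-scope assignments requires the elevated access described in the steps above.

```python
import json
import shlex

# Constructed sample of `az role assignment list --scope "/" --output json`.
# Field names follow the Azure CLI output; GUIDs and principal names are made up.
SAMPLE_ASSIGNMENTS = json.dumps([
    {
        "id": "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
        "principalName": "breakglass@contoso.example",
        "principalType": "User",
        "roleDefinitionName": "User Access Administrator",
        "scope": "/",
    },
    {   # same role, but at subscription scope: not a root-scope finding
        "id": "/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333",
        "principalName": "dev-team",
        "principalType": "Group",
        "roleDefinitionName": "User Access Administrator",
        "scope": "/subscriptions/22222222-2222-2222-2222-222222222222",
    },
    {   # root scope, but a different role: not a finding for this check
        "id": "/providers/Microsoft.Authorization/roleAssignments/44444444-4444-4444-4444-444444444444",
        "principalName": "sec-reader",
        "principalType": "User",
        "roleDefinitionName": "Reader",
        "scope": "/",
    },
])

ROLE = "User Access Administrator"


def find_root_uaa(raw_json: str) -> list[dict]:
    """Return assignments of User Access Administrator at exactly the root scope "/"."""
    return [
        a for a in json.loads(raw_json)
        if a.get("scope", "").strip() == "/"
        and a.get("roleDefinitionName", "").lower() == ROLE.lower()
    ]


def removal_commands(raw_json: str) -> list[str]:
    """Build one `az role assignment delete --ids` per finding; the assignment id is
    unambiguous even when two principals share a display name."""
    return [f"az role assignment delete --ids {shlex.quote(a['id'])}"
            for a in find_root_uaa(raw_json)]


if __name__ == "__main__":
    findings = find_root_uaa(SAMPLE_ASSIGNMENTS)
    print(f"{len(findings)} root-scope {ROLE} assignment(s) found")
    for cmd in removal_commands(SAMPLE_ASSIGNMENTS):
        print(cmd)
```

Review the generated commands before running them, then remove your own elevated access as in step 8.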

Learn more