User Access Administrator permission should not be permanently assigned on the root scope
Description
Ensure that no person has permanent access to Azure Subscriptions.
User Access Administrator is a role that allows an administrator to perform everything on an Azure subscription. Global Administrators can grant themselves this role at the root scope ("/") from the Properties page of Microsoft Entra ID, under Access management for Azure resources. This elevated access is intended only for emergencies and should not be assigned permanently.
Ensure that no User Access Administrator permissions at the Root Scope are applied.
How to fix
To remove all Admins with Root Scope permissions, as a Global Admin:
- Navigate to Microsoft 365 admin center https://portal.microsoft.com.
- Search for Microsoft Entra ID and select it.
- Expand the Manage menu and select Properties.
- On the Properties page, go to the Access management for Azure resources section.
- In the information bar, click: Manage elevated access users.
- Select all User Access Administrators and click Remove.
To remove an admin through the Azure CLI (replace adminname@yourdomain.com with the principal to remove):
az role assignment delete --role "User Access Administrator" --assignee adminname@yourdomain.com --scope "/"
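An added audit helper (not part of the original page) that checks the JSON output of `az role assignment list --scope "/" -o json` for User Access Administrator assignments held exactly at the root scope and builds the matching removal commands from the fix above. The sample output embedded below is constructed; the ids and names in it are made up and are not real tenant values.

```python
import json

# Constructed sample in the shape of `az role assignment list --scope "/" -o json`
# (assumed invocation). All ids and principal names below are made up.
SAMPLE_OUTPUT = json.dumps([
    {"id": "/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000001",
     "principalId": "11111111-1111-1111-1111-111111111111",
     "principalName": "adminname@yourdomain.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"id": "/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000002",
     "principalId": "22222222-2222-2222-2222-222222222222",
     "principalName": "ops@yourdomain.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/subscriptions/33333333-3333-3333-3333-333333333333"},  # subscription scope, not root
    {"id": "/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000003",
     "principalId": "44444444-4444-4444-4444-444444444444",
     "principalName": "break-glass-group", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": "/"},  # different role, outside this check
])


def root_scope_uaa(assignments):
    """Return assignments granting User Access Administrator exactly at scope "/"."""
    return [a for a in assignments
            if a.get("scope") == "/"
            and (a.get("roleDefinitionName") or "").lower() == "user access administrator"]


def remediation_commands(findings):
    """Build one removal command per finding, in the form used on the page.

    The principal object id is passed to --assignee (az accepts it as well as a
    UPN), so the same command works for users, groups and service principals.
    """
    return [f'az role assignment delete --role "User Access Administrator" '
            f'--assignee {a["principalId"]} --scope "/"' for a in findings]


def check(raw_json):
    """Parse az output, return (findings, commands); both empty means compliant."""
    findings = root_scope_uaa(json.loads(raw_json))
    return findings, remediation_commands(findings)


if __name__ == "__main__":
    found, cmds = check(SAMPLE_OUTPUT)
    for a, cmd in zip(found, cmds):
        print(f'{a["principalType"]} {a["principalName"]} holds UAA at "/":\n  {cmd}')
```

Run it against real output by piping `az role assignment list --scope "/" -o json` into `check`; review each generated command before executing it.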