Score:0

Changing Azure User Access Administrator?

us flag

The root User Access Administrator that is inherited by all our subscriptions is assigned to an account of an ex-employee. We're keeping that account alive so that we can continue to make changes as needed, but it's a less than ideal setup. Is there some way we can go about removing that account/reassigning those privileges? Or are we stuck with that ex-employee account forever (even the Azure consultants we enlisted were unable to change it)...

Score:1
gb flag

You can remove this by logging in as the old user and going to Azure Active Directory in the Azure Portal.

Then select the Properties screen in the left menu. https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties

The Yes/No toggle at the bottom is for Access management for Azure resources; this controls the User Access Administrator role.

Automated

Through PowerShell or the CLI you can also remove this as a Global Admin with the User Access Administrator role active (root-level Azure subscription access is required):

az role assignment delete --assignee "[email protected]" --role "User Access Administrator" --scope "/"

Or AZ CLI:

az role assignment delete --assignee [email protected] --role "User Access Administrator" --scope "/"

Background info

The User Access Administrator is a temporary solution to gain access to the Azure subscriptions which are tied to the same Azure Active Directory.

The Global Administrator is the only one allowed to do so, and after gaining access, new/direct permissions can be applied to the Azure subscription, after which the User Access Administrator role needs to be disabled again (principle of least privilege).

Access to subscriptions tied to a different Azure AD cannot be resolved this way.
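As an added example (not code from the answer above or from Microsoft), the script below audits a role-assignment listing for exactly the situation described: who holds User Access Administrator at the root scope ("/"), which of those holders is not on an approved list, and the `az role assignment delete` command that would remove each unexpected one. It assumes the JSON field names (`principalName`, `principalType`, `roleDefinitionName`, `scope`) as emitted by `az role assignment list -o json`; the sample listing, accounts and ids are constructed placeholders. The commands are only built as strings for review, never executed.

```python
import json

# Constructed sample in the shape of `az role assignment list -o json` output.
# Every principal, id and subscription below is a placeholder, not a real account.
SAMPLE_ASSIGNMENTS_JSON = """
[
  {
    "id": "/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000001",
    "principalName": "ex-employee@example.com",
    "principalType": "User",
    "roleDefinitionName": "User Access Administrator",
    "scope": "/"
  },
  {
    "id": "/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000002",
    "principalName": "breakglass-admin@example.com",
    "principalType": "User",
    "roleDefinitionName": "User Access Administrator",
    "scope": "/"
  },
  {
    "id": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000003",
    "principalName": "ex-employee@example.com",
    "principalType": "User",
    "roleDefinitionName": "User Access Administrator",
    "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"
  },
  {
    "id": "/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000004",
    "principalName": "platform-admins",
    "principalType": "Group",
    "roleDefinitionName": "Owner",
    "scope": "/"
  }
]
"""

ROOT_SCOPE = "/"
UAA_ROLE = "User Access Administrator"


def root_uaa_assignments(assignments):
    """Return only the assignments granting User Access Administrator at the root scope.

    Subscription-scoped assignments of the same role are deliberately excluded: those are
    managed from the subscription's IAM blade, whereas the root-scope ones are the elevated
    access that only a Global Administrator can create or remove.
    """
    return [
        a for a in assignments
        if a.get("scope") == ROOT_SCOPE and a.get("roleDefinitionName") == UAA_ROLE
    ]


def unexpected_root_uaa(assignments, approved_principals):
    """Root-scope UAA holders whose principal name is not on the approved list (case-insensitive)."""
    approved = {p.lower() for p in approved_principals}
    return [
        a for a in root_uaa_assignments(assignments)
        if a.get("principalName", "").lower() not in approved
    ]


def removal_commands(assignments):
    """Build, but do not run, the az CLI removal command for each assignment.

    The strings are returned for a human to review; nothing is executed here.
    """
    return [
        f'az role assignment delete --assignee "{a["principalName"]}" '
        f'--role "{UAA_ROLE}" --scope "{ROOT_SCOPE}"'
        for a in assignments
    ]


def audit(assignments_json, approved_principals):
    """Parse the listing and return (unexpected root-scope UAA assignments, removal commands)."""
    assignments = json.loads(assignments_json)
    findings = unexpected_root_uaa(assignments, approved_principals)
    return findings, removal_commands(findings)


if __name__ == "__main__":
    findings, cmds = audit(SAMPLE_ASSIGNMENTS_JSON, ["breakglass-admin@example.com"])
    for a, cmd in zip(findings, cmds):
        print(f'{a["principalType"]} {a["principalName"]} holds {UAA_ROLE} at scope {a["scope"]}')
        print("  review, then run as a Global Admin with elevated access:", cmd)
```

Feed it the real listing (for example `az role assignment list --scope "/" --role "User Access Administrator" -o json` run by an account with elevated access) in place of the constructed sample, and keep the approved list to the break-glass identities that are meant to hold this role; anything else the audit flags is a candidate for the removal step the answer describes.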

Score:1
in flag

There are several terms:

  • Azure AD tenant (something.onmicrosoft.com), which is the directory of all users. In its properties you can set that all users with the "Global Admin" role have access to all Azure subscriptions.
  • Azure subscription, which has an owner (a user); this can be changed using portal.azure.com or via a support ticket. It is typically a user from the organization (Azure AD tenant) in charge of the project / payments.

You can add additional users (free) in the Azure AD tenant and grant them access permissions to the Azure subscription or resource groups (using IAM).

us flag
Has not enabled me to solve my problem yet, but is helpful information in my search
in flag
You can simply use Azure AD roles and Azure AD Security groups to achieve permissions on Azure subscription or resource group level. You should not reuse one account for multiple persons due to security concerns.
us flag
That's the problem. I can't find where this role is being assigned to change it the proper way...
in flag
portal.azure.com > Subscriptions > IAM
us flag
That screen does not allow changing this attribute at the root level