User, Group or Applications have full administrator privileges
More Info:
In Microsoft Azure Key Vault, check for any Users, Groups or Applications with full administrator privileges configured to access and manage Azure Key Vaults, in order to adhere to security best practices and implement the principle of least privileges.Risk Level
CriticalAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration in Azure where a user, group, or application has full administrator privileges, follow these steps:
- Log in to the Azure portal (https://portal.azure.com/).
- Navigate to the “Azure Active Directory” service.
- Click on “Users” or “Groups” depending on which entity has full administrator privileges.
- Select the user or group that has full administrator privileges.
- Click on the “Directory role” tab.
- Click on “None” to remove all roles assigned to the user or group.
- Click “Save” to apply the changes.
- Repeat the above steps for any other users or groups that have full administrator privileges.
- To ensure that no application has full administrator privileges, navigate to the “Enterprise Applications” service.
- Click on the application that has full administrator privileges.
- Click on the “Properties” tab.
- Under “Permissions”, click on “Remove permission”.
- Click “Yes” to confirm the removal of all permissions.
- Repeat the above steps for any other applications that have full administrator privileges.
Using CLI
Using CLI
To remediate the misconfiguration of having User, Group or Applications with full administrator privileges in AZURE using AZURE CLI, follow these steps:
-
Login to your AZURE account using the AZURE CLI by running the command
az loginand enter your credentials. -
Once you are logged in, you need to identify the user, group or application that has full administrator privileges in your AZURE subscription. You can do this by running the command
az role assignment list --allwhich will list all the role assignments in your subscription. -
Identify the role assignment that has full administrator privileges and make a note of the
principalIdvalue. -
Next, you need to remove the role assignment from the user, group or application that has full administrator privileges. You can do this by running the command
az role assignment delete --assignee <principalId> --role "Owner"where<principalId>is the value you noted in step 3. -
Once the role assignment has been removed, you should verify that the user, group or application no longer has full administrator privileges. You can do this by running the command
az role assignment list --allagain and verifying that the role assignment has been removed. - Finally, you should ensure that the user, group or application has the appropriate level of access required to perform their tasks. You can assign them a more appropriate role or create a custom role with the required permissions using the AZURE CLI.
Using Python
Using Python
To remediate the misconfiguration of having user, group, or applications with full administrator privileges in Azure using Python, you can follow these steps:Note: Replace
-
Connect to Azure using Python SDK: Use the Azure SDK for Python to connect to your Azure account. You can use the
azure.identityandazure.mgmt.authorizationmodules to authenticate and access the Azure resources. -
Get the list of users, groups, and applications with full administrator privileges: Use the
RoleAssignmentsOperationsclass from theazure.mgmt.authorizationmodule to get the list of role assignments that have full administrator privileges. You can filter the role assignments based on therole_definition_idproperty that corresponds to the built-inOwnerrole. -
Revoke the full administrator privileges: Use the
RoleAssignmentsOperationsclass to revoke the full administrator privileges from the users, groups, and applications that have them. You can use thedelete_by_idmethod to delete the role assignments.
<your-subscription-id> with your actual subscription ID.