
Restrict 'User Access Administrator' Role Usage

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the use of the 'User Access Administrator' role is limited within your Microsoft Azure cloud account in order to minimize security risks and promote the Principle of Least Privilege (i.e., providing users and applications the minimal amount of access required to perform their tasks).

Security

Restricting the use of the 'User Access Administrator' role in Azure cloud is essential to minimize the risk of excessive permissions. The role grants the Microsoft.Authorization/* actions at the scope where it is assigned, so a principal that holds it can create, change and delete role assignments for any other principal, including granting itself (or an attacker who compromises it) the Owner role. It is therefore a privilege-escalation path that is effectively as powerful as Owner, even though it carries no direct rights over the resources themselves. Limiting its use to a small, reviewed set of identities reduces the potential for accidental or malicious misuse, enhances security, and aligns with the Principle of Least Privilege (POLP).


Audit

To check the User Access Administrator role usage within your Azure cloud account, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the Subscriptions blade available at https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2 to access all your Microsoft Azure subscriptions.

03 Click on the name (link) of the Azure subscription that you want to examine.

04 In the navigation panel, choose Access control (IAM) to access the Azure IAM configuration settings available for the selected subscription.

05 Select the Role assignments tab to view the role assignments for the selected subscription.

06 Type User Access Administrator in the Search by name or email box and press Enter to find any role assignments for the User Access Administrator role. If one or more role assignments are returned, the use of the User Access Administrator role is not restricted within the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run role assignment list command (Windows/macOS/Linux) with the ID of the Azure subscriptions that you want to examine as the identifier parameter, to describe the role assignments for the User Access Administrator role available in the selected subscription:

az role assignment list
	--role "User Access Administrator"
	--scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"

04 The command output should return the role assignments for the User Access Administrator role:

[
	{
		"condition": null,
		"conditionVersion": null,
		"createdBy": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"createdOn": "2025-04-11T12:00:32.061981+00:00",
		"delegatedManagedIdentityResourceId": null,
		"description": null,
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleAssignments/abcd1234-abcd-1234-abcd-abcd1234abcd",
		"name": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"principalId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"principalName": "user1@domain.onmicrosoft.com",
		"principalType": "User",
		"roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleDefinitions/abcd1234-abcd-1234-abcd-abcd1234abcd",
		"roleDefinitionName": "User Access Administrator",
		"scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"type": "Microsoft.Authorization/roleAssignments",
		"updatedBy": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"updatedOn": "2025-04-11T12:00:32.061981+00:00"
	},
	{
		"condition": null,
		"conditionVersion": null,
		"createdBy": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"createdOn": "2024-02-10T11:00:32.061981+00:00",
		"delegatedManagedIdentityResourceId": null,
		"description": null,
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleAssignments/abcd5678-abcd-5678-abcd-abcd5678abcd",
		"name": "abcd5678-abcd-5678-abcd-abcd5678abcd",
		"principalId": "abcd5678-abcd-5678-abcd-abcd5678abcd",
		"principalName": "user2@domain.onmicrosoft.com",
		"principalType": "User",
		"roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleDefinitions/abcd1234-abcd-1234-abcd-abcd1234abcd",
		"roleDefinitionName": "User Access Administrator",
		"scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"type": "Microsoft.Authorization/roleAssignments",
		"updatedBy": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"updatedOn": "2024-02-10T11:00:32.061981+00:00"
	}
]

If the role assignment list command output returns an array with one or more role assignments, as shown in the example above, the use of the User Access Administrator role is not restricted in the selected Azure subscription. Note that with --scope alone the command returns only the assignments made directly at the subscription scope. Add --all to also return assignments made on resource groups and individual resources inside the subscription, and --include-inherited to return assignments made at a parent management group or at the root scope "/" (for example the User Access Administrator assignment a Global Administrator receives through Elevate access). Eligible assignments managed through Privileged Identity Management are not active role assignments and do not appear in this output at all.

05 Repeat steps no. 3 and 4 for each subscription created in your Microsoft Azure cloud account.
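The following script is an added example; it is not part of the original Knowledge Base article and not a component of the Azure CLI. It implements the audit above as code that runs over the JSON printed by az role assignment list --all --include-inherited -o json for one subscription, and it also emits the az role assignment delete --ids commands that the Remediation section relies on. It matches on the well-known definition ID of the built-in User Access Administrator role (18d7d88d-d35e-4fb5-a5c3-7773c20a72d9) rather than on the display name, and it goes beyond the page's --scope check by classifying each finding by the scope it was granted at (subscription, child resource group or resource, management group, root), so child-scope and inherited assignments are caught as well. The embedded SAMPLE_ASSIGNMENTS, the subscription ID, the management group name and every principal name are constructed placeholders.

```python
"""Audit one subscription's role assignments for User Access Administrator (UAA).

Input shape: the JSON array printed by
    az role assignment list --all --include-inherited -o json
Only the fields id, principalName, principalType, roleDefinitionId and scope
are used. SAMPLE_ASSIGNMENTS below is constructed data in that shape, so the
script runs offline without calling az.
"""
import json

# Definition ID of the built-in User Access Administrator role. Built-in role
# GUIDs are identical in every tenant, so matching on the GUID is more robust
# than matching on roleDefinitionName, which a custom role can mimic.
UAA_ROLE_DEFINITION_ID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
READER_ROLE_DEFINITION_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"  # sample data only
OWNER_ROLE_DEFINITION_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"   # sample data only

SUBSCRIPTION_ID = "abcdabcd-1234-abcd-1234-abcdabcdabcd"  # placeholder, as on this page
MG_SCOPE = "/providers/Microsoft.Management/managementGroups/corp-root"  # placeholder


def _assignment(name, principal, ptype, role_guid, scope):
    """Constructed record carrying the fields az emits that the check relies on."""
    return {
        "id": f"{scope}/providers/Microsoft.Authorization/roleAssignments/{name}",
        "name": name,
        "principalName": principal,
        "principalType": ptype,
        "roleDefinitionId": f"/providers/Microsoft.Authorization/roleDefinitions/{role_guid}",
        "scope": scope,
    }


SAMPLE_ASSIGNMENTS = json.dumps([
    # direct UAA at subscription scope: the case the page's --scope check finds
    _assignment("a1", "user1@domain.onmicrosoft.com", "User", UAA_ROLE_DEFINITION_ID,
                f"/subscriptions/{SUBSCRIPTION_ID}"),
    # UAA on a resource group: not returned by --scope without --all
    _assignment("a2", "rg-prod-admins", "Group", UAA_ROLE_DEFINITION_ID,
                f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-prod"),
    # UAA inherited from a management group: not returned without --include-inherited
    _assignment("a3", "breakglass@domain.onmicrosoft.com", "User", UAA_ROLE_DEFINITION_ID,
                MG_SCOPE),
    # other roles are outside this check
    _assignment("a4", "automation-sp", "ServicePrincipal", READER_ROLE_DEFINITION_ID,
                f"/subscriptions/{SUBSCRIPTION_ID}"),
    _assignment("a5", "owner@domain.onmicrosoft.com", "User", OWNER_ROLE_DEFINITION_ID,
                f"/subscriptions/{SUBSCRIPTION_ID}"),
])


def role_guid(assignment):
    """Last path segment of roleDefinitionId, lower-cased."""
    return assignment["roleDefinitionId"].rstrip("/").rsplit("/", 1)[-1].lower()


def scope_kind(scope, subscription_id):
    """Classify where an assignment was granted relative to the subscription."""
    s = scope.lower()
    sub = f"/subscriptions/{subscription_id.lower()}"
    if s == "/":
        return "root"              # e.g. Global Administrator 'Elevate access'
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "management-group"
    if s == sub:
        return "subscription"
    if s.startswith(sub + "/"):
        return "child"             # resource group or individual resource
    return "other"


def find_uaa_assignments(assignments, subscription_id):
    """Return one finding per assignment whose role is the built-in UAA role."""
    findings = []
    for a in assignments:
        if role_guid(a) != UAA_ROLE_DEFINITION_ID:
            continue
        kind = scope_kind(a["scope"], subscription_id)
        findings.append({
            "principal": a.get("principalName") or a.get("principalId"),
            "principalType": a.get("principalType"),
            "scope": a["scope"],
            "scopeKind": kind,
            "inherited": kind in ("root", "management-group"),
            "assignmentId": a["id"],
        })
    return findings


def evaluate(assignments_json, subscription_id):
    """Check verdict for one subscription plus a delete command per finding."""
    findings = find_uaa_assignments(json.loads(assignments_json), subscription_id)
    return {
        "subscription": subscription_id,
        "compliant": not findings,
        "findings": findings,
        # --ids takes the full assignment resource ID, so the same command form
        # works for direct, child-scope and inherited assignments (inherited ones
        # need roleAssignments/delete rights at the parent scope).
        "deleteCommands": [f'az role assignment delete --ids "{f["assignmentId"]}"'
                           for f in findings],
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_ASSIGNMENTS, SUBSCRIPTION_ID), indent=2))
```

To use it against a real subscription, replace SAMPLE_ASSIGNMENTS with the output of the az command named in the docstring (or read it from stdin) and loop over the subscription IDs from az account list. Inherited findings cannot be removed from inside the subscription: the generated --ids command still works because it carries the full assignment ID, but the caller needs permission at the management group or root scope. PIM-eligible assignments are absent from this data altogether; they are exposed as Microsoft.Authorization/roleEligibilityScheduleInstances and need a separate query.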

Remediation / Resolution

To restrict the User Access Administrator role usage within your Azure cloud account, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the Subscriptions blade available at https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2 to access all your Microsoft Azure subscriptions.

03 Click on the name (link) of the Azure subscription that you want to configure.

04 In the navigation panel, choose Access control (IAM) to access the Azure IAM configuration settings available for the selected subscription.

05 Select the Role assignments tab to view the role assignments for the selected subscription.

06 Type User Access Administrator in the Search by name or email box and press Enter.

07 Select the role assignment(s) for the User Access Administrator role, choose Delete from the console top menu, and select Yes to remove the selected role assignments.

08 (Optional) If you need to add a new role assignment that follows the Principle of Least Privilege (POLP), choose Access control (IAM) from the subscription navigation panel, choose Add from the console top menu, select Add role assignment, and perform the following actions:

  1. For Role, select the Job function roles tab, and choose the least-privileged role that still covers the tasks the principal has to perform. Choose Next to continue the assignment process.
  2. For Members, select User, group, or service principal next to Assign access to, choose Select members next to Members, and select the user, group, or service principal that requires the access. Choose Next to continue.
  3. For Review + assign, review the role assignment information, then choose Review + assign to complete the assignment process.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run role assignment delete command (Windows/macOS/Linux) to remove the role assignment(s) for the User Access Administrator role from the selected Azure subscription (if the request is successful, the command does not produce an output). As written, the command removes every User Access Administrator assignment made directly at the given scope; to remove the assignment of a single principal instead, add the --assignee parameter with that principal's name or object ID. Before running it, confirm that a separate identity you control retains the Owner role at this scope, so that access to the subscription can still be administered afterwards:

az role assignment delete
	--role "User Access Administrator"
	--scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"

04 (Optional) If required, run role assignment create command (Windows/macOS/Linux) to add a new role assignment that follows the Principle of Least Privilege. Replace <iam-role> with the name of the non-privileged role that you want to assign, and user@domain.com with the user, group, or service principal that requires the access:

az role assignment create
	--assignee user@domain.com
	--role <iam-role>
	--scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"

05 Once the assignment process is completed, the command output should return the information available for the new role assignment:

{
	"roleDefinitionName": "<iam-role>",
	"roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-1234-abcd-1234-abcd1234abcd",
	"condition": null,
	"conditionVersion": null,
	"createdBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"createdOn": "2025-06-20T08:11:52.463577+00:00",
	"delegatedManagedIdentityResourceId": null,
	"description": null,
	"name": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"principalName": "user@domain.com",
	"principalType": "User",
	"scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"type": "Microsoft.Authorization/roleAssignments",
	"updatedBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"updatedOn": "2025-06-20T08:11:52.463577+00:00"
}

06 Repeat steps no. 3 – 5 for each subscription available in your Microsoft Azure cloud account.


Publication date May 8, 2025