How to remove elevated access for users in the Azure Portal – Wim Matthyssen


This blog post will guide you through removing elevated access for users via the Azure Portal.

When a user elevates their access, they are assigned the User Access Administrator role at the root scope (/). This role grants them permission to manage access to all Azure subscriptions, management groups, and resources within the tenant.

💡 In my tenant, I renamed the root management group’s display name from Tenant Root Group to mg-tenantroot.

More specifically, a User Access Administrator can assign or remove Azure roles for users, groups, and service principals, granting them the necessary permissions to access resources.

They can also manage access to these resources by modifying access control policies (RBAC roles) to ensure that the appropriate users or services have the required permissions.

Additionally, they can view the access permissions granted to users, groups, or service principals.

Because of these broad capabilities, it’s crucial to assign the User Access Administrator role only to trusted individuals and to monitor their actions carefully to avoid misuse or accidental security risks.

Moreover, it’s important to remove elevated access for those users when it’s no longer needed to minimize the risk of unauthorized access, misuse, or other security concerns.

In this blog post, I’ll show you how to remove elevated access from a user directly in the Azure Portal, without needing Azure PowerShell, Azure CLI, or the REST API, as was required before.

Remove elevated access from a user

To remove elevated access from a user, sign in to the Azure portal as a Global Administrator. Then, in the global search bar, type “Entra” to open the Microsoft Entra ID page.

If you’re using Microsoft Entra Privileged Identity Management, make sure to first activate your Global Administrator role assignment.

⚠️ To be able to remove this elevated access role assignment from a user, you must also have elevated access privileges yourself.

On the Microsoft Entra ID page, select Properties.

Under Access management for Azure resources, set the toggle to Yes to assign yourself, as a Global Administrator, the User Access Administrator role at the root scope, granting you permission to assign roles across all Azure subscriptions and management groups. Click Save to apply your settings.

After setting this, go back to Access management for Azure resources and find the banner displaying the number of users with elevated access. Then, on the same banner, select the Manage elevated access users link to view the list of users with elevated access.

The Users with elevated access pane will appear, displaying a list of users with elevated access in your tenant. To remove elevated access for a user, select the user by checking the box next to their name, then click Remove.

This will remove the User Access Administrator role assignment from that user.
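The same audit and removal done with Az PowerShell, as an added example that is not part of the original post (this is the route the post says was previously required). It assumes the Az.Resources module is installed, that you are signed in as a Global Administrator who has already elevated access, and the user object ID is a placeholder you replace.

```powershell
# Added example, not from the original post.
# Assumes: Az.Resources module installed, session already elevated
# (User Access Administrator at the root scope "/").
Connect-AzAccount

# 1. Audit: list every User Access Administrator assignment at the root scope.
#    These are the users the portal's "Users with elevated access" pane shows.
$elevated = Get-AzRoleAssignment |
    Where-Object {
        $_.RoleDefinitionName -eq "User Access Administrator" -and
        $_.Scope -eq "/"
    }

$elevated |
    Select-Object DisplayName, SignInName, ObjectType, ObjectId, Scope |
    Format-Table -AutoSize

# 2. Remove the root-scope assignment for one specific user.
#    Placeholder: replace with the object ID from the list above.
$userObjectId = "<object-id-of-user-to-remove>"

Remove-AzRoleAssignment -ObjectId $userObjectId `
    -RoleDefinitionName "User Access Administrator" `
    -Scope "/"

# 3. When you are done, drop your own elevated access as well, since
#    it is only needed for this cleanup.
Remove-AzRoleAssignment -SignInName (Get-AzContext).Account.Id `
    -RoleDefinitionName "User Access Administrator" `
    -Scope "/"
```

Re-run step 1 afterwards to confirm the list is empty apart from any assignments you intend to keep.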

Conclusion

Previously, you could only remove the User Access Administrator role from a user using Azure PowerShell, Azure CLI, or the REST API.

However, now you can do this directly from the Azure Portal if you have the Global Administrator role and elevate yourself to User Access Administrator. As demonstrated in this blog post, you can then easily remove this role from any user who currently has it assigned.

If you have any questions or suggestions about this blog post, feel free to reach out to me on X (@wmatthyssen) or leave a comment. I’ll be happy to assist!
