maester365 · merill · May 4, 2025 · Apr 14, 2025 · Apr 16, 2025 · Apr 16, 2025
@@ -165,6 +165,7 @@ FunctionsToExport = 'Add-MtTestResultDetail', 'Clear-MtGraphCache', 'Connect-Mae
                'Resolve-SpfRecord', 'Clear-MtDnsCache',
                'Test-MtTeamsRestrictParticipantGiveRequestControl',
                'Test-MtHighRiskAppPermissions',
+               'Test-MtUserAccessAdmin',
                'Test-ORCA100',
                'Test-ORCA101', 'Test-ORCA102', 'Test-ORCA103',
                'Test-ORCA104', 'Test-ORCA105', 'Test-ORCA106',

@@ -0,0 +1,28 @@
+Ensure that no person has permanent access to Azure Subscriptions.
+
+User Access Administrator is a role that allows an Administrator to perform everything on an Azure Subscription. Global Administrators can gain this permission on the Root Scope in Entra ID, in the properties of the Entra ID tenant. These permissions should only be used in case of emergency and should not be assigned permanently.
+
+Ensure that no User Access Administrator permissions at the Root Scope are applied.
+
+#### Remediation action:
+
+To remove all Admins with Root Scope permissions, as a Global Admin:
+1. Navigate to Microsoft Azure Portal [https://portal.azure.com](https://portal.azure.com).
+2. Search for **Microsoft Entra ID** and select **Microsoft Entra ID**.
+3. Expand the **Manage** menu and select **Properties**.
+3. On the **Properties** page, go to the **Access management for Azure resources** section.
+4. In the information bar, click **Manage elevated access users**.
+5. Select all User Access Administrators and click **Remove**.
+
+To remove the admins through CLI:
+```powershell
+az role assignment delete --role "User Access Administrator" --assignee adminname@yourdomain.com --scope "/"
+```
+
+#### Related links
+
+* [Manage who can create Microsoft 365 Groups](https://learn.microsoft.com/en-us/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide)
+
+
+<!--- Results --->
+%TestResult%
@@ -0,0 +1,75 @@
+<#
+.SYNOPSIS
+    Checks if any Global Admins have User Access Control permissions at the Root Scope
+
+.DESCRIPTION
+    Ensure that no one has permanent access to all subscriptions through the Root Scope.
+
+.EXAMPLE
+    Test-MtUserAccessAdmin
+
+    Returns true if no User Access Control permissions are assigned at the root scope
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtUserAccessAdmin
+#>
+function Test-MtUserAccessAdmin {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    Write-Verbose "Checking if connected to Graph"
+    if (!(Test-MtConnection Graph)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    if(!(Test-MtConnection Azure)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedAzure
+        return $null
+    }
+
+    Write-Verbose "Getting all User Access Administrators at Root Scope"
+    try {
+        $roles = Get-AzRoleAssignment -Scope "/" -RoleDefinitionName 'User Access Administrator' -ErrorAction Stop
+    } catch {
+        Write-Error "Failed to retrieve role assignments at root scope"
+        Add-MtTestResultDetail -SkippedBecause NotConnectedAzure
+        return $null
+    }
+
+    # Get the count of role assignments
+    $roleAssignmentCount = $roles.Count
+
+    $testResult = $roleAssignmentCount -eq 0
+
+    if ($testResult) {
+        $testResultMarkdown = "Well done. Your tenant has no User Access Administrators:`n`n%TestResult%"
+    }
+    else {
+        $testResultMarkdown = "Your tenant has $roleAssignmentCount User Access Administrators:`n`n%TestResult%"
+    }
+
+    # $itemCount is used to limit the number of returned results shown in the table
+    $itemCount = 0
+    $resultMd = "| Display Name | User Access |`n"
+    $resultMd += "| --- | --- |`n"
+    foreach ($item in $resultObject) {
+        $itemCount += 1
+        $itemResult = "❌ Fail"
+        # We are restricting the table output to 50 below as it could be extremely large
+        if ($itemCount -lt 51) {
+            $resultMd += "| $($item.SignInName) | $($itemResult) |`n"
+        }
+    }
+    # Add a limited results message if more than 6 results are returned
+    if ($itemCount -gt 50) {
+        $resultMd += "Results limited to 50`n"
+    }
+
+    $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $resultMd
+
+    Add-MtTestResultDetail -Result $testResultMarkdown
+
+    return $testResult
+}
@@ -0,0 +1,10 @@
+BeforeAll {
+    . $PSScriptRoot/Test-MtUserAccessAdmin.ps1
+}
+Describe "AzureConfig" -Tag "Privilege", "Azure" {
+    It "MT. Check 'User Access Administrators' at root scope" {
+
+        $result = Test-MtUserAccessAdmin
+
+        $result | Should -Be $true -Because "No User Access Administrators at root scope"}
+}
@@ -49,10 +49,10 @@ The Azure Role Based Access Control (RBAC) implementation utilizes Uniform Resou
 > The Azure RBAC permissions are necessary to support tests that validate [Azure configurations](https://maester.dev/docs/installation#installing-azure-and-exchange-online-modules), such as the [CISA tests](https://maester.dev/docs/tests/cisa/entra#:~:text=Test%2DMtCisaDiagnosticSettings).
 
 The following PowerShell script will enable you, with a Global Administrator role assignment, to:
-- Identify the Service Principal Object ID that will be authorized as a Reader and the Subscription ID to authorize for
+- Identify the Service Principal Object ID that will be authorized as a Reader (Enterprise app Object ID)
 - Install the necessary Az module and prompt for connection
 - Elevate your account access to the root scope
-- Create a role assignment for Reader access over the Subscription and objects within
+- Create a role assignment for Reader access over the Root Scope
 - Create a role assignment for Reader access over the Entra ID (i.e., [aadiam provider](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/identity#microsoftaadiam))
 - Identify the role assignment authorizing your account access to the root scope
 - Delete the root scope role assignment for your account
@@ -65,8 +65,11 @@ Install-Module Az.Resources -Force
 Connect-AzAccount
 #Elevate to root scope access
 $elevateAccess = Invoke-AzRestMethod -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2015-07-01" -Method POST
-New-AzRoleAssignment -ObjectId $servicePrincipal -Scope "/subscriptions/$subscription" -RoleDefinitionName "Reader" -ObjectType "ServicePrincipal"
+
+#Assign permissions to Enterprise App
+New-AzRoleAssignment -ObjectId $servicePrincipal -Scope "/" -RoleDefinitionName "Reader" -ObjectType "ServicePrincipal"
 New-AzRoleAssignment -ObjectId $servicePrincipal -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName "Reader" -ObjectType "ServicePrincipal"
+
 #Remove root scope access
 $assignment = Get-AzRoleAssignment -RoleDefinitionId 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9|?{$_.Scope -eq "/" -and $_.SignInName -eq (Get-AzContext).Account.Id}
 $deleteAssignment = Invoke-AzRestMethod -Path "$($assignment.RoleAssignmentId)?api-version=2018-07-01" -Method DELETE

@@ -0,0 +1,35 @@
+---
+title: MT.1056 - User Access Administrator permission should not be permanently assigned on the root scope
+description: Global Admins should not have permanent access to Azure Subscriptions at the root scope
+slug: /tests/MT.1056
+sidebar_class_name: hidden
+---
+
+# User Access Administrator permission should not be permanently assigned on the root scope
+
+## Description
+Ensure that no person has permanent access to Azure Subscriptions.
+
+User Access Administrator is a role that allows an Administrator to perform everything on an Azure Subscription. Global Administrators can gain this permission on the Root Scope in Entra ID, in the properties of Entra ID. These permissions should only be used in case of emergency and should not be assigned permanently.
+
+Ensure that no User Access Administrator permissions at the Root Scope are applied.
+
+## How to fix
+
+To remove all Admins with Root Scope permissions, as a Global Admin:
+1. Navigate to Microsoft 365 admin center [https://portal.microsoft.com](https://portal.microsoft.com).
+2. Search for **Microsoft Entra ID** select **Microsoft Entra ID**.
+3. Expand the **Manage** menu, select **Properties**
+3. On the **Properties** page, go to the **Access management for Azure resources** section.
+4. In the information bar, click: **Manage elevated access users**.
+5. Select all User Access Administrators, and click **Remove**
+
+To remove the admins through CLI:
+```powershell
+az role assignment delete --role "User Access Administrator" --assignee adminname@yourdomain.com --scope "/"
+```
+
+## Learn more
+
+* [Elevate access to manage all Azure subscriptions and management groups](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin)
+