
Elevate access for Azure subscriptions and group management

As organizations expand their Azure Active Directory (AD) usage, managing multiple subscriptions and organizing resources across various departments or projects becomes increasingly complex.

To streamline this process and ensure effective governance, Azure offers a feature called “Elevate access,” which allows a user to manage all subscriptions and management groups centrally. This article explores the significance of elevate access, its benefits, and how to use it effectively for efficient Azure management.

Challenges with managing multiple subscriptions and groups

As organizations scale their Azure usage, managing multiple subscriptions manually can present several challenges:

Benefits of elevated access

To address these challenges, Azure introduced “elevate access”. These are a few reasons why you may need to elevate your access.

Step-by-step guide to elevate your access (using Azure portal)

Follow these steps to elevate access.

1) Open Microsoft Entra ID (formerly Azure AD).

2) In the Manage section, click Properties.

3) Locate Access Management for Azure resources. Set the toggle to Yes.

4) Click Save to apply the changes.

5) Sign out and sign in again so that the change takes effect.

You should now have access to all the Azure subscriptions and management groups.

Since elevated access grants full access to every subscription and management group in the tenant, it is better to revoke it as soon as the delegated work is done. Here’s a guide on how to remove the elevated access.

Step-by-step guide to remove elevated access (using Azure portal)

Follow these steps to remove access.

1) Sign in with the same user that has elevated access.

2) In Microsoft Entra ID, go to Properties.

3) Locate Access Management for Azure resources. Set the toggle to No.

4) Sign out to remove the elevated access.

Step-by-step guide to elevate your access (using REST API)

1) Using REST, call elevateAccess, which grants you the User Access Administrator role at root scope (/).

POST https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01

Step-by-step guide to remove elevated access (using REST API)

1) To revoke those privileges, you need to remove the User Access Administrator role assignment for yourself at root scope (/).

Call Role Definitions – Get with a filter where roleName equals User Access Administrator to determine the name ID of the User Access Administrator role.

GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01&$filter=roleName+eq+'User Access Administrator'

{
  "value": [
    {
      "properties": {
        "roleName": "User Access Administrator",
        "type": "BuiltInRole",
        "description": "Lets you manage user access to Azure resources.",
        "assignableScopes": [
          "/"
        ],
        "permissions": [
          {
            "actions": [
              "*/read",
              "Microsoft.Authorization/*",
              "Microsoft.Support/*"
            ],
            "notActions": []
          }
        ],
        "createdOn": "0001-01-01T08:00:00.0000000Z",
        "updatedOn": "2016-05-31T23:14:04.6964687Z",
        "createdBy": null,
        "updatedBy": null
      },
      "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
      "type": "Microsoft.Authorization/roleDefinitions",
      "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
    }
  ],
  "nextLink": null
}

Save the ID from the name parameter.

2) List all assignments at directory scope for the principalId of the directory administrator who made the elevate access call. This returns every role assignment in the directory for that object ID.

GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId+eq+'{objectid}'

The previous call returns a list of role assignments. Find the role assignment where the scope is “/”, the roleDefinitionId ends with the role name ID you found in step 1, and the principalId matches the object ID of the directory administrator.

Sample role assignment:

{
  "value": [
    {
      "properties": {
        "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
        "principalId": "{objectID}",
        "scope": "/",
        "createdOn": "2016-08-17T19:21:16.3422480Z",
        "updatedOn": "2016-08-17T19:21:16.3422480Z",
        "createdBy": "22222222-2222-2222-2222-222222222222",
        "updatedBy": "22222222-2222-2222-2222-222222222222"
      },
      "id": "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "11111111-1111-1111-1111-111111111111"
    }
  ],
  "nextLink": null
}

Again, save the ID from the name parameter.

3) Finally, use the role assignment ID to remove the assignment added by elevate access:

DELETE https://management.azure.com/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111?api-version=2022-04-01
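The three REST steps above are easy to get wrong by hand: picking the wrong assignment deletes a legitimate role grant, and missing the root-scope one leaves the administrator with tenant-wide User Access Administrator rights. The following Python script is an added example, not code from the original article or from Microsoft. It takes the two JSON responses shown above (embedded here as constructed samples, with a placeholder principal ID and a placeholder second assignment at subscription scope to show that it is left alone), resolves the role definition name ID, selects only the assignment at scope "/" for that role and that principal, and builds the DELETE URL. Sending the requests with a bearer token is left to the caller; the script only decides what to delete.

```python
"""Added example: locate the root-scope User Access Administrator assignment
created by elevateAccess and build the DELETE request that removes it.
Sample responses are constructed from the article's examples; principal and
subscription IDs are placeholders."""
import json

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"
UAA_ROLE_NAME = "User Access Administrator"

# Constructed sample: the Role Definitions - Get response from the article.
ROLE_DEFINITIONS_RESPONSE = json.dumps({
    "value": [{
        "properties": {"roleName": UAA_ROLE_NAME, "type": "BuiltInRole",
                       "assignableScopes": ["/"]},
        "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
        "type": "Microsoft.Authorization/roleDefinitions",
        "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
    }],
    "nextLink": None,
})

# Placeholder object ID of the administrator who called elevateAccess.
ADMIN_OBJECT_ID = "00000000-0000-0000-0000-00000000aaaa"

# Constructed sample: the Role Assignments - List response. The first entry is
# an ordinary subscription-scoped assignment (placeholder IDs) that must be
# kept; the second is the root-scope assignment added by elevate access.
ROLE_ASSIGNMENTS_RESPONSE = json.dumps({
    "value": [
        {
            "properties": {
                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/99999999-9999-9999-9999-999999999999",
                "principalId": ADMIN_OBJECT_ID,
                "scope": "/subscriptions/00000000-0000-0000-0000-000000000001",
            },
            "id": "/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333",
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "33333333-3333-3333-3333-333333333333",
        },
        {
            "properties": {
                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
                "principalId": ADMIN_OBJECT_ID,
                "scope": "/",
                "createdBy": "22222222-2222-2222-2222-222222222222",
            },
            "id": "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "11111111-1111-1111-1111-111111111111",
        },
    ],
    "nextLink": None,
})


def role_definition_name(role_definitions_json, role_name):
    """Step 1: return the 'name' GUID of the built-in role called role_name."""
    body = json.loads(role_definitions_json)
    for definition in body.get("value", []):
        if definition.get("properties", {}).get("roleName") == role_name:
            return definition["name"]
    raise LookupError(f"role definition {role_name!r} not found")


def find_root_scope_assignments(role_assignments_json, role_def_name, principal_id):
    """Step 2: names of assignments at scope '/' for this role and principal.
    All three conditions from the article must hold, so assignments at any
    narrower scope, for other roles, or for other principals are ignored."""
    body = json.loads(role_assignments_json)
    matches = []
    for assignment in body.get("value", []):
        props = assignment.get("properties", {})
        if (props.get("scope") == "/"
                and props.get("roleDefinitionId", "").endswith("/" + role_def_name)
                and props.get("principalId") == principal_id):
            matches.append(assignment["name"])
    return matches


def delete_url(assignment_name):
    """Step 3: the DELETE request that removes one role assignment."""
    return (f"{ARM}/providers/Microsoft.Authorization/roleAssignments/"
            f"{assignment_name}?api-version={API_VERSION}")


def plan_removal(role_definitions_json, role_assignments_json, principal_id):
    """Run steps 1-3 and return the DELETE URLs for the elevated assignments."""
    role_id = role_definition_name(role_definitions_json, UAA_ROLE_NAME)
    names = find_root_scope_assignments(role_assignments_json, role_id, principal_id)
    return [delete_url(name) for name in names]


if __name__ == "__main__":
    for url in plan_removal(ROLE_DEFINITIONS_RESPONSE, ROLE_ASSIGNMENTS_RESPONSE, ADMIN_OBJECT_ID):
        print("DELETE", url)
```

Both list calls are paged: if nextLink in a real response is not null, fetch that URL and feed each page through the same functions before concluding that no root-scope assignment exists. An empty result from plan_removal after a known elevation is a finding in itself, since it means the assignment was moved or removed by someone else.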

Step-by-step guide to elevate and remove elevated access (using PowerShell)

1) Use the Azure portal or the REST API to elevate access for a global administrator.

2) To remove the User Access Administrator role assignment for yourself or another user at root scope (/), run the following command.

PowerShell script:

Remove-AzRoleAssignment -SignInName <username@example.com> -RoleDefinitionName "User Access Administrator" -Scope "/"

Step-by-step guide to elevate your access (using Azure CLI)

The User Access Administrator role is one of the built-in roles provided by Azure for managing access to Azure resources; it is the role that elevate access assigns at root scope.

Azure CLI Script:

az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

Step-by-step guide to remove elevated access (using Azure CLI)

Azure CLI Script:

az role assignment delete --assignee username@example.com --role "User Access Administrator" --scope "/"

In conclusion, elevate access in Azure provides a vital solution for organizations dealing with the challenges of managing multiple subscriptions and management groups efficiently. By centralizing access control, governance, and resource organization, elevate access streamlines Azure management, enhances security, and ensures compliance with organizational policies and regulatory requirements.
