This blog post will guide you through removing elevated access for users via the Azure Portal.
When a user elevates their access, they’re assigned the User Access Administrator role at the root scope (/). This role grants them permission to manage access to all Azure subscriptions, management groups, and resources within the tenant.
💡 In my tenant, I renamed the root management group’s display name from Tenant Root Group to mg-tenantroot

More specifically, a User Access Administrator can assign or remove Azure roles for users, groups, and service principals, granting them the necessary permissions to access resources.
They can also manage access to these resources by modifying access control policies (RBAC roles) to ensure that the right users or services have the necessary permissions.
Additionally, they can view the access permissions granted to users, groups, or service principals.
Because of these broad capabilities, it’s important to assign the User Access Administrator role only to trusted individuals, and their actions should be carefully monitored to avoid misuse or unintentional security risks.
Moreover, it’s important to remove elevated access for these users when it’s no longer needed to minimize the risk of unauthorized access, misuse, or other security issues.
In this blog post, I’ll show you how to remove elevated access from a user directly in the Azure Portal, without needing Azure PowerShell, Azure CLI, or the REST API, as was required before.

Remove elevated access from a user
To remove elevated access from a user, sign in to the Azure portal as a Global Administrator. Then, in the global search bar, type “Entra” to open the Microsoft Entra ID page.
If you’re using Microsoft Entra Privileged Identity Management, make sure to first activate your Global Administrator role assignment.
⚠️ To be able to remove this elevated access role assignment from a user, you must also have elevated access privileges yourself.

Go to Properties and click on it.

Under Access management for Azure resources, set the toggle to Yes to assign yourself, as a Global Administrator, the User Access Administrator role at the root scope, granting you permission to assign roles across all Azure subscriptions and management groups. Click Save to apply your settings.

After setting this, return to Access management for Azure resources and find the banner showing the number of users with elevated access. Then, on the same banner, select the Manage elevated access users link to view the list of users with elevated access.

The Users with elevated access pane will appear, showing a list of users with elevated access in your tenant. To remove elevated access for a user, select the user by checking the box next to their name, then click Remove.

This will remove the User Access Administrator role assignment from that user.
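
To check for leftover elevations outside the portal, the following Python audit is an added example, not code from the original post. It flags User Access Administrator assignments at exactly the root scope (/). The records are constructed and use field names from `az role assignment list` JSON output, and the approved-principal list is a hypothetical input.

```python
"""Audit role assignment records for elevated access (User Access Administrator at /)."""

# Built-in role definition GUIDs (identical in every tenant).
UAA = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"     # User Access Administrator
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"  # Reader
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription


def _row(name, principal_id, role_guid, scope):
    """Build one constructed record using `az role assignment list` field names."""
    prefix = "" if scope == "/" else scope
    return {
        "principalName": name,
        "principalId": principal_id,
        "scope": scope,
        "roleDefinitionId": f"{prefix}/providers/Microsoft.Authorization/roleDefinitions/{role_guid}",
    }


# Constructed sample data; every name and ID below is made up.
SAMPLE = [
    _row("alice@example.com", "11111111-1111-1111-1111-111111111111", UAA, "/"),
    _row("bob@example.com", "22222222-2222-2222-2222-222222222222", UAA, SUB),
    _row("carol@example.com", "33333333-3333-3333-3333-333333333333", READER, "/"),
    _row("breakglass@example.com", "44444444-4444-4444-4444-444444444444", UAA, "/"),
]


def elevated_assignments(assignments):
    """Return records granting User Access Administrator at exactly the root scope."""
    hits = []
    for a in assignments:
        role_guid = a.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
        if role_guid == UAA and a.get("scope") == "/":
            hits.append(a)
    return hits


def unexpected_elevations(assignments, approved_principal_ids):
    """Names of elevated principals that are not on the approved list (hypothetical input)."""
    approved = {p.lower() for p in approved_principal_ids}
    return sorted(a["principalName"] for a in elevated_assignments(assignments)
                  if a["principalId"].lower() not in approved)


if __name__ == "__main__":
    for name in unexpected_elevations(SAMPLE, {"44444444-4444-4444-4444-444444444444"}):
        print(f"remove elevated access: {name}")
```

The subscription-scoped assignment and the root-scope Reader assignment in the sample are not reported, because elevated access means User Access Administrator at / specifically.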


Conclusion
Previously, you could only remove the User Access Administrator role from a user using Azure PowerShell, Azure CLI, or the REST API.
However, now you can do this directly from the Azure Portal if you have the Global Administrator role and elevate yourself to User Access Administrator. As demonstrated in this blog post, you can then easily remove this role from any user who currently has it assigned.
If you have any questions or suggestions about this blog post, feel free to reach out to me on X (@wmatthyssen) or leave a comment. I’ll be glad to assist!