Elevate access for Azure subscriptions and group management

As organizations expand their Azure active directory (AD) usage, managing multiple subscriptions and organizing resources across various departments or projects becomes increasingly complex.

To streamline this process and ensure effective governance, Azure offers a feature called “Elevate access,” which allows users to manage all subscriptions centrally and management groups. This article explores the significance of elevate access, its benefits, and how to utilize it for efficient Azure management effectively.

Challenges with managing multiple subscriptions and groups

As organizations scale their Azure usage, managing multiple subscriptions manually can present several challenges:

• Access control complexity: Assigning and managing permissions across numerous subscriptions can become tedious and prone to make mistakes.
• Compliance and governance: Ensuring compliance with organizational policies and regulatory requirements across multiple subscriptions requires a centralized approach.
• Resource organization: Without a unified management strategy, locating and organizing resources efficiently becomes challenging, leading to increased complexity and potential security risks.

Benefits of elevated access

To address these challenges, Azure introduced “elevate access”. These are a few reasons as to why you need to elevate your access.

• Manage access: A global admin with elevated access can view all subscriptions and management groups. They can also grant access to any users who have lost their access.
• Governance and compliance: A user with elevated access can enforce governing policies and can ensure compliance with regulatory requirements.
• Automation: Granting necessary permission can allow automation apps such as Azure Automation, to perform its tasks effectively, which can be facilitated by a user with elevated access.
• Security incidents: Global admins can configure security default access policies to enforce additional security measures.

Step-by-step guide to elevate your access (using Azure portal)

Follow these steps to elevate access.

1) Open Microsoft Entra ID (formerly Azure AD).

2) In the Manage section, click Properties.

3) Locate Access Management for Azure resources. Set the toggle to Yes.

4) Click Save, to make the changes.

5) Sign Out and Sign In, to reflect the changes.

You should now have access to all the Azure subscriptions and management groups.

Since, elevated access has granted full access to the resources. It is better to have the access revoked once the delegated work is done. Here’s a guide on how to remove the elevated access.

Step-by-step guide to remove elevated access (using Azure portal)

Follow these steps to remove access.

1) Sign in with the same user that has elevated access.

2) In Microsoft Entra ID, go to Properties.

3) Locate Access Management for Azure resources. Set the toggle to No.

4) Sign out to remove the elevated access.

Step-by-step guide to elevate your access (using Rest API)

1) Using REST, call elevateAccess, which grants you the User Access Administrator role at root scope (/).

POST 
https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01

Step-by-step guide to remove elevated access (using Rest API)

1) To revoke those privileges you need to remove the User Access Administrator role assignment for yourself at root scope (/).

Call Role Definitions – Get where roleName equals User Access Administrator to determine the name ID of the User Access Administrator role.

GET
https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01&$filter=roleName+eq+'User Access Administrator'
{
"value": [

    {

      "properties": {

  "roleName": "User Access Administrator",

  "type": "BuiltInRole",

  "description": "Lets you manage user access to Azure resources.",

  "assignableScopes": [

    "/"

  ],

  "permissions": [

    {

      "actions": [

        "*/read",

        "Microsoft.Authorization/*",

        "Microsoft.Support/*"

      ],

      "notActions": []

    }

  ],

  "createdOn": "0001-01-01T08:00:00.0000000Z",

  "updatedOn": "2016-05-31T23:14:04.6964687Z",

  "createdBy": null,

  "updatedBy": null

      },

      "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",

      "type": "Microsoft.Authorization/roleDefinitions",

      "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"

    }

  ],

  "nextLink": null

}

  Save the ID from the name parameter.

2) List all assignments at directory scope for the principalId of the directory administrator who made the elevate access call. This will list all assignments in the directory for the object id.

GET 
https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId+eq+'{objectid}'

The previous calls return a list of role assignments. Find the role assignment where the scope is “/” and the roleDefinitionId ends with the role name ID you found in step 1 and principalId matches the objectId of the directory administrator.

Sample role assignment:

{
"value": [

    {

      "properties": {

        "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",

        "principalId": "{objectID}",

        "scope": "/",

        "createdOn": "2016-08-17T19:21:16.3422480Z",

        "updatedOn": "2016-08-17T19:21:16.3422480Z",

        "createdBy": "22222222-2222-2222-2222-222222222222",

        "updatedBy": "22222222-2222-2222-2222-222222222222"

      },

      "id": "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",

      "type": "Microsoft.Authorization/roleAssignments",

      "name": "11111111-1111-1111-1111-111111111111"

    }

  ],

  "nextLink": null

}

  Again, save the ID from the name parameter.

3) Finally, use the role assignment ID to remove the assignment added by elevate access:

DELETE 
https://management.azure.com/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111?api-version=2022-04-01

Step-by-step guide to elevate and remove elevated access (using PowerShell)

1) Use Azure portal or REST API to elevate access for a global administrator.

2) To remove the User Access Administrator role assignment for yourself or another user at root scope (/), follow these steps.

• Sign in as a user that can remove elevated access.
• Use the Remove-AzRoleAssignment command to remove the User Access Administrator role assignment.

PowerShell script:

Remove-AzRoleAssignment -SignInName <username@example.com> -RoleDefinitionName "User Access Administrator" -Scope "/"

Step-by-step guide to elevate your access (using Azure CLI)

User Access Administrator role is one of the built-in roles provided by Azure for managing access to Azure resources.

• Use the az rest command to call the elevateAccess endpoint, which grants you the User Access Administrator role at root scope (/).

Azure CLI Script:

az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

Step-by-step guide to remove elevated access (using Azure CLI)

• Sign in as a user that can remove elevated access.
• Use the az role assignment delete command to remove the User Access Administrator role assignment.

Azure CLI Script:

az role assignment delete --assignee username@example.com --role "User Access Administrator" --scope "/"

In conclusion, elevate access in Azure provides a vital solution for organizations dealing with the challenges of managing multiple subscriptions and management groups efficiently. By centralizing access control, governance, and resource organization, elevate access streamlines Azure management, enhances security, and ensures compliance with organizational policies and regulatory requirements.