What does the "Microsoft.Authorization/elevateAccess/action" role actually do? A sub permission of the User Access Administistrator Azure resource role

Question

I've got some questions relating to the User Access Administrator Azure resource role. Because it grants Microsoft.Authorization/*, it means that Microsoft.Authorization/elevateAccess/action is a part of that permission set. That permission is defined here and also screenshotted below for easy reference:

To me, this permission's description tells me that somehow, someone with User Access Administrator (UAA) can elevate their permissions outside of the scope it was given at. Say they were assigned UAA on Subscription A. It seems that somehow (and this is the heart of my question), they are able to "elevate" themselves to have the same Microsoft.Authorization/* across Subscriptions B-Z as well since it is at "tenant scope".

Also, I noticed that this particular permission, Microsoft.Authorization/elevateAccess/action, is explicitly listed in the NotActions of Contributor role, implying to me it is somewhat risky.

All that being said I have three questions, all related:

1. Am I correct in what this permission grants? Or completely off-base?
2. If so, how does that permission actually get "elevated"? I notice the language in the Description of the permission states "grants the caller". How does one "call" that permissions to elevate to tenant scope?
3. Is the "elevate" action really only what is available here as a part of elevating Global Admin to the UAA role? And if this is the case, why bother putting it in the "NotActions" of Contributor then?

Hopefully that all makes sense. Happy to clarify as needed, thank you in advance for your thoughts / time!

Answer 1

Hi @Johnathan Welker ,

Thanks for your post and apologies for the delayed reply! The User Access Administrator role applies to all subscriptions in a particular tenant. That scope is described here and here.

By default, Azure roles and Azure AD roles do not span Azure and Azure AD. However, if a Global Administrator elevates their access by choosing the Access management for Azure resources switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role (an Azure role) on all subscriptions for a particular tenant.

I don't see this contradicted in the documentation unless I'm missing something, but please do correct me if I'm missing your concern. Because it is such a broad and highly privileged scope, it is recommended to remove that elevated access (UAA role) from the Global Admin after the necessary changes have been made. That role has always been at the tenant scope and never solely at the subscription scope.

As for the Contributor role, the NotActions are subtracted from Actions, so the Actions indicate that the principal in that role can perform all actions, but NotActions removes abilities from that role. This scenario is documented here:

Here's the Contributor role definition as displayed in Azure PowerShell and Azure CLI. The wildcard (*) actions under Actions indicates that the principal assigned to this role can perform all actions, or in other words, it can manage everything. This includes actions defined in the future, as Azure adds new resource types. The actions under NotActions are subtracted from Actions. In the case of the Contributor role, NotActions removes this role's ability to manage access to resources and also manage Azure Blueprints assignments.

Let me know if this addresses your concern and if you have further questions.

-

If the information helped you, please Accept the answer. This will help us and other community members as well.