"Disabled accounts with X permissions on Azure resources should be removed" is Showing Active Accounts

Cusimano, Joey 80 Reputation points
2024-11-12T16:08:23.8933333+00:00

I review our Microsoft Defender Secure Score for each of 3 subscriptions weekly and noticed a huge reduction in one of them. The following are the recommendations for this subscription in particular:

"Disabled accounts with read and write permissions on Azure resources should be removed"

"Disabled accounts with owner permissions on Azure resources should be removed"

Between the two recommendations, there are 7 user accounts and ALL of them are active. I verified this in the Microsoft 365 admin center, going to users, and adding the "sign-in status" column which lists "Allowed" for all 7. All of these users have been active for months and we have not seen this recommendation before for any subscription. Only one of the 3 subscriptions is giving this as a recommendation and docking the Secure Score by a massive amount as a result, but all 7 of the users have roles assigned on the other 2 subscriptions as well.

This behavior is inconsistent between subscriptions and is incorrectly flagging inactive users. What would cause this false positive? Is there a way to resolve this without having to exempt this recommendation for the subscription?

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,422 questions
0 comments No comments
{count} votes

Accepted answer
  1. Goutam Pratti 660 Reputation points Microsoft Vendor
    2024-11-13T08:51:29.7066667+00:00

    Hello @Cusimano, Joey ,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I see that Secure Score for certain recommendations have been regressed in your tenant. This issue occurred with many other customers since 11th November.

    Affected recommendations with score regression is mentioned below:

    • Disabled accounts with read and write permissions on Azure resources should be removed.
    • Disabled accounts with owner permissions on Azure resources should be removed.

    The root cause has been identified and a hotfix is being rolled out. Correct data has been released. Please check and confirm me if you are able to see the correct data on your end within 24hours.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Regards,
    Goutam Pratti.

    2 people found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.