Defender for Cloud - Disabled accounts with read and write permissions on Azure resources should be removed - removing permissions from accounts automatically

SS97 40 Reputation points
2025-01-08T13:11:15.56+00:00

Hello,

To complete recommendation from DfC "Disabled accounts with read and write permissions on Azure resources should be removed", I'd like to set an autoschedule to remove permissions assigned to disabled accounts whose sign-ins aren't logged in the past 30 days. I was wondering if it is possible to do it automatically using Logic Apps or a script in an Automation Account.

Has anyone met with this recommendation and figured out how to automate this process?

Thank you.

Azure Automation
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  Ryan Hill 30,281 Reputation points Microsoft Employee Moderator
    2025-01-08T15:29:59.47+00:00

    Hi @SS97

    While I personally haven't met this specific recommendation, I can tell you that you can automate the removal of the permissions. I personally wouldn't utilize a logic app but instead would use a PowerShell script. You can then use that script to either run inside a runbook that's scheduled through Azure Automation or host the script inside an Azure Function.

    Below is a sample PowerShell script that you can use to get started and make necessary adjustments to fit your environment.

    # Import the Az module used below (Az.Accounts is loaded with it);
    # the whole sample uses Az cmdlets, since the older AzureAD module is retired
    Import-Module -Name Az.Resources
    
    # Get all disabled accounts (OData filter on the accountEnabled attribute)
    $disabledAccounts = Get-AzADUser -Filter "accountEnabled eq false"
    
    # Inspect the users returned 
    $disabledAccounts
    
    # Get each user's role assignments in the current subscription context
    # (Get-AzADUser exposes the object id as .Id)
    $roleAssignments = $disabledAccounts | ForEach-Object { Get-AzRoleAssignment -ObjectId $_.Id }
    
    # Inspect the role assignments returned
    $roleAssignments
    
    # Remove the assignments (Remove-AzRoleAssignment takes the assignment objects from the pipeline)
    $roleAssignments | Remove-AzRoleAssignment
    
    1 person found this answer helpful.
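The accepted answer removes assignments from every disabled account; the question also asks for the 30-day sign-in condition and for something that can run on a schedule. Below is an added example (not part of Ryan Hill's answer) of an Azure Automation runbook that adds that condition, walks every subscription, and supports a dry run with -WhatIf. It assumes the Microsoft.Graph.Users module beside Az.Accounts/Az.Resources, that the Automation account's managed identity has the Graph application permissions User.Read.All and AuditLog.Read.All (signInActivity needs both, and the tenant needs an Entra ID P1/P2 licence for it to be populated), and that the same identity holds User Access Administrator on the subscriptions it cleans up. The parameter name InactiveDays is this example's own.

```powershell
<#
  Added example runbook (not the accepted answer's code).
  Removes Azure RBAC assignments from disabled Entra ID users whose last
  sign-in (interactive or non-interactive) is older than -InactiveDays,
  or who have no recorded sign-in at all.
  Assumptions: managed identity with Graph User.Read.All + AuditLog.Read.All,
  Entra ID P1/P2 (required for signInActivity), User Access Administrator on
  each subscription, and the Az.Accounts, Az.Resources, Microsoft.Graph.Users
  modules imported into the Automation account.
  Schedule it with -WhatIf first to get a report without changing anything.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 30
)

Import-Module Az.Accounts, Az.Resources, Microsoft.Graph.Users

# Authenticate both SDKs with the runbook's managed identity
Connect-AzAccount -Identity | Out-Null
Connect-MgGraph -Identity -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# 1. Disabled users; signInActivity must be requested explicitly, it is not returned by default
$disabledUsers = Get-MgUser -Filter "accountEnabled eq false" `
    -Property "id,userPrincipalName,signInActivity" -All

# 2. Keep only users with no sign-in of either kind since the cutoff.
#    A user that never signed in has no signInActivity at all; that is treated
#    as stale too, because "no recent sign-in" is exactly the condition.
$staleUsers = $disabledUsers | Where-Object {
    $last = @($_.SignInActivity.LastSignInDateTime,
              $_.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    (-not $last) -or ($last -lt $cutoff)
}
Write-Output "Disabled users: $($disabledUsers.Count); stale (> $InactiveDays days): $($staleUsers.Count)"
if (-not $staleUsers) { return }

# Object id -> UPN lookup, so assignment filtering below is a hash probe, not a nested loop
$staleIds = @{}
foreach ($u in $staleUsers) { $staleIds[$u.Id] = $u.UserPrincipalName }

# 3. Role assignments are per scope, so inspect each subscription context separately
$removed = @()
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # One listing per subscription, filtered locally: cheaper than one call per user
    $assignments = Get-AzRoleAssignment | Where-Object {
        $_.ObjectType -eq 'User' -and $staleIds.ContainsKey($_.ObjectId)
    }

    foreach ($a in $assignments) {
        $desc = "$($staleIds[$a.ObjectId]) : $($a.RoleDefinitionName) at $($a.Scope)"
        # ShouldProcess honours -WhatIf / -Confirm, so a dry run only reports
        if ($PSCmdlet.ShouldProcess($desc, 'Remove role assignment')) {
            Remove-AzRoleAssignment -ObjectId $a.ObjectId `
                -RoleDefinitionId $a.RoleDefinitionId -Scope $a.Scope
            $removed += $desc
        }
    }
}

# 4. Leave an audit trail in the job output (forward it to Log Analytics if the account is linked)
Write-Output "Removed $($removed.Count) assignment(s):"
$removed | ForEach-Object { Write-Output "  $_" }
```

Two points worth checking before scheduling it: Get-AzRoleAssignment at subscription scope also lists assignments inherited from management groups, so the identity needs rights at that scope too or those removals will fail, and the job output is the only record of what was removed, so keep the runbook job history or link the account to a Log Analytics workspace.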
