User Access Administrator permission should not be permanently assigned on the root scope
Why This Matters
Leaving the User Access Administrator role permanently assigned at the root scope means any user with that role can manage access to, and so take full control of, all Azure resources in your tenant. This bypasses normal privilege escalation controls and creates a persistent attack vector if the account is compromised. Regularly auditing and removing standing root scope permissions reduces the blast radius of a compromised account across your Azure subscriptions.
What Aether365 Checks
Aether365 verifies that no User Access Administrator role assignments exist at the root scope (/) in your Microsoft 365 tenant. This check appears in your Aether365 dashboard under the microsoft-365 security category.
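The same rule, applied to exported role assignment records, as an added example (not Aether365's own code). It assumes the records use the field names of Azure CLI role assignment JSON (scope, roleDefinitionId, principalId); the sample records and principals are constructed.

```python
import json

# Built-in role definition GUID for "User Access Administrator" (identical in every tenant).
UAA_ROLE_ID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
ROLE_PATH = "/providers/Microsoft.Authorization/roleDefinitions/"

# Constructed sample records; all IDs and names below are placeholders.
SAMPLE_JSON = """[
 {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "User",
  "roleDefinitionName": "User Access Administrator", "scope": "/",
  "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"},
 {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "User",
  "roleDefinitionName": "User Access Administrator",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
  "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"},
 {"principalId": "33333333-3333-3333-3333-333333333333", "principalType": "Group",
  "roleDefinitionName": "Reader", "scope": "/",
  "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"},
 {"principalId": "44444444-4444-4444-4444-444444444444", "principalType": "ServicePrincipal",
  "scope": "/",
  "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18D7D88D-D35E-4FB5-A5C3-7773C20A72D9"}
]"""
SAMPLE = json.loads(SAMPLE_JSON)


def role_guid(assignment):
    """Return the lower-cased GUID at the end of roleDefinitionId ('' if missing)."""
    role_id = assignment.get("roleDefinitionId") or ""
    return role_id.rstrip("/").rsplit("/", 1)[-1].lower()


def find_root_uaa(assignments):
    """Return assignments of User Access Administrator made exactly at root scope "/".

    Matching uses the role GUID, not the display name, so records that lack
    roleDefinitionName or carry an upper-case GUID are still caught.
    """
    return [
        {"principalId": a.get("principalId"), "principalType": a.get("principalType")}
        for a in assignments
        if (a.get("scope") or "").strip() == "/" and role_guid(a) == UAA_ROLE_ID
    ]


def check_passes(assignments):
    """The check passes only when no root-scope assignment of the role exists."""
    return not find_root_uaa(assignments)


if __name__ == "__main__":
    for finding in find_root_uaa(SAMPLE):
        print("FAIL root-scope User Access Administrator:", finding)
```

On the sample, the user and the service principal assigned at "/" are reported, while the subscription-scoped assignment and the root-scope Reader assignment are not.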
How to Fix
To remove all User Access Administrator assignments from the root scope: