articles/role-based-access-control/elevate-access-global-admin.md
Lines changed: 28 additions & 0 deletions
@@ -337,6 +337,34 @@ When you call `elevateAccess`, you create a role assignment for yourself, so to
337
337
338
338
---
339
339
340
+
## Remove elevated access for users
341
+
342
+
If you have users with unnecessary elevated access, you should take immediate action and remove that access. To remove these role assignments, you must also have elevated access. This section describes how you can view users that have elevated access and remove that access using the Azure portal.
343
+
344
+
1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
345
+
346
+
1. Open **Microsoft Entra ID**.
347
+
348
+
1. Under **Manage**, select **Properties**.
349
+
350
+
1. Under **Access management for Azure resources**, look for the following banner.
351
+
352
+
`You have X users with elevated access. Microsoft Security recommends deleting access for users who have unnecessary elevated access. Manage elevated access users`
353
+
354
+
If you don't see this banner, you currently don't have any users with elevated access.
355
+
356
+
:::image type="content" source="./media/elevate-access-global-admin/elevated-access-users-banner.png" alt-text="Screenshot of banner that indicates there are users with elevated acccess." lightbox="./media/elevate-access-global-admin/elevated-access-users-banner.png":::
357
+
358
+
1. If you want to remove elevated access, set the toggle to **Yes** as described earlier in [Step 1: Elevate access for a Global Administrator](#step-1-elevate-access-for-a-global-administrator).
359
+
360
+
1. Select the **Manage elevated access users** link.
361
+
362
+
The **Users with elevated access appears** pane appears with a list of users with elevated access.
363
+
364
+
:::image type="content" source="./media/elevate-access-global-admin/elevated-access-users-pane.png" alt-text="Screenshot of Users with elevated access pane that lists users with elevated acccess." lightbox="./media/elevate-access-global-admin/elevated-access-users-pane.png":::
365
+
366
+
1. To remove elevated access for users, add a check mark next to the user and select **Remove**.
367
+
340
368
## View elevate access log entries in the Directory Activity logs
341
369
342
370
When access is elevated, an entry is added to the logs. As a Global Administrator in Microsoft Entra ID, you might want to check when access was elevated and who did it. Elevate access log entries do not appear in the standard activity logs, but instead appear in the Directory Activity logs. This section describes different ways that you can view the elevate access log entries.
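Review bot: The new procedure has the Global Administrator set the toggle to **Yes** (the step at new line 358) and then ends at **Remove**, with no step to set the toggle back to **No**, so an administrator who follows it stays elevated after the cleanup. Consider adding a final step that points to the existing instructions for removing your own elevated access. The wording of that same step, "If you want to remove elevated access, set the toggle to **Yes**", also reads as if the toggle itself removes access; something like "To remove elevated access for other users, first elevate your own access by setting the toggle to **Yes**" would match the requirement stated in the section intro. Smaller points: the pane name at new line 362 is written as "**Users with elevated access appears** pane appears", where the first "appears" looks like it slipped inside the bold label, and both image alt-texts spell "acccess" with three c's.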