Query: Ensure disabled user accounts do not have read, write, or owner permissions

Description

Ensure that any roles granting read, write, or owner permissions are removed from disabled Azure user accounts. While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Removing role assignments from disabled user accounts depends on the context and requirements of each organization and environment.

Query

Tables used in this query:

• azure_role_assignment
• azure_tenant
• azuread_user

Controls using this query:

• 5.3.5 Ensure disabled user accounts do not have read, write, or owner permissions
• Ensure disabled user accounts do not have read, write, or owner permissions

SQL