Azure Privileged Identity Managment

Introduction

Azure PIM is an Azure service that enables you to implement the least privilege principles such as just in time, just in place and reduction of privilege on your AAD-managed identities. At large it's a very simple solution and fits in a niche market as it's less developed than a Privileged Access Management tool such as cyber ark or thycotic but at minimum, it will fulfil your requirements in your journey to zero trust architecture.

How it works

At large PIM is divided into four sections: Request, Approval, Configuring and Audit. Each section is pretty self-explanatory and when you select each one in the interface a unique page is presented. Below is the breakdown of each section in the order you will likely use them:

 

Configuring  

Once you have enabled PIM within Azure Active Directory you will need to create assignments. You can create assignments for Azure AD roles, PIM Groups and Azure Resources.  Assignments control who and how people have access to a role. 

 

You first need to configure what role you want to create an assignment for and add the identities you want to be able to access the role. You can use privileged groups here if you want to. 

 

You then need to set the controls you want to place on the assignment. Best practice is to keep the assignment as short as time as possible and always use the 'Eligible' assignment type. The assignment types are described below

  • Eligible - The identities attached to the assignment are permitted to assign themselves the role.
  • Active - The identities attached to the assignment are actively in the role.

Hopefully, it's obvious using the above descriptions why using the 'Eligible' assignment type everywhere is a good idea. Users can still gain access to the role they just have to navigate to the interface.


 

You now want to configure the role so that least privilege principals are always applied. Keeping the activation time to a minimum enables users to only have access when they are actually completing work (Identities are removed from the role automatically once it lapses) . Additionally, you should use 'Require approval' where you can, it can be very useful when you have junior members in teams. 

 

Requesting

Once you have configured your roles and assignments those assigned to users will appear in the PIM interface like so:


  Selecting activate next to each role will begin the approval process (if implemented). If you are forcing the user to use MFA they will have to select the box at the top of the approval page, and it will redirect them to a login page. If you have configured the role to send a request for approval it will appear as such in the approver's interface 

 

Approval

You get pretty much all the information you need to make an informed decision as to whether to approve a request. If the request is ADHOC obviously make sure you ensure there is an appropriate behavior change whereby users are providing as verbose as possible request reasons.

 

Audit

There are a lot of different pages/interfaces within PIM for auditing largely because they decided to create an overview page and a page unique to each feature. Below I've listed the most impactful ones

Resource Audit

Details the changes made within PIM including the activation of roles and requests made for access.

Insights

Simple recommendations based on the current configuration/posture of Azure PIM.

 

Alerts

 


Alerts with changeable thresholds.

 

Access Reviews


This is probably my favourite audit feature as it basically builds an audit workflow for you. You can configure audit reviews to take action once their thresholds have been breached. This can be used to prevent stale assignments. 

 

Logs

At large logs generated by PIM are denoted with the string "PIM" so you can easily find them in your workspace. They appear much like the standard "Add User", "Create Group" etc logs in the AuditLogs table except with some additional data fields such as 'ResultDescription (Request Reason)'. I think the logs are verbose enough for me and you could even explore building a workbook around the frequency of requests by role, user, time etc.

 If you wanted to be really fancy, you could implement an org policy where all users are mandated to enter a change number or some sort of reference back to a tracking system and then build a detection around request reasons that do not match the org policy. I've put an example below:

 

// Assuming each user is required to input a change number of the format C11432A
AuditLogs
| extend RequestReason = tostring(TargetResources[1].displayName)
| where RequestReason matches regex @"([C](.*?)[A])"


Summary

Personally, I like Azure PIM as it makes implementing least privilege principles in Azure very easy and enables you to enforce a separation between your cloud infrastructure and on-prem because you don't need to use your on-prem tools to manage the identities. The interface definitely needs more work because it can get almost disorientating when clicking through features only to arrive at the same place several times. If you do a lot of building or operations in Azure, you definitively want to use PIM to at a minimum manage your highest privilege roles such as Global Administrator. I can see a reduction in value for smaller teams where there's literally only two or so people who build things in azure.





Popular posts from this blog

Endpoint on Adrenaline : One

Image
Introduction   This blog series will capture how to maximise the protection of an endpoint using the various technologies in the Defender suite. The controls outlined in the series will each need to have their own considerations taken into account for a given environment but hopefully at a minimum it will be clear just how powerful of an offering Microsoft has.  Unfortunately due to the highly modular and distinct diversity in controls Microsoft offers things are often overlooked and misconfigured when tests are conducted. With this in mind, the shortest possible route to a solution for this is utilizing the recommendations, CSPM and Secure Score technology contained within Defender 365 and Defender for Cloud as it will automatically conduct posture assessments and inform you of things you have missed and may want to turn on (IE dont take these recommendations lightly) Lastly, I would recommend reading the book “Defender for Endpoint in depth” from packt as it showcases the complexitie
Read more

Brilliance in the Basics

Image
Introduction Tired of watching you and your friends get compromised, do exactly what's in this blog and start eating adversaries alive. Avoiding the memes adversaries win because of simple mistakes and neglect and we all already know what they are so I'm going to list them for you. Its all for free too. Enumerate To put it simply, there shouldn't be anything you don't know about your environment, you should know who all your users are, where all your electronic devices are and what they do, what applications you have and what versions they are. Enumeration is the jet fuel for making good defensive decisions. I wrote about how to enumerate your environment here  Securing your estate: The First Step (goblinloot.net) . Follow these steps and become the arbitrator of your own environment  Your perimeter is a bridge, not a wall Monitor your perimeter as best as you can but always assume it has already been defeated. Monitor endpoint system and process telemetry and southwest
Read more

Investigate

Image
  Introduction This document details how an analyst should conduct investigations and triage in the normal duties of their job. It will describe concepts and logic that enable analysts to look at data, ask investigative questions, evaluate those questions and arrive at assertions about what they have found. An Alert For the most part, analysts begin their investigative work when an alert is generated. Alerts are fantastic because they are a statement that something has happened and something needs to be done about it. Typically alerts are filled with information that an analyst can then use in their investigation. Alerts are generated by detections and these detections can come in many shapes and sizes. Some just look for a particular action like someone unlocking their car door, others might have access to more context like someone who isn’t the owner of the car unlocking the door. Going even further some detections might look at how the car door was opened or at what
Read more