Continuing with the do’s of Identity, and supposing that you are at the point in your journey where you have either hybrid or fully cloud-based identities.
In the last part I covered how you can keep your external users at bay with dynamic groups and access reviews.
In this part we will see how to protect your high-privileged users and give them the permissions they need, only for the time you want them to have them.
First you could create your own roles
There is a good collection of predefined roles for Azure AD and Azure resources, but sometimes it can be a viable solution to create your own roles from scratch.
What’s the difference?
Fundamentally, Azure AD roles are admin roles for users and services (M365) and should be kept separate from Azure resource roles, although an identity holding them can also be assigned Azure resource roles.
Azure AD roles = Identity in Azure AD and admin roles for M365 based services.
Azure Resource roles = Services inside Azure and their defined roles.
Here is a picture from Microsoft showing how the two kinds of roles differ from each other.
Why to create your own roles?
As said, Microsoft has a comprehensive set of Azure AD based roles.
But what if you need to strictly define your own roles and the exact permissions for them? Let’s say it is based on a regulation in your industry’s policies.
Currently there are 174 permissions to choose from; I will list them here for reference as I didn’t find them listed anywhere else.
Permission | Description |
---|---|
microsoft.directory/applicationPolicies/allProperties/read | Read all properties (including privileged properties) on application policies. |
microsoft.directory/applicationPolicies/allProperties/update | Update all properties (including privileged properties) on application policies. |
microsoft.directory/applicationPolicies/basic/update | Update standard properties of application policies. |
microsoft.directory/applicationPolicies/create | Create application policies. |
microsoft.directory/applicationPolicies/createAsOwner | Create application policies, and creator is added as the first owner. |
microsoft.directory/applicationPolicies/delete | Delete application policies. |
microsoft.directory/applicationPolicies/owners/read | Read owners on application policies. |
microsoft.directory/applicationPolicies/owners/update | Update the owner property of application policies. |
microsoft.directory/applicationPolicies/policyAppliedTo/read | Read application policies applied to objects list. |
microsoft.directory/applicationPolicies/standard/read | Read standard properties of application policies. |
microsoft.directory/applications.myOrganization/allProperties/read | Read all properties (including privileged properties) on single-directory applications. |
microsoft.directory/applications.myOrganization/allProperties/update | Update all properties (including privileged properties) on single-directory applications. |
microsoft.directory/applications.myOrganization/audience/update | Update audience on single-directory applications. |
microsoft.directory/applications.myOrganization/authentication/update | Update authentication on single-directory applications. |
microsoft.directory/applications.myOrganization/basic/update | Update basic properties on single-directory applications. |
microsoft.directory/applications.myOrganization/credentials/update | Update credentials on single-directory applications. |
microsoft.directory/applications.myOrganization/delete | Delete single-directory applications. |
microsoft.directory/applications.myOrganization/owners/read | Read owners on single-directory applications. |
microsoft.directory/applications.myOrganization/owners/update | Update owners on single-directory applications. |
microsoft.directory/applications.myOrganization/permissions/update | Update exposed permissions and required permissions on single-tenant applications. |
microsoft.directory/applications.myOrganization/standard/read | Read basic properties on single-directory applications. |
microsoft.directory/applications/allProperties/read | Read all properties (including privileged properties) on all types of applications. |
microsoft.directory/applications/allProperties/update | Update all properties (including privileged properties) on all types of applications. |
microsoft.directory/applications/applicationProxy/read | Read all application proxy properties. |
microsoft.directory/applications/applicationProxy/update | Update all application proxy properties. |
microsoft.directory/applications/applicationProxyAuthentication/update | Update authentication on all types of applications. |
microsoft.directory/applications/applicationProxySslCertificate/update | Update SSL certificate settings for application proxy. |
microsoft.directory/applications/applicationProxyUrlSettings/update | Update URL settings for application proxy. |
microsoft.directory/applications/appRoles/update | Update the appRoles property on all types of applications. |
microsoft.directory/applications/audience/update | Update the audience property for applications. |
microsoft.directory/applications/authentication/update | Update authentication on all types of applications. |
microsoft.directory/applications/basic/update | Update basic properties for applications. |
microsoft.directory/applications/create | Create all types of applications. |
microsoft.directory/applications/createAsOwner | Create all types of applications, and creator is added as the first owner. |
microsoft.directory/applications/credentials/update | Update application credentials. |
microsoft.directory/applications/delete | Delete all types of applications. |
microsoft.directory/applications/owners/read | Read owners of applications. |
microsoft.directory/applications/owners/update | Update owners of applications. |
microsoft.directory/applications/permissions/update | Update exposed permissions and required permissions on all types of applications. |
microsoft.directory/applications/standard/read | Read standard properties of applications. |
microsoft.directory/applications/synchronization/standard/read | Read provisioning settings associated with the application object. |
microsoft.directory/applicationTemplates/instantiate | Instantiate gallery applications from application templates. |
microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties. |
microsoft.directory/bitlockerKeys/key/read | Read bitlocker metadata and key on devices. |
microsoft.directory/bitlockerKeys/metadata/read | Read bitlocker key metadata on devices. |
microsoft.directory/connectorGroups/allProperties/read | Read all properties of application proxy connector groups. |
microsoft.directory/connectorGroups/allProperties/update | Update all properties of application proxy connector groups. |
microsoft.directory/connectorGroups/create | Create application proxy connector groups. |
microsoft.directory/connectorGroups/delete | Delete application proxy connector groups. |
microsoft.directory/connectors/allProperties/read | Read all properties of application proxy connectors. |
microsoft.directory/connectors/create | Create application proxy connectors. |
microsoft.directory/deviceManagementPolicies/basic/update | Update basic properties on device management application policies. |
microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on device management application policies. |
microsoft.directory/deviceRegistrationPolicy/basic/update | Update basic properties on device registration policies. |
microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies. |
microsoft.directory/devices/createdFrom/read | Read created from Internet of Things (IoT) device template links. |
microsoft.directory/devices/delete | Delete devices from Azure AD. |
microsoft.directory/devices/disable | Disable devices in Azure AD. |
microsoft.directory/devices/enable | Enable devices in Azure AD. |
microsoft.directory/devices/registeredOwners/read | Read registered owners of devices. |
microsoft.directory/devices/registeredOwners/update | Update registered owners of devices. |
microsoft.directory/devices/registeredUsers/read | Read registered users of devices. |
microsoft.directory/devices/registeredUsers/update | Update registered users of devices. |
microsoft.directory/devices/standard/read | Read basic properties on devices. |
microsoft.directory/groups.security.assignedMembership/allProperties/update | Update all properties (including privileged properties) on Security groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.security.assignedMembership/basic/update | Update basic properties on Security groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.security.assignedMembership/classification/update | Update the classification property on Security groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.security.assignedMembership/create | Create Security groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.security.assignedMembership/createAsOwner | Create Security groups of assigned membership type, excluding role-assignable groups. Creator is added as the first owner. |
microsoft.directory/groups.security.assignedMembership/delete | Delete Security groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.security.assignedMembership/members/update | Update members of Security groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.security.assignedMembership/owners/update | Update owners of Security groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.security.assignedMembership/visibility/update | Update the visibility property on Security groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.security/allProperties/update | Update all properties (including privileged properties) on Security groups, excluding role-assignable groups. |
microsoft.directory/groups.security/basic/update | Update basic properties on Security groups, excluding role-assignable groups. |
microsoft.directory/groups.security/classification/update | Update the classification property on Security groups, excluding role-assignable groups. |
microsoft.directory/groups.security/create | Create Security groups, excluding role-assignable groups. |
microsoft.directory/groups.security/createAsOwner | Create Security groups, excluding role-assignable groups. Creator is added as the first owner. |
microsoft.directory/groups.security/delete | Delete Security groups, excluding role-assignable groups. |
microsoft.directory/groups.security/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups, excluding role-assignable groups. |
microsoft.directory/groups.security/members/update | Update members of Security groups, excluding role-assignable groups. |
microsoft.directory/groups.security/owners/update | Update owners of Security groups, excluding role-assignable groups. |
microsoft.directory/groups.security/visibility/update | Update the visibility property on Security groups, excluding role-assignable groups. |
microsoft.directory/groups.unified.assignedMembership/allProperties/update | Update all properties (including privileged properties) on Microsoft 365 groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.unified.assignedMembership/basic/update | Update basic properties on Microsoft 365 groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.unified.assignedMembership/classification/update | Update the classification property on Microsoft 365 groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.unified.assignedMembership/create | Create Microsoft 365 groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.unified.assignedMembership/createAsOwner | Create Microsoft 365 groups of assigned membership type, excluding role-assignable groups. Creator is added as the first owner. |
microsoft.directory/groups.unified.assignedMembership/delete | Delete Microsoft 365 groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.unified.assignedMembership/members/update | Update members of Microsoft 365 groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.unified.assignedMembership/owners/update | Update owners of Microsoft 365 groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.unified.assignedMembership/visibility/update | Update the visibility property on Microsoft 365 groups of assigned membership type, excluding role-assignable groups. |
microsoft.directory/groups.unified/allProperties/update | Update all properties (including privileged properties) on Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups.unified/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups.unified/classification/update | Update the classification property on Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups.unified/create | Create Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups.unified/createAsOwner | Create Microsoft 365 groups, excluding role-assignable groups. Creator is added as the first owner. |
microsoft.directory/groups.unified/delete | Delete Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups.unified/dynamicMembershipRule/update | Update the dynamic membership rule on Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups.unified/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups.unified/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups.unified/visibility/update | Update the visibility property on Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups/allProperties/read | Read all properties (including privileged properties) on Security groups and Microsoft 365 groups, including role-assignable groups. |
microsoft.directory/groups/allProperties/update | Update all properties (including privileged properties) on Security groups and Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups/assignLicense | Assign product licenses to groups for group-based licensing. |
microsoft.directory/groups/basic/update | Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups/classification/update | Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups/create | Create Security groups and Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups/createAsOwner | Create Security groups and Microsoft 365 groups, excluding role-assignable groups. Creator is added as the first owner. |
microsoft.directory/groups/delete | Delete Security groups and Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups/groupType/update | Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups/memberOf/read | Read the memberOf property on Security groups and Microsoft 365 groups, including role-assignable groups. |
microsoft.directory/groups/members/read | Read members of Security groups and Microsoft 365 groups, including role-assignable groups. |
microsoft.directory/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups/owners/read | Read owners of Security groups and Microsoft 365 groups, including role-assignable groups. |
microsoft.directory/groups/owners/update | Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/groups/reprocessLicenseAssignment | Reprocess license assignments for group-based licensing. |
microsoft.directory/groups/standard/read | Read standard properties of Security groups and Microsoft 365 groups, including role-assignable groups. |
microsoft.directory/groups/visibility/update | Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups. |
microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs. |
microsoft.directory/servicePrincipals/allProperties/read | Read all properties (including privileged properties) on servicePrincipals. |
microsoft.directory/servicePrincipals/allProperties/update | Update all properties (including privileged properties) on servicePrincipals. |
microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read service principal role assignments. |
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments. |
microsoft.directory/servicePrincipals/appRoleAssignments/read | Read role assignments assigned to service principals. |
microsoft.directory/servicePrincipals/audience/update | Update audience properties on service principals. |
microsoft.directory/servicePrincipals/authentication/update | Update authentication properties on service principals. |
microsoft.directory/servicePrincipals/basic/update | Update basic properties on service principals. |
microsoft.directory/servicePrincipals/create | Create service principals. |
microsoft.directory/servicePrincipals/createAsOwner | Create service principals, with creator as the first owner. |
microsoft.directory/servicePrincipals/credentials/update | Update credentials of service principals. |
microsoft.directory/servicePrincipals/delete | Delete service principals. |
microsoft.directory/servicePrincipals/disable | Disable service principals. |
microsoft.directory/servicePrincipals/enable | Enable service principals. |
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials | Manage password single sign-on credentials on service principals. |
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials | Read password single sign-on credentials on service principals. |
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read | Read delegated permission grants on service principals. |
microsoft.directory/servicePrincipals/owners/read | Read owners of service principals. |
microsoft.directory/servicePrincipals/owners/update | Update owners of service principals. |
microsoft.directory/servicePrincipals/permissions/update | Update permissions of service principals. |
microsoft.directory/servicePrincipals/policies/read | Read policies of service principals. |
microsoft.directory/servicePrincipals/policies/update | Update policies of service principals. |
microsoft.directory/servicePrincipals/standard/read | Read basic properties of service principals. |
microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal. |
microsoft.directory/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials. |
microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs. |
microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema. |
microsoft.directory/servicePrincipals/tag/update | Update the tag property for service principals. |
microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties. |
microsoft.directory/users/appRoleAssignments/read | Read application role assignments for users. |
microsoft.directory/users/assignLicense | Manage user licenses. |
microsoft.directory/users/basic/update | Update basic properties on users. |
microsoft.directory/users/contactInfo/update | Update the contact info properties of users, such as address, phone, and email. |
microsoft.directory/users/deviceForResourceAccount/read | Read deviceForResourceAccount of users. |
microsoft.directory/users/directReports/read | Read the direct reports for users. |
microsoft.directory/users/extensionProperties/update | Update extension properties of users. |
microsoft.directory/users/identities/read | Read identities of users. |
microsoft.directory/users/identities/update | Update the identity properties of users, such as name, user principal name, and object ID. |
microsoft.directory/users/jobInfo/update | Update the job info properties of users, such as job title, department, and company name. |
microsoft.directory/users/licenseDetails/read | Read license details of users. |
microsoft.directory/users/manager/read | Read manager of users. |
microsoft.directory/users/manager/update | Update manager for users. |
microsoft.directory/users/memberOf/read | Read the group memberships of users. |
microsoft.directory/users/ownedDevices/read | Read owned devices of users. |
microsoft.directory/users/parentalControls/update | Update parental controls of users. |
microsoft.directory/users/passwordPolicies/update | Update password policies properties of users. |
microsoft.directory/users/registeredDevices/read | Read registered devices of users. |
microsoft.directory/users/reprocessLicenseAssignment | Reprocess license assignments for users. |
microsoft.directory/users/scopedRoleMemberOf/read | Read user's membership of an Azure AD role, that is scoped to an administrative unit. |
microsoft.directory/users/standard/read | Read basic properties on users. |
microsoft.directory/users/usageLocation/update | Update usage location of users. |
How?
Azure AD roles
The easiest way is to GET an existing role with Graph, modify the permissions, then POST the role back. Start with:
```http
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
```
Paste the modified definition back into Graph and select POST. (Note that you have to consent to the permission to read and write roles.)
Note that if you are trying to create a role with a permission that isn’t allowed, you will get this error.
After the role is successfully created, you will get a template ID that you can use in new custom roles.
Inside the portal you will see it this way.
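The GET-modify-POST flow above is easier to get right if the permission list is checked locally before anything is sent, since Graph rejects a role that names an action outside the allowed set. The following is an added example (not code from the original post) that builds the unifiedRoleDefinition body Graph v1.0 expects and pre-validates the actions against the permission table; ALLOWED_ACTIONS is a hand-picked subset of that table, and the token and role name are placeholders.

```python
"""Build and pre-check a custom Azure AD (directory) role definition.

Added example, not from the original post. The body shape is the Microsoft
Graph v1.0 unifiedRoleDefinition resource; ALLOWED_ACTIONS is a short subset
of the permission table above (load the full table in real use).
"""
import json

# Endpoint shown on the page; POSTing to it needs RoleManagement.ReadWrite.Directory.
GRAPH_ROLE_DEFINITIONS = (
    "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions"
)

# Subset of the allowed resource actions listed in the table above.
ALLOWED_ACTIONS = frozenset({
    "microsoft.directory/applications/basic/update",
    "microsoft.directory/applications/credentials/update",
    "microsoft.directory/applications/standard/read",
    "microsoft.directory/groups.security/members/update",
    "microsoft.directory/users/standard/read",
    "microsoft.directory/signInReports/allProperties/read",
})


def find_invalid_actions(actions, allowed=ALLOWED_ACTIONS):
    """Return the actions Graph would reject, so the POST fails locally first."""
    return sorted(a for a in actions if a not in allowed)


def build_role_definition(display_name, description, actions, allowed=ALLOWED_ACTIONS):
    """Return the unifiedRoleDefinition request body, or raise on unknown actions."""
    bad = find_invalid_actions(actions, allowed)
    if bad:
        raise ValueError(f"not permitted in custom roles: {bad}")
    return {
        "displayName": display_name,
        "description": description,
        "isEnabled": True,
        # One rolePermissions entry carrying the de-duplicated action list.
        "rolePermissions": [{"allowedResourceActions": sorted(set(actions))}],
    }


def build_request(body, access_token):
    """Return (method, url, headers, payload) for any HTTP client (curl, requests, Postman)."""
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    return "POST", GRAPH_ROLE_DEFINITIONS, headers, json.dumps(body)


if __name__ == "__main__":
    # Hypothetical role: read apps and rotate their credentials, nothing else.
    body = build_role_definition(
        "App Credential Rotator",
        "May read applications and rotate their credentials",
        [
            "microsoft.directory/applications/standard/read",
            "microsoft.directory/applications/credentials/update",
        ],
    )
    method, url, _, payload = build_request(body, "<ACCESS_TOKEN placeholder>")
    print(method, url)
    print(payload)
```

Keeping the validation in front of the POST turns the portal’s “permission not allowed” error into a local failure with the offending action named, which is also a cheap guard against a role definition silently growing a wildcard-like permission during review.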
Azure resources
But for Azure resource roles the story is totally different. You can still use JSON files to create the roles, but you also have the ability to clone the existing built-in roles.
If we choose Key Vault Administrator for cloning, we will see the following.
In the JSON tab you can download the content and use it for a new role, or go Next, Next, Finish to create and assign the role.
Or create it with the REST API (Postman + bearer token) or with the Azure CLI.
If in doubt about how to use the CLI or web requests (Invoke-WebRequest or curl), see this post.
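Cloning a built-in role is the fastest route, but the clone is only useful once it is narrowed: a custom name, a tighter assignable scope and the operations you do not want carved out. The block below is an added example (not the post’s own code or Microsoft’s definition) that performs that narrowing on a constructed stand-in for a built-in role and emits the JSON that `az role definition create --role-definition @file.json` accepts; BUILTIN_SAMPLE and the subscription id are placeholders.

```python
"""Clone a built-in Azure resource role into a narrower custom role.

Added example, not from the original post. The dictionary keys are the Azure
RBAC role-definition JSON format used by the Azure CLI; BUILTIN_SAMPLE is a
constructed stand-in, not the real Key Vault Administrator definition.
"""
import json

# Constructed sample of a built-in role as the portal's JSON tab would show it.
BUILTIN_SAMPLE = {
    "Name": "Sample Vault Administrator",
    "IsCustom": False,
    "Description": "Constructed sample, not the real built-in role.",
    "Actions": ["Microsoft.Authorization/*/read", "Microsoft.KeyVault/*"],
    "NotActions": [],
    "DataActions": ["Microsoft.KeyVault/vaults/*"],
    "NotDataActions": [],
    "AssignableScopes": ["/"],
}


def clone_role(builtin, new_name, description, assignable_scopes,
               drop_actions=(), drop_data_actions=()):
    """Copy a role, mark it custom, and narrow its scope and permissions."""
    if not assignable_scopes:
        raise ValueError("a custom role needs at least one assignable scope")
    if "/" in assignable_scopes:
        # Custom roles can be assignable at management group, subscription or
        # resource group scope, never at the tenant root.
        raise ValueError("custom roles cannot be assignable at the root scope '/'")
    # Deep-enough copy so the built-in dictionary is left untouched.
    role = {k: (list(v) if isinstance(v, list) else v) for k, v in builtin.items()}
    role["Name"] = new_name
    role["IsCustom"] = True
    role["Description"] = description
    role["AssignableScopes"] = list(assignable_scopes)
    # Narrow through NotActions/NotDataActions: the cloned wildcards keep
    # working, and the operations you name here are carved out of them.
    role["NotActions"] = sorted(set(role["NotActions"]) | set(drop_actions))
    role["NotDataActions"] = sorted(set(role["NotDataActions"]) | set(drop_data_actions))
    return role


def to_cli_json(role):
    """Serialise the definition as the file passed to `az role definition create`."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    custom = clone_role(
        BUILTIN_SAMPLE,
        "Vault Operator (no secret deletion)",
        "Clone of the sample role that cannot delete secrets",
        ["/subscriptions/00000000-0000-0000-0000-000000000000"],  # placeholder id
        drop_data_actions=["Microsoft.KeyVault/vaults/secrets/delete"],
    )
    print(to_cli_json(custom))
```

Write the output to a file and run `az role definition create --role-definition @role.json`; the same JSON is what the portal’s JSON tab expects when you paste a definition instead of clicking through the wizard.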
Use PIM
To reduce the risks of excessive, pointless, or erroneous access permissions to crucial resources, Privileged Identity Management (PIM) offers time-based and approval-based role activation. It covers resources in Azure Active Directory (Azure AD), Azure, and other Microsoft Online Services such as Microsoft 365 and Microsoft Intune.
PIM enables you to allow a specific set of actions at a particular scope. Key features include:
- Provide just-in-time privileged access to resources
- Assign eligibility for membership or ownership of privileged access groups
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multifactor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
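Several of the features above (time-bound access, mandatory justification, activation of an eligible role) come together in a single activation request. As an added example that is not part of the original post, the block below builds such a request in the shape of the Microsoft Graph v1.0 roleAssignmentScheduleRequest resource and enforces two client-side checks a practitioner would want: a non-empty justification and a duration under an assumed policy cap. The principal and role ids are placeholders, and the eight-hour cap is an assumption for the example, not a PIM default.

```python
"""Build a time-bound, justified PIM self-activation request.

Added example, not from the original post. The body follows the Microsoft Graph
v1.0 roleAssignmentScheduleRequest resource, POSTed to
/roleManagement/directory/roleAssignmentScheduleRequests. IDs are placeholders
and MAX_ACTIVATION is an assumed policy cap for this example.
"""
import json
import re
from datetime import datetime, timedelta, timezone

GRAPH_SCHEDULE_REQUESTS = (
    "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests"
)
MAX_ACTIVATION = timedelta(hours=8)  # assumed activation cap, set by your PIM role settings
DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_iso_duration(duration):
    """Parse the PTnHnM subset of ISO 8601 durations PIM uses for activations."""
    m = DURATION_RE.match(duration)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {duration}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)


def build_activation_request(principal_id, role_definition_id, justification,
                             duration="PT1H", scope="/", now=None):
    """Return the selfActivate request body, or raise if it would violate policy."""
    if not justification.strip():
        raise ValueError("PIM activations must carry a justification")
    if parse_iso_duration(duration) > MAX_ACTIVATION:
        raise ValueError(f"{duration} exceeds the assumed policy cap of {MAX_ACTIVATION}")
    start = (now or datetime.now(timezone.utc)).replace(microsecond=0)
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": scope,  # "/" means tenant-wide, an AU id narrows it
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": start.isoformat().replace("+00:00", "Z"),
            "expiration": {"type": "AfterDuration", "duration": duration},
        },
    }


if __name__ == "__main__":
    body = build_activation_request(
        "<principal-object-id placeholder>",
        "<role-definition-id placeholder>",
        "Ticket INC-0000: rotate credentials on app X",
        duration="PT2H",
    )
    print("POST", GRAPH_SCHEDULE_REQUESTS)
    print(json.dumps(body, indent=2))
```

The activation lands in the PIM audit history with the justification text, which is what makes the “use justification to understand why users activate” feature useful to whoever reviews that history later.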
To use Privileged Identity Management, you must have one of the following licenses:
- Azure AD Premium P2
How to enable?
A couple of months ago I wrote a study series for AZ-500, in which I also covered PIM; see the following post for PIM activation.
And Privileged Access Groups
But if you want to assign a privileged access group to a role for administrative access to Exchange, the Security & Compliance Center, or SharePoint, use the Azure AD portal’s Roles and Administrators experience rather than the Privileged Access Groups experience to make the user or group eligible for activation into the group.
So, with that in mind, let’s see what it’s all about.
You can create different just-in-time policies for each group and will be able to activate several roles at once.
How to enable?
Yeah, sure
And then activate
And you can see it under PIM control plane.
And we can mix Active and Eligible assignments
And the permanently active ones
Make it an M365 group
We chose to create an M365 group at the beginning, and it will also show up inside the Microsoft 365 admin center.
So, let’s see if we can Teamify this group.
The options
We have at least three options here: use Microsoft Graph, use the PnP PowerShell module, or create a new team as the owner of the group (the almighty Approval).
From Teams
You can enable the group from Teams directly as the owner of the group.
Once the group members log in to Teams they will see the new team.
Graph
You can also do it with Graph if you want, and the same requirements apply.
In order to create a team, the group must have at least one owner.
Due to replication delays, if the group was created less than 15 minutes ago, the Create team request could fail with a 404 error code. The suggested practice is to retry the Create team call three times with a 10-second gap between calls.
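The owner precondition and the 404 retry above are easy to get wrong in a script (retrying every error, or retrying forever). The following is an added example, not code from the original post: it wraps the Graph v1.0 “create team from group” call (`PUT /groups/{id}/team`) with exactly the retry policy described, and takes the HTTP sender and the owner lookup as injectable callables so the flow runs offline with fakes; the group id and the minimal team settings body are placeholders.

```python
"""Create a Team from an existing M365 group, retrying only on 404.

Added example, not from the original post. `send` and `get_owner_count` are
injectable callables so the logic can be exercised without a tenant; in real
use they wrap HTTP calls carrying a bearer token. The group id is a placeholder.
"""
import time

GRAPH = "https://graph.microsoft.com/v1.0"
# Minimal team settings body for PUT /groups/{id}/team (placeholder choices).
TEAM_BODY = {"memberSettings": {"allowCreatePrivateChannels": True}}


def create_team_from_group(group_id, send, get_owner_count,
                           attempts=3, delay_seconds=10, sleep=time.sleep):
    """PUT /groups/{id}/team; retry up to `attempts` times on 404 (replication lag).

    `send(method, url, body)` returns an HTTP status code.
    `get_owner_count(group_id)` returns the number of owners on the group.
    Any status other than success or 404 is a real failure and is not retried.
    """
    if get_owner_count(group_id) < 1:
        raise ValueError("group must have at least one owner before a team can be created")
    url = f"{GRAPH}/groups/{group_id}/team"
    last_status = None
    for attempt in range(1, attempts + 1):
        last_status = send("PUT", url, TEAM_BODY)
        if last_status in (200, 201, 202):
            return {"status": last_status, "attempts": attempt}
        if last_status != 404:
            raise RuntimeError(f"create team failed with HTTP {last_status}")
        if attempt < attempts:
            sleep(delay_seconds)
    raise RuntimeError(f"gave up after {attempts} attempts, last status {last_status}")


if __name__ == "__main__":
    # Fake transport: two 404s from replication lag, then success (constructed).
    responses = iter([404, 404, 201])

    def fake_send(method, url, body):
        print(f"{method} {url}")
        return next(responses)

    result = create_team_from_group("<group-id placeholder>", fake_send,
                                    get_owner_count=lambda gid: 1,
                                    sleep=lambda s: print(f"waiting {s}s"))
    print(result)
```

In production, `send` would be a thin wrapper around your HTTP client that returns `response.status_code`, and `get_owner_count` would call `GET /groups/{id}/owners` and count the results; keeping them injectable is what makes the retry policy itself testable.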
With PnP
With PnP you can do it with PowerShell; you just have to install the module and follow these instructions.
How to install the modules
```powershell
Install-Module -Name "PnP.PowerShell"
```
The modules used
Sentinel collaboration in Teams (Public preview)
Did you know that Sentinel already has this feature? You can have all the incident details inside a team, and once the case is closed it will be archived and stored for future reference, or simply to keep a backlog of the deeds done during the investigation and remediation.
In order to create teams from Microsoft Sentinel:
- The user creating the team must have Incident write permissions in Microsoft Sentinel. For example, the Microsoft Sentinel Responder role is an ideal, minimum role for this privilege.
- The user creating the team must also have permissions to create teams in Microsoft Teams.
- Any Microsoft Sentinel user, including users with the Reader, Responder, or Contributor roles, can gain access to the created team by requesting access.
Closure
In this part we discovered how we can protect high-privileged users and roles with PIM, how to activate multiple roles at once through a privileged access group, and also how to collaborate with the users holding the role.
Automating the process of granting permissions and removing them accordingly is an important part of keeping your environments out of harm’s way.
In the next part, more Identity do’s and don’ts. Stay tuned!
Hackers don’t break in – they log in.