Posted in: Active Directory, Azure, Uncategorized. By Fredrik Lysén

3 months ago

Increase protection with Strong Auth and Named locations on PIM Activation

Today almost every organization uses MFA to protect users and data. But since there are many ways to bypass MFA, how do we increase the protection of your Azure environment and other PIM-enabled resources, groups and applications? And how do you increase the protection of your sensitive PIM escalation groups and roles?

Let's say a service desk employee wants to take control of your Azure environment: the user could simply add themselves to an Entra ID group that has access to the Azure environment. One way to protect against this is to enable the following setting on the specific group: Microsoft Entra roles can be assigned to the group -> Yes. Then only owners of the group and highly privileged Azure AD roles can add users. In some scenarios you want higher protection of your sensitive data. And since, for instance, Enterprise-Scale by Microsoft and Terraform lack the ability to enforce this setting when groups are created, we should consider implementing the solution described below.

What is Privileged Identity Management

Privileged Identity Management (PIM) is a service in Microsoft Entra ID that helps you manage, control, and monitor access to important resources in your environment. It can be used for your resources in Microsoft Entra ID, Azure, Microsoft 365 or Intune. Depending on your task, you can choose between managing Azure AD roles, Azure resources or PIM for groups.

Conditional Access Authentication context

Authentication Context is implemented to ensure that access to sensitive data and resources is granted only under the right conditions. This helps you enhance your organization's security and mitigate the risks associated with unauthorized access. With Authentication Context, a tag is created that lets you label resources that need protection and control access to them in a more granular way. This label can be used together with PIM.

Implement Conditional Access Authentication context

When combining PIM and Conditional Access Authentication Context you can create a robust security framework for privileged identities.

  1. In your Azure Portal navigate to: Conditional Access -> Authentication Context
  2. Select New authentication context
  3. Write a name and description that describe your purpose.
  4. Make sure to Publish to apps.
  5. Choose an ID that is available.

Create a new Conditional Access Policy with Authentication Context

  1. In your Azure portal navigate to: Conditional Access -> Policies -> New Policy
  2. Scope policy to eligible users of the role
  3. Cloud apps or actions: Set policy to Authentication context and choose authentication context previously created
  4. Grant: Go to Grant access -> Require authentication strength -> Phishing-resistant MFA
  5. Set policy to ON and create.

Alternative: Conditional Access limiting based on location

Let's say you have different suppliers or don't have the possibility to enforce a policy with phishing-resistant MFA. One option is then to limit which locations are allowed to use PIM, so that you can only activate Owner/Contributor through PIM from a specific location. The policy would then look like this:

  1. In your Azure portal navigate to: Conditional Access -> Policies -> + New Policy
  2. Scope policy to all users
  3. Cloud apps or actions: Set policy to Authentication context and choose authentication context previously created
  4. Conditions: Choose Locations: Include: Any location. Exclude: Named location that should have access to these resources.
  5. Grant: Choose Block access
  6. Set policy to ON and create.
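The authentication context and both policies above, created through Microsoft Graph with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not the post's own code; the context id c1 and the group, named location and emergency-access account ids are placeholders you supply.

```powershell
# Assumes the Microsoft.Graph PowerShell SDK; the three ids below are placeholders.
$eligibleGroupId  = "<object-id-of-PIM-eligible-group>"
$namedLocationId  = "<object-id-of-approved-named-location>"
$breakGlassUserId = "<object-id-of-emergency-access-account>"
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Step 1: create the authentication context. isAvailable = "Publish to apps" in the portal.
$ctx = @{
    id          = "c1"          # assumed free; the portal lists the available ids
    displayName = "PIM activation - privileged Azure roles"
    description = "Activation of Owner/Contributor through PIM"
    isAvailable = $true
}
New-MgIdentityConditionalAccessAuthenticationContextClassReference -BodyParameter $ctx

# Step 2a: require phishing-resistant MFA for the eligible users whenever c1 is requested.
# 00000000-0000-0000-0000-000000000004 is the built-in "Phishing-resistant MFA" strength.
$mfaPolicy = @{
    displayName   = "PIM - require phishing-resistant MFA (c1)"
    state         = "enabled"
    conditions    = @{
        users        = @{ includeGroups = @($eligibleGroupId) }
        applications = @{ includeAuthenticationContextClassReferences = @("c1") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Step 2b (alternative): block c1 for all users unless they come from the named location.
# The emergency-access account is excluded so the block cannot lock the tenant out.
$locationPolicy = @{
    displayName   = "PIM - block activation outside approved location (c1)"
    state         = "enabled"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassUserId) }
        applications = @{ includeAuthenticationContextClassReferences = @("c1") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($namedLocationId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $locationPolicy

# Check: list every policy that actually references c1, together with its state.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Applications.IncludeAuthenticationContextClassReferences -contains "c1" } |
    Select-Object DisplayName, State
```

The final check is the one to rerun after any policy change: a context that no enabled policy references is a label without an enforcement, and PIM activation for the tagged role will proceed unprotected.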

Tag Authentication Context to your PIM roles

Do the following for each subscription that you want to protect with PIM and Authentication Context.

Go to Privileged Identity Management -> Azure resources, choose the subscription that you want to activate with authentication context, and choose Manage resources.

An overview page for the subscription loads; under Manage, choose Settings.

Now choose the roles that you want to protect, which should at least be Contributor and Owner but could include others based on your specific setup. Let's start with Owner:

Remember to also move your Entra ID groups holding the Contributor and Owner roles from active assignments to eligible assignments.
