One of risual’s multinational clients had a large number of administrators in Azure Active Directory (Azure AD) who were all permanently assigned to highly privileged Azure AD roles. Some users were also permanently assigned roles on Azure subscriptions; this was picked up by security auditors.


risual worked with the client to implement Privileged Identity Management (PIM) in Azure AD.


Firstly, risual reviewed the existing Azure AD and Azure subscription roles with the client and encouraged them to remove any unnecessary accounts from those roles.

The second step was to move away from permanently assigning roles to accounts and instead make accounts eligible for those roles. An eligible user must complete Multi-Factor Authentication (MFA) to activate a role, and the activation grants the privilege only for a defined time period.

The work was performed in a phased approach, addressing the highly privileged roles first, since those could do the most damage if compromised. Documentation and demonstrations were also provided for the support teams, as activating a role in PIM requires a different process from the one their administrators were used to.


The number of accounts with permanent access to highly privileged roles in Azure AD, and on Azure subscriptions, has now been drastically reduced, and security scores have improved.

User accounts now hold a role only for a configured time period, agreed to be the time required to perform the work. Therefore, if an admin's Azure AD account were compromised, it would not hold any highly privileged roles by default; and if the attacker then attempted to activate a role in PIM, they would need to pass MFA (in this case, approving a notification on the device associated with that account) to do so, making success much less likely.
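The steps described above (review permanent assignments, convert them to eligible assignments, require MFA and a time-boxed window for activation, and the admin's self-activation) as an added PowerShell example using the Microsoft Graph PowerShell SDK. This is not risual's or the client's code. The role names are the real built-in Azure AD role names; the role list, the 8-hour maximum window, the 4-hour activation, the justification text and the directory scope "/" are placeholders chosen for illustration, and the cmdlet parameter names are those of the Graph PowerShell SDK as documented (treat them as an assumption to verify against your installed SDK version).

```powershell
# Added example (not the client's or risual's own script). Requires the Microsoft.Graph
# module and an account holding Privileged Role Administrator. All IDs are resolved at
# run time; the role list, durations and justification strings are assumptions.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory",
                        "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "RoleManagementPolicy.ReadWrite.Directory"

# Phase 1 targets: the roles that can do the most damage if compromised (assumed list).
$highPrivRoles = @("Global Administrator", "Privileged Role Administrator", "Security Administrator")

foreach ($roleName in $highPrivRoles) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

    # Step 1 (review): active assignments with no end date are the permanent ones the auditors flagged.
    $permanent = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
        -Filter "roleDefinitionId eq '$($role.Id)' and assignmentType eq 'Assigned'" |
        Where-Object { -not $_.EndDateTime }

    foreach ($a in $permanent) {
        Write-Host "$roleName : permanent assignment for principal $($a.PrincipalId)"

        # Step 2: make the principal eligible for the role (no expiry on eligibility itself) ...
        New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -Action "adminAssign" `
            -PrincipalId $a.PrincipalId -RoleDefinitionId $role.Id -DirectoryScopeId "/" `
            -Justification "Converted from permanent assignment to PIM eligibility after audit" `
            -ScheduleInfo @{ startDateTime = (Get-Date).ToUniversalTime(); expiration = @{ type = "noExpiration" } }

        # ... and then remove the permanent active assignment.
        New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -Action "adminRemove" `
            -PrincipalId $a.PrincipalId -RoleDefinitionId $role.Id -DirectoryScopeId "/" `
            -Justification "Replaced by PIM eligible assignment"
    }

    # Role settings live in the PIM policy bound to this role at directory scope.
    $policyId = (Get-MgPolicyRoleManagementPolicyAssignment `
        -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'").PolicyId
    $endUserTarget = @{ caller = "EndUser"; operations = @("All"); level = "Assignment" }

    # Activation window: assumed 8 hours, the period agreed with the support teams.
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" `
        -BodyParameter @{
            "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
            id                   = "Expiration_EndUser_Assignment"
            isExpirationRequired = $true
            maximumDuration      = "PT8H"
            target               = $endUserTarget
        }

    # Activation requires MFA (and a written justification) from the activating user.
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" `
        -BodyParameter @{
            "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
            id            = "Enablement_EndUser_Assignment"
            enabledRules  = @("MultiFactorAuthentication", "Justification")
            target        = $endUserTarget
        }
}

# What an eligible admin now does for a piece of work: self-activate for a bounded period.
# PIM enforces the MFA requirement from the policy; without a fresh MFA claim the request is rejected.
$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$me = Get-MgUser -UserId (Get-MgContext).Account
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -Action "selfActivate" `
    -PrincipalId $me.Id -RoleDefinitionId $ga.Id -DirectoryScopeId "/" `
    -Justification "Planned change window (placeholder justification)" `
    -ScheduleInfo @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }   # must not exceed the policy maximum
    }
```

The two `Update-MgPolicyRoleManagementPolicyRule` calls are the part that turns eligibility into a real control: without the enablement rule an attacker holding a stolen session could activate the role without a second factor, and without the expiration rule an activation could be requested for an unbounded period. Run the conversion loop in phases, one role at a time, and confirm that break-glass accounts are excluded from it before removing any permanent assignment.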

Next Steps

Access reviews can be set up in Privileged Identity Management (PIM) in Azure AD to give visibility of whether, and when, accounts are activating their roles, and therefore a better view of whether a given role is actually required for an account. These reviews can be configured to run once or on a schedule; a number of actions can be applied automatically on completion, or designated reviewers can be assigned to review and action the results.
