11/4/2023

Security defaults azure

For most of 2019, I was digging into Office 365 and Azure AD and looking at features as part of the development of the new Trimarc Microsoft Cloud Security Assessment, which focuses on improving customer Microsoft Office 365 and Azure AD security posture. As I went through each of them, I found one that was very interesting. In May 2020, I presented some Microsoft Office 365 & Azure Active Directory security topics in a Trimarc Webcast called “Securing Office 365 and Azure AD: Protect Your Tenant” and included the attack path described in this article, which takes advantage of a little-known feature.

While Azure leverages Azure Active Directory for some things, Azure AD roles typically don’t directly affect Azure (or Azure RBAC). This article details a known configuration (at least to those who have dug into Azure AD configuration options) where it’s possible for a Global Administrator (aka Company Administrator) in Azure Active Directory to gain control of Azure through a tenant option. This is “by design” as a “break-glass” (emergency) option that can be used to (re)gain Azure admin rights if such access is lost. In this post I explore the danger associated with this option as it is currently configured (as of May 2020). Most of the research around this issue was performed during August 2019 through December 2019, and Microsoft may have incorporated changes since then in functionality and/or capability.

The key takeaway here is that if you don’t carefully protect and control Global Administrator role membership and associated accounts, you could lose positive control of systems hosted in all Azure subscriptions as well as Office 365 service data.

In this scenario, Acme has an on-premises Active Directory environment. Acme embraced Azure Infrastructure as a Service (IaaS) as an additional datacenter and deployed Domain Controllers to Azure for their on-prem AD (as their “cloud datacenter”). Acme IT locked down the DCs following hardening advice and limited Azure administration to the VMs hosting the DCs. Acme has other sensitive applications hosted on servers in Azure.

Acme signed up for Office 365 and started a pilot. All of the Active Directory and Exchange admins (and many other IT admins) were granted temporary Global Administrator (aka Global Admin or GA) rights to facilitate the pilot. So there are more Global Admins than there should be, and they are not well protected.

The Global Administrator role provides full admin rights to Azure AD and ultimately all Office 365 services. The Microsoft online document provides key information (): note that nothing is stated there about Azure capability.

Once we have access to the Azure AD portal (which, by default, typically any Azure AD user can reach), we can view several configuration settings for Azure Active Directory that control many aspects of Office 365. The Directory Properties page now includes the new Manage Security Defaults option. Towards the bottom is the “Access management for Azure resources” toggle. According to Microsoft documentation, toggling this option from No to Yes adds the account to the User Access Administrator role in Azure RBAC at the root scope (“/”), which has control over all subscriptions in the tenant. While this option is configured in the Directory Properties section, it is actually a per-account setting: it elevates the account that flips it, not the tenant as a whole. This option is only available to accounts that are members of the Global Administrator role. This “magic button” provides the ability to manage Azure role assignments, but no direct Azure rights (to VMs); rights to resources follow from the role assignments it allows the account to make.

Attacker Moves from Office 365 Global Admin to Shadow Azure Subscription Admin

The attacker password sprays the Acme Office 365 environment and identifies a Global Admin account that doesn’t have MFA (multi-factor authentication). Since less than 10% of Global Admins have MFA configured, this is a real threat. In this example, the Office 365 Global Admin account “AzureAdmin” is compromised. The attacker creates a new Global Admin account (or leverages an existing account). With Global Admin rights, the “Access management for Azure resources” toggle described above is available to that account, and flipping it makes the account User Access Administrator at the root scope of the tenant’s Azure hierarchy.
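The check a defender wants after reading the above is whether anyone in the tenant has already used this toggle, and who. The PowerShell below is an added example for this post, not the author’s or Microsoft’s code. It assumes the Az PowerShell module is installed, Connect-AzAccount has already been run, and the signed-in account can read role assignments at the root scope “/” (an account that has not itself elevated will normally get an authorization error or an empty result there). The sign-in name in the cleanup step is hypothetical.

```powershell
# Added example (not from the original post).
# Assumes: Az module installed, Connect-AzAccount already run, and the caller can read
# role assignments at root scope "/". Non-elevated accounts usually cannot, so an error
# or empty result at step 1 does not mean nobody is elevated.

# 1. Who currently holds User Access Administrator at the root scope?
#    This is precisely what the "Access management for Azure resources" toggle grants.
$rootUaa = Get-AzRoleAssignment -Scope '/' |
    Where-Object { $_.RoleDefinitionName -eq 'User Access Administrator' -and $_.Scope -eq '/' }

if ($rootUaa) {
    Write-Warning "Accounts with elevated (root-scope) access:"
    $rootUaa | Select-Object DisplayName, SignInName, ObjectType, Scope | Format-Table -AutoSize
} else {
    Write-Host "No root-scope User Access Administrator assignments visible to this caller."
}

# 2. Who flipped the toggle recently? The elevateAccess action is recorded in the
#    tenant-level Directory Activity log (Microsoft.Insights eventtypes endpoint),
#    not in any single subscription's Activity Log blade. Only the first page of
#    results is read here; follow nextLink in the response for older entries.
$since = (Get-Date).AddDays(-90).ToUniversalTime().ToString('s') + 'Z'
$path  = "/providers/Microsoft.Insights/eventtypes/management/values" +
         "?api-version=2015-04-01&`$filter=eventTimestamp ge '$since'"
$resp  = Invoke-AzRestMethod -Method GET -Path $path
$events = ($resp.Content | ConvertFrom-Json).value |
    Where-Object { $_.operationName.value -eq 'Microsoft.Authorization/elevateAccess/action' }

$events |
    Select-Object eventTimestamp, caller, @{ n = 'Status'; e = { $_.status.value } } |
    Sort-Object eventTimestamp |
    Format-Table -AutoSize

# 3. Cleanup: remove an elevation that should not persist. The sign-in name below is a
#    hypothetical placeholder; take it from step 1 after confirming the account is not a
#    sanctioned break-glass account.
# Remove-AzRoleAssignment -SignInName 'azureadmin@acme.example' `
#     -RoleDefinitionName 'User Access Administrator' -Scope '/'
```

Step 1 answers “who is elevated right now”, step 2 answers “who pressed the button and when”, which matters because a Global Admin who elevated and then assigned themselves Owner on subscriptions can remove the root-scope User Access Administrator assignment afterwards and disappear from step 1 while keeping the subscription rights.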