Capturing Azure Management Group Activity Logs Using Azure Automation – Part 1

Capturing Azure Management Group Activity Logs Using Azure Automation – Part 1

Hello again fellow geeks!

Over the past few months I’ve been working with a customer who is just beginning their journey into the cloud.  We’ve had a ton of great conversations around security, governance, and operationalizing Microsoft Azure.  We recently finalized the RACI and identified the controls required by both their internal security policy and their industry compliance requirements.  With those two items complete, we put together our Azure RBAC model and narrowed down the Azure Policies we needed to put in place to satisfy our compliance controls.

After a lot of discussion about the customer’s organization, its geographical locations, business unit makeup, and how its developers and central IT operate, we came up with a subscription model.  This customer had decided on an Azure subscription model where each workload would exist in its own subscription.  Further, each workload’s production and non-production environment would be segmented in different subscriptions.  Keeping each workload in a different subscription ensures no workload will compete for resources with other workloads and hit any subscription limits.  Additionally, it allowed the customer to very easily track the costs associated with each workload.

Now why did we use separate production and non-production subscriptions for each workload?  One reason is to address the same risk as above where a non-production workload could potentially consume all resources within a subscription impacting a production workload.  The other more critical reason is it makes it easier for us to apply different governance and access controls on production workloads vs non-production workloads.  The way we do this is through the usage of Azure Management Groups.

Management Groups were introduced into general availability back in late 2018 to help address the challenges organizations were having operating subscriptions at scale.  They provided a hierarchal method to apply governance and access controls across a collection of subscriptions.  For those of you familiar with AWS, Management Groups are somewhat similar to AWS Organizations and Organizational Units.  For my fellow Windows AD peeps, you can think of Management Groups somewhat like the Active Directory container and organizational unit hierarchy in an Active Directory domain where you apply different access control entries and group policy at high levels in the OU hierarchy that is then enforced and inherited down to the children.  Management Groups work in a similar manner in that the Azure RBAC definitions and assignments and Azure Policy you assign to the parent Management Groups are inherited down into the children.

Every Azure AD tenant starts with a top-level management group called the tenant root group.  Additional management groups created within the tenant are children of the group up to a maximum of 10,000 management groups and up to six levels of depth.  Any RBAC assignment or Azure Policy assigned to the tenant root group applies to all children management group in the tenant.  It’s important to understand that Management Groups are a resource within the Azure AD tenant and not a resource of an Azure subscription.  This will matter for reasons we’ll see later.

The tenant root management group can only be administered by a Global Admin by default and even this requires a configuration change in the tenant.  The method is describe here and what it does is places the global administrator performing the action in the User Access Administrator RBAC role at the root of scope.  Once that is complete, the name of the root management group could be changed, role assignments created, or policy assigned.

Screen Shot 2019-10-17 at 9.59.59 PM

Administering Tenant Root Group

Now there is one aspect of Management Groups that is a bit funky.  If you’re very observant you probably noticed the menu option below.

Screen Shot 2019-10-17 at 9.59.59 PM.png

That’s right folks, Management Groups have their own Activity Log.  Every action you perform at the management group scope such creating an Azure RBAC role assignment or assigning or un-assigning an Azure Policy is captured in this Activity Log.  Now as of today, the only way to access these logs is viewing them through the portal or through the Azure REST API.  Unlike the Activity Logs associated with a subscription, there isn’t native integration with Event Hubs or Azure Storage.  Don’t be fooled by the Export To Event Hub link seen in the screenshot below, this will simply send you to the standard menu where you would configure subscription Activity Logs to be exported.

Screen Shot 2019-10-17 at 10.34.19 PM

Now you could log into the GUI every day and export the logs to a CSV (yes that does work with Management Groups) but that simply isn’t scalable and also prevents you from proactively monitoring the logs.  So how do we deal with this gap while the product team works on incorporating the feature?  This will be the challenge we address in this series.

Over the next few posts I’ll walk through the solution I put together using Azure Automation Runbooks to capture these Activity Logs and send them to Azure Storage for retention and an Azure Log Analytics Workspace for analysis and monitoring using Azure Monitor.

Continue the series in my second post.

Exploring Azure AD Privileged Identity Management (PIM) – Part 4 – Access Review and Azure RBAC

Exploring Azure AD Privileged Identity Management (PIM) – Part 4 – Access Review and Azure RBAC

Access Reviews

Welcome to my final post on Azure Active Directory Privileged Identity Management (AAD PIM).  Over this series of posts I’ve provided an overview of the service, guidance on how to set the service up, and a deep dive and look at the user and approver experience.  We’ll wrap up the series by looking at the Access Review feature, take an intermission to look at a new feature, and wrap up with reviewing the Azure RBAC integration.

We have a lot to cover, so let’s jump into it.

As a quick refresher, I’ll be using my Journey Of the Geek tenant.  Within the tenant I have some Office 365 E5 and EMS E5 licenses provisioned.  Our admin user will be initiating the access review and Homer Simpson will acting as a reviewer.

I first log into the Azure Portal as the admin user and open up the AAD PIM shortcut from my dashboard.  Once the application opens, I’m going to navigate to the Azure AD directory roles option.

4aadpim1

After selecting the option my main menu is refreshed to show the management options for the various AAD PIM features.  As a quick refresher, let’s look at the settings I’ve configured for Access Reviews in my tenant.  We navigate to those Settings by clicking the Settings option as seen below and selecting Access Reviews.

4aadpim2

As you can see from the settings in the screenshot below, my tenant is set to send mail notifications to reviewers when a review is started and to admins when it finishes.  It’s also configured for reminders to be sent out to reviewers who haven’t yet completed their review.  I’ve configured reviewers to provider a reason as to why continued access to a privileged role needs to be maintained.  This is a great little option to capture the business requirements behind the access.  Finally, my access reviews are configured to run a total of 30 days.

4aadpim3

Let’s navigate back to the Access Review blade under the management menu.

4aadpim4

On the Access Reviews blade we see a listing of the access reviews in progress.  You can see I setup an access review for users that are members of the Global Admins role.  On the top we have the menu options to start a new access review, filter what access reviews are displayed, change the way they are grouped, and go back to the Access Review settings I showed earlier.

4aadpim5

et’s spin up a new access review for users who are permanent or eligible members of the User Administrators Azure AD role.  We click the Add link and a new blade opens where we can configure a number of options.  We have the basic options of naming the access review, providing a description, and a start and end date.

I’ve selected the User Administrator role as the role being reviewed during this access review.  Notice the Scope option with the Everyone radio button.  Perhaps that’s a placeholder for functionality that will be introduced in the future to limit the users within a role that the access review will cover.  I’ve selected Homer Simpson to be the reviewer for the role.  The advanced settings have inherited the global settings for my tenant for access reviews I covered previously.  Once the information is filled in, I hit the start button to kick off the access review.

4aadpim6

It takes a few minutes for the access review to be created and then it’s displayed in the listing of access reviews with a status of active.

4aadpim7

If we navigate over to Homer Simpson’s Outlook inbox, we see he has received an email informing him an access review has been kicked off and he has been designated as a reviewer and must approve or reject other members’ continued eligibility for the role.

4aadpim8

If we delay acting on the access review for a day we receive another reminder email per our settings.  The email can be seen below.

4aadpim9

If the approvers do not respond to the access review, the review completes but records that none of the users have been reviewed.

4aadpim10.png

Let’s spin up another review and complete this one.

4aadpim11

Homer Simpson again receives the notice that an Access Review has been kicked off.  Clicking the Start Review button in the email opens up the Azure Portal and the AAD PIM blade.  Here Homer gets an overview of the access review including the user who created the review, the length of the review, the description of the review, and the users who are members (permanent or eligible) for the role.

The filter option allows us to filter on the listing of users based upon whether they still need to be reviewed or have been approved or denied.

4aadpim12

We first check off Bart Simpson and see that we are required to input a reason for Bart’s approval or denial.  I input a reason and choose the deny button.  Bart disappears from the menu.  If I use the filter option to show all three categories of users, Bart now reappears under the denied category.

4aadpim13

I check off both Homer and Marge and provide a reason for both users and hit the approve button. All users have been reviewed by Homer Simpson. After refreshing the page the review now shows 0 users remaining to be reviewed.

4aadpim14

Switching over to the browser for the admin user we see that the access review is still open.

4aadpim15

If we open the access review we can see that all users have been reviewed even though the review is still active.  We have the option to Reset the access review to force the approvers to perform the access review activities again or we can stop it.  We’re going to choose end the access review early now that all the reviews have been completed.

4aadpim16

Re-opening the access review, we now have the option to apply the results of it.  After clicking he Apply button the changes are applied and we’re notified via the Portal notification system.

4aadpim17

Navigating to the roles blade under the Manage section now shows only Homer and Marge as being eligible for the User Administrator role verifying that the changes made during the access review have taken effect.

The access review feature is a wonderful addition by Microsoft.  Back in the olden days of Windows Active Directory, managing the entire lifecycle of an identity and its entitlements often involved complex third-party identity management solutions in combination with request management system.  By including this feature out of the gates, Microsoft is showing a real maturity in its identity offerings.

A Brief Intermission

Before I get into what AAD PIM can do for Azure RBAC, I want to touch on a new feature that went into public preview while I was working on this post.  Notice in the Manage section the Roles blade now has a (Preview) notation after it.

4aadpim18

Navigating into the blade shows an entirely new interface with far more useful information.  We now have a complete list of the roles AAD PIM can manage including descriptions.  If we select a role we go a level deeper and can add users to the role as we would expect.

4aadpim19

We also have two new menu options for Description and Definition.  The Description blade opens up and gives us a link to the Microsoft documentation on the role as well as every permissions the role has (AWESOME!).  The Definition blade gives us a JSON view of the role information.  Perhaps we’ll be able to create custom AAD / O365 roles in the future and we’ll be able to use these JSON views as ARM templates?  Time will tell.

4aadpim20

The introduction of this new feature is a great demonstration of how quickly things change in the cloud.

AAD PIM and Azure RBAC

Most organizations consuming Microsoft cloud services don’t just consume Office 365.  These organizations want to yield the benefits of the infrastructure-as-a-Service (IaaS) and platform-as-a-Service (PaaS) services provide by Microsoft’s Azure offering.  Managing authorization in Azure is handled through Azure Role-Based Access Control (RBAC).  In short, Azure RBAC provides a method of authorizing a security principal (user, group, or service principal) to perform an action on a resource (VM, storage account, Azure SQL, etc) based upon membership in a role.  Out of the box Microsoft provides a few roles such as owner, reader, and contributor.  You can also create custom roles to fit your business needs.

 

Similar to Office 365 prior to AAD PIM, preventing standing access of security principals in Azure RBAC roles was left to custom scripts and third-party solutions.  Last year it was announcedthat AAD PIM capabilities were being extended to Azure RBAC.  The integration of AAD PIM and Azure RBAC become generally available in the commercial offering of Azure AD in May of 2018.

For this demonstration I’m going to switch over to my Geek In The Weeds tenant.  Recall that the tenant is a synchronized and federated tenant using Azure AD Connect and Active Directory Federation Services.  I’ve already activated AAD PIM for the tenant so I’ll be jumping right into its integration with Azure RBAC.

After logging into the portal as a user who has permanent membership in the Privileged Role Administrator role I’m faced with the standard admin view of AAD PIM.  In the Manage menu I’m going to select the Azure resources option.

4aadpim21

If this is your first time using AAD PIM with Azure RBAC you’ll need to go through the discovery stage.  This will discover Azure Resources that you have write permissions to and thus have the ability to manage privileged access to.  After discovery is complete you’ll see a screen similar to the below.  You can see that my user is a member of the owners role for the Visual Studio Enterprise Azure subscription and that there are 77 roles defined for the subscription with three security principals holding one or more roles.

4aadpim22

Selecting the subscription resource gives us a dashboard displaying key metrics about PIM activity within the subscription.

4aadpim23.png

One of the metrics that caught my eye was the single user in the User Access Administrator role.  Selecting that area of the dashboard opens a new blade which lists out the members of the role.  We can see the service principal for PIM has been added to the User Access Administrator role to grant the service permissions to administer the roles within the resource (in this case a subscription).

4aadpim24

Notice also that the PIM menu for managing Azure AD/Office 365 differs for the menu for managing Azure RBAC.  We see that the new Role options I outlined above haven’t been migrated to the Azure RBAC integration yet.  Additionally we see that the request approval workflow is still in public preview in Azure RBAC.  In the Azure RBAC menu we also get a Resource Audit log which details PIM activity within the resource.

4aadpim25

Notice also that the general Settings option isn’t present in the Azure RBAC menu.  Instead we have a Role Settings option.  Selecting this option opens a new blade that lists out the Roles associated with the Resource.  Selecting any of the resources opens a new blade where we have the options of configuring a large selection of options for the role for both assignment (making the user eligible or a permanent member) as well as activation.  If you recall the configurable options for the Azure AD / Office 365 roles, these are far more granular.  The additional flexibility makes sense because these roles are going to managing IaaS and PaaS resources which are much more catered to programmatic access by non-humans.  The non-human access tends to be much more predictable than human access, so enforcing controls such as temporary eligibility for a role makes a lot of sense.

4aadpim26

Let’s take a look at what the experience is adding a user to one of the RBAC roles.  The process is very similar to AAD PIM with Azure AD / Office 365 in that we select the Roles option from the Manage section.  For this demonstration I’m going to add a user to the Virtual Machine Contributor role.

Clicking the Add Member option allows me to assign Ash Williams as an eligible member of the role.  Notice the additional option called Set membership settings.  Here I can set a timespan that Ash is eligible for the role.  This option isn’t available in AAD PIM for Azure AD / Office 365 that I could see.

4aadpim27

After hitting the add button Ash is successfully added as a Direct member to the role.  Notice that I can also add groups as members of the Role.  This is another capability unit to the Azure RBAC integration.

4aadpim28

Let’s go through the user experience for activating a role.  For the sake of simplicity I’m going to cover differences in the user experience.  You can reference my third post if you’re curious of the full user experience.

At this point I’ve logged into a virtual machine as Ash Williams and have authenticated to the Azure Portal.  I’ve entered the Azure resources blade.  Here we see the user being informed that no Azure resources are protected by PIM.  In this instance hitting the Discover resources permission will not update this menu because Ash Williams isn’t a member of any role that would grant him write permissions on an Azure Resource.  Instead I’m going to click the Activate Role button.

4aadpim29

After clicking the Activate role button I’m shown the roles Ash Williams is eligible to activate.  Notice Ash has the ability to activate the role due to both his direct membership and his membership in the GIW AIP Users group.  I’d recommend leveraging groups for this access where possible so you don’t get in the situation where you grant a security principal longer access to the role than you wanted due to a direct role assignment situation.

4aadpim30

he activation experience and approval experience is the same from this point forward so I’m going stop here.

Summing It Up

I really enjoyed this blog series.  I hadn’t done a deep dive into AAD PIM since it was in public preview and much has changed since then.  I really like how Microsoft is finally exposing capabilities which have historically been more Azure AD / Office 365 centric to Microsoft Azure.  It’s an excellent marketing tool for companies who may already be using Office 365 but are using another cloud provider for IaaS and PaaS. The product team has also done great job integrating much needed features such as approval workflows, access reviews, and metrics.

I’m not going to have the time to do a post about the AAD PIM PowerShell module but I recommend you check it out if you have some bandwidth.  There are some great opportunities there to integrate PIM functionality with third party workflow management tools to automate the entire user experience behind a GUI you users are already familiar with.

That wraps up my series on Azure AD Privileged Identity Management.  I hope you enjoyed it as much as I did.

See you next post!

Exploring Azure AD Privileged Identity Management (PIM) – Part 1

Exploring Azure AD Privileged Identity Management (PIM) – Part 1

We’re going to take a break from Azure Information Protection and shift our focus to Azure Active Directory Privileged Identity Management (AAD PIM).

If you’ve ever had to manage an application, you’re familiar with the challenge of trying to keep a balance between security and usability when it comes to privileged access.  In many cases you’re stuck with users that have permanent membership in privileged roles because the impact to usability of the application is far too great to manage that access on an “as needed basis” or as we refer to it in the industry “just in time” (JIT).   If you do manage to remove that permanent membership requirement (often referred to as standing privileged access) you’re typically stuck with a complicated automation solution or a convoluted engineering solution that gives you security but at the cost of usability and increasing operational complexity.

Not long ago the privileged roles within Azure Active Directory (AAD), Office 365 (O365), and Azure Role-Based Access Control had this same problem.  Either a user was a permanent member of the privileged role or you had to string together some type of request workflow that interacted with the Graph API or triggered a PowerShell script.  In my first entry into Azure AD, I had a convoluted manual process which involved requests, approvals, and a centralized password management system.  It worked, but it definitely impacted productivity.

Thankfully Microsoft (MS) has addressed this challenge with the introduction of Azure AD Privileged Identity Management (AAD PIM).  In simple terms AAD PIM introduces the concept of an “eligible” administrator which allows you to achieve that oh so wonderful JIT.  AAD PIM is capable of managing a wide variety of roles which is another area Microsoft has made major improvements on.  Just a few years ago close to everything required being in the Global Admin role which was a security nightmare.

In addition to JIT, AAD PIM also provides a solid level of logging and analytics, a centralized view into what users are members of privileged roles, alerting around the usage of privileged roles, approval workflow capabilities (love this feature), and even provides an access review capability to help with access certification campaigns.  You can interact with AAD PIM through the Azure Portal, Graph API, or PowerShell.

To get JIT you’ll need an Azure Active Directory Premium P2 or Enteprise Mobility and Security E5 license.  Microsoft states that every use that benefits from the feature requires a license.  While this is a licensing requirement, it’s not technically enforced as we see in my upcoming posts.

You’re probably saying, “Well this is all well and good Matt, but there is nothing here I couldn’t glean from Microsoft documentation.”  No worries my friends, we’ll be using this series to walk to demonstrate the capabilities so you can see them in action.  I’ll also be breaking out my favorite tool Fiddler to take a look behind the scenes of how Microsoft manages to elevate access for the user after a privileged role has been activated.