Exploring Azure AD Privileged Identity Management (PIM) – Part 3 – Deep Dive

Welcome back fellow geeks to my third post in my series covering Azure AD Privileged Identity Management (AAD PIM).  In my first post I provided an overview of the service and in my second post I covered the initial setup and configuration of PIM.  In this post we’re going to take a look at role activation and approval, and then look behind the scenes to see if we can figure out what makes the magic of AAD PIM work.

The lab I’ll be using consists of a non-domain joined Microsoft Windows 10 Professional version 1803 virtual machine (VM) running on Hyper-V in my home lab.  The VM has a local user configured that is a member of the Administrators group.  I’ll be using Microsoft Edge and Google Chrome as my browsers and running Telerik’s Fiddler to capture the web conversation.  The users in this scenario will be sourced from the Journey Of The Geek tenant; one will be licensed with Office 365 E5 and EMS E5 and the other will be licensed with just EMS E5.  The tenant is not synchronized from an on-premises Windows Active Directory.  The user Homer Simpson has been made eligible for the Security Administrator role.

With the intro squared away, let’s get to it.

First thing I will do is navigate to the Azure Portal and authenticate as Homer Simpson.  As expected, since the user is not Azure MFA enforced, he is allowed to authenticate to the Azure Portal with just a password.  Once I’m into the Azure Portal I need to go into AAD PIM which I do from the shortcut I added to the user’s dashboard.

Navigating to the My roles section of the menu I can see that the user is eligible for the Security Administrator Azure Active Directory (AAD) role.

Selecting the Activate link opens up a new section where the user will complete the necessary steps to activate the role.  As you can see from my screenshot below, the Security Administrator role is one of the roles Microsoft considers high risk and enforces step-up authentication via Azure MFA.  Selecting the Verify your identity before proceeding link opens up another section that informs the user he or she needs to verify their identity with an MFA challenge.  If the user isn’t already configured for MFA, they will be set up for it at this stage.

Homer Simpson is already configured for MFA so after the successful response to the MFA challenge the screen refreshes and the Activation button can now be clicked.

After clicking the Activation button I enter a new section where I can configure a custom start time, configure an activation duration (up to the maximum configured for the role), provide ticketing information, and provide an activation reason.  As you can see I’ve adjusted the max duration for an activation from the default of one hour to three hours and have configured a requirement to provide a ticket number.  This could be mapped back to your internal incident or change management system.

After filling in the required information I click the Activate button, the screen refreshes back to the main request screen, and I’m informed that activation for this role requires approval.  In addition to modifying the activation and requiring a ticket number, I also configured the role to require approval.

At this point I opened an instance of Google Chrome and authenticated to Azure AD as a user who is a member of the Privileged Role Administrator role.  Opening up AAD PIM with this user, navigating to the My roles section, and looking at the Active roles shows the user is a permanent member of the Security Administrator, Global Administrator, and Privileged Role Administrator roles.

I then navigate over to the Approve requests section.  Here I can see the pending request from Homer Simpson requesting activation of the Security Administrator role.  I’m also provided with the user’s reason and start and end time.  I’d like to see Microsoft add a column for the user’s ticket number.  My approving user may want to reference the ticket for more detail on why the user is requesting the role.

At this point I select the pending request and click the Approve button.  A new section opens where I need to provide the approval reason after which I hit the Approve button.

After approving, the blue synchronization-like icon is refreshed to a green check mark indicating the approval has been processed and the user’s role is now active.

If I navigate to the My audit history section I can see the approval of Homer’s request has been logged, as well as the reasoning I provided for my approval.

If I bounce back to the Microsoft Edge browser instance that Homer Simpson is logged into and navigate to My requests, I can see that my activation has been approved and it’s now active.

At this point I have requested the role and the role has been approved by a member of the Privileged Role Administrator role.  Let’s try modifying an AIP policy.  Navigating back to Homer Simpson’s dashboard I select the Azure Information Protection icon and receive the notification below.

What happened?  Navigating to Homer Simpson’s mailbox shows the email confirming the role has been activated.

What gives?  To figure out the answer to that question, I’m going to check on the Fiddler capture I started before logging in as Homer Simpson.

In this capture I can see my browser sending my bearer token to various AIP endpoints and receiving a 401 response code with an error indicating the user isn’t a member of the Global Administrator or Security Administrator roles.

I’ll export the bearer token, base64 decode it, and stick it into Notepad.  Let’s refresh the web page and try accessing AIP again.  As we can see, AIP opens without issues this time.

At this point I dumped the bearer token from the failure and the bearer token from the success and compared the two as seen below.  The iat, nbf, and exp claims simply describe times specific to the token (issued at, not before, and expiration).  I can’t find any documentation on the aio or uti claims.  If anyone has information on those two, I’d love to see it.

I thought it would be interesting at this point to deactivate my access and see if I could still access AIP.  To deactivate a role the user simply accesses AAD PIM, goes to My Roles, and looks at the Active Roles section as seen below.

After deactivation I went back to the dashboard and was still able to access AIP.  After refreshing the browser I was unable to access AIP.  I didn’t see any obvious cookies or access tokens being created or deleted, so my guess at this point is that applications that use Azure AD or Office 365 roles have some method of receiving data from AAD PIM.  A plausible scenario is that an application receives a bearer token and queries Azure AD to see if the user is a member of one of the relevant roles for the application.  Perhaps for eligible roles there is an additional piece of information indicating the timespan for which the user has the role activated, and that time is checked against the time the bearer token was issued.  That would explain my experience above, because the bearer token my browser sent to AIP was obtained prior to activating my role.  I verified this by comparing the bearer token issued from the delegation endpoint at first login to the one sent to AIP when I tried accessing it after activation.  Only after a refresh did I obtain a new bearer token from the delegation endpoint.
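To make the token comparison above concrete, here is an added Python example (not from the original post) that decodes the payload of two captured bearer tokens without verifying their signatures, diffs their claims, and checks whether the failing token’s iat predates the role activation. The tokens, timestamps, and the upn/uti values are constructed for the demo; the same helpers work on a real token exported from Fiddler.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a JWT WITHOUT checking its signature.
    Inspection only (what Fiddler shows you); never use this for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def diff_claims(before: dict, after: dict) -> dict:
    """Claims whose values differ between two tokens; a missing claim shows as None."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}

def token_predates_activation(claims: dict, activation_epoch: int) -> bool:
    """True when the token was issued (iat) before the PIM activation completed.
    Such a token cannot reflect the newly activated role; a fresh one is required."""
    return int(claims["iat"]) < activation_epoch

def make_demo_token(payload: dict) -> str:
    """Build a CONSTRUCTED token with a dummy signature for this demo only."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{b64url_encode(b'not-a-real-signature')}"

# Constructed timeline in epoch seconds: login, activation approved, page refresh.
LOGIN_IAT = 1_530_000_000
ACTIVATION_EPOCH = LOGIN_IAT + 1_800   # role activated 30 minutes after login
REFRESH_IAT = LOGIN_IAT + 2_400        # browser refresh obtained a new token

TOKEN_BEFORE = make_demo_token({
    "iat": LOGIN_IAT, "nbf": LOGIN_IAT, "exp": LOGIN_IAT + 3_600,
    "upn": "homer.simpson@example.test", "uti": "constructed-uti-1",
})
TOKEN_AFTER = make_demo_token({
    "iat": REFRESH_IAT, "nbf": REFRESH_IAT, "exp": REFRESH_IAT + 3_600,
    "upn": "homer.simpson@example.test", "uti": "constructed-uti-2",
})

def compare_before_after() -> dict:
    """Decode both tokens, report which claims changed, and flag whether the
    failing token was simply issued before the activation took effect."""
    before = decode_jwt_claims(TOKEN_BEFORE)
    after = decode_jwt_claims(TOKEN_AFTER)
    return {
        "changed_claims": diff_claims(before, after),
        "before_predates_activation": token_predates_activation(before, ACTIVATION_EPOCH),
        "after_predates_activation": token_predates_activation(after, ACTIVATION_EPOCH),
    }

if __name__ == "__main__":
    for name, value in compare_before_after().items():
        print(name, value)
```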

Well folks that’s it for this blog entry.  If you happen to know the secret sauce behind how AAD PIM works and why it requires a refresh I’d love to hear it!  See you next post.

Exploring Azure AD Privileged Identity Management (PIM) – Part 2 – Setup

Welcome back to part 2 of my series on Azure Active Directory Privileged Identity Management (AAD PIM).  In the first post I covered the basics of the service.  If you haven’t read it yet, take a few minutes to read through it because I’ll be jumping right into using the service going forward.  In this post I’m going to cover the setup process for AAD PIM.

Before you can begin using AAD PIM, you’ll need to purchase a license that includes the capability.  As we saw in my last post, at this time that means a standalone Azure AD Premium P2 or Enterprise Mobility + Security E5 license.  Once the license is registered as being purchased by your tenant, you’ll be able to set up AAD PIM.

Your first step is to log into the Azure Portal.  After you’ve logged in you’ll want to click the Create a Resource button and search for Azure AD Privileged Identity Management.

Select the search result and the AAD PIM application will be displayed with the Create button.  Click the Create button to spin the service up for your tenant.

It will only take a few seconds and you’ll be informed the service has successfully been spun up and you’ll be given the option to add a link to your dashboard.

The global admin who added AAD PIM to the tenant will become the first member of the Privileged Role Administrator role.  This is a new role that was introduced with the service.  Members of this role are your administrators of AAD PIM and have full read and write access to it.  Beware that other global admins, security administrators, and security readers only have read access to it.  As soon as you successfully spin up the service, you’ll want to add another Privileged Role Administrator as a backup.

Upon opening AAD PIM for the first time, you’ll receive a consent page as seen below.  The consent process requires confirmation of the user’s identity using Azure MFA.  If the user isn’t enabled for it, it will be configured at this point.

After successfully authenticating with Azure MFA, the screen will update to show the status check was completed as seen below.  This is a great example of Microsoft exercising the concept of step-up authentication.  The user may have authenticated to the Azure Portal with a password or perhaps a still-valid session cookie.  By prompting for an Azure MFA challenge, the assurance that the user is the real user is that much higher, thus reducing the risk of the wrong user accessing such sensitive configuration options.

After clicking the Consent button the service becomes fully usable.  The primary menu options are displayed as seen in the picture below.  For the purpose of this post we’re going to click on the Azure AD directory roles option under the Manage section.

The Manage section of the menu is refreshed and a number of new options are displayed.  Before I jump into the Wizard, I’ll navigate through each option in the section to explain its purpose.

The Roles option gives us a view of all of the users who are members of privileged roles within Azure AD and Office 365.  The activation column shows whether the user is a permanent or eligible admin.  The expiration column shows any user that is eligible and has actively requested and been approved for temporary access to the privileged role.  As you can see from the screenshot from my test tenant, I have a number of users in the global admin role, which is a big no-no.  We’ll remediate that in a bit using the Wizard.

Selecting the Add user button brings up a new screen where new users can be configured for privileged roles.  Microsoft has done a good job of giving AAD PIM the capability of managing a multitude of Azure AD and Office 365 roles.  Adding users to roles through this tool will automatically make the user eligible for the role, rather than a permanent member as adding them through other means would.

The Filter button allows for robust filtering options including the permission state (all, eligible, permanent), activation state (all, active, or inactive), and by role.  The Refresh button’s function is obvious and the group option allows you to group the data either by user or by role.  The Review button allows you to kick off an access review which we’ll cover in a later post.  Lastly we have the Export button which exports the data to a CSV.

The Users option under the Manage section presents the same options as the Roles option except it takes a user-centric view.

The Alerts option under the Manage section displays the alerts referenced here.  You can see it is alerting me to the fact I have too many permanent global admins configured for my tenant.  I also have the option to run a manual scan rather than waiting on the next automatic scan.

The Access Reviews option under the Manage section is used to create new access reviews.  I’ll cover the capability in a future post.

Skipping over the Wizard option for a moment, we have the Settings option.  Here we can configure a variety of settings for roles, alerts, and access reviews.

Let’s dig into the settings for roles first.

Here we can configure the default settings for all roles as well as settings specific to one role.  When a user successfully activates a privileged role, the membership in that role is time bound with a default of one hour.  If after doing some baselining we find one hour is insufficient, we could bump it up to something higher.  We can also configure notifications to notify administrators of activation of a role.  There is also the option to require an incident or request reference that may map back to an internal incident management or request management system.  Azure MFA can be required when a user activates a role.  You’ll want to be aware that the MFA setting is automatically enforced for roles Microsoft views as critical such as global administrator.

Finally we have the option to require an approval.  If you’ve played around with AAD PIM since preview, you may remember the approval workflow.  For some reason the product team removed it when AAD PIM originally went generally available.  This effectively meant users could elevate their access whenever they wanted.  Sure, they weren’t permanent members, but there were no checks and balances.  For organizations with a high security posture it made AAD PIM of little value and forced the on-demand management of privileged roles to be done using complicated PowerShell scripts or third-party tools that were integrated with the Graph API.  It’s wonderful to see the product team has responded to customer feedback and added the feature back.

Toggling to Enable for the require approval option adds a section where you can select approvers for requests for the role.

Moving on to the Alerts settings we have the ability to configure parameters for some of the alerting as can be seen from the examples below.

The default values for the configurable thresholds around the “There are too many global administrators” alert should be a good wake-up call to organizations as to the risk Microsoft associates with global admin access.  The thresholds for the “Roles are being activated too frequently” alert should be left at the default until the behavior of your user base is better understood.  This will help you to identify deviations from standard behavior indicating a possible threat, as well as to identify opportunities to improve the user experience by bumping up the activation time span for users holding privileged roles for whom the hour-long default activation time is insufficient.

Lastly we have the Access Review settings.  Here we can enable or disable mail notifications to reviewers at the beginning and end of an access review.  Reminders can also be sent to reviewers if they have not completed a review they are a part of.  A very welcome feature is the ability to require reviewers to provide reasons for approvals in a review.  This can be helpful to capture business requirements as to why a user needs continued access to a role.  Finally, the default access review duration can be adjusted.

Now on to the Wizard.  The Wizard is a great tool to use when you first configure AAD PIM in order to get it up and running and begin capturing behavioral patterns.  The steps within the Wizard are outlined below.

The Discover privileged roles step displays a simple summary of the privileged roles in use and the number of permanent and eligible users.  We can see from the screenshot below that my tenant has exceeded either the 3 global admins or the greater than 10% of users default thresholds for the “There are too many global admins” alert.  Selecting any of the roles displays a listing of the users holding permanent or eligible membership in the role.

Clicking the Next button brings us to the “Convert users to eligible” step where we can begin converting permanent members to eligible members.  From a best practices perspective, you should ensure you keep at least two permanent members in the Privileged Role Administrator role to avoid being locked out if one account becomes unavailable.  You can see that I’m making Ash Williams and Jason Voorhies eligible members of the global admins role.

After clicking the Next button I’m moved to the “Review the changes to your users in the privileged roles” step.  I commit the changes by hitting the OK button and my two users are now set up as eligible members of the roles.

As you’ve seen throughout the post AAD PIM is incredibly easy to configure.  I firmly believe that the only successful security solutions moving forward will be solutions that are simple to use and transparent to the users.  These two traits will allow security professionals to focus less of their time on convoluted solutions and more time working directly with the business to drive real value to the organization.

I’m going to start something new with a quick bulleted list of key learning points that I came across while performing the lab and doing the research for the post.

  • AAD PIM can be configured after the first Azure AD Premium P2 or EMS E5 license is associated with the tenant
  • Be aware that at this time Microsoft does not enforce a technical control to prevent all users from benefiting from PIM but the licensing requirements require an individual license for each user benefitting from the feature.  Make sure you’re compliant with the licensing requirements and don’t build processes around what technical controls exist today. They will change.
  • Once AAD PIM is activated by the first global admin, immediately assign a second user permanent membership in the Privileged Role Administrators role.

That’s it folks.  In the next post in my series I’ll take a look at what the user experience is like for a requestor and approver.  I’ll also look at some Fiddler captures to see if I can capture any detail as to how/if the modified privileges are reflected in the logical security token.

Thanks!

The Evolution of AD RMS to Azure Information Protection – Part 1

Collaboration.  It’s a term I hear at least a few times a day when speaking to my user base.  The ability to seamlessly collaborate with team members, across the organization, with trusted partners, and with customers is a must.  It’s a driving force behind much of the evolution of software-as-a-service collaboration offerings such as Office 365.  While the industry is evolving to make collaboration easier than ever, it’s also introducing significant challenges for organizations to protect and control their data.

In a recent post I talked about Microsoft’s entry into the cloud access security broker (CASB) market with Cloud App Security (CAS) and its capability to provide auditing and alerting on activities performed in Amazon Web Services (AWS).  Microsoft refers to this collection of features as the Investigate capability of CAS.  Before I cover an example of the Control features in action, I want to talk about the product that works behind the scenes to provide CAS with many of the Control features.

That product is Azure Information Protection (AIP) and it provides the capability to classify, label, and protect files and email.  The protection piece is provided by another Microsoft product, Azure Active Directory Rights Management Services (Azure RMS).  Beyond just encrypting a file or email, Azure RMS can control what a user can do with a file such as preventing a user from printing a document or forwarding an email.  The best part?  The protection goes with the data even when it leaves your security boundary.

For those of you that have read my blog you can see that I am a huge fanboy of the predecessor to Azure RMS, Active Directory Rights Management Services (AD RMS, previously Rights Management Service or RMS for you super nerds).  AD RMS has been a role available in Microsoft Windows Server since Windows Server 2003.  It was a product well ahead of its time that unfortunately never really caught on.  Given my love for AD RMS, I thought it would be really fun to do a series looking at how AIP has evolved from AD RMS.   It’s a dramatic shift from a rather unknown product to a product that provides capabilities that will be as standard and as necessary as Antivirus was to the on-premises world.

I built a pretty robust lab environment (two actually) so that I could demonstrate the different ways the solutions work as well as what it looks like to migrate from AD RMS to AIP.  Given the complexity of the lab environment, I’m going to take this post to cover what I put together.

The layout looks like this:

On the modern end I have an Azure AD tenant with the custom domain geekintheweeds.com assigned.  Attached to the tenant I have some Office 365 E5 and Enterprise Mobility + Security E5 trial licenses.  For the legacy end I have two separate labs set up in Azure, each within its own resource group.  Lab number one contains three virtual machines (VMs) that run a series of services including Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), AD RMS, and Microsoft SQL Server Express.  Lab number two contains four VMs that run the same set of services as Lab 1 in addition to Active Directory Federation Services (AD FS) and Azure Active Directory Connect (AADC).  The virtual network (vnet) within each resource group has been peered, and both resource groups contain a virtual gateway which has been configured with a site-to-site virtual private network (VPN) back to my home Hyper-V environment.  In the Hyper-V environment I have two workstations.

Lab 1 is my “legacy” environment and consists of servers running Windows Server 2008 R2 and Windows Server 2012 R2 (AD RMS hasn’t changed in any meaningful manner since 2008 R2) and a client running Windows 7 Pro with Office 2013.  The DNS namespace for its Active Directory forest is JOG.LOCAL.  Lab 2 is my “modern” environment and consists of servers running Windows Server 2016 and a Windows 10 client running Office 2016.  It uses a DNS namespace of GEEKINTHEWEEDS.COM for its Active Directory forest and is synchronized with the Azure AD tenant I mentioned above.  AD FS provides SSO to Office 365 for Geek in The Weeds users.

For AD RMS configuration, both environments will initially use Cryptographic Mode 1 and will have a trusted user domain (TUD).  SQL Server Express will host the AD RMS database and I will store the cluster key locally within the database.  The use of a TUD will make the configuration a bit more interesting for reasons you’ll see in a future post.

Got all that?

In my next post I’ll cover how the architecture changes when migrating from AD RMS to Azure Information Protection.