AWS Managed Microsoft AD Deep Dive Part 1 – Overview

Posted on August 20, 2018 by mattfeltonma

Welcome back my fellow geeks!

Earlier this year I did a deep dive into Microsoft’s managed Active Directory service, Microsoft Azure Active Directory Domain Services (AAD DS). I found was a service in its infancy and showing some promise, but very far from being an enterprise-ready service. I thought it would be fun to look at Amazon’s (which I’ll refer to as Amazon Web Services (AWS) for the rest of the entries in this series) take on a managed Microsoft Active Directory (or as Microsoft is referring to it these days Windows Active Directory).

Unless your organization popped up in the last year or two and went the whole serverless route you are still managing operating systems that require centralized authentication, authorization, and configuration management. You also more than likely have a ton of legacy/classic on-premises applications that require legacy protocols such as Kerberos and LDAP. Your organization is likely using Windows Active Directory (Windows AD) to provide these capabilities along with Windows AD’s basic domain name system (DNS) service and centralized identity data store.

It’s unrealistic to assume you’re going to shed all those legacy applications prior to beginning your journey into the public cloud. I mean heck, shedding the ownership of data centers alone can be a huge cost driver. Organizations are then faced with the challenge of how to do Windows AD in the public cloud. Is it best to extend an existing on-premises forest into the public cloud? What about creating a resource forest with a trust? Or maybe even a completely new forest with no trust? Each of these options have positives and negatives that need to be evaluated against organizational requirements across the business, technical, and legal arenas.

Whatever choice you make, it means additional infrastructure in the form of more domain controllers. Anyone who has managed Windows AD in an enterprise knows how much overhead managing domain controllers can introduce. Let me clarify that by managing Windows AD, it does not mean opening Active Directory Users and Computers (ADUC) and creating user accounts and groups. I’m talking about examining performance monitor AD counters and LDAP Debug logs to properly size domain controllers, configuring security controls to comply with PCI and HIPAA requirements or aligning with DISA STIGS, managing updates and patches, and troubleshooting the challenges those bring which requires extensive knowledge of how Active Directory works. In this day an age IT staff need to be less focused on overhead such as this and more focused on working closely with its business units to drive and execute upon business strategy. That folks is where managed services shine.

AWS offers an extensive catalog of managed services and Windows AD is no exception. Included within the AWS Directory Services offerings there is a powerful offering named Amazon Web Services Directory Service for Microsoft Active Directory, or more succinctly AWS Managed Microsoft AD. It provides all the wonderful capabilities of Windows AD without all of the operational overhead. An interesting fact is that the service has been around since December 2015 in comparison to Microsoft’s AAD DS which only went into public preview at in 3rd Q 2017. This head start has done AWS a lot of favors and in this engineer’s opinion, has established AWS Managed Microsoft AD as the superior managed Windows AD service over Microsoft’s AAD DS. We’ll see why as the series progresses.

Over the course of this series I’ll be performing a similar analysis as I did in my series on Microsoft AAD DS. I’ll also be examining the many additional capabilities AWS Managed Microsoft AD provides and demoing some of them in action. My goal is that by the end of this series you understand the technical limitations that come with the significant business benefits of leveraging a managed service.

See you next post!

Azure AD Password Protection – Hybrid Deep Dive

Posted on June 24, 2018 by mattfeltonma

Welcome back fellow geeks. Today I’m going to be looking at a brand new capability Microsoft announced entered public preview this week. With the introduction of Hybrid Azure Active Directory Password Protection Microsoft continues to extend the protection it has based into its Identity-as-a-Service (IDaaS) offering Azure Active Directory (AAD).

If you’ve administered Windows Active Directory (AD) in an environment with a high security posture, you’re very familiar with the challenges of ensuring the use of “good” passwords. In the on-premises world we’ve typically used the classic Password Policies that come out of the box with AD which provide the bare minimum. Some of you may even have leveraged third-party password filters to restrict the usage of commonly used passwords such as the classic “P@$$w0rd”. While the third-party add-ins filled a gap they also introduce additional operational complexity (Ever tried to troubleshoot a misbehaving password filter? Not fun) and compatibility issues. Additionally the filters that block “bad” passwords tend to use a static data set or a data set that has to be manually updated and distributed.

In comes Microsoft’s Hybrid Azure Active Directory Password Protection to save the day. Here we have a solution that comes directly from the vendor (no more third-party nightmares) that uses the power of telemetry and security data collected from Microsoft’s cloud to block the use of some of the most commonly used passwords (extending that even further with the use of fuzzy logic) as well as custom passwords you can provide to the service yourself. In a refreshing turn of events, Microsoft has finally stepped back from the insanity (yes I’m sorry it’s insanity for most organizations) of requiring Internet access on your domain controllers.

After I finished reading the announcement this week I was immediately interested in taking a peek behind the curtains on how the solution worked. Custom password filters have been around for a long time, so I’m not going to focus on that piece of the solution. Instead I’m going to look more closely at two areas, deployment and operation of the solution. Since I hate re-creating existing documentation (and let’s face it, I’m not going to do it nearly as well as those who do it for a living) I’ll be referencing back to Microsoft documentation heavily during this post so get your dual monitors powered up.

I’ll be using my Geek In The Weeds tenant for this demonstration. The tenant is synchronized and federated with AAD with Azure Active Directory Connect (AADC) and Active Directory Federation Services (AD FS). The tenant is equipped with some Office 365 E5 and Enterprise Mobility+Security E5 licenses. Since I’ll need some Windows Servers for this, I’ll be using the lab seen in the diagram below.

The first thing I needed to do was verify that my AAD tenant was configured for Azure Active Directory Password Protection. For that I logged into the portal as a global administrator and selected the Azure Active Directory blade. Scrolling down to the Security section of the menu shows an option named Authentication Methods.

After selecting the option a new blade opens with only one menu item, Password Protection. Since it’s the option there, it opens right up. Here we can see the configuration options available for Azure Active Directory Password Protection and Smart Lockout. Smart Lockout is at this time a feature specific to AAD so I’m not going to cover it. You can read more about that feature in the Microsoft announcement. The three options that we’re interested in for this post are within the Custom Banned Passwords and Password protection for Windows Server Active Directory.

The custom banned passwords section allows organizations to add additional blocked passwords beyond the ones Microsoft provides. This is helpful if organizations have a good grasp on their user’s behavior and have some common words they want to block to keep users from creating passwords using those words. Right now it’s limited to 1000 words with one word per line. You can copy and paste from a another document as long as what you paste is a single word per line.

I’d like to see Microsoft lift the cap of 1000 words as well as allowing for programmatic updating of this list. I can see some real cool opportunities if this is combined with telemetry obtained from on-premises. Let’s say the organization has some publicly facing endpoints that use a username and password for authentication. That organization could capture the passwords used during password spray and brute force attacks, record the number of instances of their use, and add them to this list as the number of instances of those passwords reach certain thresholds. Yes, I’m aware Microsoft is doing practically the same thing (but better) in Azure AD, but not everything within an organization uses Azure AD for authentication. I’d like to see Microsoft allow for programmatic updates to this list to allow for such a use case.

Let’s enter two terms in the custom banned password list for this demonstration. Let’s use geekintheweeds and journeyofthegeek. We’ll do some testing later to see if the fuzzy matching capabilities extend to the custom banned list.

Next up we configuration options have Password protection for Windows Server Active Directory. This is will be my focus. Notice that the Enable password protection on Windows Server Active Directory option is set to Yes by default. This option is going to control whether or not I can register the Azure AD Password Protection proxy service to Azure AD as you’ll see later in the post. For now let’s set to that to No because it’s always interesting to see how things fail.

I’m going to leave Mode option at Audit for now. This is Microsoft’s recommendation out of the gates. It will give you time to get a handle on user behavior to determine how disruptive this will be to the user experience, give you an idea as to how big of a security issue this is for your organization, as well as giving you an idea as to the scope of communication and education you’ll need to do within your organization.

There are two components we’ll need to install within on-premises infrastructure. On the domain controllers we’ll be installing the Azure AD Password Protection DC Agent Service and the DC Agent Password Filter dynamic-link library (DLL). On the member server we’ll be installing the Azure AD Password Protection Proxy Service. The Microsoft documentation explains what these two services do at a high level. In short, the DC Agent Password Filter functions like any other password filter and captures the clear text password as it is being changed. It sends the password to the DC Agent Service which validates the password according to the locally cached copy of password policy that it has gotten from Azure AD. The DC Agent Service also makes requests for new copies of the password policy by sending the request to the Proxy Service running on the member server which reaches out to Azure AD on the Agent Service’s behalf. The new policies are stored in the SYSVOL folder so all domain controllers have access to them. I sourced this diagram directly from Microsoft, so full credit goes to the product team for producing a wonderful visual representation of the process.

The necessary installation files are sourced from the Microsoft Download Center. After downloading the two files I distributed the DC Agent to my sole domain controller and the Proxy Service file to the member server.

Per Microsoft instructions we’ll be installing the Proxy Service first. I’d recommend installing multiple instances of the Proxy Service in a production environment to provide for failover. During the public preview stage you can deploy a maximum of two proxy agents.

The agent installation could be pushed by your favorite management tool if you so choose. For the purposes of the blog I’ll be installing it manually. Double-clicking the MSI file initiates the installation as seen below.

The installation takes under a minute and then we receive confirmation the installation was successful.

Opening up the Services Microsoft Management Console (MMC) shows the new service having been registered and that it is running. The service runs as Local System.

Before I proceed further with the installation I’m going to startup Fiddler under the Local System security context using PSEXEC. For that we open an elevated command prompt and run the command below. The -s parameter opens the application under the LOCAL SYSTEM user context and the -i parameter makes the window interactive.

Additionally we’ll setup another instance of Fiddler that will run under the user’s security context that will be performing the PowerShell cmdlets below. When running multiple instances of Fiddler different ports needs to be used so agree to the default port suggested by Fiddler and proceed.

Now we need to configure the agent. To do that we’ll use the PowerShell module that is installed when the proxy agent is installed. We’ll use a cmdlet from the module to register the proxy with Azure Active Directory. We’ll need a non-MFA enforced (public preview doesn’t support MFA-enforced global admins for registration) global admin account for this. The account running the command also needs to be a domain administrator in the Active Directory domain (we’ll see why in a few minutes).

The cmdlet successfully runs. This tells us the Enable password protection on Windows Server Active Directory option doesn’t prevent registration of the proxy service. If we bounce back to the Fiddler capture we can see a few different web transactions.

First we see a non-authenticated HTTP GET sent to https://enterpriseregistration.windows.net/geekintheweeds.com/discover?api-version=1.6. For those of you familiar with device registration, this endpoint will be familiar. The endpoint returns a JSON response with a variety of endpoint information. The data we care about is seen in the screenshot below. I’m not going to bother hiding any of it since it’s a publicly accessible endpoint.

Breaking this down we can see a security principal identifier, a resource identifier indicating the device registration service, and a service endpoint which indicates the Azure Active Directory Password Protection service. What this tells us is Microsoft is piggybacking off the existing Azure Active Directory Device Registration Service for onboarding of the proxy agents.

Next up an authenticated HTTP POST is made to https://enterpriseregistration.windows.net/aadpasswordpolicy/<tenantID>/proxy?api-version=1.0. The bearer token for the global admin is used to authenticate to the endpoint. Here we have the Proxy Service posting a certificate signing request (CSR) and providing its fully qualified domain name (FQDN). The request for a CSR tells us the machine must have provisioned a new private/public key pair and once this transaction is complete we should have a signed certificate identifying the proxy.

The endpoint responds with a JSON response.

If we open up and base64 decode the value in the SignedProxyCertificateChain we see another signed JSON response. Decoding the response and dropping it into Visual Studio shows us three attributes of note, TenantID, CreationTime, and the CertificateChain.

Dropping the value of the CertificateChain attribute into Notepad and saving it as a certificate yields the result below. Note the alphanumeric string after the AzureADBPLRootPolicyCert in the issued to section below.

My first inclination after receiving the certificate was to look into the machine certificate stores. I did that and they were empty. After a few minutes of confusion I remembered the documentation stating the registration of the proxy is a onetime activity and that it was mentioned it requires domain admin in the forest root domain and a quick blurb about a service connection point (SCP) and that it needed to be done once for a forest. That was indication enough for me to pop open ADSIEDIT and check out the Configuration directory partition. Sure enough we see that a new container has been added to the CN=Services container named Azure AD Password Protection.

Within the container there is a container named Forest Certs and a service connection point named Proxy Presence. At this point the Forest Certs container is empty and the object itself doesn’t have any interesting attributes set. The Proxy Presence service connection point equally doesn’t have any interesting attributes set beyond the keywords attribute which is set to an alphanumeric string of 636652933655882150_5EFEAA87-0B7C-44E9-B25C-4F665F2E0807. Notice the bolded part of the string has the same pattern as the what was in the certificate included in the CertificateChain attribute. I tried deleting the Azure AD Password Protection container and re-registering to see if these two strings would match, but they didn’t. So I’m not sure what the purpose of that string is yet, just that it probably has some relationship to the certificate referenced above.

The next step in the Proxy Service configuration process is to run the Register-AzureADPasswordProtectionForest cmdlet. This cmdlet again requires the Azure identity being used is a member of the global admins role and that the security principal running the cmdlet has membership in the domain administrators group. The cmdlet takes a few seconds to run and completes successfully.

Opening up Fiddler shows additional conversation with Azure AD.

Session 12 is the same unauthenticated HTTP GET to the discovery endpoint that we saw above. Session 13 is another authenticated HTTP POST using the global admin’s bearer token to same endpoint we saw after running the last cmdlet. What differs is the information posted to the endpoint. Here we see another CSR being posted as well as providing the DNS name, however the attributes are now named ForestCertificateCSR and ForestFQDN.

The endpoint again returns a certificate chain but instead using the attribute SignedForestCertificateChain.

The contents of the attribute look very similar to what we saw during the last cmdlet.

Grabbing the certificate out of the CertificateChain attribute, pasting it into Notepad, and saving as a certificate yields a similar certificate.

Bouncing back to ADSIEDIT and refreshing the view I saw that the Proxy Presence SCP didn’t change. We do see a new SCP was created under the Forest Certs container. Opening up the SCP we have a keywords attribute of {DC7F004B-6D59-46BD-81D3-BFAC1AB75DDB}. I’m not sure what the purpose of that is yet. The other attribute we now have set is the msDS-Settings attribute.

Editing the msDS-Settings attribute within the GUI shows that it has no values which obviously isn’t true. A quick Google search on the attribute shows it’s up to the object to store what it wants in there.

Because I’m nosey I wanted to see the entirety of the attribute so in comes PowerShell. Using a simple Get-ADObject query I dumped the contents of the attribute to a text file.

The result is a 21,000+ character string. We’ll come back to that later.

At this point I was convinced there was something I was missing. I started up WireShark, put a filter on to capture LDAP and LDAPS traffic and I restarted the proxy service. LDAP traffic was there alright over port 389 but it was encrypted via Kerberos (Microsoft’s typical habit). This meant a packet capture wouldn’t give me what I wanted so I needed to be a bit more creative. To get around the encryption I needed to capture the LDAP queries on the domain controller as they were processed. To do that I used a script. The script is quite simple in that it enables LDAP debug logging for a specific period of time with settings that capture every query made to the device. It then parses the event log entries created in the Directory Services Event Log and creates a pipe-delimited file.

The query highlighted in red is what caught my eye. Here we can see the service for performing an LDAP query against Active Directory for any objects one level under the GIWSERVER5 computer object and requesting the properties of objectClass, msds-settings, and keywords attributes. Let’s replicate that query in PowerShell and see what the results look like.

The results, which are too lengthy to paste here are there the computer object has two service connection point objects. Here is a screenshot from the Active Directory Users and Computers MMC that makes it a bit easier to see.

In the keywords attribute we have a value of {EBEFB703-6113-413D-9167-9F8DD4D24468};Domain=geekintheweeds.com. Again, I’m not sure what the purpose of the keyword attribute value is. The msDS-Settings value is again far too large to paste. However, when I dump the value into the TextWizard in Fiddler and base64 decode it, and dump it into Visual Studio I have a pretty signed JSON web token.

If we grab the value in the x509 Certificate (x5c) header and save it to a certificate, we see it’s the signed using the same certificate we received when we registered the proxy using the PowerShell cmdlets mentioned earlier.

Based upon what I’ve found in the directory, at this point I’m fairly confident the private key for the public private key pair isn’t saved within the directory. So my next step was to poke around the proxy agent installation directory of

C:\Program Files\Azure AD Password Protection Proxy\. I went directly to the logs directory and saw the following logs.

Opening up the most recent RegisterProxy log shows a line towards the bottom which was of interest. We can see that the encrypted proxy cert is saved to a folder on the computer running the proxy agent.

Opening the \Data directory shows the following three ppfxe files. I’ve never come across a ppfxe file extension before so I didn’t have a way of even attempting to open it. A Google search on the file extension comes up with nothing. I can only some it is some type of modified PFX file.

Did you notice the RegisterForest log file in the screenshot above? I was curious on that one so I popped it open. Here were the lines that caught my eye.

Here we can see the certificate requested during the Register-AzureADPasswordProtectForest cmdlet had the private key merged back into the certificate, then it was serialized to JSON, encoded in UTF8, encrypted, base64 encoded, and written to the directory to the msDS-Settings attribute. That jives with what we observed earlier in that dumping that attribute and base-64 decoding it gave us nothing decipherable.

Let’s summarize what we’ve done and what we’ve learned at this point.

The Azure Active Directory Password Protection Proxy Service has been installed in GIWSERVER5.
The cmdlet Register-AzureADPasswordProtectionProxy was run successfully.
When the Register-AzureADPasswordProtectionProxy was run the following actions took place:
- GIWSERVER5 created a new public/private keypair
- Proxy service performs discovery against Azure AD to discover the Password Protection endpoints for the tenant
- Proxy service opened a connection to the Password Protection endpoints for the tenant leveraging the capabilities of the Azure AD Device Registration Service and submits a CSR which includes the public key it generated
- The endpoint generates a certificate using the public key the proxy service provided and returns this to the proxy service computer
- The proxy service combines the private key with the public key certificate and saves it to the C:\Program Files\Azure AD Password Protection Proxy\Data directory as a PPFXE file type
- The proxy service connects to Windows Active Directory domain controller over LDAP port 389 using Kerberos for encryption and creates the following containers and service connection points:
- - CN=Azure AD Password Protection,CN=Configuration,DC=XXX,DC=XXX
- - CN=Forest Certs,CN=Azure AD Password Protection,CN=Configuration,DC=XXX,DC=XXX
- - - Writes keyword attribute
- - CN=Proxy Presence,CN=Azure AD Password Protection,CN=Configuration,DC=XXX,DC=XXX
- - CN=AzureADPasswordProtectionProxy,CN=GIWSERVER5,CN=Computers,DC=XXX,DC=XXX
- - - Writes signed JSON Web Token to msDS-Settings attribute for
- - - Writes keyword attribute (can’t figure out what this does yet)
The cmdlet Register-AzureADPasswordProtectionForest was run successfully
When the Register-AzureADPasswordProtectionForest was run the following actions took place:
- GIWSERVER5 created a new public/private keypair
- Proxy service performs discovery against Azure AD to discover the Password Protection endpoints for the tenant
- Proxy service opened a connection to the Password Protection endpoints for the tenant leveraging the capabilities of the Azure AD Device Registration Service and submits a CSR which includes the public key it generated
- The endpoint generates a certificate using the public key the proxy service provided and returns this to the proxy service computer
- The proxy service combines the private key with the public key certificate and saves it to the C:\Program Files\Azure AD Password Protection Proxy\Data directory as a PPFXE file type
- The proxy service connects to Windows Active Directory domain controller over LDAP port 389 using Kerberos for encryption and creates the following containers:
- - CN=<UNIQUE IDENTIFIER>,CN=Forest Certs,CN=Azure AD Password Protection,CN=Configuration,DC=XXX,DC=XXX
- - - Writes to msDS-Settings the encoded and encrypted certificate it received back from Azure AD including the private key
- - - Writes to keyword attribute (not sure on this one either)

Based upon observation and review of the logs the proxy service creates when registering, I’m fairly certain the private key and certificate provisioned during the Register-AzureADPasswordProtectionProxy cmdlet is used by the proxy to make queries to Azure AD for updates on the banned passwords list. Instead of storing the private key and certificate in the machine’s certificate store like most applications do, it stores them in a PPFXE file format. I’m going to assume there is some symmetric key stored someone on the machine that is used to unlock the use of that information, but I couldn’t determine it with Rohitab API Monitor or Sysinternal Procmon.

I’m going to theorize the private key and certificate provisioned during the Register-AzureADPasswordProtectionForest cmdlet is going to be used by the DC agents to communicate with the proxy service. This would make sense because the private key and certificate are stored in the directory and it would make for easy access by the domain controllers. In my next post I’ll do a deep dive into the DC agent so I’ll have a chance to get more evidence to determine if the theory holds.

On a side note, I attempted to capture the web traffic between the proxy service and Azure AD once the service was installed and registered. Unfortunately the proxy service doesn’t honor the system proxy even when it’s configured in the global machine.config. I confirmed that the public preview of the proxy service doesn’t support the usage of a web proxy. Hopefully we’ll see that when it goes general availability.

Have a great week.

Exploring Azure AD Privileged Identity Management (PIM) – Part 3 – Deep Dive

Posted on June 6, 2018 by mattfeltonma

Welcome back fellow geeks to my third post on my series covering Azure AD Privileged Identity Management (AAD PIM). In my first post I provided an overview of the service and in my second post I covered the initial setup and configuration of PIM. In this post we’re going to take a look at role activation and approval as well as looking behind the scenes to see if we can figure out makes the magic of AAD PIM work.

The lab I’ll be using consists of a non-domain joined Microsoft Windows 10 Professional version 1803 virtual machine (VM) running on Hyper V on my home lab. The VM has a local user configured that is a member of the Administrators group. I’ll be using Microsoft Edge and Google Chrome as my browsers and running Telerik’s Fiddler to capture the web conversation. The users in this scenario will be sourced from the Journey Of The Geek tenant and one will be licensed with Office 365 E5 and EMS E5 and the other will be licensed with just EMS E5. The tenant is not synchronized from an on-premises Windows Active Directory. The user Homer Simpsons has been made eligible for the Security Administrators role.

With the intro squared away, let’s get to it.

First thing I will do is navigate to the Azure Portal and authenticate as Homer Simpson. As expected, since the user is not Azure MFA enforced, he is allowed to authenticate to the Azure Portal with just a password. Once I’m into the Azure Portal I need to go into AAD PIM which I do from the shortcut I added to the user’s dashboard.

Navigating to the My roles section of the menu I can see that the user is eligible to for the Security Administrator Azure Active Directory (AAD) role.

Selecting the Activate link opens up a new section where the user will complete the necessary steps to activate the role. As you can see from my screenshot below, the Security Administrator role is one of the roles Microsoft considers high risk and enforces step-up authentication via Azure MFA. Selecting the Verify your identity before proceeding link opens up another section that informs the user he or she needs to verify the identity with an MFA challenge. If the user isn’t already configured for MFA, they will be setup for it at this stage.

Homer Simpson is already configured for MFA so after the successful response to the MFA challenge the screen refreshes and the Activation button can now be clicked.

After clicking the Activation button I enter a new section where I can configure a custom start time, configuration an activation duration (up to the maximum configured for the Role), provide ticketing information, and provide an activation reason.. As you can see I’ve adjusted the max duration for an activation from the default of one hour to three hours and have configured a requirement to provide a ticket number. This could be mapped back to your internal incident or change management system.

After filling in the required information I click the Activate button, the screen refreshes back to the main request screen, and I’m informed that activation for this role requires approval. In addition to modifying the activation and requiring a ticket number, I also configured the role to require approval.

At this point I opened an instance of Google Chrome and authenticated to Azure AD as a user who is in the privileged role administrator role. Opening up AAD PIM with this user and navigating to the My roles section and looking at the Active roles shows the user is a permanent member of the Security Administrators, Global Administrators, and Privileged Role Administrators roles.

I then navigate over to the Approve requests section. Here I can see the pending request from Homer Simpson requesting activation of the Security Administrator role. I’m also provided with the user’s reason and start and end time. I’d like to see Microsoft add a column for the user’s ticket number. My approving user may want to reference the ticket for more detail on why the user is requesting the role

At this point I select the pending request and click the Approve button. A new section opens where I need to provide the approval reason after which I hit the Approve button.

After approving the blue synchronization-like image is refreshed to a green check box indicating the approval has been process and the user’s role is now active.

If I navigate to My audit history section I can see the approval of Homer’s request has been logged as well as the reasoning I provided for my approval.

If I bounce back to the Microsoft Edge browser instance that Homer Simpsons is logged into and navigate to the My requests and I can see that my activation has been approved and it’s now active.

At this point I have requested the role and the role has been approved by a member of the Privileged Role Administrators role. Let’s try modifying an AIP Policy. Navigating back to Homer Simpsons dashboard I select the Azure Information Protection icon and receive the notification below.

What happened? Navigating to Homer Simpsons mailbox shows the email confirming the role has been activated.

What gives? To figure out the answer to that question, I’m going to check on the Fiddler capture I started before logging in as Homer Simpson.

In this capture I can see my browser sending my bearer token to various AIP endpoints and receiving a 401 return code with an error indicating the user isn’t a member of the Global Administrators or Security Administrators roles.

I’ll export the bearer token, base64 decode it and stick it into Notepad. Let’s refresh the web page and try accessing AIP again. As we can see AIP opens without issues this time.

At this point I dumped the bearer token from the failure and the bearer token from a success and compared the two as seen below. The IAT, NBF, and EXP are simply speak to times specific to the claim. I can’t find any documentation on the aio or uti claims. If anyone has information on those two, I’d love to see it.

I thought it would be interesting at this point to deactivate my access and see if I could still access AIP. To deactivate a role the user simply accesses AAD PIM, goes to My Roles and looks the Active Roles section as seen below.

After deactivation I went back to the dashboard and was still able to access AIP. After refreshing the browser I was unable to access AIP. Since I didn’t see any obvious cookies or access tokens being created or deleted. My guess at this point is applications that use Azure AD or Office 365 Roles have some type of method of receiving data from AAD PIM. A plausible scenario would be an application receives a bearer token, queries Azure AD to see if the user is in one a member of the relevant roles for the application. Perhaps for eligible roles there is an additional piece of information indicating the timespan the user has the role activated and that time is checked against the time the bearer token was issued. That would explain my experience above because the bearer token my browser sent to AIP was obtained prior to activating my role. I verified this by comparing the bearer token issued from the delegation point at first login to the one sent to AIP after I tried accessing it after activation. Only after a refresh did I obtain a new bearer token from the delegation endpoint.

Well folks that’s it for this blog entry. If you happen to know the secret sauce behind how AAD PIM works and why it requires a refresh I’d love to hear it! See you next post.

Exploring Azure AD Privileged Identity Management (PIM) – Part 2 – Setup

Posted on May 29, 2018 by mattfeltonma

Welcome back to part 2 of my series on Azure Active Directory Privileged Identity Management (AAD PIM). In the first post I covered the basics of the service. If you haven’t read it yet, take a few minutes to read through it because I’ll be jumping right into using the service going forward. In this post I’m going to cover the setup process for AAD PIM.

Before you can begin using AAD PIM, you’ll need to purchase a license that includes the capability. As we saw in my last post, at this time that means a standalone Azure AD Premium P2 or Enterprise Mobility + Security E5 license. Once the license is registered as being purchased by your tenant, you’ll be able to setup AAD PIM.

Your first step is to log into the Azure Portal. After you’ve logged in you’ll want to click the Create a Resource button and search for Azure AD Privileged Identity Management.

Select the search result and AAD PIM application will be displayed with the Create button. Click the create button to spin the service up for your tenant.

It will only take a few seconds and you’ll be informed the service has successfully been spun up and you’ll be given the option to add a link to your dashboard.

The global admin who added AAD PIM to the tenant will become the first member of the Privileged Role Administrator role. This is a new role that was introduced with the service. Members of this role are your administrators of AAD PIM and has full read and write access to it. Beware that other global admins, security administrators, and security readers only have read access to it. As soon as you successfully spin up the service, you’ll want to add another Privileged Role Administrator as a backup.

Upon opening AAD PIM for the first time, you’ll receive a consent page as seen below. The consent process requires confirmation of the user’s identity using Azure MFA. If the user isn’t enabled for it, it will be configured at this point.

After successfully authenticating with Azure MFA. The screen will update to show the status check was completed as seen below. This is a great example of Microsoft exercising the concept of step-up authentication. The user may have authenticated to the Azure Portal with a password or perhaps a still-valid session cookie. By prompting for an Azure MFA challenge the assurance of the user being the real user is that much higher thus reducing the risk of the user accessing such sensitive configuration options.

After clicking the Consent button the service becomes fully usable. The primary menu options are displayed as seen in the picture below. For the purpose of this post we’re going to click on the Azure AD directory roles option under the Manage section.

The Manage section of the menu is refreshed and a number of new options are displayed. Before I jump into the Wizard, I’ll navigate through each option in the section to explain its purpose.

The Roles option gives us a view of all of the users who are members of privileged roles within Azure AD and Office 365. In the activation column it’s shown as to whether or not the user is a permanent or eligible admin. The expiration column shows any user that is eligible and has actively requested and been approved for temporary access to the privileged role. As you can see from my screenshot from my test tenant I have a number of users in the global admin roles which is a big no no. We’ll remediate that in a bit using the Wizard.

Selecting the Add user button brings up a new screen where new users can be configured for privileged roles. Microsoft has done a good job of giving AAD PIM the capability of managing a multitude of Azure AD and Office 365 roles. Adding users to roles through this tool will make automatically make the user an eligible for the role rather than a permanent member like through other means would.

The Filter button allows for robust filtering options including the permission state (all, eligible, permanent), activation state (all, active, or inactive), and by role. The Refresh button’s function is obvious and the group option allows you to group the data either by user or by role. The Review button allows you to kick off an access review which we’ll cover in a later post. Lastly we have the Export button which exports the data to a CSV.

The Users option under the Manage section presents the same options as the Roles option except it takes a user-centric view.

The Alerts option under the Manage section displays the alerts referenced here. You can see it is alerting me to the fact I have too many permanent global admins configured for my tenant. I also have the option to run a manual scan rather than waiting on the next automatic scan.

The Access Reviews option under the Manage section is used to create new access review. I’ll cover the capability in a future post.

Skipping over the Wizard option for a moment, we have the Settings option. Here we can configure a variety of settings for roles, alerts, and access reviews.

Let’s dig into the settings for roles first.

Here we can configure the default settings for all roles as well as settings specific to one role. When a user successfully activates a privileged role, the membership in that role is time bound with a default of one hour. If after doing some baselining we find one hour is insufficient, we could bump it up to something higher. We can also configure notifications to notify administrators of activation of a role. There is also the option to require an incident or request reference that may map back to an internal incident management or request management system. Azure MFA can be required when a user activates a role. You’ll want to be aware that the MFA setting is automatically enforced for roles Microsoft views as critical such as global administrator.

Finally we have the option to require an approval. If you’ve played around with AAD PIM since preview, you may remember the approval workflow. For some reason the product team removed it when AAD PIM original went general available. This effectively meant users could elevate their access whenever they wanted. Sure they weren’t permanent members but there were no checks and balances. For organizations with a high security posture it made AAD PIM of little value and forced the on-demand management of privileged roles to be done using complicated PowerShell scripts or third-party tools that were integrated with the Graph API. It’s wonderful to see the product team responded to customer feedback and has added the feature back.

Toggling to Enable for the require approval option adds a section where you can select approvers for requests for the role.

Moving on to the Alerts settings we have the ability to configure parameters for some of the alerting as can be seen from the examples below.

The default values for the configurable thresholds around the “There are too many global administrator” should be a good wake up call to organizations as to the risk Microsoft associates with global admin access. The thresholds for the “Roles are being activated too frequently” should be left as the default until the behavior of your user base is better understood. This will help you to identify deviations from standard behavior indicating a possible threat as well as to identify opportunities to improve the user experience by bumping up the activation time span for users holding privileged roles that the hour long default activation time is insufficient.

Lastly we have Access Review settings. Here we can enable or disable mail notifications to reviewers are the beginning and end of an access review. Reminders can also be sent to reviewers if they have no completed a review they are a part of. A very welcome feature of requiring reviewers to provide reasons for approvals of a review. This can be helpful to capture business requirements as to why a user needs continued access to a role. Finally, the default access review duration can be adjusted.

Now on to the Wizard. The Wizard is a great tool to use when you first configure AAD PIM in order to get it up and running and begin capturing behavioral patterns. The steps within the Wizard are outlined below.

The Discover privileged roles step displays a simple summary of the privileged roles in use and the amount of permanent and eligible users. We can see from the below my tenant has exceeded either the 3 global admins or greater than 10% of users default thresholds for the “There are too many global admins” alert. Selecting any of the roles displays a listing of the users holding permanent or eligible membership in the role.

Clicking the next button bring us to the “Convert users to eligible step” where we can begin converting permanent members to eligible members. From a best practices perspective, you should ensure you keep at least two permanent members in the Privileged Role Administrator role to avoid being locked out if one account becomes unavailable. You can see that I’m making Ash Williams and Jason Voorhies eligible members of the global admins group.

After clicking the Next button I’m moved to the “Review the changes to your users in the privileged roles” step. I commit the changes by hitting the OK button and my two users are now setup as eligible members of the roles.

As you’ve seen throughout the post AAD PIM is incredibly easy to configure. I firmly believe that the only successful security solutions moving forward will be solutions that are simple to use and transparent to the users. These two traits will allow security professionals to focus less of their time on convoluted solutions and more time working directly with the business to drive real value to the organization.

I’m going to start something new with a quick bulleted list of key learning points that I came across while performing the lab and doing the research for the post.

AAD PIM can be configured after the first Azure AD Premium P2 or EMS E5 license is associated with the tenant
Be aware that at this time Microsoft does not enforce a technical control to prevent all users from benefiting from PIM but the licensing requirements require an individual license for each user benefitting from the feature. Make sure you’re compliant with the licensing requirements and don’t build processes around what technical controls exist today. They will change.
Once AAD PIM is activated by the first global admin, immediately assign a second user permanent membership in the Privileged Role Administrators role.

That’s it folks. In the next post in my series I’ll take a look at what the user experience is like for a requestor and approver. I’ll also look at some Fiddler captures to see I capture any detail as to how/if the modified privileges are reflected in the logical security token.

Thanks!

Journey Of The Geek

The chronicles of a Bostonian tech geek navigating through life and technology

Tag Archives: security

Azure AD Password Protection – Hybrid Deep Dive

Exploring Azure AD Privileged Identity Management (PIM) – Part 3 – Deep Dive

Exploring Azure AD Privileged Identity Management (PIM) – Part 2 – Setup