Description:

Privileged role assignments in Microsoft Entra ID (formerly Azure Active Directory) grant users elevated access to critical resources and administrative tasks within the organization. These roles typically include Global Administrator, Privileged Role Administrator, User Access Administrator, and other high-level access roles. Since these roles allow full control over important resources, it is essential to regularly review and audit their assignments to ensure that only authorized users retain these elevated privileges.

Regular reviews of privileged role assignments ensure that users who no longer require administrative access have their roles revoked, reducing the attack surface and helping maintain a secure environment.

Rationale:

Regularly reviewing privileged role assignments helps:

  • Enhance security by ensuring that only authorized personnel have access to sensitive resources and management functions.

  • Prevent privilege escalation by detecting users who no longer require elevated privileges but still hold them.

  • Maintain compliance with regulatory and security standards, many of which mandate periodic access reviews for high-privilege accounts.

  • Reduce insider threats by ensuring that only necessary personnel have access to privileged roles.

Impact:

Performing periodic reviews will:

  • Increase security by ensuring that no unused or unnecessary privileged roles are left assigned to users.

  • Improve compliance by ensuring that reviews are part of a continuous security management process.

  • Increase administrative overhead since it requires regular monitoring and communication with department heads or resource owners to validate role assignments. However, this can be mitigated with automated review tools like Azure AD Access Reviews.

Default Value:

By default, privileged role assignments are not automatically reviewed. Organizations must implement their own processes or use Azure AD Access Reviews to automate the periodic review of privileged roles.

Pre-requisites:

  • Azure subscription with Microsoft Entra ID (Azure AD) configured.

  • Global Administrator or Privileged Role Administrator permissions to review and manage privileged role assignments.

  • Access to Azure AD Audit logs to verify role assignments.

Audit:

  1. Sign in to Azure portal as a Global Administrator or Privileged Role Administrator.

  2. Navigate to Azure Active Directory > Roles and administrators and review the assignments for privileged roles (e.g., Global Administrator, Privileged Role Administrator).

  3. Ensure that all privileged role assignments are reviewed regularly (e.g., quarterly or bi-annually) to confirm they are still necessary.

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Privileged Role Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • In the Azure portal, go to Azure Active Directory.

  3. Review Privileged Role Assignments:

    • Under Manage, select Roles and administrators.

    • Review the list of privileged roles, including roles like Global Administrator, Privileged Role Administrator, User Access Administrator, etc.

    • Identify all users who have been assigned privileged roles.

  4. Verify Role Necessity:

    • For each privileged role assignment, verify if the user still requires it based on their current responsibilities or project involvement.

    • Coordinate with department heads or resource owners to confirm that access is still required.

  5. Remove Unnecessary Privileged Role Assignments:

    • If any privileged role is no longer required, remove the assignment by selecting the user and clicking Remove from the role.

    • Alternatively, you can assign a less privileged role to the user, such as Security Reader or User Administrator, depending on their requirements.

  6. Set Up Azure AD Access Reviews (Optional):

    • Use Azure AD Access Reviews to automate and streamline the review process for privileged roles.

    • Go to Identity Governance > Access Reviews in the Azure portal.

    • Create an Access Review for privileged roles and configure the review frequency (e.g., quarterly or bi-annually).

    • Specify reviewers (e.g., department heads, role owners, or security admins) to assess whether users should retain their privileged role assignments.

  7. Verify and Test the Review Process:

    • After implementing the Access Review or performing a manual review, verify that all users' privileged roles are appropriately assigned.

    • Test by attempting to access a privileged resource using a removed user to confirm that their role was successfully revoked.

  8. Document the Review Process:

    • Maintain a log of all role review activities, including who performed the review, the results, and any changes made.

    • Ensure that all decisions regarding privileged role removals or modifications are documented for compliance and auditing purposes.

  9. Monitor Role Changes:

    • Set up audit logs to monitor and alert you whenever a privileged role assignment is changed or modified in Azure AD.

    • Use Azure Monitor to set up alerts for when roles are assigned or removed from high-privilege users.

  10. Regularly Review Role Assignments:

    • Schedule and perform regular privileged role reviews, ensuring they happen on a recurring basis (e.g., quarterly).

    • Ensure that new employees, contractors, or external partners with privileged roles are periodically reviewed based on the review policy.
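The enumeration in the Audit section and Implementation steps 3, 5 and 9 can be scripted with Microsoft Graph PowerShell, which produces a reviewable export instead of a portal screenshot. This is an added example, not part of the recommendation; it assumes the Microsoft.Graph module is installed, that the role display names match the tenant's locale, and that only active (not PIM-eligible) assignments need to be listed.

```powershell
# Added example (not from the original recommendation). Requires: Install-Module Microsoft.Graph
# Assumption: role display names below match the tenant; PIM-eligible assignments are not active
# members of a role and therefore do not appear in this listing.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','AuditLog.Read.All' -NoWelcome

# Directory roles the recommendation calls out as privileged; extend the list as needed.
# Get-MgDirectoryRole returns only roles that have been activated in the tenant, which is
# sufficient here because an unactivated role has no members.
$privilegedRoles = @('Global Administrator', 'Privileged Role Administrator')

# Steps 3-4: one row per (role, member) so a reviewer can confirm each assignment is still needed.
$report = foreach ($role in Get-MgDirectoryRole | Where-Object { $_.DisplayName -in $privilegedRoles }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role        = $role.DisplayName
            ObjectType  = $member.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
            DisplayName = $member.AdditionalProperties['displayName']
            Principal   = $member.AdditionalProperties['userPrincipalName']   # empty for groups and service principals
            ObjectId    = $member.Id
            RoleId      = $role.Id
        }
    }
}
$report | Sort-Object Role, DisplayName | Format-Table -AutoSize
# Step 8: keep the export with the review log (who reviewed, when, what was decided).
$report | Export-Csv -Path ".\privileged-role-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Step 5: once a reviewer has confirmed an assignment is no longer needed, remove it by object id
# (values come from the report above; run only after the decision is documented):
#   Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $row.RoleId -DirectoryObjectId $row.ObjectId

# Step 9: role-management audit events for the last 30 days (e.g. "Add member to role",
# "Remove member from role"), so out-of-band changes between reviews are visible.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement' and activityDateTime ge $since" -All |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ n = 'InitiatedBy'; e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = 'Target';      e = { ($_.TargetResources | Select-Object -First 1).UserPrincipalName } } |
    Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize
```

Run the report before and after a review cycle and diff the two CSV files; any member present in the later export but absent from the review log indicates an assignment made outside the documented process.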

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Privileged Role Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • Go to Azure Active Directory in the Azure portal.

  3. Reassign Privileged Roles if Necessary:

    • If you need to revert any changes from the review, you can reassign privileged roles back to users.

    • Go to Roles and administrators, select the role, and click Assign to re-add the user to the role.

  4. Verify Role Assignment:

    • After reassigning roles, verify that users now have the appropriate privileged roles.

  5. Test the Reverted Configuration:

    • Test by logging in as the reassigned user and ensuring they have the expected access to resources and management functions.

References: