Skip to content

Permissions Management First Look

June 1, 2022

When we help customers to harden their Azure AD, Azure and on-premises AD DS, one of the first things we do is what we call Account Disposition. As part of Account Disposition in Azure, we review the following:

  • Azure AD privileged roles – goal to identify all accounts that are members of these roles so we can plan what to do with them,
  • Azure AD applications (SPNs) – review it for any risky permissions (more on it in one of the future posts),
  • RBAC on Azure Subscriptions – review who has what type of access to control resources in subscriptions.

Permissions Management is designed to help us with analyzing Azure, AWS and GCP to provide comprehensive visibility into permissions assigned to all identities (users and workloads), actions, and resources. I’m hoping to use this product in our engagements to assist with Account Disposition, not only in Azure, but also in other clouds.

As I started testing it in Azure, I quickly discovered that it does not actually look at Azure AD permissions – ie it does not provide analysis of Azure AD roles and it does not look at applications (SPNs) permissions. It only looks at permissions in connected Azure subscriptions (via Management group or individual subscriptions). For some reason I expected that it will look comprehensively at Azure AD and subscriptions, yet it is not current capability.

After reading documentation in more detail, it actually never explicitly states that it looks at Azure AD. Also, one of the names for this technology being “cloud infrastructure entitlement management” (CIEM) kind of leads to think that it only looks at infrastructure and does not look at the directory service that provides access to this infrastructure.

I hope product team will expand Permissions Management capability to look at Azure AD and applications (SPNs) so we have one truly comprehensive view over all permissions assignments in Azure.

For now, you have to look at and analyze Azure AD and applications using some other process.

In the next few posts, I’ll share some observations on Permissions Management over Azure subscriptions and AWS account, which is the main focus of this product.

See you around!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: