Uncovering the Impact of Technology on Communication: How Social Media is Transforming the Way We Connect

Posted by

This blogpost explains how to use Azure Functions to remove unauthorized Role Assignments. A Log Search Alert Rule is used to detect the creation of Role Assignments on the scope of a Resource Group or Subscription, and an Action Group is used to trigger an Azure Function. The Function App uses a System-assigned Managed Identity to remove the unauthorized Role Assignment.

Introduction

Recently, one of my customers faced a challenge regarding the assignment of Role Definitions to workload teams on their Subscriptions. Their current configuration uses Entitlement Management, in combination with Privileged Identity Management (PIM), to grant a set of standing and eligible Role Assignments to workload teams. In this way, individual users would be able to elevate to the Contributor Role Definition on the scope of their own Subscription.

Even though the Contributor Role Definition grants users a lot of rights, in some cases it is not sufficient. For instance, it does not allow for the creation of a key, secret or certificate in an Azure Key Vault. Instead, Access Policies or another Role Definition (e.g. Key Vault Administrator) need to be used.

Solution Overview

In order to prevent the creation of Role Assignments at the Resource Group scope or above, different Azure services are used. To execute the PowerShell code in the Function, a System-assigned Managed Identity is linked to the Function App. The Storage Account is used by the Function App for operations such as managing triggers and logging function executions. Finally, Application Insights is used to monitor the Functions in Function App.

Putting Theory into Practice

As you can see in Figure 2, I am starting the flow with the creation of a Role Assignment on the scope of a Subscription. I have configured my Log Search Alert Rule in such a way that it will run a KQL query every 5 minutes while using a 5-minute timeframe. The KQL query is formatted so that it detects Role Assignments created on a Resource Group or Subscription scope.

“AzureActivity
|whereCategoryValue=~”Administrative”andOperationNameValue=~”Microsoft.Authorization/roleAssignments/write”andActivityStatusValue=~”Success”//Only selectthecreationofRole Assignmentsthatsucceeded
|where_ResourceId matches regex”^\\/subscriptions\\/[a-f0-9]{8}(-[a-f0-9]{4}){3}-[a-f0-9]{12}\\/providers\\/microsoft\\.authorization\\/roleassignments\\/[a-f0-9]{8}(-[a-f0-9]{4}){3}-[a-f0-9]{12}$”or_ResourceId matches regex”^\\/subscriptions\\/[a-f0-9]{8}(-[a-f0-9]{4}){3}-[a-f0-9]{12}\\/resourcegroups\\/[a-zA-Z0-9._\\-()]+\\/providers\\/microsoft\\.authorization\\/roleassignments\\/[a-f0-9]{8}(-[a-f0-9]{4}){3}-[a-f0-9]{12}$”//Only selectthecreationofRole AssignmentsontheSubscriptionorResource Group scope
|whereCaller !=”87794bfc-4bf9-4695-b010-154387cedcc3″//Only selectthecreationofRole Assignmentsnotconducted Privileged Identity Management(87794bfc-4bf9-4695-b010-154387cedcc3)| project TimeGenerated,Caller,_SubscriptionId,_ResourceId//Only project informationonwhentheRole Assignmentiscreated,bywhom,andonwhat Azure resource”

If you want to create a similar Log Search Alert Rule, use the KQL query contained in the code block above. As the Log Search Alert Rule is triggered, an Alert is created in Azure Monitor. If the Alert is triggered, the Action Group makes sure that it subsequently triggers the Function that is part of the Function App. With the use of the JSON payload that is sent to the Function, a PowerShell script is executed to remove the unauthorized Role Assignment.

Key points from the article:

  • Explains how to use Azure Functions to remove unauthorized Role Assignments
  • Uses a Log Search Alert Rule to detect the creation of Role Assignments on the scope of a Resource Group or Subscription
  • An Action Group is used to trigger an Azure Function
  • Function App uses a System-assigned Managed Identity to remove the unauthorized Role Assignment
  • GitHub repository contains all the artifacts used to build the solution

From the Core Infrastructure and Security Blog


Related Posts
Unlock the Power of the Platform: Your Guide to Power Platform at Microsoft Ignite 2022

Microsoft is leading the way in AI-generated low-code app development. With the help of AI, users can quickly Read more

Unlock the Power of Microsoft Intune with the 2210 October Edition!

Microsoft is an enterprise mobility management platform that helps organizations manage mobile , applications, and data. The October edition Read more

Unlock the Power of Intune 2.211: What’s New for November!

Microsoft Intune has released its November edition, featuring new updates to help IT admins better manage their organization’s mobile devices. Read more

Unlock the Power of Microsoft Edge on Intune-Managed Shared Android Devices

Microsoft Intune now supports Microsoft on devices, allowing organizations to provide a secure and productive experience for their Read more