This blog post explains how to use Azure Functions to remove unauthorized Role Assignments. A Log Search Alert Rule detects the creation of Role Assignments at Resource Group or Subscription scope, an Action Group triggers an Azure Function, and the Function App uses its System-assigned Managed Identity to remove the unauthorized Role Assignment.

Introduction

Recently, one of my customers faced a challenge regarding the assignment of Role Definitions to workload teams on their Subscriptions. Their current configuration uses Entitlement Management, in combination with Privileged Identity Management (PIM), to grant a set of standing and eligible Role Assignments to workload teams. In this way, individual users can activate the Contributor Role Definition on the scope of their own Subscription.

Even though the Contributor Role Definition grants users a lot of rights, in some cases it is not sufficient. It covers the Azure management plane only: for instance, it does not allow the creation of a key, secret or certificate in an Azure Key Vault, because those are data-plane operations. Instead, Access Policies or another Role Definition (e.g. Key Vault Administrator) need to be used, and Contributor itself cannot create such Role Assignments either (Microsoft.Authorization/*/Write is in its NotActions).

Solution Overview

To detect and undo the creation of Role Assignments at the Resource Group scope or above, the solution combines several Azure services: a Log Search Alert Rule detects the assignment, an Action Group reacts to the Alert, and a Function App performs the remediation. To execute the PowerShell code in the Function, a System-assigned Managed Identity is linked to the Function App; that identity has to be granted Microsoft.Authorization/roleAssignments/delete on the monitored Subscriptions (for example through the User Access Administrator Role Definition), otherwise the removal fails with an authorization error. The Storage Account is used by the Function App for operations such as managing triggers and logging function executions. Finally, Application Insights is used to monitor the Functions in your Function App.

Putting Theory into Practice

As you can see in Figure 2, I start the flow by creating a Role Assignment on the scope of a Subscription. My Log Search Alert Rule is configured to run a KQL query every 5 minutes over a 5-minute window, and the query is written to detect Role Assignments created on a Resource Group or Subscription scope. Note that this is a detective control, not a preventive one: the evaluation interval plus the ingestion delay of AzureActivity into Log Analytics means an unauthorized assignment can remain usable for several minutes before it is removed, and an assignment created at a narrower scope (a single resource) is deliberately not matched.

```kql
AzureActivity
| where CategoryValue =~ "Administrative" and OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write" and ActivityStatusValue =~ "Success" // Only select the creation of Role Assignments that succeeded
| where _ResourceId matches regex "^\\/subscriptions\\/[a-f0-9]{8}(-[a-f0-9]{4}){3}-[a-f0-9]{12}\\/providers\\/microsoft\\.authorization\\/roleassignments\\/[a-f0-9]{8}(-[a-f0-9]{4}){3}-[a-f0-9]{12}$" or _ResourceId matches regex "^\\/subscriptions\\/[a-f0-9]{8}(-[a-f0-9]{4}){3}-[a-f0-9]{12}\\/resourcegroups\\/[a-zA-Z0-9._\\-()]+\\/providers\\/microsoft\\.authorization\\/roleassignments\\/[a-f0-9]{8}(-[a-f0-9]{4}){3}-[a-f0-9]{12}$" // Only select the creation of Role Assignments on the Subscription or Resource Group scope
| where Caller != "87794bfc-4bf9-4695-b010-154387cedcc3" // Only select the creation of Role Assignments not conducted by Privileged Identity Management (87794bfc-4bf9-4695-b010-154387cedcc3)
| project TimeGenerated, Caller, _SubscriptionId, _ResourceId // Only project information on when the Role Assignment is created, by whom, and on what Azure resource
```

If you want to create a similar Log Search Alert Rule, use the KQL query in the code block above. When the query returns results and the rule's threshold is met, an Alert is created in Azure Monitor and the Action Group invokes the Function in the Function App. The JSON payload that Azure Monitor sends to the Function identifies the Role Assignment, and the PowerShell script uses it to remove the unauthorized Role Assignment.
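As an added example (not the original post's code, which lives in the author's GitHub repository), here is what the Function's run.ps1 can look like when the Function is HTTP-triggered and the Action Group posts the Common Alert Schema. It assumes two things the page does not state: that the alert rule is configured to split by the _ResourceId dimension, so the fired alert carries each Role Assignment's resource ID under data.alertContext.condition.allOf[].dimensions, and that the Function App's System-assigned Managed Identity holds Microsoft.Authorization/roleAssignments/delete (for example via User Access Administrator) on the Subscription. The function names Get-RoleAssignmentIdsFromAlert and Remove-UnauthorizedRoleAssignment are my own.

```powershell
# run.ps1 of an HTTP-triggered PowerShell Function (added example, not the original post's code).
# Assumptions not stated on the page: the Log Search Alert Rule splits by the _ResourceId dimension,
# so the Common Alert Schema payload names each Role Assignment under
# data.alertContext.condition.allOf[].dimensions, and the Function App's Managed Identity holds
# Microsoft.Authorization/roleAssignments/delete on the Subscription (e.g. User Access Administrator).
# requirements.psd1 must load Az.Resources (or Az) so Get-/Remove-AzRoleAssignment are available.
using namespace System.Net
param($Request, $TriggerMetadata)

# Same scope constraint as the KQL query: a Role Assignment directly on a Subscription or Resource Group.
$guid = '[a-f0-9]{8}(-[a-f0-9]{4}){3}-[a-f0-9]{12}'
$allowedScopes = "^/subscriptions/${guid}(/resourcegroups/[a-zA-Z0-9._\-()]+)?/providers/microsoft\.authorization/roleassignments/${guid}`$"

function Get-RoleAssignmentIdsFromAlert {
    # Pull the Role Assignment resource IDs out of a Common Alert Schema payload and re-validate them.
    param([Parameter(Mandatory)] $Payload)
    if ($Payload.schemaId -ne 'azureMonitorCommonAlertSchema') { throw "Unexpected schema '$($Payload.schemaId)'" }
    if ($Payload.data.essentials.monitorCondition -ne 'Fired') { return @() }   # ignore 'Resolved' notifications
    $ids = foreach ($condition in $Payload.data.alertContext.condition.allOf) {
        foreach ($dimension in $condition.dimensions) {
            if ($dimension.name -eq '_ResourceId') { $dimension.value }
        }
    }
    # Never delete whatever the payload happens to name: only IDs matching the expected scope pass.
    return @($ids | Where-Object { $_ -imatch $allowedScopes } | Select-Object -Unique)
}

function Remove-UnauthorizedRoleAssignment {
    # Look the assignment up at its scope and remove it; returns $true when something was removed.
    param([Parameter(Mandatory)][string] $RoleAssignmentId)
    $scope = $RoleAssignmentId -ireplace '/providers/microsoft\.authorization/roleassignments/.*$', ''
    $assignment = Get-AzRoleAssignment -Scope $scope |
        Where-Object { $_.RoleAssignmentId -ieq $RoleAssignmentId }
    if (-not $assignment) {
        Write-Warning "Role Assignment $RoleAssignmentId no longer exists (already removed or alert replayed)"
        return $false
    }
    Write-Host "Removing '$($assignment.RoleDefinitionName)' for principal $($assignment.ObjectId) at scope $scope"
    Remove-AzRoleAssignment -InputObject $assignment
    return $true
}

$body = $Request.Body
if ($body -is [string]) { $body = $body | ConvertFrom-Json }   # body arrives as text if the content type is not JSON

$removed = @()
foreach ($id in Get-RoleAssignmentIdsFromAlert -Payload $body) {
    if (Remove-UnauthorizedRoleAssignment -RoleAssignmentId $id) { $removed += $id }
}

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body       = (@{ removed = $removed } | ConvertTo-Json)
})
```

Two practical notes. The Action Group's "Azure Function" action calls the Function with its function key, so leave the trigger's authLevel at function rather than anonymous; an anonymous endpoint would let anyone who can reach it submit a payload naming a Role Assignment to delete. And the script deliberately re-applies the same scope pattern as the KQL query before acting, so a malformed or replayed alert cannot turn the Function into a generic "delete this resource ID" primitive.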

Key points from the article:

  • Explains how to use Azure Functions to remove unauthorized Role Assignments
  • Uses a Log Search Alert Rule to detect the creation of Role Assignments on the scope of a Resource Group or Subscription
  • An Action Group is used to trigger an Azure Function
  • Function App uses a System-assigned Managed Identity to remove the unauthorized Role Assignment
  • GitHub repository contains all the artifacts used to build the solution

From the Core Infrastructure and Security Blog

