Cloudbrothers
Azure Attack Paths Posts Categories About me Talks english
Cloudbrothers

Contents

Just-In-Time role assignment in Microsoft Defender

 included in Azure AD Entra ID Identity and Access Security Defender for Endpoint
   1429 words   7 minutes 

For a long time assigning multiple Entra ID (Azure AD) roles to a user was a tedious task in not done via a script. Every role assignment had to be made separately. This also made it hard to change role assignments for a group of people.

That all changed when Microsoft introduced Entra ID (Azure AD) role-assignable groups. It is now possible to assign multiple roles to one group and add the users to this group. This makes it much easier to manage those role assignments.

The Privileged Identity Management features add additional security features like Just-In-Time role assignment. This means the user is not assigned permanently to the role but is only eligible to use it when she needs it. After a defined time, the active role assignment is removed automatically. Also, it allows to implement an approval process for high privileged roles.

But until a few weeks ago those features where only available for Entra ID (Azure AD) roles and Azure resources. Other services with their own role management capabilities did not support PIM. You could use access packages to assign groups, but this was not a good option, because it meant a second place for the administrator to request permissions.

With Privileged Access groups currently in preview this changes. It is now possible to enable an Entra ID (Azure AD) role-assignable group for privileged access features. Now it is possible to assign a user or a group of users as eligible to another AD group and use this group to map the necessary roles in your application of choice.

This could be Intune, Exchange, Compliance or as I will demonstrate the Microsoft 365 Defender portal.

Plan your roles

First you will have to decide which capabilities or even device groups you want to protect using PIM.

  1. You might want to put your analyst in a permanent eligible assignment to access the portal to do their day-to-day business.
  2. The second assignment could for using live response, but only after additional approval.
  3. And a third assignment group is only for those who need to get administrative permission in the portal. This, again, is protected by an approval workflow.

/en/jit-role-assignment-microsoft-defender/images/Scenarios.png

When you plan this for your environment check which roles you currently use and which actions you might want to put behind an approval workflow. You could also go as far as to protect different device groups from being accessed without approval.

In this walkthrough I will show you how to implement an approval-based workflow to get MDE Administrator permissions. It includes n users assigned to a Entra ID (Azure AD) security group (“PIM MDE Administrator”). This group will be eligible to request MemberOf status of the role enabled group (“Role_MDE Administrator”). This group is assigned to the “Microsoft Defender for Endpoint administrator (default)” role in the Microsoft 365 Defender portal.

/en/jit-role-assignment-microsoft-defender/images/PIMMicrosoft365Defender.png

Azure AD implementation

Create Azure AD security group

This group, named “PIM MDE Administrator”, will be used to avoid having to add each user as eligible later.

Since this is a normal Entra ID (Azure AD) group you just have to define a name and a description.

/en/jit-role-assignment-microsoft-defender/images/NewAzureADGroup.png

Create Azure AD role enabled groups

Next you must create a second Entra ID (Azure AD) group, but you have to enable the option “Entra ID (Azure AD) roles can be assigned to the group”. This can only be done when creating the group and cannot be changed later. This group is called “Role_MDE Administrator” in this example.

Note
Only Global Administrators and Privileged Role Administrators can create this type of group.

/en/jit-role-assignment-microsoft-defender/images/NewAzureADRoleGroup.png

Add users to the group

Add the users to the “PIM MDE Administrator” group. Since they will be only eligible they can’t use this permission directly but only after activating it.

/en/jit-role-assignment-microsoft-defender/images/GroupMembers.png

Enable Privileged access

Now switch to the “Role_MDE Administrator” group and enable the Privileged access feature.

/en/jit-role-assignment-microsoft-defender/images/EnablePrivilegedAccess.png

/en/jit-role-assignment-microsoft-defender/images/EnablePrivilegedAccess_2.png

Change assignment settings

After you enabled this feature, you can now switch to the tab and click on settings. This is where you will have to define how a user or group can be assigned to this group and configure advanced settings e.g. if an approval is needed.

/en/jit-role-assignment-microsoft-defender/images/Settings.png

After choosing settings select “Member” because this is the membership type, we want to users to have.

/en/jit-role-assignment-microsoft-defender/images/Settings-Members.png

Change how an activation of this role is handled. In this case I require an approval from a named user.

/en/jit-role-assignment-microsoft-defender/images/RequireApprovalToActivate.png

And since an approval is needed, and I use a group for the user assignment, I changed the setting to allow a permanent eligible assignment.

/en/jit-role-assignment-microsoft-defender/images/AllowPermanentEligibleAssignment.png

Add eligible assignment

At last, add the “PIM MDE Administrator” as a permanent eligible assignment.

/en/jit-role-assignment-microsoft-defender/images/AddAssignment.png

Your Entra ID (Azure AD) is now all set up. Let’s switch to the Defender portal.

Microsoft 365 Defender

Enable Role Management for Defender

You have to enable role-based access control in the settings on security.microsoft.com if this was not already done. You must be member of the Entra ID (Azure AD) Global Administrator or Security Administrator role to access the portal after you make the change. All other users will lose their access until you assign them a new role.

/en/jit-role-assignment-microsoft-defender/images/EnableRBACinMDE.png

After enabling the RBAC feature the default administrator role is the only role present.

/en/jit-role-assignment-microsoft-defender/images/RBACEnabled.png

Create roles and add permissions and groups in MDE portal

Administrator

First add the “Role_MDE Administrator” to the default administrator role.

/en/jit-role-assignment-microsoft-defender/images/AddAdminRole.png

Basic access

Next create your other roles and add the respective Entra ID (Azure AD) groups to them. I use a basic analyst role group as an example.

/en/jit-role-assignment-microsoft-defender/images/RoleAnalyst.png

Note
If you already have device groups in place you will have to add the AAD groups to the correct device groups as well.

/en/jit-role-assignment-microsoft-defender/images/DeviceGroup.png

Test your setup

Now it’s time to check out if your setup is working as expected.

Info
Do not try to do the request and approval with the same user. It is not possible to approve your own requests.

Request access

Access the “Privileged Identity Management” portal and select “My roles” and “Privileged access groups

You should see the “Role_MDE Administrator” under “Eligible assignments” with membership type “Group”. Click “Activate” to start the activation workflow. Enter a justification and after clicking on “activate” your request is pending for approval.

You can check the current state in the “My requests” blade.

/en/jit-role-assignment-microsoft-defender/images/ActivateRole.png

Approval

Login with the user that has the permission to approve the request and switch to “Approve requests”. Select the request and click on “Approve”. Depending on your configuration you now must enter a justification and after that the approval is given.

To verify this head over to the “PIM_MDE Administrators” group and check the group membership. The requesting user should be a member of this group. You can also check the audit log to see that “MS-PIM” added the user to the group.

/en/jit-role-assignment-microsoft-defender/images/ApprovalAndGroupMembership.png

Check access

The last thing to do is to check if you now have access to the Microsoft 365 Defender portal as the requesting user. It might be necessary to log out from the portal if accessed it before. In my testing this was not always the case.

Conclusion

With the privileged access groups feature Privileged Identity Management now is the one-stop-shop for everything related to just in time administration. The possibilities using this new feature are nearly limitless if the application you want to put behind PIM supports Entra ID (Azure AD) groups for role assignments.

Currently there is a limit of 400 Entra ID (Azure AD) groups that use the isAssignableToRole property per tenant.

That you cannot use existing groups is, in my opinion, not a bad thing because it forces you to plan your setup based on the new capabilities.

If you have the necessary licenses, I recommend checking out this feature for every possible administrative application. If you have already implemented Single Sign On with Entra ID (Azure AD) for your applications there should be no good reason not to use this. Even if you must allow active assignments for some use cases, this bundles the administrative roles in one portal and the administrator herself can easily check out which permissions and roles she can use, using the “My roles” blade.

Something that is currently missing is the “Access review” feature, but I think this is just a matter of time.

Personally I would limit the usage of PIM to admin centric use cases and recommend using access packages for more user centric workflows e.g. software assignments.

Updated on 2021-11-29
Back | Home