State of Azure IAM 2023
Identity and Access Management (IAM) is an essential component in any Azure security design. By effectively controlling access within an Azure environment, we can simplify the process of detecting unusual or unauthorized activities. This post offers an independent review of important changes and updates in Azure IAM for 2023, with an emphasis on key technical details and real-world impact.
1. Role assignments with ABAC enhancements!
In 2022, Microsoft introduced ABAC (attribute-based access control) for the Azure Blob service, enabling cloud operators to assign access based on the attributes of blob resources. Expanding on this in 2023, Microsoft introduced ABAC for delegating Azure role assignments. This allows us to design an access management strategy that includes a new category of “delegated administrators” that are allowed to assign roles within defined limits. These are typically application owners and developers. For example, they might be given rights to allow a managed identity to pull images from a container registry (acrPull).
This can be implemented during the assignment process for roles with unrestricted permission to modify role assignments (referred to as Privileged Administrator Roles). This includes the built-in roles: Owner; User Access Administrator; Role Based Access Control Administrator; Access Review Operator Service and any custom role that has any of the following permissions:
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
Here is what the assignment looks like from the portal and using the API:
"permissions":[
{
"actions":[],
"notActions":[],
"dataActions":[],
"notDataActions":[],
"conditionVersion":"2.0",
"condition":"((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{xxxxxxxx-yyyy-zzzz-xxxx-yyyyyyyyyyyy, xxxxxxxx-yyyy-zzzz-xxxx-yyyyyyyyyyyy})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{xxxxxxxx-yyyy-zzzz-xxxx-yyyyyyyyyyyy, xxxxxxxx-yyyy-zzzz-xxxx-yyyyyyyyyyyy}))"
}
],
}
2. New permissions and built-in roles added
In the past year, 2560 new permissions have been added to Azure RBAC, increasing the total number of permissions to 18,984*. This is compared to 2710 permissions that were added in 2022.
98 new built-in roles was also added in 2023 — an average of eight (8) new roles per month bringing the total number of built-in roles up from 377 to 476*. This includes the LocalRulestacksAdministrator and LocalNGFirewallAdministrator roles for the newly announced Cloud NGFW by Palo Alto Networks service.
From my analysis, fifty-five (55) of the new roles have broad permissions either beyond their default namespaces or with wildcard permissions that could be abused. Cloud administrators should thoroughly review these roles beyond the descriptions or recommendations in documentation before using them to grant access. For example, the App Compliance Automation Reader role has complete read access (same permissions as the built-in READER role). You can check out the book that I wrote with Karl Fosaeen on Azure Pentesting, that covers techniques to escalate privilege using a reader role — https://amzn.to/3C7mrcL.
It is good to see Microsoft starting to include ABAC conditions for built-in roles that have permissions to assign roles — [Microsoft.Authorization/roleAssignments/write]
. There were three roles added this year with this permission — Key Vault Data Access Administrator (Preview), Virtual Machine Data Access Administrator (preview); and Azure Stack HCI Administrator. All three of them have conditions that limits the roles that they can be used to assign (see below).
## Azure Stack HCI Administrator
- Azure Connected Machine Resource Manager
- Azure Connected Machine Resource Administrator
- Azure Connected Machine Onboarding
- Azure Stack HCI VM Reader
- Azure Stack HCI VM Contributor
- Azure Stack HCI Device Management Role
- Azure Resource Bridge Deployment Role
- Key Vault Secrets User (preview)
## Key Vault Data Access Administrator
- Key Vault Administrator (preview)
- Key Vault Certificates Officer
- Key Vault Crypto Officer
- Key Vault Crypto Service Encryption User (preview)
- Key Vault Crypto User (preview)
- Key Vault Reader (preview)
- Key Vault Secrets Officer (preview)
- Key Vault Secrets User (preview)
## Virtual Machine Data Access Administrator (preview)
- Virtual Machine Administrator Login
- Virtual Machine User Login
Even with the constraints, many of the roles that they can be used to assign still have broad access that can be abused for recon and even data exfiltration if assigned at a wider scope.
3. Existing roles that changed
Another important detail often overlooked is that existing built-in roles can change: permissions are updated, added for new features, or removed and tightened. In 2023, fifty-two (52) existing roles underwent changes, with fourteen (14) seeing added constraints (NotActions or NotDataActions) and 43 adding permissions. For instance, the built-in Contributor role was updated to exclude permissions for writing or deleting Purview consents. Some roles, like the Azure Kubernetes Service RBAC Admin, even saw permissions expanded, only for those changes to be reversed shortly after.
Many have not even considered the impact of these fluid changes to their overall security. When an assigned built-in role is updated to add new permissions, it may unexpectedly extend user access beyond what was originally intended. This can expose your environment to risks if users or services end up with more privileges than necessary, possibly leading to security vulnerabilities. It is recommended to review and update their security policies to account for these changes in role permissions.
This is one of the reasons why organizations should generally avoid using built-in roles for access and instead create custom roles tailored to their specific needs. This may delay the adoption of new features, a workaround is to grant broader permissions to accounts designated for testing new features, balancing security with the need for innovation.
## Built-in roles that added permissions in 2023
App Configuration Data Owner
Azure Arc ScVmm Administrator role
Azure Arc ScVmm Private Cloud User
Azure Arc ScVmm Private Clouds Onboarding
Azure Arc ScVmm VM Contributor
Azure Arc VMware Administrator role
Azure Arc VMware Private Cloud User
Azure Arc VMware Private Clouds Onboarding
Azure Arc VMware VM Contributor
Azure Center for SAP solutions administrator
Azure Center for SAP solutions reader
Azure Center for SAP solutions service role
Azure Connected Machine Resource Administrator
Azure Connected Machine Resource Manager
Azure Kubernetes Service Cluster Monitoring User
Azure Kubernetes Service RBAC Admin
Azure Kubernetes Service RBAC Reader
Azure Kubernetes Service RBAC Writer
Backup Operator
Backup Reader
Bayer Ag Powered Services CWUM Solution
Bayer Ag Powered Services GDU Solution
Bayer Ag Powered Services Imagery Solution
CDN Profile Reader
Chamber Admin
Chamber User
Cognitive Services Face Recognizer
Cognitive Services Language Reader
Cognitive Services OpenAI Contributor
Cognitive Services OpenAI User
Cognitive Services Speech Contributor
Cognitive Services Speech User
Defender for Storage Data Scanner
Deployment Environments User
Desktop Virtualization User
Desktop Virtualization Virtual Machine Contributor
DevCenter Dev Box User
DevCenter Project Admin
EventGrid Data Sender
FHIR Data Contributor
FHIR Data Writer
Key Vault Certificates Officer
Monitoring Contributor
Resource Policy Contributor
SQL Security Manager
Security Admin
SignalR REST API Owner
4. Increased pace of platform evolution continues
In 2023, Microsoft annouced 350 updates for the Azure platform on https://azure.microsoft.com/updates/ — 172 preview announcements and 178 GA announcements.
Given the volume and pace of these updates, it is challenging and sometimes unrealistic for security teams to fully assess and understand the risks of each new feature. This is particularly troubling when looking at past Azure vulnerabilities, where cases like ChaosDB and Autowarp had a wider impact due to “new features” that became default (see below). Both of these were classic cases of features evolving into defaults which evolved into security bugs.
Ultimately, a reactionary approach is not enough to handle this challenge effectively. Instead, implementing a well-validated zero-trust architecture is key to providing robust protection. I started advocating for security teams to include CSP vulnerabilities in their threat modeling and risk assessments. This is becoming increasingly important to stay ahead of potential threats caused by the introduction of potentially vulnerable new features.
5. Final thoughts
Here are my final thoughts for you to consider based on conversations and assessments done this year:
1. The way to scale is proactive access management — restricting user’s permissions to actions needed to fulfill their job requirements. This reduces the attack surface and makes it easier to detect suspicious or unauthorized behavior later.
2. Look through your environment and convert assignments that target individual resources or users to target groups instead.
3. Defining granular and custom permissions is the way to go for many organizations BUT it can also create complexity. As roles and job requirements evolve, this can lead to increased management overhead. Consider if your organaization has the operational maturity to handle this complexity before proceeding.
4. Assigning roles at a wide scope creates risk, even if the identity has a limited set of permissions. As much as possible, avoid wildcard and sensitive permissions at wider scopes.
5. Post implementation monitoring is key to identifying the effectiveness of your access management strategy. Measuring privilege usage (used and unused) is a good start to evaluating and improving your strategy.
6. Zero-trust architecture that takes into account the risk of CSP vulnerabilities is key to maintaining security in the public cloud.
To get notified when I publish new posts or analysis, follow my medium and social media pages — Twitter, LinkedIn. I’m always happy to have conversations on cloud security. If you need to dive deeper into Azure cloud security and expand your multi-cloud expertise, check out my upcoming weekend-only courses in 2024! Anyone who registers for my Azure Cloud Pentesting course will also get a copy of my book on Penetration Testing Azure for Ethical hackers.
Azure Cloud Pentesting for Ethical Hackers (2 Days)
- Dates: March 2 & 3 (GMT & PST)
- Register: Azure Pentesting Course
Multi-Cloud Fundamentals — Azure, AWS, GCP (4 Days)
- Dates: March 23, 24, 30 & 31 (GMT & PST)
- Register: Multi-Cloud Fundamentals Course
REFERENCES:
- * I analyzed two main data sources — the commit history of Ian McKay’s github repository for the past 12 months — https://github.com/iann0036/iam-dataset/ and Julian Hayward’s https://www.azadvertizer.net/
- Unit42 CLOUD THREAT REPORT VOLUME 7 — https://www.paloaltonetworks.com/resources/research/unit-42-cloud-threat-report-volume-7