this is very new so not sure if anyone knows or has had experience in this.
So context first... Microsoft is pushing MSP's to migrate over to Granular Delegated Administrative Privileges (GDAP) from Delegated Administrative Privileges (DAP) in their partner center to manage client tenants.
So instead of just either being a helpdesk admin or a global admin, through DAP, you can now granularly assign roles to security groups, where these security groups are then applied on a per tenant basis.
So one of the administrative roles titled: Azure AD Joined Local Device Administrator can be assigned as a role to the security group, which then applies to a client tenant.
Traditionally, a Azure AD Joined Local Device Administrator lets an azure account on a tenant to be a local admin on an azure joined device.
After performing the GDAP migration, the security group from my parent tenant (MSP's tenant) which has the Azure AD Joined Local Device Administrator role, is now appearing under all my client tenants, in the normal area where you check which users or groups are Azure AD Joined Local Device Administrator.
So in theory, I understand this as, now I SHOULD be able to use an azure account from my parent tenant as a local admin on a device that is Azure joined from another tenant. Of course though when testing this, it did not work.
This would be a game changer in my opinion for local admin management on devices .. but would like to find out if I have the right idea the way I'm understanding this and if anyone might know if this is going to be the case?
Sorry for the length of this, I just couldn't find any information yet out there. Happy to clarify anything that I may have muddled up in my explanation.
Related
I have a rather (hopefully) theoretical question regarding the secure usage of Service Pricipals in Azure (Enterprise Applications)
Introduction
we currently deploy our DevOps Code via Azure Service Principals.
AppRegistration/Enterprise App is created
Secret is generated
Permission (i.e. Contributor) to the Ressource Group is granted in Azure
Service Connection is made in Devops
everything works fine.
Assumption
By default the Service Principal (Enterprise Application) is not restricted to a specific user/group (Assignment Required => "no").
My assumption is now, that every user in the AAD-Tenant is able to login to the Enterprise Application as well.
I i.e. do this by using the "Graph Powershell API"-EnterpriseApp.
I can either use a Secret or use my User Credentials to access the Service Principal and its permissions
Security issue?
coming back to our DevOps configuration:
The Service Principal has Contributor Permission on the dedicated Resource Group
Assignment Required is set to no (default configuration)
if I (as a malicious user) have the Application ID, i could simply logon to the Service Principal and receive the Token.
Question:
With this token and my login to the App, do i also have the Contributor Permissions of the App and could now manipulate the whole Resource Group?
Since i'm not an Azure Developer - but only an Azure AD Admin - my knowledge regarding this is limited,
so i'm not able to test it.
Can someone maybe either provide code or prove that my assumptions are wrong or correct?!
Thanks
Yes, the SPN can manage the resources within the resource group if it has Contributor - it is no different than a normal (human) identity.
Consider if the SPN actually needs Contributor or if you can limit it with another role or even make a custom role.
Furthermore, monitor the sign-ins using the Azure AD sign-in logs:
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins
You can also use CanNotDelete resource lock, which means that the service principal cannot delete resource as it is only Contributor:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
You might want to look into the Conditional Access to strengthen your environment:
https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identities-overview
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review
Take a look here:
https://infosecwriteups.com/a-lab-for-practicing-azure-service-principal-abuse-bd000e6c48eb
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/disable-user-sign-in-portal
https://learn.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-9.3.0#example-3-connect-to-azure-using-a-service-principal-account
My assumption is now, that every user in the AAD-Tenant is able to login to the Enterprise Application as well.
No. They would need the client secret or the rights to generate a new one. Which requires that they are owners of the App Registration. In the App Registration on the Owners tab it says:
The users listed here can view and edit this application registration. Additionally, any user (may not be listed here) with administrative privileges to manage any application (e.g., Global Administrator, Cloud App Administrator etc.) can view and edit the application registrations.
Good afternoon, I am fairly new to Azure AD in general; I know my way around but I am stumped on something for a client of ours.
We have a client who has devices joined to Azure AD. They wish to create local administrator accounts on specific computers that only specific people can access and only that administrative account can be used on that workstation for administrative rights (just like a regular device local admin account)
For example:
CON-01 (PC name) should have a local admin account that's in Azure AD named JohnDoe_adm#contoso.com that can do elevated admin privileges' but this JohnDoe_adm#contoso.com account should not be allowed to have local administrative rights on CON-02. And vice versa. JaneDoe_adm#contoso.com should only have local administrative rights to CON-02 but her login can't be used on CON-01 for elevated permissions.
Devices will not be connected to the local AD frequently for policy updates (and we want to avoid VPN connection to the local AD DC). Client strictly wants these devices joined via Azure AD Joined but to have administrative accounts managed through Azure AD.
The clients accounts are synchronized in Azure with their local AD.
I saw that with a premium license for Azure you can add local administrators group on Azure AD joined devices but doing so will allow that user to have local administrative access on all devices that are joined and we are trying to prevent that.
Would it be possible to create a group called CONOTSO/CON-01 Local Administrators in Azure AD; and add JohnDoe_adm#contoso.com to this group and go onto CON-01 and manually apply CONOTSO/CON-01 Local Administrators group under Administrators in lusrmgr.msc on the workstation CON-01 ?
Or any suggestions to make this process easier to achieve what I am looking for?
Any advice is appreciated! Thanks!
You can do that, just not in the GUI. :-)
On an individual computer you can use "Net Group Administrators /Add AzureAD\JohnDoe_adm" to give that account admin rights to the machine.
You'll have to do that for each machine.
• Yes, you can create an Azure AD user, for example in this scenario, johndoe_adm#contoso.com as a member of the local administrators’ group on Azure AD joined devices. For that purpose, you will have to create a policy under ‘Endpoint Protection’ in Intune management portal for ‘local user/group membership’ for managing local admins of Windows 10/11 client devices. Please follow the below snapshots for more information: -
As shown in the above policy, you can create a policy for ‘local user group membership’. In it, you can create a profile for Windows 10/11 by selecting the appropriate option and selecting the correct local users’ group to be managed through it as shown below: -
Once the above options have been selected, then you can have the option of selecting Azure AD users or groups in the respective selected local administrators group so that the Azure AD users can be a member of local administrators’ group on client system as below: -
Thus, in this way, you can add an Azure AD user/group as a member of local administrators’ group on the Azure AD joined and Intune MDM managed and complaint system by assigning this policy on the said device groups.
• Also, please note that as you are saying that a particular Azure AD user, i.e., ABC should be a member of a local administrators’ group on an Azure AD joined device, viz., XYZ which is readily possible as per stated above but you also want that this user ABC should not be a member of another Azure AD joined device’s local administrators’ group, then for this purpose, you will have to create a separate Azure AD user for every Azure AD joined device and create one profile likewise for every Azure AD user/group as well as for every device that is going to be a part of the local administrators’ group on the client system which can be very hectic and time consuming given the options available in Intune MDM.
Thus, I would suggest you create a single Azure AD user for the purpose of adding it in the local administrators’ group on every Azure AD joined and Intune MDM managed Windows 10/11 device and further create a profile as shown above and deploy it on all the Windows 10/11 devices to be managed through Intune and required accordingly. Also, do keep the credentials of that Azure AD user with yourself only to maintain a level of confidentiality.
For more detailed information on the above, kindly refer the below link: -
https://www.anoopcnair.com/manage-local-admins-using-intune-group-mgmt/#:~:text=The%20local%20user%20group%20management,or%20Windows%2011%20local%20group.
I was logged in to my AzureDevops account using my hotmail account.I then went to Organization Settings and then connected my Org to Azure AD.
After i logged out and logged in back again with the same account, i don't see anymore my projects which i was working on. I have disconnected my Azure AD and also tried switching directories but i am no longer able to see that particular organization anymore.
Any idea how to fix this or why this happened
Please check below points :
Try logging on to https://.visualstudio.com to see you can see the organization and projects, as stated in this.
Check Troubleshoot connecting to a project
You may not able to signin or access your organization unless your work or school account has the same email address as your Microsoft account.
Although you can add new work accounts to your organization, they're
treated as new users.
If you want to access all your work, including its history, you must
use the same sign-in addresses that you used before your organization
was connected to your Azure AD.
For that Add your Microsoft account as a member to your Azure AD Or
ask the owner of the organization who has proper permissions to map
any disconnected members to their Azure AD identities Or invite them
as guests into the Azure AD.
Invited user should use corresponding account, work/school account
for AAD based, personal account for the other.
So basically the user who makes the connection must confirm the following statements are true.
User exists in Azure AD as a member. If the user is an Azure AD guest, rather than member
User must have project collection administrator or owner of the organization
User must also have Azure Service Administrator or Coadministrator permissions for the Azure subscription that's linked to your organization in Azure DevOps.
User isn't using the Microsoft account identity that matches the Azure AD identity. For example, if the Microsoft account that users are currently using is jamalhartnett#fabrikam.com, the Azure AD identity they'll use after connecting is also jamalhartnett#fabrikam.com. Use a single identity that spans both applications, rather than two separate identities using the same email.
Add your work account as an administrator in your Azure DevOps organization
The AAD tenant should be same as the DevOps tenant to connect & Transfer the ownership of the organization to your work account.
Please see if you have followed the Prerequisites to Connect organization to Azure Active Directory
FAQ: to be refered
why dont i see my organization in the azure portal
why do i have to choose between a work or school account and my personal account
what if we cant use the same sign in addresses
Note: No other user than the owner of the organization will be able to see the organization under the “Azure DevOps organizations”
service in the Azure portal. Also, Azure DevOps does not support
multiple owners, like Azure services that support Role Based Access
Control (RBAC) do. An Azure DevOps organization will only have a
single owner at a time :reference
Please try to access https://aex.dev.azure.com/ and change domain to see if your organization is present in the list.
Or
You may need to open a support case on the Developer Community to help you out or raise a support request through azure portal.
References:
Lost organization after disconnecting it from Azure Active Directory-Stack Overflow
What not to do when Connecting Azure DevOps to
AzureAD |Josh Corrick |
Restore project - Azure DevOps Services | Microsoft Docs
First of all I am pretty new to Azure AD, so just excuse if the question is vague. I was trying to understand when a Windows 10 Device is AD joined, which all users will get default 'Local Administrator Role'. Will it be :
Global Admin, Device Administrator and User who join device (as mentioned here)
or
Global Admin and User who adds the device (as mentioned here)
The two documents are talking two different things. Excuse me again if this is very straightforward to answer.
The first article applicable to only Azure AD join devices.
The second article is for all joined devices such as Hybrid Azure AD joined devices, Azure AD join devices, Azure AD registered devices
No, All users will not get default 'Local Administrator Role'.Azure AD adds only security principals to the local administrators group on the device as per first article.
We're a very small company, for unknown reasons our internal app infrastructure (based on PaaS VMs) was set up on the Azure subscription for a "personal" Windows Live account of an internal email address, with only that one user in the AD. (We also use the "correct" Azure instance, the AD is synced from the remnant of our old on-prem infrastructure and our Office 365 is based on it.)
We're about to recruit a second developer, I want to give him some level of access to our app infrastructure but not the global admin that sharing the existing single account would provide. I've experimentally added another user to the Azure AD as a global admin (so it should have access to everything) but when I log in with that user it takes me to the portal for the default free personal Azure instance you get if there's nothing set up. If I paste in a URL for a resource in the account it's global admin for I get "You do not have access" (403). (Audit trail of the user in Azure AD shows it logged in.)
Is there an inherent restriction on this type of account (in which case I'll have to bite the bullet and migrate the infrastructure where it belongs) or should I be able to expect this user to be able to access the right portal - and if so what do I need to do to get that to happen?
Having Global Admin role in Azure AD does not give you access to Azure resources, only to manage users etc. in Azure AD.
You need to add e.g. Owner/Contributor role on the subscription to the user through the Access Control (IAM) tab.