
Understanding Microsoft Entra Permissions Management


Zero Trust is a security strategy used to design security principles for your organization. Zero Trust helps secure corporate resources by implementing the following security principles: verify explicitly, use least privilege access, and assume breach.

In this article, we will delve into the details of Microsoft Entra Permissions Management, a cutting-edge solution that provides comprehensive visibility and control over permissions for any identity and any resource in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

Introduction

The adoption of multi-cloud has led to a massive increase of identities, permissions, and resources across cloud platforms, increasing complexity and expanding organizations’ attack surface. Identity and security teams lack enterprise-wide visibility into permissions and are unable to implement consistent access policies, leaving their cloud resources exposed to potential permission misuses.

Microsoft recently unveiled a range of enhanced Security Service Edge (SSE) features as a component of their Microsoft Entra technology suite. Among these developments, Microsoft also introduced another product known as Microsoft Entra Permissions Management to help you discover, remediate, and monitor multi-cloud permission risks.

Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides a unified platform to discover, remediate, and continuously monitor permissions for all identities, both users and workloads, across Amazon Web Services, Microsoft Azure, and Google Cloud, strengthening your Zero Trust Security and protecting your multi-cloud environment.

It gives you granular cross-cloud visibility into every action performed by every identity on every resource. By automatically detecting which permissions are unused and risky, it allows you to enforce the principle of least privilege at the cloud scale, granting additional permissions on demand when needed, and with high-precision machine-learning-based anomaly detection alerts and detailed forensic reports, you can continuously monitor your infrastructure for future permission creep.

See also: Microsoft Entra Global Secure Access, which provides robust security and seamless access to resources.

Prerequisites

To follow this guide, you need to have a Microsoft 365 / Microsoft Entra (formerly Azure AD) Tenant. If you don’t have a tenant yet, you can create a free one here.

To use Entra Permissions Management, you need to have a free 45-day trial or paid license. You can sign up for a free 45-day trial at: aka.ms/TryPermissionsManagement by filling in the details with your email account.

Microsoft Entra Permissions Management Trial

If your trial has expired, you can purchase licenses at: aka.ms/BuyPermissionsManagement or by contacting your Microsoft sales representative.

Once you have the trial and license sorted out, you can access the Permissions Management portal at: https://pm.cloudknox.io/

Permissions Management

Let’s see now how Microsoft Entra Permissions Management can help you get granular cross-cloud visibility, enforce the principle of least privilege, and continuously monitor permissions with alerts and reports.

On the main dashboard, Permissions Management allows you to discover, remediate, and monitor permissions risks in your multi-cloud infrastructure. As shown in the dashboard below, the Permission Creep Index (PCI) represents the level of risk associated with the number of unused or excessive permissions across your identities and resources. The heat map shows the total number of identities contributing to the PCI.

The panes beneath the heat map show the relevant findings about identities and resources. In this example, the dashboard is filtered for Amazon Web Services (AWS). To see data for a different cloud authorization system type, you can select the drop-down arrow and choose Microsoft Azure or Google GCP.

Permission Creep Index (PCI)

The findings in the Identity and Resource panes use terminology specific to the cloud platform you’re analyzing, enabling you to easily communicate any findings to the appropriate team.

On the heat map, you can hover over the bubble to see how many identities are in the high, medium, and low-risk categories. If you click on the bubble, you will see a breakdown of the risk levels for users, applications, and managed identities, as well as the PCI trend over the last several weeks.

Risk levels for users, applications, and managed identities

The right pane shows the highest PCI change for each account. You can select an account to drill into the data further.

The Identity and Resource findings at the bottom of the page highlight the top risks among identities and resources, in this example, Azure. Each finding links to the Permissions Analytics report.

Identity and Resource findings

For example, open the Over Provisioned Active Users finding. The report shows the number of permissions Used, the number of permissions Granted, and the PCI for each user in this account. The greater the disparity between the permissions used and the permissions granted, the higher the PCI.

Permissions Analytics Report

If you select a user, you will see the direct roles, group roles, and permissions assigned to a specific user presented on the User Info tab.

Direct roles, group roles, and permissions assigned to a user

On the Tasks Info tab, you can audit all the tasks the user has performed and determine which permissions they actually need. For example, expanding the Microsoft.APIManagement task shows the specific permissions this employee is using.

Audit all the tasks performed by a user

The Activity tab will show details about the user’s high-risk activities, including the resource name, resource type, task name, and start date for each.

On the Resources tab, you can see the total number of tasks and high-risk tasks this user has performed on each resource. On the Permissions tab, you will see all the permissions assigned to the user, including the subscriptions, roles, and resources granted.

Analytics

Now let's move into the Analytics dashboard of Permissions Management.

On the Analytics view page, you can query and investigate items. Here you need to select the drop-down arrow at the top of the page. The system tracks analytics for users, groups, active resources, and more.

If we drill into the analytics for any user, we can see a single view of the analytics for the user. For example, you can change the view to see the user’s Azure Roles.

Analytics | Users view

You can focus on the data you’re interested in by using the filters at the top of the page. To broaden the view to all data for Azure, you can change the Identity Type filter and choose between Role, App, Service, or Resource.

This will help you to see all the identities associated with apps and services in the Azure environment. Just like user accounts, these identities can have unnecessary permissions granted to them and pose a risk if compromised.

Remediation

The Remediation dashboard in Permissions Management is where you create custom roles to manage permissions creep that grant only the permissions a user needs to do their job.

Remediation dashboard

When creating a role, you can select how you would like to create it. You have the option to create the role for one or more users, groups, or apps, or to base it on an existing role.

In this example, we’ll create the role based on the activity of the user. Select the user in the list and then continue to the next step.

Create a role based on the activity of the user

Next, you need to provide a name for the custom role. You can review the tasks that the user has performed and ensure only the necessary permissions are included for the role.

Once you are satisfied, continue to the next step. And before submitting the role, you can preview the Selected Tasks under Actions.

Actions list

You can also select the JSON tab that shows the exact permissions that will be generated. The Script tab will show the Azure CLI command that will be executed to create the role in Permissions Management. You can also download the JSON and/or the Script commands if you want to review them later or execute the commands manually.

Azure CLI command to create a custom user role
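To make the two ideas above concrete (the used-versus-granted disparity behind the PCI in the Permissions Analytics report, and the JSON and Script tabs of the Remediation wizard), here is an added example in Python. It is not code from the original post and it is not Microsoft's PCI algorithm; it is a simplified version of the same reasoning. Given the action patterns an identity was granted and the actions it actually exercised, it flags grants that were never used, computes an illustrative creep ratio, and emits an Azure custom role definition containing only the used actions together with the `az role definition create` command that would create it. Every identity name, scope, and action in the sample data is constructed, and the subscription id is a placeholder.

```python
"""
Added example (not from the original post and not Microsoft's PCI algorithm):
a simplified used-versus-granted analysis of the kind the Permissions Analytics
report and the Remediation wizard perform. All sample data is constructed.
"""
import json
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample: actions granted to the identity. Azure role definitions
# commonly contain wildcards, so every entry is treated as a pattern.
GRANTED = [
    "Microsoft.ApiManagement/service/read",
    "Microsoft.ApiManagement/service/write",
    "Microsoft.ApiManagement/service/delete",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.Compute/virtualMachines/*",
]

# Constructed sample: distinct actions observed in the identity's activity
# during the lookback window (what the Tasks Info tab would show).
USED = [
    "Microsoft.ApiManagement/service/read",
    "Microsoft.ApiManagement/service/write",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Compute/virtualMachines/start/action",
]


@dataclass
class CreepAssessment:
    granted_count: int          # number of granted action patterns
    used_count: int             # number of distinct actions actually used
    used_actions: list          # used actions covered by a grant, sorted, for the new role
    unused_grants: set          # granted patterns that no used action ever matched
    uncovered_used: set         # used actions not explained by any grant given here
    creep_ratio: float          # share of grants never exercised, 0.0 .. 1.0


def assess(granted, used):
    """Match every used action against the granted patterns (wildcards included)."""
    grants = list(dict.fromkeys(granted))     # dedupe while keeping order
    used_set = set(used)
    exercised = set()
    uncovered = set()
    for action in used_set:
        matches = [g for g in grants if fnmatchcase(action, g)]
        if matches:
            exercised.update(matches)
        else:
            uncovered.add(action)  # granted via another assignment, or a data gap
    unused = set(grants) - exercised
    ratio = len(unused) / len(grants) if grants else 0.0
    return CreepAssessment(
        granted_count=len(grants),
        used_count=len(used_set),
        used_actions=sorted(used_set - uncovered),
        unused_grants=unused,
        uncovered_used=uncovered,
        creep_ratio=ratio,
    )


def build_custom_role(name, scope, actions):
    """Azure custom role definition (the JSON tab equivalent) limited to `actions`.
    A wildcard grant that was only partly used is replaced by the concrete actions."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Least-privilege role generated from observed activity",
        "Actions": sorted(actions),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [scope],
    }


def az_create_command(role_file):
    """The Azure CLI invocation (the Script tab equivalent) for a saved definition file."""
    return f"az role definition create --role-definition @{role_file}"


if __name__ == "__main__":
    result = assess(GRANTED, USED)
    print(f"used {result.used_count} distinct actions against {result.granted_count} grants, "
          f"creep ratio {result.creep_ratio:.2f}")
    for grant in sorted(result.unused_grants):
        print("  never used:", grant)
    # Placeholder subscription id: replace with a real scope before use.
    role = build_custom_role("lp-apim-operator",
                             "/subscriptions/00000000-0000-0000-0000-000000000000",
                             result.used_actions)
    print(json.dumps(role, indent=2))
    print(az_create_command("lp-apim-operator.json"))
```

The wildcard handling is the part worth noticing: `Microsoft.Compute/virtualMachines/*` counts as exercised because one start action matched it, but the generated role keeps only that one concrete action, which is exactly the narrowing the wizard performs when it builds a role from a user's activity.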

Once you are satisfied, you can submit the role.

Now, if a cloud user needs permissions they do not currently have, they can submit a request for approval from the My Requests tab.

Request for approval

On the My Requests page, select New Request.

Next, select the environment you are requesting permissions for, such as AWS, Azure, or GCP.

Next, select the specific account and identity you need permissions for.

Next, you can request a policy, request a task, or use a preconfigured template. In this example, we’ll request a policy.

Create a new request policy

Select the desired policy to assign to your identity, and then continue to the next step.

Next, provide a summary of the request that includes a brief business justification for the approver. You can also specify a schedule for the permissions change.

You can schedule the permissions to be granted ASAP, Once, or on a recurring basis (Daily, Weekly, or Monthly), which is useful for apps or services that only need permissions during certain periods. In this example, we only need the permissions granted Once to make a configuration change.

Schedule the permissions to be granted ASAP

Last, review the information, and then submit the request. A notification will appear indicating that the request was successfully submitted.

On the Requests tab, a manager with the appropriate permissions can review the requests and choose to Approve or Reject them.

Approve a request

Autopilot

The Autopilot dashboard in Permissions Management is where you can set up rules to automatically monitor environments and make permissions changes automatically.

When you create a new rule, you can see some examples of rules you can create for the different cloud environments (AWS, AZURE, or GCP). For example, the following rule automatically removes permissions for unused applications and managed identities in the Azure environment.

Create Autopilot Rule
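The rule just described ("remove permissions for unused applications and managed identities") is easier to reason about when its conditions are spelled out. The following is an added Python example, not the product's own rule engine, that evaluates such a rule over a constructed inventory: it considers only workload identities, skips identities created too recently to have a usage baseline, treats "no activity ever recorded" as unused, and proposes removing the role assignments of whatever is left. The identity names, dates, and role names are all constructed.

```python
"""
Added example (not the product's own rule engine): the logic of an
Autopilot-style rule that proposes removing role assignments from applications
and managed identities with no activity in a given number of days.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                       # "user", "application" or "managedIdentity"
    created: date
    last_activity: Optional[date]   # None = no activity ever recorded
    roles: tuple                    # role assignments currently held


def evaluate_unused_identity_rule(identities, today, inactive_days=90,
                                  kinds=("application", "managedIdentity")):
    """Return one proposed remediation per identity the rule matches."""
    cutoff = today - timedelta(days=inactive_days)
    proposals = []
    for ident in identities:
        if ident.kind not in kinds:
            continue                      # rule is scoped to workload identities
        if ident.created > cutoff:
            continue                      # too new to have a usage baseline
        if not ident.roles:
            continue                      # nothing to remove
        if ident.last_activity is not None and ident.last_activity > cutoff:
            continue                      # active inside the window
        idle_since = ident.last_activity or ident.created
        proposals.append({
            "identity": ident.name,
            "kind": ident.kind,
            "idle_days": (today - idle_since).days,
            "remove_roles": list(ident.roles),
        })
    return proposals


TODAY = date(2024, 1, 31)   # constructed evaluation date

# Constructed inventory, as the product's collectors would have gathered it.
SAMPLE_IDENTITIES = [
    Identity("alice", "user", date(2021, 3, 1), date(2023, 9, 1), ("Contributor",)),
    Identity("app-legacy-etl", "application", date(2022, 1, 1), date(2023, 9, 15), ("Contributor",)),
    Identity("mi-nightly-report", "managedIdentity", date(2022, 1, 1), date(2024, 1, 30), ("Reader",)),
    Identity("mi-batch-old", "managedIdentity", date(2023, 6, 1), None, ("Storage Blob Data Contributor",)),
    Identity("app-just-created", "application", date(2024, 1, 21), None, ("Reader",)),
    Identity("app-no-roles", "application", date(2022, 1, 1), date(2023, 5, 1), ()),
]


if __name__ == "__main__":
    for proposal in evaluate_unused_identity_rule(SAMPLE_IDENTITIES, TODAY):
        print(proposal)
```

The "created too recently" guard is the edge case that matters in practice: a freshly registered application has no activity yet, and an automated rule that strips its roles on day one would break the deployment it was created for.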

Audit

The Audit dashboard will help you capture all high-risk activity in a centralized location and allow system and identity administrators to query user activity performed in their authorization system.

To run a query, you select Search. Then you can edit and create advanced queries for each cloud environment (AWS, AZURE, or GCP), as well as audit the activities performed within Permissions Management as a platform.

To query Permissions Management, you need to select the drop-down arrow and select Platform. Querying the platform enables you to see who approved or rejected requests in the system, made changes, created policies, and more.

Audit and query Permissions Management

Next, let’s look at an example of a system report in Permissions Management.

Reports

Now let's move into the Reports dashboard of Permissions Management.

The reports in the Resource pane enable you to review and audit permissions assigned to resources. For example, select Blob Containers Accessible Externally.

This report shows all blob containers that are accessible externally. This information can help security teams determine whether identity permissions are aligned properly and whether external access should be removed from these resources. Please note that Microsoft Entra Permissions Management is NOT a cloud security posture management (CSPM) solution; for CSPM, you need to use Microsoft Defender for Cloud (MDfC).

Permissions Analytics Report | Blob Containers Accessible Externally

The Permissions Analytics Report shows your Permission Creep Index, PCI score distribution, identities with a high PCI score, and identities that can escalate privileges. The report also shows how many identities can administer security tools and access secret information, and tracks metrics on S3 bucket access, in the case of AWS for example.

Permissions Analytics Report | Permission Creep Index

Next, let’s look at how to configure alerts.

Customizable machine learning-powered anomaly and outlier detection alerts will notify you of any suspicious activity, such as deviations in usage profiles or abnormal access times. Alerts can be used to alert on permissions usage, access to resources, indicators of compromise (IOC), insider threats, or to track previous incidents. You can configure alerts to trigger based on activities in your environment.

Create Alerts

You can also configure alerts to trigger Rule-Based Anomalies. To do so, you select Create Anomaly Trigger and then provide a name for the alert.

Next, select the environment you want to create the alert trigger for (AWS, AZURE, or GCP). In this example, we’ll select Azure. Next, select the rule for the trigger.

We’ll configure the alert to trigger when any resource is accessed for the first time, and then proceed to the Next step.

Create an alert to trigger when any resource is accessed for the first time

Then select the Azure account you want to apply the rule to. Next, move to the configuration step, where you can also specify a time interval for the alert. In this example, we'll configure the alert to trigger on activities that have occurred over the past 90 days, and then Save your changes.

Alert configuration
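To show what a "resource accessed for the first time" trigger with a 90-day interval actually evaluates, here is an added Python example; it is not the product's own detector. It builds the (identity, resource) baseline from the whole activity history, in chronological order even when the collector delivers events out of order, and then reports only those first-time pairs that fall inside the lookback window. The log lines, identity names, resource names, and evaluation time are constructed.

```python
"""
Added example (not the product's own detector): first-time resource access
evaluated over a lookback window, on a constructed activity log.
"""
from datetime import datetime, timedelta

# Constructed activity log, one event per line: timestamp,identity,resource,action
ACTIVITY_LOG = """\
2023-10-01T08:12:00Z,svc-backup,storage/prod-backups,Microsoft.Storage/storageAccounts/read
2024-01-16T03:05:00Z,alice,vm/web-01,Microsoft.Compute/virtualMachines/start/action
2023-12-02T09:00:00Z,svc-backup,storage/prod-backups,Microsoft.Storage/storageAccounts/read
2024-01-15T22:41:00Z,svc-backup,keyvault/prod-secrets,Microsoft.KeyVault/vaults/secrets/read
2023-08-10T10:00:00Z,alice,vm/web-01,Microsoft.Compute/virtualMachines/read
2024-01-28T14:20:00Z,bob,storage/prod-backups,Microsoft.Storage/storageAccounts/listKeys/action
2024-01-20T10:00:00Z,alice,vm/web-01,Microsoft.Compute/virtualMachines/restart/action
"""

NOW = datetime(2024, 1, 31, 0, 0, 0)   # constructed evaluation time (UTC, naive)


def parse_log(text):
    """Parse the CSV-style lines and sort them chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, resource, action = line.split(",", 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "identity": identity,
            "resource": resource,
            "action": action,
        })
    # Collectors deliver events out of order; the baseline must be built in time order,
    # otherwise an old access could be mistaken for a new one.
    events.sort(key=lambda e: e["time"])
    return events


def first_time_access_alerts(events, now, window_days=90):
    """Alert on the first (identity, resource) pair occurrence inside the window.
    Pairs first seen before the window are baseline and never alert."""
    cutoff = now - timedelta(days=window_days)
    seen = set()
    alerts = []
    for event in events:
        key = (event["identity"], event["resource"])
        if key in seen:
            continue
        seen.add(key)
        if event["time"] >= cutoff:
            alerts.append({
                "time": event["time"].isoformat(),
                "identity": event["identity"],
                "resource": event["resource"],
                "first_action": event["action"],
            })
    return alerts


if __name__ == "__main__":
    for alert in first_time_access_alerts(parse_log(ACTIVITY_LOG), NOW):
        print(alert)
```

With a 90-day interval only two pairs fire: the backup service touching a Key Vault it had never read, and a new identity listing keys on the backup storage account. Alice starting a VM she has read since August is not new, which is the whole point of keeping the baseline separate from the alerting window.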

You can review the results of the alert once they are ready, and see all the activities that have been flagged by the alert.

Review the results of the alert

On the Statistical Anomaly tab, you can create and configure alerts to trigger based on statistical anomalies.

Similarly, on the Permission Analytics tab, you can create and trigger alerts based on permission analytics. You have built-in triggers available for each cloud environment (AWS, AZURE, or GCP) that you can use.

Create alert triggers for different cloud environments

There you have it!

Wrapping Up

In this guide, you’ve learned how Microsoft Entra Permissions Management can help you get granular cross-cloud visibility, enforce the principle of least privilege, and continuously monitor permissions with alerts and reports.

As more services are moved to the cloud, users and workloads continue to accumulate permissions over time. Left unused and unmonitored, these permissions become prime targets for attackers or simple misuse.

The unified multi-cloud Permissions Management in Microsoft Entra provides a single, unified platform to manage permissions for all identities – users and workloads – across all major cloud infrastructures (Amazon AWS, Microsoft Azure, and Google GCP).

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect, Swiss Certified ICT Security Expert, Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT). He has over 20 years of broad IT experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems with extensive practical knowledge of complex systems build, network design, business continuity, and cloud security.