[New blog post]: "Protection of privileged users and groups by #AzureAD Restricted Management Administrative Units"

Privileged and sensitive objects can be protected from #AzureAD roles on directory-level by using this great new feature. In this blog post, will describe use cases for privileged access and tiering model but also automation, limitations and comparison to role-assignable groups:
https://www.cloud-architekt.net/restricted-management-administrative-unit/

New blog post: "Abuse and Detection of Microsoft 365 Defender Live Response for privilege escalation on Control Plane (Tier0) assets"

Description of potential attack paths to gain privilege access to #ActiveDirectory and #AzureAD by abusing script execution and how to detect and mitigate them.
https://www.cloud-architekt.net/abuse-detection-live-response-tier0/

Integration of Authentication Context in #AzureAD PIM is a great addition for implementing #ConditionalAccess. It allows to trigger a policy when an eligible #AzureAD, #Azure or Group membership will be requested. I like to share some of my notes from the field...

ℹ️ Auth. Context will not enforce re-authentication. There is no step-up if you are already satisfied conditions/controls by token claim (e.g. previously Passwordless sign-in will not re-prompt for PIN or Biometric). It would be great to combine the feature with SIF Everytime.

💡 I experimented with following step-up: FIDO2/WHfB is already enforced in CA policy (Auth. Strength). Auth. Context is requesting GPS-based Location from Auth. App to verify access from allowed countries. User will be prompted for Number Match + GPS during role activation.

⚠️ Owner and User Access Administrator can change or remove assignment to Authentication Context from PIM role settings:
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings

But also Classic Administrators (e.g., from EA Portal) are able to modify PIM role settings. Keep this in mind!

Microsoft has been published a very interesting article about protecting elevated-privilege accounts internally. It's a summary about implementing a secure high-risk environment (HRE) which is accessible by SAW only and supported by a dedicated team (SAS).
🔗 https://www.microsoft.com/insidetrack/blog/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft/?WT.mc_id=AZ-MVP-5003945

Insights about SAW usage at Microsoft will be shared:
"Each administrator has a single device, a SAW, where they have a hosted virtual machine (VM) to perform their administrative duties and a corporate VM for productivity work like email, Microsoft Office products, and web browsing."

In my opinion, the following (high-level) key aspects are really important to consider for own strategies and implementation to protect privileged identities and access:

🔎 Identify sensitive and high risk assets and privileges
🦸 Consistent implementation of least privilege and JIT access
⛓️ End-to-end supply chain for DevOps and SAW management
🚀 Automation for scaled and standardized deployment for SAWs
⌨️ Provide "secure keyboard" for critical administrative tasks
⛔ Restrict access to SAW devices by enforcing CA Device Filters
🧑‍💻 Consider to include developers in a different security approach

I've started to write a blog post series about my approach to secure privileged access in Azure AD which could help you get started your journey to protect administrators:

🛡️ Securing privileged user access with Azure AD Conditional Access and Identity Governance:
https://www.cloud-architekt.net/securing-privileged-access-conditionalaccess-governance/

🔁 Automated Lifecycle Workflows for Privileged Identities with Azure AD Identity Governance:
https://www.cloud-architekt.net/manage-privileged-identities-with-azuread-identity-governance/

🔗 More resources related to this topic:

• Recording of roundtable discussion about the implementation at Microsoft:https://www.youtube.com/watch?v=f_2tkUnxT2U
• Securing Privileged Access (SPA) documentation: https://aka.ms/SPA
• Moot Security Management (Automation of deploying PAW and SPA Management):https://mootinc.com/

Microsoft Digital Defense Report offers interesting statistics and insights about security posture. The following chart shows missing security controls (such as Admin workstations or privilege isolations).

I can only strongly recommend to read the report:
https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022

Microsoft has been published a very good summary about #AzureAD security trends in 2023 which considered post authentication attacks, such as #TokenTheft: https://microsoft.com/en-us/security/blog/2023/01/26/2023-identity-security-trends-and-solutions-from-microsoft/

If you are interested to learn more about Token replay attacks, check the following blogs:

🔗 Token tactics: How to prevent, detect, and respond to cloud token theft by Microsoft DART team: https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/

This article describes Adversary-in-the-middle (AitM) phishing/Pass-the-cookie attack scenarios and recommendations.

🔗 Abuse and replay of Azure AD refresh token from Microsoft Edge in macOS Keychain:
https://www.cloud-architekt.net/abuse-and-replay-azuread-token-macos/

I've written this blog post about token replay on #macOS devices last year. It covers an attack scenario to exfiltrate tokens from Keychain which is used to store cached Azure AD tokens for “logged in” Edge profiles on macOS devices.

🔗 Azure AD Attack & Defense: Replay of Primary Refresh (PRT) and other issued tokens from an Azure AD joined device:
https://github.com/Cloud-Architekt/AzureAD-Attack-Defense/blob/main/ReplayOfPrimaryRefreshToken.md

A comprehensive overview about attack and defense scenarios primary refresh token (PRT) & other tokens on Windows has been published by Sami Lamppu and and me. The article includes many references and links to other community resources around this topic.

Update on #AzureAD Attack & Defense Playbook 🔐☁️:
@samilamppu and I have added new attack scenarios on #RefreshToken replay from our latest research:

• Decrypted HTTPS traffic from #Azure PowerShell
• Replay RT from Edge browser on compliant device

🔗 Link: https://github.com/Cloud-Architekt/AzureAD-Attack-Defense/blob/main/ReplayOfPrimaryRefreshToken.md#refresh-token-rt

New blog post: "Securing privileged user access with #AzureAD #ConditionalAccess and #IdentityGovernance"

Overview and considerations to enforce security controls for using #PAW, strong authentication and manage access for privileged roles based on tiering levels.

https://www.cloud-architekt.net/securing-privileged-access-conditionalaccess-governance/