SOC Security Consultant Access to Tenant Best Practice

Hyper 1 Reputation point
2022-05-23T20:49:44.513+00:00

We have engaged with a 3rd party to assist in security detection and response across physical networks and cloud providers. They are requesting us to create multiple AzureAD accounts in our own tenant for their security team (7 accounts to be created in total). I am very apprehensive about going this route to provide their employees access to our environment / Azure tenant. This screams potential for an IAM crisis.

My question is regarding best practice when utilizing 3rd parties/contracted vendors for this type of work. It is of my opinion that these providers should become a CSP or Microsoft Partner whereby they can then request access to our tenant through this defined relationship through the CSP channels - this seems logical to me.

While I do have a few one-offs of accounts created specifically for vendors, none of them have the access level / role these accounts would have. I'm trying to understand the best practice for providing this type of access and if anyone has thoughts/suggestions.


2 answers

  1. Magnus Oxenwaldt 166 Reputation points
    2022-05-23T21:10:08.147+00:00

    Hi
    It is an interesting topic you raise and oddly not as recurring as one might think. I agree that this is a gigantic security hole and my recommendation is that you actually provide any external consultants the access via dedicated accounts that you control and NOT via the CSP delegated adminships. You should remove both the generic global admin and help admin roles for all your approved partners to avoid not being able to manage who has control and when.

    You should also enforce MFA on all those users. You can find current delegations under partnerships in the portal.

    For further information concerning this potential security issue read below article from msft.

    https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/

    Keep up the good work trying to stay secure!


  2. JamesTran-MSFT 36,376 Reputation points Microsoft Employee
    2022-05-27T21:45:05.867+00:00

    @Hyper
    Thank you for your post and I apologize for the delayed response! Because of the links I provided, and number of characters used, I wasn't able to fit this in the comment section, but I hope my response leads you in the right direction!

    Best practice when utilizing 3rd parties/contracted vendors for this type of work - Assisting in security detection and response across physical networks and cloud providers
    When it comes to best practice with 3rd party vendors, I wasn't able to find any specific documentation on this, but to gain a better understanding of your issue:

    • How's this 3rd party vendor going to be performing the security detection and response across physical networks and cloud providers?
    • What specific permissions do they need?
    • Will they need Admin permissions 24/7, or on a case-by-case basis, etc.?

    Security Best Practices Links:
    Azure security best practices and patterns
    Azure Identity Management and access control security best practices
    Azure Operational Security best practices

    ----------

    These providers should become a CSP or Microsoft Partner whereby they can then request access to our tenant through this defined relationship through the CSP channels:

    • I haven't worked in the Partner Center area, but I've added the partner-center-general tag to this thread so their community can look into this question as well.

    Additional Links:
    What is Partner Center?
    Connect with customers
    Support from Microsoft - Partner Center
    Get help and contact support - Partner Center

    ----------

    While I do have a few one-offs of accounts created specifically for vendors, none of them have the access level / role these accounts would have

    • Can you share more of what you mean by that?

    ----------

    General thoughts/suggestions:
    From my experience, I'd recommend looking into some of the below features to help mitigate your security risks if/when creating these vendor accounts.

    Additional Links:
    Best practices for Azure AD roles - This article describes some of the best practices for using Azure Active Directory role-based access control (Azure AD RBAC).
    Azure RBAC custom roles - If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles.
    Best practices for Azure RBAC - Best practices for using Azure role-based access control (Azure RBAC).
    Sign-in logs in Azure Active Directory - You can use the sign-ins log to monitor vendor activity and see the sign-in pattern of a user, how many users have signed in over a week, etc.
    Manage inactive user accounts in Azure AD - Since user accounts are not always deleted when employees leave an organization, you can detect and handle these obsolete user accounts.
    Analyze Azure AD activity logs with Azure Monitor logs
    Integrate Azure AD logs with Azure Monitor logs

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
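Both answers above come down to the same controls for tenant-owned vendor accounts: enforce MFA on them, watch their activity in the sign-in log, and catch accounts that have gone dormant. The script below is an added example (not code from either answer, from the asker, or from Microsoft) that runs those two checks over an exported sign-in log. It assumes the export is a JSON array of records shaped like the Microsoft Graph `signIn` resource (`userPrincipalName`, `createdDateTime`, `ipAddress`, `authenticationRequirement`, `status.errorCode`), that vendor accounts are identifiable by a list of UPNs (here a hypothetical `vendor-` naming convention), and the sample records are constructed for the example.

```python
"""Review vendor-account sign-ins for single-factor logons and dormancy.

Added example. Input records are assumed to be shaped like Microsoft Graph
`signIn` objects; the sample export below is constructed, not real tenant data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the tenant keeps a list of the vendor accounts it created
# (a group membership lookup would work just as well as a naming convention).
VENDOR_UPNS = {
    "vendor-soc1@contoso.example",
    "vendor-soc2@contoso.example",
    "vendor-soc3@contoso.example",
}

# Constructed sample export: one MFA sign-in, one single-factor sign-in,
# one failed sign-in, one stale sign-in, and one employee record to be ignored.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "vendor-soc1@contoso.example",
     "createdDateTime": "2022-05-20T08:15:00Z", "ipAddress": "203.0.113.10",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "vendor-soc2@contoso.example",
     "createdDateTime": "2022-05-21T22:40:00Z", "ipAddress": "198.51.100.7",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "vendor-soc2@contoso.example",   # failed logon
     "createdDateTime": "2022-05-22T09:05:00Z", "ipAddress": "198.51.100.7",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "vendor-soc3@contoso.example",   # last seen in March
     "createdDateTime": "2022-03-01T10:00:00Z", "ipAddress": "192.0.2.55",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example",          # employee, out of scope
     "createdDateTime": "2022-05-22T11:00:00Z", "ipAddress": "192.0.2.9",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
])


def parse_signins(raw_json):
    """Turn an exported JSON array into flat records with UTC timestamps."""
    records = []
    for item in json.loads(raw_json):
        ts = datetime.strptime(item["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append({
            "upn": item["userPrincipalName"].lower(),
            "time": ts.replace(tzinfo=timezone.utc),
            "ip": item.get("ipAddress"),
            "mfa": item.get("authenticationRequirement") == "multiFactorAuthentication",
            # errorCode 0 is a successful sign-in; anything else failed
            "success": item.get("status", {}).get("errorCode", -1) == 0,
        })
    return records


def review_vendor_signins(records, vendor_upns, now, inactive_days=30):
    """Flag single-factor successes and accounts idle for inactive_days."""
    vendors = {u.lower() for u in vendor_upns}
    last_success = {u: None for u in vendors}   # None: never signed in
    success_count = defaultdict(int)
    no_mfa = []
    for r in records:
        if r["upn"] not in vendors or not r["success"]:
            continue    # only successful vendor logons matter for these checks
        success_count[r["upn"]] += 1
        if last_success[r["upn"]] is None or r["time"] > last_success[r["upn"]]:
            last_success[r["upn"]] = r["time"]
        if not r["mfa"]:
            no_mfa.append((r["upn"], r["time"].isoformat(), r["ip"]))
    cutoff = now - timedelta(days=inactive_days)
    inactive = sorted(u for u, t in last_success.items() if t is None or t < cutoff)
    return {"no_mfa": no_mfa, "inactive": inactive,
            "success_count": dict(success_count)}


def demo_findings():
    """Run the review over the constructed sample as of 2022-05-23."""
    now = datetime(2022, 5, 23, tzinfo=timezone.utc)
    return review_vendor_signins(parse_signins(SAMPLE_EXPORT), VENDOR_UPNS, now)


if __name__ == "__main__":
    findings = demo_findings()
    for upn, when, ip in findings["no_mfa"]:
        print(f"single-factor sign-in: {upn} at {when} from {ip}")
    for upn in findings["inactive"]:
        print(f"no successful sign-in in the last 30 days: {upn}")
```

A single-factor success for a vendor account means the MFA enforcement the first answer calls for is not actually covering that account (or was bypassed by an exclusion), and a vendor account with no successful sign-in in the window is a candidate for disabling under the inactive-accounts guidance linked in the second answer; the same functions work unchanged on a real export once the UPN list points at the tenant's actual vendor accounts.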