How to prevent users from re-using access tokens from "az login"
I was wondering,
How would be possible to secure "az ssh" on an environment where several users have access to a windows jumbox where the Azure CLI is installed and configured to used "az ssh" but at the same time all the operators share the admin credentials ( they all use the same username and password to access the windows jumpbox ).
I was thinking of possible solutions such as:
- by creating a policy to reduce the lifetime of the access tokens on the Azue CLI to 5 or 10 minutes, so users will be forced to re-enter their Azure AD credentials after 5 or 10 minutes if they wan't to another server using "az ssh"
- by creating induvial user accounts on the windows server ( this one is kind of obvious, but requires too much work/maintenance ).
- by Setting up AADLoginForWindows on the windows jumpbox, so each user must connect first to the windows server with their own Azure AD accounts ( hence access to the Azure CLI access token for each user will be secured within the Windows Jumpbox ).
Also, I noticed that changing the user role assigned to an account on any server is really easy ( if the account has already a Contributor role on the subscription ), so is there a way to prevent users with Contributor roles to grant themselves root access on the servers by just changing the name of the roles assigned to them?
As an example:
# Delete the role previously assigned to the user account on the virtual machine
az role assignment delete --role "Virtual Machine User Login" --assignee $AZ_USER_ACCOUNT --scope $VM_RESOURCE_ID
# Re-Create the user role on the virtual machine giving root access to the user account
az role assignment create --role "Virtual Machine Administrator Login" --assignee $AZ_USER_ACCOUNT --scope $VM_RESOURCE_ID
Originally asked at https://github.com/MicrosoftDocs/azure-docs/issues/78690