How to prevent users from re-using access tokens from "az login"

Carlos Porter 1 Reputation point
2021-07-22T19:59:52.457+00:00

I was wondering,

How would it be possible to secure "az ssh" in an environment where several users have access to a Windows jumpbox where the Azure CLI is installed and configured to use "az ssh", but at the same time all the operators share the admin credentials (they all use the same username and password to access the Windows jumpbox)?

I was thinking of possible solutions such as:

  • by creating a policy to reduce the lifetime of the access tokens on the Azure CLI to 5 or 10 minutes, so users will be forced to re-enter their Azure AD credentials after 5 or 10 minutes if they want to connect to another server using "az ssh"
  • by creating individual user accounts on the Windows server (this one is kind of obvious, but requires too much work/maintenance).
  • by setting up AADLoginForWindows on the Windows jumpbox, so each user must connect first to the Windows server with their own Azure AD account (hence the Azure CLI access token for each user will be secured within the Windows jumpbox).

Also, I noticed that changing the user role assigned to an account on any server is really easy (if the account already has a Contributor role on the subscription), so is there a way to prevent users with Contributor roles from granting themselves root access on the servers by just changing the name of the roles assigned to them?

As an example:

# Delete the role previously assigned to the user account on the virtual machine
az role assignment delete --role "Virtual Machine User Login" --assignee $AZ_USER_ACCOUNT --scope $VM_RESOURCE_ID

# Re-Create the user role on the virtual machine giving root access to the user account
az role assignment create --role "Virtual Machine Administrator Login" --assignee $AZ_USER_ACCOUNT --scope $VM_RESOURCE_ID

Originally asked at https://github.com/MicrosoftDocs/azure-docs/issues/78690
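The second question, whether a Contributor can rewrite its own VM login role, comes down to one Azure RBAC permission: Microsoft.Authorization/roleAssignments/write, which both az role assignment delete and az role assignment create require on the target scope. The built-in Contributor role grants "*" but lists Microsoft.Authorization/*/Write and Microsoft.Authorization/*/Delete under NotActions, so neither command succeeds with Contributor alone; Owner and User Access Administrator do carry that permission, and an assignment at subscription or resource-group scope inherits down to the VM. The script below is an added example, not code from the original question or from any Microsoft tooling: it evaluates that rule over a constructed export shaped like az role assignment list output. The subscription id, principal names and resource ids are made up, and the role definitions are abbreviated copies of the built-in roles with only the actions relevant here.

```python
"""Which principals could re-assign VM login roles on a given scope?

Added example: models Azure RBAC evaluation (Actions minus NotActions, scope
inheritance) for the permission behind `az role assignment create/delete`.
Assignments and ids below are constructed; role definitions are abbreviated.
"""
import re

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"

# Constructed ids (not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_JUMP = SUB + "/resourceGroups/rg-jump"
RG_OTHER = SUB + "/resourceGroups/rg-other"
VM_ID = RG_JUMP + "/providers/Microsoft.Compute/virtualMachines/vm-app01"

# Abbreviated copies of built-in role definitions (only relevant entries kept).
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": [],
    },
    "Virtual Machine User Login": {
        "actions": [
            "Microsoft.Network/networkInterfaces/read",
            "Microsoft.Compute/virtualMachines/*/read",
        ],
        "notActions": [],
    },
}

# Constructed sample mirroring the principalName/roleDefinitionName/scope
# fields of `az role assignment list --all -o json`.
ASSIGNMENTS = [
    {"principalName": "alice", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "bob", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "carol", "roleDefinitionName": "Virtual Machine User Login", "scope": VM_ID},
    {"principalName": "dave", "roleDefinitionName": "User Access Administrator", "scope": RG_JUMP},
    {"principalName": "erin", "roleDefinitionName": "User Access Administrator", "scope": RG_OTHER},
]


def _pattern_to_regex(pattern):
    """Azure action patterns are case-insensitive; '*' spans '/' segments."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def action_permitted(role_def, action):
    """True if the role's Actions match and none of its NotActions exclude it."""
    allowed = any(_pattern_to_regex(p).match(action) for p in role_def["actions"])
    denied = any(_pattern_to_regex(p).match(action) for p in role_def.get("notActions", []))
    return allowed and not denied


def scope_covers(assignment_scope, target_scope):
    """An assignment applies to its own scope and every child scope beneath it."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def principals_with_action(assignments, role_defs, target_scope, action):
    """Sorted principals whose inherited assignments permit `action` on target_scope."""
    return sorted({
        ra["principalName"]
        for ra in assignments
        if scope_covers(ra["scope"], target_scope)
        and action_permitted(role_defs[ra["roleDefinitionName"]], action)
    })


def who_can_reassign_roles(assignments, role_defs, target_scope):
    """Principals able to run `az role assignment create/delete` on target_scope."""
    return principals_with_action(assignments, role_defs, target_scope, ROLE_ASSIGNMENT_WRITE)


if __name__ == "__main__":
    for name in who_can_reassign_roles(ASSIGNMENTS, ROLE_DEFINITIONS, VM_ID):
        print(f"{name} can rewrite role assignments on {VM_ID}")
```

To run this against a real tenant, replace ASSIGNMENTS with the output of az role assignment list --all -o json and ROLE_DEFINITIONS with the actions/notActions from az role definition list; custom roles and deny assignments, which this example does not model, also need to be taken into account.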

Microsoft Entra ID