Docs, resources and samples to implement a secure privileged identity and access management in Microsoft Azure and Microsoft Entra.
I've created an approach to automate the classification of role actions based on Microsoft's Enterprise Access Model. Samples of the classification files I've created for the EntraOps implementation can be found here:
- EntraOps - Defined Classification of Entra ID Role Actions in JSON
- EntraOps - Defined Classification of Microsoft Graph API Permissions in JSON
The generated classifications (built from the definition files above) are also available and can be used as a lookup in Microsoft Sentinel analytics rules or to build your own automation and entity enrichment:
Sample KQL queries that use the classification in Microsoft Sentinel can be found here:
- List of (active/permanent) directory role members with enriched classification
- Report of privileged operations (sorted by count) from directory role members with enriched classification of roles
- Added API Permissions with enriched classification from EntraOps Privileged EAM
- Sign-ins to cloud applications with sensitive delegated permissions to the Microsoft Graph API (classified by EntraOps Privileged EAM)
The helper scripts that generate the classification from the definition files are available here:
- Script for Classification of Entra ID Roles
- Script for Classification of Microsoft Graph API Permissions
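As an added example (not code from the EntraOps project), the following Python script shows how a generated classification file can serve as a lookup for enrichment: every role definition is given the highest Enterprise Access Model tier reached by any of its role actions, actions that are missing from the lookup are reported as unclassified, and roles reaching Control Plane are filtered out, which is the kind of result an analytics rule or an automation would consume. The lookup schema (RoleAction, EAMTierLevelName, Service), the tier keys, the sample role definitions and the tier assignments in the sample data are constructed assumptions for illustration; the project's own files and classification decisions may differ.

```python
"""Classify Entra ID roles by the highest Enterprise Access Model (EAM) tier
of their role actions, using a classification lookup file.

Added example: the lookup schema (RoleAction -> EAMTierLevelName/Service), the
sample roles and the tier assignments below are constructed for illustration
and are NOT the EntraOps project's own files or classification decisions.
"""
import json

# EAM tiers ranked from most to least privileged (lower rank = more privileged).
TIER_RANK = {"ControlPlane": 0, "ManagementPlane": 1, "WorkloadPlane": 2, "UserAccess": 3}
UNCLASSIFIED = "Unclassified"

# Constructed classification lookup (assumed schema, not the EntraOps format).
# The tier chosen for each action is an assumption made for this example.
CLASSIFICATION_JSON = json.dumps([
    {"RoleAction": "microsoft.directory/roleAssignments/allProperties/allTasks",
     "EAMTierLevelName": "ControlPlane", "Service": "Privileged Roles"},
    {"RoleAction": "microsoft.directory/applications/credentials/update",
     "EAMTierLevelName": "ControlPlane", "Service": "Application Management"},
    {"RoleAction": "microsoft.directory/users/password/update",
     "EAMTierLevelName": "ManagementPlane", "Service": "User Management"},
    {"RoleAction": "microsoft.directory/groups/members/update",
     "EAMTierLevelName": "ManagementPlane", "Service": "Group Management"},
    {"RoleAction": "microsoft.directory/users/basic/update",
     "EAMTierLevelName": "UserAccess", "Service": "User Management"},
])

# Constructed role definitions, shaped like the allowedResourceActions list of
# a Microsoft Graph unifiedRoleDefinition. Role names and action sets are
# illustrative, not a dump of real built-in roles.
SAMPLE_ROLES = [
    {"displayName": "Sample Role Operator",
     "allowedResourceActions": [
         "microsoft.directory/roleAssignments/allProperties/allTasks",
         "microsoft.directory/users/basic/update"]},
    {"displayName": "Sample Helpdesk",
     "allowedResourceActions": [
         "microsoft.directory/users/password/update",
         "microsoft.directory/users/basic/update",
         "microsoft.directory/users/inviteGuest"]},  # deliberately not in the lookup
    {"displayName": "Sample Reporting Reader",
     "allowedResourceActions": ["microsoft.directory/auditLogs/allProperties/read"]},
]


def load_classification(text):
    """Parse the lookup into a dict keyed by role action (case-insensitive)."""
    return {entry["RoleAction"].lower(): entry for entry in json.loads(text)}


def classify_role(role, lookup):
    """Return the highest EAM tier any action of the role reaches, plus which
    actions were classified and which still lack a classification."""
    classified, unclassified = {}, []
    for action in role["allowedResourceActions"]:
        entry = lookup.get(action.lower())
        if entry is None:
            unclassified.append(action)
        else:
            classified[action] = entry["EAMTierLevelName"]
    tiers = set(classified.values())
    # The most privileged tier of any single action decides the role's tier.
    highest = min(tiers, key=TIER_RANK.__getitem__) if tiers else UNCLASSIFIED
    return {"roleName": role["displayName"], "highestTier": highest,
            "classifiedActions": classified, "unclassifiedActions": unclassified}


def classify_roles(roles, lookup):
    return [classify_role(role, lookup) for role in roles]


def control_plane_roles(results):
    """Roles whose assignment grants Control Plane access, e.g. the set an
    analytics rule would alert on when a new member is added."""
    return sorted(r["roleName"] for r in results if r["highestTier"] == "ControlPlane")


def coverage(results):
    """(classified, unclassified) action counts across all roles, i.e. the
    classification gap that still needs to be reviewed."""
    done = sum(len(r["classifiedActions"]) for r in results)
    todo = sum(len(r["unclassifiedActions"]) for r in results)
    return done, todo


if __name__ == "__main__":
    lookup = load_classification(CLASSIFICATION_JSON)
    results = classify_roles(SAMPLE_ROLES, lookup)
    for r in results:
        print(f'{r["roleName"]}: {r["highestTier"]}, unclassified={r["unclassifiedActions"]}')
    print("Control Plane roles:", control_plane_roles(results))
    print("classified/unclassified actions:", coverage(results))
```

Case-insensitive matching matters because role actions appear with differing casing across Graph responses and hand-edited definition files; the unclassified list is what a contributor would work through to raise the coverage of the lookup.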
Side note: the classification export of app roles (Export-EntraOpsClassificationAppRoles) can also include a list of "Authorized API Calls" by using the parameter IncludeAuthorizedApiCalls. This information is enriched from the GitHub project "graphpermissions.github.io" (created by Merill Fernando). Kudos to Merill!
So far, mostly role actions and permissions on the Control Plane have been classified. There is still a high number of "unclassified" role actions, and some classified roles may need to be reviewed or assessed differently. As already described, the source for all classifications is managed in the "EntraOps_Classification" files, which are the single point of modification for this project. I would be more than happy to see contributions from the community that help to increase the coverage and quality of the classification for the Enterprise Access Model. Feel free to create a PR or an issue, or contact me if you have any further questions or feedback.
- AzEntraIdApiPermissionsAdvertizer (Tool by Julian Hayward) serves as a quick reference for first-party Microsoft Entra ID applications and their respective API permissions (delegated and application permissions). My classification files have been used to enrich the API permissions.
- AzEntraIdRolesAdvertizer (Tool by Julian Hayward) serves as a reference, snapshot and detailed overview of all Entra ID roles and their role action permissions. My classification files have been used to enrich the directory roles and role actions.
- EntraOps Explorer (Tool by Chris Dymond) is a Single Page Application (SPA) hosted on GitHub Pages, developed using Next.js, that provides insights about applications in Microsoft Entra. The EntraOps Graph API permission classification is used to estimate the permission level.
- FalconFound (Tool by Falcon Force) allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool. The tiering classification from this project has been implemented there.
- Generate Cypher for BloodHound (by Martin Sohn) offers a code sample for generating a Cypher query that searches for high-privileged roles based on the EntraOps classification.
- Detect threats using Microsoft Graph activity logs (Blog post by Fabian Bader) describes how to build advanced Microsoft Sentinel detections for these logs. Sample queries show how new sensitive roles can be detected by using the classification files.
On- and offboarding of privileged accounts can be automated with the Entra ID Governance feature "Lifecycle Workflows". Samples for the custom tasks can be found here and are described in the blog post "Automated Lifecycle Workflows for Privileged Identities with Azure AD Identity Governance".
Various articles on Microsoft Learn describe roles and personas for privileged access in Azure. I've created a role definition matrix to compare the descriptions of the personas with the tiering levels of the Enterprise Access Model. Check out the "EAS_EAM_AzureRBAC_TabularSummary.pdf".
Example PowerShell scripts to export a list of privileged assignments in Azure (including Azure Billing/Enterprise Agreement), as well as helper files for the classification, can be found here.