This blog outlines security recommendations for Azure Cloud Solution Provider (CSP) environments specific to admin access management, aligning with the least privileged access principle of Zero trust framework.
What is Azure Cloud Solution Provider (CSP)?
Azure Cloud Solution Provider (CSP) offers industry-specific solutions bundled with Microsoft products and provides managed services. CSP program enables partners to provision, manage Azure resources for customers, and provide technical and billing support.
Why is it critical to safeguard Azure CSP admin access?
Considering the threats are targeting technology service providers, which are privileged in their downstream customer tenants, as a method to gain access to their downstream customers (Microsoft blog post), it is important for both Customers and Partners to ensure the right level of access to required resources are granted only for the duration needed. This enables partners to reduce the likelihood and impact of security breaches and protect their customers' data and services in the cloud.
Admin privileges for Azure in the CSP program
The following diagram includes two levels of admin privileges for Azure in CSP.
DAP and AOBO admin privileges highlighted in yellow are granted when a partner establishes a reseller relationship with a customer and creates a CSP subscription.
In the following sections, we will focus specifically on the standing privileged admin access that is granted implicitly, understand the risks associated with these, and give the recommended solutions.
1. Tenant-level admin privileges
This grants partner access to customers' tenants. Based on type and access granted, delegated access allows a partner to perform administrative functions, such as adding and managing users, resetting passwords, and managing user licenses.
Delegated Admin Privileges - DAP
This access is granted when customers accept partner center invite for reseller relationship where 'Include delegated administration privileges for Azure Active Directory and Office 365' is enabled. When a customer grants a delegated administration privilege to a partner:
- The Admin Agent group is assigned to the Global administrator role in the customer's Azure AD tenant.
- The Helpdesk Agent group is assigned to the Helpdesk administrator role in the customer's Azure AD tenant.
As DAP results in the standing assignment of privileged Global administrator role of customer tenant to Admin Agent group of partner, the recommendation is to migrate to Granular Delegated Admin Privileges - GDAP.
What is GDAP - Granular Delegated Admin Privileges?
GDAP is a security feature that allows granting partners with the least privileged access following the Zero Trust principles. It lets partners configure granular and time-bound access to their customers' workloads. The GDAP relationship request specifies:
• The CSP partner tenant
• The roles to delegate
• Duration in days
Refer to the "Recommendation" section for additional information on DAP to GDAP transition.
2. Subscription-level admin privileges
This grants partner access to customers' Azure CSP subscriptions. This access allows a partner to provision and manage their Azure resources.
Admin On Behalf Of - AOBO
Granted when CSP partner provisions a new Azure subscription for the customer. Admin Agents group under the CSP partner tenant is automatically assigned AOBO access granting Owner role under the subscription.
AOBO does not allow flexibility to create distinct groups that work with different customers.
As AOBO results in permanent assignment of privileged Owner role of CSP subscription to members of partner Admin Agents group, this access should be made available to only required users and used with caution. For regular operations which may not require partner users to have the owner role of subscription, granular timebound access must be granted for example using Azure Lighthouse.
What is Azure Lighthouse?
With Azure Lighthouse, Customers maintain control over who has access to their tenant, which resources they can access, and what actions can be taken for what duration.
Using Azure Lighthouse, you can assign distinct groups to different customers to have the appropriate level of access and improve security by limiting privileged access to customers' resources only to required members. To further minimize standing assignments for privileged roles, eligible authorizations can be used to grant additional roles only on a just-in-time basis.
Guidelines to ensure the least privileged access assignment:
- Identify and review if Delegated Admin Privilege (DAP) is in use. This information can be extracted with the help of one of the following approaches.
Through Partner center portal
Through Partner Center API
List the delegated admin customers of a partner - Partner app developer | Microsoft Learn
Get delegated admin relationship statistics - Partner app developer | Microsoft Learn
- Identify and review AOBO access granted to foreign principals. This information can be extracted with help of one of the following approaches.
Azure portal
Sample PowerShell script
https://learn.microsoft.com/en-us/partner-center/partner-earned-credit-troubleshoot#sample-scripts
- Plan to transition to the least privileged approach to manage customer tenants where possible.
DAP to GDAP
Granular delegated admin privileges (GDAP)
Microsoft-led transition from DAP to GDAP - Partner Center | Microsoft Learn
AOBO to Azure Lighthouse
Azure Lighthouse and the Cloud Solution Provider program
- Consider minimizing the number of permanent assignments using just-in-time access using Azure AD Privileged Identity Management wherever possible. For example - In Azure Lighthouse using eligible authorizations or Just in time access for security group memberships of GDAP.
Create eligible authorizations - Azure Lighthouse | Microsoft Learn
- Consider creating alert for privileged Azure role assignments to monitor any unexpected access assignments.
Alert on privileged Azure role assignments | Microsoft Learn
Configure security alerts for Azure roles in Privileged Identity Management | Microsoft Learn
- Recommended to implement SIEM solution such as Microsoft Sentinel that can correlate and monitor logs such as Azure AD admin audit logs and sign-in logs, Azure Activity logs, Office 365 unified audit log etc. to identify potential suspicious activities of tactics like Privilege Escalation, Credential Access, Persistence or Impact.
Additional References:
- Customer security best practices:
Customer security best practices - Partner Center | Microsoft Learn
- Partner security best practices:
Cloud Solution Provider security best practices - Partner Center | Microsoft Learn
Partner security requirements - Partner Center | Microsoft Learn
Partner security requirements FAQ - Partner Center | Microsoft Learn