Forum Discussion
RobertEllis
Apr 15, 2021 Copper Contributor
Emergency Access account monitoring
Various best practice recommendations seem to suggest that Emergency Access accounts should be configured to guard against becoming locked out of your own tenancy (e.g. as in the case of a botched Co...
ibnmbodji
Apr 21, 2021 Iron Contributor
Hi
Global admin can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. But there is no way for the global admin to modify anything in the Azure Subscription unless he has RBAC roles (Contributor, Owner or any other role assignment that can allow managing alerts).
The frequency of the evaluation cannot be under 5 minutes.
You will probably need to stream it to an ITSM or a supported SIEM tool.
https://docs.microsoft.com/EN-US/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub
In my opinion, if you generate a random 32-character password with characters or whatever that can make it robust, 5 min is not enough to crack it, then use it and do damage.
By the way, if you want to avoid people having permanent high privileges and be able to review and revoke access, you can consider PIM.
https://docs.microsoft.com/EN-US/azure/active-directory/privileged-identity-management/pim-configure
RobertEllis
Apr 27, 2021 Copper Contributor
Thanks for responding. I am not sure this answers the question, though.
If a GA can manage all aspects of AD, then he can turn off the Alerts. If he can turn off the Alerts, then he has the keys to the kingdom and nobody knows...
- ibnmbodji
Apr 28, 2021 Iron Contributor
No subscription access needs to be configured beforehand. And there is good news for you: maybe now you can go from 5 to 1 min for the frequency (it's in preview). https://azure.microsoft.com/en-us/updates/public-preview-stateful-and-1minute-frequency-log-alerts-in-azure-monitor/
- RobertEllis
May 01, 2021 Copper Contributor
I think what you are saying is that the Emergency account can be denied access to the Subscription, but I can only reiterate, this doesn't solve the problem.
The Alerts are defined in AAD. The emergency account has to be a GA. If the Emergency account is denied access to the Subscription, you wouldn't be able to use it in an emergency......