Apr 15 2021 03:15 PM
Various best practice recommendations seem to suggest that Emergency Access accounts should be configured to guard against becoming locked out of your own tenancy (e.g. as in the case of a botched Conditional Access policy).
Moreover, best practice recommendations seem to suggest that these accounts (and perhaps all "high privilege" accounts) should be Monitored with Alerts set up to report on Sign In activities.
I have recently been spending some time setting up Alerts in Azure Monitor for this purpose, and the most granular interval available for an alert to be fired is at roughly 5 minute intervals, as I understand it and from what I can see.
Given that it may take at least 5 minutes for an alert to be raised following a Sign in, then if we presume this to be an unauthorised sign in, this scenario would seem to leave more than adequate time for the bad actor to simply navigate to the Alert configuration and suppress it. At that point, he has the keys to the kingdom and nobody has been alerted.
Questions
1. To what extent do the above observations undermine the apparent purpose of configuring the Alerts? If we know that they can easily be suppressed, what's the point?
2. Following on from the above - is there any way to configure the Azure Portal so that a Global Admin account cannot configure Monitor / Alerts?
3. Are Alerts actually the best available signal of unauthorised access activities, given the relatively slow response time, 5 mins+ ?
I think the answers to these questions may be of enough significance for us to begin considering using an "independent" MFA solution for the emergency access accounts. I'd be interested to know what other people are thinking and doing on this.
thanks
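As an added example (not part of the original post), the scenario described above, a break-glass sign-in followed by tampering with the alert configuration, can be surfaced retrospectively with a single Log Analytics query that correlates `SigninLogs` with the subscription activity log. The two account UPNs are constructed placeholders; the operation names are the Microsoft.Insights resource provider operations that create, modify or delete log alert rules, activity log alerts and action groups.

```kql
// Constructed placeholder UPNs for the emergency access accounts; replace with your own.
let BreakGlassAccounts = dynamic(["breakglass1@contoso.example", "breakglass2@contoso.example"]);
// Resource provider operations an attacker would have to touch to silence monitoring:
// writing (including disabling) or deleting alert rules and the action groups they notify.
let AlertTamperOps = dynamic([
    "MICROSOFT.INSIGHTS/SCHEDULEDQUERYRULES/WRITE", "MICROSOFT.INSIGHTS/SCHEDULEDQUERYRULES/DELETE",
    "MICROSOFT.INSIGHTS/ACTIVITYLOGALERTS/WRITE",   "MICROSOFT.INSIGHTS/ACTIVITYLOGALERTS/DELETE",
    "MICROSOFT.INSIGHTS/ACTIONGROUPS/WRITE",        "MICROSOFT.INSIGHTS/ACTIONGROUPS/DELETE"]);
// Every successful sign-in by a break-glass account; in normal operation there should be none.
let BreakGlassSignIns = SigninLogs
    | where TimeGenerated > ago(1d)
    | where UserPrincipalName in~ (BreakGlassAccounts)
    | where ResultType == "0"   // ResultType is a string column; "0" means success
    | project SignInTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName;
// Successful changes to alert rules or action groups recorded in the activity log.
let AlertChanges = AzureActivity
    | where TimeGenerated > ago(1d)
    | where toupper(OperationNameValue) in (AlertTamperOps)
    | where ActivityStatusValue =~ "Success"
    | project ChangeTime = TimeGenerated, Caller, OperationNameValue, ResourceGroup, _ResourceId;
// Correlate: the same identity signs in with a break-glass account and edits monitoring within 30 minutes.
// Caller holds the UPN for user principals, so it joins directly to UserPrincipalName.
BreakGlassSignIns
| join kind=inner (AlertChanges) on $left.UserPrincipalName == $right.Caller
| where ChangeTime between (SignInTime .. SignInTime + 30m)
| project SignInTime, ChangeTime,
          MinutesAfterSignIn = datetime_diff('minute', ChangeTime, SignInTime),
          UserPrincipalName, IPAddress, OperationNameValue, _ResourceId
| order by SignInTime asc
```

Because the query reads the activity log rather than the alert rule itself, it still returns results after the rule has been disabled or deleted, which is the gap the post is worried about; it is a detective control over the monitoring configuration, not a replacement for the sign-in alert.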