Emergency Access account monitoring


Various best practice recommendations seem to suggest that Emergency Access accounts should be configured to guard against becoming locked out of your own tenancy (e.g. as in the case of a botched Conditional Access policy).

 

Moreover, best practice recommendations seem to suggest that these accounts (and perhaps all "high privilege" accounts) should be Monitored with Alerts set up to report on Sign In activities.

 

I have recently been spending some time setting up Alerts in Azure Monitor for this purpose, and the most granular interval available for an alert to be fired is at roughly 5 minute intervals, as I understand it and from what I can see.

 

Given that it may take at least 5 minutes for an alert to be raised following a Sign in, then if we presume this to be an unauthorised sign in, this scenario would seem to leave more than adequate time for the bad actor to simply navigate to the Alert configuration and suppress it. At that point, he has the keys to the kingdom and nobody has been alerted.

 

Questions

1. To what extent do the above observations undermine the apparent purpose of configuring the Alerts? If we know that they can easily be suppressed, what's the point?

2. Following on from the above - is there any way to configure the Azure Portal so that a Global Admin account cannot configure Monitor / Alerts?

3. Are Alerts actually the best available signal of unauthorised access activities, given the relatively slow response time, 5 mins+ ?

 

I think the answers to these questions may be of enough significance for us to begin considering using an "independent" MFA solution for the emergency access accounts. I'd be interested to know what other people are thinking and doing on this.

thanks

 

 

 

Hi
Global admin can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. But there is no way for the global admin to modify anything in the Azure Subscription unless he has RBAC roles (Contributor or Owner or any other role assignment that allows managing alerts).
The frequency of the evaluation cannot be under 5 minutes.
You will probably need to stream it to an ITSM or a supported SIEM tool:
https://docs.microsoft.com/EN-US/azure/active-directory/reports-monitoring/tutorial-azure-monitor-st...

In my opinion, if you generate a random 32-character password with characters or whatever that can make it robust, 5 min is not enough to crack it, then use it and do damage.
By the way, if you want to avoid people having permanent high privileges and be able to review and revoke access, you can consider PIM.
https://docs.microsoft.com/EN-US/azure/active-directory/privileged-identity-management/pim-configure
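The suggestion to stream the sign-in logs to a SIEM bears directly on the original question: a detection that runs outside the tenant's own Azure Monitor alert rules cannot be switched off from the Alerts blade by whoever is holding the break-glass credentials. The following is an added example, not code from this thread or from Microsoft: a small Python consumer that parses the `{"records": [...]}` JSON that Azure AD diagnostic settings write to an Event Hub and flags every SignInLogs record for a set of watched emergency access UPNs, successful or failed. The UPNs, IP addresses and records are constructed sample data, and the field names (`category`, `properties.userPrincipalName`, `properties.status.errorCode`, `properties.conditionalAccessStatus`) are assumed from the SignInLogs export schema, not taken from the page.

```python
import json
from typing import Iterable

# Constructed sample UPNs standing in for the two emergency access accounts.
# Matching on object ID would survive a rename; UPN is used here for readability.
BREAK_GLASS_UPNS = {
    "breakglass1@contoso.example",
    "breakglass2@contoso.example",
}

# Constructed sample of one Event Hub message body as written by an Azure AD
# diagnostic setting: a "records" array mixing SignInLogs and AuditLogs entries.
SAMPLE_EXPORT = json.dumps({
    "records": [
        {"time": "2021-04-20T09:01:12Z", "category": "SignInLogs",
         "operationName": "Sign-in activity",
         "properties": {"userPrincipalName": "alice@contoso.example",
                        "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal",
                        "status": {"errorCode": 0}, "conditionalAccessStatus": "success"}},
        {"time": "2021-04-20T09:03:45Z", "category": "SignInLogs",
         "operationName": "Sign-in activity",
         "properties": {"userPrincipalName": "BreakGlass1@contoso.example",
                        "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal",
                        "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied"}},
        {"time": "2021-04-20T09:04:02Z", "category": "SignInLogs",
         "operationName": "Sign-in activity",
         "properties": {"userPrincipalName": "breakglass2@contoso.example",
                        "ipAddress": "198.51.100.9", "appDisplayName": "Azure Portal",
                        "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"}},
        {"time": "2021-04-20T09:05:00Z", "category": "AuditLogs",
         "operationName": "Update user", "properties": {}},
    ]
})


def parse_export(payload: str) -> list:
    """Return the records array from one exported message body."""
    return json.loads(payload).get("records", [])


def break_glass_signins(records: Iterable[dict], watched_upns=BREAK_GLASS_UPNS) -> list:
    """Flag every SignInLogs record for a watched account.

    Failed attempts are reported as well as successes, because a password
    guess against a break-glass account is itself worth knowing about; the
    error code is carried in the result rather than used as a filter.
    UPN comparison is case-insensitive, matching Azure AD's own behaviour.
    """
    watched = {u.lower() for u in watched_upns}
    hits = []
    for rec in records:
        if rec.get("category") != "SignInLogs":
            continue
        props = rec.get("properties", {})
        upn = (props.get("userPrincipalName") or "").lower()
        if upn not in watched:
            continue
        hits.append({
            "time": rec.get("time"),
            "upn": upn,
            "ip": props.get("ipAddress"),
            "app": props.get("appDisplayName"),
            "errorCode": props.get("status", {}).get("errorCode"),
            "caStatus": props.get("conditionalAccessStatus"),
        })
    return hits


def format_alert(hit: dict) -> str:
    """One-line alert text suitable for forwarding to a SIEM or pager."""
    outcome = "SUCCESS" if hit["errorCode"] == 0 else f"FAILURE({hit['errorCode']})"
    return (f"BREAK-GLASS SIGN-IN {outcome} {hit['time']} user={hit['upn']} "
            f"ip={hit['ip']} app={hit['app']} ca={hit['caStatus']}")


if __name__ == "__main__":
    for hit in break_glass_signins(parse_export(SAMPLE_EXPORT)):
        print(format_alert(hit))
```

Run against the constructed sample, the consumer flags the two break-glass records (one successful sign-in and one failure) and ignores the ordinary user and the audit entry. The value of this placement is the separation of duties it gives: the consumer runs under credentials the tenant's Global Admins do not hold, so suppressing it requires compromising a second system rather than one portal blade.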

Thanks for responding. I am not sure this answers the question, though.
If a GA can manage all aspects of AD, then he can turn off the Alerts. If he can turn off the Alerts, then he has the keys to the kingdom and nobody knows...

No subscription access needs to be configured beforehand. And there is good news for you: maybe now you can go from 5 to 1 min for the frequency. (It's in preview.) https://azure.microsoft.com/en-us/updates/public-preview-stateful-and-1minute-frequency-log-alerts-i...

I think what you are saying is that the Emergency account can be denied access to the Subscription, but I can only reiterate, this doesn't solve the problem.
The Alerts are defined in AAD. The emergency account has to be a GA. If the Emergency account is denied access to the Subscription, you wouldn't be able to use it in an emergency...