Creating and managing delegated access as a Managed Security Service Provider (MSSP) is an essential business requirement. But the overhead of granting, controlling, and auditing access into distributed customer environments reduces available resources from protection and response. As MSSPs grow their customer portfolios, time required to manage access expands.
Using the features of Azure Identity Governance: Entitlement Management, MSSPs are able to provision and establish secure connections into their end customer's Microsoft Defender Advanced Threat Protection (ATP) environments. This approach enables automated access life cycle management, access review compliance, and least privilege security rights assignment. It empowers the customer to delegate new access approval, further streamlining the customer experience while maintaining a high security bar.
Most importantly, the delegated access model scales with the growth of MSSPs.
What is delegated access?
The following will take you through implementing your first solution and provide a baseline approach.Please review the best practices prior to deploying. Implementing as per the steps below results in users of the MSSP analyst tenant being enabled to access and work in a customer Microsoft Defender ATP tenant. Approval for access occurs in two areas:
1: MSSP Analyst Approver access package is provisioned, with approval to join confirmed by Customer Admin (or delegated contact)
2: Analyst access to the customer is managed by members of the “MSSP Analyst Approvers” access package.
The Approach
Implementing a multi tenant delegated access solution takes 3 concepts.
- Enable Role Based Access Control (RBAC) in Microsoft Defender ATP and connect with Active Directory (AD) groups
- Configure Governance Access Packages for access request and provisioning
- Manage access requests and audits in Microsoft M##yaccess
Enabling Role Based Access controls in Microsoft Defender ATP
Tier 1 Analyst
|
 |
To enable RBAC in the customer Microsoft Defender Security Center, access Settings : Permissions : Roles and “Turn on roles”, from a user account with Global Administrator or Security Administrator rights.
Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via “Assigned user groups”.
Two possible MDATP RBAC roles:
Tier 1 Analysts
Perform all actions except for “Live Response” and “Manage Security Settings”
Tier 2 Analysts
Tier 1 capabilities with the addition of “Live Response”
For more information see, Use role-based access control on Microsoft Defender ATP RBAC.
Configure Governance Access Packages
- Add MSSP as Connected Organization in Customer AAD: Identity Governance
Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned.
To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. It is recommended to create a separate AD tenant for your MSSP Analysts (See below)
- Create a resource catalog in Customer AAD: Identity Governance
Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add “New Catalog”. In our example, we will call it “MSSP Accesses”.
Further details on catalogs here
- Create access packages for MSSP resources Customer AAD: Identity Governance
Access packages are the collection of rights and accesses that a requester will be granted upon approval.
To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add “New Access Package”. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
- Requires a member of the AD group “MSSP Analyst Approvers” to authorize new requests
- Has annual access reviews, where the SOC analysts can request an access extension
- Can only be requested by users in the MSSP SOC Tenant
- Access auto expires after 365 days
For more information, see Create a new access package.
|
4. Provide access request link to MSSP resources from Customer AAD: Identity Governance |
 |
Manage Access
- Review and authorize access requests in Customer and/or MSSP myaccess
Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group.
To do so, access the customer’s myaccess using:
https://myaccess.microsoft.com/@<Customer Domain >.
Example: https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/
Then approve or deny requests in the “Approvals” section of the UI.
At this point, analyst access has been provisioned, and each analyst should be able to access the customer’s Microsoft Defender Security Center: https://securitycenter.Microsoft.com/?tid=<CustomerTenantId>
Recommended Best Practices
There are two implementation recommendations that I would like to mention, a dedicated MSSP AD tenant and restriction of guest powers in the customer tenant.
Dedicated MSSP AD tenant
Separating corporate user accounts from MSSP accounts used customer environment access provides additional security from attack pivots. In a situation where a corporate account has been compromised, attackers do not gain immediate access into the customer portfolio.
The MSSP accounts also further limit the personally identifiable information being projected into customer AD tenants. Select a username format that is appropriate for your level of risk acceptance. For example, a username of a-JoshX (where x increments) allows user identification without projecting the entire analyst’s identifier into each customer tenant.
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant
Guest powers
Ensure limiting of capabilities for the Guest account type in customer AD tenant. Doing so will remove the ability for MSSP analysts to invite other guest users and remove access to the customer Azure Administration portal.
Locate and disable the following settings in the customer Administration portal.
Users : User Setting : “Restrict Access to Azure Administration portal”
And
Users : User Setting : External Collaboration Settings : “Guests can Invite”
Guest Lifecycle: Remove automated signin block when last access package expires.
By default, when the last access package is removed from a guest account, the account will have further sign ins blocked. This configuration blocks the analysts from requesting additional access packages as needed. With access packages limited to just the MSSP tenant, modifying this setting presents minimal additional security threats.
To do so, access Identity Governance : Settings, and set "Block external user from signing into this directory to 'No' "
Things to consider prior to implementing
Admin Access Required
To implement this methodology, you must have an account with global administrator rights on the Customer Tenant. To minimize threat surface, consider using a temporary account created just for this activity. Remove the account once complete
Microsoft Defender ATP RBAC enablement caution
Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important.
Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.
Users with admin permissions are automatically assigned the default built-in Microsoft Defender ATP global administrator role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security Administrators to the Microsoft Defender ATP global administrator role.
After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
Further information: RBAC access in Microsoft Defender ATP
Entitlement Management requires AAD P2
Entitlement Management is an Azure Active Directory (AAD P2) functionality. AAD P2 customers using Microsoft 365 E5, Microsoft E5 security, and Enterprise Mobility + Security (EMS) E5 have this included. If customers are not yet able to upgrade the E5 Suites, they need to purchase 1 AAD P2 license per every 5 MSSP soc analyst accounts.
A formula like this may help determine your P2 needs:
(analysts(current) + proj additional (12 month)) +[(analysts(current) + proj additional(12 month))) * .5 ]
5
For example, if your SOC has 20 analysts, and you project an analyst growth rate of 20 analysts every 12 months, then recommending a minimum of 12 P2 Licenses allows for 60 guest accounts in the customer AAD. This accounts for the 40 analysts projected per year + 50% scale capability.
Authentication Flow
The analyst user accounts authenticate against the MSSP Active Directory tenant. The tenant responds with a bearer authentication token that the analyst browser then provides access to the customer’s Microsoft Defender Security Center. The customer validates the token and provides access as defined. This means the analyst credentials remain within the MSSP AD tenant.
Please see below for an authentication breakdown
 |
 |
Microsoft Defender ATP MSSP reference architecture
Please see below for a reference architecture for Microsoft Defender ATP in MSSP environments. Extending additional services such as Teams channels, log analytics, and SharePoint collaboration all securely expand capabilities with customers.
Special Thanks
We want to acknowledge and thank Avi Sagiv, Debashis Choudhury, Efrat Kliger, Josh Michaels, Michael Shalev, Sarra Boubouh, and Richard Diver for their great work and contributions to the Managed Security Service Providers delegated access solution.