This blog outlines security recommendations for managing admin access in Azure Cloud Solution Provider (CSP) environments, aligned with the least-privilege principle of the Zero Trust framework.
What is Azure Cloud Solution Provider (CSP)?
Azure Cloud Solution Provider (CSP) offers industry-specific solutions bundled with Microsoft products and provides managed services. The CSP program enables partners to provision and manage Azure resources for customers and to provide technical and billing support.
Why is it critical to safeguard Azure CSP admin access?
Threat actors target technology service providers, which hold privileged access in their downstream customer tenants, as a way to reach those customers (Microsoft blog post). It is therefore important for both customers and partners to ensure that the right level of access to the required resources is granted only for the duration needed. This reduces the likelihood and impact of a security breach at the partner and protects customers' data and services in the cloud.
Admin privileges for Azure in the CSP program
The following diagram shows the two levels of admin privileges for Azure in CSP.
The DAP and AOBO admin privileges highlighted in yellow are granted when a partner establishes a reseller relationship with a customer and creates a CSP subscription.
In the following sections, we focus on the standing privileged admin access that is granted implicitly, the risks associated with it, and the recommended mitigations.
1. Tenant-level admin privileges
This grants the partner access to the customer's tenant. Depending on the type of access granted, delegated administration allows a partner to perform administrative functions such as adding and managing users, resetting passwords, and managing user licenses.
This access is granted when a customer accepts a Partner Center invitation for a reseller relationship in which 'Include delegated administration privileges for Azure Active Directory and Office 365' is enabled. When a customer grants delegated administration privileges to a partner:
Because DAP results in a standing assignment of the privileged Global Administrator role in the customer tenant to the partner's Admin Agents group, the recommendation is to migrate to Granular Delegated Admin Privileges (GDAP).
GDAP is a security feature that allows partners to be granted least-privileged access in line with Zero Trust principles. It lets partners configure granular, time-bound access to their customers' workloads. The GDAP relationship request specifies:
• The CSP partner tenant
• The roles to delegate
• Duration in days
Refer to the "Recommendation" section for additional information on DAP to GDAP transition.
2. Subscription-level admin privileges
This grants the partner access to the customer's Azure CSP subscriptions, allowing the partner to provision and manage Azure resources in them.
It is granted when the CSP partner provisions a new Azure subscription for the customer: the Admin Agents group in the CSP partner tenant is automatically assigned AOBO (Admin On Behalf Of) access, which grants the Owner role on the subscription.
AOBO offers no flexibility to create distinct groups that work with different customers.
Because AOBO results in a permanent assignment of the privileged Owner role on the CSP subscription to every member of the partner's Admin Agents group, this access should be limited to the users who need it and used with caution. For regular operations that do not require partner users to hold the subscription Owner role, granular, time-bound access must be granted instead, for example through Azure Lighthouse.
With Azure Lighthouse, customers retain control over who has access to their tenant, which resources they can access, which actions they can take, and for how long.
Using Azure Lighthouse, you can assign distinct groups to different customers to have the appropriate level of access and improve security by limiting privileged access to customers' resources only to required members. To further minimize standing assignments for privileged roles, eligible authorizations can be used to grant additional roles only on a just-in-time basis.
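As an added example (not from the original post), the following Bicep shows the Azure Lighthouse pattern described above: a partner group dedicated to one customer holds standing Reader access, while Contributor is an eligible authorization that must be activated just-in-time with MFA. The tenant and group GUIDs, display names and the 8-hour activation limit are placeholders and assumptions; the role definition IDs are the built-in Azure ones.

```bicep
// Added example, not from the original post. Deployed in the CUSTOMER tenant at
// subscription scope, this registration replaces AOBO's standing Owner role for the
// whole Admin Agents group with a customer-specific partner group: standing Reader
// plus just-in-time Contributor. Tenant and group GUIDs are constructed placeholders.
targetScope = 'subscription'
param managedByTenantId string = '11111111-1111-1111-1111-111111111111' // partner tenant (placeholder)
param customerOpsGroupId string = '22222222-2222-2222-2222-222222222222' // partner group for this customer (placeholder)
param approverGroupId string = '33333333-3333-3333-3333-333333333333'    // partner JIT approvers (placeholder)
// Built-in Azure role definition IDs (identical in every tenant)
var readerRole = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
var contributorRole = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
var definitionName = guid(managedByTenantId, customerOpsGroupId, subscription().id)
resource definition 'Microsoft.ManagedServices/registrationDefinitions@2022-10-01' = {
  name: definitionName
  properties: {
    registrationDefinitionName: 'Customer A - managed services (least privilege)'
    description: 'Replaces standing AOBO Owner access for day-to-day operations'
    managedByTenantId: managedByTenantId
    authorizations: [ // standing access: read-only, one group scoped to this customer
      {
        principalId: customerOpsGroupId
        principalIdDisplayName: 'Customer A Ops (partner group)'
        roleDefinitionId: readerRole
      }
    ]
    eligibleAuthorizations: [ // must be activated; MFA required; expires after 8 hours
      {
        principalId: customerOpsGroupId
        principalIdDisplayName: 'Customer A Ops (partner group)'
        roleDefinitionId: contributorRole
        justInTimeAccessPolicy: {
          multiFactorAuthProvider: 'Azure'
          maximumActivationDuration: 'PT8H'
          managedByTenantApprovers: [
            { principalId: approverGroupId, principalIdDisplayName: 'Customer A JIT approvers' }
          ]
        }
      }
    ]
  }
}
// The assignment is what actually activates the delegation on this subscription.
resource assignment 'Microsoft.ManagedServices/registrationAssignments@2022-10-01' = {
  name: guid(definitionName)
  properties: {
    registrationDefinitionId: definition.id
  }
}
```

Because Owner is not delegable through Lighthouse, the AOBO Owner path stays available only for the rare break-glass tasks that truly need it, while routine operations run under the delegated roles above.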
Guidelines to ensure the least privileged access assignment:
• Through the Partner Center portal
• Through the Partner Center API:
   • List the delegated admin customers of a partner - Partner app developer | Microsoft Learn
   • Get delegated admin relationship statistics - Partner app developer | Microsoft Learn
• Azure portal
• Sample PowerShell script: https://learn.microsoft.com/en-us/partner-center/partner-earned-credit-troubleshoot#sample-scripts
• DAP to GDAP:
   • Granular delegated admin privileges (GDAP)
   • Microsoft-led transition from DAP to GDAP - Partner Center | Microsoft Learn
• AOBO to Azure Lighthouse:
   • Azure Lighthouse and the Cloud Solution Provider program
   • Create eligible authorizations - Azure Lighthouse | Microsoft Learn
   • Alert on privileged Azure role assignments | Microsoft Learn
   • Configure security alerts for Azure roles in Privileged Identity Management | Microsoft Learn
Additional References:
• Customer security best practices - Partner Center | Microsoft Learn
• Cloud Solution Provider security best practices - Partner Center | Microsoft Learn
• Partner security requirements - Partner Center | Microsoft Learn
• Partner security requirements FAQ - Partner Center | Microsoft Learn