Home

Quick Way to set up Privileged Access Management for Active Directory Groups

jerome317

This is a quick way (should we say interim solution?) for implementing some sort of PAM / PIM / JIT / JEA / IAM / IM solution for an Active Directory environment. Since all those acronyms are favorite topics for Security and Compliance, I figured I'd share the idea and hope it'll be useful to some. For a more robust solution, check out Microsoft Identity Manager or any other Identity Management solution.

 

Please feel free to post your questions/comments/suggestions. Open to feedback! My first attempt to share, so I hope to learn more and share more. Maybe more acronyms?

 

Requirements:

  • SharePoint
  • Microsoft Flow
  • Task Scheduler
  • gMSA/User Account/MSA to run the script and flow
  • Azure AD Group 
  • On-Prem Security Group

 

Here's the overview of the solution:
[Image: Privilege Access Management Flow (overview diagram)]

 

1. Azure Active Directory. Create an Azure AD Security Group - this is where approved users are staged so the on-prem PowerShell script can read them. Note the group's ObjectID; it is needed when building the Microsoft Flow. Keep in mind that whoever can add members to this group (its owners, or any directory role that can write group membership) can get an account elevated on the next sync, so limit ownership to the identity the Flow connection runs as.

1.1 Create an on-prem Security Group - this is the group nested inside the privileged group you want to protect (e.g. Domain Admins or Enterprise Admins). Approved users are added to it on request and removed again at a scheduled time. Because it is nested in Domain Admins, this group, and any account that can write its membership, is a Tier 0 asset and must be protected as one.

 

2. SharePoint Online. Create a SharePoint List with at least the following columns:

  • Request Subject
  • Request Details
  • Group Choice (if you are doing multiple groups).

3. Microsoft Flow. Create a Flow from the SharePoint list. Picture1 for single group, Picture2 for 2 groups or more, just keep adding a tree if you have more. I submitted this as a template, will update once approved.

 

PICTURE1:

[Image: PICTURE1 - Flow for a single group]

 

PICTURE2:

[Image: PICTURE2 - Flow for two or more groups]

 

3.1 Details of the Microsoft Flow:

  • a. When someone submits a form in SharePoint, get the File Metadata (this is used later to update the SharePoint item with the approval status).
  • b. For multiple groups, add a Condition which group was selected
    • b.1 Set the approvers using their email address.
  • c. Logic if approved: 
    • c.1 Inform the requester that their request has been approved, using the Outlook connector.
    • c.2 Get the requester User Information (specifically ObjectID)
    • c.3 Add the user to the Azure AD Group. You will need the Azure AD Group ObjectID here.
    • c.4 Update SharePoint Approval Status to "Approved" (the File Metadata)
  • d. Logic if rejected:
    • d.1 Inform the requester that their request has been rejected, using the Outlook connector.
    • d.2 Update SharePoint Approval Status to "Rejected" (the File Metadata)

3.2 Use those concepts to fit your use case.

 

4. On-Premises Items.

4.1 Set up a workstation with RSAT installed, or use an existing "scripting" workstation. Since this host will hold a credential that can change Domain Admins membership, treat it as a privileged admin workstation.

4.2 Set up a service account to run the script, delegated only the permission it needs: write access to the member attribute of the nested group from step 1.1, not membership in Domain Admins itself. (I'm going to assume you know what you are doing here - you are in IT after all!)
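One way to provision that service account, as an added example that is not part of the post or its attached scripts: a gMSA whose password can only be retrieved by the scripting host, delegated write access on the JIT group's member attribute only, and a scheduled task that runs as it. Domain `corp.example`, gMSA `svc-adpam`, group `JIT-DomainAdmins`, host `ADMIN-WS01` and the script path are assumed names.

```powershell
# Added example (not from the post's AD-PAM-Scripts.zip). All names are placeholders.
# Run as an account allowed to create service accounts and modify the JIT group's ACL.

# 1. A KDS root key must exist once per forest before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately is for labs; in production wait the default 10-hour delay.
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the gMSA; only ADMIN-WS01 may retrieve its managed password.
New-ADServiceAccount -Name 'svc-adpam' `
    -DNSHostName 'svc-adpam.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ADMIN-WS01$'

# 3. Delegate "write property: member" on the JIT group only. The gMSA is never a
#    member of Domain Admins, but note it can still put any account into it via this
#    group, so it remains a Tier 0 credential.
$jitGroupDn = (Get-ADGroup 'JIT-DomainAdmins').DistinguishedName
dsacls $jitGroupDn /G 'CORP\svc-adpam$:WP;member'

# 4. On the scripting host ADMIN-WS01 (needs RSAT): install the gMSA and verify it.
Install-ADServiceAccount -Identity 'svc-adpam'
Test-ADServiceAccount -Identity 'svc-adpam'   # expected: True

# 5. Register the sync as a scheduled task running as the gMSA. -LogonType Password
#    with a gMSA principal means Windows fetches the password; nothing is stored.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -File C:\ADPAM\Sync-JitGroup.ps1'
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
                 -RepetitionInterval (New-TimeSpan -Minutes 15)
$principal = New-ScheduledTaskPrincipal -UserId 'CORP\svc-adpam$' -LogonType Password
Register-ScheduledTask -TaskName 'AD-PAM JIT Sync' -Action $action `
    -Trigger $trigger -Principal $principal
```

The 15-minute repetition is a trade-off between how quickly an approval takes effect and how long a stale approval can sit; pick what matches your change process. Because the task runs with rights to modify Domain Admins, lock down write access to `C:\ADPAM` so that only administrators can change the script it executes.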

4.3 PowerShell Time! Please see attached AD-PAM-Scripts.zip. I've added comments in each area and left clues for things you have to fill out. You will need to run these scripts as a Scheduled Task, schedule them as you see fit. Review the Flow Chart for some ideas. I recommend creating and using a gMSA account - see Getting Started with Group Managed Service Accounts.
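The attached scripts are not reproduced on this page, so here is an added example of what the scheduled script has to do, written for this post and not the author's code: read approved users from the Azure AD group, add the matching on-prem accounts to the JIT group, consume each approval so it cannot be replayed, and later remove members whose window has expired. It extends the post's "remove at a scheduled time" idea with a per-user expiry ledger and with removal of any member the script did not add. The Microsoft Graph PowerShell module, an app registration with `Group.ReadWrite.All` authenticating by certificate, the admin OU, the 4-hour window and all IDs and names are assumptions.

```powershell
# Sync-JitGroup.ps1 - added example, not the post's attached AD-PAM-Scripts.zip.
# Assumptions (all hypothetical): Microsoft.Graph.Groups and ActiveDirectory modules are
# installed; an app registration holding Group.ReadWrite.All authenticates with a
# certificate in the gMSA's certificate store; names and IDs below are placeholders.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Groups

$TenantId       = '00000000-0000-0000-0000-000000000000'      # placeholder
$AppId          = '11111111-1111-1111-1111-111111111111'      # placeholder
$CertThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # placeholder
$AadGroupId     = '22222222-2222-2222-2222-222222222222'      # ObjectID noted in step 1
$JitGroup       = 'JIT-DomainAdmins'                          # on-prem group from step 1.1
$AdminOu        = 'OU=Admin Accounts,DC=corp,DC=example'      # only accounts here may be elevated
$Window         = New-TimeSpan -Hours 4                       # how long an approval is honoured
$StateFile      = 'C:\ADPAM\jit-state.json'                   # ledger: sAMAccountName -> time added

# Event log entries are what the SOC alerts on; register the source once.
if (-not [System.Diagnostics.EventLog]::SourceExists('AD-PAM')) {
    New-EventLog -LogName Application -Source 'AD-PAM'
}
function Write-PamLog([int]$Id, [string]$Type, [string]$Message) {
    Write-EventLog -LogName Application -Source 'AD-PAM' -EventId $Id -EntryType $Type -Message $Message
}

# Load the ledger so the expiry phase knows when each member was added.
$state = @{}
if (Test-Path $StateFile) {
    (Get-Content $StateFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $state[$_.Name] = [datetime]$_.Value }
}

Connect-MgGraph -TenantId $TenantId -ClientId $AppId -CertificateThumbprint $CertThumbprint

# Phase 1: every member of the Azure AD group is an approved request. Map it to an
# on-prem account, elevate it, then remove it from the Azure AD group so the approval
# is consumed exactly once and cannot be replayed on the next run.
foreach ($m in Get-MgGroupMember -GroupId $AadGroupId -All) {
    $upn = $m.AdditionalProperties['userPrincipalName']
    if (-not $upn) { continue }                          # nested groups/devices: ignore
    $user = Get-ADUser -Filter { UserPrincipalName -eq $upn } -SearchBase $AdminOu
    if ($user) {
        Add-ADGroupMember -Identity $JitGroup -Members $user
        $state[$user.SamAccountName] = Get-Date
        Write-PamLog 4000 Information "Added $($user.SamAccountName) to $JitGroup (approved as $upn)"
    }
    else {
        # The Flow only proves an approver clicked, not that the account is a proper
        # admin account. Refuse anything outside the admin OU instead of elevating it.
        Write-PamLog 4001 Warning "Approved principal $upn is not under $AdminOu; ignored"
    }
    Remove-MgGroupMemberByRef -GroupId $AadGroupId -DirectoryObjectId $m.Id
}

# Phase 2: remove members whose window has expired. A member with no ledger entry was
# added outside this process (or the ledger was tampered with); remove it too and log
# it loudly, since that drift is exactly what a JIT scheme exists to prevent.
$now = Get-Date
foreach ($member in Get-ADGroupMember -Identity $JitGroup) {
    $sam = $member.SamAccountName
    if (-not $state.ContainsKey($sam)) {
        Remove-ADGroupMember -Identity $JitGroup -Members $member -Confirm:$false
        Write-PamLog 4003 Error "Unexpected member $sam in $JitGroup removed (not added by AD-PAM)"
    }
    elseif (($now - $state[$sam]) -gt $Window) {
        Remove-ADGroupMember -Identity $JitGroup -Members $member -Confirm:$false
        $state.Remove($sam)
        Write-PamLog 4002 Information "Removed $sam from $JitGroup (window of $Window expired)"
    }
}

# Persist the ledger with round-trippable ISO 8601 timestamps.
$out = @{}
foreach ($k in $state.Keys) { $out[$k] = $state[$k].ToString('o') }
$out | ConvertTo-Json | Set-Content $StateFile
Disconnect-MgGraph
```

Two points worth checking before putting something like this into production. First, the ledger file decides who gets removed, so it must be writable only by the gMSA; if it is world-writable, an attacker who is already in the JIT group can extend their own window. Second, the Azure AD group is the trust boundary between the cloud approval and on-prem Domain Admins: audit its membership changes (Azure AD audit log, "Add member to group") alongside the 4000-series events above, because an addition to that group that has no matching SharePoint approval is an attack, not a request.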

 

I hope this helps improve AD security for some organizations that are unable to implement a robust solution! 

 

Thanks,

jerome