Introduction The underlying technology behind cross-tenant administration is fascinating. Managed Service Providers often use Azure Lighthouse or foreign principal access to delegate permissions into customer tenants. While these features enable convenient integrations, providers may not realise that they are introducing additional risk both to themselves and to their customers: a delegation is a standing trust relationship, so a compromise of the provider's privileged identities reaches into every tenant those identities have been delegated into. In this article we discuss how to securely delegate, monitor, and harden privileged cross-tenant access. Note: This article applies to all organizations using cross-tenant technology and is not specific to Managed Service Providers.
Introduction It's no secret that information security teams should have detections in place for unusual changes to high-privilege roles. Accidentally assigning the wrong Azure AD role can be catastrophic if the highly privileged user or managed identity later falls victim to compromise. A number of roles should be considered sensitive; these should be heavily monitored and periodically audited. Some examples of these roles include but are not limited to the following:
Introduction Effective audit trails for sensitive groups are essential to maintaining secure Active Directory environments, and in some cases they are required by regulatory compliance frameworks. In cloud and hybrid-joined environments there is twice as much work to do, because privileged membership has to be audited both in on-premises Active Directory and in Azure AD. Automating detections and reporting for security teams is considered best practice and is critical for detecting privilege escalation both on-premises and in the cloud.
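As an added example (this is not code from either of the two articles introduced above), the following Python models the detection those two introductions call for: it runs over constructed records shaped like the Microsoft Sentinel AuditLogs table (Azure AD role membership changes) and SecurityEvent table (on-premises group membership changes, Windows event IDs 4728/4732/4756) and raises an alert for every successful addition to a sensitive role or group. The sensitive-role and sensitive-group sets, the sample records, and the helper names are illustrative assumptions, not the articles' own lists. Azure AD roles are matched on Role.TemplateId rather than on display name on purpose: template IDs are stable, while display names can be renamed or localised.

```python
"""Detect additions to sensitive Azure AD roles and on-premises AD groups.

Added example, not from the original articles. Record shapes mimic the
Microsoft Sentinel AuditLogs and SecurityEvent tables; every sample record
below is constructed. The "sensitive" sets are illustrative choices.
"""
import json

# Azure AD built-in role template IDs (stable across renames and localisation).
SENSITIVE_ROLE_TEMPLATE_IDS = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
}
# AuditLogs OperationName values for permanent, eligible and PIM-activated adds.
ROLE_ADD_OPERATIONS = {
    "Add member to role",
    "Add eligible member to role",
    "Add member to role completed (PIM activation)",
}
# Windows Security: member added to a security-enabled global/local/universal group.
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}
SENSITIVE_ONPREM_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def _modified_property(target, name):
    """Return the decoded newValue of a modifiedProperties entry (stored JSON-encoded)."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == name:
            return json.loads(prop.get("newValue") or "null")
    return None


def check_audit_log(record):
    """Alert on a successful add to a sensitive Azure AD role (AuditLogs shape)."""
    if record.get("OperationName") not in ROLE_ADD_OPERATIONS:
        return None
    if record.get("Result") != "success":
        return None  # failed attempts deserve a separate hunt, not this alert
    initiator = record.get("InitiatedBy", {})
    actor = (initiator.get("user", {}).get("userPrincipalName")
             or initiator.get("app", {}).get("displayName"))
    for target in record.get("TargetResources", []):
        template_id = (_modified_property(target, "Role.TemplateId") or "").lower()
        if template_id in SENSITIVE_ROLE_TEMPLATE_IDS:
            return {"source": "AuditLogs",
                    "privilege": SENSITIVE_ROLE_TEMPLATE_IDS[template_id],
                    "member": target.get("userPrincipalName") or target.get("displayName"),
                    "actor": actor,
                    "operation": record["OperationName"]}
    return None


def check_security_event(record):
    """Alert on a member added to a sensitive on-prem group (SecurityEvent shape)."""
    if record.get("EventID") not in GROUP_ADD_EVENT_IDS:
        return None
    group = record.get("TargetUserName")  # for 4728/4732/4756 this field holds the group name
    if group not in SENSITIVE_ONPREM_GROUPS:
        return None
    return {"source": "SecurityEvent", "privilege": group,
            "member": record.get("MemberName"), "actor": record.get("SubjectUserName"),
            "operation": f"EventID {record['EventID']}"}


def detect(audit_logs, security_events):
    """Run both detections and return the combined alert list."""
    alerts = [a for a in map(check_audit_log, audit_logs) if a]
    alerts += [a for a in map(check_security_event, security_events) if a]
    return alerts


def _role_record(op, result, upn, role_name, template_id):
    """Build a constructed AuditLogs-shaped record (helper for the samples below)."""
    return {"OperationName": op, "Result": result,
            "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
            "TargetResources": [{"userPrincipalName": upn, "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": json.dumps(role_name)},
                {"displayName": "Role.TemplateId", "newValue": json.dumps(template_id)}]}]}


SAMPLE_AUDIT_LOGS = [  # constructed sample records
    _role_record("Add member to role", "success", "svc-backup@contoso.example",
                 "Global Administrator", "62e90394-69f5-4237-9190-012177145e10"),
    _role_record("Add eligible member to role", "success", "jdoe@contoso.example",
                 "Privileged Role Administrator", "E8611AB8-C189-46E8-94E1-60213AB1F814"),
    _role_record("Add member to role", "success", "reader@contoso.example",
                 "Directory Readers", "11111111-2222-3333-4444-555555555555"),  # placeholder ID, not sensitive
    _role_record("Add member to role", "failure", "attacker@contoso.example",
                 "Global Administrator", "62e90394-69f5-4237-9190-012177145e10"),  # failed attempt
]
SAMPLE_SECURITY_EVENTS = [  # constructed sample records
    {"EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=contoso,DC=example", "SubjectUserName": "helpdesk"},
    {"EventID": 4728, "TargetUserName": "Marketing",
     "MemberName": "CN=asmith,CN=Users,DC=contoso,DC=example", "SubjectUserName": "helpdesk"},
    {"EventID": 4729, "TargetUserName": "Domain Admins",  # removal, not an add
     "MemberName": "CN=old,CN=Users,DC=contoso,DC=example", "SubjectUserName": "helpdesk"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOGS, SAMPLE_SECURITY_EVENTS):
        print(alert)
```

Running the script prints three alerts (the Global Administrator and Privileged Role Administrator adds, and the Domain Admins addition) and ignores the benign role, the failed attempt and the group removal. Note that the second sample carries an upper-case template ID and still matches, which is why the check normalises case before the lookup.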
Introduction Note: This article assumes the reader has a 100-level understanding of how to manage resources across tenants with Azure Lighthouse. Azure Lighthouse is extremely useful for delegating permissions and resources across large multi-tenant enterprise cloud environments, or for Managed Service Providers managing their customers' environments. Unfortunately, Azure Lighthouse can also create security risk if those delegations are not monitored. Below we discuss how to detect changes in permissions and authorizations for users, groups, or service principals in cross-tenant scenarios.
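To show what "detecting a change in cross-tenant authorization" looks like in practice, here is an added Python example (not the article's own code) that runs over constructed records shaped like the Microsoft Sentinel AzureActivity table. An Azure Lighthouse delegation is an ARM resource of the Microsoft.ManagedServices provider, so creating, updating or removing one is logged as a write or delete on registrationDefinitions (which principals get which roles) or registrationAssignments (the scope the definition applies to). The sample rows, the subscription and resource IDs, the caller and the helper names are all assumptions made for the example.

```python
"""Detect Azure Lighthouse delegation changes in a tenant's activity log.

Added example, not from the original article. Records mimic the Microsoft
Sentinel AzureActivity table; every sample record below is constructed.
"""
import re

# Create/update/delete of a Lighthouse registration definition or assignment.
DELEGATION_OP = re.compile(
    r"^microsoft\.managedservices/(registrationdefinitions|registrationassignments)/(write|delete)$",
    re.IGNORECASE)
RESOURCE_TYPES = {"registrationdefinitions": "registrationDefinitions",
                  "registrationassignments": "registrationAssignments"}


def check_activity(record):
    """Return an alert dict for a completed delegation change, else None."""
    match = DELEGATION_OP.match(record.get("OperationNameValue", ""))
    if not match:
        return None
    # One operation produces Start/Accept/Success rows; alert once, on completion.
    if record.get("ActivityStatusValue") != "Success":
        return None
    resource_type, verb = match.group(1).lower(), match.group(2).lower()
    return {"subscription": record.get("SubscriptionId"),
            "scope": record.get("_ResourceId") or record.get("ResourceId"),
            "resource_type": RESOURCE_TYPES[resource_type],
            "action": "removed" if verb == "delete" else "created_or_updated",
            "caller": record.get("Caller"),
            "caller_ip": record.get("CallerIpAddress"),
            "correlation": record.get("CorrelationId")}


def detect_delegation_changes(records):
    """Run the check over a batch of rows, de-duplicating on CorrelationId."""
    alerts, seen = [], set()
    for rec in records:
        alert = check_activity(rec)
        if alert and alert["correlation"] not in seen:
            seen.add(alert["correlation"])
            alerts.append(alert)
    return alerts


SUB = "11111111-1111-1111-1111-111111111111"  # constructed subscription ID
DEF_ID = f"/subscriptions/{SUB}/providers/Microsoft.ManagedServices/registrationDefinitions/aaaa"
ASG_ID = f"/subscriptions/{SUB}/providers/Microsoft.ManagedServices/registrationAssignments/bbbb"


def _row(op, status, corr, rid=DEF_ID):
    """Build a constructed AzureActivity-shaped record (helper for the samples)."""
    return {"OperationNameValue": op, "ActivityStatusValue": status, "SubscriptionId": SUB,
            "_ResourceId": rid, "Caller": "admin@customer.example",
            "CallerIpAddress": "203.0.113.10", "CorrelationId": corr}


SAMPLE_ACTIVITY = [  # constructed sample records
    _row("MICROSOFT.MANAGEDSERVICES/REGISTRATIONDEFINITIONS/WRITE", "Start", "c1"),
    _row("MICROSOFT.MANAGEDSERVICES/REGISTRATIONDEFINITIONS/WRITE", "Success", "c1"),
    _row("MICROSOFT.MANAGEDSERVICES/REGISTRATIONASSIGNMENTS/WRITE", "Success", "c2", ASG_ID),
    _row("MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Success", "c3"),  # unrelated change
    _row("MICROSOFT.MANAGEDSERVICES/REGISTRATIONASSIGNMENTS/DELETE", "Success", "c4", ASG_ID),
]

if __name__ == "__main__":
    for alert in detect_delegation_changes(SAMPLE_ACTIVITY):
        print(alert)
```

The five sample rows yield three alerts: the definition write (once, despite its Start and Success rows), the assignment write, and the assignment delete; the VM write is ignored. Removals are alerted on deliberately, since an unexpected deletion of a delegation is as much a change in who can administer a subscription as an unexpected creation.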
Introduction Managing multiple workspaces in Microsoft Sentinel can be stressful, especially when analytic rules have to be deployed by hand across large enterprise environments with multiple tenants. With Microsoft Sentinel Repositories, we can deploy and manage custom content from a central source-control repository across multiple workspaces with ease, which makes the feature especially useful for Managed Security Service Providers who manage many workspaces. This article was originally written in early 2022, when Microsoft Sentinel Repositories was released.