Privileged Identity Management – Custom Roles

As I have mentioned earlier, I believe and hope that Microsoft will be implementing more and more self service features in Azure.

This is because I believe that automation and self service are key components in a secure infrastructure, simply because manuel processes often are bypassed or not followed correctly. Either because the process is poorly described or implemented or because it´s easier to not.

Automated processes does the job as good as they are programmed to, everytime!

From that perspective Microsofts release of custom roles in Azure AD Privileged Identity Management is a great new feature.

As always, it is not quite there yet, but I hope that they will evolve this feature to meet my expectations.

As you will know if you read earlier posts, Privileged Identity Management is a feature that allows for dynamically adding privileges to varoius types of administrative roles.

But with the new release it is possible to create custom roles in Azure AD, that can be controlled in Privileged Identity Management.

There are 3 steps to this, creating the role in Azure AD, adjusting settings for the custom role in PIM and assigning members.

Creating the role in Azure AD:

Creating a custom role is a fairly simple procedure.

Locate Roles and administrators under Azure Active Directory and choose New custom role at the top.

Name the role.

Add the permissions.

And create the custom role.

As I wrote it is fairly simple. It will after a sync be available in PIM, from my tests, this takes a little time, so be patient.

Adjusting the settings:

First locate Custom roles in PIM under Manage.

Under manage select Settings and select the role you wish to configure

Click Edit in the top and set the settings as desired

Assigning members:

Under manage roles your custom role should now be listed. Select the custom role and click Add member

This will bring up the following where you can select the directory, custom role, members and settings

After setting the settings wanted, I can now see the new custom role under my roles.

Selecting Activate, I will get the normal PIM Activation window.

Conclusion

As mentioned I am a big fan of automation when it comes to security management and this feature is straight up my ally.

Note that it is a preview so test it out, but I wouldn´t recommend building any new business processes on it yet.

As always, if you would like a live demo or have any questions, feel free to reach out to us at Mindcore.

Microsoft Defender ATP

This time we will take a closer look on how easy it is to onboard clients into Microsoft Defender Advanced Threat Protection with System Center Configuration Manager.

First we will go the the Microsoft Defender Security Center https://securitycenter.windows.com/

On this page we select Settings – Onboarding - Windows 10 – System Center Configuration Manager (current branch) version 1606 and later and the Download Package.

Extract the downloaded ZIP-file to get an onboard-file like this.

Now got to the SCCM console – Assets and Compliance – Endpoint Protection – Microsoft Defender ATP Policies and then select Create Microsoft Defender ATP Policy.

Name the policy and select Onboarding.

Select Browse.

Select the extracted onboarding-file.

With the file selected click Next.

Select the settings after your own choice.

Select Next.

Select Close.

Now lets deploy the Policy, by selecting the policy we just created in SCCM and then Deploy.

Select the collection used for your Microsoft Defender ATP devices, in this example a specific collection is used holding devices running Windows 10 and at the same time with active ATP license.

After deployment it will show up at the client as a configuration baseline, and we will speedup onboarding by forcing a Evaluation by selecting Evaluate.

Status will then change to Compliant.

When onboarded you will be able to see the computer in the Machine List in the portal.

We will also be able to see the onboarding status in the SCCM Console, in the Monitoring node.

On the Client we can follow onboarding in the log Applications and Services Logs – Microsoft – Windows - SENSE.

When onboarded the client will have a running service called Windows Defender Advanced Threat Protection Service.

For this test we will simply try to isolate the computer from the portal, just to see if we are connected as expected.

First open the the client by clicking on the client name.

Then we select Isolate machine.

Allow Outlook, Teams and Skype for business communication if needed and enter a comment about why we want to isolate the computer, then select Confirm.

We will then see the Action, you can just close this unless we need to cancel the action.

Soon after the client is unable to reach the Office 365 portal.

Back in the Portal we can allow connection again by selecting Release from isolation.

Again we comment why we now allow connection to the machine and select Confirm.

Again we just close the message from Action Center.

And the client can again access the Office 365 portal.

The level of information and the overview is impressive, and if you have access to the licenses for Microsoft Defender ATP, the is no reason not to get started. Now test yourself.

Azure Bastion

Since we now have Azure Bastion in preview it’s time to take a closer look.

Azure Bastion will allow us to have private RDP and SSH access to our Virtual Machines from a HTML5 Web Browser over SSL.

We can do this without using public IP address on the VM.

Today we often connect to our virtual machines, either by exposing the virtual machines to the public Internet or by deploying a jump-host/server.

For this test we will use the following test setup.

First go to https://aka.ms/BastionHost, select All services and search for Bastion, then we can add Bastions to our favorites.

Select Bastions from our favorites.

Select Create Bastion.

Lets create a new resource group for this test.

Name the resource group.

Name the bastion instance, select Region and then create a new virtual network.

We need to create a subnet for our VM’s and a dedicated subnet with the name AzureBastionSubnet.

I will choose 10.10.100.0/24 for the Azure BastionSubnet and 10.10.10.0/24 for the VM subnet (LabSubnet)

We the select the AzureBastionSubnet as subnet and create a new public IP address, finally we click Review + create.

Select Create.

Deployment will then start, and we will have to wait until deployment is complete.

Deployment is now complete.

In order for this test to work we also need to deploy a virtual machine. Go to Virtual Machines  and Create Virtual machine.

We select our Subscription and the Resource group we already created, then we give the VM a name, select region, image type and size.

We will use our newly created Virtual network and VM subnet, and no public IP.

And the create the virtual machine.

Deployment will then start, and again we will have to wait until deployment is complete.

Deployment is now complete, lets Go to resource.

The VM has no public IP as shown, lets Connect.

It will automatically open the Bastion tab, enter Username, Password and connect.

You will need to allow popup from Azure.

and we are connected to the VM.

For browsers that support the advanced Clipboard API access, you will be able to use copy and paste but only text, the browser might prompt you to allow access.

For other browsers, you can use the Bastion clipboard tool.

Now test in your own environment.