2023-05-25 14:18:12 +02:00
|
|
|
Azure Active Directory offers built-in roles that can be assigned to users, groups, or service principals.
|
|
|
|
|
Some of these roles should be carefully assigned as they grant sensitive permissions like the ability to reset passwords for all users.
|
2022-01-03 15:23:48 +00:00
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
An Azure account that fails to limit the use of such roles has a higher risk of being breached by a compromised owner.
|
|
|
|
|
|
|
|
|
|
This rule raises an issue when one of the following roles is assigned:
|
|
|
|
|
|
|
|
|
|
* Application Administrator
|
|
|
|
|
* Authentication Administrator
|
|
|
|
|
* Cloud Application Administrator
|
|
|
|
|
* Global Administrator
|
|
|
|
|
* Groups Administrator
|
|
|
|
|
* Helpdesk Administrator
|
|
|
|
|
* Password Administrator
|
|
|
|
|
* Privileged Authentication Administrator
|
|
|
|
|
* Privileged Role Administrator
|
|
|
|
|
* User Administrator
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
== Ask Yourself Whether
|
|
|
|
|
|
|
|
|
|
* The user, group, or service principal doesn't use the entirety of this extensive set of permissions to operate on a day-to-day basis.
|
|
|
|
|
* It is possible to follow the Separation of Duties principle and split permissions between multiple users, but it's not enforced.
|
|
|
|
|
|
|
|
|
|
There is a risk if you answered yes to any of these questions.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
|
|
|
|
|
|
* Limit the assignment of Global Administrator roles to less than five people or service principals.
|
|
|
|
|
* Apply the least privilege principle by choosing a role with a limited set of permissions.
|
|
|
|
|
* If no built-in role meets your needs, create a custom role with as few permissions as possible.
|
2022-01-03 15:23:48 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
2022-03-15 11:33:40 +01:00
|
|
|
[source,terraform]
|
2022-01-03 15:23:48 +00:00
|
|
|
----
|
|
|
|
|
resource "azuread_directory_role" "example" {
|
|
|
|
|
display_name = "Privileged Role Administrator" # Sensitive
|
|
|
|
|
}
|
2022-03-15 11:33:40 +01:00
|
|
|
|
2022-01-03 15:23:48 +00:00
|
|
|
resource "azuread_directory_role_member" "example" {
|
|
|
|
|
role_object_id = azuread_directory_role.example.object_id
|
|
|
|
|
member_object_id = data.azuread_user.example.object_id
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,terraform]
|
2022-01-03 15:23:48 +00:00
|
|
|
----
|
|
|
|
|
resource "azuread_directory_role" "example" {
|
|
|
|
|
display_name = "Usage Summary Reports Reader"
|
|
|
|
|
}
|
2022-03-15 11:33:40 +01:00
|
|
|
|
2022-01-03 15:23:48 +00:00
|
|
|
resource "azuread_directory_role_member" "example" {
|
|
|
|
|
role_object_id = azuread_directory_role.example.object_id
|
|
|
|
|
member_object_id = data.azuread_user.example.object_id
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
== See
|
|
|
|
|
|
2024-01-15 17:15:56 +01:00
|
|
|
* CWE - https://cwe.mitre.org/data/definitions/79[CWE-266 - Incorrect Privilege Assignment]
|
2023-05-25 14:18:12 +02:00
|
|
|
* https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference[Azure AD Documentation] - Azure AD built-in roles
|
|
|
|
|
* https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices[Azure AD Documentation] - Best practices for Azure AD roles
|
|
|
|
|
|
2022-01-03 15:23:48 +00:00
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
=== Message
|
|
|
|
|
|
|
|
|
|
* Primary location
|
|
|
|
|
** Make sure that assigning the {role_name} role is safe here.
|
|
|
|
|
* Secondary location
|
|
|
|
|
** Role assigned here.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
=== Highlighting
|
2022-01-03 15:23:48 +00:00
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
* Primary location
|
|
|
|
|
** ``++azuread_directory_role.display_name++`` or ``++azuread_directory_role.template_id++`` assignment
|
|
|
|
|
* Secondary locations
|
|
|
|
|
** ``++azuread_directory_role_member.role_object_id++`` assignment
|
2022-01-25 18:36:46 +01:00
|
|
|
|
|
|
|
|
|
2022-01-03 15:23:48 +00:00
|
|
|
endif::env-github,rspecator-view[]
|
