Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘RBAC’ Category

(2019-07-07) Azure AD Delegation Through Roles And Administrative Units – The Good, The Bad And The Ugly (Part 2)

Posted by Jorge on 2019-07-07


When I started this quest, my initial thoughts on all this were to delegate the “Reset of the MFA Profile” to other service desks for a scoped list of users in AAD when something happened to the users’ mobile device/phone. That could be: lost, broken or stolen device/phone. With that in mind I tried the following roles “Privileged Authentication Administrator” and “Authentication Administrator”. Before continuing I first read a few things to understand what had changed since the last time I looked at it. I can tell you that was quite some time ago!

In summary I saw the following:

  • Still in preview!
  • Managing Administrative Units and everything around that through PowerShell
  • Requires AzureADPreview Module!
  • Resources can only be users!

My investigation started by first creating some users in AAD that used native AAD authentication, no federation or anything special like that, to keep it as simple as possible. My idea was to create 5 regular users per AU and, for each AU, also 1 admin for each of 4 different AAD roles. I used the following PowerShell CMDlets:

# Create Users In AAD

$tenantDomain = "<AAD Tenant Domain>" # Replace this with your own value
$mobile = "<Mobile Phone Number>" # Replace this with your own value

# Password profile for the AM users (plain quotes, otherwise PowerShell will not parse the string)
$pwdProfileAM = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pwdProfileAM.Password = '<Some Text String As Password>' # Replace this with your own value

New-AzureADUser -DisplayName "John Doe (AM 1)" -GivenName "John" -Surname "Doe (AM 1)" -PasswordProfile $pwdProfileAM -UserPrincipalName "john.doe.am1@$tenantDomain" -AccountEnabled $true -City "New York" -Country "United States Of America" -Department "Finance" -JobTitle "Accountant" -Mobile $mobile -MailNickName "john.doe.am1" -UsageLocation "US"
New-AzureADUser -DisplayName "John Doe (AM 2)" -GivenName "John" -Surname "Doe (AM 2)" -PasswordProfile $pwdProfileAM -UserPrincipalName "john.doe.am2@$tenantDomain" -AccountEnabled $true -City "New York" -Country "United States Of America" -Department "Finance" -JobTitle "Accountant" -Mobile $mobile -MailNickName "john.doe.am2" -UsageLocation "US"
New-AzureADUser -DisplayName "John Doe (AM 3)" -GivenName "John" -Surname "Doe (AM 3)" -PasswordProfile $pwdProfileAM -UserPrincipalName "john.doe.am3@$tenantDomain" -AccountEnabled $true -City "New York" -Country "United States Of America" -Department "Finance" -JobTitle "Accountant" -Mobile $mobile -MailNickName "john.doe.am3" -UsageLocation "US"
New-AzureADUser -DisplayName "John Doe (AM 4)" -GivenName "John" -Surname "Doe (AM 4)" -PasswordProfile $pwdProfileAM -UserPrincipalName "john.doe.am4@$tenantDomain" -AccountEnabled $true -City "New York" -Country "United States Of America" -Department "Finance" -JobTitle "Accountant" -Mobile $mobile -MailNickName "john.doe.am4" -UsageLocation "US"
New-AzureADUser -DisplayName "John Doe (AM 5)" -GivenName "John" -Surname "Doe (AM 5)" -PasswordProfile $pwdProfileAM -UserPrincipalName "john.doe.am5@$tenantDomain" -AccountEnabled $true -City "New York" -Country "United States Of America" -Department "Finance" -JobTitle "Accountant" -Mobile $mobile -MailNickName "john.doe.am5" -UsageLocation "US"

# One admin account per AAD role for the AM region
New-AzureADUser -DisplayName "Admin Priv AuthN (AM Admin)" -GivenName "Admin" -Surname "Priv AuthN (AM Admin)" -PasswordProfile $pwdProfileAM -UserPrincipalName "admin.priv.authn.am@$tenantDomain" -AccountEnabled $true -City "New York" -Country "United States Of America" -Department "Operations" -JobTitle "DevOpsAdmin – PrivAuthN" -Mobile $mobile -MailNickName "admin.priv.authn.am" -UsageLocation "US"
New-AzureADUser -DisplayName "Admin AuthN (AM Admin)" -GivenName "Admin" -Surname "AuthN (AM Admin)" -PasswordProfile $pwdProfileAM -UserPrincipalName "admin.authn.am@$tenantDomain" -AccountEnabled $true -City "New York" -Country "United States Of America" -Department "Operations" -JobTitle "DevOpsAdmin – AuthN" -Mobile $mobile -MailNickName "admin.authn.am" -UsageLocation "US"
New-AzureADUser -DisplayName "Admin Helpdesk (AM Admin)" -GivenName "Admin" -Surname "Helpdesk (AM Admin)" -PasswordProfile $pwdProfileAM -UserPrincipalName "admin.helpdesk.am@$tenantDomain" -AccountEnabled $true -City "New York" -Country "United States Of America" -Department "Operations" -JobTitle "DevOpsAdmin – Helpdesk" -Mobile $mobile -MailNickName "admin.helpdesk.am" -UsageLocation "US"
New-AzureADUser -DisplayName "Admin User Account (AM Admin)" -GivenName "Admin" -Surname "User Account (AM Admin)" -PasswordProfile $pwdProfileAM -UserPrincipalName "admin.user.account.am@$tenantDomain" -AccountEnabled $true -City "New York" -Country "United States Of America" -Department "Operations" -JobTitle "DevOpsAdmin – UserAccount" -Mobile $mobile -MailNickName "admin.user.account.am" -UsageLocation "US"

# Password profile for the EU users
$pwdProfileEU = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pwdProfileEU.Password = '<Some Text String As Password>' # Replace this with your own value

New-AzureADUser -DisplayName "Jan Janssen (EU 1)" -GivenName "Jan" -Surname "Janssen (EU 1)" -PasswordProfile $pwdProfileEU -UserPrincipalName "jan.janssen.eu1@$tenantDomain" -AccountEnabled $true -City "Amsterdam" -Country "The Netherlands" -Department "ICT" -JobTitle "Engineer" -Mobile $mobile -MailNickName "jan.janssen.eu1" -UsageLocation "NL"
New-AzureADUser -DisplayName "Jan Janssen (EU 2)" -GivenName "Jan" -Surname "Janssen (EU 2)" -PasswordProfile $pwdProfileEU -UserPrincipalName "jan.janssen.eu2@$tenantDomain" -AccountEnabled $true -City "Amsterdam" -Country "The Netherlands" -Department "ICT" -JobTitle "Engineer" -Mobile $mobile -MailNickName "jan.janssen.eu2" -UsageLocation "NL"
New-AzureADUser -DisplayName "Jan Janssen (EU 3)" -GivenName "Jan" -Surname "Janssen (EU 3)" -PasswordProfile $pwdProfileEU -UserPrincipalName "jan.janssen.eu3@$tenantDomain" -AccountEnabled $true -City "Amsterdam" -Country "The Netherlands" -Department "ICT" -JobTitle "Engineer" -Mobile $mobile -MailNickName "jan.janssen.eu3" -UsageLocation "NL"
New-AzureADUser -DisplayName "Jan Janssen (EU 4)" -GivenName "Jan" -Surname "Janssen (EU 4)" -PasswordProfile $pwdProfileEU -UserPrincipalName "jan.janssen.eu4@$tenantDomain" -AccountEnabled $true -City "Amsterdam" -Country "The Netherlands" -Department "ICT" -JobTitle "Engineer" -Mobile $mobile -MailNickName "jan.janssen.eu4" -UsageLocation "NL"
New-AzureADUser -DisplayName "Jan Janssen (EU 5)" -GivenName "Jan" -Surname "Janssen (EU 5)" -PasswordProfile $pwdProfileEU -UserPrincipalName "jan.janssen.eu5@$tenantDomain" -AccountEnabled $true -City "Amsterdam" -Country "The Netherlands" -Department "ICT" -JobTitle "Engineer" -Mobile $mobile -MailNickName "jan.janssen.eu5" -UsageLocation "NL"

# One admin account per AAD role for the EU region
New-AzureADUser -DisplayName "Admin Priv AuthN (EU Admin)" -GivenName "Admin" -Surname "Priv AuthN (EU Admin)" -PasswordProfile $pwdProfileEU -UserPrincipalName "admin.priv.authn.eu@$tenantDomain" -AccountEnabled $true -City "Amsterdam" -Country "The Netherlands" -Department "Operations" -JobTitle "DevOpsAdmin – PrivAuthN" -Mobile $mobile -MailNickName "admin.priv.authn.eu" -UsageLocation "NL"
New-AzureADUser -DisplayName "Admin AuthN (EU Admin)" -GivenName "Admin" -Surname "AuthN (EU Admin)" -PasswordProfile $pwdProfileEU -UserPrincipalName "admin.authn.eu@$tenantDomain" -AccountEnabled $true -City "Amsterdam" -Country "The Netherlands" -Department "Operations" -JobTitle "DevOpsAdmin – AuthN" -Mobile $mobile -MailNickName "admin.authn.eu" -UsageLocation "NL"
New-AzureADUser -DisplayName "Admin Helpdesk (EU Admin)" -GivenName "Admin" -Surname "Helpdesk (EU Admin)" -PasswordProfile $pwdProfileEU -UserPrincipalName "admin.helpdesk.eu@$tenantDomain" -AccountEnabled $true -City "Amsterdam" -Country "The Netherlands" -Department "Operations" -JobTitle "DevOpsAdmin – Helpdesk" -Mobile $mobile -MailNickName "admin.helpdesk.eu" -UsageLocation "NL"
New-AzureADUser -DisplayName "Admin User Account (EU Admin)" -GivenName "Admin" -Surname "User Account (EU Admin)" -PasswordProfile $pwdProfileEU -UserPrincipalName "admin.user.account.eu@$tenantDomain" -AccountEnabled $true -City "Amsterdam" -Country "The Netherlands" -Department "Operations" -JobTitle "DevOpsAdmin – UserAccount" -Mobile $mobile -MailNickName "admin.user.account.eu" -UsageLocation "NL"

After this I had to create some administrative units in AAD. Two AUs were more than enough.

# Create Administrative Units In AAD
New-AzureADAdministrativeUnit -Description "AM Region – City Of New York" -DisplayName "AM Region – NYC"
New-AzureADAdministrativeUnit -Description "EU Region – City Of Amsterdam" -DisplayName "EU Region – AMS"

Before being able to continue and configure things I needed to retrieve the objects that were created in AAD.

# Get All AUs, Then The Individual AUs
$aUs = Get-AzureADAdministrativeUnit
$auAMNYC = $aUs | ?{$_.DisplayName -eq "AM Region – NYC"}
$auEUAMS = $aUs | ?{$_.DisplayName -eq "EU Region – AMS"}

# Get List Of Candidate Users Using SOME Filter (OData filter, so plain single quotes around the value)
$usersAMNYC = Get-AzureADUser -Filter "(City eq 'New York')"
$usersEUAMS = Get-AzureADUser -Filter "(City eq 'Amsterdam')"

Now I needed to add the previously created users to the previously created AUs.

# Add Users To AUs
$usersAMNYC | %{
    $userObjectID = $null
    $userObjectID = $_.ObjectId
    Add-AzureADAdministrativeUnitMember -ObjectId $auAMNYC.ObjectId -RefObjectId $userObjectID
}

$usersEUAMS | %{
    $userObjectID = $null
    $userObjectID = $_.ObjectId
    Add-AzureADAdministrativeUnitMember -ObjectId $auEUAMS.ObjectId -RefObjectId $userObjectID
}

Now I needed to assign the roles to specific admins for specific AUs.

# Retrieve Admin Accounts For AM – New York (OData filter, so plain single quotes around the values)
$adminPrivAuthNAMNYC = Get-AzureADUser -Filter "(City eq 'New York') and (Department eq 'Operations') and (JobTitle eq 'DevOpsAdmin – PrivAuthN')"
$adminAuthNAMNYC = Get-AzureADUser -Filter "(City eq 'New York') and (Department eq 'Operations') and (JobTitle eq 'DevOpsAdmin – AuthN')"
$adminHelpdeskAMNYC = Get-AzureADUser -Filter "(City eq 'New York') and (Department eq 'Operations') and (JobTitle eq 'DevOpsAdmin – Helpdesk')"
$adminUserAccountAMNYC = Get-AzureADUser -Filter "(City eq 'New York') and (Department eq 'Operations') and (JobTitle eq 'DevOpsAdmin – UserAccount')"

# Retrieve Admin Accounts For EU – Amsterdam
$adminPrivAuthNEUAMS = Get-AzureADUser -Filter "(City eq 'Amsterdam') and (Department eq 'Operations') and (JobTitle eq 'DevOpsAdmin – PrivAuthN')"
$adminAuthNEUAMS = Get-AzureADUser -Filter "(City eq 'Amsterdam') and (Department eq 'Operations') and (JobTitle eq 'DevOpsAdmin – AuthN')"
$adminHelpdeskEUAMS = Get-AzureADUser -Filter "(City eq 'Amsterdam') and (Department eq 'Operations') and (JobTitle eq 'DevOpsAdmin – Helpdesk')"
$adminUserAccountEUAMS = Get-AzureADUser -Filter "(City eq 'Amsterdam') and (Department eq 'Operations') and (JobTitle eq 'DevOpsAdmin – UserAccount')"

# Prepare The Role Definitions And Enable As Needed
# NOTE: Enable-AzureADDirectoryRole returns the enabled DirectoryRole object, so capture it.
# Otherwise the $...Role variable stays $null when the role was not yet enabled and the
# ObjectId used for the scoped role membership below would be empty.

# ROLE: Privileged Authentication Administrator
$privAuthAdminRoleDisplayName = "Privileged Authentication Administrator"
$privAuthAdminRole = Get-AzureADDirectoryRole | ?{$_.DisplayName -eq $privAuthAdminRoleDisplayName} # Allowed to view, set and reset authentication method information for any user (admin or non-admin).
If (!$privAuthAdminRole) {
    $privAuthAdminRoleTemplate = $null
    $privAuthAdminRoleTemplate = Get-AzureADDirectoryRoleTemplate | ?{$_.DisplayName -eq $privAuthAdminRoleDisplayName}
    $privAuthAdminRole = Enable-AzureADDirectoryRole -RoleTemplateId $privAuthAdminRoleTemplate.ObjectId
}
$privAuthAdminRoleObjectID = $privAuthAdminRole.ObjectId

# ROLE: Authentication Administrator
$authAdminRoleDisplayName = "Authentication Administrator"
$authAdminRole = Get-AzureADDirectoryRole | ?{$_.DisplayName -eq $authAdminRoleDisplayName} # Allowed to view, set and reset authentication method information for any non-admin user.
If (!$authAdminRole) {
    $authAdminRoleTemplate = $null
    $authAdminRoleTemplate = Get-AzureADDirectoryRoleTemplate | ?{$_.DisplayName -eq $authAdminRoleDisplayName}
    $authAdminRole = Enable-AzureADDirectoryRole -RoleTemplateId $authAdminRoleTemplate.ObjectId
}
$authAdminRoleObjectID = $authAdminRole.ObjectId

# ROLE: Helpdesk Administrator
$helpdeskAdminRoleDisplayName = "Helpdesk Administrator"
$helpdeskAdminRole = Get-AzureADDirectoryRole | ?{$_.DisplayName -eq $helpdeskAdminRoleDisplayName} # Can reset passwords for non-administrators and Helpdesk Administrators
If (!$helpdeskAdminRole) {
    $helpdeskAdminRoleTemplate = $null
    $helpdeskAdminRoleTemplate = Get-AzureADDirectoryRoleTemplate | ?{$_.DisplayName -eq $helpdeskAdminRoleDisplayName}
    $helpdeskAdminRole = Enable-AzureADDirectoryRole -RoleTemplateId $helpdeskAdminRoleTemplate.ObjectId
}
$helpdeskAdminRoleObjectID = $helpdeskAdminRole.ObjectId

# ROLE: User Account Administrator
$userAccountAdminRoleDisplayName = "User Account Administrator"
$userAccountAdminRole = Get-AzureADDirectoryRole | ?{$_.DisplayName -eq $userAccountAdminRoleDisplayName} # Can manage all aspects of users and groups, including resetting passwords for limited admins
If (!$userAccountAdminRole) {
    $userAccountAdminRoleTemplate = $null
    $userAccountAdminRoleTemplate = Get-AzureADDirectoryRoleTemplate | ?{$_.DisplayName -eq $userAccountAdminRoleDisplayName}
    $userAccountAdminRole = Enable-AzureADDirectoryRole -RoleTemplateId $userAccountAdminRoleTemplate.ObjectId
}
$userAccountAdminRoleObjectID = $userAccountAdminRole.ObjectId

# Role Delegation For AM – New York
$adminPrivAuthNAMNYC | %{
    $userObjectID = $null
    $userObjectID = $_.ObjectId
    $userMemberInfo = $null
    $userMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ObjectId = $userObjectID}
    Add-AzureADScopedRoleMembership -ObjectId $auAMNYC.ObjectId -RoleObjectId $privAuthAdminRoleObjectID -RoleMemberInfo $userMemberInfo
}

$adminAuthNAMNYC | %{
    $userObjectID = $null
    $userObjectID = $_.ObjectId
    $userMemberInfo = $null
    $userMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ObjectId = $userObjectID}
    Add-AzureADScopedRoleMembership -ObjectId $auAMNYC.ObjectId -RoleObjectId $authAdminRoleObjectID -RoleMemberInfo $userMemberInfo
}

$adminHelpdeskAMNYC | %{
    $userObjectID = $null
    $userObjectID = $_.ObjectId
    $userMemberInfo = $null
    $userMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ObjectId = $userObjectID}
    Add-AzureADScopedRoleMembership -ObjectId $auAMNYC.ObjectId -RoleObjectId $helpdeskAdminRoleObjectID -RoleMemberInfo $userMemberInfo
}

$adminUserAccountAMNYC | %{
    $userObjectID = $null
    $userObjectID = $_.ObjectId
    $userMemberInfo = $null
    $userMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ObjectId = $userObjectID}
    Add-AzureADScopedRoleMembership -ObjectId $auAMNYC.ObjectId -RoleObjectId $userAccountAdminRoleObjectID -RoleMemberInfo $userMemberInfo
}

# Role Delegation For EU – Amsterdam
$adminPrivAuthNEUAMS | %{
    $userObjectID = $null
    $userObjectID = $_.ObjectId
    $userMemberInfo = $null
    $userMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ObjectId = $userObjectID}
    Add-AzureADScopedRoleMembership -ObjectId $auEUAMS.ObjectId -RoleObjectId $privAuthAdminRoleObjectID -RoleMemberInfo $userMemberInfo
}

$adminAuthNEUAMS | %{
    $userObjectID = $null
    $userObjectID = $_.ObjectId
    $userMemberInfo = $null
    $userMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ObjectId = $userObjectID}
    Add-AzureADScopedRoleMembership -ObjectId $auEUAMS.ObjectId -RoleObjectId $authAdminRoleObjectID -RoleMemberInfo $userMemberInfo
}

$adminHelpdeskEUAMS | %{
    $userObjectID = $null
    $userObjectID = $_.ObjectId
    $userMemberInfo = $null
    $userMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ObjectId = $userObjectID}
    Add-AzureADScopedRoleMembership -ObjectId $auEUAMS.ObjectId -RoleObjectId $helpdeskAdminRoleObjectID -RoleMemberInfo $userMemberInfo
}

$adminUserAccountEUAMS | %{
    $userObjectID = $null
    $userObjectID = $_.ObjectId
    $userMemberInfo = $null
    $userMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ObjectId = $userObjectID}
    Add-AzureADScopedRoleMembership -ObjectId $auEUAMS.ObjectId -RoleObjectId $userAccountAdminRoleObjectID -RoleMemberInfo $userMemberInfo
}
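Once the scoped memberships are in place, the thing to verify is not only that they exist but that none of the scoped admins also holds the same role tenant-wide, because a tenant-wide assignment makes the AU scope meaningless. The following is an added audit script, not part of the original post, that reports every AU with its scoped role members and warns about such overlaps. It assumes a connected AzureADPreview session (Connect-AzureAD already run) and uses only the Get-* cmdlets from that module.

```powershell
# Added example (not from the original post): audit scoped role delegations per AU
# and flag scoped admins that also hold a tenant-wide AAD role.
# Assumes Connect-AzureAD has been run with an account allowed to read roles and AUs.

# Lookup: member ObjectId -> list of tenant-wide role names the member holds
$tenantWide = @{}
Get-AzureADDirectoryRole | ForEach-Object {
    $role = $_
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
        if (-not $tenantWide.ContainsKey($_.ObjectId)) { $tenantWide[$_.ObjectId] = @() }
        $tenantWide[$_.ObjectId] += $role.DisplayName
    }
}

# Lookup: role ObjectId -> display name, so the report is readable
$roleNames = @{}
Get-AzureADDirectoryRole | ForEach-Object { $roleNames[$_.ObjectId] = $_.DisplayName }

# One row per (AU, scoped role, admin)
$report = foreach ($au in Get-AzureADAdministrativeUnit) {
    $memberCount = @(Get-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId).Count
    foreach ($srm in Get-AzureADScopedRoleMembership -ObjectId $au.ObjectId) {
        $adminId = $srm.RoleMemberInfo.ObjectId
        [PSCustomObject]@{
            AdministrativeUnit = $au.DisplayName
            AUMembers          = $memberCount
            ScopedRole         = $roleNames[$srm.RoleObjectId]
            Admin              = $srm.RoleMemberInfo.UserPrincipalName
            TenantWideRoles    = ($tenantWide[$adminId] -join ", ")
        }
    }
}

$report | Sort-Object AdministrativeUnit, ScopedRole | Format-Table -AutoSize

# Any row with a tenant-wide role defeats the purpose of scoping: that admin can act on
# every user in the tenant regardless of the AU.
$report | Where-Object { $_.TenantWideRoles } | ForEach-Object {
    Write-Warning "$($_.Admin) is scoped to '$($_.AdministrativeUnit)' as $($_.ScopedRole) but also holds tenant-wide: $($_.TenantWideRoles)"
}
```

Run it after the delegation script above and again after any role change; the warning list is what you want to see empty. The same report also makes the failed "Privileged Authentication Administrator" delegation visible, because that role simply will not appear in any AU's rows.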

While adding the “Privileged Authentication Administrator” AAD role I noticed the following:

Figure 1: An Error Stating That Role Delegation For Administrative Units Is Only Possible For The “User Account Administrator” Role And The “Helpdesk Administrator” Role

Now this is a bummer! Damn!

The end result of all this is:

Figure 2: The Administrative Units And Their AU Members

Figure 3: The Administrative Units And Their Scoped Role Members

It should be obvious that the “Privileged Authentication Administrator” role is missing, as that one failed as displayed in Figure 1. It is weird, though, that the configuration for that role failed while the configuration for the “Authentication Administrator” role succeeded.

As in the previous post I started with the AAD Portal (https://portal.azure.com/) and logged on with admin.authn.am@iamtec.onmicrosoft.com, which had been delegated the “Authentication Administrator” role in the “AM Region – NYC” AU. Looking at my own Directory Role I saw the following:

Figure 4: The Assigned Directory Role To The Admin Account In The Directory Role Section Of The User Account

Although the AAD Portal is able to see that I have the “Authentication Administrator” role assigned, on the main page of the AAD Portal it tells me I’m a regular user:

Figure 5: The Assigned Directory Role To The Admin Account On The Main Overview Page

So is the AAD Portal having some role crisis regarding this user? Something else worth mentioning is that the AAD Portal unfortunately has no notion of AUs; at least I could not see anything about that when logged on with the delegated admin account.

Trying to reset the MFA profile for a scoped user…

Figure 6: Authentication Methods Section For A User Through The AAD Portal

Looking at that I see I can do something with the following because they are not greyed out:

  • Edit Authentication Info
  • Revoke MFA sessions
  • Require Re-Register MFA
  • Reset Password

This time things were not as I expected. Almost everything was greyed out and I got the message that I did not have access to the requested data. In the end I think the AAD Portal overview page was indeed right: just a regular user!

I did try the Password Reset as that was not greyed out, but it failed with an error saying: “The password can not be reset. This may be due to an incorrect level of administrative privilege or if trying to reset your own password”.

Let’s move on to the Office 365 Admin Center.

I logged on with admin.authn.am@iamtec.onmicrosoft.com and in the “Users – Active Users” section I could only see the users of the administrative unit I had been assigned a role in. If I had been assigned a role for multiple administrative units, then the drop-down list would list all applicable AUs and for each AU the AU members would be displayed below:

Figure 7: List Of Users Within A Specific Administrative Unit The Admin Was Delegated To

In the Office 365 Admin Center I was not able to find a way to reset the MFA profile or to revoke MFA sessions. That was disappointing, especially since I was able to reset the password of the scoped users.

Moving to PowerShell using any of the following CMDlets (plain hyphens and quotes, otherwise PowerShell will not parse them):

Revoke-AzureADUserAllRefreshToken -ObjectId <Object ID Or UPN>
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName <UPN>
Set-MsolUserPassword -UserPrincipalName <UPN> -NewPassword '<Some Text String As Password>'
Set-AzureADUserPassword -ObjectId <Object ID Or UPN> -Password $(ConvertTo-SecureString -String '<Some Text String As Password>' -AsPlainText -Force)

All CMDlets succeeded, except the one that I really needed!

Figure 8: Using PowerShell When Using Delegated AAD Roles For Administrative Units
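Rather than reading the outcome of each CMDlet off a screenshot, the result of a delegation test can be captured as a matrix: the same actions, run as the delegated admin, against one user inside the AU and one outside it. The script below is an added example (not from the original post) that does exactly that with try/catch around each action. It assumes Connect-AzureAD and Connect-MsolService were run as the delegated admin, and the two UPNs and the password placeholder are constructed values to replace with test accounts of your own.

```powershell
# Added example (not from the original post): capability matrix for a delegated admin.
# Assumes the current AzureAD and MSOnline sessions belong to the delegated admin
# (e.g. admin.authn.am) and that both UPNs below are throwaway test accounts.

$inScopeUpn    = "john.doe.am1@<AAD Tenant Domain>"    # member of the AU the admin is scoped to
$outOfScopeUpn = "jan.janssen.eu1@<AAD Tenant Domain>" # member of a different AU
$newPassword   = ConvertTo-SecureString -String '<Some Text String As Password>' -AsPlainText -Force

# Name -> scriptblock; each takes the target UPN as its only parameter
$actions = [ordered]@{
    "Revoke refresh tokens" = { param($upn) Revoke-AzureADUserAllRefreshToken -ObjectId $upn }
    "Reset MFA profile"     = { param($upn) Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $upn }
    "Reset password (AAD)"  = { param($upn) Set-AzureADUserPassword -ObjectId $upn -Password $newPassword }
}

$matrix = foreach ($upn in @($inScopeUpn, $outOfScopeUpn)) {
    foreach ($name in $actions.Keys) {
        try {
            & $actions[$name] $upn
            $result = "Succeeded"
        } catch {
            # Keep only the first line of the error; that is what goes into the ticket/bug report
            $result = "Failed: " + ($_.Exception.Message -split "`n")[0]
        }
        [PSCustomObject]@{ Target = $upn; Action = $name; Result = $result }
    }
}

$matrix | Format-Table -AutoSize

# Expectation for a correctly scoped admin: every action succeeds for $inScopeUpn and
# fails for $outOfScopeUpn. A success against the out-of-scope user is the finding to chase.
```

Re-run this after every change to the delegation model; the out-of-scope column is the one that tells you whether the AU boundary actually holds, and the in-scope column records which operations (like the MFA reset in this post) the delegation does not cover.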

As it looks, there appears to be no way to delegate the reset of an MFA profile for a scoped user. The AAD Portal does not really understand administrative units. The O365 Admin Center does understand administrative units, but has no option to reset the MFA profile for a scoped user when using AUs. Through PowerShell, the CMDlet “Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName <UPN>” does not work when using delegated permissions for AUs.

Not much has changed, unfortunately. As I look at it right now, although the feature does support delegated tasks in the Office 365 Admin Center, it lacks the options to be able to do everything. With this in mind the administrative units feature is not yet enterprise ready, especially when the need exists to delegate parts of administration to other regions/locations.

Hopefully Microsoft changes this soon.

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Azure AD Administrative Units, RBAC, Windows Azure Active Directory

(2019-07-04) Azure AD Delegation Through Roles And Administrative Units – The Good, The Bad And The Ugly (Part 1)

Posted by Jorge on 2019-07-04


Within Active Directory (AD), organizational units (OUs) were used to apply policy and delegate administration. With regards to delegation of administration in AD, that came down to delegation of specific actions such as, for example, “Password Reset” (a so-called Control Access Right (CAR)) or Read/Write of a specific attribute such as givenName. AD does not know the concept of roles. Those can be implemented, though, by creating a security group that has one or more permissions for a specific scope of objects.

Azure Active Directory (AAD) in turn does not implement OUs like AD, but rather administrative units (AUs). Also, in AAD it is not possible to apply permissions as granularly as is possible in AD. Nevertheless, AAD does know the concept of roles and every role has a predefined set of permissions. Some roles are available by default and ready to use, and other roles need to be enabled/activated first. Within AAD you can make people permanent members of one or more roles, or, when using roles together with Privileged Identity Management (PIM), you can make people eligible for specific roles and allow those eligible people to activate a specific role for a specific amount of time as needed.

Through the following CMDlet you can retrieve the current enabled AAD roles:

Get-AzureADDirectoryRole

In any AAD tenant the following AAD roles are enabled by default:

Figure 1: Default Enabled Azure AD Roles

Before you can assign an AAD role through PowerShell it must be enabled first through the following CMDlet:

Enable-AzureADDirectoryRole -RoleTemplateId <Role Template Object ID>

The available roles can be retrieved by asking for the available role templates, which is done through:

Get-AzureADDirectoryRoleTemplate

In any AAD tenant the following AAD role templates are available by default:

Figure 2: Default Available Azure AD Role Templates
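The difference between Figure 1 (enabled roles) and Figure 2 (role templates) can be computed instead of eyeballed, and the enable step can be made safe to re-run. The function below is an added example, not from the original post: it lists the templates that are not enabled yet and enables a given set of roles only when they are still missing, capturing the DirectoryRole object that Enable-AzureADDirectoryRole returns because its ObjectId is what the role-assignment CMDlets need. It assumes a connected AzureAD session; the role names passed at the end are the ones used in this series.

```powershell
# Added example (not from the original post): delta between role templates and enabled
# roles, plus idempotent enabling. Assumes Connect-AzureAD has been run.

function Enable-AadRoleIfNeeded {
    param([Parameter(Mandatory)][string[]]$RoleDisplayName)

    $enabled   = Get-AzureADDirectoryRole
    $templates = Get-AzureADDirectoryRoleTemplate

    foreach ($name in $RoleDisplayName) {
        $existing = $enabled | Where-Object { $_.DisplayName -eq $name }
        if ($existing) {
            Write-Host "Already enabled: $name ($($existing.ObjectId))"
            continue
        }
        $template = $templates | Where-Object { $_.DisplayName -eq $name }
        if (-not $template) {
            # Roles get renamed and deprecated over time, so a miss here is worth a warning, not a silent skip
            Write-Warning "No role template named '$name' in this tenant; check the current role name"
            continue
        }
        # Enable-AzureADDirectoryRole returns the newly enabled DirectoryRole; keep it for its ObjectId
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
        Write-Host "Enabled: $name ($($role.ObjectId))"
    }
}

# Which templates are NOT enabled yet? (the delta between Figure 2 and Figure 1)
$enabledNames = (Get-AzureADDirectoryRole).DisplayName
Get-AzureADDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -notin $enabledNames } |
    Select-Object DisplayName, ObjectId |
    Sort-Object DisplayName

# Enable only what this series needs; safe to run again later
Enable-AadRoleIfNeeded -RoleDisplayName "Authentication Administrator", "Helpdesk Administrator", "User Account Administrator"
```

Keeping the enabled-role list small is itself a control: a role template that is never enabled cannot be assigned through PowerShell, and the delta listing above doubles as a quick check that nobody has quietly enabled roles you did not plan for.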

However, in the AAD Portal (https://portal.azure.com/) it is not required to enable an AAD role first before being able to assign it to someone. As soon as you assign the AAD role through the AAD Portal it is enabled automatically if it was previously disabled. From an AAD Portal perspective things look as displayed in the figure below. All AAD roles with a flag are newly introduced roles.

Figure 3: Default Available Azure AD Role (Templates) In The AAD Portal

When using the Office 365 Admin Center (https://portal.office.com/) you can see a similar list with AAD roles that in addition also mention the category the AAD role is used in. Examples are “Identity”, “Security & Compliance”, “Devices”, “Billing”, “Collaboration” and some others.

Comparing the contents of Figure 1 with the contents of Figure 2, you can see a huge number of AAD roles that Microsoft has added to AAD to prevent and offload the usage of the “Global Administrator” (a.k.a. “Company Administrator”) role, so that a less powerful AAD role can be used to accomplish what you need. All AAD roles work at tenant level, so delegating things to a less powerful role progresses by experience and by what AAD admins request. For example, not so long ago I asked Microsoft to implement a new role similar to “Global Administrator” but in read-only mode. I have had, and still have, many occasions where I need the “Global Administrator” role just to look at configurations and/or data. Having a “Global Administrator Read-Only” role (or whatever Microsoft will call it in the end) would prevent me from having to use the “Global Administrator” role, which is of course a good thing. That way I could be a permanent member of “Global Administrator Read-Only” and use PIM to activate “Global Administrator” only when really needed! And believe it or not, Microsoft can deprecate roles in AAD, as specified at the bottom of the article Administrator role permissions in Azure Active Directory.

Then there is the “administrative units” feature in AAD. Unfortunately that’s when things become more problematic, and the experience today is not always consistent. As an example, I’m going to use the “Authentication Administrator” role, which has a description of “Allowed to view, set and reset authentication method information for any non-admin user.”. That role will be assigned to the user account “admin.authn.am@iamtec.onmicrosoft.com” at either tenant level or AU level, depending on what I’m discussing.

First, let’s have a look at that role. The “Authentication Administrator” AAD role has a description of “Allowed to view, set and reset authentication method information for any non-admin user.”. Looking at the additional information as written in Administrator role permissions in Azure Active Directory it says:

Users with this role can set or reset non-password credentials. Authentication Administrators can require users to re-register against existing non-password credential (for example, MFA or FIDO) and revoke remember MFA on the device, which prompts for MFA on the next sign-in of users who are non-administrators or assigned the following roles only:

  • Authentication Administrator
  • Directory Readers
  • Guest Inviter
  • Message Center Reader
  • Reports Reader

I have assigned the “Authentication Administrator” AAD role to the user “admin.authn.am@iamtec.onmicrosoft.com” at tenant level. So that user can do what is described above against ANY non-admin user in AAD and against members of the specified AAD roles.

Taking the targeted user “john.doe.am1@iamtec.onmicrosoft.com” as an example, after navigating to that user in the AAD Portal, I see the following in the “Authentication Methods” section of that user:

Figure 4: Authentication Methods Section For A User Through The AAD Portal

Looking at that I see I can do something with the following because they are not greyed out:

  • Edit Authentication Info
  • Revoke MFA sessions
  • Require Re-Register MFA
  • Reset Password

Everything looks as expected, except for “Reset Password”, because the description explicitly mentions “non-password credential”. I tried it, and yes, I was able to reset the password of that account while I did not expect to be able to do so. Weird. Probably a bug, but hey, it is still in public preview!

Going to the Office 365 Admin Center, I see:

Figure 5: The Properties For A User Through The O365 Admin Center

In that portal I cannot find a way to require re-registration of MFA or revoke MFA sessions, but I can reset the password.

Trying actions through PowerShell using any of the following CMDlets also works (plain hyphens and quotes, otherwise PowerShell will not parse them):

Revoke-AzureADUserAllRefreshToken -ObjectId <Object ID Or UPN>
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName <UPN>
Set-MsolUserPassword -UserPrincipalName <UPN> -NewPassword '<Some Text String As Password>'
Set-AzureADUserPassword -ObjectId <Object ID Or UPN> -Password $(ConvertTo-SecureString -String '<Some Text String As Password>' -AsPlainText -Force)

Microsoft is really putting a lot of effort in offloading the usage of the “Global Administrator” AAD role to other less powerful AAD roles. This is really a good thing and I can imagine that’s a lot of work due to all the possible AAD roles people can think of for all the richness that AAD has to offer!

Next time I’ll continue with this and focus more on administrative units.

Cheers,

Jorge


Posted in Azure AD Administrative Units, RBAC, Windows Azure Active Directory

(2015-10-13) Roles Based Access Control (RBAC) For Azure Is Now GA

Posted by Jorge on 2015-10-13


Finally, no more “all or nothing”. Delegation is now possible for Azure resources.

More information:

Cheers,
Jorge

Posted in RBAC, Windows Azure Active Directory