I don’t know how many times I have been in a conversation about Attack or Defense tactics in Azure AD, and ended up discussing the following question:
"Which roles are security sensitive in Azure AD, and why?"
It's such a simple question.
However, the answer is an annoyingly complex moving target.
It is a moving target because Microsoft changes the built-in Azure AD roles over time, deprecating old roles and introducing new ones. It is also not entirely clear whether the permissions granted by each role change as new features are added.
The complexity, on the other hand, comes from the community's ongoing research into how these roles can be abused. It is not always obvious what you can do with a given privilege; research is needed to identify and document abuse techniques, and each new result changes the answer to the question above.
This makes the question even harder to answer on an ongoing basis.
To provide a thoughtful, accurate answer to the question, there is only really one option: automate the detection of primitives in all Azure AD roles based on known community-provided techniques, and monitor how the roles develop over time.
Today we are happy to release a project to the community that does just that: Azure AD Role Monitor. The project consists of the following consumable data and processes:
A JSON feed of roles in Azure AD, mapped to their corresponding abuse techniques.
A JSON object listing the abuse primitives associated with "actions" in Azure AD role definitions. We produce this ourselves, but hope the community will influence and drive it as well.
Historical data on the primitives associated with Azure AD roles, showing how they develop over time. Collection of this data starts today.
Automation to check the available Azure AD roles in a test tenant on a daily basis to produce this feed.
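To make the pipeline described above concrete, here is an added example of the core step: take a snapshot of role definitions, map each role's allowed actions onto a catalogue of abuse primitives, and diff today's feed against yesterday's. This is illustrative code written for this post, not the Azure AD Role Monitor project's own implementation. The role snapshots and the primitive catalogue are constructed sample data; the snapshot shape (displayName, isBuiltIn, rolePermissions[].allowedResourceActions) is assumed to follow the Microsoft Graph roleDefinition object, and the role names are deliberately fictional so that no real role change is implied.

```python
"""Map role definitions to abuse primitives and diff two daily snapshots (example code)."""
import json
from typing import Dict, List

# Constructed primitive catalogue: resource action -> abuse primitive name.
# Illustrative only; the real catalogue is the community-driven JSON described above.
PRIMITIVES: Dict[str, str] = {
    "microsoft.directory/users/password/update": "reset-user-password",
    "microsoft.directory/applications/credentials/update": "add-application-credential",
    "microsoft.directory/servicePrincipals/credentials/update": "add-service-principal-credential",
    "microsoft.directory/groups/members/update": "modify-group-membership",
}

# Constructed "day 1" snapshot. Shape assumed from Graph roleDefinition objects;
# role names are fictional. Actions with no primitive (e.g. the read action) are ignored.
SNAPSHOT_DAY1 = json.dumps([
    {"displayName": "Constructed Helpdesk Role", "isBuiltIn": True,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/users/password/update",
         "microsoft.directory/users/standard/read"]}]},
    {"displayName": "Constructed App Role", "isBuiltIn": True,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/applications/credentials/update",
         "microsoft.directory/servicePrincipals/credentials/update"]}]},
    {"displayName": "Constructed Groups Role", "isBuiltIn": True,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/groups/members/update"]}]},
])

# Constructed "day 2" snapshot: one role lost an action, one role was removed, one was added.
SNAPSHOT_DAY2 = json.dumps([
    {"displayName": "Constructed Helpdesk Role", "isBuiltIn": True,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/users/password/update",
         "microsoft.directory/users/standard/read"]}]},
    {"displayName": "Constructed App Role", "isBuiltIn": True,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/applications/credentials/update"]}]},
    {"displayName": "Constructed New Role", "isBuiltIn": True,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/users/password/update"]}]},
])


def role_primitives(role: dict, primitives: Dict[str, str]) -> List[str]:
    """Return the sorted, de-duplicated primitives reachable from one role's actions.

    Only exact action matches are considered; wildcard-style actions are not expanded here.
    """
    found = set()
    for perm in role.get("rolePermissions", []):
        for action in perm.get("allowedResourceActions", []):
            prim = primitives.get(action)
            if prim:
                found.add(prim)
    return sorted(found)


def build_feed(snapshot_json: str, primitives: Dict[str, str]) -> Dict[str, List[str]]:
    """Turn a snapshot of role definitions into the role -> primitives feed."""
    roles = json.loads(snapshot_json)
    return {r["displayName"]: role_primitives(r, primitives) for r in roles}


def diff_feeds(old: Dict[str, List[str]], new: Dict[str, List[str]]) -> dict:
    """Report roles that appeared, disappeared, or gained/lost primitives between two feeds."""
    changed = {}
    for name in set(old) & set(new):
        gained = sorted(set(new[name]) - set(old[name]))
        lost = sorted(set(old[name]) - set(new[name]))
        if gained or lost:
            changed[name] = {"gained": gained, "lost": lost}
    return {
        "added_roles": sorted(set(new) - set(old)),
        "removed_roles": sorted(set(old) - set(new)),
        "changed": changed,
    }


if __name__ == "__main__":
    day1 = build_feed(SNAPSHOT_DAY1, PRIMITIVES)
    day2 = build_feed(SNAPSHOT_DAY2, PRIMITIVES)
    print(json.dumps({"feed": day2, "diff": diff_feeds(day1, day2)}, indent=2))
```

In a daily run, SNAPSHOT_DAY1 would be yesterday's stored feed and SNAPSHOT_DAY2 the fresh pull from the test tenant; the diff output is what tells you that a role gained or lost a primitive, which is exactly the signal that should trigger a review of tiering, detections, or attack paths. Note that the matching is exact on action strings, so a role expressed with broader or wildcard-style actions would need those expanded before the lookup.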
This project is meant to provide the data that security professionals need to quickly answer the question posed above in a programmatic way. It may be used by many security functions for different purposes:
Architects: To develop an administrative tiering strategy
Engineers: To automate operational tasks around privileged roles
Detection engineers: To monitor activity of privileged users
Offensive professionals: To identify what abuse techniques are available given the compromise of certain users.
We welcome feedback and additions from the community on the tool, and would love to hear if others find this useful in their work.