How to Easily Identify Tier Zero Azure Assets
First, you need to understand the problem we are trying to solve with Tiered Administration.
Tiered Administration protects your most privileged assets from compromise in the event that less privileged assets are compromised.
It's the wombo combo of least privilege and defense in depth.
Do Tiered Administration effectively and you DRAMATICALLY reduce risks posed by ransomware actors, insider threats, etc.
Most efforts get stuck in the very first step: identifying which assets go into which tiers.
Here's how you do this:
You need to first understand what your most privileged assets are. These will comprise your "Tier Zero". These assets control EVERYTHING, including EACH OTHER.
For Azure, you should follow this logic:
Some of this is obvious: Global Admins are obviously Tier Zero.
Some of this is not as obvious. This blog post dives into why those two particular MS Graph app roles grant Tier Zero privileges:
What's even less obvious is the final question in that logic: "Does it control or contain something that IS Tier Zero?"
Let's talk about control.
In this setup, a Virtual Machine (VM) has a managed identity assignment to a Service Principal (SP) that holds a Tier Zero (T0) MS Graph app role. Anything that can run code on the VM can request tokens as that managed identity, so it inherits the SP's privileges:
That means SP A is Tier Zero, and so is "Virtual Machine 001". This blog post explains why:
But because SP B controls the VM, SP B must ALSO be considered Tier Zero, unless you revoke SP B's control over the VM:
Now let's talk about hierarchical containment. In Azure, role assignments are inherited by every child scope: control a parent object and you control all of its children.
The AzureAD Tenant contains all objects, so it is obviously a Tier Zero asset itself:
But because the VM is Tier Zero, *all* of its parent objects must be considered Tier Zero as well.
The resource group, subscription, and management group(s) above the VM *must* be considered Tier Zero:
Need help? This script will help you easily identify Tier Zero service principals by their AzureAD and MS Graph App Role assignments:
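The classification logic above, carried through end to end as an added example (this is not the author's script and not SpecterOps tooling). It seeds Tier Zero from two Microsoft Graph data sets, directory role assignments and MS Graph app role assignments, and then propagates Tier Zero backwards over "controls" and "contains" edges exactly as the post describes: whatever controls or contains a Tier Zero asset is Tier Zero, while containment is never followed downwards. All object ids, the sample Graph responses and the edge list are constructed for the example; the Global Administrator role template id is the fixed one Microsoft publishes, and the two MS Graph app role ids treated as Tier Zero are an assumption for this example that should be confirmed against the Microsoft Graph service principal's appRoles in your own tenant.

```python
"""Tier Zero classification for Azure/AzureAD assets (added example).

Step 1 seeds Tier Zero from direct privilege: AzureAD directory role
assignments (Global Administrator) and MS Graph app role assignments.
Step 2 propagates Tier Zero backwards over 'controls' and 'contains'
edges: anything that controls or contains a Tier Zero asset is Tier Zero.
Containment is only followed upwards, so a sibling child of a T0 parent
does not become T0 just because its parent is.
"""
from collections import defaultdict, deque

# Global Administrator directory role template id (same in every tenant).
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
T0_DIRECTORY_ROLE_IDS = {GLOBAL_ADMIN_TEMPLATE_ID}

# ASSUMPTION for this example: which MS Graph app roles count as Tier Zero.
# Ids are appRole ids on the Microsoft Graph service principal; confirm them
# from that service principal's appRoles in your tenant before relying on them.
T0_GRAPH_APP_ROLE_IDS = {
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8": "RoleManagement.ReadWrite.Directory",
    "06b708a9-e830-4db3-a914-8e69da51d44f": "AppRoleAssignment.ReadWrite.All",
}
MS_GRAPH_SP_ID = "sp-msgraph"  # constructed object id of the Graph SP in this tenant

# Constructed sample shaped like GET /roleManagement/directory/roleAssignments.
ROLE_ASSIGNMENTS = [
    {"principalId": "user-alice", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE_ID},
    {"principalId": "user-bob",
     "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1"},  # User Administrator: not T0 here
]

# Constructed sample shaped like GET /servicePrincipals/{graphSpId}/appRoleAssignedTo.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-a", "resourceId": MS_GRAPH_SP_ID,
     "appRoleId": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"},
    {"principalId": "sp-c", "resourceId": MS_GRAPH_SP_ID,
     "appRoleId": "df021288-bdef-4463-88db-98f22de89214"},  # User.Read.All: not T0
    {"principalId": "sp-d", "resourceId": "sp-other-api",
     "appRoleId": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"},  # same id on another API: not Graph, not T0
]

# Constructed relationships as (source, relationship, target).
#   controls: source can take over target (role on the target, managed identity, ...)
#   contains: target is a child of source in the Azure resource hierarchy
EDGES = [
    ("vm-001", "controls", "sp-a"),     # VM can request tokens as its managed identity SP A
    ("sp-b", "controls", "vm-001"),     # SP B holds a role that lets it run code on the VM
    ("rg-prod", "contains", "vm-001"),
    ("sub-prod", "contains", "rg-prod"),
    ("mg-root", "contains", "sub-prod"),
    ("tenant", "contains", "mg-root"),
    ("rg-prod", "contains", "vm-002"),  # sibling VM under the same (T0) resource group
    ("sp-c", "controls", "vm-002"),
]


def seed_tier_zero(role_assignments, app_role_assignments, graph_sp_id=MS_GRAPH_SP_ID):
    """Return {object_id: reason} for assets that are Tier Zero by direct privilege."""
    t0 = {}
    for ra in role_assignments:
        if ra["roleDefinitionId"] in T0_DIRECTORY_ROLE_IDS:
            t0[ra["principalId"]] = "holds directory role Global Administrator"
    for ara in app_role_assignments:
        # An app role id only carries this meaning on the Microsoft Graph resource SP.
        if ara["resourceId"] == graph_sp_id and ara["appRoleId"] in T0_GRAPH_APP_ROLE_IDS:
            t0[ara["principalId"]] = "holds MS Graph app role " + T0_GRAPH_APP_ROLE_IDS[ara["appRoleId"]]
    return t0


def propagate_tier_zero(seeds, edges):
    """Extend the seed set: anything that controls or contains a T0 asset is T0.

    Edges are walked from target back to source (never source to target), so
    Tier Zero flows up to parents and controllers, not down to children.
    """
    inbound = defaultdict(list)
    for src, rel, dst in edges:
        inbound[dst].append((src, rel))
    t0 = dict(seeds)
    queue = deque(seeds)
    while queue:
        asset = queue.popleft()
        for src, rel in inbound[asset]:
            if src not in t0:
                t0[src] = f"{rel} Tier Zero asset {asset}"
                queue.append(src)
    return t0


def classify(role_assignments=ROLE_ASSIGNMENTS,
             app_role_assignments=APP_ROLE_ASSIGNMENTS, edges=EDGES):
    """Full pipeline: seed from Graph data, then propagate over the edge list."""
    return propagate_tier_zero(seed_tier_zero(role_assignments, app_role_assignments), edges)


if __name__ == "__main__":
    for asset, reason in sorted(classify().items()):
        print(f"{asset:12} T0 because it {reason}")
```

Running it lists user-alice and sp-a as Tier Zero by direct privilege, then vm-001, sp-b, rg-prod, sub-prod, mg-root and tenant by control or containment; vm-002 and sp-c stay out because Tier Zero only climbs the hierarchy, and sp-d stays out because its app role is on a resource other than Microsoft Graph. To use it against a real tenant, replace the constructed lists with the two Graph responses and an edge list built from Azure RBAC role assignments, managed identity assignments and the resource hierarchy.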
I'll publish more details and free tooling you can use to manage those attack paths:
It is such a small number of people who understand this concept. BRAVO!!!
IAM Strategy Owner @ Maersk
2 years · Love the classification logic. Too often you see DCs and only DCs considered to be T0.