Microsoft Entra ID: From Great to Greater with These Fixes

Microsoft Entra ID - This cloud-based identity and access management service is like having a digital bouncer who never sleeps. It integrates seamlessly with Microsoft 365, Azure, and a gazillion other SaaS apps, making sure only the right folks get in.

Entra ID's got all the cool gadgets: single sign-on (SSO) for one-click access, multi-factor authentication (MFA) to keep the baddies out, and conditional access policies that act like a digital doorman. Plus, it offers privileged identity management (PIM) to control and monitor access to important resources, and identity governance to ensure the right people have the right access at the right time.

But wait, there's more! With user-friendly self-service portals, employees can handle their own identity crises. And don't forget the fantastic Microsoft community, always ready to help with tips, tricks, and support.

While Microsoft Entra ID is great, I have a list of three issues I really want Microsoft to fix (because, hey, even superheroes have room for improvement):

  1. Rethinking access: the Microsoft Entra ID Global Reader role can view the BitLocker recovery keys for every device in the tenant.
  2. Why does adding domains in external collaboration settings feel like trying to get into an exclusive club? Because you need the Global Administrator role as your VIP pass!
  3. Why does it feel like group owners have a secret backdoor key? Even when they're blocked from the Entra ID admin portal, they can still edit groups like it's no big deal!

So let us dive into the issues and why I think they need to be fixed.

Rethinking Access: Microsoft Entra ID's Global Reader Role

The link to my earlier post is here - Post | LinkedIn

In reviewing Microsoft Entra ID, it's surprising to find that the Global Reader role can view BitLocker recovery keys; it in fact holds the permission /bitlockerKeys/key/read, which can be used to read the BitLocker recovery keys for all the devices in a tenant.

Granting this permission to Global Reader raises security concerns, given how widely the Global Reader role is assigned to identities in an organization. The Global Reader role is designed to provide read-only access across various administrative features and settings, enabling a broad overview without the capacity to edit or modify. However, the inclusion of BitLocker recovery keys within this role's purview seems to extend beyond the intended level of access. How do you perceive the permissions associated with the Global Reader role, and what best practices would you recommend for managing access within Microsoft Entra ID?

Microsoft's documentation for the Global Reader role, linked here, does mention that it has access to the privileged permission of viewing BitLocker keys.
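Because the concern above is about how widely a role carrying this permission is assigned, the first thing to do is to find out which role definitions in your own tenant grant it and who currently holds them. The script below is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original post. It assumes the resource action named in the post appears as the tail of a resource action string inside the role definitions (hence the wildcard), and that you sign in with a read-only account.

```powershell
# Added example (not from the original post): audit which Entra directory roles
# grant the BitLocker recovery-key read action, and which principals hold them.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# The action string is taken from the post; the full resource action in a role
# definition is assumed to end with it, so a wildcard prefix is used.
$action = "*/bitlockerKeys/key/read"

# Every built-in and custom role definition, each with its allowed resource actions
$roles = Get-MgRoleManagementDirectoryRoleDefinition -All

$grantingRoles = foreach ($role in $roles) {
    $allowed = $role.RolePermissions | ForEach-Object { $_.AllowedResourceActions }
    # -like against an array returns the matching elements; non-empty means a hit
    if ($allowed -like $action) { $role }
}

$report = foreach ($role in $grantingRoles) {
    # Active role assignments only; PIM-eligible assignments are not in this list,
    # so treat the output as a lower bound on who can reach the keys.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal
    foreach ($a in $assignments) {
        [pscustomobject]@{
            Role          = $role.DisplayName
            PrincipalType = $a.Principal.AdditionalProperties['@odata.type']
            Principal     = if ($a.Principal.AdditionalProperties['userPrincipalName']) {
                                $a.Principal.AdditionalProperties['userPrincipalName']
                            } else {
                                $a.Principal.AdditionalProperties['displayName']
                            }
        }
    }
}

# One row per (role, principal); review every row that is not a named key custodian
$report | Sort-Object Role, Principal | Format-Table -AutoSize
```

Run it as-is to see the tenant-wide picture; a group listed under PrincipalType means the group's members inherit the role, so expand it before deciding the exposure is acceptable.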


Global Administrator role is needed to add a domain in External Collaboration settings.

In Entra ID, when we choose the most restrictive option to allow invitations to be sent only to specified domains for external collaboration (which is fantastic for security), we hit a bit of a snag. To add these whitelisted domains, you need to have the Global Administrator role active. Now, I think that's a bit of overkill, like using a sledgehammer to crack a nut!

Wouldn't it be great if this task could be handled by a lesser-privileged role? It would make life so much easier and keep our global admins from feeling like they're the only ones who can save the day. Microsoft & Microsoft Security, can we dial it down a notch and let more folks join the fun?

A secret backdoor for Group Owners?

In the Entra admin portal, the setting shown below restricts access to the Entra admin center for all non-admin users.

It states that non-administrators are not able to use the portal to access and manage resources.

Microsoft also mentions that this is not a security measure.

So, when I sign in with a non-admin user and try to access the Entra admin center, I get the message below: Insufficient privileges to complete the operation.

Also, when I try to navigate to groups with the same user, I get the message that the user has no admin roles.

Now comes the twist. What if I know the objectId of the group? If I do, I can navigate to the group with ease, and if I am the group owner, I can make changes as well.

The only thing needed is a URL in the format below:

https://entra.microsoft.com/?feature.msaljs=true#view/Microsoft_AAD_IAM/GroupDetailsMenuBlade/~/Overview/groupId/<GROUP OBJECT ID>/menuId/



So this setting does not necessarily block access to the Entra admin center for non-admin users, and it can be easily bypassed by anyone who knows the object ID of the group.
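Since the portal switch is, as the post notes, not a security measure, the defender's answer is to know who owns groups and to watch what non-admins actually change. The script below is an added example using the Microsoft Graph PowerShell SDK, not code from the original post. It assumes read-only delegated scopes for groups, roles and audit logs, and that "non-admin" means a user with no active directory role assignment; PIM-eligible users therefore show up as non-admins here, which is an assumption you may want to adjust.

```powershell
# Added example (not from the original post): inventory group owners and surface
# group changes made by users who hold no active directory role, i.e. exactly the
# changes the "restrict admin center" switch does not prevent.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed.
Connect-MgGraph -NoWelcome -Scopes "Group.Read.All", "Directory.Read.All",
    "RoleManagement.Read.Directory", "AuditLog.Read.All"

# 1. Inventory: every group with its owners. Owners can edit the group via the
#    direct URL or the Graph API regardless of the admin center switch.
$ownership = foreach ($g in Get-MgGroup -All -Property Id, DisplayName, IsAssignableToRole) {
    foreach ($o in Get-MgGroupOwner -GroupId $g.Id -All) {
        $upn = $o.AdditionalProperties['userPrincipalName']
        [pscustomobject]@{
            Group          = $g.DisplayName
            RoleAssignable = [bool]$g.IsAssignableToRole   # membership feeds a directory role
            OwnerType      = $o.AdditionalProperties['@odata.type']
            Owner          = if ($upn) { $upn } else { $o.AdditionalProperties['displayName'] }
        }
    }
}
"Group ownership:"
$ownership | Sort-Object Group, Owner | Format-Table -AutoSize

# 2. Detection: group-management audit events from the last 7 days
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "category eq 'GroupManagement' and activityDateTime ge $since"

# Principals with an active directory role assignment; everyone else is "non-admin"
# for this report (assumption: PIM-eligible users are not counted as admins).
$adminIds = (Get-MgRoleManagementDirectoryRoleAssignment -All).PrincipalId | Sort-Object -Unique

$nonAdminChanges = $events | Where-Object {
    $_.InitiatedBy.User.Id -and ($adminIds -notcontains $_.InitiatedBy.User.Id)
} | Select-Object ActivityDateTime, ActivityDisplayName,
    @{ n = 'Actor';  e = { $_.InitiatedBy.User.UserPrincipalName } },
    @{ n = 'Target'; e = {
        ($_.TargetResources | Where-Object Type -eq 'Group' | Select-Object -First 1).DisplayName } }

"Group changes by users without an active directory role (last 7 days):"
$nonAdminChanges | Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize
```

Rows in the second table are the portal-bypass scenario from the post seen from the audit log: a group owner with no admin role updating membership or settings. Pair the inventory with that list so you can tell a legitimate owner's change from an unexpected one, and pay particular attention to groups flagged RoleAssignable, since their membership grants directory roles.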

Conclusion

What do you think of this? Do you have any suggestions or feedback? Are you also facing some issues or have improvement suggestions for Microsoft? I'd really love to hear more about your experiences and ideas. Let's make Microsoft Entra ID even better together!




Greg Besso

Obsessed with process and PowerShell | Certified Cicerone?

3 weeks

Also there’s sometimes I feel global reader is missing some things. At first I thought they need to release a “universal reader” but your point makes me think instead we need better ability to create per-service or more granular reader access in general. #wishfulthinking :-)

SAMEER NANDA

Global IT Security Operations Manager @JDE

1 month

Curious to check!!

Somen Das

Cybersecurity Leader | Driving GenAI-Enabled CTEM, ASM, Unified VM, Autonomous Pentesting, DFIR, TH, MDR

1 month

Well captured
