Closed ahuynhMITRE closed 6 months ago
Investigated access packages and implemented them in a test environment. Initially it looks like the following baselines may be feasible:
Access package baselines not considered in scope at this time in lieu of higher priorities. Reasons cited: relatively low adoption of feature (so far), other issues have potentially higher impact. However, this issue can be revisited in the future.
Rich demonstrated this capability to us and answered questions about how it works. At this time I don't see a way that it can be included in a Scuba security policy in a way that would be applicable to most organizations. Its main purpose is setting up guardrails around what M365 resources users can access and the governance process around that.
I took some time to test-drive identity governance access reviews to get a feel for what it is and how it works. The specific use case that I selected was to review a list of users that have inactive accounts, because we don't have an existing policy on that in Scuba and inactive accounts are an area of high risk since their credentials are an attractive target for adversaries. I created an access review that would list all the users in the Scuba Testers group that were inactive for 15 days.
Once I created the access review, then I opened it and navigated to the Results page.
The access review results screen shows the following information for each user that met that inactivity criteria:
The licensing necessary to get the full set of features for access reviews was unclear. On an E5 Developer tenant that has Entra ID Premium P2, I received a license message and the ability to perform an access review was greyed out. On a G5 tenant I was able to perform an access review.
I think that the ability for a sys admin to create a downloadable report of inactive users is powerful. The inactivity period can be customized. In particular the CSV output file contains the last sign-in date of each user which is a valuable data point for detecting and remediating stale accounts that might be attractive targets for adversaries.
That said, we would need to get creative on how to incorporate this into ScubaGear. Here are some potential ideas for future consideration:
There are some APIs available to grab the access review data from the tenant.
https://learn.microsoft.com/en-us/graph/api/resources/accessreviewsv2-overview?view=graph-rest-beta
https://learn.microsoft.com/en-us/graph/api/accessreviewscheduledefinition-list-instances?view=graph-rest-beta&tabs=http
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/get-mgidentitygovernanceaccessreviewdefinition?view=graph-powershell-1.0&viewFallbackFrom=graph-powershell-beta

I had to add this permission to view the access review data: AccessReview.Read.All
pinging @mitchelbaker-cisa @gdasher for awareness
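As an added example (not code from the issue thread or from ScubaGear), the following script pulls access review decisions through the Graph beta endpoints linked above and exports them with each user's last sign-in date, the data point the comment identifies as useful for finding stale accounts. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can consent to AccessReview.Read.All, and that the beta `insights` collection on a decision carries a `userSignInInsight` with `lastSignInDateTime`; the exact property names in that collection are an assumption to verify against the tenant's output.

```powershell
# Added example, not part of the original issue or ScubaGear.
# Requires the Microsoft.Graph PowerShell SDK; only the read scope the comment
# above mentions is requested.
Connect-MgGraph -Scopes 'AccessReview.Read.All' -NoWelcome

$beta = 'https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions'

function Get-GraphPages([string]$Uri) {
    # Follow @odata.nextLink so large tenants are enumerated completely.
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

$rows = foreach ($def in Get-GraphPages $beta) {
    # Only completed instances have a final set of decisions.
    $instances = Get-GraphPages "$beta/$($def.id)/instances" |
        Where-Object { $_.status -eq 'Completed' }
    foreach ($inst in $instances) {
        foreach ($d in Get-GraphPages "$beta/$($def.id)/instances/$($inst.id)/decisions") {
            # Assumption: beta decisions expose a userSignInInsight with
            # lastSignInDateTime; verify the shape in your tenant.
            $signIn = $d.insights |
                Where-Object { $_.'@odata.type' -like '*userSignInInsight' } |
                Select-Object -First 1
            [pscustomobject]@{
                Review            = $def.displayName
                InstanceEnd       = $inst.endDateTime
                UserPrincipalName = $d.principal.userPrincipalName
                LastSignIn        = $signIn.lastSignInDateTime
                Decision          = $d.decision          # Approve, Deny, NotReviewed, DontKnow
                Reviewer          = $d.reviewedBy.userPrincipalName
            }
        }
    }
}

# Full export for the record, then surface the accounts a defender would chase
# first: never signed in, or left unreviewed when the review closed.
$rows | Sort-Object LastSignIn |
    Export-Csv -Path .\access-review-decisions.csv -NoTypeInformation
$rows | Where-Object { -not $_.LastSignIn -or $_.Decision -eq 'NotReviewed' } |
    Format-Table -AutoSize
```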
💡 Summary
Further investigation into AAD's new access package feature in entitlement management is needed due to its enablement of resources and policies that automatically administer access for the life of the access package.
Motivation and context
Additional investigation on potential vulnerabilities to M365 applications and permissions is needed to understand its potential use for policies and how it interacts with existing policies. Link to Microsoft article below.
https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-create
Acceptance criteria