Microsoft Azure’s hidden administrators

Rogier Dijkman
5 min readFeb 16, 2024

In this post I uncover the broad access and security risks of these hidden accounts: excessive privileges, lack of accountability, and potential unauthorized access. Although Microsoft is deprecating the assignment of these less visible roles in 2024, they still pose a security risk when they are not removed properly.

Dang! It has been quite a while since I wrote my last blog article here. It is not that I have been sitting still, but I will share more about that project later in another post.

Now that I have your attention, let's dive straight into the topic and waste no more of your precious time. If you have some spare time left, continue reading to the end of this post for the history and more in-depth information about these hidden role assignments.

Classic Administrators

The oversight of classic administrator roles is a significant challenge in Azure security. Despite their broad permissions, classic administrators often go unnoticed. Across the various environments I have observed over the last period, classic administrator roles are still assigned in 99% of all Azure subscriptions.

The issue

You might be curious about all the fuss, so let me explain further. One of the key issues is that classic administrator role assignments do not appear in a standard query that retrieves all role assignments at the subscription level.

Numerous administrators depend on automation to fetch and track role assignments in their Azure subscriptions, resulting in these assignments remaining unnoticed. Moreover, these accounts won’t be flagged in Defender for Cloud recommendations.

Example (Get-AzRoleAssignment, first without and then with the switch for classic roles):

[Image: Get-AzRoleAssignment output without the flag for classic roles]

As you can see in this example, the user appears to have no permissions in the Azure environment. But what if we add the extra parameter -IncludeClassicAdministrators to the cmdlet?

[Image: Get-AzRoleAssignment output including the flag for classic roles]

As shown in the image, the user r.dijkman@securehats.nl has the ServiceAdministrator role on the subscription. In other words, this user has the same privileges as an Owner!

To retrieve classic administrators through the REST API, you need to query a separate endpoint under the subscription's providers path: Microsoft.Authorization/classicAdministrators?api-version=2015-07-01

[Image: query of the classicAdministrators endpoint]
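The inventory script below is an added example and not code from the original post. It walks every enabled subscription visible to the current Az session and lists classic administrators twice: once through Get-AzRoleAssignment with -IncludeClassicAdministrators, and once through the dedicated classicAdministrators REST endpoint via Invoke-AzRestMethod, so that the two sources can be compared. It assumes the Az.Accounts and Az.Resources modules are installed, Connect-AzAccount has already been run, and the caller can read role assignments in each subscription; the function name Get-ClassicAdministrator is my own.

```powershell
# Added example (not from the original post). Assumes Az.Accounts + Az.Resources
# and an existing Connect-AzAccount session with read access to role assignments.

# The three classic roles; RBAC built-in roles such as "User Access Administrator"
# are deliberately NOT matched by a loose "Administrator" wildcard.
$classicRoles = @('ServiceAdministrator', 'AccountAdministrator', 'CoAdministrator')

function Get-ClassicAdministrator {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId
    )

    $null  = Set-AzContext -SubscriptionId $SubscriptionId
    $scope = "/subscriptions/$SubscriptionId"

    # 1. Cmdlet path: without -IncludeClassicAdministrators these entries are
    #    silently absent, which is exactly why most inventory scripts miss them.
    $assignments = Get-AzRoleAssignment -Scope $scope -IncludeClassicAdministrators -ErrorAction Stop

    foreach ($a in $assignments) {
        # Classic entries carry a ';'-separated role string such as
        # "ServiceAdministrator;AccountAdministrator", not an RBAC role definition.
        $roles = $a.RoleDefinitionName -split ';'
        if ($roles | Where-Object { $classicRoles -contains $_ }) {
            [pscustomobject]@{
                SubscriptionId = $SubscriptionId
                SignInName     = $a.SignInName
                ClassicRoles   = ($roles -join ',')
                Source         = 'Get-AzRoleAssignment'
            }
        }
    }

    # 2. REST path: the separate classicAdministrators endpoint (api-version 2015-07-01).
    $path = "$scope/providers/Microsoft.Authorization/classicAdministrators?api-version=2015-07-01"
    $resp = Invoke-AzRestMethod -Method GET -Path $path
    if ($resp.StatusCode -ne 200) {
        Write-Warning "classicAdministrators query failed for $SubscriptionId (HTTP $($resp.StatusCode))"
        return
    }
    foreach ($item in ($resp.Content | ConvertFrom-Json).value) {
        [pscustomobject]@{
            SubscriptionId = $SubscriptionId
            SignInName     = $item.properties.emailAddress
            ClassicRoles   = $item.properties.role
            Source         = 'REST classicAdministrators'
        }
    }
}

# Run across every enabled subscription and tabulate the findings.
Get-AzSubscription |
    Where-Object State -eq 'Enabled' |
    ForEach-Object { Get-ClassicAdministrator -SubscriptionId $_.Id } |
    Sort-Object SubscriptionId, SignInName |
    Format-Table -AutoSize
```

Any subscription that produces rows from the REST path but none from the cmdlet path (or vice versa) deserves a second look, since that is the blind spot an attacker would rely on for persistence. Keep the output as a baseline and diff it on a schedule; Defender for Cloud will not raise this for you.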

The Risk

The potential risk arising from attackers infiltrating an organization’s Azure environment via a classic administrator account is immense. With access granted through these roles, they can exfiltrate sensitive data, disrupt operations, and cause financial and reputational damage.

These role assignments also provide an opportunity for malicious actors to establish persistence within an environment while remaining undetected.

Early Azure Development

Before 2010, Microsoft Azure was known as Windows Azure and was still in the early stages of development. Its identity and access management (IAM) capabilities were limited compared to what exists today.

Access to Azure subscriptions and resources was primarily managed through a system of administrative credentials.

Azure Classic Administrators (ca. 2010)

As Azure matured and gained popularity, Microsoft introduced a new IAM model called Classic Administrators. It provided basic role-based access control: a set of predefined roles, Service Administrator, Account Administrator and Co-Administrator, each granting a different level of permissions within an Azure subscription.

While Classic Administrators provided some level of access control, the model was not flexible and lacked granularity. Users were limited to the predefined roles and could not create custom roles tailored to their specific needs.

Azure RBAC Model

The Azure Role-Based Access Control (RBAC) model was introduced in 2015, after the platform had been rebranded to Microsoft Azure in 2014. This model replaced the Classic Administrators model and provided more granular access control over Azure resources, allowing organizations to assign roles with specific permissions to users, groups, and applications within their environment.

This model also allows the creation of custom roles with finely tuned permissions. This made least-privilege access assignments, as we know them today, practical in Azure.

With the introduction of Azure RBAC, Microsoft encouraged users to migrate their access control configurations to the new model, away from the classic administrator model.

Deprecation of Classic Administrator model

Now, 14 years after the introduction of the Classic Administrator model and 9 years after the introduction of the Azure RBAC model, Microsoft is finally deprecating the old model.

Starting on March 26, 2024, it will no longer be possible to assign the classic administrator roles to users.

Substitute roles

To better understand the impact of the classic roles and how they compare with the current RBAC model, below is a short overview of the replacement roles.

Co-Administrator

The Co-Administrator role in the Classic Administrators model provided full access to manage resources within an Azure subscription, similar to the Service Administrator, but without access to billing and support information. No single Azure RBAC role maps exactly onto that, so you may need to assign multiple roles to achieve a similar level of access control.

1. Contributor Role: The Contributor role grants users permissions to manage resources within an Azure subscription, including creating, modifying, and deleting resources, but without permissions to manage access control, billing, or support.

2. Billing Reader Role: The Billing Reader role provides read-only access to billing information and cost management data within an Azure subscription. This role is suitable for users who need to view billing details but do not require permissions to modify billing configurations.

Account Administrator

The Account Administrator had the highest level of access within the Azure Account Center and was responsible for managing the billing and subscription-related tasks for an Azure account.

1. Owner: The Owner role provides full access to all resources within a subscription, similar to the Service Administrator role in the Classic Administrators model. Owners have the ability to manage resources, assign roles, and access billing information.

Service Administrator

Just like the Account Administrator, the substitute for the Service Administrator in the Azure RBAC model is the Owner role.
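To turn the mapping above into a migration step, here is an added example (not from the original post) that, for one subscription, looks up every classic administrator and assigns the substitute RBAC role(s) listed in this section, skipping any that are already in place. It only reports by default; -Apply performs the assignments. It assumes Az.Resources, a signed-in session holding Owner or User Access Administrator on the subscription, and that each classic administrator's sign-in name resolves to a user in the tenant (guest or external accounts may need -ObjectId instead). The $substitute table follows the post's mapping; adjust it to your own least-privilege policy.

```powershell
# Added example (not from the original post). Run as a script:
#   .\Migrate-ClassicAdmin.ps1 -SubscriptionId <guid>            # report only
#   .\Migrate-ClassicAdmin.ps1 -SubscriptionId <guid> -Apply     # create assignments
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [switch] $Apply
)

# Substitute roles as described in the post; tune to your own policy.
$substitute = @{
    'CoAdministrator'      = @('Contributor', 'Billing Reader')
    'AccountAdministrator' = @('Owner')
    'ServiceAdministrator' = @('Owner')
}

function Test-ClassicAssignment($Assignment) {
    # Classic entries expose a ';'-separated role string; exact key match avoids
    # catching RBAC roles like "User Access Administrator".
    foreach ($r in ($Assignment.RoleDefinitionName -split ';')) {
        if ($substitute.ContainsKey($r)) { return $true }
    }
    return $false
}

$null  = Set-AzContext -SubscriptionId $SubscriptionId
$scope = "/subscriptions/$SubscriptionId"
$all   = Get-AzRoleAssignment -Scope $scope -IncludeClassicAdministrators -ErrorAction Stop

$classic = $all | Where-Object { Test-ClassicAssignment $_ }
$rbac    = $all | Where-Object { -not (Test-ClassicAssignment $_) }

if (-not $classic) { "No classic administrators found on $scope"; return }

foreach ($c in $classic) {
    # Union of the substitute roles for every classic role this identity holds.
    $needed = foreach ($r in ($c.RoleDefinitionName -split ';')) { $substitute[$r] }
    $needed = $needed | Select-Object -Unique

    foreach ($role in $needed) {
        $have = $rbac | Where-Object {
            $_.SignInName -eq $c.SignInName -and
            $_.RoleDefinitionName -eq $role -and
            $_.Scope -eq $scope
        }
        if ($have) { "$($c.SignInName): already has $role at subscription scope"; continue }

        if ($Apply) {
            $null = New-AzRoleAssignment -SignInName $c.SignInName -RoleDefinitionName $role -Scope $scope
            "$($c.SignInName): assigned $role"
        } else {
            "$($c.SignInName): would assign $role (re-run with -Apply)"
        }
    }
    "$($c.SignInName): classic role(s) '$($c.RoleDefinitionName)' still present; remove once the RBAC assignment is verified"
}
```

Creating the RBAC assignment does not remove the classic one, so the last line of each block is the reminder that matters: until the classic role is gone, the hidden Owner-equivalent access described earlier is still there.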

Summary

Classic administrator roles in Azure pose a significant security risk. Despite their deprecation, these roles are still widely assigned and often go unnoticed.

Automation that tracks role assignments must explicitly include classic administrators, because these accounts otherwise evade detection, even in Defender for Cloud recommendations. Transitioning to Azure RBAC offers better access control and more visibility, and mitigates these risks effectively.


Rogier Dijkman

Microsoft Security MVP | Azure | GitHub | Principal Consultant Cloud Security | Marathoner | passionate about Microsoft Security