Administrative access to Azure Cloud Infrastructur...

Midude2000 · ‎11-29-2023

Our auditors are asking IT to show who has access to Azure Infrastructure. IT says that's a very broad ask. What they need to see is: everyone who has the ability administer IT logical access related items on Azure Cloud Infrastructure. What specific screens, settings should we be specifically asking for to review this kind of ability?

dcontesti · ‎11-29-2023

So that is a very broad ask. I believe they are working from an audit "cheat" sheet on audits.

I personally would push back a little and ask them to clarify their ask.

If we look at some of the roles in Azure: say

Contributor........the user is allowed to manage all resources, but does not allow you to assign roles

User access administrator ....allows one to manage user access to Azure resources.

Disk backup reader ....permission to backup

etc.

I think I would go back and ask the following questions?

1. Do you want to know who can create accounts. etc?

2. Do you want to see that users only have access to the resource that are essential to them (think RBAC here)

3. Are you looking to see how inbound and outbound traffic is controlled?

MHOO

d

denbesten · ‎11-29-2023

To Diana-Lynn's point, the auditors need to be clear in their ask, lest they find the answer overwhelming with irrelevant detail.

I would supply them the list of azure built-in roles and ask them to identify those which they would like you to retrieve membership. Or, perhaps, they could provide a powershell script that extracts the data they desire.

You might also take a look at Azure PIM. It has reporting they may find useful, but do be aware that it is pricy ($6+ per M365 user per month).

And if you want to mess with the auditors (fun, but risky), feel free to point out that I have "Azure Cloud Infrastructure" access and if they want it, they can to. All one needs to do is sign-up and give them a credit card number.

Early_Adopter · ‎11-30-2023

Internal audit or external audit..? Same questions but the stakes are different.

I guess as well as seeing what you have actually set it’s good to be ready to show them your access management process for requests and approvals and how that is governed.

tmekelburg1 · ‎12-01-2023

@Midude2000 wrote:
What they need to see is: everyone who has the ability administer IT logical access related items on Azure Cloud Infrastructure. What specific screens, settings should we be specifically asking for to review this kind of ability?

First, ask for clarification but I interpret this as requesting a comprehensive inventory of all individuals/entities with privileged access to Azure (Entra) resources. This includes users, groups, and systems with the ability to manage identities, access permissions, and privileged accounts. The reasoning is to see if anyone/system has unauthorized access to environment.

Microsoft Entra --> Identity --> Roles & Admins --> All Roles. You can download all administrative roles into a .CSV file for viewing.

Midude2000 · ‎12-04-2023

Thank you!

Midude2000 · ‎12-04-2023

haha! points well taken! especially the last piece of advice. Mess with them just a little bit..

Midude2000 · ‎12-04-2023

external audit - SOX auditors

Midude2000 · ‎12-04-2023

very helpful thank you!

sergeling · ‎12-05-2023

It's a very broad ask. If someone is familiar with azure and knows what to ask, they should ask for list of specific roles, such as Global Administrator, User Administrator....etc.

Like the Microsoft article suggested, there are many built-in roles. Some are related to Microsoft Entra, some are related to Azure

You can access the default Azure roles from Subscription>Access Control(IAM) to see the list of roles and assignment

You can access the default Microsoft Entra roles on the Roles and administrators page and export the list.

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

Administrative access to Azure Cloud Infrastructure - how to prove