Hello, dear readers! My name is Hélder Pinto, I am an Azure Infra Customer Engineer based in Portugal, working mostly with customers in Western Europe, and I am back here to share with you some useful tools to help you better manage your Azure Infrastructure. Today, I am writing about Azure Identities and Roles and how the Azure Optimization Engine can help you gain better visibility about your Azure users and applications as well as the roles they own both in Azure and Azure AD.
How many times have you asked yourself:
- How many Owners do we have across our Azure subscriptions or how many Global Administrators do we have in our Azure AD tenant?
- Which roles does user X or application Y have in Azure and Azure AD?
- How many Azure AD service principals do we have, and which roles do they have in Azure and Azure AD?
- Do we have service principals with credentials that are about to expire and break some application?
- Do we have service principals with credentials that are not rotated, i.e., expiring very far in the future, and pose a security risk (for example, someone leaves the company and takes those highly privileged credentials with her/him)?
- For how long has user X or application Y had this specific role assigned?
Answering these questions is not straightforward, especially if you have an Azure environment made of tens of subscriptions and thousands of users and service principals. The Azure portal exposes all this information, but it is not designed to answer these questions at scale and in a centralized way. For this reason, I built a solution that periodically exports, to a Log Analytics workspace, all Azure AD identities (users, groups, and applications) and the roles they own in Azure and Azure AD. With this information available in an easily queryable repository, we can build an interesting Azure Monitor Workbook such as the one I’ll describe in the next paragraphs. At the end, I’ll tell you how to deploy this solution.
Identities and Roles Workbook
The Identities and Roles Workbook starts with a summary header displaying the Azure AD objects count as well as a count of the roles these objects have both in Azure and Azure AD.
The workbook is then divided into three main tabs, dedicated to the following perspectives: Azure AD application credentials, Azure AD roles and Azure Resource Manager roles. Looking at the first one, inside the Azure AD Credentials tab, we find three more sub-tabs, the first of which is dedicated to application credentials that are about to expire. The expiration time range is adjustable as a filter. If you click on a specific credential, you can also verify which Azure AD/RM roles and scope this credential has.
The next tab is about credentials that will not expire anytime soon and thus pose a security risk, as they’ll not be rotated often enough. If any of those credentials owns a role in Azure AD/RM, you’ll see a warning sign and you’ll be able to know more by clicking on the credential record.
The last sub-tab of the Azure AD Credentials section is dedicated to credentials that have already expired and that may be breaking some application or may not be needed anymore and thus can be deleted.
Moving on to the Azure AD Roles main tab, we’ll find all the directory objects that have some role in Azure AD. You can filter by role or by object type (Service Principal or User). As you can see in the screenshot below, only currently assigned roles can be used as a filter.
When you click on an object/role record, you can check for how long that role has been granted. This information depends on the History Range filter you chose and, of course, on the data retention settings you defined for the Log Analytics workspace. For many views in this workbook, you can also export the results as an Excel file.
The last tab is dedicated to Azure Resource Manager roles. It will show you every single role that is assigned to users and service principals, no matter the scope (Management Group, Subscription, or even more granular scopes). In this view, as well as in the Azure AD Roles view, you can search for a specific term, such as a username. If the user or the service principal has an indirect role assignment coming from an Azure AD group assignment, you’ll also see that indication and the respective group name in the Assignment column.
If we were directly querying the Microsoft Graph or the Azure RM APIs to collect all this information, the workbook would take ages to load and would probably fail in larger environments. Bringing this information into a Log Analytics workspace makes it much easier to query and visualize, and gives you richer insights, such as easily correlating data or getting a historical perspective of how your identities and roles evolve over time.
How to deploy the solution
To get the Identities and Roles workbook, you must deploy the Azure Optimization Engine (AOE), a free monitoring and governance tool that does much more than just collecting identities and roles data. It only needs a few, cheap Azure resources to run (Log Analytics workspace, Automation Account, Storage Account, and a small SQL Database) and it brings you lots of recommendations and can even be used to automate remediation. If you just want the Identities and Roles workbook, you can simply disable the unrelated Automation schedules and keep the costs down to less than a couple of USD/month for an environment with 10K objects and 10K role assignments.
OK, to deploy AOE, you must go ahead and download or clone the repository from GitHub and run the deployment script. You have detailed instructions on the project page, but these can be summarized as follows:
- Open the Azure Cloud Shell (PowerShell) from a user account that can grant a role to others in Azure AD (e.g., Global Administrator or Privileged Role Administrator) and in the Azure subscription you choose to host the Azure Optimization Engine (Owner role). Then execute the instructions in the next steps.
- git clone https://github.com/helderpinto/AzureOptimizationEngine.git azureoptimizationengine
- cd azureoptimizationengine
- Install-Module Microsoft.Graph.Authentication,Microsoft.Graph.Identity.DirectoryManagement
- Input your deployment options and let the deployment finish (it will take less than 5 minutes)
After the deployment, you’ll have to wait for the Automation jobs to complete, so that the information from your Azure environment starts flowing into the Log Analytics workspace. After a couple of hours, you should be able to open the Identities and Roles Workbook from the Log Analytics workspace you used for the Azure Optimization Engine. This data is updated once every 24 hours and is kept in your workspace for as long as the retention period you configured.
Due to memory restrictions on the Azure Automation sandboxes, if your Azure AD has more than 50K users, groups or applications, the Azure AD export jobs may be suspended and you will end up with incomplete information. To work around this limitation, you must implement an Azure Automation Hybrid Worker and schedule your jobs to run in a Hybrid Worker group with more compute resources.
As this solution is based on two custom Log Analytics tables (AzureOptimizationAADObjectsV1_CL and AzureOptimizationRBACAssignmentsV1_CL), you can extend it to whatever your needs are, such as creating Azure Monitor alerts (e.g., for new role assignments that have been granted in the past 24h, for credentials that are about to expire, etc.), creating new views over the data or extending the Identities and Roles Workbook with more perspectives. Contributions are welcome! Just fork the AOE repository and then submit a pull request!
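As an added example of the "new role assignments in the past 24h" alert idea (this query is mine, not part of the AOE project), the KQL below diffs the two most recent daily exports in AzureOptimizationRBACAssignmentsV1_CL and enriches the result from AzureOptimizationAADObjectsV1_CL. The column names PrincipalId_s, RoleDefinition_s, Scope_s, Model_s, ObjectId_g, DisplayName_s and ObjectType_s are assumptions; verify them against your workspace with getschema before using it as an alert condition.

```kusto
// Snapshot diff: role assignments present in the latest daily export but absent
// from the one before it. Column names are assumed; check with:
//   AzureOptimizationRBACAssignmentsV1_CL | getschema
let Assignments = AzureOptimizationRBACAssignmentsV1_CL
    | extend SnapshotDay = bin(TimeGenerated, 1d)
    | project SnapshotDay, PrincipalId_s, RoleDefinition_s, Scope_s, Model_s
    | distinct *;
let LatestDay = toscalar(Assignments | summarize max(SnapshotDay));
let PreviousDay = toscalar(Assignments
    | where SnapshotDay < LatestDay
    | summarize max(SnapshotDay));
// Latest identity snapshot, keyed by object id so it can be joined to the principal
let Identities = AzureOptimizationAADObjectsV1_CL
    | where TimeGenerated >= LatestDay
    | summarize arg_max(TimeGenerated, DisplayName_s, ObjectType_s) by ObjectId_g
    | extend PrincipalId_s = tostring(ObjectId_g)
    | project PrincipalId_s, DisplayName_s, ObjectType_s;
Assignments
| where SnapshotDay == LatestDay
// leftanti keeps only rows with no match in the previous snapshot: the new grants
| join kind=leftanti (Assignments | where SnapshotDay == PreviousDay)
    on PrincipalId_s, RoleDefinition_s, Scope_s, Model_s
| join kind=leftouter Identities on PrincipalId_s
| project SnapshotDay, Model_s, RoleDefinition_s, Scope_s,
          PrincipalId_s, DisplayName_s, ObjectType_s
| order by Model_s asc, RoleDefinition_s asc
```

Schedule the alert rule to evaluate once a day, after the export runbooks have finished, so that both snapshots are complete when the comparison runs.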
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.