Giving you users (or systems) the least amount of privileged access is one of the three principles in the Zero Trust model. A role you might consider taking a closer look at is the Azure Stack Hub Operator.
Written by Bastiaan Wassenaar and Mark Scholman
Azure Stack Hub Admin Portal
Currently the permissions within the the admin portal is an “all or nothing” thing. The Operator needs to have Owner RBAC rights on the Default Provider Subscription. Some Operators only need, for example, to populate some Marketplace Items, have to run the update process or manage a specific resource provider. This means that 24/7 access to the Admin Portal is not specifically needed.
Wouldn’t it be good to have a PIM-like experience where you can temporary activate your Azure Stack Hub Operator role?
Introducing Azure Identity Governance
If you are using Azure AD P2 Licenses in your organization you can use Azure Identity Governance to create so called “Access Packages”. An Access Package can give you permanent or temporary membership to one or more Azure AD groups. An Access Package can be configured with approval stages or automatic approval.
This means that for example another Azure Stack Hub Operator or team member needs to approve the request if someone wants to enable the Azure Stack Hub Operator role.
This sounds a bit abstract all together, so let us put it in practice.
Step 1 – Prepare Azure AD and the Azure Stack Hub
In Azure Active Directory, create an Azure AD group called “AzureStackHubOperators-24h-access”.
In the Azure Stack Hub Admin Portal, add the group “AzureStackHubOperators-24h-access” to the Owner role in the Default Provider Subscription.
Step 2- Create an Access Package for 24 hour access
Go to the Azure Portal and Azure Identity Governance –> Catalogs –> General –> Resources and add the “AzureStackHubOperators-24h-access” AAD group to the Catalog.
Go to Identity Governance –> Access Packages and click Add new Access Package.
Enter the name and Description for the Access Package and click Next.
Add the AAD Group, give it the member role and click Next.
The following settings you can do as you like. But for now we use the following settings.
- For users in your directory
- All members (exlude guests)
- Require approval = No
- Enalbe = Yes
You can skip the requester information tab, but look at it to see what you can use if for. Go to Lifecycle.
Under Lifecycle set the following:
- Access package assignments expire to “Number of days”
- Assignments expire after “1” (one day)
- Allow users to extend access to “No”
- Require access reviews to “No”.
- Click Next to Review and Create.
Now click review and create and wait for the process to complete. It should be rater quick.
Step 4 – Request the Access Package
Go to the MyAccess portal and login with the user you want to use the Access Package with. https://myacess.microsoft.com/
Click on the big plus to request the access. You can write down a justification if you want. Click Submit.
Follow the process while your request is being processed.
The user will also receive an e-mail notification.
You will now see a member in the AAD group (and it is removed again after 24 hours).
You can now login to the Azure Stack Hub Admin Portal as usual (only for 24 hours)!
When your access expires you’ll receive the following e-mail.
If you have any questions about this post feel free to contact one of us:
Bastiaan Wassenaar
Mark Scholman