General
This alarm is triggered when an administrator authorizes a new GDAP relationship.
Rationale
GDAP stands for Granular Delegated Admin Privileges. The purpose of a GDAP relationship is to grant an external management party (for example a managed service provider) the necessary rights in your Microsoft 365 environment. A new GDAP relationship can therefore be perfectly legitimate. However, such authorizations can also be exploited by attackers: for an attacker, a GDAP relationship with a tenant is a way to maintain long-term, high-privileged access that does not depend on any single compromised account and easily goes unnoticed.
Therefore, it is advisable to validate each new GDAP relationship, hence this alarm.
Follow-up
Follow these steps to adequately respond to this detection:
- Check with the administrator in question whether the GDAP relationship was intentionally established.
- If not: consider the administrator account as compromised:
  - Reset the administrator's password.
  - Revoke all logged-in sessions of the administrator.
  - Remove the GDAP relationship as follows:
    - Log in to https://admin.microsoft.com with Global Admin rights.
    - Go to Settings, then Partner Relationships (direct link).
    - Find the new GDAP relationship and remove it by clicking the three dots next to the name of the relationship and then choosing Remove Role.
  - Consider conducting an Attic Tier2 investigation to learn more about the attack (who, what, when, where, why, how?). This is strongly advised since the executing user has admin rights.
- If yes: close the Attic incident as resolved.
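The two containment steps in the list above (password reset and session revocation) can be scripted with the Microsoft Graph PowerShell SDK so they happen in one go while the relationship is removed in the portal. The script below is an added example and is not part of the original alarm documentation or of Attic; it assumes the Microsoft.Graph modules are installed, that the executing account holds Global Administrator rights, and the `-AdminUpn` value is a placeholder for the administrator who authorized the relationship.

```powershell
# Added example: contain a suspected-compromised administrator after an unexpected GDAP authorization.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller is a Global Administrator
# signed in with a DIFFERENT account than the one being contained (revoking your own sessions
# would sign you out mid-procedure).
param(
    [Parameter(Mandatory = $true)]
    [string]$AdminUpn   # placeholder, e.g. 'admin@contoso.onmicrosoft.com'
)

# Delegated scopes needed to reset another user's password and revoke their refresh tokens.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'

# 1. Confirm the account exists and record its object id for the incident notes.
$user = Get-MgUser -UserId $AdminUpn -Property Id, UserPrincipalName, AccountEnabled
Write-Host "Containing $($user.UserPrincipalName) (object id $($user.Id))"

# 2. Reset the password to a random value and force a change at next sign-in.
#    The value is deliberately not stored; the legitimate owner recovers through the normal
#    help-desk reset process once the incident is handled.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# 3. Revoke all sign-in sessions. This invalidates the user's refresh tokens, so every existing
#    session (browser, Outlook, mobile, PowerShell) must re-authenticate with the new password.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

Write-Host 'Password reset and sessions revoked.'
Write-Host 'Next: remove the GDAP relationship under Settings > Partner relationships in'
Write-Host 'https://admin.microsoft.com (three dots > Remove Role), then start the Tier2 investigation.'
```

Keep the order as written: resetting the password before revoking sessions means any token refreshed in the short gap between the two calls still cannot obtain a new session with the old credential. Access tokens already issued remain valid until they expire (typically up to an hour), which is why removing the GDAP relationship itself in the portal should not wait for the session revocation to fully take effect.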