General
Within Entra ID, there are hidden administrative roles that bypass security configurations such as multi-factor authentication. This check verifies whether one of these roles is assigned to (new) users.
Rationale
These hidden roles exist for specific legitimate functionality. They should not be used for any other purpose, but they can be abused by attackers to grant themselves high privileges unnoticed.
These roles should not be assigned at all, and will always trigger an alarm in Attic when assigned:
- Partner Tier1 Support
- Partner Tier2 Support
These roles are only needed for a hybrid setup of Exchange, and even then they should be assigned to at most one account. The check triggers an alarm if directory synchronization is not in use but the role is still assigned:
- Directory Synchronization Accounts
- On Premises Directory Sync Account
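The following audit script is an added example, not Attic's own code: it reproduces the logic of the check described above by listing the members of the four hidden roles and flagging the assignments that should raise an alarm. It assumes the AzureAD PowerShell module is installed and that Get-AzureADTenantDetail exposes a DirSyncEnabled property.

```powershell
# Added audit example (not Attic's own code): lists members of the hidden
# roles discussed above and flags those that should raise an alarm.
# Assumes the AzureAD PowerShell module is installed.
Connect-AzureAD | Out-Null

# Roles that must never be assigned to anyone.
$alwaysAlarm = @('Partner Tier1 Support', 'Partner Tier2 Support')
# Roles that are acceptable only when directory synchronization is in use,
# and then for at most one account.
$syncOnly = @('Directory Synchronization Accounts', 'On Premises Directory Sync Account')

# Assumption: the tenant detail object exposes DirSyncEnabled.
$dirSyncEnabled = [bool](Get-AzureADTenantDetail).DirSyncEnabled

# Get-AzureADDirectoryRole returns only roles that have been activated in the
# tenant; a role that was never activated cannot have members, so skipping it is safe.
$roles = Get-AzureADDirectoryRole |
    Where-Object { ($alwaysAlarm + $syncOnly) -contains $_.DisplayName }

$findings = foreach ($role in $roles) {
    $members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
    foreach ($m in $members) {
        if ($alwaysAlarm -contains $role.DisplayName) {
            $reason = 'role must never be assigned'
        } elseif (-not $dirSyncEnabled) {
            $reason = 'directory synchronization is not in use'
        } elseif ($members.Count -gt 1) {
            $reason = 'more than one account holds this role'
        } else {
            $reason = $null   # single sync account in a synced tenant: expected
        }
        # Members can be service principals, which have no UserPrincipalName.
        $name = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
        [pscustomobject]@{
            Role     = $role.DisplayName
            Member   = $name
            ObjectId = $m.ObjectId
            Alarm    = [bool]$reason
            Reason   = $reason
        }
    }
}

$findings | Format-Table -AutoSize
"Alarms: $(@($findings | Where-Object Alarm).Count)"
```

Any row with Alarm set to True corresponds to a situation in which the check described above would raise an alarm.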
Manual Instructions
Follow these steps to remove the incorrectly assigned role(s). Since these are invisible roles, this can only be done using PowerShell.
In this script, replace the placeholders <ROLENAME> and <USERNAME@COMPANY> with the values from the incident.
# Connect to the tenant first (the AzureAD module prompts for credentials).
Connect-AzureAD
# Select the role by display name; Get-AzureADDirectoryRole returns only activated roles.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "<ROLENAME>" }
$user = Get-AzureADUser -ObjectId "<USERNAME@COMPANY>"
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
The exact PowerShell command is complex and varies per Microsoft 365 organization, so contact us in the ticket to have the correct command executed.
Furthermore, it is strongly advisable to start an incident response process and investigate this role assignment thoroughly. There is a reasonable chance that it is part of a larger cyberattack that has had other consequences. An investigation must determine whether this is the case and identify the specific follow-up actions required.