Skip to content

Home

Protect Your Privilege with PAW

According to the Microsoft Digital Defense Report 2022, weak identity controls are listed as a top three contributing factors found during ransomware incident response. One particularly troubling finding within identity controls is the lack of Privileged Access Workstations (PAW) found in any response engagement:

None of the impacted organizations implemented proper administrative credential segregation and least privilege access principals via dedicated workstations during the management of their critical identity and high-value assets, such as proprietary systems and business-critical applications.

Microsoft Digital Defense Report 2022, page 15 (Microsoft Digital Defense Report 2022 | Microsoft Security)

The report does not speculate as to why the organizations were not using PAW, but for anyone seasoned out there in the world of consultancy the answers will look like:

  • Lack of time/budget/resources/priority
  • Lack of understanding and education
  • Lack of sufficient desire to change privileged administrative behavior
  • Belief that they have other sufficient compensating controls

And these all really relate to each other – if you don’t understand what a PAW is, you can easily believe other solutions such as PIM or PAM will sufficiently fill the gap. Likewise, if you don’t understand how to articulate the value and principles behind PAW, it’s difficult to run it up the chain to ensure that it has priority. Even in those instances where you may have a decent understanding of PAW, but as an admin don’t want to change your working behavior – it’s understandable, it’s human to not want to change without knowing why.

Awareness is the first principle of ADKAR (The Prosci ADKAR Model: Why it Works). May this article build that awareness, so you’ll come out of it with the second principle, desire.

The nOAuth “flaw” is a symptom of industry antipatterns

If you haven’t followed the news recently, Descope released an article diving into how their security researchers were able to abuse OpenID Connect (OIDC) ID token claims to spoof the user they are authenticating as for multi-tenant SaaS applications. You can read their research article here, nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover (descope.com).

In conjunction with this, Microsoft has updated developer guidance for OpenID Connect and SAML assertions, and provided a blog post covering all of this, which can be found here, The False Identifier Anti-pattern (microsoft.com).

Multi-tenant SaaS applications are those applications, such as Canva or Sessionize, which allow you to authenticate with your Microsoft or Office 365 account. Without getting off track, this is what allows SaaS application vendors to develop applications that can integrate with an organizations Azure Active Directory environment requiring no effort on the part of administrators.

Figure 1

The Sessionize authentication screen allowing a user to select their identity provider.

And as it goes whenever there is a security problem, someone must fall on the sword. In this case Microsoft is taking the hit; unfortunately most new articles are incorrectly reporting on this as an Azure AD “flaw” that Microsoft had to “fix”. Kudos to Kurt Mackie (@kurmac) at Redmond Mag for being the only article to accurately report on this problem, which you can find here, Microsoft Advises App Developers About ‘nOAuth’ Attack Route — Redmondmag.com. To be fair, Microsoft isn’t completely innocent, as it took a case like this to really have them sharpen their guidance from a bit of a softer stance, but this is not really a technical flaw. I suppose we can’t blame others for not wanting to write articles about developers using antipatterns.

Identiverse 2023: Recap And Highlights

Going to a conference like Identiverse is a privilege, even if the travel is funded by airline and hotel miles earned by the feverish pace of pre-COVID travel from my time at Microsoft. The recommendation that every identity and security practitioner should try to attend at least one Identiverse in their career comes with the understanding that the means of doing so could vary greatly. But for those that can – you should absolutely put Identiverse 2024 on your priority list of big conferences to attend, especially for those within North America.

While I take in security content, and sometimes speak at regional events, as an identity practitioner there was no greater clarity provided on some hot topic items than at Identiverse this year. And despite working and living primarily in the Microsoft ecosystem of identity, a few of the most poignant sessions were from those who are not within that ecosystem at all; looking at identity from the angle of a pure practitioner is something that is a growth mindset activity.

Figure 1

With my new friend and Entra identity wiz, Chris Brumm (@cbrhh)

March 23rd, 2023: The Day Everyone Came From Uzbekistan

According to Wikipedia, Toshkent (or Tashkent) is the largest city in, as well as the capital of, Uzbekistan, a country located in Central Asia. The city sports a population of 2.9 million people.

Except for March 23rd, 2023. The day that everyone came from Toshkent City, UZ, at least according to Azure Active Directory.

Note

Not necessarily everyone may have been indicated as coming from Toshkent City, but incident MO531859 was globally impacting users.

Figure 1

#WeAreAllUzbekistan

  • in Entra ID
  • 18 min read

Entra App Registrations and Enterprise Applications: The Definitive Guide

For those that must manage application integrations in Entra ID, it’s an inevitable question: What is the difference between an App Registration and an Enterprise Application? Why are there two different management blades? Why do I see some applications in both places?

I’ll admit that this is not the first take at answering this question, and there are already some good answers out there. Microsoft breaks things down here, Apps & service principals in Azure AD – Microsoft Entra | Microsoft Learn, with a decent visual at the end.

Marilee Turscak also has an excellent breakdown here, The Differences Between App Registrations, Enterprise Applications, and Service Principals in Azure AD | Marilee Turscak.

And John Savill has fantastic video published covering this as well, Azure AD App Registrations, Enterprise Apps and Service Principals – YouTube.

As John points out in his video, the understanding of App Registrations and Enterprise Apps can further be enhanced by understanding OpenID Connect and OAuth 2.0 flows. This is especially important for identity professionals and ITPros who may come from a sysadmin background. Modern authentication flows and concepts may feel foreign to folks who built their career on identity platforms such as Active Directory.

For those that find it easiest to learn by doing, if you want to play around with App Registrations, Enterprise Apps and Service Principals, but don’t want to mess with your prod environment, sign up for an M365 Developer account, to have your own free tenant to work with here, Developer Program | Microsoft 365 Dev Center.

We’ll start with some definitions, and then try to walk through various scenarios that you may encounter. If you don’t see your question answered within the definitions, keep reading… we’ll try to hit on all the areas here.