
Determine if the recommended new AAD baseline policy "Number of users with the highest privilege roles shall be limited" is still necessary? #282

Open
1 of 5 tasks
tkol2022 opened this issue Apr 25, 2023 · 7 comments
Labels
  • baseline-document: Issues relating to the text in the baseline documents themselves
  • blocked: This issue or pull request is awaiting the outcome of another issue or pull request
  • enhancement: This issue or pull request will add new or improve existing functionality
Milestone

Comments

@tkol2022
Collaborator

tkol2022 commented Apr 25, 2023

💡 Summary

We have a policy MS.AAD.7.1v1 "A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role."
During the RFC period, Microsoft recommended adding a related AAD baseline policy to section 7 to cover other privileged roles: "A maximum of X users SHALL be provisioned with highly privileged roles."

12/20/2023

It has been several months since this issue was created and we need to determine if a new policy still makes sense. I updated the action items below.

  • Microsoft added a new best practice feature to AAD which impacts how we design the policy in Scuba. Limit the number of privileged role assignments to less than 10.
  • Since this issue was created we started working on coding a related policy MS.AAD.7.2v1 "Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator".

Rationale

Cyber attackers can abuse other privileged roles (not just Global Admin) to perform risky operations such as adding service principals and credentials to the tenant to perform attacks such as stealing email, documents, etc. For example, the Cloud Application Administrator role can perform these types of operations.

Actions

  • Document the feedback from CISA on the questions above. In May CISA agreed that a new policy was reasonable.
  • Get input from Microsoft regarding how they came up with their recommendation not to exceed 10 privileged role assignments.
  • Examine the data from the CISA agency pilots to see how many non-Global Admin privileged roles they have in their tenants. This data will help make a decision.
  • Get input from CISA regarding whether a new policy is still necessary. Since we already have a policy that examines least privilege with respect to Global Admin and non-Global Admin privileged roles, is an additional policy that stipulates a specific maximum number of privileged users a bridge too far? Part of the concern is that we may not be able to stipulate a specific maximum number that would work for all tenant sizes (small to large).
  • If a new policy is agreed upon, create the baseline document issue and ScubaGear code issue for the policy check.
@tkol2022 tkol2022 added blocked This issue or pull request is awaiting the outcome of another issue or pull request baseline-document Issues relating to the text in the baseline documents themselves labels Apr 25, 2023
@tkol2022 tkol2022 added this to the Emerald milestone Apr 25, 2023
@tkol2022 tkol2022 assigned tkol2022 and unassigned tkol2022 Apr 25, 2023
@gdasher
Collaborator

gdasher commented May 3, 2023

I think expanding the numerical limits to highly privileged roles is sensible. The group should discuss per-role or global limits and determine a recommendation (i.e. "X per role" versus "total of X unique users across all roles"). I would make them high enough to not be super disruptive. Suggest analyzing the data from the pilots and choosing a value that would work for the agencies that we feel are appropriately leveraging least privilege.

@tkol2022 tkol2022 changed the title Question - Recommended new AAD baseline policy - Number of users with the highest privilege roles shall be limited Recommended new AAD baseline policy - Number of users with the highest privilege roles shall be limited May 11, 2023
@tkol2022 tkol2022 added enhancement This issue or pull request will add new or improve existing functionality and removed blocked This issue or pull request is awaiting the outcome of another issue or pull request labels May 11, 2023
@tkol2022
Collaborator Author

This was discussed at the stand-up. Agreement was to place this into the backlog for future consideration as a potential new policy. Right now we have our hands full with Emerald; there are mitigating controls with PIM already included in the baseline related to privileged roles, and we have refined the number-of-Global-Admins requirement.

@tkol2022 tkol2022 modified the milestones: Emerald, Backlog May 11, 2023
@tkol2022 tkol2022 changed the title Recommended new AAD baseline policy - Number of users with the highest privilege roles shall be limited Determine if the recommended new AAD baseline policy "Number of users with the highest privilege roles shall be limited" is still necessary? Dec 20, 2023
@schrolla schrolla modified the milestones: Glacier, Halibut Feb 15, 2024
@tkol2022
Collaborator Author

Screenshots for context

Adding some screenshots which show the context of this issue.


@tkol2022
Collaborator Author

Decision deferred - Update 2/20/2024

Although some actions from this issue are actively being worked on at this time, a decision on whether a new baseline policy is warranted has been deferred to the Halibut release. One of the factors influencing this deferral is #540, which could expand the number of roles that Scuba considers highly privileged.

@tkol2022
Collaborator Author

@ahuynhMITRE Can you please check the provider JSON files from the pilots and get an average number of highly privileged users for each agency? Count the users in the privileged_users hashtable and only count users that are NOT assigned to Global Admin. Thanks!
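A worked example, added here and not ScubaGear's own code, of the count requested in the comment above and of the "per role" versus "unique users across all roles" totals discussed earlier in the thread. The JSON shape (a `privileged_users` hashtable keyed by user id whose value carries a `roles` list) and the sample data are assumptions constructed for the example; adjust the field names to match the real provider output.

```python
import json
from collections import Counter

# Constructed sample modelled on the assumed shape of the provider JSON.
# Field names are an assumption, not taken from the project.
SAMPLE_PROVIDER_JSON = json.dumps({
    "privileged_users": {
        "user-0001": {"DisplayName": "Alice", "roles": ["Global Administrator"]},
        "user-0002": {"DisplayName": "Bob", "roles": ["Global Administrator", "Exchange Administrator"]},
        "user-0003": {"DisplayName": "Carol", "roles": ["Cloud Application Administrator"]},
        "user-0004": {"DisplayName": "Dan", "roles": ["Cloud Application Administrator", "Privileged Role Administrator"]},
        "user-0005": {"DisplayName": "Eve", "roles": ["Exchange Administrator"]},
    }
})

GLOBAL_ADMIN = "Global Administrator"


def count_non_ga_privileged(provider_json: str):
    """Return (unique_count, per_role_counts) for privileged users who do NOT hold Global Administrator.

    A user holding Global Administrator is excluded entirely, even if they also
    hold other privileged roles, matching the counting rule asked for above.
    """
    data = json.loads(provider_json)
    users = data.get("privileged_users", {})
    non_ga_ids = set()
    per_role = Counter()
    for user_id, info in users.items():
        roles = set(info.get("roles", []))
        if GLOBAL_ADMIN in roles:
            continue
        non_ga_ids.add(user_id)       # "total of X unique users across all roles"
        per_role.update(roles)        # "X per role" (a user counts once per role held)
    return len(non_ga_ids), dict(per_role)


def exceeds_limit(unique_count: int, limit: int = 10) -> bool:
    """True when the unique non-GA privileged user count is not 'less than limit'."""
    return unique_count >= limit


def average_non_ga(provider_jsons):
    """Average the unique non-GA privileged user count across several tenants' provider files."""
    counts = [count_non_ga_privileged(j)[0] for j in provider_jsons]
    return sum(counts) / len(counts) if counts else 0.0
```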

@tkol2022
Collaborator Author

pinging @ahuynhMITRE

@tkol2022 tkol2022 added the blocked This issue or pull request is awaiting the outcome of another issue or pull request label Sep 25, 2024
@tkol2022 tkol2022 modified the milestones: Jellyfish, Backlog Sep 25, 2024
@tkol2022
Collaborator Author

I moved this to the backlog and made it blocked until the completion of #1330, since only then will we have a revised list of privileged roles, which will determine the impacts of creating the new Scuba policy described in this issue. Also, if we do decide to add this new policy, it probably makes sense to make it a SHOULD because I think it will be hard to designate a specific number that would make sense to agencies of different sizes. Larger agencies will inevitably have more privileged assignments. Also, I believe Microsoft is counting "Active" assignments, not Eligible, which means that their count is only users that are currently (i.e. as the report is run) assigned to a privileged role. I am not sure if they are only counting "permanent" Active assignments or if the count also includes temporary (via PIM) active assignments. We would need to run some tests in a small tenant with PIM to determine that.
