Azure service accounts are a way to manage access to Azure resources, allowing you to control who can use and manage those resources.
Service accounts are essentially a type of identity in Azure Active Directory (Azure AD), which is used to authenticate and authorize access to Azure resources.
Each service account has a unique ID and can be associated with a specific Azure subscription.
A service account can be used to assign roles to users or groups, giving them specific permissions to manage Azure resources.
You can create multiple service accounts in Azure AD, each with its own set of permissions and access levels.
Service accounts can be used to manage access to Azure resources such as storage accounts, virtual machines, and databases.
Azure Service Account Best Practices
To keep your Azure service account secure, it's best to avoid hardcoding service principal credentials in your code. Instead, use environment variables or a secure configuration store to manage your secrets.
Limiting the scope of each service principal is crucial, so make sure to assign only the necessary role assignments based on the required permissions.
Rotating service principal secrets regularly is a must, as it improves security posture and reduces the risk of compromise.
Use RBAC auditing to monitor role assignments on your resources and identify any unauthorized changes.
Understanding Azure Service Accounts
Azure service accounts are used to support specific operations in Azure DevOps. They are generated by the system and added at the organization or collection level.
A service account can perform operations on behalf of other users or services, making it a powerful tool for automation and integration. It can also trigger project alert events within the collection and view system synchronization information.
The system generates several types of service accounts, including Agent Pool Service, Azure Boards, PipelinesSDK, ProjectName Build Service, and Project Collection Build Service. Each of these accounts has specific permissions and responsibilities, such as listening to the message queue, managing links between GitHub and Azure Boards, and running build services.
Here are some key characteristics of service accounts in Azure DevOps:
- Agent Pool Service: Listens to the message queue for the specific pool to receive work.
- Azure Boards: Manages the link creation between GitHub and Azure Boards.
- PipelinesSDK: Supports the Pipelines policy service scope tokens and has read-only permissions to pipeline resources.
- ProjectName Build Service: Runs build services for the project and is a legacy user used for XAML builds.
- Project Collection Build Service: Runs build services for the collection.
What Are Azure Service Accounts
Azure service accounts are a type of identity that can perform operations on behalf of other users or services. They're added to support specific operations, such as Azure Boards read/write operations and updating work items when GitHub objects change.
These service accounts are automatically added at the organization or collection level, and you shouldn't need to manage their members directly. The different types of service accounts and their permissions are listed above under Understanding Azure Service Accounts.
Service accounts can also trigger project alert events within the collection, call the synchronization application programming interfaces, and delete and restore work items or delete work items in a project. They're ideal for use in scenarios where automation is required, such as CI/CD pipelines.
Why Use an Azure Service Account
Using an Azure Service Account provides several benefits for managing your Azure resources effectively. It allows you to separate identity from the applications or services that require access to resources, reducing the risk of unauthorized access by end-users.
This separation of identity is crucial for secure management of all elements in your Azure environment, helping to prevent cyber-attacks. By creating multiple service principals with varying degrees of permissions, you can grant project teams granular control over their own applications/resources without compromising overall data security.
Using Azure Service Accounts with APIs and applications is ideal when you have a multi-tier architecture that requires secure communication between different tiers. This is especially useful when a web application needs to communicate with a backend API hosted on Azure Functions or App Service.
Creating a service principal with specific role assignments, such as Contributor, allows automation scripts to automatically access resources without requiring human intervention. This streamlines resource management and improves operational efficiency.
Use AD Connect
You can use Azure AD Connect to synchronize users and groups between Active Directory and Azure AD.
Azure AD Connect and Azure AD cloud synchronization settings can be found via the “Azure Active Directory\Azure AD Connect” menu item in the Azure Active Directory admin center.
The Azure AD admin center can be accessed via the URL https://aad.portal.azure.com.
Azure AD Connect cloud sync requires agent software on an on-premises server; the agent acts as the bridge that connects Active Directory to Azure AD.
The deployment configuration is stored in Azure AD and managed as part of the service, with all tasks stored and performed in the cloud.
Azure AD Connect cloud sync can be used in parallel with Azure AD Connect, allowing for flexibility in your synchronization setup.
Managing Azure Service Accounts
Managing Azure Service Accounts requires attention to detail and a clear understanding of their role in your system. Service accounts can perform operations on behalf of other users or services, making them a crucial component of Azure DevOps.
There are several types of service accounts, each with its own set of permissions. For example, the Agent Pool Service has permission to listen to the message queue for the specific pool to receive work, while the Azure Boards service account is responsible for managing the link creation between GitHub and Azure Boards.
To manage your service accounts effectively, it's essential to keep track of who has access to each one and regularly review the list of users with access to ensure it's up-to-date. This can be done by keeping a log of all the users who have access to each service principal.
The common service account types (Agent Pool Service, Azure Boards, PipelinesSDK, ProjectName Build Service and Project Collection Build Service) are listed above under Understanding Azure Service Accounts.
By following these best practices, you can ensure that your Azure service accounts are secure, managed effectively, and performing their intended functions.
Securing and Managing Your Digital Estate
Securing and managing your digital estate is crucial to prevent cyber-attacks and maintain operational efficiency. Limit the number of service principals you create, as each one represents a potential entry point into your system.
Creating too many service principals can be risky, so only create the ones you really need. Delete any unused ones to minimize the attack surface.
Keep track of who has access to your service principals by logging all users with access to each one. Regularly review the list of users with access to ensure it's up-to-date.
Revoke access for anyone who no longer needs it to prevent unauthorized access. Use strong passwords or keys for your service principals and change them regularly.
This will help prevent unauthorized access and keep your system secure. By following these best practices, you'll be able to manage your Azure service accounts effectively and maintain a secure digital environment.
Common Mistakes to Avoid
Creating too many service principals is a common mistake that can lead to security issues. This can cause confusion and make it harder to manage access to your Azure resources.
Granting too many permissions to a single service principal is another mistake to avoid. If that principal's credentials are compromised, whoever holds them gains broad control over every resource associated with it, making it a significant security risk.
Not monitoring activity associated with a particular service principal closely enough can lead to security issues going unnoticed until it’s too late. Regular monitoring can help catch potential problems before they become major issues.
Failing to revoke unnecessary permissions or delete unused service principals can create security vulnerabilities in your system. This can leave your Azure resources exposed to unauthorized access.
Assigning Role and Scope
You can assign a role and scope to an Azure Service Principal using the New-AzRoleAssignment cmdlet. This is an additional step needed after creating the Service Principal.
At that point the Azure Service Principal exists but has no role and scope assigned yet, because the -Role and -Scope parameters of New-AzADServicePrincipal cannot be used together with the -PasswordCredential parameter when the principal is created.
The New-AzRoleAssignment cmdlet is used to assign the scope and role of the Azure Service Principal. This cmdlet is essential for managing resources in Azure effectively and securely.
The scope determines which resources the identity has permission for. For example, if you assign a role at the subscription level, then that identity will have that role for all resources within that subscription.
You can use the Get-AzRoleAssignment -ObjectID $sp.id command to get the role assignments of the Azure service principal. This command is useful for verifying the role assignment.
The role and scope assignment is a crucial step in managing Azure resources. Without it, the Service Principal will not have the necessary permissions to access the resources it needs.
The New-AzRoleAssignment cmdlet can be used to assign various roles, including the owner role. The owner role is a built-in role that has full control over the resource.
Assigning the service principal the owner role on the VSE3 subscription can be done using the New-AzRoleAssignment cmdlet. This cmdlet is a powerful tool for managing resources in Azure.
The role and scope assignment can be verified using the Azure Portal. You can check the resource’s access control list to see if the role assignment was successful.
The role and scope assignment is not just limited to the owner role. You can assign various other roles, such as the reader role, to the Service Principal.
The reader role is a built-in role that has read-only access to the resource. Assigning this role to the Service Principal can help with auditing and monitoring.
In summary, assigning a role and scope to an Azure Service Principal is a crucial step in managing resources in Azure. It provides a secure and efficient way to manage resources, without the need for human intervention.
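As an added example (not code from the page or its sources), the following Az PowerShell script walks the two-step procedure described above: it creates a service principal without -Role/-Scope, then grants a single, narrowly scoped role with New-AzRoleAssignment and verifies the result with Get-AzRoleAssignment. It uses Reader at resource-group scope rather than Owner at subscription scope; the display name and resource group name are placeholders.

```powershell
# Added example; not from the page. Assumes the Az module is installed and
# Connect-AzAccount has already been run by an account that can create
# role assignments (Owner or User Access Administrator) on the target scope.
$spName   = 'sp-inventory-reader'   # placeholder display name
$rgName   = 'rg-prod-data'          # placeholder resource group
$roleName = 'Reader'                # "just enough" role for a read-only job

# Step 1: create the service principal. No -Role/-Scope here, so it starts
# with no permissions at all; the assignment is a deliberate second step.
$sp = New-AzADServicePrincipal -DisplayName $spName

# Step 2: choose the narrowest scope that still works: one resource group,
# not the whole subscription.
$scope = (Get-AzResourceGroup -Name $rgName).ResourceId

# Step 3: assign the role. A freshly created principal can take a few
# seconds to replicate, so retry on failure instead of giving up.
$attempt = 0
do {
    try {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
        break
    } catch {
        $attempt++
        if ($attempt -ge 6) { throw }
        Start-Sleep -Seconds 10
    }
} while ($true)

# Step 4: verify with Get-AzRoleAssignment, as the text suggests, and flag
# any assignment on this principal that is broader than the one intended.
Get-AzRoleAssignment -ObjectId $sp.Id | ForEach-Object {
    $ok = ($_.RoleDefinitionName -eq $roleName) -and ($_.Scope -eq $scope)
    $status = if ($ok) { 'expected' } else { 'REVIEW' }
    '{0,-8} {1,-25} {2}' -f $status, $_.RoleDefinitionName, $_.Scope
}
```

Any line marked REVIEW is a role the principal holds beyond what this job needs and is a candidate for Remove-AzRoleAssignment.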
Implementing Azure Service Account Authentication
You can use Group Managed Service Accounts (GMSA) to make installation on multiple servers easier to implement, and the agent setup wizard can create a group managed service account for you.
Using Azure Service Principals provides a secure way to authenticate applications and APIs with Azure resources, leveraging the OAuth 2.0 protocol for authentication.
To implement authentication using an Azure Service Principal, you need to obtain the necessary credentials, such as client ID, secret, and tenant ID, from your service principal record in the portal or through PowerShell/CLI commands.
Once you have these credentials, your application passes them at runtime to the Azure AD OAuth 2.0 token endpoint to obtain an access token; the source this section draws on shows this with sample C# code.
The passwords of managed service accounts are not changed manually, but automatically by Active Directory under certain conditions, eliminating the need for administrators to configure system services when passwords are changed.
To use an Azure Service Principal for authentication, you'll need to create it first, and then you can obtain the necessary credentials and use them in your application code to securely access your resources.
By following best practices, such as avoiding hardcoded service principal credentials and limiting the scope of each service principal, you can ensure that your applications and APIs are securely communicating with Azure resources without exposing unnecessary risks or vulnerabilities.
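The following PowerShell script is an added example (not from the page or the C# sample it mentions) of the authentication flow just described: it reads the tenant ID, client ID and secret from environment variables instead of hardcoding them, performs the OAuth 2.0 client credentials exchange against the Azure AD v2.0 token endpoint, and uses the resulting bearer token against Azure Resource Manager. The environment variable names are assumptions.

```powershell
# Added example; not from the page. Reads the service principal's identity from
# environment variables (populated by your secret store) rather than hardcoding it.
$tenantId     = $env:AZURE_TENANT_ID
$clientId     = $env:AZURE_CLIENT_ID
$clientSecret = $env:AZURE_CLIENT_SECRET
$required = @{ AZURE_TENANT_ID = $tenantId; AZURE_CLIENT_ID = $clientId; AZURE_CLIENT_SECRET = $clientSecret }
foreach ($pair in $required.GetEnumerator()) {
    if ([string]::IsNullOrWhiteSpace($pair.Value)) { throw "Environment variable $($pair.Key) is not set" }
}

# OAuth 2.0 client credentials grant against the tenant's v2.0 token endpoint.
# The scope names the resource (here Azure Resource Manager) plus '/.default',
# meaning "every permission this principal has already been granted on it".
$tokenUri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
    grant_type    = 'client_credentials'
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = 'https://management.azure.com/.default'
}
$resp = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body -ContentType 'application/x-www-form-urlencoded'
Remove-Variable clientSecret, body, required   # drop the secret from the session once it has been used

# The response carries the bearer token and its lifetime in seconds (typically about an hour).
$expiresAt = (Get-Date).AddSeconds([int]$resp.expires_in)
"token_type=$($resp.token_type) expires=$($expiresAt.ToString('u'))"

# Use the token: list the subscriptions this principal holds a role assignment on.
# An empty list means authentication worked but no role and scope have been assigned yet.
$headers = @{ Authorization = "$($resp.token_type) $($resp.access_token)" }
$subs = Invoke-RestMethod -Uri 'https://management.azure.com/subscriptions?api-version=2020-01-01' -Headers $headers
$subs.value | Select-Object subscriptionId, displayName
```

A certificate credential, which the Primary Considerations section below mentions as an alternative to a password, avoids having to distribute the secret at all.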
Azure Service Account Security
Limiting the number of service principals is crucial, as each one represents a potential entry point into your system, making it risky to create too many.
You should only create service principals you really need and delete any unused ones to maintain security.
To keep track of who has access to your service principals, keep a log of all users with access and regularly review the list to ensure it's up-to-date.
Use strong passwords or keys for your service principals and change them regularly to prevent unauthorized access.
Here's a key takeaway: service principals that hold Azure AD admin roles, including Privileged Role Administrator (PRA), can be a problem if not managed properly.
A Service Principal with admin roles can be used to escalate rights, as shown in the attack path:
1. Alice App Admin has the Application Admin role, scoped to the tenant.
2. The tenant contains the MyCoolApp app, granting Alice App Admin control of the app.
3. Alice App Admin can add a new secret for this app's service principal.
4. MyCoolApp authenticates to the tenant as the MyCoolApp service principal.
5. The MyCoolApp service principal has the PRA role.
6. Alice App Admin can authenticate to the tenant as the MyCoolApp service principal and use that service principal's rights as a PRA to promote themselves or another user to Global Admin.
This highlights the importance of managing service principal access and permissions carefully.
Primary Considerations
Creating an Azure service principal requires some basic planning to ensure it's created efficiently and effectively. The display name is a crucial aspect, and while there's no specific rule, it's a good idea to follow your organization's prescribed naming convention.
The type of credential to use is also a key consideration. You can choose to create a service principal that uses a password or certificate for authentication, or even use both.
The validity period of the credential is another important factor. This typically depends on how often you're willing to rotate or renew certificates and passwords, and it's recommended to define a start and end date for its validity.
The scope of access is also a critical consideration. Are you creating a service principal that will have access to a subscription, resource group, or selected resources?
The role assigned to the service principal is also crucial. There are various roles available, such as Contributor, Reader, and Owner, and you need to define which role is "just enough" for the service principal.
In short, the primary considerations for creating an Azure service principal are its display name, the type of credential, the credential's validity period, the scope of access, and the role assigned.
A credential validity period of 1 year is a common practice, but this may vary depending on your organization's needs.
Prevention
Limiting the number of service principals is crucial to prevent potential entry points into your system. This means creating only the ones you really need and deleting any unused ones.
Keeping track of who has access to your service principals is essential. You should keep a log of all the users who have access to each one and regularly review the list of users with access to make sure it is up-to-date.
Strong passwords or keys are a must for your service principals. Change them regularly to prevent unauthorized access and keep your system secure.
Azure's built-in attack path prevention system is a game-changer. It protects against the emergence of attack paths, particularly around password reset privileges.
The system prevents Global Admins and Privileged Authentication Admins from resetting each other's passwords. This safety rail provides a highly effective, non-configurable, frictionless way to prevent attack paths.
You can safely dole out the "Password Admin" role without worrying about the safety of your Global Admins. This is thanks to Azure's built-in system, which prevents the opposite – a Global Admin's password from being reset by someone else.
Abuse of Rights
An application object is created with a unique application (client) ID when you create or register an application in your Azure tenant.
Whoever controls the application object also controls its service principal, and if that service principal holds a privileged role, control of the app can translate into control of the tenant.
The app "MyCoolApp" has a unique identifier starting with d6f118bc, which is used to authenticate to the tenant.
Service Principals work like users, authenticating to the tenant with an object ID and a certificate or secret.
A Service Principal can have admin roles in Azure, just like users.
The Privileged Role Admin role is one such admin role that can be assigned to a Service Principal.
An attack path can emerge when a Service Principal holds the Privileged Role Admin role and a user with the Application Administrator role controls the application behind it.
Here's a breakdown of the attack path:
- Alice App Admin has the Application Admin role, scoped to the tenant.
- The tenant contains the MyCoolApp app, granting Alice App Admin control of the app.
- Alice App Admin can add a new secret for this app's service principal.
- MyCoolApp authenticates to the tenant as the MyCoolApp service principal.
- The MyCoolApp service principal has the PRA role.
- Alice App Admin can authenticate to the tenant as the MyCoolApp service principal and use that service principal's rights as a PRA to promote themselves or another user to Global Admin.
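Both this breakdown and the identical attack path under Azure Service Account Security hinge on one condition: a service principal holds a privileged directory role while someone other than its owner can add a credential to its app. The following Microsoft Graph PowerShell script is an added defensive check, not from the page or the SpecterOps post, that inventories service principals holding such roles, how many credentials each already has, and how many owners could add more. The role list is an assumption to adjust for your tenant.

```powershell
# Added example; not from the page. Assumes the Microsoft.Graph PowerShell SDK is
# installed and the caller can consent to the two read-only scopes requested below.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All' | Out-Null

# Built-in Entra roles whose holders can change other principals' privileges or
# credentials (assumed list; extend it with any custom roles you care about).
$highRiskRoles = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Privileged Authentication Administrator',
    'Application Administrator',
    'Cloud Application Administrator'
)

# Get-MgDirectoryRole returns only roles that have been activated in the tenant and
# only active, direct memberships; see the note after the block for what it misses.
$findings = foreach ($role in Get-MgDirectoryRole -All) {
    if ($highRiskRoles -notcontains $role.DisplayName) { continue }
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Members can be users, groups or service principals; keep only service principals.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.servicePrincipal') { continue }
        $sp = Get-MgServicePrincipal -ServicePrincipalId $member.Id
        # Every password or key is a separate way to log in as this principal.
        $credCount  = @($sp.PasswordCredentials).Count + @($sp.KeyCredentials).Count
        # Owners of the service principal can add a credential, the step the attack path relies on.
        $ownerCount = @(Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All).Count
        [pscustomobject]@{
            Role             = $role.DisplayName
            ServicePrincipal = $sp.DisplayName
            AppId            = $sp.AppId
            Credentials      = $credCount
            Owners           = $ownerCount
        }
    }
}
$findings | Sort-Object Role, ServicePrincipal | Format-Table -AutoSize
```

Role-assignable group memberships and PIM-eligible assignments do not appear in this direct-membership view, so treat the output as a floor, not a complete list; holders of Application Administrator who are not owners of a listed app can still add credentials to it and need a separate review.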
Azure Service Account Configuration
You can use Group Managed Service Accounts (GMSA) to make installation on multiple servers easier.
GMSA uses one user account for each installed instance of Azure AD cloud sync.
The account can be managed by the service itself, including changing passwords.
Administrators can trigger password changes manually for managed service accounts.
The system services that use these user accounts take over the change of passwords automatically.
This eliminates the need for administrators to configure system services when passwords are changed.
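As an added example (not from the page; the wizard can create the account for you instead), the following Active Directory PowerShell creates a group managed service account for the cloud sync agent, restricts which agent servers may retrieve its password, sets the automatic rotation interval, and shows how each agent host confirms it can use the account. Account, DNS and host names are placeholders.

```powershell
# Added example; not from the page. Run on a domain controller or a host with the
# ActiveDirectory RSAT module, as an account allowed to create service accounts.
Import-Module ActiveDirectory
$gmsaName  = 'gmsa-cloudsync'                 # placeholder name (15 characters max)
$dnsName   = "$gmsaName.corp.example.com"     # placeholder DNS host name
$syncHosts = @('SYNC01$', 'SYNC02$')          # computer accounts of the cloud sync agent servers

# gMSA passwords are derived from the KDS root key; without one the account cannot be created.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key exists. Create one with Add-KdsRootKey; it becomes usable after replication (about 10 hours).'
}

# Create the account. Only the listed hosts may retrieve the managed password, and
# AD rotates it on the given interval, so no administrator ever knows or changes it.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $dnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $syncHosts `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# Review: which hosts can fetch the password and how often it rotates. Any host
# on this list that is not a sync agent server is excess privilege to remove.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval' |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'

# On each agent server (not the DC), install the account and confirm the host can use it;
# Test-ADServiceAccount returns True when the managed password can be retrieved.
# Install-ADServiceAccount -Identity 'gmsa-cloudsync'
# Test-ADServiceAccount -Identity 'gmsa-cloudsync'
```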
Azure Service Account Scenarios
Using an Azure Service Principal is ideal for secure communication between different tiers of a multi-tier architecture, such as a web application and a backend API hosted on Azure Functions or App Service.
You can also use a service principal when building automation scripts that need access to different resources in your subscription, allowing your script to automatically access those resources without requiring human intervention.
A service principal can be created with specific role assignments, like Contributor, to grant the necessary permissions for your script to access the required resources.
Useful Scenarios
Using an Azure Service Principal is a game-changer for secure communication between different tiers of your application.
In a multi-tier architecture, an Azure Service Principal allows your web application to authenticate with a backend API without exposing user credentials or requiring manual authentication.
This is especially useful when your web application needs to communicate with a backend API hosted on Azure Functions or App Service.
Having a service principal with specific role assignments, such as Contributor, enables automation scripts to access different resources in your subscription without human intervention.
This means you can automate tasks and access resources without having to manually log in or provide credentials.
Scenarios Where Using a Service Principal Is Useful
Using an Azure Service Principal is a game-changer for multi-tier architectures.
In a web application that communicates with a backend API, a service principal allows secure authentication without exposing user credentials or relying on manual authentication.
This is particularly useful when you have different tiers that need to interact with each other, such as a web application and an Azure Functions or App Service backend.
By using a service principal, you can automate access to resources without requiring human intervention.
For example, if you're building automation scripts that need access to different resources in your subscription, a service principal with specific role assignments can grant access without manual authentication.
Creating a service principal with a Contributor role allows your script to access resources automatically, streamlining your workflow.
Sources
- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
- https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions
- https://activedirectoryfaq.com/2021/08/azure-ad-connect-and-azure-ad-connect-cloud-sync/
- https://www.smikar.com/azure-service-principals/
- https://adamtheautomator.com/azure-service-principal/