7 posts tagged with "Azure"

Access Reviews in Microsoft Entra provide a way to continuously review access to resources in your tenant. More importantly, you as the owner of your tenant can enable resource owners (of groups or Teams) to govern external users’ access to said resources themselves, thus reducing your workload and shifting the responsibility.

Many organisations rely on the collaboration features available in Microsoft 365, like Microsoft Teams, to work with external organisations on projects. A convenient way of doing this is by inviting said external users as guests to your organisation, this comes with its governance challenges, which Access reviews will solve.

Access reviews for group owners are disabled by default. To enable this feature, log in to your Microsoft Entra tenant as a Global Administrator and follow the below steps:

Expand Identity Governance and select Access reviews.
Select Settings, then enable Group owners can create and manage access reviews for groups they own.

Enable Group owner access reviews with Microsoft Graph PowerShell

You can also enable this feature using Microsoft Graph PowerShell.

(For steps on installing the Microsoft Graph PowerShell SDK, check out my post here.)

Connect-MgGraph -scopes Policy.ReadWrite.AccessReview

$params = @{
	isGroupOwnerManagementEnabled = $true
}

Update-MgBetaPolicyAccessReviewPolicy -BodyParameter $params

Create a new access review as a group owner

Any user who is the owner of a group will now be able to create access reviews for groups they own through the Microsoft Entra admin center. Follow the below steps to create a new access review.

While signed in to your standard user account (without any roles) open the Identity Governance Access Reviews blade.
Click New access review.
On the Review type page, you will only have the option to set the Review scope to Select Teams + groups. Click Select groups and you will see only the groups you own, choose your target group and click Select.
In our scenario, I am going to create a single-stage review for the group owners to conduct. On the Reviews page, you will have the option to select specific reviewers.

I suggest you select Group owners as the reviewer. Then create a fallback reviewers group with appointed users. If a groups owners no longer exist (they leave the organisation for example), the fallback reviewers will be alerted of the review and can continue to maintain governance over the group.

You should also select the duration, recurrence and end date of the review, here are my recommendations:
- Duration: 2 days
- Review recurrence: Monthly
- End date: Never
When managing guest users, there should never be a time when their access to your data is not being governed or reviewed. Of course, change these settings to as you prefer, but ensure the end date is set to never when reviewing guest users.
The Upon completion settings allow you to define important settings around automatic remediation.
- Auto-apply results to resource: If the user’s access is denied, their access to the resource will be removed automatically after the review is completed, otherwise manual remediation is required.
- If reviewers don’t respond: I have chosen No change, however, for the most governance, I recommend selecting Remove Access. All options include:
  - No change
  - Remove access
  - Approve access
  - Take recommendation
- Action to apply on denied guest users:
  - Remove the user’s membership from the resource
  - Block the user from signing in for 30 days, then remove the user from the tenant.
- At end of review, send notification to: Sends a notification to specific users.
For the remaining options on the settings page, while they do not impact the outcome, they enable you to review notifications and reminders for the review and also provide helpful information such as the last sign-in date for the guest user. This will help you decide on whether to remove access or not.
Click Review + create, then define a review name and click Create.

Completing the Access Review

When the access review begins (as defined by the start date within the review settings), the reviewer of the group will receive a notification email with a link to start the review.

The link will take them to the Access reviews blade within https://myaccess.microsoft.com/. You can also navigate directly to that link and then select the name of the access review you want to begin.

As you can see, Entra is recommending that because the user has been inactive in the tenant for over 30 days, it should be denied access to the resource.

Once access is denied, it will show as denied in the list. This action can be reversed if an incorrect decision is made.

Impact of denying access in an Access review

Once the reviewer has actioned the review and denied the guest access to the resource, once the review is complete, the guest access will be removed from the resource.

This only happens once the duration period is finished and not instantly. For example, if the review duration is 2 days and you deny access on the first day, the guest will still have access for anther day, before their access is removed.

Wrapping up

Access reviews are a powerful tool to ensure that guest users in your tenant do not retain access to resources for longer than they need. In this post, I have demonstrated how to can delegate permission to create access reviews to the owner of groups and hence collaborative resources in your tenant.

This ensures guest users are governed in larger organisations where it would not be feasible for a single team to manage them and maintain responsibility for them.

Azure

PLACEHOLDER 3

Tobias Schuele

· 3 min read

Test copy from ourcloudnetwork.com

In this tutorial, I will show you how to create a new local administrator account on your Windows devices using Microsoft Intune. While there are a few preferred methods among professionals and MVPs for creating local admin accounts, here we are going to use a simple PowerShell script for the detection and creation of the account.

It is often questioned why you need the added complexity of creating a new local admin account and why you cannot just use the built-in Windows account instead. Well, the rationale behind this can be broken down quite simply into the following points:

The built-in administrator account has a well-known SID. Even if the account is renamed, it can be easily enumerated by an attacker.
The account cannot be locked out by default. This makes it susceptible to brute-force attacks. (As of October 11, 2022, account lockout can be enforced on this account, but it is not enabled by default).
CIS recommends you don’t use it. The Center for Internet Security (COS) provides well-respected recommendations for best practice configurations across a variety of products within the industry. Sometimes companies must simply conform to policy and adhere to a standard to meet compliance requirements.

Really simple local admin account

The process of creating a local admin account on Windows devices using Microsoft Intune can be summarised in the following steps:

Create a PowerShell script to detect if the account is present and is a local administrators group member.
Create a PowerShell script to create the account if it doesn’t exist and add it to the local administrators group.
Upload as a remediation script package to Intune

You must consider with this approach that you should have a method to change and manage the password for the account after it has been deployed. The best way of doing that is to use Windows LAPS with Microsoft Entra and Intune.

Detection script

<#
Written by Daniel Bradley
https://ourcloudnetwork.com/
https://www.linkedin.com/in/danielbradley2/
#>

#The name of the account
$AccountName = 'localadmin'

#Check if user exisis
$Userexist = (Get-LocalUser).Name -Contains $AccountName
if ($userexist) {
  Write-Host "$AccountName exists"
}
Else {
  Write-Host "$AccountName does not Exists"
  Exit 1
}

#Check if user is a local admin
$localadmins = ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') | % {
 ([ADSI]$_).InvokeGet('AdsPath')
}

if ($localadmins -like "*localadmin*") {
    Write-Host "localadmin is a member of local admins"
    exit 0
} else {
    Write-Host "localadmin is NOT a member of local admins"
    exit 1
}

Remediation script

<#
Written by Daniel Bradley
https://ourcloudnetwork.com/
https://www.linkedin.com/in/danielbradley2/
#>

#The name of the account
$accountName = 'localadmin'

#Add system.web assembly
Add-Type -AssemblyName 'System.Web'

#Check if user exisis
$Userexist = (Get-LocalUser).Name -Contains $AccountName
if (!$userexist) {
    $password = [System.Web.Security.Membership]::GeneratePassword(20,5)
    $Securepassword = ConvertTo-SecureString $Password -AsPlainText -force
    $params = @{
        Name        = $accountName
        Password    = $Securepassword
    }
    New-LocalUser @params
}

# Add the account to the Administrators group
Add-LocalGroupMember -Group "Administrators" -Member $accountName

Uploading the remediation script to Microsoft Intune

Both the detection script and remediation script first need to be saved into a PowerShell file. You can do this by copying and pasting each of the above scripts to a notepad file and saving them with the .ps1 file extension. Once you have done that follow the below steps to upload them to Intune:

Log in to Microsoft Intune.
Select Devices then Remediations.
Select Create Script package.
Define the basic remediation settings such as the name of the package and a meaningful description.
On the settings page, upload both script files to the corresponding location, then ensure the script is not run in the users context and the enforce script signature check is set to No. As all of the workstations in scope of this package should be 64-bit, set Run script in 64-bit PowerShell to Yes.
On the Assignments page, assign the package to the target group of users and define the frequency at which the remediation package will run.
Then click Create.

Monitoring deployment progress

You should allow the remediation package some time to run based on the schedule you defined. Otherwise you can run the remediation package manually on a target device as a test from the Intune devices blade.

To monitor the status of your deployment, select the remediation package and click the Overview menu option. You will immediately see a high level overview of the total devices that have been detected and remediated. You can also see more detailed information on the Device status menu page, like below: