Threat Research Blog June 28, 2022

Azure PIM Default Configuration Creates “Shadow Admin” Risks

By Nimrod Lavi


The default configuration for Azure PIM’s “Eligible” role assignments only requires activation, without requiring approval. That means that an eligibly assigned user can activate any role he is assigned to without needing any additional privileges. Attackers can leverage this to escalate privileges and to gain and hide persistence in a tenant, creating a new kind of “Shadow Admin” using Azure’s built-in products.

Illusive researchers have discovered a default Azure PIM setting that may result in the creation of “shadow admins,” which are users with unexpected or unintended permissions that aren’t easily visible to IT or security teams. Attackers exploit these permissions to escalate their privileges, move laterally, and establish persistence.

What is Azure AD Privileged Identity Management?

According to Microsoft, Azure Privileged Identity Management (PIM) is a “service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.”

Azure PIM is based on just-in-time (JIT) access, which Microsoft further defines as, “a model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it.”

Important to the use of Azure PIM is the assignment of “Eligible” roles to different identities in Azure AD. This feature grants an identity a role that is used only for limited periods and, depending on the role’s settings, may require an admin to approve its activation.


Illusive research findings

The Illusive research team has identified two findings:

  1. After some investigation of the default PIM configurations, we noticed a surprising default setting: all roles are configured not to require any approval for activation (mails are still sent, which should alert the tenant admin to an elevation). This setting means that any identity assigned to an Eligible role can activate the role for itself without anyone approving it.
  2. Following the previous finding, we noticed that the Azure AD APIs used to list identity role assignments are incomplete. The API surfaces only Active/Assigned roles, leaving the others outside the protection that Azure PIM is intended to provide. Gaining access to a more complete list of eligible role assignments requires more effort: a different API needs to be queried, or a different function from Azure’s PowerShell module must be used. While this workaround appears to work, there remains the potential for users of PIM, as well as permission analysis tools such as CIEM and other identity-related security tools, to miss eligible assignments, leaving organizations with the false expectation that Azure PIM is protecting an identity with role-based just-in-time access when in reality it is not covered.
    1. Default Role Assignment API
    2. PIM Role Assignment API

Combining the two findings above enables the existence of “shadow admins”: an excellent persistence opportunity for an attacker, or a very bad misconfiguration for a tenant admin.
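The audit check below is an added example, not Illusive’s Scan-AzurePIM script. It correlates the two API views from the findings above (the Active-only role assignment listing and the PIM eligibility listing) with the PIM role settings, and reports eligible assignments that can self-activate without approval yet never appear in the default listing. It assumes payloads shaped like the Microsoft Graph roleManagement API (roleAssignments, roleEligibilityScheduleInstances, roleManagementPolicies with expanded rules, roleManagementPolicyAssignments); all sample data is constructed, and roles with no PIM policy are treated as still on the default (no approval).

```python
# Added example (not Illusive's Scan-AzurePIM). Correlates the Active-only
# role assignment API with the PIM eligibility API and role settings to list
# "shadow admins": eligible assignments that activate without approval and
# are absent from the default listing. Payload shapes assume the Microsoft
# Graph roleManagement API; every value below is constructed sample data.
APPROVAL_RULE = "Approval_EndUser_Assignment"  # Graph rule id for activation approval

# Constructed: default role assignment API -> Active assignments only.
ROLE_ASSIGNMENTS = [{"principalId": "alice", "roleDefinitionId": "role-ga", "directoryScopeId": "/"}]
# Constructed: PIM API -> Eligible assignments the default listing never shows.
ELIGIBLE_INSTANCES = [
    {"principalId": "bob", "roleDefinitionId": "role-ga", "directoryScopeId": "/"},
    {"principalId": "carol", "roleDefinitionId": "role-helpdesk", "directoryScopeId": "/"},
    {"principalId": "alice", "roleDefinitionId": "role-ga", "directoryScopeId": "/"},
]
# Constructed: role settings; role-ga still on the default (no approval), role-helpdesk hardened.
POLICY_ASSIGNMENTS = [{"policyId": "pol-default", "roleDefinitionId": "role-ga"},
                      {"policyId": "pol-hardened", "roleDefinitionId": "role-helpdesk"}]
POLICIES = [
    {"id": "pol-default", "rules": [{"id": APPROVAL_RULE, "setting": {"isApprovalRequired": False}}]},
    {"id": "pol-hardened", "rules": [{"id": APPROVAL_RULE, "setting": {"isApprovalRequired": True}}]},
]


def approval_required_by_role(policies, policy_assignments):
    """Map roleDefinitionId -> True if activating an eligible assignment needs an approver."""
    by_policy = {p["id"]: any(r.get("id") == APPROVAL_RULE and r["setting"].get("isApprovalRequired")
                              for r in p.get("rules", [])) for p in policies}
    return {pa["roleDefinitionId"]: by_policy.get(pa["policyId"], False) for pa in policy_assignments}


def find_shadow_admins(role_assignments, eligible_instances, policies, policy_assignments):
    """Eligible assignments that self-activate (no approval) and are invisible to the
    Active-only API. Roles with no PIM policy are treated as default, i.e. no approval."""
    needs_approval = approval_required_by_role(policies, policy_assignments)
    active = {(a["principalId"], a["roleDefinitionId"]) for a in role_assignments}
    findings = []
    for e in eligible_instances:
        key = (e["principalId"], e["roleDefinitionId"])
        if key in active or needs_approval.get(key[1], False):
            continue  # already visible as Active, or gated by an approver
        findings.append({"principalId": key[0], "roleDefinitionId": key[1], "scope": e["directoryScopeId"]})
    return sorted(findings, key=lambda f: (f["roleDefinitionId"], f["principalId"]))


if __name__ == "__main__":
    for f in find_shadow_admins(ROLE_ASSIGNMENTS, ELIGIBLE_INSTANCES, POLICIES, POLICY_ASSIGNMENTS):
        print(f"SHADOW ADMIN: {f['principalId']} eligible for {f['roleDefinitionId']} at {f['scope']}")
```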

Our recommendations

We highly recommend:

  • DON’T use the default setting for any privileged roles, both on the Tenant and on Subscriptions.
  • Review all your eligible role assignments and remove them if not mandatory – especially if you haven’t changed the default role settings!

Script & Output examples

Illusive has published a script on GitHub that discovers risky Azure PIM configurations. By default, the script will display all the risky configurations of the roles with default settings in PIM, who is assigned to them (both “Active” and “Eligible” assignments) and some other interesting information we thought we should surface.

The script has an optional command to activate eligible roles assigned to the currently logged on user:

Scan-AzurePIM -ScanCurrentUser -TryElevateCurrentUser (If you want to activate all eligible roles assigned to the logged in user.)

Scan-AzurePIM output examples:

Roles with default role settings – this will show the roles that are configured with default configurations (not requiring approval for activation):

Active role assignments – this will show active user assignments to roles

Eligible role assignments – this will show users who are eligible for role assignments

The script is available on our public GitHub: