CarlosPorter-6362 asked · vipullag-MSFT edited

How to prevent users from re-using access tokens from "az login"

I was wondering,

How would it be possible to secure "az ssh" in an environment where several users have access to a Windows jumpbox where the Azure CLI is installed and configured to use "az ssh", but at the same time all the operators share the admin credentials (they all use the same username and password to access the Windows jumpbox)?

I was thinking of possible solutions such as:

  • by creating a policy to reduce the lifetime of the access tokens on the Azure CLI to 5 or 10 minutes, so users will be forced to re-enter their Azure AD credentials after 5 or 10 minutes if they want to connect to another server using "az ssh"

  • by creating individual user accounts on the Windows server (this one is kind of obvious, but requires too much work/maintenance).

  • by setting up AADLoginForWindows on the Windows jumpbox, so each user must first connect to the Windows server with their own Azure AD account (hence access to the Azure CLI access token for each user will be secured within the Windows jumpbox).

Also, I noticed that changing the user role assigned to an account on any server is really easy (if the account already has a Contributor role on the subscription), so is there a way to prevent users with Contributor roles from granting themselves root access on the servers by just changing the name of the roles assigned to them?

As an example:

# Delete the role previously assigned to the user account on the virtual machine
az role assignment delete --role "Virtual Machine User Login" --assignee $AZ_USER_ACCOUNT --scope $VM_RESOURCE_ID

# Re-Create the user role on the virtual machine giving root access to the user account
az role assignment create --role "Virtual Machine Administrator Login" --assignee $AZ_USER_ACCOUNT --scope $VM_RESOURCE_ID


Originally asked at https://github.com/MicrosoftDocs/azure-docs/issues/78690

azure-active-directory
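An added example, not part of the question and not Microsoft's code: a small Python audit over exported RBAC data that answers the two questions above from a defender's side, namely who holds "Virtual Machine Administrator Login" on a given VM (root via "az ssh"), and which principals hold a role at a scope covering that VM whose definition actually permits the `az role assignment create/delete` operations shown above. The JSON field names and the abbreviated role definitions are assumptions; in practice load the real output of `az role definition list` and `az role assignment list --all` instead of the constructed samples.

```python
import fnmatch

# Constructed, abbreviated samples of what `az role definition list` and
# `az role assignment list --all` return (field names are assumptions).
ROLE_DEFS = [
    {"roleName": "Owner", "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Contributor", "permissions": [{"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "Virtual Machine Administrator Login", "permissions": [
        {"actions": ["Microsoft.Compute/virtualMachines/*/read"], "notActions": []}]},
]
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
VM = SUB + "/resourceGroups/rg-jump/providers/Microsoft.Compute/virtualMachines/vm-app01"
ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "alice@contoso.example",
     "roleDefinitionName": "Virtual Machine Administrator Login", "scope": VM},
]
# The control-plane operation behind `az role assignment create` / `delete`.
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"

def _matches(patterns, action):
    # Azure RBAC patterns are case-insensitive and "*" spans "/" segments, like fnmatch.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role_def, action):
    """Allowed if some Actions pattern matches and no NotActions pattern does (dataActions/deny ignored)."""
    return any(_matches(p["actions"], action) and not _matches(p["notActions"], action)
               for p in role_def["permissions"])

def covers(scope, target):
    """True if an assignment at `scope` is inherited by resource `target`."""
    s, t = scope.lower().rstrip("/"), target.lower()
    return t == s or t.startswith(s + "/")

def who_can_rewrite_vm_roles(assignments, role_defs, vm_scope):
    """Principals whose role, at a scope covering the VM, permits changing role assignments."""
    defs = {d["roleName"]: d for d in role_defs}
    return sorted({a["principalName"] for a in assignments
                   if covers(a["scope"], vm_scope) and a["roleDefinitionName"] in defs
                   and role_allows(defs[a["roleDefinitionName"]], ROLE_WRITE)})

def vm_admin_logins(assignments, vm_scope):
    """Principals who get root via `az ssh` because they hold VM Administrator Login on the VM."""
    return sorted({a["principalName"] for a in assignments
                   if a["roleDefinitionName"] == "Virtual Machine Administrator Login"
                   and covers(a["scope"], vm_scope)})
```

Run both functions periodically against a fresh export and alert on any principal that appears in either list without a matching change ticket.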


0 Answers