Level 1 Contributor

Protect CSP assigned subscription

As an indirect CSP we are supplying a service to our clients. As part of this service we add an Azure Subscription to the Azure tenant of the client. We want to prevent our client from adding/removing resources in the subscription, in order to prevent service disruption and additional cost that we'll need to bill to the client.

 

I've been investigating how to prevent someone from managing a subscription in their own tenant:

* create a lock to prevent modification

* don't add a global admin to the subscription

* deny assignment to prevent anyone from modifying the subscription 

 

However, a user with sufficient privileges could always remove the lock or add him/herself to the subscription. Deny assignments seem like the only option but are poorly documented, with no real examples available.

 

But maybe I'm missing an option. What would be the best way to prevent modification of a subscription in the client tenant?

1 ACCEPTED SOLUTION
Microsoft

There is no complete solution to this. A customer that has global admin permissions in AzureAD can always elevate their permission to become user access admin in the subscription and overrule role assignments this way: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

And as per the MCA the customer also has the right to request permissions, so you can never guarantee he is completely blocked; you can only reduce the default permissions.

 

So the best option is to see this as a normal governance issue where you want to establish guidelines for all the admins - and thereby you also address potential issues that employees on the Partner side might cause (e.g. rogue admins, insider attack - or simply lazy admins causing insecure configs). So I recommend working with Azure Policies as a way to enforce a certain configuration, to get notified if there is some deviation from a config - and then also using alerts if somebody changes permissions. Additionally, think about setting up audit logs to be stored in Azure Storage to keep records for more than the default 30 days.

 

Deny assignments can be used - and I would recommend thinking about either using Azure Blueprints (which incorporate Azure Policies) for setting those, or deploying the service you are responsible for as a managed app via Marketplace, because this also blocks access via Deny Assignments: https://docs.microsoft.com/en-us/azure/role-based-access-control/deny-assignments

 

 

And on top of that I would also incorporate this aspect in the service agreement you have with the customer, so that it is clear for the customer that you may not adhere to the SLA for your service if they interfere with the config, and what the charges would look like.

Kind regards,
Janosch

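Added example, not from the thread or from Microsoft: the accepted answer recommends alerting when somebody changes permissions and keeping audit logs in Azure Storage beyond the default retention. The Python script below reviews an Activity Log export (newline-delimited JSON, the shape the storage-account export writes) for the operations that undo the protections discussed above: elevate access, role assignment changes, lock removal and deny assignment removal. The operation names are the Microsoft.Authorization operations as they appear in the log (elevate access is recorded in the tenant-level Directory Activity log rather than the subscription's own Activity Log); the events, principal names, subscription ID and the trusted-principal allowlist are constructed assumptions for the example.

```python
"""Review exported Azure Activity Log events for changes that weaken a
subscription's protection (lock removal, RBAC changes, elevate access).

Added example: the operation names are the real Microsoft.Authorization
operations as logged; every event, principal name and subscription ID in
the sample below is constructed for the example.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Set

# Operations that undo or bypass the protections discussed in the thread.
# The descriptions are this example's own wording.
WATCHED_OPERATIONS = {
    "Microsoft.Authorization/elevateAccess/action":
        "Global Administrator elevated to User Access Administrator at root scope",
    "Microsoft.Authorization/roleAssignments/write": "role assignment created or changed",
    "Microsoft.Authorization/roleAssignments/delete": "role assignment removed",
    "Microsoft.Authorization/locks/delete": "management lock removed",
    "Microsoft.Authorization/denyAssignments/delete": "deny assignment removed",
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    caller: str
    operation: str
    scope: str
    succeeded: bool
    reason: str


def _field_value(event: dict, key: str) -> str:
    """operationName and status are {"value": ...} objects in the exported
    schema but plain strings in some tooling; accept both shapes."""
    value = event.get(key, "")
    if isinstance(value, dict):
        return str(value.get("value", ""))
    return str(value)


def parse_activity_log(ndjson: str) -> List[dict]:
    """Parse newline-delimited JSON. A truncated or malformed line is skipped
    rather than aborting the whole review."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_privilege_changes(events: Iterable[dict], trusted_principals: Set[str]) -> List[Finding]:
    """One Finding per watched operation not performed by a trusted principal.
    Failed attempts are kept (succeeded=False): a customer admin trying and
    failing to add a role assignment is still worth a look."""
    trusted = {p.lower() for p in trusted_principals}
    findings = []
    for event in events:
        operation = _field_value(event, "operationName")
        if operation not in WATCHED_OPERATIONS:
            continue
        caller = str(event.get("caller", "<unknown>"))
        if caller.lower() in trusted:
            continue  # the partner's own deployment automation is expected to manage RBAC
        findings.append(Finding(
            timestamp=str(event.get("eventTimestamp", "")),
            caller=caller,
            operation=operation,
            scope=str(event.get("resourceId") or event.get("subscriptionId") or ""),
            succeeded=_field_value(event, "status").lower() == "succeeded",
            reason=WATCHED_OPERATIONS[operation],
        ))
    return findings


# Constructed sample export (hypothetical tenant): one partner automation event,
# several customer actions, one unrelated VM write and one truncated line.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
TRUSTED_PRINCIPALS = {"svc-partner-deploy@partner.example"}  # assumed partner automation identity


def _event(ts, caller, op, status, resource):
    return json.dumps({"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
                       "status": {"value": status}, "resourceId": resource})


SAMPLE_ACTIVITY_LOG = "\n".join([
    _event("2020-05-04T08:00:00Z", "svc-partner-deploy@partner.example",
           "Microsoft.Authorization/roleAssignments/write", "Succeeded",
           SUB + "/providers/Microsoft.Authorization/roleAssignments/1111"),
    _event("2020-05-04T08:05:00Z", "admin@customer.example",
           "Microsoft.Authorization/elevateAccess/action", "Succeeded", "/"),
    _event("2020-05-04T08:06:00Z", "admin@customer.example",
           "Microsoft.Authorization/roleAssignments/write", "Succeeded",
           SUB + "/providers/Microsoft.Authorization/roleAssignments/2222"),
    _event("2020-05-04T08:10:00Z", "ops@customer.example",
           "Microsoft.Authorization/locks/delete", "Succeeded",
           SUB + "/providers/Microsoft.Authorization/locks/no-delete"),
    _event("2020-05-04T08:11:00Z", "ops@customer.example",
           "Microsoft.Compute/virtualMachines/write", "Succeeded",
           SUB + "/resourceGroups/rg-svc/providers/Microsoft.Compute/virtualMachines/vm1"),
    _event("2020-05-04T08:20:00Z", "dev@customer.example",
           "Microsoft.Authorization/roleAssignments/write", "Failed",
           SUB + "/providers/Microsoft.Authorization/roleAssignments/3333"),
    '{"eventTimestamp": "2020-05-04T08:30:00Z", "caller": "tru',  # truncated by log shipping
])


if __name__ == "__main__":
    for f in find_privilege_changes(parse_activity_log(SAMPLE_ACTIVITY_LOG), TRUSTED_PRINCIPALS):
        print(f"{f.timestamp} {f.caller} {f.operation} succeeded={f.succeeded}: {f.reason} [{f.scope}]")
```

Run as-is it reports the four customer-side events and ignores the partner automation, the VM write and the truncated line. Against a real export, feed the file contents to `parse_activity_log`; for live alerting the same operation names belong in an Azure Monitor activity-log alert rule rather than an offline script, but the offline review is what the longer-retention copy in Azure Storage is for.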

Level 4 Contributor

Quickly and easily attach other Microsoft cloud-based products and services, such as Microsoft Office 365, Microsoft Azure services, or Microsoft Dynamics 365.
Automatically deploy subscriptions at login. Deploying a Windows subscription license using CSP is quick and simple. When you use Azure Active Directory (Azure AD) credentials to log in to a device, that device automatically "steps up" from Windows 10 Pro to the subscribed edition or service. No downloads, installations, or reboots are required.
Eliminate the need for imaging. Devices can be shipped to users with the OEM Windows 10 Pro installation, without the need for any re-imaging.
Fall back to Windows 10 Pro at subscription end. If a subscription ends, is cancelled, or is reassigned from one user to another, previously deployed devices seamlessly fall back to Windows 10 Pro functionality.
Upgrade benefits to Windows 10 for devices still running Windows 7, Windows 8, or Windows 8.1. Users with active Windows CSP subscriptions can upgrade existing Windows 7 or Windows 8/8.1 devices to Windows 10 at no extra cost. All subscriptions that include Windows also include Windows 10 upgrade benefits for devices running Windows 7 or Windows 8/8.1.

Level 1 Contributor

I'm not sure I understand. The text seems to be copied from https://novacontext.com/introduction-to-windows-10-subscriptions-in-the-csp-program/; it mentions subscriptions and CSP but does not relate to protecting the subscription.


Level 1 Contributor

Hi Janosch, 

 

Thanks for the reply. I've been experimenting with Azure Blueprints in order to deploy a deny assignment. Unfortunately there are very limited resources on how to apply these via blueprints. The only resource showing an example I've found was a GitHub issue: https://github.com/MicrosoftDocs/azure-docs/issues/40720.

 

Ended up with a blueprint that seems to be accepted, but it then ends up in a loop during the assignment.

[screenshot of the blueprint assignment: EY3COjXXsAEolTR.png]

 Could you point me to resources relating to blueprints, subscriptions and deny assignments?

 

Kind regards,

 

Rik

 

Microsoft

Unfortunately I do not have more specific examples at hand; this is the only documentation I know of that talks about this in the context of blueprints: https://docs.microsoft.com/en-us/azure/governance/blueprints/tutorials/create-from-sample#inspect-resources-deployed-by-the-assignment (Step 7), and I shared the other documentation on Azure RBAC deny assignments in my earlier post.

You could raise an advisory ticket via https://aks.ms/tpdrequest to get more detailed guidance, or give feedback via the docs site on GitHub, as was done in the link you shared. The last option would be the best way to get in direct contact with those responsible for the documentation.

 

Also, the error information in the failed assignment might help to get more info on what is going wrong.

Kind regards,
Janosch