Concept
Some Azure/Entra functionality requires RBAC Roles instead of the standard Administrative roles. In order to utilize the RBAC Roles, with the CyberQP Just in Time Accounts functionality, some configuration will be required to accomplish this.
Prerequisites
- QGuard Pro Enabled Tenant
Contact your Rep - Just in Time Functionality Enabled and an Understanding of Just in Time Policies
https://support.getquickpass.com/hc/en-us/articles/18911410129175-How-To-Turn-On-Just-in-Time-Privileged-Accounts-Feature-QGuard-Pro - Understand the Concepts of Custom Security Groups in Just in Time Policies
https://support.getquickpass.com/hc/en-us/articles/30229804417303-How-To-Custom-Security-Groups-with-Active-Directory-JIT-Accounts - Create Azure/Entra Security Groups in the Customers' environment.
- Understand Azure/Entra RBAC Roles and their intended purpose
Azure RBAC documentation
Implementation
For this KB, I will be using the RBAC Role for Azure Virtual Machine Management. This same concept can be utilized with any RBAC Role.
- Begin with understanding the RBAC Role and at what level in the Azure/Entra/M365 Tenant you wish to apply the access.
- This step is critical because RBAC Roles can be assigned in multiple different levels within Azure/Entra and where the RBAC Role is assigned defines the level of access given.
- Subscription
- Resource
- Resource Group
- Management Group
- This step is critical because RBAC Roles can be assigned in multiple different levels within Azure/Entra and where the RBAC Role is assigned defines the level of access given.
- Create an Azure/Entra Security group with the "Assigned" method (you can use Dynamic Groups if you wish, but the configuration of these would be outside the scope of this KB - Dynamic Groups COULD be used to automatically add JIT accounts by naming convention, but this reduces your ability to use the Granular CyberQP Just in Time Policies)
- Assign the Group you just created to the Appropriate Azure/Entra RBAC role.
- Add the Group to a new or existing Just in Time Policy
- Consider that you may not want all of your Technicians to have access to the RBAC Role.
- Consider that if you have Co-Managed Technicians, you may not want them to have access to the RBAC Role.
- Test the creation/re-enable of the JIT account.
- Confirm that the Just in Time account gets added to the Security Group
- Confirm that the RBAC Role has given access to the Functionality in Azure/Entra you desire.
Comments
0 comments
Please sign in to leave a comment.