Integrating with others is great. It can really benefit your users and provide a cost-effective solution that benefits both parties. When this relationship ends, you need to be able to remove every instance of that access to ensure security is kept.
We’ve seen breaches in the news where companies didn’t do proper house cleaning and left certain access enabled.
With these agreements, both parties will have security in mind, however it might be focused only on covering their own end. Sure, you manage the access, but it is them who hold the credentials. If they were breached or followed poor security practice, those credentials could be stolen without you knowing.
Should your relationship end on good or bad terms, here are a few steps you can follow to remove access from your Azure tenant. These steps can also be followed should a breach occur.
Hopefully you manage the identity side of things, so there should be an enterprise application (EA) set up. To block authentication through this EA, you can ‘Disable sign-in’.
Go to: Azure Active Directory > Enterprise applications and select the application.
Under Properties, you will see the following:
At this point, you can either delete the EA or remove the permissions. This can be done under the Permissions tab of the application:
Once you click Review permissions, you will see the following; simply select the option that matches what has occurred:
More information can be found here: https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/
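The same steps (disable sign-in, then strip the consented permissions) can be scripted so they are repeatable and auditable. The following is an added example written for this post, not code from the original article or from Microsoft; it assumes the Microsoft Graph PowerShell module is installed, that you hold an admin role able to consent to the listed scopes, and that $PartnerAppId is the partner app's Application (client) ID taken from the EA's Overview blade.

```powershell
# Added example (not from the original post): disable a partner's enterprise
# application and remove its consented permissions with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; admin able to grant these scopes;
# $PartnerAppId is the partner app's Application (client) ID.
param(
    [Parameter(Mandatory)] [string] $PartnerAppId
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All' | Out-Null

# The enterprise application is the service principal for that app ID in your tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$PartnerAppId'"
if (-not $sp) { throw "No enterprise application found for appId $PartnerAppId" }

# 1. 'Disable sign-in' - same as Properties > 'Enabled for users to sign-in?' = No.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
Write-Host "Sign-in disabled for $($sp.DisplayName) ($($sp.Id))"

# 2. Delegated permissions (OAuth2 consent grants) given to this client, whether
#    admin-consented for the whole tenant or consented by individual users.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
foreach ($g in $grants) {
    Write-Host "Removing delegated grant: scope='$($g.Scope)' consentType=$($g.ConsentType)"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}

# 3. Application permissions (app role assignments) held by the service principal
#    itself, i.e. access that works without any signed-in user.
$roles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
foreach ($r in $roles) {
    Write-Host "Removing app role $($r.AppRoleId) on $($r.ResourceDisplayName)"
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $r.Id
}

# 4. Verify nothing is left before deciding whether to delete the EA altogether.
$left = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'").Count +
        @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id).Count
Write-Host "Remaining grants for $($sp.DisplayName): $left"
# Optional, once you are sure: Remove-MgServicePrincipal -ServicePrincipalId $sp.Id
```

Disabling sign-in stops new tokens being issued, but access tokens already handed out remain valid until they expire (typically about an hour), so removing the grants as well is what actually closes the door. Re-running the script is a cheap way to confirm that nobody has re-consented the application since.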
The following should be applied to all accounts which were shared and in use. Most actions can be done under the user's ‘Authentication methods’, however the first is on the user's overview.
The first step is to disable the account; in Azure AD, this is done by blocking sign-ins.
Go to Azure Active Directory > Users and find the account. Under the Profile tab, click Edit, scroll down to Settings and select Yes for Block sign in:
Revoke MFA Sessions and Reset Password.
Disabling the account is necessary, however, what if this action was missed or undone? It’s always better to be safe than sorry. Click both options to revoke MFA-approved sessions and reset the current password. Whilst you’re here, it’s also wise to remove any groups they are a part of.
Should you wish to track further attempts, leave the account enabled and reset the password to one of 25+ characters. This allows authentication attempts to continue whilst you track them under the Sign-ins tab.
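The per-account steps above (block sign-in, revoke sessions, reset the password, remove group memberships, then watch the Sign-ins tab) are easy to miss on one of several shared accounts, so here they are as one loop. This is an added example written for this post, not code from the original article or from Microsoft; it assumes the Microsoft Graph PowerShell module, an admin able to consent to the listed scopes, and that $SharedAccounts holds the UPNs you handed to the partner (the default value is a placeholder). Revoking sign-in sessions is the Graph action closest to the portal's revoke-sessions button: it invalidates refresh tokens so cached sessions must re-authenticate.

```powershell
# Added example (not from the original post): user-side offboarding for every
# account that was shared with the partner, via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; admin with the listed scopes;
# $SharedAccounts are placeholder UPNs to replace with your own.
param(
    [string[]] $SharedAccounts = @('partner-svc@contoso.example'),
    [switch]   $KeepEnabledForTracking   # leave enabled + long random password, per the text
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All',
                        'GroupMember.ReadWrite.All','AuditLog.Read.All' | Out-Null

# 32-character password from a cryptographic RNG, so the old credentials stop
# working even when the account is deliberately left enabled for tracking.
function New-RandomPassword {
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    -join (1..32 | ForEach-Object {
        $chars[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32($chars.Length)]
    })
}

foreach ($upn in $SharedAccounts) {
    $user = Get-MgUser -UserId $upn -ErrorAction Stop
    Write-Host "== $upn ($($user.Id))"

    # 1. Block sign-in (Profile > Settings > Block sign in = Yes in the portal).
    if (-not $KeepEnabledForTracking) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
    }

    # 2. Revoke sessions: refresh tokens are invalidated, so any cached session
    #    (MFA-approved or not) has to authenticate again and will then fail.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 3. Reset the password; never reuse one the partner has seen.
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = New-RandomPassword
        ForceChangePasswordNextSignIn = $true
    }

    # 4. Remove the account from every group it is a direct member of.
    #    (Dynamic-membership groups cannot be edited this way and will report an error.)
    $groups = Get-MgUserMemberOf -UserId $user.Id -All |
              Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
    foreach ($g in $groups) {
        Write-Host "  removing from group $($g.AdditionalProperties['displayName'])"
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Continue
    }

    # 5. The 'Sign-ins' tab, scripted: latest attempts for this account.
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 10 |
        Select-Object CreatedDateTime, AppDisplayName, IpAddress,
                      @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
        Format-Table -AutoSize
}
```

Run it with -KeepEnabledForTracking if you want the honeypot behaviour described above: the account stays enabled, the old password no longer works, and step 5 shows you who is still trying. A non-zero ErrorCode in that output is a failed attempt, which after offboarding is exactly what you want to see.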
To end any O365 connections, apply the following.
*All actions are done within the O365 Admin Portal and not Azure.
Users > Active Users and select the user.
Expand the OneDrive tab and select Initiate sign-out.
Warning: there is no confirmation prompt, so be careful when doing so.
You can also block sign-ins to any O365 resource, should they have access to your suite.
Users > Active Users and select the user. Click Block this user and Save the changes:
Although on the face of it this would be enough, you may have integrated them manually elsewhere. You will need to check other places in case you have set up any of the following:
- Provided API access. There may be other parts in play, such as API connections. Remember to check API Connections and App registrations.
- Shared any SAS tokens, connection strings or access keys for any storage accounts. These will need to be regenerated.
- Provided certificates or tokens. These will need to be revoked or regenerated.
- Remove access from groups, roles and RBAC. Remember these are separate (Azure AD roles versus Azure infrastructure RBAC). You may have also granted them access manually, such as in the SharePoint Term Store:
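The items in that list are the ones that are not tied to a user object, which is why a script that walks them explicitly is worth keeping. The following is an added example written for this post, not code from the original article or from Microsoft; it assumes the Az and Microsoft Graph PowerShell modules, and takes as placeholders the Azure AD object IDs you handed to the partner (users or service principals), the partner's app registration client ID if one exists, and the resource IDs of storage accounts whose keys or SAS tokens were shared. It covers RBAC role assignments, Azure AD directory roles, storage keys and SAS, and secrets or certificates on the app registration; the SharePoint Term Store is still a manual check.

```powershell
# Added example (not from the original post): revoke the 'manual' integrations
# from the list above using Az and Microsoft Graph PowerShell.
# Assumptions: Az + Microsoft.Graph modules installed; all parameters are
# placeholders for identifiers from your own tenant.
param(
    [string[]] $PartnerObjectIds = @(),   # Azure AD object IDs of partner users / service principals
    [string]   $PartnerAppId,             # app registration (client) ID, if you created one for them
    [string[]] $StorageAccountIds = @()   # resource IDs of storage accounts whose keys/SAS were shared
)

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes 'Application.ReadWrite.All','RoleManagement.ReadWrite.Directory' | Out-Null

# 1. RBAC (Azure infrastructure side): every role assignment held by the partner
#    identities at any scope in the current subscription.
foreach ($oid in $PartnerObjectIds) {
    Get-AzRoleAssignment -ObjectId $oid | ForEach-Object {
        Write-Host "RBAC: removing '$($_.RoleDefinitionName)' at $($_.Scope)"
        Remove-AzRoleAssignment -ObjectId $oid -RoleDefinitionName $_.RoleDefinitionName -Scope $_.Scope
    }
}

# 2. Azure AD directory roles are a separate system from RBAC; walk the activated
#    roles and drop the partner identities from each.
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($PartnerObjectIds -contains $m.Id) {
            Write-Host "AAD role: removing $($m.Id) from '$($role.DisplayName)'"
            Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $m.Id
        }
    }
}

# 3. Storage: regenerating both keys invalidates every account-key SAS token and
#    connection string derived from them; revoking user delegation keys also
#    kills any user-delegation SAS. Anything legitimate using the old keys breaks
#    at the same time, so update your own consumers straight after.
foreach ($id in $StorageAccountIds) {
    $res = Get-AzResource -ResourceId $id
    foreach ($key in 'key1', 'key2') {
        New-AzStorageAccountKey -ResourceGroupName $res.ResourceGroupName -Name $res.Name -KeyName $key | Out-Null
        Write-Host "Storage: rotated $key on $($res.Name)"
    }
    Revoke-AzStorageAccountUserDelegationKeys -ResourceGroupName $res.ResourceGroupName -StorageAccountName $res.Name
}

# 4. App registration: remove every client secret and certificate so no new tokens
#    can be minted for it, even if the enterprise application step was missed.
if ($PartnerAppId) {
    $app = Get-MgApplication -Filter "appId eq '$PartnerAppId'"
    foreach ($s in $app.PasswordCredentials) {
        Write-Host "AppReg: removing secret '$($s.DisplayName)' (expires $($s.EndDateTime))"
        Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $s.KeyId
    }
    if ($app.KeyCredentials.Count -gt 0) {
        Write-Host "AppReg: removing $($app.KeyCredentials.Count) certificate(s)"
        # Certificates are replaced as a whole list; an empty list removes them all.
        Update-MgApplication -ApplicationId $app.Id -KeyCredentials @()
    }
}
```

Step 3 is the one to schedule rather than run ad hoc, because rotating keys is disruptive to your own services as well; the point of listing each action with a Write-Host line is that the transcript doubles as the record of what was revoked and when.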
Some of these are often missed as they aren’t clearly tied to an account. It takes a manual and well-documented process to be able to identify them. The reason you go through all of this is in case one of the steps has been missed. Social engineering techniques can always come into play to gain access to the account, so by stripping it of all its rights, you mitigate this risk.
Microsoft do offer a product to manage most of these, however it comes at a cost. Cloud App Security should be on your radar, so definitely check it out. It can help monitor risky connections such as OAuth2. The reason I say risky is because this protocol is currently being abused/exploited in the wild. Cloud App Security allows policies to be applied to better manage these connections.