Azure Managed Identities (technical service accounts)

Explanation

  • Azure Managed Identities = technical service accounts
  • The password is managed automatically, as was the case with managed service accounts in on-premises Active Directory
  • Managed Identity types:
    • System Managed Identity ==> strictly assigned to a single Azure system (like a VM), can't be shared with another system
    • User Managed Identity ==> for example for HA clusters, in which all HA nodes need the same user

Managed Identities don't use a password; instead they use OAuth2 and its token --> https://169.254.169.254/metadata/identity/oauth2/token

Source: https://medium.com/@siddiquimohammad0807/azure-managed-identity-types-and-importance-c64f6292577d


Example

  • When using PowerShell Connect-AzAccount --> a new window for username + password + MFA is opened --> these will be used as credentials


  • When using PowerShell Connect-AzAccount -Identity --> no new window is opened, instead the managed identity is used --> PowerShell sends an HTTPS OAuth2 query to the Azure IMDS ("Instance Metadata Service") and receives a token, which is then used

Windows PowerShell
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\Administrator20>
PS C:\Users\Administrator20>
PS C:\Users\Administrator20> Install-Module Az 
NuGet provider is required to continue 
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGetprovider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies'  or 'C:\Users\Administrator20\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install
 and import the NuGet provider now?
[Y] Yes[N] No[S] Suspend[?] Help (default is "Y"): y
 
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes[A] Yes to All[N] No[L] No to All[S] Suspend[?] Help (default is "N"): y
PS C:\Users\Administrator20>
PS C:\Users\Administrator20>
PS C:\Users\Administrator20> Connect-AzAccount -Identity
 
Subscription name Tenant
----------------- ------
274102ec-cd24-4af2-a4c2-832941ce526f
 
 
PS C:\Users\Administrator20>
PS C:\Users\Administrator20>
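
Added example (not part of the original page): the kind of IMDS token request described above, made by hand, with the token's claims decoded so you can check which identity the VM actually holds. It assumes the documented IMDS parameters (Metadata: true header, api-version 2018-02-01); the function names Get-ImdsToken and ConvertFrom-JwtPayload are hypothetical, and the fallback token is constructed so the script also runs outside Azure.

```powershell
# Added example. Function names are hypothetical, not part of the Az module.
function Get-ImdsToken {
    param(
        [string]$Resource = 'https://management.azure.com/',
        [string]$ClientId   # only needed to pick one user-assigned identity
    )
    # IMDS answers on plain HTTP at the link-local address, from inside the VM only.
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=' + [uri]::EscapeDataString($Resource)
    if ($ClientId) { $uri += '&client_id=' + [uri]::EscapeDataString($ClientId) }
    # The "Metadata: true" header is mandatory; requests without it are rejected.
    Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -TimeoutSec 5
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT (expected header.payload.signature)' }
    # base64url -> base64, then restore the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

try {
    # access_token is a bearer credential: never log or print it.
    $token = (Get-ImdsToken).access_token
} catch {
    Write-Warning 'IMDS not reachable or no identity assigned; using a constructed sample token.'
    $json = '{"aud":"https://management.azure.com/","oid":"00000000-0000-0000-0000-000000000000","exp":1700000000}'
    $b64  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))
    $token = 'e30.' + $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_') + '.constructed'
}

# Show only non-secret claims: who the token is for, which identity, until when.
$claims = ConvertFrom-JwtPayload $token
[pscustomobject]@{
    Audience   = $claims.aud
    ObjectId   = $claims.oid
    ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
}
```

On a VM with a managed identity, ObjectId is the object ID of that identity's service principal, which is the value to match against role assignments when reviewing what the VM can do.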


Splunk UseCase for attacks against FortiGate Firewall management interfaces

If you are using Splunk as your SIEM you can try to detect attacks against your FortiGate firewalls by using the following SPL query: index...