Showing posts with label IAM.

Azure Managed Identities (technical service accounts)

Explanation

  • Azure Managed Identities = technical service accounts
  • The password is managed automatically, as was already the case with managed service accounts in on-premises Active Directory
  • Managed Identity types:
    • System Managed Identity ==> strictly assigned to a single Azure resource (such as a VM), cannot be shared with another resource
    • User Managed Identity ==> for example for HA clusters, in which all HA nodes need the same identity

Managed Identities don't use a password; instead they use OAuth2 and its tokens, obtained from the instance metadata endpoint --> https://169.254.169.254/metadata/identity/oauth2/token

Source: https://medium.com/@siddiquimohammad0807/azure-managed-identity-types-and-importance-c64f6292577d


Example

  • When using PowerShell Connect-AzAccount --> a new window asking for username + password + MFA is opened --> these are used as the credentials


  • When using PowerShell Connect-AzAccount -Identity --> no new window is opened; instead the managed identity is used --> PowerShell sends an HTTPS OAuth2 query to the Azure IMDS ("Instance Metadata Service") and receives a token, which is then used

Windows PowerShell
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\Administrator20>
PS C:\Users\Administrator20>
PS C:\Users\Administrator20> Install-Module Az 
NuGet provider is required to continue 
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGetprovider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies'  or 'C:\Users\Administrator20\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install
 and import the NuGet provider now?
[Y] Yes[N] No[S] Suspend[?] Help (default is "Y"): y
 
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes[A] Yes to All[N] No[L] No to All[S] Suspend[?] Help (default is "N"): y
PS C:\Users\Administrator20>
PS C:\Users\Administrator20>
PS C:\Users\Administrator20> Connect-AzAccount -Identity
 
Subscription name Tenant
----------------- ------
274102ec-cd24-4af2-a4c2-832941ce526f
 
 
PS C:\Users\Administrator20>
PS C:\Users\Administrator20>
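What Connect-AzAccount -Identity does under the hood, as an added example (not code from the original post or from the Az module): request a token from IMDS with the required Metadata header and decode its claims, so an administrator can verify which identity the VM is actually acting as and when the token expires. It assumes it runs on an Azure VM with a managed identity and no proxy in the path; the claim names are the ones Azure AD issues for managed identities, and IMDS itself is a link-local endpoint that is served over plain HTTP.

```powershell
# Added example (not from the original post): mimic Connect-AzAccount -Identity and
# inspect the token it would receive. Assumptions: runs on an Azure VM that has a
# managed identity; $Resource is the audience you need (Azure Resource Manager here);
# no proxy sits between the VM and the link-local IMDS address.

function Get-ManagedIdentityToken {
    param([string]$Resource = 'https://management.azure.com/')

    # IMDS answers only requests that carry the 'Metadata: true' header, so a plain
    # redirected or forwarded HTTP request without it is rejected by the service.
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=' + [uri]::EscapeDataString($Resource)

    $response = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ Metadata = 'true' }
    return $response.access_token
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)

    # The access token is a JWT: header.payload.signature, each part base64url-encoded.
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        # restore the '=' padding that base64url strips
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

$token  = Get-ManagedIdentityToken
$claims = ConvertFrom-JwtPayload -Token $token

# Administrator's check: which identity is this VM really acting as, and for how long?
[pscustomobject]@{
    Audience          = $claims.aud        # must match the resource you asked for
    Tenant            = $claims.tid
    ObjectId          = $claims.oid        # service principal of the managed identity
    AppId             = $claims.appid
    ManagedIdentityId = $claims.xms_mirid  # ARM resource id of the system/user identity
    ExpiresUtc        = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
} | Format-List
```

Only the payload is decoded here, not validated; the signature is checked by the Azure service that finally receives the token.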


New LAPS version explained

Microsoft will release a new version of the Local Administrator Password Solution (LAPS), which provides new Azure AD features as well as new on-premises Active Directory features and some migration features from the old version to the new one.

A video explaining everything in detail can be found here:


This video includes a nice overview of how LAPS works internally: the CSP (lapscsp.dll), PowerShell (lapspsh.dll) or GPOs drive the LAPS core logic (laps.dll), which then reads and updates the password expiry of the managed accounts and rotates their passwords, either in Azure Active Directory or in on-premises Windows Server Active Directory.

Figure: LAPS internal logic and flow architecture

Source: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts

LAPS can be used as a solution against pass-the-hash (https://attack.mitre.org/techniques/T1550/002) and lateral-movement attacks (https://attack.mitre.org/tactics/TA0008), as well as for securing help-desk access to devices and device recovery with a fine-grained security model, and for RBAC in Azure AD.

 

Monitor UniFi WLAN Access Point with PRTG with SNMPv3 Auth+Encrypted

This is a tiny guide on how to monitor your UniFi wireless access point, in this case a UniFi U7 Pro, with SNMPv3 using AES encryption and SHA authentication...