More Info:

Ensure that the external accounts with write permissions are monitored using Azure Security Center.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

The misconfiguration “Monitor External Accounts with Write Permissions” in Azure means that external accounts have write permissions to your Azure resources, which can potentially lead to unauthorized access or data breaches. To remediate this, follow the steps below:
  1. Open the Azure portal and sign in with your credentials.
  2. Navigate to the “Azure Active Directory” service.
  3. Click on “External Identities” in the left-hand menu.
  4. Click on “Azure AD Domain Services” in the External Identities menu.
  5. Click on the “Properties” tab.
  6. Under “Write Access,” select “Disabled.”
  7. Click “Save” to apply the changes.
By disabling write access for external accounts, you are limiting their ability to modify your Azure resources. This helps prevent unauthorized access or data breaches.

The following are the step-by-step instructions to remediate the “Monitor External Accounts with Write Permissions” misconfiguration in Azure using Azure CLI:
  1. Open the Azure CLI on your local machine or Azure Cloud Shell.
  2. Run the following command to list all the external accounts with write permissions in your subscription: 
    az monitor activity-log list --query "[?category=='Administrative' and operationName.value=='Microsoft.Authorization/roleAssignments/write' and authorization.scope=='/subscriptions/{subscriptionId}'].caller"
    This command will return a list of all the external accounts with write permissions in your subscription.
  3. Review the list of external accounts and identify any that should not have write permissions.
  4. Run the following command to remove write permissions for an external account: 
    az role assignment delete --assignee <external-account-id> --role <role-name> --scope /subscriptions/{subscriptionId}
    Replace <external-account-id> with the ID of the external account you want to remove write permissions for, and <role-name> with the name of the role that grants write permissions.
  5. Repeat step 4 for any other external accounts that should not have write permissions.
  6. Run the command from step 2 again to confirm that all external accounts with write permissions have been removed.
  7. Monitor your subscription for any unauthorized write activity and investigate any suspicious activity.
By following these steps, you can remediate the “Monitor External Accounts with Write Permissions” misconfiguration in Azure using Azure CLI.
To remediate the misconfiguration “Monitor External Accounts with Write Permissions” in Azure using Python, you can follow the below steps:Step 1: Install the Azure SDK for Python using the pip command.
pip install azure
Step 2: Authenticate with Azure using the Azure CLI or by providing the credentials in code.
from azure.common.credentials import UserPassCredentials
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.resource import ResourceManagementClient

# Replace the values with your own
subscription_id = 'SUBSCRIPTION_ID'
username = 'USERNAME'
password = 'PASSWORD'
tenant_id = 'TENANT_ID'

credentials = UserPassCredentials(username, password, tenant_id)
monitor_client = MonitorManagementClient(
    credentials,
    subscription_id
)
resource_client = ResourceManagementClient(
    credentials,
    subscription_id
)
Step 3: Get the list of external accounts with write permissions.
# Get the list of external accounts with write permissions
external_accounts = monitor_client.external_monitoring_configurations.list_by_subscription()

external_accounts_with_write_permissions = []
for account in external_accounts:
    if account.enabled and account.type == 'Azure' and account.write_access_enabled:
        external_accounts_with_write_permissions.append(account)
Step 4: Disable write permissions for the external accounts.
# Disable write permissions for the external accounts
for account in external_accounts_with_write_permissions:
    account.write_access_enabled = False
    monitor_client.external_monitoring_configurations.create_or_update(
        resource_group_name=account.resource_group_name,
        configuration_name=account.name,
        parameters=account
    )
By following these steps, you can remediate the “Monitor External Accounts with Write Permissions” misconfiguration in Azure using Python.