More Info:
Ensure that the external accounts with write permissions are monitored using Azure Security Center.
Risk Level
Medium
Address
Security, Operational Maturity
Compliance Standards
CBP
Triage and Remediation
Remediation
Using Console
The misconfiguration “Monitor External Accounts with Write Permissions” in Azure means that external accounts have write permissions to your Azure resources, which can potentially lead to unauthorized access or data breaches. To remediate this, follow the steps below:
- Open the Azure portal and sign in with your credentials.
- Navigate to the “Azure Active Directory” service.
- Click on “External Identities” in the left-hand menu.
- Click on “Azure AD Domain Services” in the External Identities menu.
- Click on the “Properties” tab.
- Under “Write Access,” select “Disabled.”
- Click “Save” to apply the changes.
Using CLI
The following are the step-by-step instructions to remediate the “Monitor External Accounts with Write Permissions” misconfiguration in Azure using Azure CLI:
- Open the Azure CLI on your local machine or Azure Cloud Shell.
- Run the following command to list all the external accounts with write permissions in your subscription:
  This command will return a list of all the external accounts with write permissions in your subscription.
- Review the list of external accounts and identify any that should not have write permissions.
- Run the following command to remove write permissions for an external account:
  Replace <external-account-id> with the ID of the external account you want to remove write permissions for, and <role-name> with the name of the role that grants write permissions.
- Repeat step 4 for any other external accounts that should not have write permissions.
- Run the command from step 2 again to confirm that all external accounts with write permissions have been removed.
- Monitor your subscription for any unauthorized write activity and investigate any suspicious activity.
Using Python
To remediate the misconfiguration “Monitor External Accounts with Write Permissions” in Azure using Python, follow the steps below:
Step 1: Install the Azure SDK for Python using the pip command.
Step 2: Authenticate with Azure using the Azure CLI or by providing the credentials in code.
Step 3: Get the list of external accounts with write permissions.
Step 4: Disable write permissions for the external accounts.
By following these steps, you can remediate the “Monitor External Accounts with Write Permissions” misconfiguration in Azure using Python.
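As an added example that is not the page's or the tool's own code, and that serves both the CLI steps and Python steps 3 and 4: the functions below apply the check to records shaped like the output of `az ad user list`, `az role assignment list --all` and `az role definition list`, flag guest users holding write-capable roles, and build the `az role assignment delete` command the CLI step describes. The write-capable heuristic, the reduced field sets and every sample value are constructed assumptions, so the script runs offline against the embedded data.

```python
"""Find Azure RBAC assignments that give write access to external (guest) users and
build the matching `az role assignment delete` command. Added example; data is constructed."""

# Constructed users (field names as in `az ad user list`); external collaborators are "Guest".
USERS = [
    {"id": "u-1111", "userPrincipalName": "alice@contoso.example", "userType": "Member"},
    {"id": "u-2222", "userPrincipalName": "bob_partner.example#EXT#@contoso.example", "userType": "Guest"},
    {"id": "u-3333", "userPrincipalName": "carol_vendor.example#EXT#@contoso.example", "userType": "Guest"},
]

# Constructed role definitions (field names as in `az role definition list`), reduced to what the check needs.
ROLE_DEFINITIONS = [
    {"roleName": "Reader", "permissions": [{"actions": ["*/read"]}]},
    {"roleName": "Contributor", "permissions": [{"actions": ["*"]}]},
    {"roleName": "Blob Uploader (custom)", "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/write"]}]},
]

# Constructed assignments (field names as in `az role assignment list --all`).
ASSIGNMENTS = [
    {"principalId": "u-1111", "principalType": "User", "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-0001"},
    {"principalId": "u-2222", "principalType": "User", "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-0001"},
    {"principalId": "u-2222", "principalType": "User", "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-0001/resourceGroups/rg-shared"},
    {"principalId": "u-3333", "principalType": "User", "roleDefinitionName": "Blob Uploader (custom)", "scope": "/subscriptions/sub-0001"},
]

WRITE_LIKE = ("/write", "/delete", "/action", "/*")


def role_grants_write(role_def):
    """Heuristic: a role can modify resources if any allowed action is the global wildcard '*',
    a provider wildcard ('.../*'), or a write/delete/action operation. Read-only patterns such
    as '*/read' do not count; notActions are ignored on purpose, so the check errs towards flagging."""
    return any(action == "*" or action.lower().endswith(WRITE_LIKE)
               for perm in role_def.get("permissions", [])
               for action in perm.get("actions", []))


def find_external_write_assignments(assignments, users, role_definitions):
    """Return the assignments in which a guest user holds a write-capable role (page step 3)."""
    guest_ids = {u["id"] for u in users if u.get("userType") == "Guest"}
    write_roles = {r["roleName"] for r in role_definitions if role_grants_write(r)}
    return [a for a in assignments
            if a.get("principalType") == "User"
            and a["principalId"] in guest_ids
            and a["roleDefinitionName"] in write_roles]


def remediation_commands(findings):
    """Build one `az role assignment delete` command per finding (returned for review, not executed)."""
    return [f'az role assignment delete --assignee "{a["principalId"]}" '
            f'--role "{a["roleDefinitionName"]}" --scope "{a["scope"]}"'
            for a in findings]
```

Running `remediation_commands(find_external_write_assignments(ASSIGNMENTS, USERS, ROLE_DEFINITIONS))` on the sample data yields two commands, one for each guest holding a write-capable role; the member's Contributor role and the guest's Reader role are left alone.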