Microsoft gives its partners power to change AD privileges on customer systems – without permission

Somewhat counterintuitively, this is being done to improve security

Updated Microsoft has created a window of time in which its partners can – without permission – create new roles for themselves in customers' Active Directory implementations.

Which sounds bonkers, so let's explain why Microsoft has even entertained the prospect.

To begin, remember that criminals have figured out that attacking IT service providers offers a great way to find many other targets. Evidence of that approach can be found in attacks on ConnectWise, SolarWinds, Kaseya and other vendors that provide software to IT service providers.

Microsoft wised up to the fact that its partners would likely be targeted, too, and spotted a weakness in the delegated admin privileges (DAP) that partners are given to manage their customers' software purchases.

The company's fix is granular delegated admin privileges (GDAP) that, as the name implies, still allow partners to administer their customers but offers finer control and follows zero-trust principles so that partners are limited to certain actions.

Today, GDAP "allows the partner to request and the customer to approve specific Azure Active Directory roles, allowing the partner to perform admin activities on behalf of the customer."

Microsoft is very keen on GDAP. So keen that on June 30 it announced the following:

Starting July 25, Microsoft will provide a tool that allows partners with existing delegated admin privileges (DAP) relationships to create a GDAP relationship with Azure AD roles – without customer consent.

Microsoft's motive is simple: it wants partners to adopt GDAP so their interactions with customers are more secure.

Partners won't keep this power to change customer rigs forever. The tool will only work until October 31, 2022, and after that date customers will again have to approve the creation of new GDAP relationships.

But for the 98 days that elapse from this tool's debut to its end of life, partners can create GDAP roles without customer intervention.

The Register submits that criminals might be busy on those days, too – making just the sort of attacks on partners that Microsoft hopes GDAP will prevent.

Microsoft will deliver more info about the tool on July 11.

Clearly, customers that work with Microsoft partners might want to have a chat about GDAP before the tool debuts. ®

Updated, 03:00 UTC, July 19th Microsoft has delayed the release of the tool it promised above to August 1st. The tool will still work until October 31st.

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2022