Friday, November 16, 2018

Customer Lockbox for Azure

Azure continually works to keep your data as confidential and secure as possible. To go a step further, Azure is introducing Customer Lockbox for Microsoft Azure.
What it does:
Customer Lockbox for Microsoft Azure is a service integrated into the Azure portal. It gives you explicit control in the very rare instance when a Microsoft Support Engineer needs access to your data to resolve an issue.
Some cases occur where a Microsoft Support Engineer requires elevated permissions to resolve an issue, such as debugging a remote access problem. In that scenario, Microsoft engineers use a just-in-time access service that provides limited, time-bound authorization, with access restricted to the affected service.
When you have Customer Lockbox enabled, the customer can review and approve or deny such requests from the Azure portal. Until the request is approved, the Microsoft Support Engineer is not granted access.

The whole process is audited and customer visibility is at its maximum. It works like an activity log: the entire Customer Lockbox activity is available in the Azure portal.
The best part is that if you are using Azure Security Center, the VM agent installed on your virtual machines can provide logs of the activities carried out on those VMs. If you need to analyse them, these logs can also be integrated into your security monitoring and reporting systems. Users receive Customer Lockbox by default for their Azure subscriptions, free of charge, but it is still in preview, so you need to take a few steps to enable the feature.

  • Following are the instructions given by Microsoft to enable the feature.

During the public preview phase, customers need to opt in to enable this feature. Follow the steps detailed below to enable Customer Lockbox for your tenant. This enables the Customer Lockbox service to send email notifications to approvers and route requests for approval to the Customer Lockbox blade in the Azure portal.
Note: You must be in the Global Administrator role to enable Customer Lockbox for your tenant.
1. Launch Azure PowerShell in Administrator Mode and execute the following:
2. Install-Module -Name AzureRM
3. Import-Module AzureRM.profile
4. Login-AzureRmAccount
When prompted, log in using Global Administrator credentials.
5. Select-AzureRmSubscription -TenantID "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -SubscriptionID "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
TenantID: Enter the Directory ID (GUID) of your Azure Active Directory tenant. Refer to the 'Get TenantID' section if you need more details on how to get the TenantID.
SubscriptionID: Enter any SubscriptionID within your tenant.
6. New-AzureRmADServicePrincipal -ApplicationID a0551534-cfc9-4e1f-9a7a-65093b32bb38
7. New-AzureRmADServicePrincipal -ApplicationID 01fc33a7-78ba-4d2f-a4b7-768e336e890e
These commands enable the Customer Lockbox service principals (SPNs) for your tenant. Do not change the ApplicationID values.
You can verify that the provisioning has completed using the following commands:
8. Get-AzureRmADServicePrincipal | ? { $_.ApplicationID -match "a0551534-cfc9-4e1f-9a7a-65093b32bb38" }
   Get-AzureRmADServicePrincipal | ? { $_.ApplicationID -match "01fc33a7-78ba-4d2f-a4b7-768e336e890e" }
This should list ApplicationID "a0551534-cfc9-4e1f-9a7a-65093b32bb38" with Application Name "Azure Lockbox" and ApplicationID "01fc33a7-78ba-4d2f-a4b7-768e336e890e" with Application Name "MS-PIM".
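The steps above run the two New-AzureRmADServicePrincipal commands unconditionally, which fails if the opt-in has already been done in the tenant. The script below is an added example, not Microsoft's published instructions or code from the original post: it performs the same opt-in idempotently (skipping principals that already exist) and verifies the display names the post says to expect. It assumes the AzureRM module is installed and that the signed-in account holds the Global Administrator role; the tenant and subscription GUIDs are placeholders you must replace.

```powershell
# Added example: idempotent Customer Lockbox opt-in with verification.
# Assumes the AzureRM module is installed and the caller is a Global Administrator.
# The two GUIDs below are placeholders; replace them with your own values.
$TenantId       = "00000000-0000-0000-0000-000000000000"   # placeholder: your AAD Directory ID
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder: any subscription in the tenant

# Application IDs and expected display names of the two service principals
# named in the post. These IDs are fixed by Microsoft and must not be changed.
$LockboxApps = @{
    "a0551534-cfc9-4e1f-9a7a-65093b32bb38" = "Azure Lockbox"
    "01fc33a7-78ba-4d2f-a4b7-768e336e890e" = "MS-PIM"
}

Import-Module AzureRM.profile
Import-Module AzureRM.Resources

# Interactive sign-in; use Global Administrator credentials when prompted.
Login-AzureRmAccount -TenantId $TenantId | Out-Null
Select-AzureRmSubscription -TenantId $TenantId -SubscriptionId $SubscriptionId | Out-Null

# Read the tenant's service principals once, then check each expected app ID.
$existing = Get-AzureRmADServicePrincipal

foreach ($appId in $LockboxApps.Keys) {
    $expectedName = $LockboxApps[$appId]
    $sp = $existing | Where-Object { $_.ApplicationId -eq $appId }

    if ($null -eq $sp) {
        Write-Host "Creating service principal for $expectedName ($appId)..."
        # Creating a service principal for the first-party application ID
        # is what enables the Lockbox service in this tenant.
        $sp = New-AzureRmADServicePrincipal -ApplicationId $appId
    } else {
        Write-Host "Service principal for $expectedName already exists; skipping creation."
    }

    # Verification: re-read the principal and confirm its display name
    # matches what the post says should appear.
    $check = Get-AzureRmADServicePrincipal | Where-Object { $_.ApplicationId -eq $appId }
    if ($null -eq $check) {
        Write-Error "Provisioning of $expectedName ($appId) did not complete."
    } elseif ($check.DisplayName -ne $expectedName) {
        Write-Warning "Found $appId but its display name is '$($check.DisplayName)', expected '$expectedName'."
    } else {
        Write-Host "OK: $appId -> $($check.DisplayName)"
    }
}
```

Run it from an elevated Azure PowerShell session after Install-Module -Name AzureRM has completed. Because it only creates a principal when none exists for the given ApplicationId, it is safe to re-run, and the final loop doubles as the verification from step 8.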
Customer Lockbox for Azure is now in public preview for Azure Compute workloads (Azure Virtual Machines). This feature will replace the existing approval process followed by the Microsoft support team for their support ticket workflow.
