Enable Monitoring of Deprecated Accounts

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-021

Ensure that all the deprecated accounts within your Azure cloud subscription(s) are monitored so that Microsoft Azure Security Center can determine if there are any accounts that need to be removed in order to protect against unauthorized access. Deprecated accounts are accounts that are no longer needed and are blocked from signing in by Azure Active Directory (AAD).

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

By monitoring identity activities using Azure Security Center, you can take proactive action before an incident occurs, or reactive action to stop an attack in progress. When the monitoring of deprecated accounts is enabled, Security Center flags accounts that are blocked from signing in but still have access to the subscription, so that access can be removed before it is abused.


Audit

To determine if the monitoring of deprecated accounts is enabled within Azure Security Center settings, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to examine to access the policy configuration settings for the selected subscription.

05 On the Security Policy page, choose the Security center default policy, then click View effective policy button.

06 On the default security policy page, within the Identity section, check the Deprecated accounts should be removed from your subscription setting status. If the configuration setting is Disabled, the monitoring of deprecated accounts within the selected Azure subscription is not enabled.

07 Repeat step no. 4 – 6 for each subscription available in your Microsoft Azure account.

Using Azure CLI

01 Run account get-access-token command (Windows/macOS/Linux) to obtain a bearer token and the current subscription ID, then pass them to curl to read the SecurityCenterBuiltIn policy assignment and extract the effect configured for the monitoring of deprecated accounts. Note that the token is handed to curl as a command-line argument, so it is visible in the local process list while the command runs; use this only on a trusted workstation.

az account get-access-token \
	--query "{subscription:subscription,accessToken:accessToken}" \
	--out tsv | xargs -L1 bash -c 'curl -s -H "Authorization: Bearer $1" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01"' | jq 'select(.name=="SecurityCenterBuiltIn") | .properties.parameters.identityRemoveDeprecatedAccountMonitoringEffect.value'

02 The command output should return the requested Azure Security Center monitoring status:

"Disabled"

If the account get-access-token command output returns "Disabled", as shown in the example above, the monitoring of deprecated accounts within the current Azure subscription is not enabled. If it returns "AuditIfNotExists", monitoring is enabled. If it returns null, the parameter is not overridden in this assignment and the default value of the policy initiative applies; confirm the effective setting with the View effective policy step in the Azure Portal procedure above.

03 Repeat step no. 1 and 2 for each subscription created in your Microsoft Azure account.

Remediation / Resolution

To enable the monitoring of deprecated accounts within the Microsoft Azure Security Center settings, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to reconfigure to access the policy settings available for the selected subscription.

05 On the Security Policy page, click on the ASC Default (subscription: <azure-subscription-id>) link to edit the default policy assignment.

06 On the selected policy assignment page, perform the following actions:

  1. Choose the Parameters tab to access the policy parameters.
  2. Select AuditIfNotExists from Deprecated accounts should be removed from your subscription dropdown list to enable the monitoring of the deprecated accounts available in the selected subscription.
  3. Click Review + save to review the configuration changes, then click Save to apply the changes. If successful, the following message should be displayed: "Updating policy assignment succeeded". Once the configuration changes are saved, the Security Center service should start monitoring for any deprecated accounts available in the selected subscription.

07 If required, repeat steps no. 4 – 6 for other Microsoft Azure cloud subscriptions available.

Using Azure CLI

01 Define the request body for the Policy Assignments REST API call made in the next step, with the identityRemoveDeprecatedAccountMonitoringEffect parameter set to "AuditIfNotExists". Save the following content to a JSON file named enable-deprecated-accounts-monitoring.json and replace the placeholders <azure-subscription-id> and <policy-definition-id> with your own subscription ID and the policyDefinitionId returned by the audit command. Because a PUT replaces the entire policy assignment, also carry over any other parameters already customized in the existing assignment (as returned by the audit command); parameters left out of the body revert to the initiative's defaults.

{
   "properties":{
      "displayName":"ASC Default (subscription: <azure-subscription-id>)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
      "scope":"/subscriptions/<azure-subscription-id>",
      "parameters":{
         "identityRemoveDeprecatedAccountMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      }
   },
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

02 Run account get-access-token command (Windows/macOS/Linux) to obtain a bearer token and the current subscription ID, then use them to PUT the request body defined at the previous step (i.e. enable-deprecated-accounts-monitoring.json file) to the Policy Assignments REST API, which enables the monitoring of the deprecated accounts available in the current Azure subscription:

az account get-access-token \
	--query "{subscription:subscription,accessToken:accessToken}" \
	--out tsv | xargs -L1 bash -c 'curl -s -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01" -d @enable-deprecated-accounts-monitoring.json'

03 If successful, the command output should return the updated Azure Security Center policy assignment:

{
   "sku":{
      "name":"A0",
      "tier":"Free"
   },
   "properties":{
      "displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
      "scope":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
      "parameters":{
         "identityRemoveDeprecatedAccountMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      },
      "metadata":{
         "createdBy":"1234abcd-1234-abcd-1234-abcd1234abcd",
         "createdOn":"2019-05-17T15:55:40.00000000",
         "updatedBy":"abcd1234-abcd-1234-abcd-1234abcd1234",
         "updatedOn":"2020-03-17T13:12:48.00000000"
      }
   },
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

04 If required, repeat steps no. 1 – 3 for other Microsoft Azure cloud subscriptions available.
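As an added example that is not part of the original Conformity rule page (and not Microsoft's or Trend Micro's code), the following Python script covers both Azure CLI procedures above: the per-subscription audit loop of step 03 in the Audit section, and the remediation PUT of steps 01 to 03 here, done merge-safely so that other parameters already set on the assignment are not reset. It assumes the Azure CLI is installed and logged in, and calls the REST API through az rest so that no bearer token appears on the command line. SAMPLE_ASSIGNMENT and the parameter name someOtherMonitoringEffect are constructed fixtures for offline testing, not real Security Center output.

```python
import json
import subprocess
import sys

# Added example (not Conformity's or Microsoft's code). Audits and remediates the
# identityRemoveDeprecatedAccountMonitoringEffect parameter on the SecurityCenterBuiltIn
# policy assignment via `az rest`, which reuses the Azure CLI login for the token.
ASSIGNMENT_NAME = "SecurityCenterBuiltIn"
PARAM = "identityRemoveDeprecatedAccountMonitoringEffect"
API_VERSION = "2018-05-01"
ENABLED = "AuditIfNotExists"
DISABLED = "Disabled"

# Assignment properties that may be sent back in a PUT body for this API version;
# id, name, type, sku and metadata are server-managed and must not be echoed back.
WRITABLE_PROPERTIES = ("displayName", "description", "policyDefinitionId",
                       "scope", "notScopes", "parameters")


def assignment_url(subscription_id):
    """ARM URL of the Security Center default policy assignment for one subscription."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/providers/Microsoft.Authorization/policyAssignments/{ASSIGNMENT_NAME}"
            f"?api-version={API_VERSION}")


def effect_of(assignment):
    """Effect configured for the deprecated-accounts parameter, or None when the
    assignment does not override it (the initiative's default value then applies)."""
    params = assignment.get("properties", {}).get("parameters") or {}
    return (params.get(PARAM) or {}).get("value")


def is_monitoring_disabled(assignment):
    return effect_of(assignment) == DISABLED


def remediation_body(assignment, effect=ENABLED):
    """Build a PUT body that changes only our parameter. PUT replaces the whole
    assignment, so every other parameter and writable property is carried over."""
    props = assignment["properties"]
    body_props = {k: props[k] for k in WRITABLE_PROPERTIES if k in props}
    params = dict(props.get("parameters") or {})
    params[PARAM] = {"value": effect}
    body_props["parameters"] = params
    body = {"properties": body_props}
    for key in ("location", "identity"):  # present when the assignment has a managed identity
        if key in assignment:
            body[key] = assignment[key]
    return body


def az_rest(method, url, body=None):
    """Call ARM through the logged-in Azure CLI session; az rest adds the Authorization header."""
    cmd = ["az", "rest", "--method", method, "--url", url]
    if body is not None:
        cmd += ["--body", json.dumps(body)]
    return json.loads(subprocess.check_output(cmd, text=True))


def subscription_ids():
    out = subprocess.check_output(
        ["az", "account", "list", "--query", "[].id", "-o", "tsv"], text=True)
    return out.split()


# Constructed fixture shaped like the assignment returned by the audit command above;
# "someOtherMonitoringEffect" is a placeholder name, not a real initiative parameter.
SAMPLE_ASSIGNMENT = {
    "properties": {
        "displayName": "ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
        "scope": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
        "parameters": {
            PARAM: {"value": DISABLED},
            "someOtherMonitoringEffect": {"value": DISABLED},
        },
        "metadata": {"createdBy": "1234abcd-1234-abcd-1234-abcd1234abcd"},
    },
    "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
    "type": "Microsoft.Authorization/policyAssignments",
    "name": ASSIGNMENT_NAME,
    "location": "eastus",
}


if __name__ == "__main__":
    fix = "--fix" in sys.argv[1:]  # audit only unless --fix is given
    for sub in subscription_ids():
        assignment = az_rest("get", assignment_url(sub))
        effect = effect_of(assignment)
        print(f"{sub}: {PARAM} = {effect or 'not set (initiative default applies)'}")
        if fix and is_monitoring_disabled(assignment):
            az_rest("put", assignment_url(sub), remediation_body(assignment))
            print(f"{sub}: set {PARAM} to {ENABLED}")
```

Run it with no arguments to audit every subscription the logged-in identity can see, and with --fix to remediate only those where the effect is explicitly "Disabled". Remediation requires a role that can write policy assignments (for example Resource Policy Contributor) on each subscription.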

Publication date Mar 27, 2020
