Azure AD Identity Protection - Risky Workload alert e-mail notification

Derk van der Woude
5 min readDec 2, 2022

--

Let’s start with thanks and credits for the Azure AD Identity Protection product group for working closely together on the latest detection and remediation features. For our partner webinar Azure AD Identity Protection on Azure AD Workloads see https://www.youtube.com/watch?v=r_pPc6QhPlM

In my previous blog Leaked credentials for Workload identities,
I described Azure AD Identity Protection detecting Leaked credentials (App ID & Secret) for Service Principal(s) credentials found on public GitHub repositories.

Since the new workload detection(s) are not yet visible in Microsoft 365 Defender (and Microsoft Sentinel via the bi-directional data connector) I wrote this blog describes which to explain how to leverage Azure logic apps for e-mail notification of workload identity (high) risk events to the application owners of the compromised application.

E-mail notification of workload identity risk events to application owners

If a workload identity risk is detected, an e-mail is automatically send to the application owner.

An Application Owner is specified in the Azure AD - Enterprise Application - Owners section (the account should be mail-enabled to receive the notification).

High level configuration of the notification process:

  • Stream Risky Events to an Event Hub
  • Create a Logic App

1.1 Stream Risky Events to an Event Hub

Create an Azure Event Hub, Azure Event Hubs is a managed service for real-time data ingestion. Then configure Azure AD Diagnostic settings to stream Azure AD (Service Principal Risk) logs to the Azure Event Hub namespace (leave the optional Event Hub name empty).

To simulate a risk event dismiss or confirm a service principal compromise.

After ~5–10 minutes the event is visible in the Event Hub.

Event Hub name(s) are automatically created from the events logs, e.g. the Azure AD category ServicePrincipalRiskEvents (selected in the Diagnostic settings).

is created as the Event Hub name insights-logs-serviceprincipalriskevents, which is required for the Logic App to function.

1.2.1 Create a Logic App

Download the NotifyAppOwner.json template. Open the Azure Portal and search for Deploy a custom template.

Select Build your own template in the editor, select Load file, select the NotifyAppOwner.json file and click Save. Select the previous resource group, keep the defaults as shown below and click Review + create.

1.2.2 Set permissions for the Logic App ‘NotifyAppOwner’

The deployment of the logic app ‘NotifyAppOwner’ automatically enables the managed identity for the logic app, we only need to add the following permissions:

Event Hub permissions

Go to the Event Hub and assign the Access control (IAM) role Azure Event Hub Data Receiver to the Managed Identity ‘NotifyAppOwner’.

Graph API permissions

Grant the following graph permissions (see below) to the logic app ‘NotifyAppOwner’ managed identity via the Graph API (UX not available):

  • User.Read.All
  • Application.Read.All

The PowerShell script below (set per permission so run two times, change the $PermissionName) requires Global Administrator permissions.

# Install the AzureAD module
Install-Module AzureAD

# Variables
$TenantID=”provide the tenant ID”
$GraphAppId = “00000003–0000–0000-c000–000000000000”
$DisplayNameOfMSI=”Provide the Logic App name”
$PermissionName = “graph permissions”

# Set Permissions
Connect-AzureAD -TenantId $TenantID
$MSI = (Get-AzureADServicePrincipal -Filter “displayName eq ‘$DisplayNameOfMSI’”)
Start-Sleep -Seconds 10
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter “appId eq ‘$GraphAppId’”

$AppRole = $GraphServicePrincipal.AppRoles | `
Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains “Application”}
New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id

1.2.3 Authorize the API Connections in the Logic App

Select the Logic app designer in the Logic App ‘NotifyAppOwner’ and expand the Connections (Step 1 - When events are available in Event Hub).

Click Add new connection and use the parameters below (Namespace Endpoint is the Host name of the Event Hub namespace).

sb://EH-RWIAR.servicebus.windows.net/

Click Create

Verify the settings above and click Save. Finally authorize the office 365 API connection with an mail-enabled (mailbox) account.

The end result is as follows

1.3 Validate the process

Validate via workload identity risk simulation (simulate leaked credential, see my previous blog or dismiss / confirm a service principle risk) and check the Logic app Run history.

The result is the application owner gets an e-mail if there is a workload (service principal) risk detection via Azure AD Identity Protection.

Ps. at first I was not seeing the Risk Details for the Leaked Credentials detection, by making the small modification (add riskEventType and additionalInfo) below to the Logic App it solved the issue.

Thanks for reading and I hope this will help customers to quickly detect and remediate Azure AD workload compromise detected by Azure AD Identity Protection.

--

--