Microsoft has advised its reseller community it needs to pay attention to the debut of improved security tooling aimed at making it harder for attackers to worm their way into your systems through partners.
That service providers can be used to attack their customers is not in dispute: recent exploits targeting ConnectWise, SolarWinds, and Kaseya made that plain. If you need extra proof, recall that just last week the Five Eyes nations’ intelligence agencies urged managed services providers to harden up in the face of increased attacks.
Microsoft currently lets its resellers gain “delegated administration privileges” (DAP) that let them manage a customer’s services, software, or subscriptions.
Customers must authorize partners before a DAP will work. If an attacker can secure DAP access, it’s bad news for customers as it could allow access to their systems and/or cloudy resources, and potentially expensive for partners as they’re controversially on the hook if customers don’t pay their bills.
Microsoft knows DAP is not perfect so is replacing it with granular delegated admin privileges (GDAP). As the name implies, GDAP offers finer controls and a zero-trust model. GDAP authorizations can last from a day to two years, can’t be auto-renewed, and do not permit partners to take actions such as administering external identities in Active Directory.
Microsoft reckons that users with regulatory requirements to only offer outsiders least-privileged access will appreciate GDAP.
GDAP will become generally available “by early June 2022” according to a Microsoft notice for partners. It’s already possible to use it on production workloads, if resellers want to skill up in advance of its formal debut.
GDAP will replace DAP by the end of 2022, so some hands-on time seems advisable.
One of the recommended steps to adopt GDAP is to review any unused DAP authorizations – Microsoft reckons they’re ripe for exploitation by criminals – ahead of a move to GDAP.
Early in Q3, Microsoft will release a tool to migrate remaining DAPs to GDAPs, but that software will only be available temporarily. Also in Q3, Microsoft will stop allowing creation of new DAPs. And in Q4, Microsoft will help partners to finish the job of moving from DAPs to GDAPs.
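The review step above, written out as an added example that is not Microsoft's tooling or part of the original article: a small audit over a constructed inventory of partner authorizations that flags legacy DAPs, idle DAPs, and GDAP grants that break the one-day-to-two-year, no-auto-renew rules. The record layout, the 90-day idle threshold and the customer names are this example's own assumptions, not Microsoft's API schema or guidance.

```python
from datetime import date

# Constructed inventory of delegated-admin authorizations (assumed field names,
# not Microsoft's API schema). "kind" is "DAP" (legacy, open-ended) or "GDAP".
AUTHORIZATIONS = [
    {"id": "dap-contoso", "kind": "DAP", "granted": date(2019, 3, 1),
     "expires": None, "last_used": date(2021, 11, 3), "auto_renew": False},
    {"id": "gdap-fabrikam", "kind": "GDAP", "granted": date(2022, 5, 1),
     "expires": date(2023, 5, 1), "last_used": date(2022, 5, 10), "auto_renew": False},
    {"id": "gdap-tailspin", "kind": "GDAP", "granted": date(2022, 1, 1),
     "expires": date(2025, 1, 1), "last_used": date(2022, 5, 12), "auto_renew": True},
]

TODAY = date(2022, 5, 16)   # fixed review date so the example is reproducible
MAX_GDAP_DAYS = 730         # two-year ceiling the article cites
UNUSED_AFTER_DAYS = 90      # idle threshold for "unused"; an assumption of this example


def audit(auths, today):
    """Return (authorization id, finding) pairs a reviewer should act on."""
    findings = []
    for a in auths:
        idle_days = (today - a["last_used"]).days
        if a["kind"] == "DAP":
            # Every legacy DAP has to go before Microsoft retires DAP.
            findings.append((a["id"], "legacy DAP: plan migration to GDAP"))
            if idle_days > UNUSED_AFTER_DAYS:
                findings.append((a["id"], f"unused DAP ({idle_days} days idle): remove now"))
            continue
        # GDAP must be time-bound, capped at two years, and never auto-renewed.
        if a["expires"] is None:
            findings.append((a["id"], "GDAP without expiry: not a valid time-bound grant"))
        elif (a["expires"] - a["granted"]).days > MAX_GDAP_DAYS:
            findings.append((a["id"], "GDAP term exceeds the two-year maximum"))
        if a["auto_renew"]:
            findings.append((a["id"], "auto-renew set: the customer must re-approve GDAP"))
    return findings


def run_audit():
    """Audit the constructed inventory as of the fixed review date."""
    return audit(AUTHORIZATIONS, TODAY)


if __name__ == "__main__":
    for auth_id, finding in run_audit():
        print(f"{auth_id}: {finding}")
```
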
Microsoft users clearly need to have a chat with whoever sells and/or tends their software about whether they are rooting out old DAPs and making the transition to GDAP, and how they plan to put the new gear to work. And Microsoft resellers need to be able to answer that question – because nobody wants a DAP-to-GDAP gap. ®