Least Privilege for Azure: Temporary Access

a year ago
Written by
Dan Gillespie
Elsie Phillips

Managing user permissions and group membership within Azure is a time suck. The weeks of back and forth between requesters, managers, and admins cut into valuable work time.

When pursuing least privilege, you multiply the complexity and time necessary to do that management. Automation is the only way to dynamically manage permissions and roles for your cloud resources in a scalable way.

With Indent’s new native integration, you can easily automate least privilege within Azure Active Directory.

Indent is built to get temporary access to engineers quickly through a Slack or email-based workflow. Requests are automatically routed based on your compliance policies and revoked after the approver’s set duration. Certain resources can also be configured to instantly approve based on the requester’s on-call status.

With guardrails that expedite and protect the entire access lifecycle, your access control policies are followed every time.

Rather than slowing teams down, moving to on-demand, least-privilege access has helped teams like Modern Treasury give access to their production resources securely in under one minute.

By implementing time-bound, role-based access control for Azure with Indent, you give valuable time back to your team while also protecting against resource misuse and attacks.

If you’re ready to automate least privilege in Azure: Get early access

What Does Using Microsoft Azure AD + Indent Look Like?

Let’s look at an example of how Indent can help your team get access faster and more securely. Story time!

Alex is an engineer at Acme Corp, which uses Azure for their cloud resources. This week Alex is on-call.

At the beginning of their on-call rotation week, Alex opens Indent and requests membership of the on-call mailing list.

By holding membership of the list only while on-call, Alex keeps their inbox less cluttered, and there’s less sensitive information floating around needlessly.

A few days later, Alex gets pinged. There’s an outage on the website which requires SQL server access to resolve.

Again, Alex opens Indent and requests access to the “Engineering: Production” Active Directory group for three hours and gives the following reason: “On-call to resolve issue #5543”.

If Alex wasn’t on-call, that request would get routed according to Acme’s policies to Alex’s manager, the VP of Engineering, for approval.

Because Alex is on-call, though, Indent is able to verify Alex’s on-call status in PagerDuty. Alex is then instantly granted access to the “Engineering: Production” group, which has admin SQL server permissions, so they can get to work investigating the incident.

Alex is able to resolve the outage within those three hours and goes back to bed. At the three-hour mark, Indent automatically deprovisions Alex’s elevated access to the SQL server by moving them out of the “Engineering: Production” group.

All those access changes get logged in an easily exportable way for security and compliance purposes. At the end of the week, Alex is also automatically removed from the on-call mailing list.

At the end of the quarter, admins at Acme Corp do not need to review Alex’s elevated SQL server permissions because they were automatically deprovisioned.
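The access lifecycle in the story above (request, on-call check, routing to the manager, time-bound grant, automatic revocation, audit log) can be modelled as a small policy engine. The following is an added illustration, not Indent’s code and not the Azure AD or Microsoft Graph API: group membership is an in-memory dictionary standing in for the directory, the on-call lookup is a constructed set standing in for PagerDuty, and the group names, the manager map, the auto-approve policy and the eight-hour cap on any grant are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple

# Policy knobs (constructed for this example, not values from the post):
# groups an on-call engineer may enter with no human approver, and the longest
# window any approver may hand out.
AUTO_APPROVE_FOR_ON_CALL: Set[str] = {"Engineering: Production"}
MAX_GRANT = timedelta(hours=8)


@dataclass
class AccessRequest:
    user: str
    group: str
    duration: timedelta
    reason: str
    requested_at: datetime


@dataclass
class Grant:
    user: str
    group: str
    approved_by: str
    expires_at: datetime
    revoked: bool = False


class AccessBroker:
    """Routes requests, edits group membership, expires grants and keeps an audit log.

    Membership is an in-memory dict standing in for Azure AD groups; a real broker
    would add and remove the member through the directory API instead.
    """

    def __init__(self, is_on_call: Callable[[str], bool], managers: Dict[str, str]):
        self.is_on_call = is_on_call                  # stand-in for the PagerDuty check
        self.managers = managers                      # requester -> routed approver
        self.members: Dict[str, Set[str]] = {}        # group -> current members
        self.grants: List[Grant] = []
        self.pending: List[Tuple[AccessRequest, str]] = []
        self.audit_log: List[dict] = []

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"event": event, **fields})

    def _grant(self, req: AccessRequest, approved_by: str, start: datetime, duration: timedelta) -> Grant:
        grant = Grant(req.user, req.group, approved_by, start + duration)
        self.members.setdefault(req.group, set()).add(req.user)
        self.grants.append(grant)
        self._log("granted", user=req.user, group=req.group, approved_by=approved_by,
                  expires_at=grant.expires_at.isoformat(), reason=req.reason)
        return grant

    def request(self, req: AccessRequest) -> dict:
        """Auto-approve on-call requests to eligible groups; route everything else."""
        if req.duration > MAX_GRANT:
            self._log("rejected", user=req.user, group=req.group, why="duration exceeds cap")
            return {"status": "rejected"}
        if req.group in AUTO_APPROVE_FOR_ON_CALL and self.is_on_call(req.user):
            grant = self._grant(req, "policy:on-call", req.requested_at, req.duration)
            return {"status": "granted", "expires_at": grant.expires_at}
        approver = self.managers[req.user]
        self.pending.append((req, approver))
        self._log("pending", user=req.user, group=req.group, approver=approver, reason=req.reason)
        return {"status": "pending", "approver": approver}

    def approve(self, req: AccessRequest, approver: str, now: datetime,
                duration: Optional[timedelta] = None) -> Grant:
        """Human approval: only the routed approver may act, and may shorten the window."""
        if (req, approver) not in self.pending:
            raise PermissionError(f"{approver} is not the routed approver for this request")
        self.pending.remove((req, approver))
        return self._grant(req, approver, now, min(duration or req.duration, MAX_GRANT))

    def expire(self, now: datetime) -> List[Grant]:
        """Revoke every active grant whose window has closed (what a scheduler would run)."""
        revoked = []
        for g in self.grants:
            if not g.revoked and g.expires_at <= now:
                self.members[g.group].discard(g.user)
                g.revoked = True
                self._log("revoked", user=g.user, group=g.group, at=now.isoformat())
                revoked.append(g)
        return revoked

    def has_access(self, user: str, group: str) -> bool:
        return user in self.members.get(group, set())


def run_story() -> AccessBroker:
    """Replays the scenario above with constructed data: Alex is on call, Sam is not."""
    on_call = {"alex"}
    broker = AccessBroker(lambda u: u in on_call, {"alex": "vp-eng", "sam": "vp-eng"})
    t0 = datetime(2024, 1, 8, 2, 0, tzinfo=timezone.utc)
    prod = "Engineering: Production"
    broker.request(AccessRequest("alex", prod, timedelta(hours=3), "On-call to resolve issue #5543", t0))
    sam = AccessRequest("sam", prod, timedelta(hours=2), "Help with the outage", t0)
    broker.request(sam)                                         # not on call: routed to vp-eng
    broker.approve(sam, "vp-eng", t0 + timedelta(minutes=30), timedelta(hours=1))
    broker.expire(t0 + timedelta(hours=2))                      # Sam's window has closed, Alex's has not
    broker.expire(t0 + timedelta(hours=3))                      # the three-hour mark
    return broker
```

Two design points carry over to any real implementation of this pattern: revocation is driven by the grant’s recorded expiry rather than by anyone remembering to act, and the audit log records who (or which policy) approved each grant and when it was revoked, which is exactly the evidence a quarterly access review needs.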

Microsoft Azure + Indent Use Cases

Here are some examples of how Indent can help you manage resource access within Azure:

  • Grant and revoke access to resources in Azure
    • Indent is able to move users in and out of groups in Azure AD.
  • Lock down access in Microsoft 365 to implement least privilege
    • Set up Azure AD groups that grant role-based access to documents in SharePoint or a Power BI workspace.
  • Add and remove users from sensitive mailing lists
    • When a user has a specific need to be part of a sensitive mailing list (gdpr@) they can request time-bound membership on-demand.
  • Streamline contractor onboarding and offboarding
    • Allow contractors to request only the access they need and automatically expire their permissions after the end of their contract.

Benefits of Azure + Indent

By managing Azure resources with Indent you can:

  1. Simplify Management of Azure Resources
    • Indent provides a centralized platform to manage cloud apps and infra.
    • This means that businesses can easily manage access to their resources inside and outside Azure through Indent.com or Slack, rather than navigating multiple portals.
  2. Automate Provisioning and Deprovisioning
    • With Indent you can automatically provision and deprovision users for Azure services, ensuring that users have access only to the resources they presently need.
  3. Enhance Security & Simplify Compliance in Microsoft 365
    • Complementing Microsoft Entra's Security features, Indent helps teams enforce their access control policies across their cloud resources, ensuring that access is granted only to authorized users when they need it.
    • All access related data is logged for a later security review or for inclusion in compliance audits.
    • By allowing users to request access on-demand, your team is doing real-time access reviews, greatly reducing the number of user access reviews needed at the end of the quarter to maintain compliance.
  4. Optimize Spend
    • With Azure’s group policies, you can install software on a user’s machine based on their membership of an Active Directory group.
    • By dynamically moving users in and out of those groups, teams are able to save money on unused software licenses.

Join the Early Access Program

At this point, you might have two questions:

  1. What does setup look like?
  2. How do I start using Indent for Azure?

Setting up the Indent integration for Azure is as easy as clicking through an OAuth flow for your Azure AD tenant. From there you can set up your policies and start granting group membership.

Start automating least privilege in Azure and help shape the future of Indent for Azure: sign up now or talk to our team for a demo.

Try Indent for free.