Microsoft Azure Security Advisory - Elevation of Privilege through Azure Resource Manager and Classic Azure Service Management


Hi everyone,

I got an email from Microsoft last week that I just hadn’t had time to write up on yet, so here we go.

On the 3rd April Microsoft mitigated an issue that could cause guest users of an Azure AD tenant to be granted a subscription “Classic Co-Administrator” Role beyond its expiry.

The workflow for this issue was as follows:

  • Guest gets invited to another Azure AD Tenant.
  • An Azure AD Subscription Administrator grants the guest the “Classic Co-Administrator” Role.
  • Guest Account is removed from Azure AD Tenant.
  • Guest Account continues to have access to the subscription despite this deletion.

Microsoft have mitigated the issue by disallowing requests that are made by Classic Co-Administrators that aren’t in the tenant. Error messages will include that they don’t have authorization to perform the actions, and/or the scope is invalid.

Microsoft have provided the following guidance:

  • If you legitimately require this functionality, re-invite these users to your tenant. Grant them the least-privileged access possible for their requirements using Azure RBAC, as Classic Co-Administrator is soon to be deprecated.
  • Review your activity logs, cost management, and resource changes to ensure configurations are as expected, and no unexpected changes have been performed to your tenant.

Microsoft should have emailed you if any of your subscriptions could’ve been impacted by this issue, but it’s certainly good practice to carry out random health checks around the times of these events!
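As an added example (not from the original post, and not Microsoft's tooling), the script below does the two checks the guidance asks for offline against constructed sample data: it lists classic administrator assignments whose principal no longer exists in the tenant, and then pulls every successful activity-log operation performed by those principals. The input shapes are an assumption modelled on the JSON that `az role assignment list --include-classic-administrators` and `az monitor activity-log list` return (`principalName`, `roleDefinitionName`, `scope`; `caller`, `operationName.value`, `status.value`, `eventTimestamp`); the tenant user list stands in for the output of `az ad user list`. Swap the embedded samples for real exports to run it against your own subscription.

```python
import json

# Classic (pre-RBAC) subscription administrator roles as they appear in role
# assignment listings. Only these are in scope for the issue described above.
CLASSIC_ROLES = {"CoAdministrator", "ServiceAdministrator", "AccountAdministrator"}

# Constructed sample shaped like the JSON from
# `az role assignment list --include-classic-administrators -o json`
# (the field names are an assumption based on that output, not from the post).
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"principalName": "alice@contoso.example",  "roleDefinitionName": "ServiceAdministrator",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "guest@fabrikam.example", "roleDefinitionName": "CoAdministrator",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "bob@contoso.example",    "roleDefinitionName": "CoAdministrator",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "deploy-sp",              "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"}
]
"""

# Constructed sample: sign-in names of identities that still exist in the tenant
# (e.g. collected from `az ad user list`). The fabrikam guest has been removed.
SAMPLE_TENANT_USERS = ["Alice@contoso.example", "bob@contoso.example"]

# Constructed sample shaped like `az monitor activity-log list -o json` entries
# (again, the field layout is an assumption).
SAMPLE_ACTIVITY_LOG_JSON = """
[
  {"caller": "guest@fabrikam.example", "eventTimestamp": "2023-03-30T08:12:00Z",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
   "status": {"value": "Succeeded"}},
  {"caller": "guest@fabrikam.example", "eventTimestamp": "2023-03-30T08:20:00Z",
   "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
   "status": {"value": "Failed"}},
  {"caller": "bob@contoso.example", "eventTimestamp": "2023-03-30T09:00:00Z",
   "operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
   "status": {"value": "Succeeded"}}
]
"""


def find_orphaned_classic_admins(assignments, tenant_users):
    """Return classic admin assignments whose principal no longer exists in the tenant."""
    present = {u.casefold() for u in tenant_users}  # sign-in names are case-insensitive
    orphaned = []
    for a in assignments:
        if a.get("roleDefinitionName") not in CLASSIC_ROLES:
            continue  # RBAC assignments are out of scope for this issue
        principal = a.get("principalName", "")
        if principal.casefold() not in present:
            orphaned.append({"principal": principal,
                             "role": a["roleDefinitionName"],
                             "scope": a.get("scope", "")})
    return orphaned


def successful_actions_by(activity_log, principals):
    """Successful operations in the activity log performed by the given callers."""
    wanted = {p.casefold() for p in principals}
    hits = []
    for event in activity_log:
        if event.get("caller", "").casefold() not in wanted:
            continue
        if event.get("status", {}).get("value") != "Succeeded":
            continue  # failed attempts are worth a look too, but are not changes
        hits.append((event["eventTimestamp"], event["caller"],
                     event["operationName"]["value"]))
    return sorted(hits)


def run_audit(assignments=None, tenant_users=None, activity_log=None):
    """Run both checks; defaults to the constructed samples above."""
    if assignments is None:
        assignments = json.loads(SAMPLE_ASSIGNMENTS_JSON)
    if tenant_users is None:
        tenant_users = SAMPLE_TENANT_USERS
    if activity_log is None:
        activity_log = json.loads(SAMPLE_ACTIVITY_LOG_JSON)

    orphaned = find_orphaned_classic_admins(assignments, tenant_users)
    actions = successful_actions_by(activity_log, [o["principal"] for o in orphaned])
    return {"orphaned": orphaned, "actions": actions}


if __name__ == "__main__":
    report = run_audit()
    for o in report["orphaned"]:
        print(f"ORPHANED {o['role']} {o['principal']} on {o['scope']}")
    for ts, caller, op in report["actions"]:
        print(f"  {ts} {caller} {op}")
```

On the sample data the report flags the removed guest's CoAdministrator assignment and its one successful write; a real run would use the full activity-log window since the guest was removed, and any hit is the trigger to remove the classic assignment and re-grant via Azure RBAC if the access is still needed.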


2 comments

Userlevel 7
Badge +20

It is funny I get your blog site updates and read them there before here.  😂

Great article.

Userlevel 7
Badge +9

I shudder, thank you @MicoolPaul for sharing.
I was just reading yesterday that in the April patch they fixed at least 20 Elevation of Privilege Vulnerabilities and one zero-day, CVE-2023-28252 - Windows Common Log File System Driver Elevation of Privilege Vulnerability.
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2023-patch-tuesday-fixes-1-zero-day-97-flaws/ 