Perform hands-on prototyping of AAD PIM for Groups to plan Scuba baseline document and source code changes #755

Status: Closed · 8 tasks done
tkol2022 opened this issue Dec 19, 2023 · 2 comments
Labels: hands-on-prototyping (Reviewing an M365 feature by performing hands-on prototyping)

Comments

@tkol2022 (Collaborator) commented Dec 19, 2023

💡 Summary

Perform hands-on prototyping of the AAD PIM for Groups features within the context of AAD baseline section 7 privileged user policies. The purpose of this work is to plan the detailed Scuba baseline document and ScubaGear source code changes related to PIM for Groups.

Implementation notes

  • Review the previous hands-on impact analysis that was performed in issue #376 (Update AAD baseline policies and instructions to include PIM for Groups)
  • Recreate Ted's PIM Test Group and assign some test users to the group
  • Repeat each of the hands-on analysis steps in issue #376 (Update AAD baseline policies and instructions to include PIM for Groups) with the new group of test users
  • Test the double approval scenario and document how we might handle it appropriately in the baseline and code. The complication comes in when you consider that we probably wouldn't want to create a scenario where there is an approval to activate a role and an approval to activate membership in a group assigned to the role. That would create the need for a double approval, which wouldn't make operational sense. Therefore we may end up having to create logic for checking if the role requires approval to activate or if the group requires approval to activate membership, but NOT both.
  • PIM for Groups has a concept of a Member versus an Owner of a group. Each type has their own configuration settings and therefore we might need to check both for the policies. This requires further hands-on prototyping and analysis.
  • Document the outcome of each test
  • Document the changes that are necessary to both the baseline document policies and the policy instructions
  • Document what changes are necessary to the ScubaGear AAD provider code to acquire the data needed to evaluate each of the policies
@tkol2022 (Collaborator, Author) commented

Test results

I tested the various ways in which users can be assigned to PIM groups and the various ways in which PIM groups can be assigned to PIM roles. I also tested the PIM group "owner" versus "member" feature to determine the difference between the two.

This spreadsheet contains the details of the test results: PIM role assignment scenarios.xlsx

Some of our existing AAD provider code in Get-PrivilegedUser handles when users are assigned to PIM groups, but there are a couple of gap scenarios which are described below. I enhanced the code to account for the gap scenarios using an additional PIM cmdlet. Below are the gaps:

  • ScubaGear does not detect the user when they are in the PIM group as Eligible even though the group is assigned to a role as Active.
  • ScubaGear does not detect the user when they are in the PIM group as Eligible and the group is assigned to a role as Eligible.

Regarding PIM group owner versus member:

  • Being a PIM group owner gives a user the ability to assign other users to the group but does not give the owner the roles assigned to the group
  • Being a PIM group member gives the user whatever roles are assigned to the group
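
The two gap scenarios and the owner-versus-member finding in the comment above, shown as an added example (this is not ScubaGear's Get-PrivilegedUser code and does not reflect the enhancement the author describes). It assumes the Microsoft.Graph.Beta modules are installed and that Connect-MgGraph has already been run with at least the RoleManagement.Read.Directory, PrivilegedAccess.Read.AzureADGroup, GroupMember.Read.All and Directory.Read.All scopes. The cmdlet names are from the Microsoft Graph PowerShell SDK (beta); the function name Get-RoleHolderPaths and the output shape are this example's own. For a role, it walks both active and eligible role assignments, expands any assigned group into its active members and its PIM-eligible members, and counts only accessId 'member' because owners do not receive the group's roles:

```powershell
# Added example, not project code: list every path by which a user holds, or can
# activate into, a directory role, including paths through PIM for Groups.
# Assumes Connect-MgGraph has been run with the scopes named in the lead-in.
function Get-RoleHolderPaths {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $RoleDefinitionId
    )

    # Role assignments to the role, tagged with how the principal holds it.
    $filter = "roleDefinitionId eq '$RoleDefinitionId'"
    $roleAssignments = @()
    $roleAssignments += Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $filter -All |
        ForEach-Object { [pscustomobject]@{ PrincipalId = $_.PrincipalId; RoleAssignment = 'Active' } }
    $roleAssignments += Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -All |
        ForEach-Object { [pscustomobject]@{ PrincipalId = $_.PrincipalId; RoleAssignment = 'Eligible' } }

    foreach ($assignment in $roleAssignments) {
        $principal = Get-MgBetaDirectoryObject -DirectoryObjectId $assignment.PrincipalId
        $type = $principal.AdditionalProperties['@odata.type']

        if ($type -eq '#microsoft.graph.user') {
            # Direct assignment: the user holds the role without a group in between.
            [pscustomobject]@{
                UserId          = $principal.Id
                RoleAssignment  = $assignment.RoleAssignment
                GroupId         = $null
                GroupAssignment = 'Direct'
            }
            continue
        }

        # Service principals and other object types are out of scope for this example.
        if ($type -ne '#microsoft.graph.group') { continue }

        # Users who are ACTIVE members of the group. This is the case a plain
        # group-member lookup already covers.
        Get-MgBetaGroupMember -GroupId $principal.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
            ForEach-Object {
                [pscustomobject]@{
                    UserId          = $_.Id
                    RoleAssignment  = $assignment.RoleAssignment
                    GroupId         = $principal.Id
                    GroupAssignment = 'Active'
                }
            }

        # Users who are ELIGIBLE members of the PIM group. They are absent from the
        # group's member list until they activate, so the lookup above misses them
        # whether the group itself is Active or Eligible for the role (the two gap
        # scenarios). Only accessId 'member' is counted: a PIM group owner can
        # manage membership but does not receive the group's roles.
        Get-MgBetaIdentityGovernancePrivilegedAccessGroupEligibilityScheduleInstance -Filter "groupId eq '$($principal.Id)'" -All |
            Where-Object { $_.AccessId -eq 'member' } |
            ForEach-Object {
                [pscustomobject]@{
                    UserId          = $_.PrincipalId
                    RoleAssignment  = $assignment.RoleAssignment
                    GroupId         = $principal.Id
                    GroupAssignment = 'Eligible'
                }
            }
    }
}

# Usage: every path by which a user can hold Global Administrator
# (62e90394-69f5-4237-9190-012177145e10 is the well-known template id for that role).
Get-RoleHolderPaths -RoleDefinitionId '62e90394-69f5-4237-9190-012177145e10' |
    Sort-Object UserId |
    Format-Table UserId, RoleAssignment, GroupId, GroupAssignment
```

A row with RoleAssignment 'Eligible' and GroupAssignment 'Eligible' is the case where two activations (and potentially two approvals) stand between the user and the role, which is the double-approval situation the issue body flags for the baseline and code design.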

@tkol2022 (Collaborator, Author) commented Jan 11, 2024

Future Changes

The testing that was performed was localized to AAD section policies 7.1 through 7.5, which deal with user assignments to privileged roles. I opened a separate issue, #792, to perform testing on policies 7.6 through 7.9, which deal with the PIM configuration settings for each role. We need to perform some hands-on testing (maybe in the next release) to determine how the existing 7.6 through 7.9 configurations affect users that are assigned to roles via PIM for Groups.
