HR data error gave an intern Global Admin and I didn't catch it until they'd been using it for a week

Posted by Curious-Session4119@reddit | sysadmin | View on Reddit | 19 comments

Our Workday to Entra provisioning is automated based on job title. New hire gets tagged as Software Engineer and the system adds them to groups with Azure access for dev environments. Worked fine until it didn't. Intern started last week. HR fat-fingered their job code and put "Senior Software Engineer" instead of whatever the intern code is. Provisioning saw Senior Engineer and gave them the same access as our principal devs. Production Azure subscriptions, deployment pipelines, all of it. Kid spent the week deploying code to what they thought was dev but was actually prod. Logs looked normal because technically they had valid access. Caught it Friday during access review. Intern had access to customer databases and everything else. Nothing bad happened but that's just luck. The automation worked exactly like we built it but the input data was wrong. Now I need to add some kind of validation without making every new hire require manual approval because that kills the whole point of automating this.

19 Comments

[-]

PigeonRipper@reddit

Except you are a bot shill account, apparently you are also a teacher while simultaneously a sysadmin, not to mention an expert in a ridiculous number of other domains. Not sure why I bother anymore, but for other real humans here, be aware that we've probably crossed a point where most of these posts are just engagement bait, even the less obvious ones, like this one.

koliat@reddit

It’s outrageous Reddit admins just let it happen

Bughunter9001@reddit

It's good for the share price, that's all that matters There are still a good number of smaller niche subs that are worth sticking around for, but once anything becomes reasonably popular, they're worthless, full of ai spam, my subscribed subs list gets smaller and smaller by the day

We desperately need an alternative platform with a small but non refundable sign-up fee so that bans actually hurt. Finding myself engaging with closed discord communities more because of this bullshit, and I really don't like discord but it's at least mostly bot free...

EEEEclipse@reddit

Why can HR grant GA access? This either didn't happen or the onboarding procedure is flawed.

aretokas@reddit

And why is GA applicable to normal users? And why is GA even an automated role at any level? And And And So many red flags.

KareemPie81@reddit

And why is software dev a GA.

Cooleb09@reddit

Because they whine to someone high enough up the chain to approve and too spineless to reject.

Competitive_Smoke948@reddit

shouldn't have global admin except for break glass. should have 2 non MFA global admins for emergencies with stupid passwords. NO ONE ELSE should be global admin.....especially devs. Even Infrastructure guys should have rights that aren't global admin. If GA gets hacked; it's game over. shouldn't be using it

DarthTrader1@reddit

Bot account for rage engagement

B0797S458W@reddit

Giving out GA to job specific job roles is the problem here, not HR.

mike9874@reddit

You're going to get a lot of people disagreeing with your setup. * Why are people always active for privileged roles and not just eligible? * Why does a HR person have rights to make a Global Admin? Do you treat their account with the amount of security controls a Global Admin account would have? * Although not clearly said, your post suggests that the standard user account is the one getting the privileged access. That's bad practice because standard accounts are more likely to be compromised. There should be a separate admin account. * Why does a software developer need global admin? Why are they doing exchange, SharePoint, teams and intune work? There should be segregation of duties. Or do they just need to deal with app registrations and someone went overboard with permissions? Entra can be so granular these days there's no excuse for this one

malwareguy@reddit

Yep this is a breach or major outage waiting to happen, terrible design.

RunningAtTheMouth@reddit

Sounds like you need a little bit of management by exception. Automate all the standard roles. Anything that grants any kind of high-level access (the kind that can be a problem) automatically gets manual implementation. Script all the non-critical roles and ping the appropriate person/group to handle the dangerous accounts. Off the top of my head, that's probably the most reasonable course.

dmznet@reddit

There are so many issues here.. no way that automation passed a security audit.

SnooOwls5756@reddit

Why does a senior dev automatically gets GA? I would NEVER for the live of me hand out GA or admin roles automatically - it is probably a miracle that this is the first instance of a mishandling, but most likely there are major unknown security liabilities already in the system...

GrafEisen@reddit

I don't think you should be granting global admin via HR-derived automation. Most things can be accomplished with lesser roles, and the folks at your company with GA should have separate dedicated GA accounts. You can tie the lifecycle of those accounts into the HR automation feed, but I wouldn't grant high power directory roles based on HR data, since that means a compromised HR employee's account could elevate privilege to GA in your Entra tenant.

SinTheRellah@reddit

Why the fuck do you allow GA access to be handled out like that?

jimicus@reddit

Or you could separate out certain permissions so they’re not handled by the HR integration.

Reply to Post

19 Comments