Script to audit managed identities on VM and their role assignment

Managed Identity in Azure is not new. Everyone loves it. People use it more often these days. Managed Identity would reduce the overhead of managing secrets or kind of certificate. However, the Managed Identity feature also introduces a new risk if misused.

This article is not going to introduce Azure Managed Identity again. Instead, it will provide a PowerShell script to help you quickly audit your VM(s) and VM Scale set(s) in your Azure environment to check if they have managed identities attached and their respective role assignments.

Use Case

As a SecOps analyst, your job is to assess your environment to see if system-assigned managed identity (SAMI) or user-assigned managed identity (UAMI) are enabled/attached on VM(s) or VM Scale set(s). Moreover, you would like to see if those managed identities have unnecessary role assignments in your environment. The assessment would give you an insight and help mitigate threats as possible. If a virtual machine is compromised, chances are the attacker has already successfully acquired the access token then performs wider reconnaissance.

This is an example of how a compromised managed identity’s access token on a VM can lead to a successful lateral movement

Script

I have developed a script to help check SAMI and UAMI on VM(s) and VM Scale set(s). The script also provides role assignments of all managed identities found.

  • [+] The script can be found here.

You can modify the script to loop all subscriptions or export to a CSV. You can also upload them to Azure Sentinel Watchlist. Refer to the article below:

Create an Azure Role Assignment Watchlist in Azure Sentinel

Resource Graph Explorer

I know I can do almost everything with Azure PowerShell. I’m wondering if I can write a query to do something real quick in Resource Graph Explorer? The answer is no. In Resource Graph Explorer you can only check if VM(s) or VM Scale set(s) has managed identity or not. Use the below one:

// SAMI = System-assigned Managed Identity
// UAMI = User-assigned Managed Identity
// Query to check if VM or VMSS has SAMI or/and UAMI
resources
| join kind=leftouter(
    resourcecontainers 
    | where type=='microsoft.resources/subscriptions' 
    | project subscriptionName=name, subscriptionId
) on subscriptionId
| where type =~ "microsoft.compute/virtualmachines" or
        type =~ "microsoft.compute/virtualMachineScaleSets"
| extend identityType = identity.type
| extend hasManagedIdentity = iff(identity == "", "No", "Yes"),
         isSystemAssignedEnable = iff(identityType contains "SystemAssigned", "Yes", "No")
| project subscriptionId, 
          subscriptionName, 
          name, 
          resourceGroup, 
          identityType, 
          hasManagedIdentity, 
          isSystemAssignedEnable

If you have any feedback, please feel free to leave a comment in the Comment box or create a new GitHub issue.

This entry was posted in Identity & Access Control, Security Automation and tagged , . Bookmark the permalink.

1 Response to Script to audit managed identities on VM and their role assignment

  1. minwag says:

    Awesome work Azsec! This script saves me a lot in auditing my environment. I found many unnecessary system-assigned managed identities on unattended VMs.

    Thank you very much for your time supporting the community

Leave a Reply

Your email address will not be published.