Security News > 2022 > July > Microsoft gives its partners power to change AD privileges on customer systems – without permission

Microsoft has created a window of time in which its partners can - without permission - create new roles for themselves in customers' Active Directory implementations.

Microsoft wised up to the fact that its partners would likely be targeted, too, and spotted a weakness in the delegated admin privileges that partners are given to manage their customers' software purchases.

The company's fix is granular delegated admin privileges that, as the name implies, still allow partners to administer their customers but offers finer control and follows zero-trust principles so that partners are limited to certain actions.

Starting July 25, Microsoft will provide a tool that allows partners with existing delegated admin privileges relationships to create a GDAP relationship with Azure AD roles - without customer consent.

Partners won't keep this power to change customer rigs forever.

The Register submits that criminals might be busy on those days, too - making just the sort of attacks on partners that Microsoft hopes GDAP will prevent.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/07/01/gdap_permissionless_change_window/