back to article Microsoft gives its partners power to change AD privileges on customer systems – without permission

Microsoft has created a window of time in which its partners can – without permission – create new roles for themselves in customers' Active Directory implementations. Which sounds bonkers, so let's explain why Microsoft has even entertained the prospect. To begin, remember that criminals have figured out that attacking IT …

  1. Warm Braw

    Partners with existing delegated admin privileges (DAP) relationships

    This would seem to be the key phrase: they've already been given specific and potentially broad permission to mess around withmanage their customers' systems. All that's happening is that for a limited period of time that permission is being extended to the new model. I can't immediately see what access this gives to "partners" they did not already have.

    1. Michael Wojcik Silver badge

      Re: Partners with existing delegated admin privileges (DAP) relationships

      Agreed. I don't see how this changes the threat model. Existing administrators get to create accounts with fewer privileges for themselves.

      As for the comment in the article about attackers: if those attackers already have control of a DAP account, you're hosed. This move by Microsoft appears to change nothing in that regard. It's simply to ease the transition to more narrowly scoped privileges, which is a Good Thing.

      I may be missing something, but if so it's certainly not clear from the article or the whinging in comments below.

  2. Binraider Silver badge

    Follow up article saying this has been closed early because; in …3…2…

  3. sitta_europea Silver badge

    What could possibly go wrong?

  4. YetAnotherJoeBlow

    And what if one of those unapproved accounts gets used as the attack vector? While I am not litigious by nature, I would sue everyone and their grandmothers - then retire.

  5. Horst U Rodeinon

    Thank God

    I severed ties with Redmond years ago.

  6. GraXXoR

    One downvote.

    I see one Microsoft parter has downvoted all your comments. Lol

    1. Binraider Silver badge

      Re: One downvote.

      And yours :-P

  7. Jake Maverick

    I read that as government as well....if the don't already have it :-(

  8. razorfishsl

    I have a very angry "support partner" who is spitting blood because i wont give them or allow Admin support in our tenant.

    Even MS says "we have to" so that they can file "support" against any problems we might have....

    apparently they have to go into your tenant and press the support button from INSIDE to get proper support from MS.

    Seems like bullshit to me....

    This was after finding that one of their staff had made an admin object that they "did not know what it was for or when it was made or by whom"

    keeping in mind we are a publicly traded company... and "admin" has the rights to read every email.

    1. Wzrd1

      "keeping in mind we are a publicly traded company... and "admin" has the rights to read every email."

      Odd, as in DoD we configured exchange message stores and the entire exchange system so that only exchange administrators could access exchange beyond their own mailbox and only specific exchange administrators could access the message store and hence, the e-mails.

      A hint that one doesn't have access is to exmerge and the pst files are empty and 32k in size and of course, logged errors in attempting to access the exchange data store.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like