{"id":101727,"date":"2021-11-22T10:00:11","date_gmt":"2021-11-22T18:00:11","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=101727"},"modified":"2023-08-07T15:23:41","modified_gmt":"2023-08-07T22:23:41","slug":"how-to-investigate-service-provider-trust-chains-in-the-cloud","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/","title":{"rendered":"How to investigate service provider trust chains in the cloud"},"content":{"rendered":"<p>In a recent <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/25\/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks\/\" target=\"_blank\" rel=\"noopener\">Microsoft blog post<\/a>, we documented technical guidance for organizations to protect themselves from the latest NOBELIUM activity that was found to target technology service providers, which are privileged in their downstream customer tenants, as a method to gain access to their downstream customers and other organizations within the trust chain.<\/p>\n<p>Microsoft Detection and Response Team (DART) has been assisting multiple organizations around the world in investigating the impact of NOBELIUM\u2019s activities. While we have already engaged directly with affected customers to assist with incident response related to NOBELIUM\u2019s recent activity, our goal with this blog is to help you answer the common and fundamental questions: How do I determine if I am a victim? If I am a victim, what did the threat actor do? How can I regain control over my environment and make it more difficult for this threat actor to regain access to our environments?<\/p>\n<p>This blog outlines steps incident responders can take to investigate potential abuse of these delegated admin permissions, independent of the threat actor. In this blog, we\u2019ll cover:<\/p>\n<ul>\n<li>Identifying trust chains in Microsoft 365 and Microsoft Azure.<\/li>\n<li>Investigating trust chains.<\/li>\n<li>Mitigating malicious activity.<\/li>\n<li>Recommendations: detect and protect.<\/li>\n<\/ul>\n<h2>Identifying trust chains in Microsoft 365 and Microsoft Azure<\/h2>\n<p>Several types of trust chains exist in Microsoft 365 and Microsoft Azure, which include delegated administration privileges (DAP), Azure admin-on-behalf-of (AOBO), Microsoft Azure Active Directory (Azure AD) business-to-business (B2B), multi-tenant Azure AD applications, as well as guest users. Many of these trust chains can grant a high level of access to Azure resources and Microsoft 365, requiring close monitoring.<\/p>\n<h3>Delegated administration privileges<\/h3>\n<p>DAP is a method by which your service providers can administer a Microsoft 365 environment without needing to maintain local identities. DAP can be beneficial for both the service provider and end customer because it allows a service provider to administer a downstream tenant using their own identities and security policies. More information about delegated administration privileges and other admin-on-behalf-of scenarios are available in the following resources:<\/p>\n<ul>\n<li><a href=\"https:\/\/channel9.msdn.com\/Series\/cspdev\/Module-11-Admin-On-Behalf-Of-AOBO#:~:text=Admin%20on%20behalf%20of%20%28AOBO%29%20is%20where%20an,Azure%20AD%20tenant%20on%20behalf%20of%20the%20customer\" target=\"_blank\" rel=\"noopener\">Azure AOBO<\/a>.<\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/partner-center\/azure-plan-manage\" target=\"_blank\" rel=\"noopener\">Manage subscriptions and resources under the Azure plan<\/a>.<\/li>\n<\/ul>\n<p>Service providers with DAP can be identified in the <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/business-video\/admin-center-overview?view=o365-worldwide\" target=\"_blank\" rel=\"noopener\">Microsoft 365 admin center<\/a> by navigating to <strong>Settings <\/strong>then to <strong>Partner relationships. <\/strong>In the Partner relationships pane, you can view a list of all service providers that have established a billing relationship with the tenant and whether the service provider has any roles assigned (refer to Figure 1).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-101769 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-1.png\" alt=\"Partner relationships page in the Microsoft 365 admin center.\" width=\"2528\" height=\"952\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-1.png 2528w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-1-300x113.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-1-1024x386.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-1-768x289.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-1-1536x578.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-1-2048x771.png 2048w\" sizes=\"auto, (max-width: 2528px) 100vw, 2528px\" \/><\/p>\n<p><em>Figure 1. Identifying DAP as a downstream customer.<\/em><\/p>\n<p>While end customers cannot see a list of all users in the service provider\u2019s tenant that can make administrative changes to the end customer tenant, they can view logins by a service provider (refer to Figure 2) by viewing the <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/reports-monitoring\/concept-sign-ins\" target=\"_blank\" rel=\"noopener\">Azure Active Directory sign-in logs<\/a> and filtering for a <strong>Cross tenant access type <\/strong>of <strong>Service provider<\/strong>. The results can be exported by clicking <strong>Download<\/strong> and leveraged to further target your triage across Azure and Microsoft 365.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-101772 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-2.jpg\" alt=\"Sign-on logs sorted by service provider in Azure Active Directory\" width=\"1847\" height=\"762\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-2.jpg 1847w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-2-300x124.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-2-1024x422.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-2-768x317.jpg 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-2-1536x634.jpg 1536w\" sizes=\"auto, (max-width: 1847px) 100vw, 1847px\" \/><\/p>\n<p><em>Figure 2. Sign-ins by service providers.<\/em><\/p>\n<h3>Azure AOBO<\/h3>\n<p>Azure AOBO is similar in nature to DAP, albeit the access is scoped to Azure Resource Manager (ARM) role assignments on individual Azure subscriptions and resources, as well as Azure Key Vault access policies. Azure AOBO brings similar management benefits as DAP does.<\/p>\n<p>Note: To fully assess the AOBO permissions in your subscriptions, ensure you have granted access to the Global Administrator who will be assessing service provider access to all subscriptions in each tenant. Read our documentation for details on <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/role-based-access-control\/elevate-access-global-admin\" target=\"_blank\" rel=\"noopener\">how to elevate to user access administrator<\/a> on the tenant root group.<\/p>\n<p>The Azure AOBO access is added at subscription creation time and can be seen under <strong>Access control (IAM) <\/strong>on a given Azure subscription (refer to Figure 3).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-101775 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-3.png\" alt=\"Foreign principal selected under the role assignments tab in an Azure subscription.\" width=\"2184\" height=\"816\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-3.png 2184w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-3-300x112.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-3-1024x383.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-3-768x287.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-3-1536x574.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-3-2048x765.png 2048w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-3-1420x530.png 1420w\" sizes=\"auto, (max-width: 2184px) 100vw, 2184px\" \/><\/p>\n<p><em>Figure 3. Foreign Principal with Owner role on subscription.<\/em><\/p>\n<p>If you have multiple subscriptions, consider running the following command to identify subscriptions where service providers might have access to resources:<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">Get-AzSubscription % { Set-AzContext -Subscription $_; Get-AzRoleAssignment -Scope &quot;\/subscriptions\/$($_.Id)&quot; Where-Object {$_.DisplayName -like &quot;Foreign Principal for * in Role 'TenantAdmins' (*)&quot;} Select DisplayName, Scope Format-Table}<\/pre>\n<p>It is also possible to grant CSPs direct access to Key Vaults. The following PowerShell command can be used to identify Key Vaults with access policies that allow access via AOBO:<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">Get-AzKeyVault % { $vault = Get-AzKeyVault -VaultName $_.VaultName; if ($vault.AccessPolicies Where-Object {$_.DisplayName -like &quot;Foreign Principal for '*' in role 'TenantAdmins' (*)&quot;}) { $vault |select VaultName,ResourceId Format-Table}}<\/pre>\n<p>The <a href=\"https:\/\/aka.ms\/stormspotter\" target=\"_blank\" rel=\"noopener\">Azure Red Team tool Stormspotter<\/a> can also be used in addition to the above commands for large environments.<\/p>\n<p>The information gathered from the previous steps will be used to scope log review during triage.<\/p>\n<h3>Azure AD B2B<\/h3>\n<p>Azure AD B2B accounts (guests) can be used to administer Azure and Microsoft 365 resources. This method of administrative access leverages an individual existing identity in another tenant and is not typically recommended by Microsoft due to the limitations of control over the identity. Investigators should be mindful of the many ways in which guests can be granted access to resources in Microsoft 365, which may include Exchange Online roles and SharePoint online roles. The guidance for this type of identity should be considered non-exhaustive and focused on Azure AD and Azure specifically. For more information, read our documentation about <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/external-identities\/b2b-fundamentals\" target=\"_blank\" rel=\"noopener\">Azure AD B2B best practices<\/a>.<\/p>\n<h3>Azure subscriptions<\/h3>\n<p>In order to fully assess the B2B permissions in your subscriptions, ensure you have granted access to users who will be assessing service provider access to all subscriptions in each tenant by following the following guidance: <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/role-based-access-control\/elevate-access-global-admin\" target=\"_blank\" rel=\"noopener\">Elevate access to manage all Azure subscriptions and management groups.<\/a><\/p>\n<p>Azure AD B2B identities granted Azure roles appear in the <strong>Access control <\/strong>blade in the Azure Portal with <em>(Guest) <\/em>next to them (see Figure 4).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-101778 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-4.png\" alt=\"The name Joe Fabrikam is selected as a guest user under the role assignments tab in an Azure subscription.\" width=\"2621\" height=\"860\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-4.png 2621w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-4-300x98.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-4-1024x336.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-4-768x252.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-4-1536x504.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-4-2048x672.png 2048w\" sizes=\"auto, (max-width: 2621px) 100vw, 2621px\" \/><\/p>\n<p><em>Figure 4. Guest user with Owner role on subscription.<\/em><\/p>\n<p>Azure AD B2B identities can be systematically identified with the following command, which will produce a list of identities and resources that can be used to target initial triage.<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">Get-AzSubscription % { Set-AzContext -Subscription $_; Get-AzRoleAssignment -Scope &quot;\/subscriptions\/$($_.Id)&quot; Where-Object {$_.SignInName -like &quot;*#EXT#@*&quot;} Select DisplayName, SignInName, Scope Format-Table}<\/pre>\n<h3>Microsoft 365 (Azure AD)<\/h3>\n<p>Azure AD B2B identities that have been granted roles in Azure AD can be <a href=\"https:\/\/aad.portal.azure.com\/#blade\/Microsoft_Azure_PIMCommon\/ResourceMenuBlade\/members\/resourceId\/\/resourceType\/tenant\/provider\/aadroles\" target=\"_blank\" rel=\"noopener\">viewed in the assignments blade<\/a> of Azure AD Privileged Identity Management blade. Filtering for \u201c#EXT#\u201d will allow you to view all guest users assigned to administrative roles (see Figure 5).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-101787 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-5.png\" alt=\"The name Joe Fabrikam is selected as a guest user listed under all active assignments in the Azure A D Privileged Identity Management blade.\" width=\"2436\" height=\"536\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-5.png 2436w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-5-300x66.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-5-1024x225.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-5-768x169.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-5-1536x338.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Figure-5-2048x451.png 2048w\" sizes=\"auto, (max-width: 2436px) 100vw, 2436px\" \/><\/p>\n<p><em>Figure 5. Filtering for guest users.<\/em><\/p>\n<p>The following PowerShell can also be used to identify guest accounts with administrative roles. This identity information will be used to help target triage.<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">Get-AzureADDirectoryRole Get-AzureADDirectoryRoleMember Where-Object {$_.UserPrincipalName -like &quot;*#EXT#@*&quot;}<\/pre>\n<h2>Investigating trust chains<\/h2>\n<p>In Microsoft 365 and Microsoft Azure, there are multiple points of observability where activity via trust chains can be seen, including the Azure AD Audit log, Azure Activity log, Intune audit log, and the unified audit log. Using the data collected in the \u201cidentification\u201d phase, a targeted review of logs can be performed to identify trust chain abuse. Each log should be reviewed for activity sourced from trust chains, specifically with a focus on activity that facilitates persistence, data collection, and reconnaissance.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-101793 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Picture6.png\" alt=\"12 indicators of tenant compromise: Mailbox notifications, transport rule\/email forwarding, administrator elevation\/sign in, user\/group\/guest modification, risk event activity, characteristics of the targeted users, new\/unusual IP addresses, domain changes\/additions, alert closure, application modifications, e Discovery activity, and file\/access activity.\" width=\"1320\" height=\"1151\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Picture6.png 1320w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Picture6-300x262.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Picture6-1024x893.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Picture6-768x670.png 768w\" sizes=\"auto, (max-width: 1320px) 100vw, 1320px\" \/><\/p>\n<p><em>Figure 6. Indicators of tenant compromise.<\/em><\/p>\n<h3>Azure AD<\/h3>\n<p>Adversaries will often establish persistence using various methods including the creation of new service principals, addition of new secrets on to existing application registrations, service principals, creation of new privileged users, and the takeover of existing privileged accounts. You can identify modifications made to Azure AD via trust chains by reviewing the <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/reports-monitoring\/concept-audit-logs\" target=\"_blank\" rel=\"noopener\">Azure AD Audit log<\/a> and filtering for the users identified as having recent sign-ins during the \u201cidentification\u201d phase. Some specific activities of interest:<\/p>\n<ul>\n<li>Password resets.<\/li>\n<li>Modification of service principals.<\/li>\n<li>Addition of users to privileged roles.<\/li>\n<li>Changes to multifactor authentication (MFA).<\/li>\n<li>Creation of new users.<\/li>\n<\/ul>\n<h3>Unified audit log<\/h3>\n<p>The unified audit log can be used to identify activity performed via trust chains in SharePoint Online, Exchange Online, Azure AD, and other Microsoft 365 products.<\/p>\n<p>Keep in mind that the unified audit log ingests data from across Azure AD and Office 365 and retains this data for at least 90 days, making it an incredibly valuable source of centralized information, typically with longer retention than the source (for example, Azure AD only retains data for up to 30 days). If E5 licenses are applied, this data will be retained for 1 year, with a maximum configurable retention period of 10 years using <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/advanced-audit?view=o365-worldwide\" target=\"_blank\" rel=\"noopener\">Advanced Audit<\/a>.<\/p>\n<p>The <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/audit-log-search-script?view=o365-worldwide\" target=\"_blank\" rel=\"noopener\">Search-UnifiedAuditLog<\/a> cmdlet can be used to search for actions performed by the users identified during the \u201cidentification\u201d phase. Alternatively, the logs can be searched using a GUI in the <a href=\"https:\/\/security.microsoft.com\/auditlogsearch\" target=\"_blank\" rel=\"noopener\">Microsoft 365 Defender<\/a> portal.<\/p>\n<h3>Azure activity<\/h3>\n<p>Access by a malicious actor to Azure resources enables them to exfiltrate data and move laterally to other environments that are connected to the targeted Azure environment. Actors with access to the subscription can deploy new resources, access existing resources via virtual machine extensions, or simply exfiltrate data and keys directly from the Azure subscription. Access and manipulation of Azure resources can be audited by reviewing the Azure Activity logs that are present in each subscription. Refer to our blog post, <a href=\"https:\/\/aka.ms\/mstic-azure-activity-blog\" target=\"_blank\" rel=\"noopener\">Investigating Azure Activity with Microsoft Sentinel<\/a>, for information about using Microsoft Sentinel queries to identify areas of interest.<\/p>\n<h3>Microsoft Endpoint Manager<\/h3>\n<p>It may be possible for a malicious actor to access Microsoft Endpoint Manager via various trust chains and as Microsoft Endpoint Manager manages the configuration of devices, it is another important audit log to review. The Microsoft Endpoint Manager audit log can be accessed under the <strong>Tenant Administration<\/strong> blade of the Microsoft Endpoint Manager portal. In the audit log, the initiator, \u201cPartner,\u201d can be used to filter for actions initiated by Partners. Actions taken by guest users, identified as having privileges during the \u201cidentification\u201d phase, will need to be searched for by User Principal Name. These log events should be reviewed to ensure no malicious activity occurred via the identified trust chains.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-101796 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Picture7.png\" alt=\"Details associated with the Partner type in the audit logs in the Microsoft Endpoint Manager admin center.\" width=\"1463\" height=\"398\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Picture7.png 1463w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Picture7-300x82.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Picture7-1024x279.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/Picture7-768x209.png 768w\" sizes=\"auto, (max-width: 1463px) 100vw, 1463px\" \/><\/p>\n<p><em>Figure 7. Actions initiated by Partners.<\/em><\/p>\n<h2>Mitigating malicious activity<\/h2>\n<p>If during the investigation, malicious activity is discovered and confirmed or unneeded and overly permissive trust chains are discovered, decisive action should be taken to block or minimize access. Depending on the type of trust chain, different steps may need to be taken to block access. It is not recommended to fully delete the artifacts until the conclusion of any ongoing investigation; deleting certain artifacts may delay or make completing an investigation more difficult. Customers should talk with their service provider to understand what protections they have in place, and in the event of potential malicious activity, notify their service provider to obtain their assistance with activity validation.<\/p>\n<h3>Delegated administrative privileges<\/h3>\n<p>DAP should be removed if it is not required for the active, day-to-day administration of the tenant by the service provider. In some cases, permissions are required to facilitate administration by the service provider. In these instances, Microsoft will be<a href=\"https:\/\/docs.microsoft.com\/en-us\/partner-center\/announcements\/2021-october#18\" target=\"_blank\" rel=\"noopener\"> introducing granular delegated admin privileges (GDAP)<\/a>, which will allow partners to control more granular and time-bound access to their customers&#8217; workloads.<\/p>\n<p>We recommend service providers leverage named accounts in the customer tenant to reduce blast radius and risk. In the event there is evidence of compromise stemming from a service provider relationship, it is recommended to remove the delegated admin privileges from the relationship at least until the conclusion of the investigation.<\/p>\n<p>To remove delegated admin privileges, navigate to <strong>Settings <\/strong>then to <strong>Partner relationships <\/strong>in the <a href=\"https:\/\/admin.microsoft.com\/#\/partners\/\" target=\"_blank\" rel=\"noopener\">Microsoft 365 admin center<\/a>. From the Partner relationships pane, click on the relationship and then select <strong>Remove roles<\/strong> in the details pane. Taking this action will prevent the service provider from accessing the tenant as a Global Administrator or Helpdesk Administrator. Removing this access will not change or alter the billing relationship or licenses currently purchased through the service provider.<\/p>\n<h3>Azure AOBO<\/h3>\n<p>Azure AOBO access should be removed if it is not required for the active, day-to-day administration of the Azure subscription. If the service provider requires access to the Azure subscriptions, least privilege should be applied by adding the Foreign Principal with the proper roles and permissions. If there is evidence of compromise stemming from a service provider, the foreign group principal should be removed from every Azure Subscription.<\/p>\n<p>Permissions granted via AOBO can be monitored by leveraging <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/governance\/policy\/overview\" target=\"_blank\" rel=\"noopener\">Azure Policy<\/a>. You can deploy an Azure Policy at the Tenant Root Group that will throw non-compliance if a foreign principal is assigned permissions to resources in Azure. While the Azure Policy cannot block the creation of subscriptions with foreign principals, it simplifies reporting on the existence of them and allows the automation of their removal or prevention of creation if desired.<\/p>\n<p>Azure AOBO permissions can be removed by navigating to the <strong>Access control (IAM) <\/strong>blade on the impacted subscription, selecting the foreign principal for the service provider, and then pressing <strong>Remove.<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-102048\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/foreign-principal.jpg\" alt=\"Foreign principal selected with a Remove button to remove Azure A O B O permissions in the Access control section in an Azure subscription.\" width=\"1264\" height=\"435\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/foreign-principal.jpg 1264w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/foreign-principal-300x103.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/foreign-principal-1024x352.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/foreign-principal-768x264.jpg 768w\" sizes=\"auto, (max-width: 1264px) 100vw, 1264px\" \/><\/p>\n<p><em>Figure 8. Removing Azure AOBO permissions for the foreign principal.&nbsp;<\/em><\/p>\n<p>The foreign principal can be added back with more specific permissions if required, following the best practice of least privilege.<\/p>\n<h2>Recommendations<\/h2>\n<h3>Detect<\/h3>\n<p>The centralized availability of logging is critical for responding to and investigating potential incidents and is the top blocker to DART investigations of this type. If an organization is monitoring their cloud environment for privileged access and administrative changes, then malicious activities involving delegated admin privilege abuse should be discoverable and alerted.<\/p>\n<p>Cloud activity logs should be ingested into a security information and event manager (SIEM) and retained for analysis. This should include:<\/p>\n<ul>\n<li>Office 365 unified audit log.<\/li>\n<li>Azure AD admin audit logs and sign-in logs.<\/li>\n<li>Microsoft Endpoint Manager audit log.<\/li>\n<li>Azure Activity logs and specific data plane logs, such as Azure Key Vault and Storage Azure Policy, can be leveraged to enforce a consistent logging standard.<\/li>\n<\/ul>\n<p>As incident responders, DART are at their most effective when there is data available which is rich in both quantity and quality. One log type of interest is sign-in logs; identity events can tell us a lot about an actor\u2019s activity. Patterns can often be identified in these logs to give us confidence in our analysis of threat actor activity. These patterns can be something as simple as an IP address matching, or as complex as a UserAgent string, time of day, and application ID match.<\/p>\n<p>With that said, the most critical logging is that of administrative activity. Any usage of or actions performed by administrative accounts are of great interest and should be monitored and deconflicted. In enterprise environments, most changes are usually made during approved change windows, and changes outside of this should be assessed for their validity and integrity.<\/p>\n<p>Logs on their own are useful, but alerting is critical to surfacing unusual or malicious activity in a timely manner. The Microsoft 365 Defender portal has some useful alerting built-in to identify suspicious activity. Some examples of these are:<\/p>\n<ul>\n<li>Elevation of Exchange admin privilege.<\/li>\n<li>eDiscovery search started or exported.<\/li>\n<li>Creation of forwarding or redirect rule.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/alerts?view=o365-worldwide\" target=\"_blank\" rel=\"noopener\">Custom alerts<\/a> can also be created to alert for other types of activity. Another excellent tool for alerting is Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). This tool can ingest data from Azure AD, Office 365, Azure, Defender for Endpoint, Defender for Identity, along with many third-party services. A policy engine can be used to create alert policies based on built in templates or custom definitions. Some examples of the templated policies are:<\/p>\n<ul>\n<li>Administrative activity from a non-corporate IP address.<\/li>\n<li>Unusual administrative activity (by user).<\/li>\n<li>Unusual addition of credentials to an OAuth application.<\/li>\n<li>Suspicious OAuth application file download activities.<\/li>\n<li>Multiple virtual machine creation activities.<\/li>\n<\/ul>\n<h3>Protect<\/h3>\n<p>We recommend customers engage in a dialogue with their service providers on a regular basis to understand security controls that are in place for access to their tenant. Access to resources by the service provider should be closely monitored, and if unused for a period, removed following a strong least privilege process.<\/p>\n<p>Review the&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/compass\" target=\"_blank\" rel=\"noopener\">Microsoft Security Best Practices<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/benchmark\/azure\/\" target=\"_blank\" rel=\"noopener\">Azure Security Benchmark<\/a> for guidance on improving security posture in combination with&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender\/microsoft-secure-score?view=o365-worldwide\" target=\"_blank\" rel=\"noopener\">Microsoft Secure Score<\/a> in the Microsoft 365 Security Center and&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/defender-for-cloud\/secure-score-security-controls\" target=\"_blank\" rel=\"noopener\">Secure Score in Microsoft Defender for Cloud<\/a>.<\/p>\n<p>Some specific examples for protecting administrative access includes using just-in-time administrative solutions such as <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/identity-access-management\/privileged-identity-management-pim\" target=\"_blank\" rel=\"noopener\">Privileged Identity Management<\/a>, including regular reviews of administrators to ensure their access is still required. MFA is also critical, and not just the enablement of MFA, but also ensuring that all administrators have registered MFA methods. DART has seen threat actors find an account which is enabled for MFA but has never been registered, and this allows the threat actor to register their own MFA details, elevating their level of trust in the environment.<\/p>\n<h2>Learn more<\/h2>\n<p>To learn more about Microsoft Security solutions,&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/solutions\" target=\"_blank\" rel=\"noopener\">visit our&nbsp;website<\/a>.&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\" target=\"_blank\" rel=\"noopener\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us at&nbsp;<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener\">@MSFTSecurity<\/a>&nbsp;for the latest news and updates on cybersecurity.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog outlines DART\u2019s recommendations for incident responders to investigate potential abuse of these delegated admin permissions, independent of the threat actor.<\/p>\n","protected":false},"author":106,"featured_media":101817,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"content-type":[3659],"topic":[3667,3674,3685],"products":[3702,3703,3726],"threat-intelligence":[],"tags":[3742,3898,3828],"coauthors":[2064,2886],"class_list":["post-101727","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-best-practices","topic-cloud-security","topic-incident-response","topic-siem-and-xdr","products-microsoft-entra","products-microsoft-entra-id","products-microsoft-sentinel","tag-azure","tag-elevation-of-privilege","tag-midnight-blizzard-nobelium"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to investigate service provider trust chains in the cloud | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to investigate service provider trust chains in the cloud | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"This blog outlines DART\u2019s recommendations for incident responders to investigate potential abuse of these delegated admin permissions, independent of the threat actor.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-22T18:00:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-07T22:23:41+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/SUR22_Laptop4_COMMR_HigherED_Contextual_353_RGB.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Incident Response, Azure Red Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/SUR22_Laptop4_COMMR_HigherED_Contextual_353_RGB.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Incident Response, Azure Red Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Incident Response\"},{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/azure-red-team\/\",\"@type\":\"Person\",\"@name\":\"Azure Red Team\"}],\"headline\":\"How to investigate service provider trust chains in the cloud\",\"datePublished\":\"2021-11-22T18:00:11+00:00\",\"dateModified\":\"2023-08-07T22:23:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/\"},\"wordCount\":2792,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/SUR22_Laptop4_COMMR_HigherED_Contextual_353_RGB.jpg\",\"keywords\":[\"Azure\",\"Elevation of privilege\",\"Midnight Blizzard (NOBELIUM)\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/\",\"name\":\"How to investigate service provider trust chains in the cloud | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/SUR22_Laptop4_COMMR_HigherED_Contextual_353_RGB.jpg\",\"datePublished\":\"2021-11-22T18:00:11+00:00\",\"dateModified\":\"2023-08-07T22:23:41+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/SUR22_Laptop4_COMMR_HigherED_Contextual_353_RGB.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/SUR22_Laptop4_COMMR_HigherED_Contextual_353_RGB.jpg\",\"width\":1200,\"height\":900,\"caption\":\"Adult male typing on laptop in lap.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to investigate service provider trust chains in the cloud\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to investigate service provider trust chains in the cloud | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/","og_locale":"en_US","og_type":"article","og_title":"How to investigate service provider trust chains in the cloud | Microsoft Security Blog","og_description":"This blog outlines DART\u2019s recommendations for incident responders to investigate potential abuse of these delegated admin permissions, independent of the threat actor.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/","og_site_name":"Microsoft Security Blog","article_published_time":"2021-11-22T18:00:11+00:00","article_modified_time":"2023-08-07T22:23:41+00:00","og_image":[{"width":1200,"height":900,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/SUR22_Laptop4_COMMR_HigherED_Contextual_353_RGB.jpg","type":"image\/jpeg"}],"author":"Microsoft Incident Response, Azure Red Team","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/SUR22_Laptop4_COMMR_HigherED_Contextual_353_RGB.jpg","twitter_misc":{"Written by":"Microsoft Incident Response, Azure Red Team","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/","@type":"Person","@name":"Microsoft Incident Response"},{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/azure-red-team\/","@type":"Person","@name":"Azure Red Team"}],"headline":"How to investigate service provider trust chains in the cloud","datePublished":"2021-11-22T18:00:11+00:00","dateModified":"2023-08-07T22:23:41+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/"},"wordCount":2792,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/SUR22_Laptop4_COMMR_HigherED_Contextual_353_RGB.jpg","keywords":["Azure","Elevation of privilege","Midnight Blizzard (NOBELIUM)"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/","name":"How to investigate service provider trust chains in the cloud | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/SUR22_Laptop4_COMMR_HigherED_Contextual_353_RGB.jpg","datePublished":"2021-11-22T18:00:11+00:00","dateModified":"2023-08-07T22:23:41+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/SUR22_Laptop4_COMMR_HigherED_Contextual_353_RGB.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/11\/SUR22_Laptop4_COMMR_HigherED_Contextual_353_RGB.jpg","width":1200,"height":900,"caption":"Adult male typing on laptop in lap."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/11\/22\/how-to-investigate-service-provider-trust-chains-in-the-cloud\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"How to investigate service provider trust chains in the cloud"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/101727","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/106"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=101727"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/101727\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/101817"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=101727"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=101727"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=101727"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=101727"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=101727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=101727"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=101727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}