Microsoft tightening Azure security with “granular” permissions

Company hopes to minimize the potential damage of a leaked PAT credential in its cloud platform

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

All of Azure DevOps REST APIs are now getting granular Personal Access Tokens (PAT). The goal of the change, which was met with glee in the cybersecurity community, is to minimize the potential damage of a leaked PAT credential.

Announcing the news via an AzureDevOpsblogpost, product manager Barry Wolfson said that prior to the change, there was a “significant security risk to organizations, given the potential to access source code, production infrastructure, and other valuable assets.”

“Previously, a number of Azure DevOps REST APIs were not associated with a PAT scope, which at times led customers to consume these APIs using full-scoped PATs.” The wide range of permissions associated with these were the cause for concern.

Praetorian’s trigger

While Wolfson did not mention specifics, others have speculated that the change seems to have came after Praetorian researchers used REST API PATs to get into corporate networks of other companies.

One of those was theMicrosoft-owned website GitHub, which was compromised thanks to a leaked PAT. The company is currently trialing the use of fine-grained PATs in its public Beta to remedy the issue.

Now, Wolfson is suggesting DevOps teams should make the change sooner, rather than later. “If you are currently using a full-scoped PAT to authenticate to one of the Azure DevOps REST APIs, consider migrating to a PAT with the specific scope accepted by the API to avoid unnecessary access”, he said.

Microsoft may be the latest victim of Lapsus$>The Microsoft source code breach may be much bigger than we thought>Check out the best identity management software right now

The supported granular PAT scope(s) for a given REST API can be found in the Security - Scopes section of the REST API documentation pages, he added.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Additionally, the changes should enable customers to restrict how full-scoped PATs are created, via a control plane policy.

“We look forward to continuing to ship improvements which will help customers secure their DevOps environments,” Wolfson concluded.

Via:The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

LG Electronics sets ambitious B2B revenue goal to offset declining consumer demand

New fanless cooling technology enhances energy efficiency for AI workloads by achieving a 90% reduction in cooling power consumption

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics