Azure Landing Zone Review Checklist: Identity, authentication and access management
Azure identity and access management protects your applications and data at the front gate. It defends against malicious sign-in attempts and safeguards credentials with risk-based access controls, identity protection tools and strong authentication options, without disrupting productivity. Building an Azure landing zone with the right identity controls and services in place gives you the confidence to land any workload in the Azure environment.
Here is a quick checklist to make sure the identity foundations are in place:
| Recommendation | Severity | Comment | Link to more information |
|---|---|---|---|
| Implement emergency-access (break-glass) accounts to prevent tenant-wide lockout | High | Have you created at least two cloud-only emergency-access accounts that still work if hybrid (synchronized or federated) identity is unavailable? | https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access |
| Enforce an RBAC model for management groups, subscriptions, resource groups and resources | High | Do you have an RBAC model that covers management groups, subscriptions, resource groups and resources? | What is Azure role-based access control (Azure RBAC)? (Microsoft Docs) |
| Enforce Azure AD Conditional Access policies for any user with rights to Azure environments | Low | Are you using Conditional Access for access to the Azure portal? | https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview |
| Enforce multi-factor authentication for any user with rights to Azure environments | High | Are you using MFA for access to the Azure portal? | https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks |
| Enforce centralized and delegated responsibilities to manage resources deployed inside the landing zone, based on role and security requirements | Medium | Do you have an IAM process in place for granting access to resources based on the user's role and required access level? | What is Azure role-based access control (Azure RBAC)? (Microsoft Docs) |
| Enforce Azure AD Privileged Identity Management (PIM) to establish zero standing access and least privilege | Medium | Are you using PIM to grant minimal access to resources, and only when needed? | What is Privileged Identity Management? (Azure AD, Microsoft Docs) |
| Use only the Work or school account authentication type for all account types; avoid using Microsoft accounts | High | Do you have any "Microsoft" (non-organizational) accounts assigned rights in the Azure portal? | https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-overview#:~:text=The%20following%20types%20of%20accounts,access%20applications%20or%20manage%20tenants. |
| Use only groups to assign permissions. Add on-premises groups to the Azure-AD-only group if a group management system is already in place | Medium | Are you assigning permissions to groups and NOT to individual users? | Create a basic group and add members (Azure Active Directory, Microsoft Docs) |
| If the following roles are needed, use Azure custom roles: Azure platform owner, network management, security operations, subscription owner, application owner | Medium | Are you using roles that fit your needs based on least privilege? | https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles |
| If any data sovereignty requirements exist, custom policies can be deployed to enforce them | Medium | Do you have any data policies from your organization that can be enforced with Azure Policy? | https://azure.microsoft.com/en-us/resources/achieving-compliant-data-residency-and-security-with-azure/ |
| If Azure AD DS is in use, deploy it within the primary region, because this service can be projected into only one subscription | Medium | If using Azure AD DS, have you deployed it into your PRIMARY region? | https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview |
| If Azure AD DS is in use, evaluate the compatibility of all workloads | Medium | Have you checked the limitations of Azure AD DS and confirmed that it fits your use case? | https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview |
| If AD DS on Windows Server is in use, can all required resources reach the correct domain controller? | Medium | If using AD DS on Windows Server, have you configured Sites and Services correctly for the Azure network topology? | Deploy AD DS in an Azure virtual network (Azure Architecture Center, Microsoft Docs) |
| Has Azure AD Application Proxy been considered for remote access to on-premises applications? | Medium | Have you considered using Azure AD Application Proxy for access to on-premises applications? | Remote access to on-premises apps (Azure AD Application Proxy, Microsoft Docs) |
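Three of the checks above (permissions assigned to groups rather than individuals, no Microsoft accounts with rights, and custom roles that actually follow least privilege) can be audited offline from CLI output. The following Python is an added example and is not code from the original checklist or from Microsoft. It runs on constructed records in the shape of `az role assignment list --all -o json` and `az role definition list --custom-role-only true -o json`; the field names (`principalName`, `principalType`, `roleDefinitionName`, `scope`, `Actions`, `AssignableScopes`), the `<local>_<domain>#EXT#@<tenant>` guest UPN pattern and the list of consumer domains are assumptions about that output, not values taken from the page.

```python
"""Offline audit of Azure RBAC data against the identity checklist.

The records below are CONSTRUCTED samples in the shape of the Azure CLI JSON
output named in the lead-in; nothing here is real tenant data.
"""
import re

# Constructed sample, shaped like `az role assignment list --all -o json`.
ASSIGNMENTS = [
    {"principalName": "Platform-Owners", "principalType": "Group",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/contoso"},
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "bob_outlook.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "deploy-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
]

# Assumption: a guest invited from a personal Microsoft account gets a UPN of
# the form <local>_<domain>#EXT#@<tenant>; these are the common consumer domains.
CONSUMER_DOMAINS = ("outlook.com", "hotmail.com", "live.com", "msn.com")
EXT_RE = re.compile(r"^(?P<local>.+)_(?P<domain>[^#]+)#EXT#@", re.IGNORECASE)


def is_personal_microsoft_account(upn):
    """True if the UPN looks like an external guest from a consumer domain."""
    m = EXT_RE.match(upn)
    return bool(m) and m.group("domain").lower() in CONSUMER_DOMAINS


def audit_assignments(assignments, break_glass=()):
    """Return (check, principal, role, scope) findings for offending assignments.

    `break_glass` lists the emergency-access account UPNs, which are the one
    intended exception to the groups-only rule and are therefore skipped.
    """
    findings = []
    for a in assignments:
        who, kind = a["principalName"], a["principalType"]
        role, scope = a["roleDefinitionName"], a["scope"]
        if kind != "User" or who in break_glass:
            continue  # groups and workload identities are fine for these checks
        if is_personal_microsoft_account(who):
            findings.append(("microsoft-account", who, role, scope))
        # Any direct user assignment violates "assign permissions only to groups".
        findings.append(("direct-user-assignment", who, role, scope))
    return findings


# Constructed custom role in the `az role definition` JSON shape, deliberately
# carrying two mistakes for the linter to catch.
NETWORK_ROLE = {
    "Name": "Network Management (Custom)",
    "IsCustom": True,
    "Actions": ["Microsoft.Network/*",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.Authorization/*/write"],
    "NotActions": [],
    "AssignableScopes": ["/"],
}

# Actions that let the holder rewrite RBAC (i.e. grant themselves Owner) or
# that cover every operation; a least-privilege custom role has none of them.
ESCALATION_ACTIONS = {
    "*",
    "Microsoft.Authorization/*",
    "Microsoft.Authorization/*/write",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
}


def lint_custom_role(role):
    """Return a list of least-privilege problems found in a custom role."""
    problems = []
    for action in role["Actions"]:
        if action in ESCALATION_ACTIONS:
            problems.append(f"action {action!r} allows changing RBAC or grants everything")
    if "/" in role["AssignableScopes"]:
        # Root scope is reserved for built-in roles; scope custom roles to a
        # management group or subscription so they cannot leak tenant-wide.
        problems.append("AssignableScopes contains root '/'; use a management group or subscription")
    return problems


if __name__ == "__main__":
    for finding in audit_assignments(ASSIGNMENTS):
        print("ASSIGNMENT", *finding)
    for problem in lint_custom_role(NETWORK_ROLE):
        print("ROLE", NETWORK_ROLE["Name"], problem)
```

On a real tenant, load the two CLI outputs with `json.load` and pass them to `audit_assignments` and `lint_custom_role`. Pass the emergency-access account UPNs in `break_glass`, since those accounts are meant to hold a direct assignment and would otherwise show up as findings on every run.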