Azure Landing Zone Review Checklist- Identity, authentication and access management


Protecting your applications and data at the front gate with Azure identity and access management solutions. Defend against malicious login attempts and safeguard credentials with risk-based access controls, identity protection tools, and strong authentication options—without disrupting productivity. Building Azure landing Zone with all the right controls and services will provide you the comfort of landing any workload. in the Azure environment without any worries.

Here is a quick checklist to make sure :

Recommendation SeverityCommentLink to more information
Implement for emergency access or break-glass accounts to prevent tenant-wide account lockoutHighHave you created multiple (2 X) cloud-only accounts for access if hybrid identities are NOT available?
Enforce an RBAC model for management groups, subscriptions, resource groups and resourcesHighDo you have an RBAC model that caters to Management Groups, Subscriptions, Resource Groups, and resources?What is Azure role-based access control (Azure RBAC)? | Microsoft Docs
Enforce Azure AD conditional-access policies for any user with rights to Azure environmentsLowAre you using Conditional Access for access to the Azure Portal?
Enforce multi-factor authentication for any user with rights to the Azure environmentsHighAre you using MFA for access to the Azure Portal?
Enforce centralized and delegated responsibilities to manage resources deployed inside the landing zone based on role and security requirementsMediumHave you got an IAM process in place for granting access to resources based upon the user role and access level?What is Azure role-based access control (Azure RBAC)? | Microsoft Docs
Enforce Azure AD Privileged Identity Management (PIM) to establish zero standing access and least privilege MediumAre you using PIM to grant minimal access to resources and only when needed?What is Privileged Identity Management? – Azure AD | Microsoft Docs
Only use the authentication type Work or school account for all account types. Avoid using the Microsoft accountHighDo you have any “Microsoft” (non-Organizational) accounts assigned rights to the Azure Portal?,access%20applications%20or%20manage%20tenants.
Only use groups to assign permissions. Add on-premises groups to the Azure-AD-only group if a group management system is already in place.MediumAre you assigning permissions to groups and NOT to individuals?Create a basic group and add members – Azure Active Directory | Microsoft Docs
If the following roles are considered, use Azure custom roles:
Azure platform owner, network management, security operations, subscription owner, application owner
MediumAre you using roles that are correct for you based upon least privilege?
If any data sovereignty requirements exist, custom user policies can be deployed to enforce themMediumDo you have any data policies from your orgainzation that can be enforced with Azure Policies?
If Azure DS is in use, deploy ADS within the primary region because this service can only be projected into one subscriptionMediumIf using Azure DS, have you deployed Azure DS into your PRIMARY region?
If Azure DS is in use, evaluate the compatibility of all workloadsMediumHave you checked the limitations of Azure DS and confirmed that your use case is correct?
If AD on the Windows server is in use, can all required resources access the correct domain controller?MediumIf using AD on Windows Server have you configured the sites and services correctly for this technology?Deploy AD DS in an Azure virtual network – Azure Architecture Center | Microsoft Docs
Has Azure AD Application Proxy been considered for remote access to on-premises applications? MediumHave you considered using Azure AD Proxy for access to on-prem technologies?Remote access to on-premises apps – Azure AD Application Proxy | Microsoft Docs

Leave a Reply

Your email address will not be published. Required fields are marked *