CRITICAL INFORMATION
Secure your identity in the cloud

Overview

As per the Microsoft Shared Responsibility Model, for all cloud deployment types, the customer owns their data and identities. The customer is responsible for protecting the security of the data and identities, on-premises resources, and the cloud components they control (which vary by service type).

Microsoft identity and access management solutions help companies protect access to applications and resources across on-premises and into the cloud. Such protection enables role-based authentication, additional levels of validation such as Multi-Factor Authentication and Conditional Access, Azure Policy based governance, resource consistency, regulatory compliance, security, cost control, and management. Monitoring suspicious activity through advanced security reporting, auditing, and alerting helps mitigate potential security issues.

The goal of this document is to provide an overview of some core Azure security actions, derived from Microsoft security guidelines and customer experience, that help with identity management and security. This is by no means an exhaustive list, but it gives an indication of how to get started with identity security and management in the cloud.

Treat identity as the primary security perimeter

In cloud-based architecture, identity provides the basis of a large percentage of security assurances. Many consider identity to be the primary perimeter for security. The following Azure identity management and access control security checklist will help you proactively deploy some critical actions and protect your organization following Microsoft guidelines.

Microsoft guidelines:
Enforce multi-factor verification for users:

Enable and require Azure AD Multi-Factor Authentication (MFA) at least for all administrators in your organization using Azure AD Security Defaults or Conditional Access. It is recommended that you require two-step verification for all of your users.

Turn on Conditional Access:

Configure common Azure AD Conditional Access policies based on a group, location, and application sensitivity for SaaS apps and Azure AD–connected apps.

Configure Conditional Access to block legacy protocols.

To prevent being accidentally locked out of Azure AD, create emergency access ("break glass") accounts in your organization.

Use role-based access control (RBAC):

Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Restrict access based on the need to know and least privilege security principles.

Lower exposure of privileged accounts:

It is recommended that you develop and follow a roadmap to secure privileged access against cyber attackers. For information about creating a detailed roadmap to secure identities and access that are managed or reported in Azure AD, Microsoft Azure, Microsoft 365, and other cloud services, review Securing privileged access for hybrid and cloud deployments in Azure AD.

Plan for routine security improvements:

Plan routine security reviews and improvements based on best practices in your industry. Use the Azure Identity Secure Score feature to rank your improvements over time.

Control locations where resources are created:

You can use Azure Resource Manager to create security policies whose definitions describe the actions or resources that are specifically denied. You assign those policy definitions at the desired scope, such as the subscription, the resource group, or an individual resource.
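The following custom Azure Policy definition is an added illustration of such a denial rule; it is not taken from the original document. It denies creation of any resource whose location is outside a parameterized list of allowed regions, while exempting resources that use the special "global" location. The displayName and parameter name are assumptions chosen for this example.

```json
{
  "properties": {
    "displayName": "Deny resources outside allowed locations (example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Denies deployment of resources to any region not listed in listOfAllowedLocations.",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions in which resources may be created; supplied at assignment time.",
          "strongType": "location"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The definition is registered with `az policy definition create` (passing the rule and parameter sections via `--rules` and `--params`) and then assigned with `az policy assignment create` at the subscription, resource group, or resource scope, where the concrete list of allowed regions is supplied as the parameter value.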

Actively monitor for suspicious activities:

Use Azure AD Premium anomaly reports. Use Azure AD Identity Protection, which flags the current risks on its own dashboard and sends daily summary notifications via email.