As per the Microsoft Shared Responsibility, for all cloud deployment types, customer owns their data and identities. The customer is responsible for protecting the security of the data and identities, on-premises resources, and the cloud components they control (which varies by service type).
Microsoft identity and access management solutions help companies protect access to applications and resources across on-premises and into the cloud. Such protection enables role based authentication, additional levels of validation, such as Multi-Factor Authentication, Conditional Access, Azure Policy based governance, resource consistency, regulatory compliance, security, cost, and management. Monitoring suspicious activity through advanced security reporting, auditing, and alerting helps mitigate potential security issues.
The goal of this document is to provide an overview of some core Azure Security actions according to Microsoft security guidelines that can help with Identity management and security that derive from customer experiences. This is by no means an exhaustive list but it gives an indication on how to get started with identity security and management in the cloud.
In cloud-based architecture, identity provides the basis of a large percentage of security assurances. Many consider identity to be the primary perimeter for security. Below collection of Azure identity management and access control security checklist will help to proactively deploy some critical actions and to protect the customers’ organization following Microsoft guidelines.
Microsoft is automatically enrolling eligible tenants into Conditional Access policies based on customer risk signals, current usage, and licensing. Microsoft-managed conditional access policies will start with three policies that enforce multifactor authentication (MFA) in high-risk scenarios.
More details on the Automatic Conditional Access policies in Microsoft Entra streamline identity protection announcement.
Enable and require Azure AD Multi-Factor Authentication (MFA) at least for all administrators in your organization using Azure AD Security Defaults, or Conditional Access. It is recommended that you require two-step verification for all of your users
How to configure and enforce
Configure common Azure AD Conditional Access policies based on a group, location, and application sensitivity for SaaS apps and Azure AD–connected apps.
Configure Conditional Access to block legacy protocols.
To prevent being accidentally locked out of Azure AD emergency access "break glass" access accounts in your organization can be created in the organization.
Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Restrict access based on the need to know and least privilege security principles.
It is recommended that you develop and follow a roadmap to secure privileged access against cyber attackers. For information about creating a detailed roadmap to secure identities and access that are managed or reported in Azure AD, Microsoft Azure, Microsoft 365, and other cloud services, review Securing privileged access for hybrid and cloud deployments in Azure AD.
Plan routine security reviews and improvements based on best practices in your industry. Use the Azure Identity Secure Score feature to rank your improvements over time.
You can use Azure Resource Manager to create security policies whose definitions describe the actions or resources that are specifically denied. You assign those policy definitions at the desired scope, such as the subscription, the resource group, or an individual resource.
Use Azure AD Premium anomaly reports. Use Azure AD Identity Protection, which flags the current risks on its own dashboard and sends daily summary notifications via email.
A new intuitive report, that provides our Resellers detailed information on privileged accounts Multi-Factor Authentication (MFA) status for all customer Microsoft tenants that are using Azure Plan in Logicom Cloud Marketplace, in order to take action to have maximum MFA protection. More Info
