Under the Microsoft Shared Responsibility model, for all cloud deployment types the customer owns their data and identities. The customer is responsible for protecting the security of that data and those identities, of on-premises resources, and of the cloud components they control (which varies by service type).
Microsoft identity and access management solutions help companies protect access to applications and resources across on-premises environments and the cloud. Such protection enables role-based authentication and additional levels of validation such as Multi-Factor Authentication and Conditional Access, together with Azure Policy-based governance, resource consistency, regulatory compliance, security, cost control, and management. Monitoring suspicious activity through advanced security reporting, auditing, and alerting helps mitigate potential security issues.
The goal of this document is to provide an overview of some core Azure security actions, drawn from Microsoft security guidelines and from customer experience, that can help with identity management and security. This is by no means an exhaustive list, but it gives an indication of how to get started with identity security and management in the cloud.
In cloud-based architecture, identity provides the basis of a large percentage of security assurances; many consider identity to be the primary security perimeter. The collection of Azure identity management and access control checklist items below will help you proactively deploy some critical actions and protect your organization in line with Microsoft guidelines.
Microsoft is automatically enrolling eligible tenants into Conditional Access policies based on customer risk signals, current usage, and licensing. Microsoft-managed Conditional Access policies start with three policies that enforce multifactor authentication (MFA) in high-risk scenarios.
More details are in the announcement "Automatic Conditional Access policies in Microsoft Entra streamline identity protection".
Configure common Azure AD Conditional Access policies based on a group, location, and application sensitivity for SaaS apps and Azure AD–connected apps.
Configure Conditional Access to block legacy protocols.
To prevent being accidentally locked out of Azure AD, create emergency access ("break glass") accounts in your organization and exclude them from policies that could block them.
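The three items above (Conditional Access policies, blocking legacy protocols, and break-glass accounts), as an added example that is not code from the original page: a PowerShell script using the Microsoft Graph PowerShell SDK that creates a Conditional Access policy blocking legacy authentication in report-only mode while excluding a break-glass account, then checks that no blocking policy omits that exclusion. The account object ID is a placeholder; the cmdlets are the Graph SDK's own.

```powershell
# Added example (not from the original page). Requires the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns) and an account allowed to write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: replace with the object ID of your emergency access ("break glass") account.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Block legacy authentication (report-only)"
    # Start in report-only mode; review sign-in logs for impact before switching state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Legacy protocols (IMAP, POP, SMTP AUTH, older Office clients) appear under these client app types.
        clientAppTypes = @("exchangeActiveSync", "other")
        users          = @{
            includeUsers = @("All")
            # Exclude the break-glass account so this policy can never lock administrators out.
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Check: warn about any blocking policy that does not exclude the break-glass account.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.GrantControls.BuiltInControls -contains "block" -and
        $_.Conditions.Users.ExcludeUsers -notcontains $breakGlassAccountId
    } |
    ForEach-Object { Write-Warning "Policy '$($_.DisplayName)' does not exclude the break-glass account" }
```

Run the check regularly, not only at creation time, since later policy edits can silently drop the exclusion.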
It is recommended that you develop and follow a roadmap to secure privileged access against cyber attackers. For information about creating a detailed roadmap to secure identities and access that are managed or reported in Azure AD, Microsoft Azure, Microsoft 365, and other cloud services, review Securing privileged access for hybrid and cloud deployments in Azure AD.
Plan routine security reviews and improvements based on best practices in your industry. Use the Azure Identity Secure Score feature to rank your improvements over time.
You can use Azure Resource Manager to create security policies whose definitions describe the actions or resources that are specifically denied. You assign those policy definitions at the desired scope, such as the subscription, the resource group, or an individual resource.
A new report provides our Resellers with detailed information on the Multi-Factor Authentication (MFA) status of privileged accounts across all customer Microsoft tenants using Azure Plan in Logicom Cloud Marketplace, so that they can take action toward maximum MFA protection.
Related resources:
- Introduction to Azure security
- How to configure and enforce multi-factor authentication in your tenant
- Shared responsibility in the cloud
- Azure identity management security overview
- Azure Identity Management and access control security best practices
- Five steps to securing your identity infrastructure
- Recovering from systemic identity compromise
- Managing nonpayment, fraud, or misuse
- Raising the Baseline Security for all Organizations in the World
- 6 Best Security Practices
- Microsoft-managed conditional access policies