Strong identity management practices are critical if you want to be able to adequately secure your Microsoft Azure subscriptions. For most organizations, the foundation begins with your on-premises Active Directory (AD) forest. Microsoft offers several add-on features in Entra ID (formerly Azure Active Directory) Premium (AADP) that you can use to further secure access to Microsoft Azure and even other cloud providers such as Amazon Web Services (AWS).
On-Premises Identity Management
In nearly every organization, user identities in Entra ID (AAD) begin on-premises in a traditional AD forest. If an account is active on-premises, chances are it’s also active in AAD. Likewise, if an on-premises account has been compromised, there’s a good possibility that the compromise extends to AAD. With these principles in mind, it’s clear why the accounts you use for administering Microsoft Azure (and any other system) must be well-managed.
Identities used to manage Microsoft Azure should be treated the same as any other privileged identity. You should use a separate account from your day-to-day login. This account should be secured with strong password policies and two-factor authentication, and it must match the life cycle of the parent user account. If someone with an administrative account leaves the organization, that administrative account should be immediately deactivated.
Conditional Access in Entra ID
With a strong on-premises foundation, you can extend additional security to privileged identities in Microsoft Azure with AADP. AADP offers a multitude of features and capabilities, but you should begin with conditional access. Conditional access allows you to define policies for when, how, and where users can authenticate to different applications.
At a minimum, you should use conditional access to require multi-factor authentication (MFA) any time a user accesses the Azure management portal. You can take this a step further and define additional criteria such as requiring the user to not only perform MFA but also connect from a known, managed device when the user is outside the enterprise network. Policies like this are easy to implement and add a great deal of security for a low cost.
You can even implement these policies for AWS. If you federate your AWS subscription with AAD, the same conditional access policies that you apply to Microsoft systems such as the Azure management portal or Office 365 can be applied to third-party services such as AWS.
Privileged Identity Management
With AADP Plan 2 (P2), you can add additional security by taking advantage of Privileged Identity Management (PIM). PIM removes permanent administrative access to AAD, Office 365, and Azure resources. Once PIM is enabled, administrators must activate their access to administer a subscription or resource. This is often known as just-in-time (JIT) identity management.
When a user activates administrative access, his or her access will only be valid for a period you specify. Once that time expires, the user will need to re-activate his or her access. You can optionally require users to provide a business justification for activating their access, a ticket number, and/or complete MFA.
These controls provide added security by limiting access to a defined time, and only when that access is necessary. By collecting information about why a user is activating privileged access, you can keep an audit trail that can be used later if something goes wrong. The audit trail is also very helpful when reviewing access to determine if it is still necessary. If a user has not activated privileged access in a long time, he or she may not require that access anymore.
If you’re concerned about the cost of upgrading to AADP P2 just to use PIM, there’s good news. You only need to purchase enough P2 licenses to cover all of your administrators who will be using PIM. In addition to Microsoft Azure resources, you can also use PIM to protect AAD/Office 365 roles such as Global Admin, Exchange Administrator, etc.
Another feature of AADP P2 is known as access reviews. Access reviews let you conduct periodic re-attestation campaigns for privileged roles, as well as any group in AAD. Access reviews are designed to be performed by end users through a friendly user interface in the AAD access panel.
You can configure access reviews to automatically occur on a regular basis for a given role. For example, you might want to review the Owner role in Microsoft Azure monthly, but the Reader role may only need to be evaluated annually. Based on the schedule you define, AAD will automatically email reminders to the reviewers you define. Once reviewers act, AAD can be configured to automatically revoke access for any users who the reviewers determine no longer require access.
In addition to controlling incremental privileged access expansion, access reviews can also help you meet regulatory and compliance requirements by providing an easy-to-use and inexpensive access certification/attestation system.
Like PIM, access reviews require AADP P2; however, you only need to license the users who will be performing access reviews or whose access will be reviewed.
Are You Following Azure Identity Management Best Practices?
Now that we’ve reviewed a few easy ways to secure identity management in Microsoft Azure, how do you measure up? Are your on-premises identities well-managed? Are you using conditional access to require MFA? What about JIT access to privileged roles in Microsoft Azure?
We help organizations plan and deploy these technologies every day. Get in touch now and let us know how we can help you.