In Azure a tenant is the highest level of segregation in your environment: it is a dedicated, managed Azure Active Directory instance that is used to govern access to your cloud resources and subscriptions.

Loosely speaking there are two main types of users to care about within an Azure tenant:

- Member Users - These originate within the “home” tenant itself and may look like the following, or users may be from any Azure registered custom domain such as
- Guest Users - These originate from other Azure Active Directory tenants; these could be companies you need to collaborate with, or even users from other directories that your organisation manages.

From my experience organisations will tend to have a tenant that is aligned to their local on premise directory with access federation in place; however, many organisations also have various other Azure Tenants at their disposal.

A logical place to start with your security journey is the Azure Tenant and effectively governing identities, as these can be seen as the “front door” to your cloud environment.

As this setup is responsible for authenticating the stakeholders who administer cloud resources at the management plane, poor governance and control can be a real sweet spot for attackers! So don’t leave your front door open!

Speaking from experience, here are some items to consider when thinking about Azure Tenant & Identity Governance:

1. Consult your Identity Secure Score - a great place to start on an existing tenant; quickly view your current state of play to drive further improvements.
2. Consider Enabling Security Defaults - for any new free tier tenant, or if you want to quickly establish a baseline on an existing tenant that has no access policies in place.
3. Implement Custom Conditional Access Policies - there are many different uses of conditional access policies that will suit different needs; it’s essential that you carve out an access baseline for your tenant.
4. Review Collaboration Settings - if you are going to be collaborating with users from other tenants via Azure B2B, it’s worth checking out the collaboration settings.
5. Use the power of Identity Governance - a more advanced yet powerful offering to deliver tightly controlled and time bound access packages for privileged Azure identities.

Enabling Security Defaults is a great baseline for tenants (Source: Azure Portal).

Security Defaults will enable the following features on your tenant (which are also good inspiration for custom conditional access policies!):

- All Users Must Register for MFA - This ensures all users register for MFA when accessing the tenant for the first time, making it less disruptive to roll out future MFA policies.
- All Tenant Administrators MUST use MFA - All privileged users with admin directory roles must use MFA for all Azure sessions.
- Blocking of Legacy Authentication Methods - These methods are more susceptible to compromise via man-in-the-middle / brute force attacks, and so are blocked by policy.
- MFA Required for “High Risk” Logins - If a login is identified as anomalous then MFA will be required.

Note: Security Defaults cannot be used in parallel with custom conditional access policies. This can be a good quick win for free tier tenants; however, more complex licensed tenants will likely need custom conditional access policies to meet the needs of various users - see point 3.
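To make the Security Defaults rules above concrete, here is an added example (not the post's own code, and not the real Graph API schema) that expresses three of them as simplified conditional-access policies and runs a small offline evaluator over constructed sign-in events; the Global Administrator role template id, the policy dict shape and the sign-in attribute names are assumptions for illustration.

```python
# Policy dicts loosely follow the Graph conditionalAccess shape (an assumption, not the real schema).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"  # built-in Global Administrator template id

POLICIES = [
    {"displayName": "Block legacy authentication", "grantControls": {"builtInControls": ["block"]},
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]}},
    {"displayName": "Require MFA for tenant administrators", "grantControls": {"builtInControls": ["mfa"]},
     "conditions": {"includeRoles": [GLOBAL_ADMIN_ROLE_ID]}},
    {"displayName": "Require MFA for high-risk sign-ins", "grantControls": {"builtInControls": ["mfa"]},
     "conditions": {"signInRiskLevels": ["high"]}},
]
# Sign-in attribute each condition key is matched against.
CONDITION_KEYS = {"clientAppTypes": "clientApp", "includeRoles": "roles",
                  "signInRiskLevels": "riskLevel"}

def applies(policy, signin):
    """A policy applies only when every condition it sets matches the sign-in."""
    for cond, allowed in policy["conditions"].items():
        value = signin[CONDITION_KEYS[cond]]
        values = value if isinstance(value, list) else [value]
        if not any(v in allowed for v in values):
            return False
    return True

def evaluate(signin):
    """Return (verdict, matched policy names); block beats MFA, unregistered users enrol first."""
    matched = [p for p in POLICIES if applies(p, signin)]
    controls = {c for p in matched for c in p["grantControls"]["builtInControls"]}
    if "block" in controls:
        verdict = "block"
    elif not signin["mfaRegistered"]:       # "all users must register for MFA" default
        verdict = "register_mfa"
    elif "mfa" in controls:
        verdict = "mfa"
    else:
        verdict = "allow"
    return verdict, [p["displayName"] for p in matched]

# Constructed sample sign-ins (fictional, not real tenant data).
SAMPLES = {
    "admin_browser": {"clientApp": "browser", "roles": [GLOBAL_ADMIN_ROLE_ID],
                      "riskLevel": "none", "mfaRegistered": True},
    "imap_basic_auth": {"clientApp": "other", "roles": [], "riskLevel": "none", "mfaRegistered": True},
    "risky_unregistered": {"clientApp": "mobileAppsAndDesktopClients", "roles": [],
                           "riskLevel": "high", "mfaRegistered": False},
    "normal_user": {"clientApp": "browser", "roles": [], "riskLevel": "low", "mfaRegistered": True},
}
```

Running `evaluate` over each entry in `SAMPLES` shows the legacy-auth sign-in blocked outright, the admin and the high-risk sign-in stepped up to MFA (or to registration first), and the ordinary low-risk user allowed.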