by Eyal Estrin, Cloud Architect, Inter-University Computation Center (IUCC)

The fundamental Cloud Security concepts were covered in documents 1-9 and can be found here.

This document addresses another important aspect of cloud security: identity management. While the concepts are common to all providers, the implementation differs for each one. This document concentrates on Microsoft Azure and gives an overview of Microsoft's approach to identity management and some of the key security services and resources it provides to cloud architects.

The foundation of Microsoft's approach is Azure Active Directory (Azure AD, since renamed Microsoft Entra ID), Microsoft's cloud-based identity and access management service, which authenticates users and controls their access to resources in Azure and in the other Microsoft services and applications that trust the directory. The following are some of the key elements related to implementing identity management using Azure AD.

Azure tenant

A dedicated and trusted instance of Azure AD that is automatically created when the organization signs up for a Microsoft cloud service, such as Microsoft Azure, Microsoft Intune, or Office 365. A tenant represents a single organization. Every Azure subscription trusts exactly one tenant for authentication, while one tenant can be trusted by many subscriptions.

Azure AD Directory

Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant’s users, groups, and apps and is used to perform identity and access management functions for tenant resources.

Azure AD account

An identity created through Azure AD or another Microsoft cloud service, such as Office 365. Identities are stored in Azure AD and are available to every cloud service subscription of the organization that trusts that directory.

Owner

Owner is an Azure role-based access control (RBAC) role that grants full control over all resources within its scope, including the right to assign roles to others. Azure RBAC, the authorization system that replaced the classic subscription administrator roles, provides fine-grained access management to Azure resources: a role is assigned to a user, group, or service principal at management group, subscription, resource group, or individual resource scope, and is inherited by everything below that scope. Owner should therefore be granted at the narrowest scope that does the job, and rarely at the subscription level to individual users.
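As an added example (not code from the original document), the following Az PowerShell script lists Owner assignments that apply to a whole subscription, flags the ones granted to individual user accounts, and shows the least-privilege alternative of a Contributor assignment scoped to a single resource group. It assumes the Az module is installed and that the signed-in identity can read role assignments; the resource group name "rg-app" and the principal object ID in the commented command are placeholders.

```powershell
# Added example, not part of the original article. Assumes the Az PowerShell
# module (Connect-AzAccount, Get-AzSubscription, Get-AzRoleAssignment).
Connect-AzAccount | Out-Null

function Get-BroadOwnerAssignments {
    param([Parameter(Mandatory)][string]$SubscriptionId)

    $scope = "/subscriptions/$SubscriptionId"

    # Get-AzRoleAssignment at subscription scope also returns assignments
    # inherited from management groups, so the Scope property is checked
    # explicitly to keep only those that cover the entire subscription.
    Get-AzRoleAssignment -Scope $scope -RoleDefinitionName "Owner" |
        Where-Object {
            $_.Scope -eq $scope -or
            $_.Scope -like "/providers/Microsoft.Management/managementGroups/*"
        } |
        Select-Object DisplayName, SignInName, ObjectType, Scope,
            @{ Name = "Finding"; Expression = {
                # Owner on a whole subscription for a single user (rather than a
                # group whose membership is reviewed) is the case worth revisiting.
                if ($_.ObjectType -eq "User") { "Owner at subscription scope granted to an individual user" }
                else { "" }
            } }
}

foreach ($sub in Get-AzSubscription) {
    Write-Host "== $($sub.Name) ($($sub.Id)) =="
    Get-BroadOwnerAssignments -SubscriptionId $sub.Id | Format-Table -AutoSize
}

# Least-privilege replacement for a flagged assignment: Contributor on one
# resource group instead of Owner on the whole subscription. Contributor can
# manage resources but cannot assign roles. Uncomment after reviewing the
# output above; both IDs below are placeholders.
# New-AzRoleAssignment -ObjectId "<principal-object-id>" `
#     -RoleDefinitionName "Contributor" `
#     -Scope "/subscriptions/<subscription-id>/resourceGroups/rg-app"
```

The script is read-only as written. When it is run, group assignments at subscription scope are listed but not flagged, on the assumption that group membership is what gets reviewed; adjust the finding logic if the tenant does not manage privileged groups that way.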

Azure AD Global administrator

This administrator role is automatically assigned to the account that created the Azure AD tenant. Global administrators can perform all administrative functions in Azure AD and in any Microsoft service that federates to it, such as Exchange Online, SharePoint Online, and Skype for Business Online. A Global administrator can also elevate its own access to User Access Administrator at the root scope of every Azure subscription in the tenant, so the role effectively controls the Azure resources as well as the directory. Keep the number of Global administrators small, assign the role to dedicated administrative accounts rather than to everyday user accounts, and review the membership regularly.

MFA (Multi-Factor Authentication)

Azure AD supports strong authentication with Multi-Factor Authentication (MFA). The Microsoft Authenticator app (push approval or time-based one-time code) is the usual second factor; FIDO2 security keys, OATH hardware or software tokens, and phone call or SMS verification are also available. The phone-based methods are the weakest of these (SIM swapping and call forwarding defeat them) and should not be relied on for privileged accounts.

As a best practice, enable MFA for every privileged identity in Azure AD, starting with the Global administrators, and extend it to all users where possible. Conditional Access is the mechanism for enforcing MFA per directory role, application, or sign-in risk rather than relying on each user to register it.
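The two points above (keep Global administrators few and MFA-protected, and enforce MFA for privileged roles through Conditional Access) are shown in the following added example, which is not code from the original document. It uses the Microsoft Graph PowerShell SDK to report which active Global administrators have no strong second factor registered, then creates a report-only Conditional Access policy requiring MFA for a set of privileged directory roles. The role names, the policy name, and the break-glass account UPN are assumptions to adapt to the tenant.

```powershell
# Added example, not part of the original article. Assumes the Microsoft.Graph
# PowerShell SDK and an account allowed to consent to the scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory",
                        "UserAuthenticationMethod.Read.All",
                        "User.Read.All",
                        "Policy.Read.All",
                        "Policy.ReadWrite.ConditionalAccess" | Out-Null

# Authentication method types treated as a strong second factor. Password,
# e-mail (self-service password reset only) and temporary access pass are
# deliberately left out, so a user with only those is reported.
$StrongMethods = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod"   # weakest; drop this line to be strict
)

function Get-GlobalAdminsWithoutMfa {
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

    foreach ($m in $members) {
        # Role members can be users, groups or service principals; only users
        # have registered authentication methods to inspect.
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $methods = Get-MgUserAuthenticationMethod -UserId $m.Id
        $strong = $methods | Where-Object {
            $StrongMethods -contains $_.AdditionalProperties['@odata.type']
        }
        if (-not $strong) {
            [pscustomobject]@{
                UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
                Id                = $m.Id
                RegisteredMethods = ($methods.AdditionalProperties['@odata.type'] -join ", ")
            }
        }
    }
}

Get-GlobalAdminsWithoutMfa | Format-Table -AutoSize

# Conditional Access policy: require MFA on every sign-in by members of the
# privileged roles below. Role template IDs are looked up by display name
# instead of being hard-coded. The policy is created in report-only mode;
# change state to "enabled" after checking the sign-in logs, and always keep a
# monitored break-glass account excluded so a policy mistake cannot lock every
# administrator out of the tenant.
$roleNames  = @("Global Administrator", "Privileged Role Administrator", "Security Administrator")
$roleIds    = (Get-MgDirectoryRoleTemplate | Where-Object { $roleNames -contains $_.DisplayName }).Id
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"   # placeholder UPN

$policy = @{
    displayName   = "Require MFA for privileged directory roles"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeRoles = @($roleIds); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two caveats when reading the report. Get-MgDirectoryRoleMember returns only active role members, so administrators who hold the role as an eligible Privileged Identity Management assignment do not appear until they activate it and need to be reviewed through the PIM role management APIs instead. And the Conditional Access policy applies to the roles, not to named users, so anyone later added to one of those roles is covered automatically.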

References:

Azure Identity Management and access control security best practices

https://docs.microsoft.com/en-us/azure/security/azure-security-identity-management-best-practices

Securing privileged access for hybrid and cloud deployments in Azure AD

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure

Security best practices for Azure solutions

https://azure.microsoft.com/mediahandler/files/resourcefiles/security-best-practices-for-azure-solutions/Azure%20Security%20Best%20Practices.pdf

Secure your Azure AD Domain Services managed domain

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-your-domain

Azure Active Directory Data Security Considerations

https://download.microsoft.com/download/A/A/4/AA48DC38-DBC8-4C5E-AF07-D1433B55363D/Azure-AD-Data-Security-Considerations.pdf

Five steps to securing your identity infrastructure

https://docs.microsoft.com/en-us/azure/security/azure-ad-secure-steps

73 Azure Security Best Practices Everyone Must Follow

https://www.skyhighnetworks.com/cloud-security-blog/73-azure-security-best-practices/