Security Control: Identity and Access Control

Note

The most up-to-date Azure Security Benchmark is available here.

Identity and access management recommendations focus on addressing issues related to identity-based access control, locking down administrative access, alerting on identity-related events, abnormal account behavior, and role-based access control.

3.1: Maintain an inventory of administrative accounts

Azure ID CIS IDs Responsibility
3.1 4.1 Customer

Azure AD has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

3.2: Change default passwords where applicable

Azure ID CIS IDs Responsibility
3.2 4.2 Customer

Azure AD does not have the concept of default passwords. Other Azure resources requiring a password forces a password to be created with complexity requirements and a minimum password length, which differs depending on the service. You are responsible for third-party applications and marketplace services that may use default passwords.

3.3: Use dedicated administrative accounts

Azure ID CIS IDs Responsibility
3.3 4.3 Customer

Create standard operating procedures around the use of dedicated administrative accounts. Use the recommendations in Azure Security Center's "Manage access and permissions" security control to monitor the number of administrative accounts.

You can also enable a Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management Privileged Roles for Microsoft Services, and Azure Resource Manager.

3.4: Use single sign-on (SSO) with Azure Active Directory

Azure ID CIS IDs Responsibility
3.4 4.4 Customer

Wherever possible, use Azure Active Directory SSO instead than configuring individual stand-alone credentials per-service. Use the recommendations in Azure Security Center's "Manage access and permissions" security control.

3.5: Use multi-factor authentication for all Azure Active Directory based access

Azure ID CIS IDs Responsibility
3.5 4.5, 11.5, 12.11, 16.3 Customer

Enable Azure AD MFA and follow Azure Security Center Identity and Access Management recommendations.

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Azure ID CIS IDs Responsibility
3.6 4.6, 11.6, 12.12 Customer

Use PAWs (privileged access workstations) with MFA configured to log into and configure Azure resources.

3.7: Log and alert on suspicious activities from administrative accounts

Azure ID CIS IDs Responsibility
3.7 4.8, 4.9 Customer

Use Azure Active Directory security reports for generation of logs and alerts when suspicious or unsafe activity occurs in the environment. Use Azure Security Center to monitor identity and access activity.

3.8: Manage Azure resources from only approved locations

Azure ID CIS IDs Responsibility
3.8 11.7 Customer

Use Conditional Access Named Locations to allow access from only specific logical groupings of IP address ranges or countries/regions.

3.9: Use Azure Active Directory

Azure ID CIS IDs Responsibility
3.9 16.1, 16.2, 16.4, 16.5, 16.6 Customer

Use Azure Active Directory as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

3.10: Regularly review and reconcile user access

Azure ID CIS IDs Responsibility
3.10 16.9, 16.10 Customer

Azure AD provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right Users have continued access.

3.11: Monitor attempts to access deactivated credentials

Azure ID CIS IDs Responsibility
3.11 16.12 Customer

You have access to Azure AD Sign-in Activity, Audit and Risk Event log sources, which allow you to integrate with any SIEM/Monitoring tool.

You can streamline this process by creating Diagnostic Settings for Azure Active Directory user accounts and sending the audit logs and sign-in logs to a Log Analytics Workspace. You can configure desired Alerts within Log Analytics Workspace.

3.12: Alert on account login behavior deviation

Azure ID CIS IDs Responsibility
3.12 16.13 Customer

Use Azure AD Risk and Identity Protection features to configure automated responses to detected suspicious actions related to user identities. You can also ingest data into Azure Sentinel for further investigation.

3.13: Provide Microsoft with access to relevant customer data during support scenarios

Azure ID CIS IDs Responsibility
3.13 16 Customer

In support scenarios where Microsoft needs to access customer data, Customer Lockbox provides an interface for you to review, and approve or reject customer data access requests.

Next steps