© 2024 Created by Anuradha Samaranayake
Essential Azure Security Best Practices for Design, Deployment & Management
Essential Azure Security Best Practices for Design, Deployment and Management – Part 1
🛡️ Hey Folks,This is the first article of my Security Best practices for Microsoft Cloud series and This blog shares important security Best Practices in the Identity and Access management & Network Security to follow when you’re designing, deploying, and managing your cloud solutions with Microsoft Azure These tips are come from My Experience as well as Microsoft best practices Guide Lines for Microsoft Cloud Security.
✅ Who are these tips for?
These best practices are a helpful guide for IT professionals, including:
- Designers 🖌️: Crafting the layout and user experience of solutions.
- Architects 🏗️: Building strong and scalable cloud frameworks.
- Developers 💻: Writing code that keeps applications secure.
- IT Decision Makers 🔍: Making key choices about cloud strategies.
- Cyber Security Experts 🔐: Protecting systems from threats.
- Governance Teams 📋: Ensuring compliance and managing risks effectively.
If you’re someone who builds or deploys secure Azure solutions, this is for you 😊
🔍 For Each Best Practice, Here’s What I’ll Explain:
1️⃣ What the Best Practice Is
2️⃣ Why You Should Enable It
Azure Identity Management and access control security best practices
🛡️ Treat Identity as the Primary Security Perimeter
With the rise of BYOD devices and cloud applications, traditional network security is no longer enough. Identity has become the primary focus for security. 🌐 Microsoft Entra ID is Azure’s solution for identity and access management, combining directory services, application access, and identity protection in one platform.
Best Practice: Center security controls and detections around user and service identities 🔑
💡Use Microsoft Entra ID to collocate controls and detections with user and service identities. This ensures stronger protection and better threat detection at the identity level.
🌐 Centralize Identity Management
In a hybrid identity setup, integrating your on-premises and cloud directories is essential. This integration allows IT teams to manage accounts from one location and provides users with a unified identity for accessing both cloud and on-premises resources.
Best Practice: Establish a single Microsoft Entra instance 🔑
💡Create a single, consistent Microsoft Entra directory to serve as the authoritative source for all corporate and organizational accounts. This reduces security risks and simplifies management.
Best Practice: Integrate your on-premises directories with Microsoft Entra ID 🔄
💡 Use Microsoft Entra Connect to sync your on-premises directory with your cloud directory. This ensures seamless access to both environments for your users.
Best Practice: Don’t synchronize accounts with high privileges 🔒
💡 Avoid synchronizing accounts that have high privileges in your existing Active Directory. By not changing the default Microsoft Entra Connect configuration, you mitigate the risk of adversaries accessing on-premises assets through cloud accounts.
Best Practice: Turn on password hash synchronization 🔑
💡 Enable password hash synchronization to protect against leaked credentials and ensure users can sign in with the same password across on-premises and cloud systems. Even with federation (like AD FS), this serves as a backup to ensure users can access resources even if on-premises servers go down.
Best Practice: Use Microsoft Entra ID for new application development 🌐
💡 For new applications, use Microsoft Entra ID for authentication to streamline identity management.
- Microsoft Entra ID for employees
- Microsoft Entra B2B for guest users and partners
- Azure AD B2C for customer management
🔑 Enable Single Sign-On (SSO)
In a mobile-first, cloud-first world, enabling Single Sign-On (SSO) allows users to access devices, apps, and services from anywhere. This boosts productivity and simplifies the user experience by eliminating the need to remember multiple passwords. By using a single identity solution for all resources, both on-premises and in the cloud, you streamline access and enhance security.
Best Practice: Enable SSO 💡
💡Use Microsoft Entra ID to extend your on-premises Active Directory to the cloud, enabling users to access resources seamlessly.
- Users can sign in with their primary work or school account.
- No need to remember multiple usernames or passwords.
- Application access is automatically managed based on user group memberships and employment status.
By enabling SSO, users can access SaaS apps like Google Apps or Salesforce using their Microsoft Entra ID credentials. You can control access and ensure security through group-based permissions.
🔐 Turn on Conditional Access
As users access resources from various devices and apps, it’s crucial to ensure these devices meet your security and compliance standards. Focusing only on who can access a resource is no longer enough. With Microsoft Entra Conditional Access, you can automate access decisions based on specific conditions, balancing security with productivity.
Best Practice: Manage and control access to corporate resources 💡
💡Configure Microsoft Entra Conditional Access policies based on groups, locations, and application sensitivity. This ensures that only the right users with compliant devices can access your corporate resources.
Best Practice: Block legacy authentication protocols 🚫
💡Legacy authentication protocols are vulnerable to attacks, especially password spray attacks. Configure Conditional Access to block these older protocols and reduce security risks.
🔒 Plan for Routine Security Improvements
Security is constantly evolving, and it’s essential to incorporate regular reviews and improvements into your cloud and identity management practices. Microsoft’s Identity Secure Score provides a numerical score to help you objectively measure and track your security posture, compare with industry standards, and identify areas for improvement.
Best Practice: Plan routine security reviews and improvements based on best practices in your industry. 💡
💡 Use the Identity Secure Score to monitor your security progress and identify areas for future enhancements. This score helps you stay on track with industry best practices and adjust your security strategies accordingly.
🔑 Enable Password Management
Allowing users to reset their own passwords can improve efficiency, but it’s crucial to implement the right security policies to avoid misuse. Using features like self-service password reset (SSPR) can help manage this securely.
Best Practice: Set up self-service password reset (SSPR) for your users 💡
💡 Use Microsoft Entra ID’s self-service password reset feature to allow users to reset their passwords securely without IT involvement.
Best Practice: Monitor how or if SSPR is really being used 👀
💡 Track the usage of self-service password reset through the Microsoft Entra ID Password Reset Registration Activity report. Use prebuilt reports or custom queries to monitor and ensure that the feature is being used effectively.
Best Practice: Extend cloud-based password policies to your on-premises infrastructure 🔒
💡 Ensure consistency by applying the same password policies for both cloud and on-premises environments. Install Microsoft Entra password protection for Windows Server Active Directory agents to extend banned password lists across your entire infrastructure.
🔐 Enforce Multifactor Verification for Users
Two-step verification is a must for securing user accounts, especially for high-impact roles like admins and financial officers. It adds an extra layer of protection against potential credential theft attacks.
Best Practice: Enable MFA for all users and login methods with Microsoft Entra Security Defaults
💡 Quickly enforce MFA for all users using strict policies that challenge administrative accounts, require MFA via Microsoft Authenticator for all users, and restrict legacy authentication protocols. This is available to all licensing tiers but can’t be mixed with existing Conditional Access policies.
Best Practice: Enable multifactor authentication by changing user state
💡 The traditional method where users must verify their identity with MFA every time they sign in. This option works with Microsoft Entra MFA in the cloud and Azure MFA Server, overriding Conditional Access policies.
Best Practice: Enable multifactor authentication with Conditional Access policy
💡 Use Conditional Access to enable MFA under specific conditions (e.g., untrusted devices, risky locations). This provides flexibility and minimizes disruption to users by only prompting for MFA when needed. Available with Microsoft Entra ID Premium.
Best Practice: Enable multifactor authentication with Risk-based Conditional Access policies
💡 Leverage risk evaluation to detect potential vulnerabilities and automatically trigger MFA based on user or sign-in risk. This method helps mitigate risk from suspicious sign-ins and requires Microsoft Entra ID P2 licensing.
🛡️ Use Role-Based Access Control (RBAC)
Access management for cloud resources is critical for any organization using the cloud. Azure Role-Based Access Control (Azure RBAC) enables organizations to manage who can access Azure resources, what they can do, and where they have access.
Designating groups or roles for specific functions in Azure reduces confusion, minimizes security risks, and prevents unauthorized access. Enforcing the principle of least privilege ensures users only have the access they need to perform their tasks.
Best Practice: Segregate duties and grant only necessary permissions
💡 Instead of giving broad permissions to all users, limit access based on job functions. Use Azure built-in roles to assign permissions to users. Allow only specific actions at a defined scope (subscription, resource group, or individual resource).
Best Practice: Provide security teams with visibility into Azure resources
💡 Security teams need access to assess and remediate risks. Assign the Azure RBAC Security Reader role to security teams. Use the root management group for teams responsible for all enterprise resources. Use a segment management group for teams with limited responsibilities.
Best Practice: Assign operational roles to security teams
💡 Teams responsible for security operations require permissions beyond read-only access. Review the Azure built-in roles and assign appropriate permissions. If built-in roles don’t meet your needs, create custom roles and assign them at the subscription, resource group, or resource level.
Best Practice: Grant Microsoft Defender for Cloud access to security teams
💡 Defender for Cloud helps security teams quickly identify and remediate risks. Assign security teams the Azure RBAC Security Admin role to:
- View and edit security policies.
- Monitor security alerts and recommendations.
- Take necessary remediation actions.
- Assign permissions at the root management group or segment management group level based on scope.
🚨 Risk of Not Enforcing Access Control
Organizations that do not enforce Azure RBAC might unintentionally grant excessive privileges, increasing the risk of data breaches and compliance violations. Enforcing role-based access control ensures secure, structured, and compliant access management.
🔑 Lower Exposure of Privileged Accounts
Securing privileged access is a critical first step in protecting business assets. Minimizing privileged access reduces the risk of cyberattacks and accidental misconfigurations. Privileged accounts, which administer IT systems, are high-value targets for attackers. Isolating and securing these accounts is essential.
Organizations should develop and follow a roadmap to secure privileged access across Microsoft Entra ID, Azure, Microsoft 365, and other cloud services.
Best Practice: Manage, control, and monitor privileged accounts
💡 Enable Microsoft Entra Privileged Identity Management (PIM) to receive notifications for privileged role changes. Get alerts when users are added to highly privileged roles in your directory.
Best Practice: Ensure all critical admin accounts are Microsoft Entra accounts
💡 Remove consumer accounts (e.g., Hotmail, Outlook) from critical admin roles. Only use work or school accounts for administrative tasks.
Best Practice: Use separate admin accounts for administrative tasks
💡 Prevent phishing and other attacks targeting admin privileges. Block the use of admin accounts for daily productivity tasks like email and browsing.
Best Practice: Identify and categorize highly privileged accounts
💡 Review Microsoft Entra PIM to identify accounts in privileged roles.
Categorize accounts based on their usage:
- Personal email access
- Dedicated admin use
- Shared accounts
- Emergency access
- Automated scripts
- External users
Best Practice: Implement Just-In-Time (JIT) Access
💡 Use Microsoft Entra PIM to limit privileged access duration. Ensure privileges are automatically revoked when no longer needed.
Best Practice: Define at least two emergency access accounts
💡 Emergency accounts help regain access if normal admin accounts fail. Use .onmicrosoft.com cloud-only accounts for emergency scenarios.
Best Practice: Have a “Break Glass” process
💡 Ensure an emergency response plan exists.
Best Practice: Require Passwordless or Multi-Factor Authentication (MFA)
💡 Use Microsoft Authenticator for passwordless sign-in. Require MFA for all critical admin accounts like Global Administrator, Privileged Role Administrator, Exchange Online Administrator, and SharePoint Online Administrator.
Best Practice: Use Secure Admin Workstations
💡 Protect admin accounts from attacks via browsing or email. Deploy Privileged Access Workstations (PAWs) for admin tasks.
Best Practice: Deprovision Admin Accounts When Employees Leave
💡 Disable or delete admin accounts immediately when employees exit. Implement an automated process for deprovisioning admin accounts.
Best Practice: Test Admin Accounts with Attack Simulations
💡 Use Microsoft 365 Attack Simulator to test security defenses. Identify and mitigate vulnerabilities before real attacks occur.
Best Practice: Mitigate Common Attack Techniques
💡 Ensure work or school accounts are used instead of personal Microsoft accounts in admin roles. Regularly review and update security policies to address evolving threats.
By implementing these best practices, organizations can significantly reduce the risk associated with privileged accounts and strengthen their overall security posture. 🚀
Azure best practices for network security
Azure Virtual Networks (VNets) allow secure communication between Azure VMs, appliances, on-premises networks, and the internet. By implementing strong network controls, you can enhance security, reduce attack surfaces, and improve network governance.
📌 Logically Segment Subnets
Azure Virtual Networks (VNets) function similarly to on-premises LANs, providing a private IP address space for Azure VMs and services. Proper subnet segmentation enhances security, scalability, and manageability.
Best Practice: Don’t assign allow rules with broad ranges
💡 Do not use wide-ranging allow rules (e.g., 0.0.0.0 – 255.255.255.255) as they create a false sense of security and are easily exploited. Implement strict access control policies and educate teams on secure troubleshooting procedures.
Best Practice: Segment larger address spaces into subnets
💡 Use CIDR-based subnetting principles to create logical and efficient subnets. Proper segmentation improves performance, security, and management flexibility.
Best Practice: Implement network access controls between subnets
💡 By default, Azure automatically routes traffic between subnets without restrictions. Use Network Security Groups (NSGs) to enforce security policies and filter traffic using the 5-tuple method (source IP, source port, destination IP, destination port, protocol).
Best Practice: Avoid small virtual networks and subnets
💡 Many organizations outgrow their initial network allocations, making reallocation complex. Define subnets with future scalability in mind to minimize unnecessary security overhead.
Best Practice: Use Application Security Groups (ASGs) for simpler rule management
💡 ASGs allow grouping resources logically, reducing the complexity of network security group (NSG) rules. Clearly name ASGs for easy understanding and maintainability.
🚫 Adopt a Zero Trust Approach
Traditional perimeter-based security assumes that everything within the network can be trusted, but with today’s distributed workforce, this approach is no longer effective. Zero Trust models eliminate the concept of trust based on network location, focusing instead on continuous verification of user and device trust for accessing organizational resources.
Best Practice: Use Conditional Access for resource control based on multiple factors
💡 Leverage Microsoft Entra Conditional Access to apply the right access controls, considering device, identity, assurance, network location, and other factors. Enforce automated access policies to ensure only authorized users can access resources under specific conditions.
Best Practice: Enable port access only after workflow approval
💡 Use just-in-time (JIT) access for VMs in Microsoft Defender for Cloud to minimize exposure to attacks. Restrict inbound traffic to Azure VMs and allow access only when necessary, reducing the attack surface.
Best Practice: Grant temporary permissions for privileged tasks
💡 Use just-in-time access through Microsoft Entra Privileged Identity Management or a third-party solution to grant permissions that expire once tasks are completed. Ensure that privileged access is only granted when needed, limiting the window of potential abuse.
Zero Trust is essential in modern network security, where an “assume breach” mindset is critical. This approach enhances security while empowering a flexible and productive workforce across any device, anywhere, and at any time. 🚀
📡 Control routing behavior
When you place a virtual machine (VM) on an Azure virtual network, by default, the VM can communicate with other VMs on the same network, regardless of whether they reside on different subnets. This is possible due to default system routes that enable such communications, including outbound connections to the internet.
Best Practice: Use User-Defined Routes (UDR) for customized routing
💡 Customize the routing behavior by defining specific next-hop addresses for traffic directed to particular destinations. Configuring user-defined routes (UDRs) allows precise control over how network traffic flows within your virtual network, enhancing security and optimizing performance.
Best Practice: Deploy security appliances with custom routes
💡 When deploying security appliances within a virtual network, it’s essential to configure UDRs to ensure that traffic flows through the security appliance for inspection or enforcement. For example, route traffic through a virtual network appliance to apply deep packet inspection or enforce other security measures.
Routing configuration flexibility is critical for achieving the desired network behavior. By customizing routes, organizations can improve both security and performance in their Azure environments. 🚀
🌐 Use Virtual Network Appliances
While Network Security Groups (NSGs) and User-Defined Routes (UDRs) offer basic network security at the network and transport layers, more advanced security features are often required to protect applications and resources at higher levels of the OSI model. For these scenarios, we recommend deploying virtual network security appliances from trusted Azure partners.
Best Practice: Deploy security appliances for advanced protection
💡 Leverage Azure network security appliances to provide enhanced security capabilities at higher layers of the network stack. These appliances are designed to offer more sophisticated protection beyond basic controls.
I don’t want to make this blog any longer, but here are some important networking best practices to keep in mind
🔵 Deploy Perimeter Networks for Security Zones
Ensure your critical resources are isolated by implementing perimeter networks. This strategy limits access and minimizes risk to sensitive data.
🔵 Avoid Exposure to the Internet with Dedicated WAN Links
Leverage dedicated WAN links for secure communication between on-premises infrastructure and Azure, reducing exposure to external threats.
🔵 Optimize Uptime and Performance
Design your network with redundancy in mind. Utilize Azure’s Availability Zones and Virtual Network Peering to ensure high availability and low-latency connections.
🔵 Disable RDP/SSH Access to Virtual Machines
Minimize attack surfaces by disabling unnecessary remote access protocols like RDP and SSH. Use Bastion or VPN for secure remote management instead.
🔵 Secure Critical Azure Service Resources to Only Your Virtual Networks
Protect your vital Azure resources by restricting access to only the designated virtual networks, ensuring tight control over who can access them.
