The document discusses a conference on managing privileges on the Microsoft Cloud. It includes an agenda covering topics like Azure Active Directory roles, Privileged Identity Management, Azure roles and role-based access control, account protection, conditional access, privileged access devices, interface security levels, intermediaries, Azure Bastion, and a conclusion. It provides information on many aspects of securing access and managing privileges for cloud resources.
11. There are about 60 Azure Active Directory (Azure AD) built-in roles, which are roles with a fixed set of role permissions. To supplement the built-in roles, Azure AD also supports custom roles.
There are many different services in Microsoft 365, such as Azure AD and Intune. Some of these services have their own role-based access control systems (AAD, Exchange, Intune, MDCA, 365 Defender, Purview, Cost Management + Billing).
Azure has its own role-based access control system for Azure resources such as virtual machines, and this system is not the same as Azure AD roles.
27 octobre 2022 - PARIS
Identity Days 2022
Understand Azure Active Directory role concepts - Microsoft Entra | Microsoft Learn
12. Secure access with Microsoft Entra
Multicloud identity and access management
Oversee all your organization’s identities in one place
Microsoft Entra encompasses all of Microsoft’s identity and access capabilities. The Entra family includes Microsoft Azure Active Directory (Azure AD), as well as two new product categories: Cloud Infrastructure Entitlement Management (CIEM) and decentralized identity.
Microsoft Entra Datasheet
14. What is Privileged Identity Management (PIM)?
PIM is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. Such resources include those in Azure AD, Azure, and other Microsoft Online Services, such as Microsoft 365 or Microsoft Intune.
15. What does PIM do?
PIM provides time-based and approval-based role activation to mitigate the
risks of excessive, unnecessary, or misused access permissions on resources
that you care about. Key features of PIM include:
✓ Provide just-in-time privileged access to Azure AD and Azure resources
✓ Assign time-bound access to resources using start and end dates
✓ Require approval to activate privileged roles
✓ Enforce multifactor authentication to activate any role
✓ Use justification to understand why users activate
✓ Get notifications when privileged roles are activated
✓ Conduct access reviews to ensure users still need roles
✓ Download audit history for internal or external audit
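The activation controls listed above (time-bound access, justification, MFA and approval) modelled as a small policy evaluator. This is an added example, not Microsoft's PIM code or the deck's own material; the policy shape, the role names used as keys and the sample requests are all constructed for illustration.

```python
# Model of the PIM activation controls listed above (added example, not
# Microsoft's PIM code): each request is checked against a per-role policy
# and either admitted with an expiry or denied. The policy shape is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass
class RolePolicy:
    max_duration: timedelta   # upper bound on a single activation
    approvers: tuple = ()     # non-empty means an approval is required

@dataclass
class ActivationRequest:
    user: str
    role: str
    requested_at: datetime
    duration: timedelta
    mfa_passed: bool          # MFA is enforced for every role
    justification: str = ""
    approved_by: str = ""

POLICIES = {  # constructed: stricter controls for the more powerful role
    "Global Administrator": RolePolicy(timedelta(hours=4), ("secops@contoso.example",)),
    "Contributor": RolePolicy(timedelta(hours=8)),
}

def evaluate(req, policies=POLICIES):
    """Return (denial_reasons, expires_at); an admitted activation is time-bound."""
    policy = policies.get(req.role)
    if policy is None:
        return ["no eligible assignment for this role"], None
    reasons = []
    if req.duration > policy.max_duration:
        reasons.append(f"duration exceeds {policy.max_duration}")
    if not req.mfa_passed:
        reasons.append("multifactor authentication required")
    if not req.justification.strip():
        reasons.append("justification required")
    if policy.approvers and req.approved_by not in policy.approvers:
        reasons.append("approval by a designated approver required")
    return reasons, None if reasons else req.requested_at + req.duration

NOW = datetime(2022, 10, 27, 9, 0, tzinfo=timezone.utc)  # constructed clock
SAMPLE_REQUESTS = [  # constructed requests, not real audit data
    ActivationRequest("alice@contoso.example", "Contributor", NOW, timedelta(hours=2), True, "change CHG-1234"),
    ActivationRequest("bob@contoso.example", "Global Administrator", NOW, timedelta(hours=8), False),
]

def evaluate_samples():
    return {r.user: evaluate(r) for r in SAMPLE_REQUESTS}
```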
16. PIM for Azure resource roles
• Azure Active Directory (Azure AD) Privileged Identity Management (PIM) can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):
❑ Owner
❑ User Access Administrator
❑ Contributor
❑ Security Admin
❑ Security Manager
17. Management capabilities for Privileged Access groups
• In Privileged Identity Management (PIM), you can now assign eligibility for membership or ownership of privileged access groups.
18. Azure roles & RBAC
19. Understanding Azure Roles and RBAC
What is Azure role-based access control (Azure RBAC)? | Microsoft Learn
20. Best practices for Azure RBAC
• Only grant the access users need
• Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they
need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or
resources, you can allow only certain actions at a particular scope.
• Limit the number of subscription owners
• You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner.
This recommendation can be monitored in Microsoft Defender for Cloud.
• Use Azure AD Privileged Identity Management
• PIM helps protect privileged accounts by providing just-in-time privileged access to Azure AD and Azure resources.
Access can be time bound after which privileges are revoked automatically.
• Assign roles to groups, not users
• Assigning roles to groups instead of users also helps minimize the number of role assignments.
• Assign roles using the unique role ID instead of the role name
• Even if a role is renamed, the role ID does not change
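Two of the practices above (at most 3 subscription owners, roles assigned to groups rather than users) as an audit over role assignment records, matching roles by their stable GUID rather than by name. This is an added example, not code from the deck or from Microsoft; the records are constructed to mimic the fields of `az role assignment list --all -o json` output, and the subscription ID and principal names are placeholders.

```python
# Audit Azure RBAC assignments against the best practices listed above.
# The sample records are constructed to mimic `az role assignment list
# --all -o json` output (principalName, principalType, roleDefinitionName,
# roleDefinitionId, scope); feed that command's real output in instead.
from collections import Counter

# Built-in role GUIDs are stable even if a role is renamed, so we match
# on the ID and never on roleDefinitionName.
OWNER_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMIN_ID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
CONTRIBUTOR_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
PRIVILEGED_IDS = {OWNER_ID, USER_ACCESS_ADMIN_ID}
MAX_SUBSCRIPTION_OWNERS = 3  # the limit recommended on the slide
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed

def assignment(name, ptype, role_name, guid, scope):
    return {"principalName": name, "principalType": ptype,
            "roleDefinitionName": role_name, "scope": scope,
            "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{guid}"}

SAMPLE_ASSIGNMENTS = [  # constructed sample, not real tenant data
    assignment("alice@contoso.example", "User", "Owner", OWNER_ID, SUB),
    assignment("bob@contoso.example", "User", "Owner", OWNER_ID, SUB),
    assignment("carol@contoso.example", "User", "Owner", OWNER_ID, SUB),
    assignment("sg-sub-owners", "Group", "Owner", OWNER_ID, SUB),
    assignment("sg-app-devs", "Group", "Contributor", CONTRIBUTOR_ID,
               SUB + "/resourceGroups/rg-app"),
]

def audit(assignments, max_owners=MAX_SUBSCRIPTION_OWNERS):
    """Return (rule, detail) findings for two of the checks the slide names."""
    findings = []
    owners_per_sub = Counter()
    for a in assignments:
        guid = a["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        if guid == OWNER_ID and a["scope"].count("/") == 2:
            owners_per_sub[a["scope"]] += 1  # Owner at subscription scope
        if guid in PRIVILEGED_IDS and a["principalType"] == "User":
            findings.append(("assign-to-groups", f"{a['principalName']} holds "
                             f"{a['roleDefinitionName']} directly at {a['scope']}"))
    for sub, n in owners_per_sub.items():
        if n > max_owners:
            findings.append(("too-many-owners",
                             f"{sub} has {n} Owner assignments (max {max_owners})"))
    return findings
```

The group `sg-sub-owners` counts toward the owner limit but is not flagged by the second rule, which is the pattern the slide recommends.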
Best practices for Azure RBAC | Microsoft Learn
21. Azure RACI Template
• The purpose of this RACI is to provide a foundation for organizations beginning the journey into Microsoft Azure. It contains common tasks across both governance and operations that organizations should identify owners and operators for.
GitHub - jkstant/AzureRACIToolkit
24. CRITICAL BEST PRACTICES
BLOCK LEGACY AUTHENTICATION
The majority of password spray attacks use legacy authentication.
https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Conditional-Access-support-for-blocking-legacy-auth-is/ba-p/245417
Azure identity & access security best practices | Microsoft Learn
25. AAD B2B Collaboration
Azure identity & access security best practices | Microsoft Learn
27. Managing emergency access administrative accounts in Azure AD
Used where normal administrative accounts can’t be used (federation unavailable, etc.).
Azure identity & access security best practices | Microsoft Learn
29. Get started using Attack simulation training - Office 365 | Microsoft Docs
Azure identity & access security best practices | Microsoft Learn
31. Different forms of MFA and passwordless authentication
Authentication methods and features - Azure Active Directory - Microsoft Entra | Microsoft Learn
32. Conditional Access authentication strength (preview)
Overview of Azure Active Directory authentication strength (preview) - Microsoft Entra | Microsoft Learn
38. Privileged interface
Security controls for specialized interfaces should include:
• Zero Trust policy enforcement - on inbound sessions using Conditional Access to ensure that users and devices are secured at the privileged level
• Role-Based Access Control (RBAC) - the model should ensure that the application is administered only by roles at the privileged security level
• Just-in-time access workflows (required) - that enforce least privilege by ensuring privileges are used only by authorized users during the time they are needed
Securing privileged access interfaces | Microsoft Learn
42. Azure Bastion Architecture
About Azure Bastion | Microsoft Learn
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer.
44. CRITICAL BEST PRACTICES
CLEAR LINES OF RESPONSIBILITY
Tip: document and socialize this widely with all teams working on Azure.
Microsoft Security Best Practices module: Governance, risk, and compliance | Microsoft Learn
45. Microsoft Zero Trust Principles
Use least privilege access
To help secure both data and productivity, limit user access using
• Just-in-time (JIT)
• Just-enough-access (JEA)
• Risk-based adaptive policies
• Data protection against out-of-band vectors
Verify explicitly
Always validate all available data points, including
• User identity and location
• Device health
• Service or workload context
• Data classification
• Anomalies
Assume breach
Minimize blast radius for breaches and prevent lateral movement by
• Segmenting access by network, user, devices, and app awareness
• Encrypting all sessions end to end
• Using analytics for threat detection, posture visibility and improving defenses
Zero Trust Model - Modern Security Architecture | Microsoft Security
46. Thank you to all our partners!
@IdentityDays #identitydays2022