3 Ways to protect your Azure Landing Zone with Entra ID
As you move more services into your Azure Landing Zone, the importance of securing your assets grows. Not only are you hosting more business services, but you are opening up access to on-premises networks and potentially having more of your business users and partners administering and managing resources. Here are three great ways to improve your security posture using Entra ID, with some help from Intune.
#1 Use Privileged Identity Management
Following the principle of least privilege, you can lock down administrative actions and roles within your environment. Account compromise is one of the most common ways an organisation is breached, so any step that limits what a compromised account can do is a good thing.
Using Microsoft Privileged Identity Management (PIM), you can apply policy to your administrative accounts covering how they obtain elevated access, how long they keep it, and audit every step along the way. Examples range from requiring administrators to request Global Administrator for a maximum of two hours, with approval from IT security, to scoping Azure RBAC roles to specific subscriptions or management groups.
Once access has been activated, it expires automatically at the end of the activation window. Integrate this with identity governance features such as access reviews and you get regular audits and reports with very little effort.
It does require an Entra ID P2 licence, but it is definitely worth the investment for your administrator accounts.
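As an added example (not code from the original post), the following Microsoft Graph PowerShell script implements the scenario described above: Global Administrator can only be activated for two hours, activation needs approval from an IT security group, and the administrator holds the role as an eligible (not permanently active) assignment. The Global Administrator template ID is the well-known fixed value; `$approverGroupId` and `$adminUserId` are placeholders, and the change ticket in the justification is constructed for illustration. It assumes the Microsoft Graph PowerShell SDK is installed and the tenant has Entra ID P2.

```powershell
# Added example (not from the original post): configure PIM for Global Administrator so that
# activation is limited to 2 hours and needs approval, make one account eligible, and show what
# a self-activation request looks like. Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an Entra ID P2 licence.
# $approverGroupId and $adminUserId are placeholders you must replace.

Connect-MgGraph -Scopes 'RoleManagementPolicy.ReadWrite.Directory',
                        'RoleEligibilitySchedule.ReadWrite.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory'

$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'   # well-known Global Administrator template ID
$approverGroupId   = '00000000-0000-0000-0000-000000000000'   # placeholder: IT security approvers group
$adminUserId       = '11111111-1111-1111-1111-111111111111'   # placeholder: the admin account object ID

# 1. Find the PIM policy that governs Global Administrator at tenant scope ('/').
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$globalAdminRoleId'"
$policyId = $assignment.PolicyId

# 2. Activation may last at most 2 hours (ISO 8601 duration PT2H); PIM removes it afterwards.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Expiration_EndUser_Assignment' -BodyParameter @{
        '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
        id                   = 'Expiration_EndUser_Assignment'
        isExpirationRequired = $true
        maximumDuration      = 'PT2H'
        target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment'
                    inheritableSettings = @(); enforcedSettings = @() }
    }

# 3. Activation requires a justification and approval by the IT security group.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Approval_EndUser_Assignment' -BodyParameter @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
        id            = 'Approval_EndUser_Assignment'
        target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment'
                    inheritableSettings = @(); enforcedSettings = @() }
        setting = @{
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = 'SingleStage'
            approvalStages = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers   = @(@{ '@odata.type' = '#microsoft.graph.groupMembers'; groupId = $approverGroupId })
                escalationApprovers = @()
            })
        }
    }

# 4. Make the admin *eligible* for 180 days rather than a permanent active member.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = 'Tier 0 administrator; eligible only, activation through PIM'
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = '/'
    principalId      = $adminUserId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }
    }
}

# 5. What the administrator runs when the role is needed: a self-activation request that PIM
#    holds until someone in $approverGroupId approves it. The assignment is removed when PT2H elapses.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = 'selfActivate'
    justification    = 'CHG0001234: tenant-wide Conditional Access change'   # constructed ticket reference
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = '/'
    principalId      = $adminUserId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }
    }
}
```

Every request and approval in steps 4 and 5 is written to the PIM audit log, which is what the access reviews and reporting mentioned above build on. Keep a separate break-glass account that is permanently assigned and excluded from these controls, otherwise a misconfigured approval rule can lock every administrator out.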
#2 Use privileged access workstations
This is probably one of the most effective controls an organisation can put in place to protect its tier 0 workloads. Having dedicated, locked-down machines for accessing critical management services reduces the risk of token theft and malware infection and limits the impact of phishing.
To do this, create a locked-down build in Intune, allow-list internet access (only the Azure and Microsoft admin portals, for example) and use Conditional Access to block access to the administrative portals unless the device is compliant, Entra joined and tagged as a privileged access workstation.
#3 Use authentication strengths
The third and final one for today's post is the use of authentication strengths. You have all heard that not all multi-factor methods are created equal. SMS and phone-call methods are weak, and with more advanced tooling and phishing techniques (I'm looking at you, Evilginx), stronger authentication is required.
Creating dedicated Conditional Access policies for your administrative users that require phishing-resistant methods such as FIDO2 security keys or passkeys when they access Tier 0 services can greatly improve your security posture. The credential is bound to the legitimate origin and requires physical possession of the authenticator, so an adversary-in-the-middle phishing proxy cannot relay it. Pair this with #2, and it adds a whole new level of protection.
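The two Conditional Access policies from #2 and #3, as an added example that is not code from the original post: the first blocks the Microsoft admin portals for Tier 0 roles unless the device is compliant, Entra joined and tagged as a PAW; the second requires the built-in "Phishing-resistant MFA" authentication strength for the same roles. Both are created in report-only mode so sign-in logs can be reviewed before enforcement. It assumes the Microsoft Graph PowerShell SDK, that PAW devices are tagged by setting `extensionAttribute1` to `PAW` on the device object (an assumed convention), and a placeholder `$breakGlassGroupId` for the emergency-access accounts; the Global Administrator template ID and the phishing-resistant strength ID are the well-known built-in values.

```powershell
# Added example (not from the original post): Conditional Access policies implementing #2 and #3.
# Both start as report-only ('enabledForReportingButNotEnforced'); switch state to 'enabled'
# once the sign-in logs show no unexpected blocks. Requires the Microsoft Graph PowerShell SDK.
# Assumption: PAW devices carry extensionAttribute1 = "PAW" on their Entra device object.
# $breakGlassGroupId is a placeholder for your emergency-access accounts group.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$globalAdminRoleId      = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator template ID
$phishingResistantMfaId = '00000000-0000-0000-0000-000000000004'   # built-in "Phishing-resistant MFA" strength
$breakGlassGroupId      = '22222222-2222-2222-2222-222222222222'   # placeholder: break-glass accounts

# Tier 0 roles the policies target; extend with Privileged Role Administrator, Security Administrator, etc.
$tier0Roles = @($globalAdminRoleId)

# Policy A (#2): block the Microsoft admin portals unless the device is compliant, Entra joined
# and tagged as a PAW. deviceFilter mode 'exclude' means "apply this block to every device that
# does NOT match the rule", so unknown, untagged or non-compliant devices are blocked by default.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Tier0 - Block admin portals unless PAW'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles  = $tier0Roles
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{ includeApplications = @('MicrosoftAdminPortals') }
        devices = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.isCompliant -eq True -and device.trustType -eq "AzureAD" -and device.extensionAttribute1 -eq "PAW"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Policy B (#3): for the same roles and every cloud app, require the built-in phishing-resistant
# authentication strength (FIDO2 security keys and passkeys, Windows Hello for Business, or
# certificate-based authentication). SMS, voice calls and push approvals no longer satisfy it.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Tier0 - Require phishing-resistant MFA'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles  = $tier0Roles
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantMfaId }
    }
}

# Sanity check: confirm both policies exist and are still report-only before enforcing them.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -like 'Tier0 - *' |
    Select-Object DisplayName, State
```

Before enabling Policy A, confirm the PAW tag is present on every intended device (`Get-MgDevice -All | Where-Object { $_.AdditionalProperties.extensionAttributes.extensionAttribute1 -eq 'PAW' }`) and that each administrator has already registered a FIDO2 key or passkey, otherwise Policy B will lock them out the moment it is enforced. The break-glass exclusion is what lets you recover if either policy misfires.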
Hope these helped
There are plenty more ways out there to help you protect access to your management infrastructure. Integrating with other Microsoft and third-party tools can expand your capabilities and give the cyber bad guys a run for their money. What is your favourite way to protect it? Let me know in the comments 😄
A blog by Paul Sanders: Ramblings of an architect