Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Organizations can leverage Microsoft Azure for tooling in an identity and access management (IAM) program, but it requires clear objectives and goals for each capability within the program. This piece covers these and provides IAM best practices and metrics for measuring success or surfacing potential problem areas.
Microsoft has evolved and enhanced its approach to identity with the move to cloud services. In past years, organizations would deploy a suite of separate tools for identity governance, access management and privileged identity management. For some organizations
and use cases, these can now all be covered with Microsoft’s Azure AD security features.
For example, Azure AD functionality can help automate and simplify cloud IAM for the following areas:
Goals and metrics for each of these are addressed below.
READ: Centralized IAM Best Practices
The human resource management system (HRMS) should be the central source of truth for the workforce. When employees are hired and HR adds them into the HRMS, they should also be created automatically in Azure AD. When changes occur, such as the employee’s
name or manager, HR should update the employee information in the HRMS, and these changes should be automatically synchronized in Azure AD. When the individual is no longer employed by the organization, this too should be automatically reflected in
both the HRMS and Azure AD.
At the time of this writing, Azure AD natively supports Workday and SAP SuccessFactors. It is important to note if you use another HRMS, additional steps may be involved.
Identity lifecycle goals and metrics are shown in Figure 1.
People in the workforce should have access to the resources they need to complete their job duties. This access should be automatically provisioned based on their job role or through aspects of their work, i.e., through a combination of role-based access
control (RBAC) and attribute-based access control (ABAC). Manual provisioning of applications and access should be minimized.
AD has long supported RBAC through group membership. Azure AD introduces dynamic groups, where membership is based on user attributes. Most of the access should be granted through the information synchronized with the HRMS, reflected in Azure AD group
Access control goals and metrics are shown in Figure 2.
User accounts and access controls (groups, roles, attributes, claims) exist in both the identity provider and in the application. This can create risk if the application owner over-provisions a user or delays in removing accounts when the organization
revokes a person’s access and removes their account in AD and the HRMS. Ideally, the application tightly integrates with the identity provider, and creation, modification and deletion of accounts is synchronized.
Azure AD supports such application integrations through systems for cross-domain identity management (SCIM). When the application doesn’t support SCIM, Azure AD can achieve the objective of identity synchronization using federation protocols such
as security assertion markup language (SAML) and Open ID Connect (OIDC).
Application lifecycle goals and metrics are shown in Figure 3.
Appropriate access shifts over time due to edge cases where automation isn’t effective, or manual efforts outside of normal provisioning. At best, this results in out-of-role access. At worst, it can result in toxic combinations and separation of
duties (SoD) violations. Periodic access reviews help prevent these risks from occurring. Access reviews also can uncover stale accounts, orphaned accounts and over-provisioned access. These point to gaps in process and identify opportunities for
improving account automation and access control (i.e., RBAC and ABAC).
Azure AD provides access reviews and certification programs as a component of identity governance. These reviews are tied to specific groups and performed by group owners or designated reviewers. Azure AD provides recommendations during the review process,
for example, removing individuals who have not used their accounts in months.
Access review goals and metrics are shown in Figure 4.
MFA adds additional factors of authentication to the primary factor which is, typically, a text password. Azure provides MFA through a combination of factors, providing a strong authentication for applications and resources.
MFA goals and metrics are shown in Figure 5.
We trust identities to use the privileges we’ve assigned them. This can be as simple as an identity knowing the password for its user account (primary authentication factor). While the principle of least privilege has been consistently improved
with access controls, the principle of least trust around identities connecting to resources has only recently begun to be developed. In modern systems, we consider the context and conditions of authentication before allowing user accounts to access
applications and resources.
Azure AD collects signals of trust on authentication and enforces decisions based on these signals. Examples of signals include location, device state or risky behaviors. Decisions include block, allow or require stronger authentication. Collectively,
this is the conditional access feature in Azure AD.
Conditional access goals and metrics are shown in Figure 6.
Privileged identity management (PIM) and privileged access management (PAM) are capabilities for enforcing least privilege and SoD for accounts with administrative-level access. PIM/PAM build on IAM concepts previously discussed; they require role-based
access and access reviews, enforce strong authentication, and validate trust before privileged access. PIM also includes the concept of just-in-time access and time-bound access to limit the time an account has elevated access to the environment.
Azure AD includes PIM functionality to manage and monitor privileged access to Azure and Office 365 resources.
PIM goals and metrics are shown in Figure 7.
Azure offers several features to make out-of-box IAM in the cloud possible. To be successful consider the following IAM best practices:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
September 26, 2023
By IANS Faculty
Access key data sets from the 2023 edition of IANS and Artico Search’s Security Budget Benchmark Report. Gain valuable insights on security budget increases and the drivers behind them.
September 21, 2023
Learn why CISOs Need D&O Liability Insurance Coverage now more than ever along with guidance to help minimize potential cyber liability risk.
September 19, 2023
Discover the diversity of IANS Faculty's real-world expertise. Learn how our faculty members can help you solve your most challenging security issues.