Create an Identity & Access Management (IAM) baseline

Identity management is key to granting access and to the security enhancement of corporate assets. To secure and control your cloud-based assets you must manage identity and access for your Azure administrators, application developers, and application users.

IAM recommendations
Here are the recommendations for identity and access management. Included with each recommendation are the basic steps to follow in the Azure portal.

Restrict access to the Azure AD administration portal

All non-Administrators should not have access due to the sensitive data and the rules of least privilege.

1. Sign in to the Azure portal.
2. On the left, select Azure Active Directory > Users.
3. Go to User settings.
4. Ensure that Restrict access to Azure AD administration portal is set to Yes. Setting this value to Yes restricts all non-administrators from accessing any Azure AD data in the administration portal, but does not restrict such access using PowerShell or another client such as Visual Studio.
5. Click Save.

Enable Azure Multi-Factor Authentication (MFA)

Enable it for privileged and non-privileged users.

1. Sign in to the Azure portal.
2. On the left, select Azure Active Directory > Users.
3. Click + New User.
4. On the New user blade, enter the following details and click Create:
   • Username: Abbi
   • Name: Abbi Skinner
   • First name: Abbi
   • Last Name: Skinner
   • Roles: Select Global Admin
5. On the left, select Azure Active Directory > Users > All users.
6. Select Multi-Factor Authentication. This will open a new window.
7. Select Abbi Skinner and click Enable
8. Select enable multi-factor auth then click Close.
9. Abbi is now enabled for MFA.

Block remembering MFA on trusted devices

Remember Multi-Factor Authentication feature for devices and browsers that are trusted by the user is a free feature for all Multi-Factor Authentication users. Users can bypass subsequent verifications for a specified number of days, after they've successfully signed-in to a device by using Multi-Factor Authentication. If an account or device is compromised, remembering Multi-Factor Authentication for trusted devices can negatively affect security.

1. Sign in to the Azure portal.
2. On the left, select Azure Active Directory > Users > All users.
3. Select Multi-Factor Authentication.
4. Select Abi Skinner, then click Manage users settings.
5. Ensure that Restore multi-factoe authentication on all remembered devices is Selected then click Save.

About guests

In this task you will ensure that no guest users exist, or alternatively if the business requires guest users, ensure to limit their permissions.

1. Sign in to the Azure portal.
2. On the left, select Azure Active Directory > Users > All users.
3. Select the Show drop down and select Guest users only.
4. Verify that there are no guest users listed (USER TYPE=Guest).

Password options

With dual identification set, an attacker would require compromising both the identity forms before they could maliciously reset a user's password.

1. Sign in to the Azure portal.
2. On the left, select Azure Active Directory > Users.
3. Select Password reset.
4. Go to Authentication methods.
5. Set the Number of methods required to reset to 2.
6. Select two methods and click Save.

Establish an interval for reconfirming user authentication methods

If authentication reconfirmation is set to disabled, register users will never be prompted to re-confirm their authentication information.

1. Sign in to the Azure portal.
2. On the left, select Azure Active Directory > Users.
3. Go to Password reset.
4. Go to Registration.
5. Ensure that Number of days before users are asked to re-confirm their authentication information is not set to 0. The default is 180 days.

Members and guests can invite

This should be set to No. Restricting invitations through administrators only ensures that only authorized accounts have access Azure resources.

1. Sign in to the Azure portal.
2. On the left, select Azure Active Directory > Users.
3. Go to User settings.
4. Go to External users, click Manage external collaboration settings.
5. Ensure that Members can invite is set to No.

Users to create and manage security groups

When this feature is enabled, all users in AAD are allowed to create new security groups. Security Group creation should be restricted to administrators

1. Sign in to the Azure portal.
2. On the left, select Azure Active Directory > Groups.
3. Go to General under the settings section.
4. Ensure that Users can create security groups is set to No.

Self-service group management enabled

Until your business requires this delegation to various users, it is a best practice to disable this feature.

1. Sign in to the Azure portal.
2. On the left, select Azure Active Directory > Groups
3. Go to General under the settings section.
4. Ensure that Self-service group management enabled is set to No.

Application options - Allow users to register apps

Require administrators to register custom applications.

1. Sign in to the Azure portal.
2. On the left, select Azure Active Directory > Users
3. Go to User settings.
4. Ensure that User can register applications is set to No then click Save.