
Azure IAM

Updated Nov 16, 2020

Identity and Access Management

Azure provides tools to manage identities and control access, and it helps organizations secure their resources effectively.

Feature | Description
RBAC | Gives precise control over who can access Azure resources
Azure AD | Manages user identities and application access; supports external partners
Azure AD DS & Azure MFA | Strengthen security and simplify authentication

Role-Based Access Control (RBAC)

RBAC is built on Azure Resource Manager and provides detailed access control for Azure resources.

  • Assigns users to roles with specific permissions and scope.
  • Ensures users have only the access they need (least privilege).
  • Helps separate duties across teams.
  • Ideal for organizations with multiple resources and teams.

Example Scenario:

  • Different teams manage specific resources (e.g., VMs, networks, databases).
  • Each user gets only the access needed for their role, reducing risk.
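As an added example (not Microsoft's code or an Azure SDK call), the following Python model shows how an RBAC decision combines the two things the bullets above describe: a role definition's Actions/NotActions lists and the scope at which the role is assigned, with assignments inheriting down from subscription to resource group to resource. The role definitions are trimmed subsets, and the subscription id, principals and resource names are constructed.

```python
import re

# Constructed, trimmed role definitions in the Actions/NotActions shape Azure uses
# (real built-in roles list many more operations).
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Network/networkInterfaces/read"],
        "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"]},
}

def action_matches(pattern: str, action: str) -> bool:
    """Azure's '*' wildcard spans path segments; matching is case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and to everything nested under it."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower()
    return t == a or t.startswith(a + "/")

def role_permits(role: str, action: str) -> bool:
    """NotActions subtract from Actions within the same role definition only."""
    definition = ROLES[role]
    allowed = any(action_matches(p, action) for p in definition["actions"])
    denied = any(action_matches(p, action) for p in definition["not_actions"])
    return allowed and not denied

def is_permitted(principal: str, action: str, target_scope: str,
                 assignments: list) -> bool:
    """Permitted if any assignment at the target scope or an ancestor grants it.
    Each assignment is a (principal, role, scope) tuple."""
    return any(p == principal and scope_covers(s, target_scope)
               and role_permits(r, action)
               for p, r, s in assignments)

# Constructed sample tenant: alice can read everywhere but manage VMs only in rg-web;
# bob is Contributor on rg-db only.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENTS = [
    ("alice@example.com", "Reader", SUB),
    ("alice@example.com", "Virtual Machine Contributor", SUB + "/resourceGroups/rg-web"),
    ("bob@example.com", "Contributor", SUB + "/resourceGroups/rg-db"),
]
```

The Contributor row illustrates why that built-in role cannot hand out further access: its NotActions exclude writes under Microsoft.Authorization, so a Contributor cannot create role assignments even though its Actions list is "*".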

Microsoft Entra ID

Previously known as "Azure Active Directory", Microsoft Entra ID is Microsoft's cloud-based identity and access management service, which lets you control access to both internal and external resources.

For more information, please see Microsoft Entra ID.

Role | Description
IT Admins | Control access to applications; enforce multi-factor authentication; automate user provisioning
App Developers | Add single sign-on to applications
Subscribers | Get an Azure AD tenant automatically with services like Microsoft 365, Office 365, and Azure

Identity Protection

This feature automatically detects and assesses risks associated with user logins. Key functionalities include:

  • Automated Risk Detection
    • Detects suspicious logins (e.g., unusual locations or anonymous IPs)
    • Identifies password spray attacks (the same password tried across many accounts)
    • Flags other risky sign-in behaviors
  • Automated Remediation
    • Triggers can be configured for risky logins
    • Can require MFA or block the login attempt
  • Manual Investigation
    • Allows administrators to review risky sign-ins
    • Can override automated actions
    • Supports custom investigation processes
  • Integration with SIEM
    • Exports risk detection data to SIEM systems
    • Supports centralized monitoring and advanced analysis

Privileged Identity Management (PIM)

Microsoft's Privileged Identity Management (PIM) protects administrator accounts, prevents unauthorized access, and ensures that elevated privileges are granted only when needed.

Feature | Description
Access Reviews | PIM requires regular reviews of administrator accounts; Access Reviews are the process that ensures only necessary privileges remain assigned.
Just-In-Time Access | PIM enforces temporary elevation of privileges; Just-In-Time Access is how eligible users request and gain elevated roles only when needed.
Audit Trail | PIM logs all privileged activities; the Audit Trail records who activated which roles, when, and what actions were taken, ensuring accountability.

How "Just-In-Time Access" works

  1. Certain users are marked as eligible for administrator tasks.
  2. These users do not hold permanent permissions.
  3. When they need elevated access, they request role activation.
  4. They may complete multifactor authentication and provide a reason.
  5. If approval is required, an approver activates the role.
  6. The activation lasts for a limited time, and users must repeat the process for future tasks.