What are the common IAM policies an organization create in Azure AD

Manu Sharma 1 Reputation point
2022-09-22T18:34:14.853+00:00

I am working on a project where I need to suggest common policies and procedures that an organization need to create for IAM in Azure AD so that IAM and managed securely

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
976 questions
Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2022-09-26T23:42:33.667+00:00

    @Manu Sharma
    Thank you for your post and I apologize for the delayed response!

    Adding onto the Identity and access management operations reference guide shared by @Dillon Silzer , you can also refer to our best practices documentation for Identity and Access Management (IAM) / role-based access control (RBAC) articles for more info.

    Best practices for Azure AD roles:
    This article describes some of the best practices for using Azure Active Directory role-based access control (Azure AD RBAC). These best practices are derived from our experience with Azure AD RBAC and the experiences of customers.
    244948-image.png

    1. Manage to least privilege
    2. Use Privileged Identity Management to grant just-in-time access
    3. Turn on multi-factor authentication for all your administrator accounts
    4. Turn on multi-factor authentication for all your administrator accounts
    5. Limit the number of Global Administrators to less than 5
    6. Use groups for Azure AD role assignments and delegate the role assignment
    7. Activate multiple roles at once using privileged access groups
    8. se cloud native accounts for Azure AD roles

    Additional Links:
    How Azure AD roles are different from other Microsoft 365 roles
    Securing privileged access for hybrid and cloud deployments in Azure AD
    Understand roles in Azure Active Directory
    Azure AD built-in roles
    Create and assign a custom role in Azure Active Directory

    ---------------------

    Best practices for Azure RBAC
    This article describes some best practices for using Azure role-based access control (Azure RBAC).
    244934-image.png

    1. Only grant the access users need
    2. Limit the number of subscription owners
    3. Use Azure AD Privileged Identity Management
    4. Assign roles to groups, not users
    5. Assign roles using the unique role ID instead of the role name
    6. Avoid using a wildcard when creating custom roles

    Additional Links:
    Security recommendations - a reference guide
    What is Azure AD Privileged Identity Management?
    Azure RBAC limits
    Wildcard permissions

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.

  2. Dillon Silzer 57,831 Reputation points Volunteer Moderator
    2022-09-22T18:37:51.08+00:00

    Hi @Manu Sharma

    Please see:

    Azure Active Directory Identity and access management operations reference guide

    This section of the Azure AD operations reference guide describes the checks and actions you should consider to secure and manage the lifecycle of identities and their assignments.

    https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-ops-guide-iam

    ----------------------------------

    If this is helpful please accept answer.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.