Azure Administrator Account Security

In this short post I wanted to share a couple of recommendations that I give to customers to ensure their Azure administrator accounts are secured. Because the resources you deploy in Azure (or any cloud for that matter) are in all likelihood critical to running your business, you need to ensure the credentials themselves used to access and administer these environments are properly secured, else putting substantial risk on your business. A compromised credential could expose sensitive data, it could open up risk of deletion of your resources, and could risk the unauthorized creation of resources leaving you with the bill. Given that, it's imperative that these accounts leverage mechanisms to ensure they minimize the risk and likelihood of compromise. Let's go through a couple things that can help in this regard.

Enable MFA for Azure administrators

Any time I see a customer who is logging on to their Azure environment without multi-factor authentication enabled, I call it out. This is one of the most basic things you can and should do to protect accounts that have access to administer Azure resources. Any account that is an Azure AD Global Administrator can have this enabled at no cost, and for other users it's a pretty inexpensive option to enable, currently $1.40 per month for each user and has an option to be purchased through a consumption based model. If you think about the resources these identities have access to and the cost per user, it's a low cost mechanism to protect your administrative accounts from a potentially exposed credential.

MFA is enabled in the portal. Rather than go through it step by step here (because the portal workflow can change) I'll recommend you take a look at the documentation, where you can find guides to enable and administer MFA as well as user guides with explanations of the various options and settings. In short, if you want to use a consumption based model you'll create an MFA provider within your Azure AD directory using either the per-user or per-authentication usage model. Then you'll be able to assign licenses to your users and enable MFA on their accounts. Users can use phone calls, text messages, or the authenticator app (available for iOS and Android).

MFA Options - /en-us/azure/multi-factor-authentication/multi-factor-authentication-versions-plans

Create an MFA provider - /en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider

Enable/Disable MFA - /en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states

MFA User Guide - /en-us/azure/multi-factor-authentication/end-user/multi-factor-authentication-end-user

MFA Pricing - https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/

Isolate administrator accounts

One other recommendation I typically make to customers is to leverage separate accounts for Azure administrators. These accounts essentially have the keys to your business' technology environment and should be treated as highly sensitive accounts, even if they only have read-only access. Do not use the same account you use to log on to your laptop or email, as these increase the risk of compromise. Set up a separate administrator account, username-adm@company.com or something similar, and only give access to Azure to these accounts. By limiting the usage of these accounts, you can reduce the risk the account, and subsequent Azure environment, becomes compromised. These could be either accounts sourced from an AD environment (when using Azure AD Connect) or they could be cloud-only accounts that reside only in Azure AD. See the previous recommendation and ensure you've enabled MFA.

Wrap up

There's nothing here that is super complex, groundbreaking or hard to do, just a couple basic recommendations that should be leveraged when using resources on Azure. These can often be overlooked as customers move forward with expansion into cloud services, but are a copule of easy and inexpensive things you can do to ensure you minimze the risk of compromised credentials. Take advantage of these options to help ensure your cloud resources are secure.