Azure identity and access management considerations

Most architectures have shared services that are hosted and accessed across networks. Those services share common infrastructure, and users need to access resources and data from anywhere. For such architectures, a common way to secure resources is to use network controls. However, network controls alone aren't enough.

Provide security assurance through identity management: the process of authenticating and authorizing security principals. Use identity management services to authenticate and grant permission to users, partners, customers, applications, services, and other entities.


Identity management is typically a centralized function that is not controlled by the workload team as part of the workload's architecture. Unless the workload team is responsible for a dedicated identity store, refer to the guidance in the Azure identity and access management design area of the Cloud Adoption Framework when implementing identity solutions that support multiple workloads.


How are you managing the identity for your workload?

  • Define clear lines of responsibility and separation of duties for each function. Restrict access based on a need-to-know basis and least privilege security principles.
  • Assign permissions to users, groups, and applications at a certain scope through Azure RBAC. Use built-in roles when possible.
  • Prevent deletion or modification of a resource, resource group, or subscription through management locks.
  • Use managed identities to access resources in Azure.
  • Support a single enterprise directory. Keep the cloud and on-premises directories synchronized, except for critical-impact accounts.
  • Set up Azure AD Conditional Access. Enforce and measure key security attributes when authenticating all users, especially for critical-impact accounts.
  • Have a separate identity source for non-employees.
  • Preferably use passwordless methods or opt for modern password methods.
  • Block legacy protocols and authentication methods.
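As an added example that is not part of the original article, the following Python audit applies the first two checklist points (least privilege, scoped RBAC with built-in roles) to exported role assignments. The records are constructed inline; their field names are assumed to match the JSON that `az role assignment list` emits, and the set of roles treated as privileged is the editor's choice.

```python
import json
import re

# Built-in roles whose holders can modify any resource, or the access to it, within their scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample in the shape of `az role assignment list --output json` (assumption).
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "mi-payments-api", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Storage Blob Data Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-payments/providers/Microsoft.Storage/storageAccounts/stpayments"},
  {"principalName": "sg-platform-ops", "principalType": "Group",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-payments"}
]""")

_SCOPE_RE = re.compile(r"^/subscriptions/[^/]+(/resourceGroups/[^/]+)?(/providers/.+)?$", re.IGNORECASE)


def scope_level(scope: str) -> str:
    """Classify an ARM scope string as managementGroup, subscription, resourceGroup, resource or unknown."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    m = _SCOPE_RE.match(scope)
    if not m:
        return "unknown"
    if m.group(2):
        return "resource"
    if m.group(1):
        return "resourceGroup"
    return "subscription"


def audit_role_assignments(assignments):
    """Return (principal, issue) pairs for assignments that violate least privilege."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        role = a["roleDefinitionName"]
        who = a["principalName"]
        # Broad built-in roles granted at subscription or management-group scope.
        if role in PRIVILEGED_ROLES and level in ("managementGroup", "subscription"):
            findings.append((who, f"{role} at {level} scope; narrow it to a resource group or resource"))
        # Privileged roles assigned directly to a user instead of a group.
        if a["principalType"] == "User" and role in PRIVILEGED_ROLES:
            findings.append((who, f"{role} assigned directly to a user; assign it to a group instead"))
    return findings


if __name__ == "__main__":
    for principal, issue in audit_role_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{principal}: {issue}")
```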

Azure security benchmark

The Azure Security Benchmark includes a collection of high-impact security recommendations you can use to help secure the services you use in Azure:

Security Benchmark: The questions in this section are aligned to the Azure Security Benchmark's Identity and Access Control recommendations.

Azure services for identity

The considerations and best practices in this section are based on these Azure services:

Reference architecture

Here are some reference architectures related to identity and access management:

Integrate on-premises AD domains with Azure AD

Integrate on-premises AD with Azure

Next steps

Monitor the communication between segments. Use data to identify anomalies, set alerts, or block traffic to mitigate the risk of attackers crossing segmentation boundaries.

Five steps to securing your identity infrastructure

Go back to the main article: Overview of the security pillar