AZURE ACTIVE DIRECTORY DEVELOPER SUPPORT TEAM
-
choose an identity management approach
-
design an identity delegation strategy
-
design an identity repository
- TODO: All Link
-
design self-service identity management
-
requires a premium Azure Active Directory account
-
Azure Active Directory -> Password Reset
-
Quickstart: Configure Azure Active Directory self-service password reset
-
-
design user and persona provisioning
-
define personas
- TODO: All Link
-
define roles
-
recommend appropriate access control strategy
-
choose an authentication approach
Authentication Method | Usage |
---|---|
Password | MFA and SSPR |
Security questions | SSPR Only |
Email address | SSPR Only |
Microsoft Authenticator app | MFA and SSPR |
OATH Hardware token | Public preview for MFA and SSPR |
SMS | MFA and SSPR |
Voice call | MFA and SSPR |
App passwords | MFA only in certain cases |
-
design a single sign-on approach
-
design for IPSec authentication
- IPSec = Internet Protocol Security
-
design for logon authentication
-
design for multi-factor authentication
-
design for network access authentication
-
design for remote authentication
-
choose an authorization approach
-
Use RBAC: define user groups and assign users to those groups to manage access to resources
-
Take advantage of built-in Azure roles
- Reader (read-only)
- Contributor
- Owner
-
-
define access permissions and privileges
- Access permissions can be assigned to users directly, via user groups, or to applications
-
design secure delegated access
-
recommend when and how to use API Keys
- Use API keys to carry claims and other authorization information between APIs; Azure API Management can be leveraged for this
-
design a risk assessment strategy
-
Take advantage of the Users flagged for risk report and the Risky sign-ins report to be aware of and assess risks to identity integrity
-
evaluate agreements involving services or products from vendors and contractors
-
update solution design to address and mitigate changes to existing security policies, standards, guidelines and procedures
-
design for alert notifications
- Use the predefined but configurable Azure AD Privileged Identity Management alert notifications to check the rules for accessing important resources
-
design an alert and metrics strategy
-
Secure access to applications using identity by synchronizing your on-premises AD with Azure AD Connect
-
Use Azure AD Connect Health to monitor identity synchronization between Azure AD and your on-premises identity infrastructure
-
Enable integration with Azure Log Analytics to monitor identity-related logs in detail
-
-
recommend authentication monitors
-
Use Azure Identity Protection to detect and remediate identity-based risks
-
Configure Azure Identity Protection and receive its notifications
-