Azure Security best practice: Administration – Account protection

This is Part 2 of our series of articles about security best practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Passwordless Or Multi-factor Authentication For Admins

What : Require every critical-impact admin account to sign in passwordless (preferred) or, failing that, with MFA.

Why : A password alone does not protect an account against the common attacks (phishing, password spray, credential stuffing, reuse of leaked passwords). A possession-bound second factor removes most of that risk, and a phishing-resistant passwordless credential removes the password from the attack surface entirely.

How :

  • Passwordless : Windows Hello for Business
  • Passwordless : Microsoft Authenticator app (phone sign-in)
  • Multi-factor authentication : Azure AD MFA
  • Third-party MFA solution integrated with Azure AD

No Standing Access

What : No standing (permanently assigned) privileges for critical-impact admins.

Why : A permanent privilege is exploitable at every moment the account exists, so the attack surface of the account grows with time; a compromised standing admin account is usable immediately and indefinitely. Time-bound privileges shrink that window to the activation period, and each activation leaves an audit trail.

How :

  • Just in time : Enable Azure AD Privileged Identity Management (PIM), or a third-party equivalent, for all of these accounts, so that roles are held as eligible and activated for a limited duration rather than assigned permanently.
  • Break glass : A documented process for emergency-access accounts (preferred for rarely used accounts such as global admin). These accounts keep a standing assignment by design and are excluded from the MFA and Conditional Access policies so that a policy mistake cannot lock every admin out; in exchange their credentials are vaulted and every sign-in is alerted on and reviewed.
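The two controls above are easiest to keep honest with a periodic check over an export of role assignments and registered sign-in methods. The script below is an added example and not part of the original article or of any Microsoft tooling: it audits critical-impact role assignments for both rules (strong authentication, no standing access) and skips the named break-glass accounts, which are governed by process instead. The record shape, the method labels (`fido2`, `authenticatorPush`, ...) and the sample export are all constructed for the example; map them onto whatever your real export (for instance from the Microsoft Graph PIM and authentication-methods endpoints) produces.

```python
"""Audit critical-impact admin assignments for strong auth and standing access.

Added example, not from the original article. Records are a constructed,
simplified export; field and method names are this script's own, not the
Microsoft Graph schema.
"""
from dataclasses import dataclass

# Roles treated as "critical impact" for this audit (constructed list; extend for your tenant).
CRITICAL_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
}

# Registered sign-in methods grouped by the strength the article asks for.
PASSWORDLESS_METHODS = {"fido2", "windowsHelloForBusiness", "authenticatorPhoneSignIn"}
MFA_METHODS = {"authenticatorPush", "softwareOath", "phone"}  # second factor on top of a password


@dataclass(frozen=True)
class Assignment:
    principal: str      # user principal name
    role: str           # directory role display name
    kind: str           # "permanent" (standing), "eligible" (PIM-eligible), "activated" (time-bound JIT)
    methods: frozenset  # authentication methods registered on the principal


@dataclass(frozen=True)
class Finding:
    principal: str
    role: str
    rule: str           # "strong-auth" or "standing-access"
    detail: str


def auth_level(methods):
    """Classify registered methods: passwordless > mfa > password-only."""
    if methods & PASSWORDLESS_METHODS:
        return "passwordless"
    if methods & MFA_METHODS:
        return "mfa"
    return "password-only"


def audit(assignments, break_glass):
    """Return one Finding per violated rule for every critical-impact assignment.

    break_glass: principals of the emergency-access accounts. They are standing
    by design and excluded from MFA policy, so they are deliberately skipped here
    and controlled by process (vaulted credentials, alert on every sign-in).
    """
    findings = []
    for a in assignments:
        if a.role not in CRITICAL_ROLES or a.principal in break_glass:
            continue
        if auth_level(a.methods) == "password-only":
            findings.append(Finding(a.principal, a.role, "strong-auth",
                                    "no passwordless or MFA method registered"))
        if a.kind == "permanent":
            findings.append(Finding(a.principal, a.role, "standing-access",
                                    "active assignment with no expiry; make it PIM-eligible"))
    return findings


def count_by_rule(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample export (not real tenant data).
SAMPLE = [
    Assignment("alice@contoso.example", "Global Administrator", "eligible",
               frozenset({"password", "fido2"})),                 # compliant: passwordless, PIM-eligible
    Assignment("bob@contoso.example", "Global Administrator", "permanent",
               frozenset({"password", "authenticatorPush"})),     # MFA ok, but standing
    Assignment("carol@contoso.example", "Security Administrator", "permanent",
               frozenset({"password"})),                          # password-only and standing
    Assignment("emergency-access-01@contoso.example", "Global Administrator", "permanent",
               frozenset({"password"})),                          # break glass: skipped on purpose
    Assignment("dave@contoso.example", "Helpdesk Administrator", "permanent",
               frozenset({"password"})),                          # not a critical-impact role
]
BREAK_GLASS = {"emergency-access-01@contoso.example"}


def sample_findings():
    return audit(SAMPLE, BREAK_GLASS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.rule:15} {f.principal:40} {f.role}: {f.detail}")
    print(count_by_rule(sample_findings()))
```

Run against the sample, the audit reports bob's standing Global Administrator assignment and both of carol's problems, while the break-glass account is silent only because it is named in `BREAK_GLASS`; drop that exemption and it is flagged like any other standing password-only admin, which is the point of keeping the break-glass list short and reviewed.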