This is Part 2 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.
Passwordless Or Multi-factor Authentication For Admins
What: Require all critical-impact admins to be passwordless (preferred) or to use MFA.
Why: Passwords alone cannot protect accounts against common attacks.
- Passwordless (Windows Hello)
- Passwordless (Authenticator App)
- Multifactor Authentication
- 3rd Party MFA Solution
No Standing Access
What: No standing access for critical-impact admins.
Why: Permanent privileges increase business risk by enlarging the attack surface of these accounts over time (a compromised account can be abused at any moment, not only during an approved activation window).
- Just in Time: enable Azure AD PIM (or a 3rd-party solution) for all of these accounts, so privileges are activated only when needed.
- Break glass: define a process for emergency-access accounts (preferred for low-use accounts like Global Administrator).
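As an added example (not from the original article or from Microsoft), the following Python audit evaluates an exported snapshot of privileged role assignments and authentication-method registrations against both controls in this part: it flags critical-impact admins with no passwordless or MFA method registered, and standing (permanent, active) assignments that are neither PIM-eligible nor on the break-glass list. The input records are constructed for the example; their field names are modelled on the Microsoft Graph userRegistrationDetails report and the PIM role assignment schedule objects, the set of "critical" roles and the method names are assumptions, and nothing here calls Graph.

```python
"""Offline audit of a constructed directory snapshot against two controls:
1. every critical-impact admin is passwordless (preferred) or MFA-registered;
2. no critical-impact admin holds a standing (permanent, active) assignment,
   unless the account is a designated break-glass account.
Field names mimic Microsoft Graph report/PIM objects, but the data below is
constructed for this example and no Graph call is made."""

from dataclasses import dataclass

# Roles treated as "critical impact" (assumption; tune to your tenant).
CRITICAL_ROLES = {"Global Administrator", "Privileged Role Administrator",
                  "Security Administrator", "Exchange Administrator"}

# Method names modelled on userRegistrationDetails.methodsRegistered (assumption).
PASSWORDLESS_METHODS = {"windowsHelloForBusiness",
                        "microsoftAuthenticatorPasswordless", "fido2"}
MFA_METHODS = PASSWORDLESS_METHODS | {"microsoftAuthenticatorPush",
                                      "softwareOneTimePasscode",
                                      "hardwareOneTimePasscode", "mobilePhone"}


@dataclass(frozen=True)
class Finding:
    principal: str
    role: str
    severity: str   # "high" = control failed, "low" = weaker-than-preferred option
    issue: str


def classify_auth(methods):
    """Strongest registered factor: passwordless > mfa > password-only."""
    registered = set(methods)
    if registered & PASSWORDLESS_METHODS:
        return "passwordless"
    if registered & MFA_METHODS:
        return "mfa"
    return "password-only"   # e.g. only email/security questions, or nothing


def is_standing(assignment):
    """Active assignment with no end date = permanent standing access.
    PIM-eligible assignments ("Eligible") require activation and are not standing."""
    return (assignment["assignmentType"] == "Assigned"
            and assignment.get("endDateTime") is None)


def audit(assignments, registrations, break_glass):
    """Return findings sorted with control failures ("high") first."""
    findings, auth_checked = [], set()
    for a in assignments:
        if a["role"] not in CRITICAL_ROLES:
            continue                       # out of scope for these two controls
        principal = a["principal"]
        if is_standing(a) and principal not in break_glass:
            findings.append(Finding(principal, a["role"], "high",
                "standing (permanent, active) assignment; convert to PIM-eligible"))
        if principal in auth_checked:
            continue                       # report the auth posture once per account
        auth_checked.add(principal)
        level = classify_auth(registrations.get(principal, []))
        if level == "password-only":
            findings.append(Finding(principal, a["role"], "high",
                "no passwordless or MFA method registered"))
        elif level == "mfa":
            findings.append(Finding(principal, a["role"], "low",
                "MFA registered but not passwordless (preferred)"))
    return sorted(findings, key=lambda f: (f.severity != "high", f.principal))


# Constructed sample snapshot (not real tenant data).
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "role": "Global Administrator",
     "assignmentType": "Eligible", "endDateTime": None},            # JIT via PIM
    {"principal": "bob@contoso.example", "role": "Security Administrator",
     "assignmentType": "Assigned", "endDateTime": None},            # standing
    {"principal": "breakglass-ga@contoso.example", "role": "Global Administrator",
     "assignmentType": "Assigned", "endDateTime": None},            # break glass
    {"principal": "carol@contoso.example", "role": "Exchange Administrator",
     "assignmentType": "Assigned", "endDateTime": "2025-01-31T00:00:00Z"},  # time-bound
    {"principal": "dave@contoso.example", "role": "Helpdesk Administrator",
     "assignmentType": "Assigned", "endDateTime": None},            # not critical
    {"principal": "eve@contoso.example", "role": "Privileged Role Administrator",
     "assignmentType": "Assigned", "endDateTime": None},            # standing
]
SAMPLE_REGISTRATIONS = {
    "alice@contoso.example": ["windowsHelloForBusiness"],
    "bob@contoso.example": ["mobilePhone"],
    "breakglass-ga@contoso.example": ["fido2"],
    "carol@contoso.example": ["softwareOneTimePasscode"],
    "eve@contoso.example": ["email"],          # email alone is not an MFA factor
}
SAMPLE_BREAK_GLASS = {"breakglass-ga@contoso.example"}


def run_sample():
    return audit(SAMPLE_ASSIGNMENTS, SAMPLE_REGISTRATIONS, SAMPLE_BREAK_GLASS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.principal} ({f.role}): {f.issue}")
```

In a real tenant the two inputs would come from the authentication methods registration report and from the PIM role assignment schedule instances; the audit logic itself is unchanged. Note that the break-glass list only exempts an account from the standing-access check, not from the authentication check, since the article prefers break glass as a process for low-use accounts rather than as an exemption from MFA.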