Author: ultroni1

  • Other baseline security considerations

    You should follow a few more security recommendations to set general security and operational controls on your Azure subscription.

    More security recommendations

    The following sections describe additional recommendations that are in CIS Microsoft Azure Foundations Security Benchmark v. 3.0.0. Included with each recommendation are the basic steps to complete in the Azure portal. You should complete these steps for your own subscription and by using your own resources to validate each security recommendation. Keep in mind that Level 2 options might restrict some features or activity, so carefully consider which security options you decide to enforce.

  • Create an Azure VM baseline

    Azure Policy is an Azure service you can use to create, assign, and manage policies. The policies you create enforce different rules and effects over your resources so that those resources stay compliant with your corporate standards and service-level agreements. Azure Policy meets this need by evaluating your resources for noncompliance with assigned policies. For example, you can have a policy to allow only a certain SKU size of VM in your environment. After this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, you can bring existing resources into compliance.
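    The "allow only a certain SKU size of VM" policy mentioned above, written out as a custom Azure Policy definition. This is an added example, not part of the original notes or of Microsoft's documentation: the display name, description and the parameter name listOfAllowedSKUs are my own choices, while the if/then rule shape, the deny effect and the alias Microsoft.Compute/virtualMachines/sku.name are the standard Azure Policy building blocks for this kind of rule. The definition denies any virtual machine whose size is not in the list supplied at assignment time.

```json
{
  "properties": {
    "displayName": "Allowed virtual machine size SKUs (example definition)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Example custom definition: denies creation of a VM whose size SKU is not in the assignment's allowed list.",
    "parameters": {
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed size SKUs",
          "description": "VM size SKUs that may be deployed (e.g. Standard_D2s_v3); supplied when the policy is assigned.",
          "strongType": "VMSKUs"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "in": "[parameters('listOfAllowedSKUs')]"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

    Two points a practitioner would check before assigning this. First, the deny effect only stops new or updated resources; VMs that already exist with a disallowed size are not changed, they are reported as noncompliant in the compliance view, and bringing them into line is a separate resizing step. Second, for a phased rollout you can change "deny" to "audit" in the then clause, assign the policy, review the noncompliant resources it reports, and only then switch back to deny, which avoids blocking deployments that depend on a size you forgot to list.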

    Azure VM security recommendations

    The following sections describe the Azure VM security recommendations that are in CIS Microsoft Azure Foundations Security Benchmark v. 3.0.0. Included with each recommendation are the basic steps to complete in the Azure portal. You should complete these steps for your own subscription and by using your own resources to validate each security recommendation. Keep in mind that Level 2 options might restrict some features or activity, so carefully consider which security options you decide to enforce.

  • Create a Networking baseline

    By design, Azure networking services maximize flexibility, availability, resiliency, security, and integrity. Network connectivity is possible between resources that are located in Azure, between on-premises and Azure-hosted resources, and to and from the internet and Azure.

    Azure networking security recommendations

    The following sections describe the Azure networking recommendations that are in CIS Microsoft Azure Foundations Security Benchmark v. 3.0.0. Included with each recommendation are the basic steps to complete in the Azure portal. You should complete these steps for your own subscription and by using your own resources to validate each security recommendation. Keep in mind that Level 2 options might restrict some features or activity, so carefully consider which security options you decide to enforce.

  • Create an Azure SQL Database baseline

    Azure SQL Database is a cloud-based relational database family of products that support many of the same features offered in Microsoft SQL Server. Azure SQL Database provides an easy transition from an on-premises database to a cloud-based database that has built-in diagnostics, redundancy, security, and scalability.

    Azure SQL Database security recommendations

    The following sections describe the Azure SQL Database recommendations that are in CIS Microsoft Azure Foundations Security Benchmark v. 3.0.0. Included with each recommendation are the basic steps to complete in the Azure portal. You should complete these steps for your own subscription and by using your own resources to validate each security recommendation.

  • Create an Azure storage accounts baseline

    An Azure Storage account provides a unique namespace where you can store and access your Azure Storage data objects.

    Azure Storage account security recommendations

    The following sections describe the Azure Storage recommendations that are in CIS Microsoft Azure Foundations Security Benchmark v. 3.0.0. Included with each recommendation are the basic steps to complete in the Azure portal. You should complete these steps for your own subscription and by using your own resources to validate each security recommendation. Keep in mind that Level 2 options might restrict some features or activity, so carefully consider which security options you decide to enforce.

  • Create a Microsoft Defender for Cloud baseline

    Microsoft Defender for Cloud provides unified security management and advanced threat protection for workloads that run in Azure, on-premises, and in other clouds. The following Defender for Cloud recommendations, if followed, will set various security policies on an Azure subscription. These policies define the set of controls that are recommended for your resources with an Azure subscription.

    Microsoft Defender for Cloud security recommendations

    The following sections describe the Microsoft Defender for Cloud recommendations that are in CIS Microsoft Azure Foundations Security Benchmark v. 3.0.0. Included with each recommendation are the basic steps to complete in the Azure portal. You should complete these steps for your own subscription and by using your own resources to validate each security recommendation. Keep in mind that Level 2 options might restrict some features or activity, so carefully consider which security options you decide to enforce.

  • Get started with Microsoft Entra ID

    Your organization decides to use Microsoft Entra ID to manage secure access. Users include doctors, external healthcare partners, and all internal staff members. You’re asked to look into implementing secure access for your organization.

    Here, you learn how to take a phased approach to deploying Microsoft Entra ID for your organization. You learn how to lay a foundation, deploy Microsoft Entra ID by creating a tenant, and associate a subscription with it.

    Deploy in phases

    A good way to deploy Microsoft Entra ID is in phases. Your deployment is split into several stages. Each stage addresses a key aspect of Microsoft Entra ID. A phase includes the tasks you need to complete before you go to the next stage. This approach lays a secure foundation for your Microsoft Entra instance.

  • Azure AD B2C

    You can also use Azure AD B2C to manage your customers’ identities and access. You want to give your doctors’ accounts protected access to resources and services. Use Azure AD B2C to securely authenticate the doctors through their preferred identity providers.

    Azure AD B2C also helps you monitor for threats like brute force attacks and denial-of-service attacks on doctors’ user accounts. To use Azure AD B2C, you first register your apps. Then, you configure user flows to set up the user’s journey to access an app.

    For example, a flow for the sign-in process might go like this:

    Sign-in flow for users.
    1. On their browser or mobile phone, the user goes to the app they want to access.
    2. The user is required to complete the sign-in form.
    3. If the credentials are verified and multifactor authentication is enabled, the user receives a verification code on their phone.
    4. The user provides the code they received.
    5. The user is granted access to the app.

    This feature is available on a pay-as-you-go basis.

    Microsoft Entra Domain Services

    Microsoft Entra Domain Services lets you add virtual machines to a domain without needing domain controllers. Your internal staff users can access virtual machines by using their company Microsoft Entra credentials.

    Use this service to reduce the complexity of migrating on-premises apps to Azure. An organization could also use Microsoft Entra Domain Services to handle its infrastructure if it runs apps both on-premises and in the cloud. The process might go like this:

    Process for adding VMs to a domain in Microsoft Entra Domain Services.
    1. The organization deploys its apps and servers in a virtual network on Azure.
    2. Microsoft Entra Connect Sync synchronizes identity information between the on-premises Active Directory instance and the organization’s tenant in Microsoft Entra ID.
    3. The company enables Microsoft Entra Domain Services on their Microsoft Entra tenant.
    4. The apps and servers in Azure can use features like domain joining and Kerberos authentication.

    This feature is available for pay-as-you-go, based on the total number of objects in your domain managed by Microsoft Entra Domain Services. Objects can include users, groups, and domain-joined computers.

  • Essential features of Microsoft Entra ID

    Your company wants to improve how it provides services to doctors and how it collaborates with external healthcare organizations. You’re asked to investigate what other capabilities and services Microsoft Entra ID can provide for the organization.

    Here, we explore some essential features of Microsoft Entra ID and how you can use them. Specifically, we look at Microsoft Entra B2B, Azure AD B2C, Microsoft Entra Domain Services (AD DS), and Microsoft Entra ID Protection. These are features that you can use to help improve how you manage apps in Microsoft Entra ID.

    Microsoft Entra B2B

    Use Microsoft Entra ID to invite external users to your tenant. Your organization can then collaborate with external healthcare partner staff members through Microsoft Entra B2B Collaboration.

    For example, your company works with external healthcare partners. You can invite these partners as guest users to your tenant. When their work is done, you can revoke access for those external partners until they need it again.

    Here’s the B2B collaboration process:

    B2B collaboration process.
    1. The external user either receives an email invitation that includes a redemption link or gets a direct link.
    2. The user selects the redemption link to access the apps they were invited to.
    3. If multifactor authentication is set up, the user receives a verification code on their phone.
    4. The user provides the code they received.
    5. The user can access the app, whether it’s on-premises or in the cloud.

    This feature is available for all licensing tiers in Microsoft Entra ID.

  • Understand Microsoft Entra ID licenses and terminology

    Your company always looks for the most experienced healthcare professionals and external contractors with whom to work. Research projects can become costly if they’re not managed properly. Your company wants to improve its cost effectiveness. The company asks you to investigate how Microsoft Entra ID is licensed. They also want you to provide a clear and concise outline of the critical terminology they might come across in Microsoft Entra ID.

    In this unit, you explore how Microsoft Entra ID is licensed and which features fall under the different licenses. You see how to add or change licenses in Microsoft Entra ID, and you learn the key terms you need to understand when you use Microsoft Entra ID.

    Microsoft Entra ID licenses

    You can use different features of Microsoft Entra ID, depending on the type of license you choose:

    • Microsoft Entra ID Free: You can manage users and groups, and you get necessary reports, on-premises Active Directory synchronization, and self-service password reset for Microsoft Entra users. You also get single sign-on for Microsoft 365, Azure services, and many non-Microsoft SaaS applications.
    • Pay-as-you-go licenses for specific features: You can access specific Microsoft Entra features, like Azure AD B2C, on a pay-as-you-go basis. Azure AD B2C lets you manage identity and access for consumer users and the applications they use.
    • Office 365 Apps: You get all the free tier features, but you can also have custom sign-in and sign-out pages, self-service password reset for cloud users, and device write-back.
    • Microsoft Entra ID P1: You get all the features from the free tier, but you can also let users access on-premises and cloud-based services and resources. You can use self-service group management or dynamic groups, where users are added and removed automatically based on your criteria. This tier supports on-premises identity-management suites like Microsoft Identity Manager. Self-service password reset is also supported for users who are based on-premises.
    • Microsoft Entra ID P2: You get all the features of the previous two tiers, along with Microsoft Entra ID Protection. This feature helps you configure risk-based Conditional Access to protect applications from identity risks. You can also use privileged identity management, which lets you monitor and put detailed restrictions on administrators.
    • Microsoft Entra ID Governance: An advanced set of identity governance capabilities available for Microsoft Entra ID P1 and P2 customers. Microsoft Entra ID Governance is available as six products: Microsoft Entra ID Governance, Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2, Microsoft Entra ID Governance Frontline Worker, Microsoft Entra ID Governance Step Up for Microsoft Entra ID F2, Microsoft Entra ID Governance for Government, and Microsoft Entra ID Governance Add-on for Microsoft Entra ID P2 for Government. These six products differ only in their prerequisites. They contain the entitlement management, privileged identity management, and access reviews capabilities that were in Microsoft Entra ID P2, plus additional advanced identity governance capabilities.
    • Microsoft Entra Suite: A complete cloud-based solution for workforce access, available for Microsoft Entra ID P1 and P2 customers. Microsoft Entra Suite brings together Microsoft Entra Private Access, Microsoft Entra Internet Access, Microsoft Entra ID Governance, Microsoft Entra ID Protection, and Microsoft Entra Verified ID. The Microsoft Entra ID Governance portion provides the same identity governance capabilities as the Microsoft Entra ID Governance product. The difference is that they have different prerequisites.