Hey, I am approaching Azure from an AWS background and was going through the Azure portal today. Whenever I create a new account in AWS I have a list of items I do to improve my security posture, which I was trying to mimic in Azure, but could not.
1. Enable MFA on Root Account
2. Create Admin Group
3. Apply elevated, yet less than Root, permissions to Admin Group
4. Create IAM User and place in Group
5. Switch User
6. Enable MFA on IAM User
I struggled with the MFA features saying that I needed to upgrade my plan before I could enable it. I found the Pricing page from Microsoft that supports that statement with a $6/user/month cost.
I’m only planning on using this account for learning before I sit my AZ exams. However, I’m really worried about leaving the account so insecure. Do you have any suggestions on how I can protect my account while keeping the account free?
Good question, and fantastic use of Best Practice. For non-technical people learning about Azure, it may not be as critical of a concern, but for technical professionals, this is always wise!
Microsoft makes this pretty vague, and it’s not as intuitive as one might expect. When it comes to fine-grained use of access controls, like MFA for individual users, or protecting only certain resources, Azure AD Premium is definitely the way to go. But for us, we have a much simpler option: Enabling Security Defaults.
Security Defaults gives you a pre-configured set of security features and rules that would normally require Azure AD Premium. It’s been designed as a stop-gap for organizations who aren’t ready for the full power of Azure AD yet, or cases where it would be otherwise excessive, as for the testing accounts of individual professionals.
All you have to do is log in to the Azure Portal, and turn it on in Azure AD. No specific features to configure, no flashy lists of rules. It’s either on, or it’s off. This is a great introduction to a secure Azure account, and customers who need more control can utilize Azure AD Premium.
Bonus mode, as an ACG Member, if you find you’re curious about other Security features on our platform, check out our AZ-500 Microsoft Azure Security Technologies course. Even if you’re not interested in the whole course, if any individual video interests you, check it out for more handy info.
Best of luck with your studies!
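The Security Defaults switch described in the answer above can also be read and set from a script through the Microsoft Graph policy object behind it. This is an added example, not part of the original posts; it assumes the Azure CLI is already signed in (`az login`) to the tenant with an account allowed to change this policy, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: check and enable tenant-wide Security Defaults via Microsoft Graph.
# Assumption: Azure CLI is signed in with an account permitted to modify the policy.

GRAPH_URL="https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy"

# Print the policy's current isEnabled value as lowercase "true" or "false".
security_defaults_state() {
  sd_raw=$(az rest --method get --url "$GRAPH_URL" --query isEnabled --output tsv) || return 1
  printf '%s\n' "$sd_raw" | tr '[:upper:]' '[:lower:]'
}

# Enable Security Defaults only when it is off, then re-read the policy to confirm.
# Returns 0 when the policy ends up enabled, 1 on any failure.
ensure_security_defaults() {
  sd_state=$(security_defaults_state) || { echo "could not read policy" >&2; return 1; }
  if [ "$sd_state" = "true" ]; then
    echo "Security Defaults already enabled"
    return 0
  fi
  echo "Security Defaults is off; enabling"
  az rest --method patch --url "$GRAPH_URL" --body '{"isEnabled": true}' >/dev/null || return 1
  sd_state=$(security_defaults_state) || return 1
  if [ "$sd_state" = "true" ]; then
    echo "Security Defaults enabled"
    return 0
  fi
  echo "policy still reports disabled" >&2
  return 1
}

# Act only when run with --apply, so sourcing this file changes nothing.
if [ "${1:-}" = "--apply" ]; then
  ensure_security_defaults
fi
```

Run it with `--apply` to make the change; the re-read after the PATCH confirms the tenant actually reports the policy as enabled rather than trusting the write.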
Thanks for your answer. I set up this Security Default on my Active Directory and it prompted me to set up MFA on my next login. I think that MFA is so important considering the havoc a malicious actor can cause on an unprotected cloud account. I’d say that a quick 1-min lecture on configuring this for new Azure accounts should be included in the AZ-900 to help protect people that don’t want to pay for Premium P1 just to learn.