articles/security/fundamentals/identity-management-best-practices.md
2 additions & 2 deletions
@@ -103,7 +103,7 @@ In a mobile-first, cloud-first world, you want to enable single sign-on (SSO) to
103
103
By using the same identity solution for all your apps and resources, you can achieve SSO. And your users can use the same set of credentials to sign in and access the resources that they need, whether the resources are located on-premises or in the cloud.
104
104
105
105
**Best practice**: Enable SSO.
106
-
**Detail**: Microsoft Entra ID [extends on-premises Active Directory](/entra/identity/hybrid/whatis-hybrid-identity) to the cloud. Users can use their primary work or school account for their domain-joined devices, company resources, and all of the web and SaaS applications that they need to get their jobs done. Users don't have to remember multiple sets of usernames and passwords, and their application access can be automatically provisioned (or deprovisioned) based on their organization group memberships and their status as an employee. And you can control that access for gallery apps or for your own on-premises apps that you've developed and published through the [Microsoft Entra application proxy](/entra/identity/app-proxy/application-proxy).
106
+
**Detail**: Microsoft Entra ID [extends on-premises Active Directory](/entra/identity/hybrid/whatis-hybrid-identity) to the cloud. Users can use their primary work or school account for their domain-joined devices, company resources, and all of the web and SaaS applications that they need to get their jobs done. Users don't have to remember multiple sets of usernames and passwords, and their application access can be automatically provisioned (or deprovisioned) based on their organization group memberships and their status as an employee. And you can control that access for gallery apps or for your own on-premises apps that you've developed and published through the [Microsoft Entra application proxy](/entra/identity/app-proxy/what-is-application-proxy).
107
107
108
108
Use SSO to enable users to access their [SaaS applications](/entra/identity/enterprise-apps/what-is-single-sign-on) based on their work or school account in Microsoft Entra ID. This is applicable not only for Microsoft SaaS apps, but also other apps, such as [Google Apps](/entra/identity/saas-apps/google-apps-tutorial) and [Salesforce](/entra/identity/saas-apps/salesforce-tutorial). You can configure your application to use Microsoft Entra ID as a [SAML-based identity](/entra/fundamentals/whatis) provider. As a security control, Microsoft Entra ID does not issue a token that allows users to sign in to the application unless they have been granted access through Microsoft Entra ID. You can grant access directly, or through a group that users are a member of.
109
109
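Review bot: The only change in this hunk is the link target at the end of the `+` line, from `/entra/identity/app-proxy/application-proxy` to `/entra/identity/app-proxy/what-is-application-proxy`; the paragraph wording is otherwise identical to the `-` line. Because the root-relative `/entra/...` form resolves only on the published site rather than against files in this repo, please confirm the new path with the link validator before merging, and consider recording the rename/redirect reason in the PR description so the change stays traceable.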
@@ -191,7 +191,7 @@ This method uses the Microsoft Entra ID Protection risk evaluation to determine
191
191
> Option 2, enabling multifactor authentication by changing the user state, overrides Conditional Access policies. Because options 3 and 4 use Conditional Access policies, you cannot use option 2 with them.
192
192
193
193
**Best practice**: Migrate user-based service accounts to workload identities.
194
-
**Detail**: Some customers use user accounts in Microsoft Entra ID as service accounts for automation. With mandatory MFA enforcement, it's critical to migrate these user-based service accounts to [secure cloud-based service accounts with workload identities](https://learn.microsoft.com/entra/workload-id/workload-identities-overview). Workload identities such as managed identities and service principals are designed for automation scenarios and don't require MFA, providing a more secure and manageable solution. For migration guidance, see [Sign in to Azure with a managed identity using the Azure CLI](https://learn.microsoft.com/cli/azure/authenticate-azure-cli-managed-identity) and [Sign in to Azure PowerShell non-interactively for automation scenarios](https://learn.microsoft.com/powershell/azure/authenticate-noninteractive).
194
+
**Detail**: Some customers use user accounts in Microsoft Entra ID as service accounts for automation. With mandatory MFA enforcement, it's critical to migrate these user-based service accounts to [secure cloud-based service accounts with workload identities](/entra/workload-id/workload-identities-overview). Workload identities such as managed identities and service principals are designed for automation scenarios and don't require MFA, providing a more secure and manageable solution. For migration guidance, see [Sign in to Azure with a managed identity using the Azure CLI](/cli/azure/authenticate-azure-cli-managed-identity) and [Sign in to Azure PowerShell non-interactively for automation scenarios](/powershell/azure/authenticate-noninteractive).
195
195
196
196
Organizations that don't add extra layers of identity protection, such as multifactor authentication, are more susceptible for credential theft attack. A credential theft attack can lead to data compromise.
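Review bot: All three links in the `+` line move from absolute `https://learn.microsoft.com/...` URLs to root-relative paths (`/entra/workload-id/...`, `/cli/azure/...`, `/powershell/azure/...`), consistent with the preceding hunk, and the wording is unchanged. One content gap worth a follow-up: the paragraph says managed identities and service principals "don't require MFA" but does not say what protects them instead, while the trailing context line warns that accounts without extra identity protection are more susceptible to credential theft. Suggest a sentence steering readers toward managed identities (already the subject of the linked Azure CLI guidance) and toward protecting the credentials of any service principal they keep, so the MFA exemption is not read as a reason to leave the replacement account unprotected.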
articles/security/fundamentals/operational-best-practices.md
1 addition & 1 deletion
@@ -239,7 +239,7 @@ Azure has two DDoS [service offerings](../../ddos-protection/ddos-protection-ove
239
239
Enable Azure Policy to monitor and enforce your organization's written policy. This will ensure compliance with your company or regulatory security requirements by centrally managing security policies across your hybrid cloud workloads. Learn how to [create and manage policies to enforce compliance](../../governance/policy/tutorials/create-and-manage.md). See [Azure Policy definition structure](../../governance/policy/concepts/definition-structure.md) for an overview of the elements of a policy.
240
240
241
241
**Best practice**: Use Azure Policy to enforce Microsoft Cloud Security Benchmark v2 (preview) recommendations across your environment.
242
-
**Detail**: The [Microsoft Cloud Security Benchmark v2 (preview)](https://learn.microsoft.com/security/benchmark/azure/overview) provides comprehensive security best practices with expanded Azure Policy coverage (420+ policy-based measurements). Assign Microsoft Cloud Security Benchmark v2 (preview) policies to your subscriptions and management groups to continuously audit and enforce secure configurations. The benchmark includes new controls for AI security, confidential computing, and enhanced threat detection. Use the [Defender for Cloud regulatory compliance dashboard](https://learn.microsoft.com/azure/defender-for-cloud/update-regulatory-compliance-packages) to track compliance and identify security gaps requiring remediation.
242
+
**Detail**: The [Microsoft Cloud Security Benchmark v2 (preview)](/security/benchmark/azure/overview) provides comprehensive security best practices with expanded Azure Policy coverage (420+ policy-based measurements). Assign Microsoft Cloud Security Benchmark v2 (preview) policies to your subscriptions and management groups to continuously audit and enforce secure configurations. The benchmark includes new controls for AI security, confidential computing, and enhanced threat detection. Use the [Defender for Cloud regulatory compliance dashboard](../../defender-for-cloud/update-regulatory-compliance-packages.md) to track compliance and identify security gaps requiring remediation.
243
243
244
244
Here are some security best practices to follow after you adopt Azure Policy:
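Review bot: The `+` line mixes two link styles: the benchmark link becomes root-relative (`/security/benchmark/azure/overview`) while the Defender for Cloud link becomes a repo-relative file path (`../../defender-for-cloud/update-regulatory-compliance-packages.md`). The repo-relative form matches the `../../governance/policy/...md` links in the context line above and is normally validated at build time, whereas the root-relative form only resolves on the published site; if the benchmark article lives outside this repo that split is correct, but please confirm, and verify that the `../../defender-for-cloud/...md` file exists at that path since a typo there fails the build rather than just the link. Minor style point: "Microsoft Cloud Security Benchmark v2 (preview)" is spelled out in full twice within the paragraph; the second occurrence could read "the benchmark" for readability.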