The most up-to-date Azure Security Benchmark is available here.
Identity and access management recommendations focus on addressing issues related to identity-based access control, locking down administrative access, alerting on identity-related events, abnormal account behavior, and role-based access control.
3.1: Maintain an inventory of administrative accounts
Azure ID: 3.1 | CIS IDs: 4.1 | Responsibility: Customer
Azure AD has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.
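One way to run that ad hoc inventory, as an added example rather than code from the benchmark itself; it assumes the AzureAD PowerShell module is installed and the signed-in account can read directory roles:

```powershell
# Added example: inventory every member of every activated Azure AD directory role.
# Assumes the AzureAD module (Connect-AzureAD, Get-AzureADDirectoryRole,
# Get-AzureADDirectoryRoleMember) and directory read permissions.
Connect-AzureAD

# Get-AzureADDirectoryRole returns only roles that have been activated in the tenant;
# roles that were never used do not appear, which is fine for a membership inventory.
$inventory = foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role              = $role.DisplayName
            MemberType        = $member.ObjectType          # User, ServicePrincipal, Group
            DisplayName       = $member.DisplayName
            UserPrincipalName = $member.UserPrincipalName   # empty for service principals
            ObjectId          = $member.ObjectId
            # Guest accounts carry '#EXT#' in their UPN; flag them for review
            IsGuest           = ($member.UserPrincipalName -like '*#EXT#*')
        }
    }
}

$inventory | Sort-Object Role, DisplayName | Format-Table -AutoSize

# Keep a dated snapshot so the next run can be diffed against it
$snapshot = ".\aad-admin-inventory-$(Get-Date -Format yyyyMMdd).csv"
$inventory | Export-Csv -Path $snapshot -NoTypeInformation

# Quick view of the roles with the most members, the usual starting point for trimming
$inventory | Group-Object Role | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Comparing two dated CSV snapshots with Compare-Object shows role membership drift between runs.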
Azure AD does not have the concept of default passwords. Other Azure resources that require a password force one to be created with complexity requirements and a minimum length, which differ depending on the service. You are responsible for third-party applications and marketplace services that may use default passwords.
3.3: Use dedicated administrative accounts
Azure ID: 3.3 | CIS IDs: 4.3 | Responsibility: Customer
Create standard operating procedures around the use of dedicated administrative accounts. Use the recommendations in Azure Security Center's "Manage access and permissions" security control to monitor the number of administrative accounts.
You can also enable Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management Privileged Roles for Microsoft services and Azure Resource Manager.
3.4: Use single sign-on (SSO) with Azure Active Directory
Azure ID: 3.4 | CIS IDs: 4.4 | Responsibility: Customer
Wherever possible, use Azure Active Directory SSO rather than configuring individual stand-alone credentials per service. Use the recommendations in Azure Security Center's "Manage access and permissions" security control.
3.7: Log and alert on suspicious activities from administrative accounts
Azure ID: 3.7 | CIS IDs: 4.8, 4.9 | Responsibility: Customer
Use Azure Active Directory security reports for generation of logs and alerts when suspicious or unsafe activity occurs in the environment. Use Azure Security Center to monitor identity and access activity.
Use Azure Active Directory as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.
Azure AD provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.
3.11: Monitor attempts to access deactivated credentials
Azure ID: 3.11 | CIS IDs: 16.12 | Responsibility: Customer
You have access to the Azure AD sign-in activity, audit, and risk event log sources, which allow you to integrate with any SIEM/monitoring tool.
You can streamline this process by creating Diagnostic Settings for Azure Active Directory user accounts and sending the audit logs and sign-in logs to a Log Analytics Workspace. You can configure desired Alerts within Log Analytics Workspace.
Use Azure AD Risk and Identity Protection features to configure automated responses to detected suspicious actions related to user identities. You can also ingest data into Azure Sentinel for further investigation.
3.13: Provide Microsoft with access to relevant customer data during support scenarios
Azure ID: 3.13 | CIS IDs: 16 | Responsibility: Customer
In support scenarios where Microsoft needs to access customer data, Customer Lockbox provides an interface for you to review and then approve or reject customer data access requests.