Use role-based access control (Best Practice 7/10)

Role-based Access Control (RBAC) is probably the most ignored security option in Office365. Of the hundreds of clients that I have worked with, there have been only a handful of them that have explored the option of enabling RBAC. Access management for cloud resources is critical for any organization that uses the cloud. RBAC helps IT admin manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

This feature is designed to allow specific groups or individual roles responsible for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need to know and least privilege security principles is imperative for organizations that want to enforce security policies for data access.

You can use RBAC to assign permissions to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource.

Best practice: Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a particular scope. Use built-in RBAC roles in Azure to assign privileges to users.

Enforce multi-factor verification for users (Best Practice 6/10)

Enabling two-factor authentication should be the standard and perhaps it should be enforced as the minimum requirements for authentication for any cloud service. Password are not safe, and users keeps making the same mistakes protection and securing their password.

I highly recommend that you require two-step verification for all of your users. This includes administrators and others in your organization who can have a significant impact if their account is compromised.

There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Azure AD edition you’re running, and your licensing program. There are numerous options in Azure AD. From using the build-in option included in the regular subscription, to using Azure Multi-factor authentication server for on-premise services or using a third part solution such as DOU, VIPAccess, Okta, or RSAID with Federation.

Enable Conditional Access for cloud access. (Best Practice 5/10)

As an IT admin we are always challenge with users trying to access the cloud resources from multiple devices and locations. We need to make sure that these devices meet our standards for security and compliance. Just focusing on who can access a resource is not enough anymore.

To balance security and productivity, we need to think about how a resource is accessed before we can make a decision about access control. With Azure AD Conditional Access, we can address this requirement. With Conditional Access, we can make automated access control decisions based on conditions for accessing your cloud apps.

Best practice: Manage and control access to corporate resources. I recommend configuring Azure AD Conditional Access based on a group, location, and application sensitivity for SaaS apps and Azure AD–connected apps.

Best practice: Block legacy authentication protocols. Attackers exploit weaknesses in older protocols every day, particularly for password spray attacks. Configure Conditional Access to block legacy protocols.