Turn on Azure AD Privileged Identity Management (Best Practice 8/10)

Turn on Azure AD Privileged Identity Management (PIM). After you turn on Privileged Identity Management, you’ll receive notification email messages for privileged access role changes. These notifications provide early warning when additional users are added to highly privileged roles in your directory.

Use role-based access control (Best Practice 7/10)

Role-based Access Control (RBAC) is probably the most ignored security option in Office 365. Of the hundreds of clients that I have worked with, only a handful have explored enabling RBAC. Access management for cloud resources is critical for any organization that uses the cloud. RBAC helps IT admins manage who has access to Azure resources, what they can do with those resources, and which areas they have access to.

Designating specific groups or individual roles as responsible for specific functions in Azure helps avoid the confusion that leads to human and automation errors, which in turn create security risks. Restricting access according to the need-to-know and least-privilege principles is imperative for organizations that want to enforce security policies for data access.

You can use RBAC to assign permissions to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource.

Best practice: Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a particular scope. Use built-in RBAC roles in Azure to assign privileges to users.

Enable Conditional Access for cloud access (Best Practice 5/10)

As IT admins we are constantly challenged by users trying to access cloud resources from multiple devices and locations. We need to make sure that these devices meet our standards for security and compliance. Focusing only on who can access a resource is no longer enough.

To balance security and productivity, we need to think about how a resource is accessed before we can make a decision about access control. With Azure AD Conditional Access, we can address this requirement. With Conditional Access, we can make automated access control decisions based on conditions for accessing your cloud apps.

Best practice: Manage and control access to corporate resources. I recommend configuring Azure AD Conditional Access based on a group, location, and application sensitivity for SaaS apps and Azure AD–connected apps.

Best practice: Block legacy authentication protocols. Attackers exploit weaknesses in older protocols every day, particularly in password spray attacks, because those protocols cannot enforce MFA or other Conditional Access controls. Configure Conditional Access to block legacy protocols.
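As an added example (not code from the original post), here is the Microsoft Graph Conditional Access policy body that implements the "block legacy authentication" practice for all users, plus a checker you can run over policies fetched from your tenant to confirm one of them really blocks legacy clients. The break-glass group id and the function names are assumptions made for this example.

```python
import json

# Microsoft Graph endpoint for Conditional Access policies.
GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Legacy (basic-auth) client types in the Graph schema: Exchange ActiveSync and
# "other" (SMTP/IMAP/POP and older Office clients that cannot do modern auth).
LEGACY_CLIENT_APP_TYPES = ("exchangeActiveSync", "other")


def build_block_legacy_auth_policy(break_glass_group_id: str, enforce: bool = False) -> dict:
    """Return a Conditional Access policy body that blocks legacy auth for all users.

    The emergency-access (break-glass) group is excluded so a misconfiguration
    cannot lock administrators out. Start in report-only mode, then enforce.
    """
    return {
        "displayName": "Block legacy authentication",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(LEGACY_CLIENT_APP_TYPES),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def blocks_legacy_auth(policy: dict) -> bool:
    """Check that a policy (e.g. one fetched from Graph) really blocks legacy auth.

    A policy that is report-only, targets only one legacy client type, covers a
    subset of users or apps, or applies a control other than an explicit block
    does not count as blocking legacy authentication.
    """
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    return (
        policy.get("state") == "enabled"
        and set(LEGACY_CLIENT_APP_TYPES) <= set(cond.get("clientAppTypes", []))
        and "All" in cond.get("users", {}).get("includeUsers", [])
        and "All" in cond.get("applications", {}).get("includeApplications", [])
        and grant.get("builtInControls") == ["block"]
    )


if __name__ == "__main__":
    # BREAK_GLASS_GROUP_ID is a placeholder; substitute your emergency-access group's object id.
    policy = build_block_legacy_auth_policy("BREAK_GLASS_GROUP_ID", enforce=True)
    print(json.dumps(policy, indent=2))
    # To create it, POST this JSON to GRAPH_POLICIES_URL with a bearer token that
    # holds the Policy.ReadWrite.ConditionalAccess permission.
```

Fetch your tenant's policies from the same endpoint with a GET and pass each one to `blocks_legacy_auth` to confirm that the block is enabled and not still sitting in report-only mode.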