I'm trying to tighten security for our Azure SQL Database and Storage Accounts. We currently have too many "Owner" roles assigned. What is the best way to implement Least Privilege Access using Role-Based Access Control (RBAC)? Also, how can I ensure that admins can only log in if they are on a trusted device or using MFA?
3 answers
You need to move away from Subscription-level "Owner" roles immediately. Use Built-in Roles like "SQL DB Contributor" or "Storage Blob Data Reader" at the Resource Group level. For your admins, implement Microsoft Entra ID (formerly Azure AD) Conditional Access. You can create a policy that requires Multi-Factor Authentication (MFA) and a "Compliant Device" for any user accessing the Azure Portal. Also, look into Privileged Identity Management (PIM) to provide "Just-In-Time" access rather than permanent assignments
Are you planning to use Managed Identities for your applications to access these databases without storing credentials in code?
Don't forget to review your "Guest" users in Entra ID. They often have more permissions than they actually need.
Absolutely agree with Nancy. Regular Access Reviews are part of the PIM feature set and help clean up those stale guest accounts.
Managed Identities are a security must-have. By using System-Assigned Identities, your App Service can authenticate to the SQL Database without a single connection string password. This eliminates the risk of secrets leaking through your source code repositories. It's a core pillar of a Zero Trust strategy in the cloud.