Cloud Technology

How to properly secure Azure resources using RBAC and Conditional Access policies?

JE Asked by Jessica White · 20-11-2023
0 upvotes 11,330 views 0 comments
The question

I'm trying to tighten security for our Azure SQL Database and Storage Accounts. We currently have too many "Owner" roles assigned. What is the best way to implement Least Privilege Access using Role-Based Access Control (RBAC)? Also, how can I ensure that admins can only log in if they are on a trusted device or using MFA?

 

3 answers

0
MA
Answered on 22-11-2023

You need to move away from Subscription-level "Owner" roles immediately. Use Built-in Roles like "SQL DB Contributor" or "Storage Blob Data Reader" at the Resource Group level. For your admins, implement Microsoft Entra ID (formerly Azure AD) Conditional Access. You can create a policy that requires Multi-Factor Authentication (MFA) and a "Compliant Device" for any user accessing the Azure Portal. Also, look into Privileged Identity Management (PIM) to provide "Just-In-Time" access rather than permanent assignments

0
RI
Answered on 24-11-2023

Are you planning to use Managed Identities for your applications to access these databases without storing credentials in code?

JO 26-11-2023

Managed Identities are a security must-have. By using System-Assigned Identities, your App Service can authenticate to the SQL Database without a single connection string password. This eliminates the risk of secrets leaking through your source code repositories. It's a core pillar of a Zero Trust strategy in the cloud.

0
NA
Answered on 27-11-2023

Don't forget to review your "Guest" users in Entra ID. They often have more permissions than they actually need.

MA 28-11-2023

Absolutely agree with Nancy. Regular Access Reviews are part of the PIM feature set and help clean up those stale guest accounts.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session