This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Microsoft Defender for Identity. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Microsoft Defender for Identity.
Note
Controls not applicable to Microsoft Defender for Identity, and those for which the global guidance is recommended verbatim, have been excluded. To see how Microsoft Defender for Identity completely maps to the Azure Security Benchmark, see the full Microsoft Defender for Identity security baseline mapping file.
Network Security
For more information, see the Azure Security Benchmark: Network Security.
NS-6: Simplify network security rules
Guidance: Use Azure Virtual Network service tags to define network access controls on network security groups or Azure Firewall configured for your Defender for Identity resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (for example, “AzureAdvancedThreatProtection”) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
- Enable access to Defender for Identity service URLs in the proxy server
- Understand and use service tags
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Identity Management
For more information, see the Azure Security Benchmark: Identity Management.
IM-1: Standardize Azure Active Directory as the central identity and authentication system
Guidance: Defender for Identity uses Azure Active Directory (Azure AD) as the default identity and access management service. You should standardize Azure AD to govern your organization’s identity and access management in:
- Microsoft Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machine (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
- Your organization’s resources, such as applications on Azure or your corporate network resources.
Securing Azure AD should be a high priority in your organization’s cloud security practice. Azure AD provides an identity secure score to help you assess identity security posture relative to Microsoft’s best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.
Note: Azure AD supports external identities, which allow users without a Microsoft account to sign in to their applications and resources with their external identity.
- Tenancy in Azure AD
- How to create and configure an Azure AD instance
- Use external identity providers for application
- What is the identity secure score in Azure AD
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Privileged Access
For more information, see the Azure Security Benchmark: Privileged Access.
PA-1: Protect and limit highly privileged users
Guidance: Defender for Identity has the following highly-privileged accounts:
- Global administrator
- Security administrator
Limit the number of highly privileged accounts or roles and protect these accounts at an elevated level because users with this privilege can directly or indirectly read and modify every resource in your Azure environment.
You can enable just-in-time (JIT) privileged access to Azure resources and Azure Active Directory (Azure AD) using Azure AD Privileged Identity Management (PIM). JIT grants temporary permissions to perform privileged tasks only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.
- Microsoft Defender for Identity role groups
- Administrator role permissions in Azure AD
- Use Azure Privileged Identity Management security alerts
- Securing privileged access for hybrid and cloud deployments in Azure AD
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-3: Review and reconcile user access regularly
Guidance: Defender for Identity uses Azure Active Directory (Azure AD) accounts to manage its resources. Review user accounts and access assignments regularly to ensure the accounts and their access are still valid. You can use Azure AD access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management to create an access review report workflow to facilitate the review process.
In addition, Azure Privileged Identity Management can also be configured to alert when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.
Note: Some Azure services support local users and roles which are not managed through Azure AD. You will need to manage these users separately.
- Create an access review of Azure resource roles in Privileged Identity Management (PIM)
- How to use Azure AD identity and access reviews
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-6: Use privileged access workstations
Guidance: Secured, isolated workstations are critically important for the security of sensitive roles like administrators, developers, and critical service operators. Use highly secured user workstations and/or Azure Bastion for administrative tasks. Use Azure Active Directory, Microsoft Defender for Endpoint, and/or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstations can be centrally managed to enforce a secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Data Protection
For more information, see the Azure Security Benchmark: Data Protection.
DP-2: Protect sensitive data
Guidance: Defender for Identity protects sensitive data by restricting access using Azure Active Directory (Azure AD) roles.
To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business-critical data and systems.
For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft implements default data protection controls and capabilities.
- Azure AD roles with access to Microsoft Defender for Cloud Apps
- Azure Role-based Access Control (RBAC)
- Understand customer data protection in Azure
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
DP-4: Encrypt sensitive information in transit
Guidance: To complement access controls, data in transit should be protected against ‘out-of-band’ attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
Defender for Identity supports data encryption in transit with TLS v1.2 or greater.
While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsolete SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled.
By default, Azure provides encryption for data in transit between Azure data centers.
- TLS v1.2 Release for Defender for Identity
- Understand encryption in transit with Azure
- Information on TLS Security
- Double encryption for Azure data in transit
Responsibility: Microsoft
Microsoft Defender for Cloud monitoring: None
DP-5: Encrypt sensitive data at rest
Guidance: To complement access controls, Defender for Identity encrypts data at rest to protect against ‘out-of-band’ attacks (such as accessing the underlying storage). This helps ensure that attackers cannot easily read or modify the data.
- Understand encryption at rest in Azure
- Data at rest double encryption in Azure: /azure/security/fundamentals/encryption-atrest
Responsibility: Microsoft
Microsoft Defender for Cloud monitoring: None
Asset Management
For more information, see the Azure Security Benchmark: Asset Management.
AM-1: Ensure security team has visibility into risks for assets
Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud.
Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.
Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.
Note: Additional permissions might be required to get visibility into workloads and services.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Logging and Threat Detection
For more information, see the Azure Security Benchmark: Logging and Threat Detection.
LT-1: Enable threat detection for Azure resources
Guidance: Defender for Identity can notify you when it detects suspicious activities, by sending security and health alerts to your Syslog server through a nominated sensor. Forward any logs from Defender for Identity to your SIEM which can be used to set up custom threat detections. Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.
- How to integrate with Syslog
- Create custom analytics rules to detect threats
- Cyber threat intelligence with Microsoft Sentinel: /azure/architecture/example-scenario/data/sentinel-threat-intelligence
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-2: Enable threat detection for Azure identity and access management
Guidance: Azure Active Directory (Azure AD) provides the following user logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel, or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
- Sign-ins – The sign-ins report provides information about the usage of managed applications and user sign-in activities.
- Audit logs – Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles, and policies.
- Risky sign-ins – A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk – A risky user is an indicator for a user account that might have been compromised.
Microsoft Defender for Cloud can also alert on certain suspicious activities, such as an excessive number of failed authentication attempts or deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud’s Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources.
- Audit activity reports in the Azure Active Directory
- Enable Azure Identity Protection
- Threat protection in Microsoft Defender for Cloud
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-5: Centralize security log management and analysis
Guidance: Ensure you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage.
In addition, enable and onboard data to Microsoft Sentinel or a third-party SIEM.
Many organizations choose to use Microsoft Sentinel for “hot” data that is used frequently and Azure Storage for “cold” data that is used less frequently.
Defender for Identity can forward all security-related logs to your SIEM for centralized management.
- How to collect platform logs and metrics with Azure Monitor
- How to onboard Microsoft Sentinel
- Integrate Defender for Identity with Syslog
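Parsing the Syslog stream that LT-1 and LT-5 describe is where custom detections start. The following added example (not code from the page or from Microsoft) parses constructed CEF-style Defender for Identity alert lines, separates sensor health alerts from security alerts, and applies two simple triage rules so analysts see the highest-value alerts first; the alert names, IDs, hosts, users and timestamps in the sample are made up.

```python
import re

# Constructed sample lines in the CEF-over-Syslog layout that Defender for Identity sensors
# forward to a SIEM. Hosts, users, timestamps, alert names and IDs are made up for this example.
SAMPLE_LINES = """\
<13>1 2024-03-04T10:15:02Z SENSOR01 MDI - - - CEF:0|Microsoft|Azure ATP|2.200|AccountEnumerationSecurityAlert|Account enumeration reconnaissance|5|start=2024-03-04T10:14:55Z app=Kerberos shost=WKS-17 suser=jdoe msg=An actor on WKS-17 tried to guess user names externalId=2003
<13>1 2024-03-04T10:16:10Z SENSOR01 MDI - - - CEF:0|Microsoft|Azure ATP|2.200|DcSyncAttackSecurityAlert|Suspected DCSync attack (replication of directory services)|9|start=2024-03-04T10:16:01Z app=Directory Replication Service shost=WKS-17 suser=jdoe msg=jdoe on WKS-17 sent replication requests to DC01 externalId=2006
<13>1 2024-03-04T10:20:00Z SENSOR01 MDI - - - CEF:0|Microsoft|Azure ATP|2.200|SensorHealthAlert|Sensor stopped communicating|3|msg=Sensor SENSOR02 has not communicated for 20 minutes
""".splitlines()

CEF_HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# Extension values may contain spaces; a value runs until the next "key=" token.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF record; returns {} when no CEF payload is present."""
    idx = line.find("CEF:")
    if idx < 0:
        return {}
    # Header fields are pipe-separated; a literal pipe inside a field is escaped as "\|".
    parts = re.split(r"(?<!\\)\|", line[idx + 4:], maxsplit=7)
    if len(parts) < 7:
        return {}
    event = {key: val.replace("\\|", "|") for key, val in zip(CEF_HEADER, parts)}
    event["severity"] = int(event["severity"])
    extension = parts[7] if len(parts) == 8 else ""
    for key, val in _EXT_RE.findall(extension):
        event[key] = val.strip()
    return event


def triage(lines, min_severity: int = 7) -> dict:
    """Separate sensor health alerts from security alerts and pick out what analysts see first."""
    health, security = [], []
    for line in lines:
        event = parse_cef(line)
        if event:
            (health if event["signature_id"].endswith("HealthAlert") else security).append(event)
    escalate = [e["name"] for e in security if e["severity"] >= min_severity]
    # Correlation: one account behind several alerts deserves a case even when each is low severity.
    by_user = {}
    for e in security:
        by_user.setdefault(e.get("suser"), []).append(e["name"])
    repeat_offenders = sorted(u for u, names in by_user.items() if u and len(names) > 1)
    return {"health": [e["name"] for e in health], "escalate": escalate, "repeat_offenders": repeat_offenders}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LINES).items():
        print(f"{key}: {val}")
```

Health alerts go to the sensor operators rather than the analyst queue; the severity threshold and the repeat-account rule are starting points for the custom analytics rules the SIEM links above describe.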
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-7: Use approved time synchronization sources
Guidance: Not applicable; Defender for Identity does not support configuring your own time synchronization sources. Defender for Identity relies on Microsoft time synchronization sources, which are not exposed to customers for configuration.
Responsibility: Microsoft
Microsoft Defender for Cloud monitoring: None
Posture and Vulnerability Management
For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.
PV-6: Perform software vulnerability assessments
Guidance: Microsoft performs vulnerability management on the underlying systems that support Defender for Identity.
Responsibility: Microsoft
Microsoft Defender for Cloud monitoring: None
PV-8: Conduct regular attack simulation
Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Refer to Microsoft’s strategy and execution of red teaming and live-site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
Next steps
- See the Azure Security Benchmark V2 overview
- Learn more about Azure security baselines