Identity and Access Management
Last updated: 2024-11-28
The identity and access management design area provides best practices that you can use to establish the foundation of your secure and fully compliant public cloud architecture.
Enterprises often run complex, heterogeneous technology landscapes, which makes identity the control point that matters most. Robust identity and access management (IAM) is the basis of modern protection: in a public cloud, identity rather than the network edge forms the security perimeter. Authorization and access controls ensure that only authenticated users on verified devices can access and administer applications and resources. IAM ensures that the right individual can access the right resources at the right time, and for the right reason. It also provides reliable audit logging and nonrepudiation of user and workload identity actions.
You should provide consistent enterprise access control—covering user access, control and management planes, external access, and privileged access—to improve productivity and mitigate the risk of unauthorized privilege escalation or data exfiltration.
Azure offers a comprehensive set of services, tools, and reference architectures to help your organization create highly secure and operationally efficient environments. There are several options for managing identity in a cloud environment. Each option varies in cost and complexity. Determine your cloud-based identity services based on how much you need to integrate them with your existing on-premises identity infrastructure.
Identity and Access Management in Fabric Landing Zones
IAM is a core consideration in both platform and application landing zones. Under the design principle of subscription democratization, application owners should have the autonomy to manage their own applications and resources with minimal intervention from the platform team. Landing zones act as a security boundary, and IAM is a critical mechanism to enforce separation between them—complemented by networking and policy boundaries.
The platform team is responsible for foundational IAM services, such as Microsoft Entra ID, Microsoft Entra Domain Services, and AD DS. Application teams consume these services to build secure, scalable solutions. Application teams are expected to manage access to their own resources, such as Azure SQL, Fabric workspaces, lakehouses, or pipelines, by assigning roles (Azure RBAC roles and Fabric workspace roles) to groups rather than to individual users, at the narrowest scope that still works, and never with more rights than the task needs. Least privilege and RBAC apply at every layer, not only at the subscription.
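The check an application or platform team would want to run against the principle above is an audit of existing role assignments. The following is an added example, not code from the Cloud Adoption Framework or from Microsoft Fabric: it reads role assignment records in the shape of `az role assignment list --all --output json` (only the `principalName`, `principalType`, `roleDefinitionName` and `scope` keys) and flags three patterns that contradict least privilege and separation of duties: privileged roles at subscription scope or wider, roles assigned directly to users instead of groups, and workload identities that can grant access. The rule names, the platform-group allow list and the sample records are assumptions constructed for this example.

```python
"""Least-privilege audit of Azure RBAC role assignments (added example).

Not code from the Cloud Adoption Framework or Microsoft Fabric. Reads records in
the shape of `az role assignment list --all --output json` (only four keys are
used) and reports assignments that break three least-privilege rules. Rule names,
the allow list and the sample records below are assumptions for this example.
"""
import re
from dataclasses import dataclass

# Roles that can grant access to others (and therefore escalate themselves).
ACCESS_ADMIN_ROLES = {"Owner", "User Access Administrator"}
# Roles broad enough that holding them at subscription scope or above is a finding.
PRIVILEGED_ROLES = ACCESS_ADMIN_ROLES | {"Contributor"}
BROAD_SCOPES = {"root", "managementGroup", "subscription"}

# ARM scope strings: /subscriptions/<id>[/resourceGroups/<rg>][/providers/<type>/<name>...]
_SUB_SCOPE = re.compile(
    r"/subscriptions/[^/]+(/resourceGroups/[^/]+)?(/providers/.+)?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    principal: str
    role: str
    scope: str


def scope_level(scope: str) -> str:
    """Classify an ARM scope string by how much of the hierarchy it covers."""
    if scope == "/":
        return "root"
    if scope.lower().startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    m = _SUB_SCOPE.fullmatch(scope)
    if m is None:
        return "unknown"
    if m.group(2):
        return "resource"  # a single resource inside a subscription or resource group
    if m.group(1):
        return "resourceGroup"
    return "subscription"


def audit(assignments, platform_groups=frozenset()):
    """Return a Finding for every assignment that breaks one of the three rules.

    platform_groups: names of groups through which the platform team deliberately
    holds broad privileged roles (for example a platform admin group); their broad
    assignments are not reported.
    """
    findings = []
    for a in assignments:
        principal = a["principalName"]
        ptype = a["principalType"]
        role = a["roleDefinitionName"]
        scope = a["scope"]
        level = scope_level(scope)

        # Rule 1: privileged roles at subscription scope or wider cross the
        # landing zone boundary, unless the platform team owns the assignment.
        if role in PRIVILEGED_ROLES and level in BROAD_SCOPES and principal not in platform_groups:
            findings.append(Finding("broad-privileged-scope", principal, role, scope))

        # Rule 2: assign through groups, not to individual users, so access is
        # reviewable and does not silently outlive the person.
        if ptype == "User":
            findings.append(Finding("direct-user-assignment", principal, role, scope))

        # Rule 3: a workload identity must never be able to grant access; that
        # keeps access management separated from the application's own duties.
        if ptype == "ServicePrincipal" and role in ACCESS_ADMIN_ROLES:
            findings.append(Finding("workload-can-grant-access", principal, role, scope))
    return findings


# Constructed sample records (not output from a real tenant).
PLATFORM_GROUPS = frozenset({"sg-platform-admins"})
SAMPLE_ASSIGNMENTS = [
    {"principalName": "sg-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/contoso-platform"},
    {"principalName": "sg-app1-devs", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app1-data"},
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "sp-app1-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app1-data"},
    {"principalName": "sp-app1-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app1-data"
              "/providers/Microsoft.Sql/servers/sql-app1"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ASSIGNMENTS, PLATFORM_GROUPS):
        print(f"{f.rule:26} {f.principal:22} {f.role:26} {f.scope}")
```

On the sample data the audit reports three findings: the user-scoped Owner assignment at subscription level twice (broad scope and direct user), and the pipeline service principal that holds User Access Administrator. The platform group's Owner role at the management group is suppressed only because it is on the allow list; run without that list and it is reported too, which is the right default when the platform team has not documented why the assignment exists.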
Design Area Review
Functions:
- Cloud platform team
- Cloud center of excellence
- Cloud security team
Scope:
- Authenticate users and workloads
- Assign access to resources
- Define separation of duties
- Synchronize hybrid identities with Microsoft Entra ID
Out of Scope:
- Zero Trust architecture
- Privileged access management
- Automated guardrails
These aspects are covered in the compliance design areas for security and governance. For comprehensive guidance, see Azure identity management and access control security best practices.
Related Guidance
- Hybrid identity with Active Directory and Microsoft Entra ID
- Landing zone identity and access management
- Application identity and access management
- Identity architecture design
- Multiple Microsoft Entra tenants