Azure Cloud Security Checklist

SEEKÖ
Nov 12, 2021

Azure Cloud Security

Microsoft has built a set of security controls for its customers to use across Azure services, and it is up to the customer to make the most of these built-in capabilities. Here are best practices security experts recommend you follow:

1. Ensure that multifactor authentication (MFA) is enabled for all users

2. Enable MFA on privileged accounts and strongly consider layering in conditional access policies (e.g., location, IP address, device state)

3. Ensure that ‘users can consent to apps accessing company data on their behalf’ is set to ‘no’

4. Ensure that there are no guest users

5. Use Role-Based Access Control for all admin accounts instead of assigning all privileged accounts Global Administrator privileges

6. Ensure that ‘enable users to remember multifactor authentication on devices they trust’ is disabled

7. Ensure that ‘number of methods required to reset’ is set to 2

8. Ensure that ‘number of days before users are asked to re-confirm their authentication information’ is not set to 0

9. Ensure that ‘notify users on password resets’ is set to ‘yes’

10. Ensure that ‘notify all admins when other admins reset their password?’ is set to ‘yes’

11. Ensure that ‘users can consent to apps accessing company data on their behalf’ is set to ‘none’

12. Ensure that ‘users can add gallery apps to their Access Panel’ is set to ‘no’

13. Ensure that ‘guest user permissions are limited’ is set to ‘yes’

14. Ensure that ‘users can register applications’ is set to ‘no’

15. Ensure that ‘members can invite’ is set to ‘no’

16. Ensure that ‘guests can invite’ is set to ‘no’

17. Ensure that access to the Azure AD administration portal is restricted

18. Ensure that ‘users can create security groups’ is set to ‘none’

19. Ensure that ‘self-service group management enabled’ is set to ‘no’

20. Ensure that ‘users who can manage security groups’ is set to ‘none’

21. Make sure ‘require multifactor auth to join devices’ is set to ‘yes’

22. Ensure that ‘secure transfer required’ is set to ‘enabled’

23. Ensure that ‘storage service encryption’ is set to ‘enabled’

24. On SQL servers, ensure that ‘auditing’ is set to ‘on’

25. On SQL servers, ensure that ‘auditing type’ is set to ‘blob’

26. Ensure on SQL servers that ‘threat detection’ is set to ‘on’

27. On SQL servers, ensure that ‘threat detection types’ is set to ‘all’

28. On SQL servers, ensure that ‘send alerts to’ is set

29. On SQL servers, ensure that ‘email service and co-administrators’ is set to ‘enabled’

30. On SQL servers, ensure that firewall rules are set as appropriate

31. Disable RDP access on network security groups from the internet

32. Disable SSH access on network security groups from the internet

33. Enable Privileged Identity Management for privileged roles

34. Enable JIT access for IaaS VMs

35. Encrypt IaaS VM Hard Disks

36. Ensure that ‘OS vulnerabilities’ is set to ‘on’

37. Ensure that ‘endpoint protection’ is set to ‘on’

38. Ensure that ‘JIT network access’ is set to ‘on’

39. Ensure that ‘restrict access to Azure AD administration portal’ is set to ‘yes’

40. Ensure that ‘secure transfer required’ is set to ‘enabled’

41. Ensure that ‘storage service encryption’ is set to ‘enabled’

42. On SQL database or servers, ensure ‘Auditing’ is set to ‘on’

43. On SQL database or servers, ensure that ‘threat detection’ is set to ‘on’

44. On SQL database or servers, ensure that ‘transparent data encryption’ is set to ‘on’

45. On network security groups, disable RDP access from the internet

46. On network security groups, disable SSH access from the internet

47. On network security groups, disable Telnet (port 23) access from the internet

48. Secure the subscription

49. Minimize the number of admins/owners

50. Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription)
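Items 31, 32 and 45 to 47 can be audited offline against an exported rule set. The following Python is an added example, not code from the original post; it assumes rule dicts shaped like the output of `az network nsg rule list` (`priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix`/`sourceAddressPrefixes`, `destinationPortRange`/`destinationPortRanges`) and uses a constructed sample rule set.

```python
# Offline check for NSG rules that expose RDP, SSH or Telnet to the internet.
# Rule dicts mirror `az network nsg rule list` output; the sample set is constructed.
from typing import Iterable

INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}  # includes the Internet service tag
MGMT_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}

def _ports(rule: dict) -> list:
    # Azure populates either the singular or the plural field, never both
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]

def _port_match(spec: str, port: int) -> bool:
    """True if a port spec ('*', '22' or '20-30') covers the given port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposed_mgmt_ports(rules: Iterable[dict]) -> dict:
    """Return {port: rule name} for each management port reachable from the internet.
    Rules are walked as the NSG evaluates them: ascending priority, first match wins,
    and the built-in DenyAllInBound applies when nothing matches. Destination prefix
    and source port are assumed to be '*' and are not checked."""
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    exposed = {}
    for port in MGMT_PORTS:
        for rule in inbound:
            srcs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
            if rule.get("protocol", "*").lower() not in ("*", "tcp"):
                continue
            if not any(s.lower() in INTERNET_SOURCES for s in srcs):
                continue
            if not any(_port_match(p, port) for p in _ports(rule)):
                continue
            if rule["access"] == "Allow":
                exposed[port] = rule["name"]
            break  # first matching rule decides, whether Allow or Deny
    return exposed

# Constructed sample: the RDP deny holds, but a broad allow with a port range quietly
# exposes SSH and Telnet, and the office-only SSH rule is never reached.
SAMPLE_RULES = [
    {"name": "deny-rdp", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-web-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRanges": ["80", "443", "20-30"]},
    {"name": "allow-ssh-office", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
]
```

Running `exposed_mgmt_ports(SAMPLE_RULES)` reports SSH and Telnet as open via `allow-web-any`, which a check that only looks for literal port 22 and 23 rules would miss.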

Written by SEEKÖ

Blue team at day, Red team at night!