As we know, the Microsoft Azure cloud platform works seamlessly with Azure Active Directory (AAD).
The following products are three of many cloud-based Microsoft products.
As demonstrated below, each of them has its own RBAC, but only AAD manages the identities: the Azure subscription, Azure DevOps, and every other product that can use AAD all consume AAD's identities.
We see that users/identities are managed in AAD, and products that can connect to AAD benefit from centralized identity management. AAD supports a single common digital identity, which means a user/identity does not need a separate identity for each service or product.
To keep this post simple, I treat a user as an identity.
An identity is actually more than a user: it can be the identity of a user or the identity of a service.
Identity protection in AAD
Having a single identity is a great idea for identity management, especially at enterprise scale, but it also makes the security and protection of that identity more important. An identity breach can have unexpected and unimaginable consequences, such as provisioning expensive resources on the subscription, or deleting a repo or a project in DevOps.
There are different solutions against such breaches/compromises. The easiest and quickest one is activating Multi-Factor Authentication (MFA) for the whole AAD, meaning all the users managed in AAD must sign in with MFA.
How to activate MFA? Watch the answer in this video.
I recommend having a comprehensive concept for activating MFA in huge projects or at an enterprise scale.
It doesn't matter which cloud provider you are using: never forget identity security and protection.
After activating MFA in this way, the user has to log in to all the services connected to this AAD with MFA. MFA means using not only the username-and-password method but also a second authentication factor to verify who the user is.
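One way to verify that "MFA for the whole AAD" is really in place is to audit the tenant's Conditional Access policies, which is the policy-based route to the same goal rather than the video's steps. The following is an added example, not code from the post: it checks policy objects in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies; the sample policies and the group id placeholder are constructed for the demo.

```python
"""Audit Azure AD Conditional Access policies for a tenant-wide MFA baseline.

Added example (not from the original post). Works on the JSON shape that
Microsoft Graph returns for conditionalAccessPolicy objects; the policies
below are constructed samples, not data from a real tenant.
"""
from typing import Any


def enforces_tenant_wide_mfa(policy: dict[str, Any]) -> bool:
    """True only if this policy forces MFA on every user for every cloud app.

    Report-only policies, user/group/app exclusions, and 'OR' grant controls
    that let another control (e.g. a compliant device) stand in for MFA are
    all treated as gaps, because each one leaves a sign-in path without MFA.
    """
    if policy.get("state") != "enabled":          # not "enabledForReportingButNotEnforced"
        return False
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    if users.get("includeUsers") != ["All"]:
        return False
    if users.get("excludeUsers") or users.get("excludeGroups"):
        return False
    if apps.get("includeApplications") != ["All"] or apps.get("excludeApplications"):
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        return False
    # With operator "OR", any listed control satisfies the grant, so MFA is
    # only guaranteed when it is the sole control or the operator is "AND".
    return controls == ["mfa"] or grant.get("operator") == "AND"


def tenant_has_mfa_baseline(policies: list[dict[str, Any]]) -> bool:
    """True if at least one policy in the tenant enforces MFA for everyone."""
    return any(enforces_tenant_wide_mfa(p) for p in policies)


# Constructed samples: a report-only pilot and a policy with a group carve-out.
SAMPLE_POLICIES = [
    {"displayName": "MFA pilot", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA all but contractors", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["<contractors-group-id-placeholder>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
# The policy that corresponds to "MFA for the whole AAD" in Conditional Access terms.
BASELINE_POLICY = {"displayName": "Require MFA for all users", "state": "enabled",
                   "conditions": {"users": {"includeUsers": ["All"]},
                                  "applications": {"includeApplications": ["All"]}},
                   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
```

Run it against the policies pulled from your own tenant to find out whether the baseline is actually enforced or only piloted or partially scoped.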