An easy and obvious first step into Public Cloud transformation for identity protection
In today’s business environment, it is imperative to enable directory synchronization for all users across your business. A key enabler for single sign-on is Azure Active Directory (Azure AD).
With Azure AD you can now seamlessly integrate identity management capabilities including multi-factor authentication, device registration, role-based access control, and security monitoring and alerting.
Deploying domain controllers in Azure is an important step in providing a business with resilient identity. By taking the same precautions you would for on-premises environments, you can have a safe and secure cloud environment.
The best practices listed are not an exhaustive list of all the configurations and settings you should implement to have a secure domain controller environment in the cloud. They are, however, a great guideline to get started with Azure Active Directory. The information needs to be applied to the specific security requirements and standards your customer requires.
The following guidelines have been provided by Mike Hacker:
- Review the guide for hosting Active Directory domain controllers in Azure.
- Use a dedicated Azure storage account for Active Directory domain controller disks.
- Ensure that the storage container for the domain controller’s OS and data disks is set to private access type (this is the default for new containers).
- Use role-based access control (RBAC) to limit who has access to manage the storage account and access keys.
- Enable Azure Disk Encryption with key encryption key (KEK) for both the operating system and data disks. This will utilize Azure Key Vault for storing the keys. The Key Vault must reside in the same Azure region and subscription as the virtual machine.
- Use RBAC to limit who has access to manage the Key Vault.
- Keep domain controllers in their own virtual network subnet.
- Implement an incoming deny all network security group rule on the domain controller subnet and then configure only the required ports for the domain controllers.
- Set a static IP for the domain controller using PowerShell or the Azure Management Portal. Never set a static IP address directly in the operating system. You must always set the operating system to use DHCP.
- Do not set public IP addresses on domain controllers.
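The network-related guidelines above (dedicated subnet, inbound deny-all with only the required ports, static IP set in Azure rather than in the guest OS, no public IP) as one Az PowerShell script. This is an added example, not part of the original guidelines; every resource name, address range and IP address in it is a placeholder, and the AD DS port list is the commonly required set, which you should trim to what your domain controllers actually serve.

```powershell
# Added example (not from the original article): hardening a domain-controller subnet
# and NIC with the Az PowerShell module. All names, address ranges and IPs below are
# placeholders; replace them with your own.
$rg       = 'rg-identity-dc'          # placeholder resource group
$location = 'westeurope'              # placeholder region
$vnetName = 'vnet-hub'                # placeholder virtual network
$dcSubnet = 'snet-domaincontrollers'  # dedicated subnet that holds only the DCs
$dcPrefix = '10.10.1.0/24'            # placeholder subnet range
$clients  = '10.10.0.0/16'            # placeholder address space allowed to reach the DCs

# 1. Explicit inbound deny at the lowest custom priority (4096). This also overrides
#    Azure's built-in AllowVnetInBound default rule (priority 65000), so every flow
#    the DCs need must be listed explicitly at a higher priority (lower number).
$denyAll = New-AzNetworkSecurityRuleConfig -Name 'DenyAllInbound' -Direction Inbound `
    -Access Deny -Priority 4096 -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

# 2. Allow only the AD DS service ports, and only from the client address space.
#    Commonly required set: DNS, Kerberos, NTP, RPC mapper, LDAP(S), SMB, kpasswd,
#    Global Catalog and the dynamic RPC range. Trim to what your DCs actually serve.
$allowAdds = New-AzNetworkSecurityRuleConfig -Name 'AllowADDSFromClients' -Direction Inbound `
    -Access Allow -Priority 100 -Protocol '*' -SourceAddressPrefix $clients -SourcePortRange '*' `
    -DestinationAddressPrefix $dcPrefix `
    -DestinationPortRange @('53','88','123','135','389','445','464','636','3268','3269','49152-65535')

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-domaincontrollers' -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowAdds, $denyAll

# 3. Attach the NSG to the dedicated DC subnet.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $dcSubnet `
    -AddressPrefix $dcPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Make the DC's private IP static at the Azure NIC level (the guest OS stays on DHCP
#    and receives this address from the platform) and refuse to continue if a public IP
#    is attached to the NIC.
$nic = Get-AzNetworkInterface -Name 'nic-dc01' -ResourceGroupName $rg   # placeholder NIC
if ($nic.IpConfigurations[0].PublicIpAddress) {
    throw 'nic-dc01 has a public IP attached; remove it before continuing.'
}
$nic.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
$nic.IpConfigurations[0].PrivateIpAddress = '10.10.1.4'                   # placeholder IP inside $dcPrefix
$nic | Set-AzNetworkInterface | Out-Null
```

Run it from a session that has already completed Connect-AzAccount against the target subscription; the NIC update at step 4 briefly reconfigures the interface, so apply it during a maintenance window.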
| Edition | Description | Price ($) | Price (R) |
|---|---|---|---|
| Azure Active Directory Basic | A robust set of capabilities to empower organizations with more demanding needs on identity and access management. | $0.91 | R11.74 |
| Azure Active Directory Premium P1 | A robust set of capabilities to empower organizations with more demanding needs on identity and access management. | $5.45 | R70.47 |
| Azure Active Directory Premium P2 | A comprehensive cloud identity and access management solution with advanced identity protection for all your users and administrators. | $8.18 | R105.70 |