When designing isolated environments, it's important to consider the following principles:

- Use only modern authentication - Applications deployed in isolated environments must use claims-based modern authentication (for example, SAML, *Auth, OAuth2, and OpenID Connect) to use capabilities such as federation, Microsoft Entra B2B collaboration, delegation, and the consent framework. This way, legacy applications that depend on legacy authentication methods such as NT LAN Manager (NTLM) won't carry forward into isolated environments.
- Enforce strong authentication - Strong authentication must always be used when accessing the isolated environment's services and infrastructure. Whenever possible, use passwordless authentication such as Windows Hello for Business or FIDO2 security keys.
- Deploy secure workstations - Secure workstations provide the mechanism to ensure that the platform, and the identity that platform represents, is properly attested and secured against exploitation. Two further options:
  - Use Windows 365 Cloud PCs (Cloud PC) with the Microsoft Graph API.
  - Use Conditional Access and filter for devices as a condition.
- Eliminate legacy trust mechanisms - Isolated directories and services shouldn't establish trust relationships with other environments through legacy mechanisms such as Active Directory trusts. All trusts between environments should be established with modern constructs such as federation and claims-based identity.
- Isolate services - Minimize the attack surface by protecting the underlying identities and service infrastructure from exposure. Enable access only through modern authentication for services, and through secure remote access (also protected by modern authentication) for the infrastructure.
- Directory-level role assignments - Avoid or reduce the number of directory-level role assignments (for example, User Administrator at directory scope instead of administrative unit (AU) scoping) and service-specific directory roles with control-plane actions (for example, Knowledge Admin with permissions to manage security group memberships).

For all isolated tenants, we suggest you use clear and differentiated branding to help avoid the human error of working in the wrong tenant.

In addition to the guidance in the Microsoft Entra general operations guide, we also recommend the following considerations for isolated environments.

Human identity provisioning

Privileged accounts

Provision accounts in the isolated environment for the administrative personnel and IT teams who operate the environment. This enables you to add stronger security policies such as device-based access control for secure workstations. As discussed in previous sections, nonproduction environments can potentially use Microsoft Entra B2B collaboration to onboard privileged accounts to the non-production tenants using the same posture and security controls designed for privileged access in the production environment.

Cloud-only accounts are the simplest way to provision human identities in a Microsoft Entra tenant, and they're a good fit for green-field environments.
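As an added worked example (not code from the original page or from Microsoft), the following Python builds Microsoft Graph-shaped Conditional Access policy documents for two of the principles above, blocking legacy client protocols and restricting privileged roles to devices that match a secure-workstation device filter, and audits role assignments for directory-wide scope. The `extensionAttribute1` marker value, the sample role assignments and the administrative unit placeholder are constructed assumptions; the role template IDs are the well-known built-in ones for Global Administrator and User Administrator. Nothing here contacts Graph; it only produces and checks the documents you would submit.

```python
"""Constructed example: Conditional Access policy documents in the Microsoft
Graph conditionalAccessPolicy shape, plus an audit of unifiedRoleAssignment-
shaped records for tenant-wide privileged role scope. Runs fully offline."""
import json

# Well-known role template IDs of built-in Entra roles. For built-in roles the
# roleDefinitionId on a role assignment equals the role template ID.
GLOBAL_ADMINISTRATOR = "62e90394-69f5-4237-9190-012177145e10"
USER_ADMINISTRATOR = "fe930be7-5e62-47db-91af-98c3a49a38b1"

# clientAppTypes values that cover legacy (non-modern) authentication clients.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def legacy_auth_block_policy() -> dict:
    """Policy that blocks legacy client protocols for all users and apps, so
    only modern, claims-based authentication reaches the isolated tenant."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": sorted(LEGACY_CLIENT_APP_TYPES),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def secure_workstation_policy(marker: str = "SecureWorkstation") -> dict:
    """Block privileged-role sign-ins from any device that does not carry the
    secure-workstation marker. Filter mode 'exclude' exempts matching devices,
    so unregistered devices and all others are in scope and get blocked.
    The extensionAttribute1 value is an assumed, constructed marker."""
    rule = f'device.extensionAttribute1 -eq "{marker}"'
    return {
        "displayName": "Privileged roles: require secure workstation",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMINISTRATOR, USER_ADMINISTRATOR]},
            "applications": {"includeApplications": ["All"]},
            "devices": {"deviceFilter": {"mode": "exclude", "rule": rule}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_blocks_legacy_auth(policy: dict) -> bool:
    """True only if the policy is enforced, applies to all users, covers both
    legacy client types and blocks. Report-only or disabled policies fail."""
    conditions = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    return (
        policy.get("state") == "enabled"
        and "block" in grant.get("builtInControls", [])
        and LEGACY_CLIENT_APP_TYPES <= set(conditions.get("clientAppTypes", []))
        and "All" in conditions.get("users", {}).get("includeUsers", [])
    )


def broad_role_assignments(assignments: list, role_ids: set) -> list:
    """Return assignments of the given roles whose directoryScopeId is the
    tenant root '/' rather than an administrative unit scope."""
    return [
        a for a in assignments
        if a["roleDefinitionId"] in role_ids and a["directoryScopeId"] == "/"
    ]


# Constructed sample records in unifiedRoleAssignment shape; the AU id is a
# placeholder, not a real identifier.
SAMPLE_ASSIGNMENTS = [
    {"principalId": "user-a", "roleDefinitionId": USER_ADMINISTRATOR,
     "directoryScopeId": "/"},
    {"principalId": "user-b", "roleDefinitionId": USER_ADMINISTRATOR,
     "directoryScopeId": "/administrativeUnits/<au-id-placeholder>"},
    {"principalId": "user-c", "roleDefinitionId": "00000000-0000-0000-0000-000000000000",
     "directoryScopeId": "/"},
]


if __name__ == "__main__":
    print(json.dumps(legacy_auth_block_policy(), indent=2))
    print(json.dumps(secure_workstation_policy(), indent=2))
    for a in broad_role_assignments(SAMPLE_ASSIGNMENTS, {USER_ADMINISTRATOR}):
        print("directory-wide User Administrator assignment:", a["principalId"])
```

The audit deliberately treats a report-only policy (`enabledForReportingButNotEnforced`) as not blocking, since that state logs but does not stop legacy sign-ins; the scope check flags only the privileged roles you pass in, so AU-scoped assignments of the same role pass.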