Cloud Security Checklist

WORK in Progress
Sheet is used to perform an assessment of the current landing zone. Used in combination with explaining and discussing the L
zone best practices in combination with what is already implemented deployed in the current landing zone
Please always validate the latest recommendation on https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/rea

To be validated completeness
Weight of score is under review, will be improve based on multiple assessment analyses. Use it as an indicator.
Other possble action, make also score per sub item
Estimated
Percentage
ID Item Status applied
A Enterprise Enrollment and Azure AD Tenants
A1 Planning for Enterprise Enrolment
A1.1 EA Administrator Notification Account Implemented 100%
A1.2 Number of Departments Implemented 100%
A1.3 Number and type of EA Account Partial Implemented 20%
A1.4 Audit Interval for EA Portal for Microsoft account and required Not Implemented 0%
access
A1.5 Make Use of Dev/Test EA subscription cost optimize Not Implemented 0%
A1.6 Assign Budget per account / Department to establish alerts Implemented 100%
A1.8 Other notes, recommendations

A2 Azure AD Tenants
A2.1 AAD Tenants Implemented 100%
A2.2 AAD PIM for all tenant and M365 roles Implemented 100%
A2.3 Break the glass accounts Implemented 100%
A2.4 Other notes, recommendations

B Identity and Access Management
B1 Planning for identity and access management
B1.1 Enforce MFA, Azure AD Conditional Access policies Implemented 100%
B1.2 "Azure AD only" groups for Azure control plane Partial Implemented 80%
B1.3 Custom Role Definitions + Not Implemented 20%

AAD PIM for Azure roles
B1.4 AAD Diagnostic Logs Implemented 100%

B1.5 Custom RBAC Roles and Usage Partial Implemented 80%
B1.6 Separate admin accounts for cloud administrative tasks Implemented 100%
B1.6 Other notes, recommendations

B2 Authentication Inside the Landing Zone
B2.1 Domain Controller in Azure or AADDS services Implemented 100%
B2.2 Use Azure AD Application Proxy for Intranet application Currently not applicable 100%
B2.3 Use Managed Identities to authenticate to azure resource Implemented 100%
B2.4 Identity network segmentation and connectivity design and Implemented 100%
separation of concerns for inside landing zone (legacy)
authentication
B2.5 Other notes, recommendations

C Management Group and Subscription Organization
C1 Management Group Hierarchy

C1.1 Use Management groups for both policies and management Partial Implemented 10%
RBAC
C1.2 Other notes, recommendations

C2 Subscription Organization and Governance
C2.1 Create separate platform subscriptions for Management Partial Implemented 50%
(Monitoring), Connectivity and Identity when these are
required
C2.2 Subscriptions as a democratized unit of management aligned Implemented 100%

with business needs and priorities.
C2.3 Group subscriptions under Management groups to ensures Not Implemented 10%
that subscriptions with the same set of policies and Azure role
assignments.
C2.4 Have new subscription as a service. Automate subscription Partial Implemented 40%
creation File > New > Landing Zone
C3 Configure Subscription Quota and Capacity
C3.1 Ensure that sufficient capacity and SKUs are available and the Currently not applicable 100%
attained capacity can be understood and monitored

C4 Establish Cost Management
C4.1 Implement Cost transparency across a technical estate. Partial Implemented 50%
C4.2 Tags enforced for billing Not Implemented 0%
C4.3 Additional Tags to be enforced or optional Not Implemented 0%

D Network Topology and Connectivity
D1 Planning for IP Addressing
D1.1 plans for IP addressing in Azure to ensure that IP address space Implemented 100%
doesn't overlap across on-premises locations and Azure regions
D2 DNS and name resolution for on-premises and Azure

resources
D2.1 Implement central DNS name resolution when required or use Implemented 100%
Azure DNS
D2.2 Hybrid DNS Resolved (seamless resolving on-premise and the Implemented 100%
cloud )
D2.3 Central Private link private DNS zones when required Not Implemented 0%
D3 Define an Azure Networking Topology

D3.1 Defined network topology based on Virtual-WAN or Hub Spoke Implemented 100%
or Cloud only network topologies
D4 Connectivity to Azure
D4.1 connecting on-premises locations (other datacenters) to Azure Implemented 100%
D4.2 Deploy network components for connectivity to Azure zone Not Implemented 0%
redundant for higher availability when required
D4.3 Monitor the connectivity to Azure capacity Not Implemented 30%

D5 Connectivity to Azure PaaS Services
D5.1 Use vNet integration to isolate PAAS endpoints when required Implemented 100%
D5.2 Implement DNS setup to support Private Link services DNS Currently not applicable 0%
resolving
D6 Planning for Inbound and Outbound Internet Connectivity
D6.1 Secure outbound connectivity to the public internet via Azure Not Implemented 0%
Firewall
D6.2 Secure inbound connectivity from the public internet via Partial Implemented 80%
Application Gateway with Web Application Firewall (WAF) or
FrontDoor WAF Policies
D6.3 Use DDOS Protection to enhance security and insight Currently not applicable 100%
D6.4 Deploy network components for connectivity to Azure zone Not Implemented 0%
redundant for higher availability when required
D7 Planning for Application Delivery

D7.1 Deliver internal-facing and external-facing apps in a secure, Partial Implemented 80%
highly scalable, and highly available way.
D8 Planning for "Landing Zone" Network Segmentation

D8.1 secure internal network segmentation within a landing zone to Implemented 100%
drive a network zero-trust implementation
D8.2 Delegate Subnet creation to the landing zone owner Currently not applicable 100%
D8.3 Implement NSG to protect traffic across subnets, as well as Implemented

east-west traffic across the platform.
D8.4 Enable NSG Flow Log Currently not applicable 100%
D9 Define Network Encryption Requirements

D9.1 Additional network encryption requirements between on- Currently not applicable 100%
premises and Azure as well as across Azure regions
D10 Plan for traffic inspection

D10.1 Packet capture requirements Currently not applicable 100%
D11 Other networking notes, recommendations

E Management and Monitoring
E1 Planning for Platform Management and Monitoring
E1.1 Single Log monitor workspace Not Implemented 10%
E1.2 Export logs to Azure Storage if log retention requirements Currently not applicable 100%
exceed two years,
E1.3 Use Azure Policy for access control and compliance reporting. Not Implemented 20%
E1.4 Update Management in Azure Automation as a long-term Currently not applicable 100%
patching mechanism for both Windows and Linux VMs.
E1.5 Use Network Watcher to proactively monitor traffic flows via Not applicable 100%
Network Watcher NSG flow logs v2.
E1.6 Implement Resource locks to prevent accidental deletion of Not Implemented 0%

critical shared services.
E1.7 Include Service and Health event in the monitoring Partial Implemented 30%
E2 Planning for Application Management and Monitoring

E2.1 Allow app owners to create/use their own monitoring tools Partial Implemented 100%
within the Landing Zone (RBAC).
F Business Continuity and Disaster Recovery

F1 Planning for BCDR
F1.1 Provide baseline backup/restore capabilities Partial Implemented 50%
F1.2 Use Availability Zones to make deployment High Available over Not Implemented 0%
several zones.
F1.2 Use Region for DR scenario or always available multi region Currently not applicable 0%
deployments
F1.3 Other notes, recommendations

G Security, Governance and Compliance
G1 Define Encryption and Key Management
G1.1 Keyvault best practices Partial Implemented 80%
G1.2 Encryption at rest Not applicable 100%

G1.3 Encryption in transit Partial Implemented 50%
G2 Plan for governance
G2.1 Region Policy for data sovereignty Partial Implemented 50%
G2.2 Tag policy Not Implemented 0%
G2.3 Map regulatory and compliance requirements to Azure Policy Implemented 100%
definitions and Azure role assignments.
G2.4 Policy Management via Management groups Not Implemented 20%
G2.5 Use policy to limit the services that can be used by the Currently not applicable 100%
application teams
G2.6 Enable policies to prevent data exfiltration concerns. Defining Not Implemented 0%
requirements for private endpoints (Service Endpoints, Private
Link)
G3 Define security monitoring and an audit policy

G3.1 Use Azure AD reporting capabilities to generate access control Implemented 100%
audit reports.
G3.2 Export Azure activity logs Not Implemented 0%
G3.3 Enable Defender for Azure (Server, Storage, WebApp, Partial Implemented 70%
Container etc.) for E2E Security Monitoring
G3.4 Update management and inventory for Virtual machines Currently not applicable 100%
G3.5 Data Retention policy for logging Not Implemented 100%

G3.6 Use Azure Sentinel as SIEM SOAR Partial Implemented 50%
G4 Planning for Platform Security

G4.1 Set Platform Security Baseline Not Implemented 20%
G4.2 security/service allow-list plan Currently not applicable 100%
G4.3 Define responsibilities, Azure (MSFT), Platform (Customer) and Partial Implemented 30%
Application teams (Customer)
H Platform Automation and DevOps
H1 Planning for a DevOps Approach
H1.1 Establish a cross functional DevOps Platform Team to build, Partial Implemented 90%
manage and maintain your Enterprise Scale architecture. This
team should include members from your central IT, security,
compliance, and business units teams to ensure a wide
spectrum of your enterprise is represented.
H1.2 Use Code Repositories Implemented 100%

H1.3 Use CI/CD pipeline Implemented 100%
H1.4 Use Infrastructure as Code Partial Implemented 30%
H1.5 Consider azOps for managing the Enterprise scale landing zone Currently not applicable 100%
declaratively to determine target goal state of the overall ESLZ
platform.
H1.6 Implement DevSecOps Unknown to be validated 0%

H1.7 File > New > Landing Zone also set up a Git repository to host Unknown to be validated 0%
IaC and service principals for use with a platform pipeline for
continuous integration and continuous deployment.
H1.8 Implement automation for File > New > Region Not applicable 100%
H1.9 Implement automation for File > New > Landing Zone for Implemented 80%
applications and workloads
H2 Define Central and Federated Responsibilities

H2.1 recommended distribution of responsibilities between the Unknown to be validated 0%
central IT team and application teams
Remark Action Priority
--
-
Remark is used to document
briefly the current state
Validate if not should be privileged named Medium

accounts
Implement periodic reviews Medium
If dev having already Visual studio subscription Low

this could be a cost optimization for dev/test
subscriptions
--
Use Azure AAD group for role RBAC on Medium

Management group level instead of direct
assignments
Add also Azure role

Use Azure AAD group for role RBAC on Medium
Management group level instead of direct
assignments
Investigate the use of Azure AD Application Low

proxy for Intranet applications
--
Create a management group structure based on High

enterprise landing zone with platform and
landing zone to be able to apply policies and
RBAC for management role like platform owner,
SysOps, NetOps and SecOps. See sample setup
provided in document.
Create new subscription for Management with High

new Log Analytics, to isolate logging as this also
will contain security logging. Keep Connectivity
and identity in " General"
Create the default grouping of Enterprise High

landing zone as a default and adopt new
grouping when required
Create automation see Low

https://github.com/Azure/Enterprise-Scale/tree
/main/examples/landing-zones
-
-
Consider automated reporting when tags are Low
enforced and applied with Power BI
See tags sheet for proposed tags High
See tagging sheet for other options Low
--
Implement central connected Private DNS zones Medium

for PAAS private Link to the General vNet
where the domain controllers are placed
-
Considering Expressroute setup to get Low
dedicated lines. Could use SURFNet as ER
provider.
When having a clear Zone Redundant strategy Evaluate
implement also Zone Redundant VPN Gateway
Implement NPM monitoring over S2S Low

-
Implement central connected Private DNS zones Medium

for PAAS private Link to the General vNet
where the domain controllers are placed
Use Firewall to secure outbound internet traffic.

Implement by deployment and add UDR on GW
subnet and Landing Zone Subscription vNet. Can
be done one by one. Implement FQDN rules to
allow only the necessary outbound websites
that are required for windows and Linux
servers.
Create clear policies when to use WAF and Medium

evaluate FrontDoor with WAF.
Implement when needed to have additional Evaluate

protection of public IP (LB), App GW etc.
When having a clear Zone Redundant strategy Evaluate
implement also Zone Redundant Firewall
-
Create clear policies when to use WAF and Low
evaluate FrontDoor with WAF.
No requirements
-
No requirements
-
No requirements
--
-
Implement central monitoring for IAAS and High
PAAS logging. Use policies to enforce logging to
central. Teams can deploy App Insight or
additional log analytics when need in LZ
subscriptions.
evaluate when retention policy is ready Low
See policy sheet for proposed policies High
Evaluate if Azure Update Management could Low

have value
No requirements
Planned used scripting to implement all Low

production tag workloads should be locked
Include alerts and add in the monitoring High
--
-
Evaluate Native Backup Azure Backup for VM Medium
and PAAS backup driven by Policy to check
compliance. Deploy recovery vault for server
with TAG
Create guidance when to use Zone redundant Medium
deployment, see also then network components
redundancy.
Create guidance for DR, Backup with Global Medium

Redundant storage for DR or ASR.
--
-
Provision Azure Key Vault with the soft delete Medium
and purge policies enabled to allow retention
protection for deleted objects. Create written
policy when
No requirements
Create policies to enforce for TLS, HTTPS Medium
-
Implement WE , NE, Europe enforcement policy Low
When having defined the required tags create Low

policy to append and enforce
No requirements
Evaluate requirements, if needed enforce via Low

Policy
Implement Policy to enforce export Medium
Evaluate current settings and create policy Low

based on Management group
check if Azure Update Management could be Low
used in parallel
Evaluate current LA retention when guidance is Medium
ready
Evaluate to enable on new central LA or Low
alternative import Azure Security Center alerts
into existing Sentinel
-
No requirements
Include alerts and add in the monitoring High
--
-
Select ARM, Terraform as standard and provide Low

sample deployments to include in pipeline
No requirements
To be validated Low
To be validated Low
Evaluate PIM also for Subscription owners Low
-
To be validated Low
Best practice
Do not move or rename an EA Account in Azure AD. Periodically audit EA portal to review who has access.
Setup the notification contact email address to ensure notifications are sent to an appropriate group mailbox.
Do not ignore notification emails sent to the notification account email address. Microsoft sends important EA wide communications to this account.
Create a new department for IT if business domains have independent IT capabilities.

Organization can have a variety of structures such as functional, divisional, geographic, matrix or team structure. Leverage organizational structure to map organization s
enterprise enrollment.
Only use the authentication type "Work and School Account" for all account types. Avoid using the MSA account type.
Restrict and minimize the number of Account Owners within the Enrollment to avoid the proliferation of admin access to Subscriptions and associated Azure resources.
If multiple Azure AD tenants are used, ensure the Account Owner is associated with the same tenant as where subscriptions for the account are provisioned.
90 Days
Setup enterprise Dev/Test/Prod environments at an EA account level to support creation of dev/test workload for active Visual Studio subscribers. See https://docs.micr
us/visualstudio/subscriptions/azure-ea-devtest
Assign a budget for each account and establish an alert associated with the budget.
Leverage Azure AD SSO based on the selected planning topology. (Azure AD Connect for each identity that is to be synchronized)
In case organization does not have existing identity infrastructure, then it is recommended to start by implementing Azure AD only identity deployment. Such deployme
AD domain services and Enterprise mobility suite provide end to end protection for SaaS & enterprise application as well as devices. Use the tenant where the identity p
implemented to connect the azure subscriptions, do not use dev/test tenants in combination with lifecycle of enterprise applications. If Dev/Test/Prod of a specific appli
going to be completely isolated environments and integrated with AAD from an identity perspective, separate them at a tenant level (i.e. use multiple tenants). Avoid cr
Azure AD tenant unless there is a strong IAM justification and processes are already in-place. Dev Test Active Directory can easily reside in an subscription connected to t
managed production tenant.
Use Azure AD privileged identity management for Identity and access management.
Plan and implement for emergency access or break-glass accounts to prevent tenant-wide account lockout. See also
https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning
Use Azure RBAC to manage data plane access to resources where possible (e.g. Key Vault, Storage account, Azure SQL Database).
Enforce MFA for any user with rights to the Azure environment(s). This is a requirement of many compliance frameworks and greatly lowers the risk of credential theft a
unauthorized access. MFA provides a second barrier of authentication adding another layer of security. It is recommended to enforce MFA and conditional access policie
privileged accounts to make it more secure. MFA does provide another barrier of authentication but does not stop phishing or social engineering such as hacker taking p
possession of your phone or Sim Swapping or cloning. It is recommended that MFA should be implemented with device management policy(such as strong pin locking an
and erasing device remotely when its lost). Out of band multifactor authentication (such as biometric) is also consider secure form of MFA. Deploy Azure AD Conditional
for any user with rights to the Azure environment(s). Doing so will provide another mechanism to help protect a controlled Azure environment from unauthorized acces
Use "Azure AD only" groups for Azure control plane resources in Azure AD PIM when granting access to resources.
Add on-premises groups to the "Azure AD only" group if there is an existing group management system already in place. Don't add users directly to Azure resource scope
users to defined roles, which are then assigned to resource scopes. Direct user assignments circumvent centralized management, greatly increasing the management re
prevent unauthorized access to restricted data.
Use Azure AD Privileged Identity Management (PIM) to establish zero standing access and least privilege. We recommend that customers map the organization roles to t
level of access needed. Azure AD PIM can either be an extension of existing tools and processes, utilize Azure native as outlined above, or both as needed.
Use Azure AD PIM access reviews to periodically validate resource entitlements. Access reviews are part of many compliance frameworks so many organizations will alre
process in place to address this requirement.
Integrate Azure AD logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organ
cloud native options to meet requirements around log collection and retention.
Use custom RBAC role definitions within the Azure AD tenant, considering the following key roles: Azure Platform Owner, NetOps, SecOps, DevOps
Creating separate admin accounts for users who need to conduct on-premises administrative tasks.
Deploying Privileged Access Workstations for Active Directory administrators. See also https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning
If an organization has a scenario where an application that uses integrated Windows authentication must be accessed remotely through Azure AD, consider using Azure
Proxy. https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy
Use managed identities instead of service principals for authentication to Azure services. This approach reduces exposure to credential theft
Use a separate subscription and vNet. Alternative have Identity in a hub vNet.
Use management groups to enforce governance over all subscriptions.

Keep the Management Group hierarchy reasonably flat with ideally no more than 3-4 levels.
Avoid duplicating your organizational structure into a deeply nested management group hierarchy. Management groups should be used for policy assignment purposes,
purposes.
Create management groups under your root level management group that represent the types of workloads (archetype) that you will host, based on their security, comp
connectivity, and feature needs.
Create a Platform Management Group under the top-level (root) Management Group to support common platform policy and RBAC assignment.
Limit the number of Azure Policy assignments made at the root Management Group scope.
Do not create any subscriptions under the "root" Management Group.
Create a top-level Sandboxes management group to allow users to immediately experiment with Azure.
Establish a dedicated management subscription in the Platform management group to support global management capabilities such as Azure Monitor Log Analytics wor
Azure Automation runbooks.
Establish a dedicated identity subscription in the Platform management group to host Windows Server Active Directory domain controllers, when necessary.
Establish a dedicated connectivity subscription in the Platform management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute
other networking resources. A dedicated subscription ensures that all foundation network resources are billed together and isolated from other workloads.
Subscriptions serve as a scale unit so that component workloads can scale within the platform subscription limits.
Subscriptions serve as a boundary for the assignment of Azure policies. For example, secure workloads, such as PCI workloads, typically require additional policies to ach
compliance. Instead of using a management group to group workloads that require PCI compliance, you can achieve the same isolation by using a subscription.
Subscriptions provide a management boundary for governance and isolation, allowing for a clear separation of concerns.
Avoid a rigid subscription model, and opt instead for a set of flexible criteria to group subscriptions across the organization. This flexibility ensures that as your organizati
and workload composition changes, you can create new subscription groups instead of using a fixed set of existing subscriptions. One size doesn't fit all for subscriptions
for one business unit might not work for another. Some applications might coexist within the same landing zone subscription while others might require their own subsc
Group subscriptions together under management groups aligned within the management group structure and policy requirements at scale. Grouping ensures that subsc
the same set of policies and Azure role assignments can inherit them from a management group, which avoids duplicate assignments.
Have in service catalog for appdev teams the service request new subscription.
Deploy a new landing zone (File > New > Landing Zone): These are recurring activities that are required to instantiate a new landing zone.
Leverage subscriptions as scale units, scaling out resources and subscriptions as required.
Use reserved instances to prioritize reserved capacity in required regions.

This ensures that your workload will have the required services, even if there is a high demand for that resource in a given region at any time.
Establish a dashboard with custom views to monitor utilized capacity levels. Setup alerts if capacity utilization is reaching critical levels (e.g. 90% CPU utilization).
Configure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription).
Govern subscription quotas using Azure Policy
Ensure required services and features are available within the chosen deployment regions.
Use Azure Cost Management + Billing for cost aggregation. Make it available to application owners.
Use Azure resource tags for cost categorization and resource grouping. Using tags allows you to have a chargeback mechanism for workloads that share a subscription o
workload that spans across multiple subscriptions.
Plan for non-overlapping IP address spaces across Azure regions and on-premises locations well in advance.
Use IP addresses from the address allocation for private internets (RFC 1918).
For environments with limited private IP addresses (RFC 1918) availability, consider using IPv6.
Do not create unnecessarily large Virtual Networks (for example: /16) to ensure there is no unnecessary wastage of IP address space.
Do not create Virtual Networks without planning the required address space in advance, since adding address space will cause an outage once a Virtual Network is conne
Virtual Network Peering.
Do not use public IP addresses for Virtual Networks, especially if the public IP addresses do not belong to the customer.
For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution. Create a delegated zone for name resolution (such as
azure.contoso.com). Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual n
Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.
For environments where name resolution across Azure and on-premises is required, use existing DNS infrastructure (for example, Active Directory integrated DNS) deplo
least two virtual machines (VMs). Configure DNS settings in virtual networks to use those DNS servers.
You can still link an Azure Private DNS zone to the virtual networks and use DNS servers as hybrid resolvers with conditional forwarding to on-premises DNS names, such
onprem.contoso.com, by using on-premises DNS servers. You can configure on-premises servers with conditional forwarders to resolver VMs in Azure for the Azure Priva
(for example, azure.contoso.com). Use a virtual machine as a resolver for cross-premises DNS resolution with Azure Private DNS.
Create the Azure Private DNS zone within a global connectivity subscription. You might create other Azure Private DNS zones (for example, privatelink.database.window
privatelink.blob.core.windows.net for Azure Private Link).
Create Hybrid connectivity network topology when required.

Consider Virtual WAN doing new large or global network deployments in Azure and/or multiple Branches based on SD WAN technology.
Consider Hub Spoke when have limited region deployments and not planning direct Branche connectivity.
Use ExpressRoute as the primary connectivity channel for connecting an on-premises network to Azure. You can use VPNs as a source of backup connectivity to enhance
resiliency. Use dual ExpressRoute circuits from different peering locations when you're connecting an on-premises location to virtual networks in Azure. This setup will e
redundant paths to Azure by removing single points of failure between on-premises and Azure. When you use multiple ExpressRoute circuits, optimize ExpressRoute rou
local preference and AS PATH prepending. Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requiremen
Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.
Proactively monitor ExpressRoute circuits by using Network Performance Monitor.
Use VNet injection for supported Azure services to make them available from within a customer Virtual Network.
Azure PaaS services that have been injected into a Virtual Network still perform management plane operations using public IP addresses. Ensure that this communication
down within the Virtual Network using UDRs and NSGs.
Use Azure Private Link, where available, for shared Azure PaaS services.
Create the Azure Private DNS zone within a global connectivity subscription. You might create other Azure Private DNS zones (for example, privatelink.database.window
privatelink.blob.core.windows.net for Azure Private Link).
Use Azure Firewall to govern:

Azure outbound traffic to the internet.
Non-HTTP/S inbound connections.
East/west traffic filtering (if your organization requires it).
Use NVA when Azure Firewall does not fit to requirements or when there is a policy that enforce specific ISV
Use Application Gateway WAF within a "Landing Zone" Virtual Network for protecting inbound HTTP/S traffic from the internet. Don't replicate on-premises perimeter n
concepts and architectures into Azure. Similar security capabilities are available in Azure, but the implementation and architecture must be adapted to the cloud.
Use Azure Front Door WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a "Landing Zone".
Use Azure DDoS Protection Standard protection plans to help protect all public endpoints hosted within your virtual networks.
For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled. Deploy Azure Application Gateway v2 or partn
for inbound HTTP/S connections within the landing-zone virtual network and with the apps that they're securing. Use Azure Front Door with WAF policies to deliver and
global HTTP/S apps that span Azure regions. Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.
Use NSGs to selectively allow inter "Landing Zone" connectivity.

For VWAN-based network topologies, route traffic across "Landing Zones" via Azure Firewall only if the customer requires filtering and logging capabilities for traffic flow
"Landing Zones". The application team should use application security groups at the subnet-level NSGs to help protect multitier VMs within the landing zone. Use NSGs a
security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.
Delegate subnet creation to the "Landing Zone" owner. This will enable them to define how to segment workloads across subnets (i.e. single large subnet, multi-tier app
app)
Implement default NSG config like Deny inbound RDP/SSH connections, Allow communication with domain controllers. NSGs must be used to protect traffic across subn
east-west traffic across the platform (inter "Landing Zone" traffic)
Application team should use Application Security Groups at the subnet level NSGs to protect multi-tier VMs within their "Landing Zone“.
Use NSGs and ASGs to microsegment traffic within the "Landing Zone" and avoid using a central NVA to filter these traffic flows.
The Platform team can use Azure Policy to ensure an NSG with specific rules (such as deny inbound SSH or RDP from Internet, or allow/block traffic across landing zones)
associated to subnets with Deny only policies
Is recommended to enable NSG Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.
Options to consider
apply media access control security (MACsec) in combination with EXPRESSROUTE Direct
With Virtual WAN use VPN gateway to establish IPsec tunnels over ExpressRoute private peering or use partner NVAs to establish IPsec tunnels when not implemented
Azure Virtual Network TAP (VTAP) is in preview, but your must reach to azurevnettap@microsoft.com for availability details.
Network Watcher packet captures in Network Watcher is GA, but captures are limited to a maximum period of 5 hours.
As alternative to Virtual Network TAP, evaluate the following options:
Use Network Watcher packet capture despite the limited capture window.
Evaluate if NSG Flow Logs v2 provide the level of detail required.
Use 3rd party solutions for scenarios where sustained deep packet inspection is required.
Do not develop a custom solution to mirror traffic. While this might be acceptable for small scale scenarios, this approach is not encouraged at scale due to complexity a
supportability issues which may arise.
Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements and data
policies mandate separate workspaces. Centralized logging is critical to the visibility required by operations management teams. Logging centralization drives reports ab
management, service health, configuration, and most other aspects of IT operations. Converging on a centralized workspace model reduces administrative effort and the
gaps in observability.
All IAAS and PAAS monitoring. Application insight is separate per workload , lifecycle.
Workspace configured in resource-centric access control mode, granular Azure RBAC is enforced to ensure application teams will only have access to the logs from their
Don't send raw log entries back to on-premises monitoring systems. Instead, adopt a principle that data born in Azure stays in Azure. If on-premises SIEM integration is r
send critical alerts instead of logs.
Export logs to Azure Storage if log retention requirements exceed two years. Use immutable storage with a write-once, read-many policy to make data non-erasable and
modifiable for a user-specified interval.
Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. For more information, see Und
Policy effects. Monitor in-guest virtual machine (VM) configuration drift using Azure Policy. Enabling guest configuration audit capabilities through policy helps applicatio
workloads to immediately consume feature capabilities with little effort. Use policies to enforce deployment of VM monitoring and dependency agent deployment
Enforcing Update Management configurations via Azure Policy ensures that all VMs are included in the patch management regimen and provides application teams with
manage patch deployment for their VMs. It also provides visibility and enforcement capabilities to the central IT team across all VMs.
Traffic Analytics analyzes NSG flow logs to gather deep insights about IP traffic within a virtual network and provides critical information for effective management and m
Traffic Analytics provide information such as most communicating hosts and application protocols, most conversing host pairs, allowed or blocked traffic, inbound and ou
traffic, open internet ports, most blocking rules, traffic distribution per an Azure datacenter, virtual network, subnets, or rogue networks.
Protect logs and other critical data resources to be deleted.
Include service and resource health events as part of the overall platform monitoring solution. Tracking service and resource health from the platform perspective is an i
component of resource management in Azure.
Application Insight or second Log Analytics target is allowed. Application monitoring can use dedicated Log Analytics workspaces.
For applications that are deployed to virtual machines, logs should be stored centrally to the dedicated Log Analytics workspace from a platform perspective, and applica
can access the logs subject to the RBAC they have on their applications/virtual machines.
Use Azure Monitor Metrics for time sensitive analysis.
Use shared storage accounts within the "Landing Zone" for Azure Diagnostic Extension log storage when required.
Leverage Azure Monitor Alerts for the generation of operational alerts.
Leverage Azure native backup capabilities.

Use native PaaS service disaster recovery capabilities.
Use Azure VM backup VM snapshots and using Azure Backup and Recovery Services vaults.
Subscription limits restricting the number of Recovery Services vaults and the size of each vault.
Geo-replication and DR capabilities for PaaS services.
Workload suitability for Availability Zones or availability sets.
Data sharing and dependencies between zones.
The impact of Availability Zones on update domains compared to availability sets and the percentage of workloads that can be under maintenance simultaneously.
Support for specific virtual machine (VM) stock-keeping units with Availability Zones.
Using Availability Zones is required if Microsoft Azure ultra disk storage is used.
Use Azure paired regions when planning for BCDR.

Employ Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.
Consider redundant hybrid network architecture to ensure uninterrupted cross-premises connectivity in the event of an outage affecting an Azure region or peering pro
Avoid using overlapping IP address ranges for production and DR sites.
Don't use centralized instances of Key Vault for application keys or secrets.
Don't share Key Vault instances between applications to avoid secret sharing across environments. Use a federated Azure Key Vault model to avoid transaction scale lim
Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.
Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Azure Active Directory (Azure AD) role
Automate the certificate management and renewal process with public certificate authorities to ease administration.
Establish an automated process for key and certificate rotation.
Enable firewall and virtual network service endpoint on the vault to control access to the key vault.
Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.
Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.
Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.
Use policy to enforce Encryption in Transit for Azure services when applicable
If any data sovereignty requirements exist, custom user policies can be deployed to enforce them.
Identify required Azure tags and use the append policy mode to enforce usage.
Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments. Based on existing requirements, regulatory and compliance contro
(internal/external) - Determine what Azure Policies and Azure RBAC role are needed.
Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherited scopes.
Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.
Use Azure Policy to control resource provider registrations at the subscription and/or management group levels.
Use built-in policies where possible to minimize operational overhead.
Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.
Data retention periods for audit data. Azure AD Premium reports have a 30-day retention period.
Export Azure activity logs to Azure Monitor Logs for long-term data retention. Export to Azure Storage for long-term storage beyond two years, if necessary.
Enable via Policy
Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.
Monitor base operating system patching drift via Azure Monitor Logs and Azure Security Center.
Security on by default using Azure Policy.
Use Azure Security Benchmark.
Develop a security allow-list plan to assess services security configuration, monitoring, alerts, and how to integrate these with existing systems.
Capture security requirements and map it to Azure Services. Define implementation plans (short/mid/long term) and align Azure roadmap items.
Using Service enablement framework.
Define an incident response plan for Azure services before allowing it into production.
Consider Shared responsibility, HA and DR.
The list below presents a recommended set of DevOps roles for the central Platform Team.
Platform Ops (Platform Operations) to
Subscription provisioning and delegation of required network, IAM, and policies.

Platform management and monitoring (holistic).
Cost Management (holistic).
"Platform as Code" (management of templates, scripts and other assets).
Responsible for overall operations on Azure within the Azure AD tenant, such as managing service principles, Graph API registration, and role definitions.
SecOps (Security Operations)
Role based access control (holistic).

Key management (for central services, for example SMTP, Domain Controller).
Policy management and enforcement (holistic).
Security monitoring and audit (holistic).
NetOps (Network Operations)
Network Management (holistic).

Allow application owners to create and manage application resources through a DevOps model.
The list below presents a recommended DevOps role for application teams.
AppDevOps
Application migration and/or transformation.

Application management and monitoring.
Role based access control (app resources).
Security monitoring and audit (app resources).
Cost Management (app resources).
Network Management (app resources).
In some instances, customers may wish to break AppDevOps into more granular roles such as AppDataOps for database management like traditional DBA roles, or AppSe
more security sensitive applications are concerned; this is to be expected.
Git allows sharing and working on the same code and provide a full version history of every changes.
Deploy applications and infrastructure via continuous integration and either continuous delivery or continuous deployment.
Deploy infrastructure as code and sore these in git and integrate in CI/CD pipelines
azOps Discover existing services (subscription, policy, roles) deployed and bring them under source control so changes are done via code and pull request to have full tra
Shift to left security, part of the development cycle, include security in pipelines, sample vulnerability scanning of container registry of known Open Source vulnerabilitie
Shift to left security, part of the development cycle, include security in pipelines, sample vulnerability scanning of container registry of known Open Source vulnerabilitie
Create a subscription and move it under the Landing Zones management group scope.
Create Azure AD groups for the subscription, such as Owner, Reader, and Contributor.
Create Azure AD PIM entitlements for established Azure AD groups.
Application functions
-Application migration and transformation.
-Application management and monitoring (application resources).
-Key management (application keys).
-Azure RBAC (application resources).
-Security monitoring and audit (application resources).
-Cost management (application resources).
-Network management (application resources).
Central functions
-Architecture governance.
-Subscription management.
-Platform as code (management of templates, scripts, and other assets).
-Policy management and enforcement (holistic).
-Platform management and monitoring (holistic).
-Azure RBAC (holistic).
-Key management (central services).
-Network management (including networks and network virtual appliances).
-Security monitoring and audit (holistic).
-Cost management (holistic).
Score
Weight Score percentage
27 22.4 83%
5 5
5 5
2 0.4
2 0
1 0
2 2
5 5
2 2
3 3
0
34 30.8 91%
5 5
4 3.2
2 0.4
3 3
4 3.2
5 5
3 3
2 2
3 3
3 3
28 11.6 41%
5 0.5
2 1
5 5
2 0.2
1 0.4
2 2
5 2.5
4 0
2 0
0
61 41.6 68%
5 5
4 4
2 2
1 0
5 5
0
5 5
1 0
2 0.6
3 3
2 0
5 0
5 4
2 2
2 0
5 4
3 3
1 1
5 0
1 1
1 1
1 1
0
26 13.7 53%
5 0.5
1 1
5 1
5 5
1 1
1 0
4 1.2
4 4
11 2.5 23%
5 2.5
2 0
4 0
4 0
50 30.9 62%
4 3.2
4 4
4 2
1 0.5
1 0
3 3
4 0.8
1 1
2 0
4 4
2 0
2 1.4
5 5
2 2
2 1
4 0.8
1 1
4 1.2
26 18.8 72%
5 4.5
5 5
5 5
5 1.5
1 1
1 0
1 0
1 1
1 0.8
1 0
Priority --
ID Item Sum of Score percentage

A Enterprise Enrollment and Azure AD Tenants 83%
B Identity and Access Management 91%
C Management Group and Subscription Organization 41%
D Network Topology and Connectivity 68%
E Management and Monitoring 53%
F Business Continuity and Disaster Recovery 23%
G Security, Governance and Compliance 62%
H Platform Automation and DevOps 72%
H Platform Automation and DevOps
G Security, Governance and Com

Total
B Identity and Access Management
100%
H C Management Group and Subscription Organization
50%
Sum of Score percentage 83%
0%
H Platform Automation and DevOps D Network Topology and Connectivity
G Security, Governance and Compliance E Management and Monitoring
F Business Continuity and Disaster Recovery

Overview of reccommentations
Priority ID
High C1.1
C2.1
C2.3
C4.2
E1.1
E1.3
E1.7
G2.4
G4.1
G4.3
Medium A1.3
A1.4
B1.2
B1.5
D2.3
D5.2
D6.2
F1.1
F1.2
G1.1
G1.3
G3.2
G3.5
Low A1.5
B2.2
C2.4
C4.1
C4.3
D4.1
D4.3
D7.1
E1.2
E1.4
E1.6
G2.1
G2.2
G2.6
G3.3
G3.4
G3.6
H1.4
H1.6
H1.7
H1.9
H2.1
Total Result
Item
Use Management groups for both policies and management RBAC
Create separate platform subscriptions for Management (Monitoring), Connectivity and Iden
Group subscriptions under Management groups to ensures that subscriptions with the same s
Tags enforced for billing
Single Log monitor workspace
Use Azure Policy for access control and compliance reporting.

Include Service and Health event in the monitoring
Policy Management via Management groups
Set Platform Security Baseline
Define responsibilities, Azure (MSFT), Platform (Customer) and Application teams (Customer
Number and type of EA Account

Audit Interval for EA Portal for Microsoft account and required access
"Azure AD only" groups for Azure control plane
Custom RBAC Roles and Usage
Central Private link private DNS zones when required
Implement DNS setup to support Private Link services DNS resolving
Secure inbound connectivity from the public internet via Application Gateway with Web App
Provide baseline backup/restore capabilities
Use Availability Zones to make deployment High Available over several zones.
Use Region for DR scenario or always available multi region deployments
Keyvault best practices
Encryption in transit
Export Azure activity logs
Data Retention policy for logging
Make Use of Dev/Test EA subscription cost optimize
Use Azure AD Application Proxy for Intranet application
Have new subscription as a service. Automate subscription creation File > New > Landing Zo
Implement Cost transparency across a technical estate.
Additional Tags to be enforced or optional
connecting on-premises locations (other datacenters) to Azure
Monitor the connectivity to Azure capacity
Deliver internal-facing and external-facing apps in a secure, highly scalable, and highly avail
Export logs to Azure Storage if log retention requirements exceed two years,
Update Management in Azure Automation as a long-term patching mechanism for both Win
Implement Resource locks to prevent accidental deletion of critical shared services.
Region Policy for data sovereignty

Tag policy
Enable policies to prevent data exfiltration concerns. Defining requirements for private endp
Enable Defender for Azure (Server, Storage, WebApp, Container etc.) for E2E Security Moni
Update management and inventory for Virtual machines
Use Azure Sentinel as SIEM SOAR
Use Infrastructure as Code
Implement DevSecOps
File > New > Landing Zone also set up a Git repository to host IaC and service principals for
Implement automation for File > New > Landing Zone for applications and workloads
recommended distribution of responsibilities between the central IT team and application
Action
Create a management group structure based on enterprise landing zone with platform and landing zone to be able to apply po
Create new subscription for Management with new Log Analytics, to isolate logging as this also will contain security logging. K
Create the default grouping of Enterprise landing zone as a default and adopt new grouping when required
See tags sheet for proposed tags
Implement central monitoring for IAAS and PAAS logging. Use policies to enforce logging to central. Teams can deploy App Ins
See policy sheet for proposed policies

Include alerts and add in the monitoring
Include alerts and add in the monitoring
Validate if not should be privileged named accounts

Implement periodic reviews
Use Azure AAD group for role RBAC on Management group level instead of direct assignments
Use Azure AAD group for role RBAC on Management group level instead of direct assignments
Implement central connected Private DNS zones for PAAS private Link to the General vNet where the domain controllers are p
Implement central connected Private DNS zones for PAAS private Link to the General vNet where the domain controllers are p
Create clear policies when to use WAF and evaluate FrontDoor with WAF.
Evaluate Native Backup Azure Backup for VM and PAAS backup driven by Policy to check compliance. Deploy recovery vault fo
Create guidance for DR, Backup with Global Redundant storage for DR or ASR.
Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects. Cr
Create policies to enforce for TLS, HTTPS
Implement Policy to enforce export
Evaluate current LA retention when guidance is ready
If dev having already Visual studio subscription this could be a cost optimization for dev/test subscriptions
Investigate the use of Azure AD Application proxy for Intranet applications
Create automation see https://github.com/Azure/Enterprise-Scale/tree/main/examples/landing-zones
Consider automated reporting when tags are enforced and applied with Power BI
See tagging sheet for other options
Considering Expressroute setup to get dedicated lines. Could use SURFNet as ER provider.
Implement NPM monitoring over S2S
Create clear policies when to use WAF and evaluate FrontDoor with WAF.
evaluate when retention policy is ready
Evaluate if Azure Update Management could have value
Planned used scripting to implement all production tag workloads should be locked
Implement WE , NE, Europe enforcement policy

When having defined the required tags create policy to append and enforce
Evaluate requirements, if needed enforce via Policy
Evaluate current settings and create policy based on Management group
check if Azure Update Management could be used in parallel
Evaluate to enable on new central LA or alternative import Azure Security Center alerts into existing Sentinel
Select ARM, Terraform as standard and provide sample deployments to include in pipeline
To be validated
To be validated
Evaluate PIM also for Subscription owners
To be validated
Best practice
Do not create any subscriptions under the "root" Management Group.
Create a top-level Sandboxes management group to allow users to immediately experiment with Azure.
Establish a dedicated management subscription in the Platform management group to support global management capabilitie
Group subscriptions together under management groups aligned within the management group structure and policy requirem
Use Azure resource tags for cost categorization and resource grouping. Using tags allows you to have a chargeback mechanism
Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC
Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation
Include service and resource health events as part of the overall platform monitoring solution. Tracking service and resource h
Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherited scopes.Ma
Security on by default using Azure Policy.Use Azure Security Benchmark.
Define an incident response plan for Azure services before allowing it into production.Consider Shared responsibility, HA and D
Only use the authentication type "Work and School Account" for all account types. Avoid using the MSA account type.Restrict
90 Days
Use "Azure AD only" groups for Azure control plane resources in Azure AD PIM when granting access to resources.Add on-prem
Use custom RBAC role definitions within the Azure AD tenant, considering the following key roles: Azure Platform Owner, NetO
Create the Azure Private DNS zone within a global connectivity subscription. You might create other Azure Private DNS zones (
Create the Azure Private DNS zone within a global connectivity subscription. You might create other Azure Private DNS zones (
Use Application Gateway WAF within a "Landing Zone" Virtual Network for protecting inbound HTTP/S traffic from the interne
Leverage Azure native backup capabilities.Use native PaaS service disaster recovery capabilities.Use Azure VM backup VM sna
Use Azure paired regions when planning for BCDR.Employ Azure Site Recovery for Azure-to-Azure Virtual Machines disaster re
Don't use centralized instances of Key Vault for application keys or secrets.Don't share Key Vault instances between applicatio
Use policy to enforce Encryption in Transit for Azure services when applicable
Export Azure activity logs to Azure Monitor Logs for long-term data retention. Export to Azure Storage for long-term storage b
(empty)
Setup enterprise Dev/Test/Prod environments at an EA account level to support creation of dev/test workload for active Visua
If an organization has a scenario where an application that uses integrated Windows authentication must be accessed remote
Have in service catalog for appdev teams the service request new subscription. Deploy a new landing zone (File > New > Landi
Use Azure Cost Management + Billing for cost aggregation. Make it available to application owners.
(empty)
Use ExpressRoute as the primary connectivity channel for connecting an on-premises network to Azure. You can use VPNs as a
Proactively monitor ExpressRoute circuits by using Network Performance Monitor.
For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled. Dep
Export logs to Azure Storage if log retention requirements exceed two years. Use immutable storage with a write-once, read-m
Enforcing Update Management configurations via Azure Policy ensures that all VMs are included in the patch management reg
Protect logs and other critical data resources to be deleted.
If any data sovereignty requirements exist, custom user policies can be deployed to enforce them.
Identify required Azure tags and use the append policy mode to enforce usage.
(empty)
(empty)
Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline V
(empty)
Deploy infrastructure as code and sore these in git and integrate in CI/CD pipelines
Shift to left security, part of the development cycle, include security in pipelines, sample vulnerability scanning of container re
Shift to left security, part of the development cycle, include security in pipelines, sample vulnerability scanning of container re
Create a subscription and move it under the Landing Zones management group scope.Create Azure AD groups for the subscrip
Application functions-Application migration and transformation.-Application management and monitoring (application resour
(empty)
Server Active Directory domain controllers, when necessary.Establish a dedicated connectivity subscription in the Platform management g
s. Logging centralization drives reports about change management, service health, configuration, and most other aspects of IT operations.
dit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort. Use policies
and/or management group levels.Use built-in policies where possible to minimize operational overhead.Limit the number of Azure Policy a
tenants are used, ensure the Account Owner is associated with the same tenant as where subscriptions for the account are provisioned.
defined roles, which are then assigned to resource scopes. Direct user assignments circumvent centralized management, greatly increasin
e must be adapted to the cloud.Use Azure Front Door WAF policies to provide global protection across Azure regions for inbound HTTP/S c
R capabilities for PaaS services.
e event of an outage affecting an Azure region or peering provider location. Avoid using overlapping IP address ranges for production and
icies enabled to allow retention protection for deleted objects.Follow a least privilege model by limiting authorization to permanently dele
o virtual networks in Azure. This setup will ensure redundant paths to Azure by removing single points of failure between on-premises and
Front Door with WAF policies to deliver and help protect global HTTP/S apps that span Azure regions. Use Traffic Manager to deliver glob
work management (application resources).Central functions-Architecture governance.-Subscription management.-Platform as code (mana
n the Platform management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and othe
other aspects of IT operations. Converging on a centralized workspace model reduces administrative effort and the chances for gaps in obs
s with little effort. Use policies to enforce deployment of VM monitoring and dependency agent deployment
it the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited
the account are provisioned.
management, greatly increasing the management required to prevent unauthorized access to restricted data.
regions for inbound HTTP/S connections to a "Landing Zone".
ess ranges for production and DR sites.

horization to permanently delete keys, secrets, and certificates to specialized custom Azure Active Directory (Azure AD) roles.Automate th
lure between on-premises and Azure. When you use multiple ExpressRoute circuits, optimize ExpressRoute routing via BGP local preferen
Traffic Manager to deliver global apps that span protocols other than HTTP/S.
ment.-Platform as code (management of templates, scripts, and other assets).-Policy management and enforcement (holistic).-Platform m
ExpressRoute circuit, and other networking resources. A dedicated subscription ensures that all foundation network resources are billed to
nd the chances for gaps in observability.All IAAS and PAAS monitoring. Application insight is separate per workload , lifecycle. Workspace c
rough exclusions at inherited scopes.
(Azure AD) roles.Automate the certificate management and renewal process with public certificate authorities to ease administration.Esta
routing via BGP local preference and AS PATH prepending. Ensure that you're using the right SKU for the ExpressRoute/VPN gateways bas
rcement (holistic).-Platform management and monitoring (holistic).-Azure RBAC (holistic).-Key management (central services).-Network m
network resources are billed together and isolated from other workloads.
orkload , lifecycle. Workspace configured in resource-centric access control mode, granular Azure RBAC is enforced to ensure application te
ties to ease administration.Establish an automated process for key and certificate rotation.Enable firewall and virtual network service endp
pressRoute/VPN gateways based on bandwidth and performance requirements.

(central services).-Network management (including networks and network virtual appliances).-Security monitoring and audit (holistic).-Co
forced to ensure application teams will only have access to the logs from their resources.Don't send raw log entries back to on-premises m
d virtual network service endpoint on the vault to control access to the key vault.Use the platform-central Azure Monitor Log Analytics wo
nitoring and audit (holistic).-Cost management (holistic).
entries back to on-premises monitoring systems. Instead, adopt a principle that data born in Azure stays in Azure. If on-premises SIEM int
zure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.Delegate Key Vault insta
Azure. If on-premises SIEM integration is required, then send critical alerts instead of logs.
Vault.Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.
mpliant configuration.
Role Usage Type
Azure platform owner (such as the built-in Management group and subscription build-in
Owner role) lifecycle management
Network management (NetOps) Platform-wide global connectivity build-in
management: virtual networks, UDRs,
NSGs, NVAs, VPN, Azure ExpressRoute,
and others
Security operations (SecOps) Option 1: Build in Security Admin role build-in
Security operations (SecOps) Option 2: Security administrator role Custom

with a horizontal view across the entire
Azure estate and the Azure Key Vault
purge policy
Subscription owner Option 1: use build in roles owner build-in
Subscription owner Option 2: use build in roles contributor build-in

Subscription owner Option 3: Delegated role for Custom
subscription owner derived from
subscription Owner role, no modify
rights on role assignment and routes
Subscription Owner no Network write Option 4: Delegated role for Custom

subscription owner derived from
subscription Owner role, no modify
rights on role assignment and routes
and no network write delete
permissions
Subscription Contributor Create separate AAD group per build-in

subscription for contributor access.
The oner can manage this group
(owner of group)
Subscription Reader Create separate AAD group per build-in

subscription for reader access. The
oner can manage this group (owner of
group)
Application owners (DevOps/AppOps) Contributor role granted for Custom
application/operations team at
resource group level, can also be
applied on subscription. This role
derived from contributor role with
additional restrictions to modify
network resources. Consider when
using this role only on the resource
group level to add the delete resource
group right to the notactions
Application owners hybrid network access Give application owners the right to Custom
(DevOps/AppOps) create network interfaces in the hybrid
network. This role should be applied
only to the hybrid network resource
group. This should only be used in
when Application owner
(DevOps/AppOps) is used on resource
group level, this is not needed when
this role is applied on subscription
level.
Role name or custom name Actions
Owner *
Network Contributor "Microsoft.Authorization/*/read",

"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
Security Admin "Microsoft.Authorization/*/read",

"Microsoft.Authorization/policyAssignments/*",
"Microsoft.Authorization/policyDefinitions/*",
"Microsoft.Authorization/policyExemptions/*",
"Microsoft.Authorization/policySetDefinitions/*",
"Microsoft.Management/managementGroups/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Security/*",
SecOps "*/read",
"*/register/action",
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/policyAssignments/*",
"Microsoft.Authorization/policyDefinitions/*",
"Microsoft.Authorization/policyExemptions/*",
"Microsoft.Authorization/policySetDefinitions/*",
"Microsoft.Management/managementGroups/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Security/*",
"Microsoft.Support/*",
"Microsoft.KeyVault/locations/deletedVaults/purge/action",
"Microsoft.PolicyInsights/*"
Owner *
Contributor *
SubscriptionOwner *
SubscriptionOwnerNoNetwork *
Contributor *
Reader */read
DevOpsAppOps *
DevOpsAppOpsHybridNetworkA *
ccess
No actions Proposed Proposed scope
YES <prefix>
YES <prefix>
NO <prefix>
NO <prefix>
YES <subsciption>
"Microsoft.Authorization/*/Delete", NO <subsciption>
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action"
"Microsoft.Authorization/*/write", NO <subsciption>
"Microsoft.Authorization/*/Delete",
"Microsoft.Network/vpnGateways/*",
"Microsoft.Network/expressRouteCircuits/*",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/delete",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/routes/delete",
"Microsoft.Network/vpnSites/*"
"Microsoft.Authorization/*/write", NO <subsciption>
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/azurefirewalls/*",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
"Microsoft.Authorization/*/write", YES <subsciption>

YES <subsciption>
"Microsoft.Authorization/*/write", NO <Resourcegroup level>
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.KeyVault/locations/deletedVaults/purge/action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.Network/networkSecurityGroups/securityRules/delete",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/delete",
"Microsoft.Authorization/*/read", NO <Resourcegroup level>
"Microsoft.Network/applicationGateways/backendAddressPools/
join/action",
"Microsoft.Network/applicationSecurityGroups/read",
"Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/
action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/probes/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
Proposed AAD group name Implemented Remark
Direct assigned, azure-<prefix>-platform- NO Direct assignment now used should be
owners AAD group with PIM enabled
azure-<prefix>-platform-netOps NO
azure-<prefix>-platform-secOps
azure-<prefix>-platform-secOps
<subscription name>-owners YES
<<subscription name>-owners
<subscription name>-owners
<subscription name>-owners
<subscription name>-contributors YES
<subscription name>-readers YES

azure-<subscription name>-<resourceGroup
name>-appOwners
azure-<subscription name>-<resourceGroup
name>-appOwners
Part of Reference
Policy Asignement Name Name Definition Assignment
ASC-Monitoring Initiative YES

Deploy-Resource-Diag Initiative YES
Deploy-Sql-Security Initiative
Deploy-ASC-Standard Definition YES
Deploy-AzActivity-Log Definition YES
Deploy-Linux-Arc-Monitoring Definition YES
Deploy-VM-Monitoring Initiative YES
Deploy-VMSS-Monitoring Initiative YES

Deploy-Windows-Arc-Monitoring Definition YES
Allowed-ResourceLocation Definition
Allowed-RGLocation Definition
Deploy-ASC-CE Definition
Enforce-Tags Definition
Deploy-LA-Config Definition (used in initial deploy)
Deploy-LogAnalytics Definition (used in initial deploy)
Deploy-FirewallPolicy Definition (used in initial deploy)
Deploy-HUB Definition (used in initial deploy)
Deploy-vHUB Definition (used in initial deploy)
Deploy-vWAN Definition (used in initial deploy)
Append-KV-SoftDelete Definition
Deny-AppGW-Without-WAF Definition
Deploy-VM-Backup Definition YES
Deny-IP-forwarding Definition YES
Deploy-SQL-Security Definition YES
Deploy-SQL-DB-Auditing Definition YES
Enforce-SQL-Encryption Definition YES
Deny-Storage-http Definition YES
Deploy-Storage-ATP Definition YES
Deploy-AKS-Policy Definition YES
Deny-Privileged-AKS Definition YES
Deny-Privileged-Escalations-AKS Definition YES
Enforce-AKS-HTTPS Definition YES
Deny-Subnets-Without-NSG Definition YES
Deny-RDP-From-Internet Definition YES
Deny-SSH-From-Internet Definition
Deploy-Network-Watcher Definition
Deploy-Budget Definition
Denied-Resources Definition
Denied-Vmsizes Definition
Deny-VNet-Peering Definition
Deny-PublicIP Definition
Deny-Public-Endpoints-for-PaaS-Services Initiative
Deny-Private-DNS-Zones Definition
Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint Definition
Deploy-DNSZoneGroup-For-File-PrivateEndpoint Definition
Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint Definition
Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint Definition
Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint Definition
Deploy-DNSZoneGroup-For-Table-PrivateEndpoint Definition
Deploy-vNet Definition
Deploy-VNET-HubSpoke Definition
Deploy-DDoSProtection Definition
Deploy-Nsg-FlowLogs Definition
Deploy-Windows-DomainJoin Definition
Deny-AA-child-resources Definition
Custom policy Proposed effect
location reference when not leave
custom policies or Proposed Management default. Or
AZ State Proposed Applied Group Default Values Count Type
YES NO <prefix> 177 Build In

REF Policies YES NO <prefix> 55 Custom
REF Policies NO 4 Custom
REF Policies YES NO <prefix> Custom
REF Policies YES NO <prefix> Custom
REF Policies YES NO <prefix> Build In
REF Policies YES NO <prefix> 10 Build In
REF Policies YES NO <prefix> 6 Build In

REF Policies YES NO <prefix> Build In
WestEurope,
NorthEurope,
YES NO <prefix> Europe Build In
WestEurope,
NorthEurope,
YES NO <prefix> Europe Build In
YES NO <prefix> Build In

Create
custom
YES NO <prefix> initiative
REF Policies NO <prefix>-management Custom
REF Policies NO <prefix>-management Custom
REF Policies NO <prefix-connectivity Custom
REF Policies YES NO <prefix>-landingzones Productie Custom
REF Policies YES NO <prefix>-landingzones Audit Custom
NO <prefix>-landingzones Build In
YES NO <prefix>-landingzones Build In
<prefix>-landingzones,
REF Policies NO <prefix>-sandbox Custom
NO <prefix>-sandbox Build In
NO <prefix>-sandbox
<prefix>-online-isolated,
REF Policies YES NO <prefix>-sandbox Custom
REF Policies YES NO <prefix>-corp Custom
REF Policies YES NO <prefix>-corp Audit 8 Custom
REF Policies NO <prefix>-corp Custom

REF Policies NO <prefix>-Online Custom
REF Policies NO <prefix>-Online Custom
REF Policies NO Specific Resourcegroup Custom
Reference to resource (default) Effect
1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Audit or AUditifNotExists

<prefix>/Deploy-Diag-LogAnalytics deployIfNotExists
<prefix>/Deploy-Sql-Security DeployIfNotExists
<prefix>/Deploy-ASC-Standard DeployIfNotExists
<Prefix>/Deploy-Diagnostics-ActivityLog DeployIfNotExists
9d2b61b4-1d14-4a63-be30-d4498e7ad2cf deployIfNotExists
55f3eceb-5573-4f18-9695-226972c6d74a DeployIfNotExists
75714362-cae7-409e-9b99-a8e5075b7fad DeployIfNotExists
69af7d4a-7b18-4044-93a9-2651498ef203 deployIfNotExists
e56962a6-4747-49cd-b67b-bf8b01975c4c deny
e765b5de-1225-4ba3-bd56-1ac6695af988 Deny
ffb6f416-7bd2-4488-8828-56585fef2be9 deployIfNotExists
Create initiative or use existing tag policies Append or deny

<prefix>/Deploy-LA-Config DeployIfNotExists
<prefix>/Deploy-Log-Analytics deployIfNotExists
<prefix>/Deploy-FirewallPolicy DeployIfNotExists
<prefix>/Deploy-HUB DeployIfNotExists
<prefix>/Deploy-vHUB deployIfNotExists
<prefix>/Deploy-vWAN DeployIfNotExists
<prefix>/Append-KV-SoftDelete append
<prefix>/Deny-AppGW-Without-WAF Deny
98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 deployIfNotExists
88c0b9da-ce96-4b03-9635-f29a937e2900 Deny
f4c68484-132f-41f9-9b6d-3e4b1cb55036 DeployIfNotExists
a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 AuditIfNotExists
86a912f6-9a06-4e26-b447-11b16ba8659f DeployIfNotExists
404c3081-a854-4457-ae30-26a93ef643f9 Audit
361c2074-3595-4e5d-8cab-4f21dffc835c DeployIfNotExists
a8eff44f-8c92-45c3-a3fb-9880802d67a7 deployIfNotExists
95edb821-ddaf-4404-9732-666045e056b4 Deny
1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Deny
1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Deny
<prefix>/Deny-Subnet-Without-Nsg Deny
<prefix>/Deny-RDP-From-Internet Deny
2c89a2e5-7285-40fe-afe0-ae8654b92fab Audit
a9b99dd8-06c5-4317-8629-9d86a3c6e7d9 DeployIfNotExists
<prefix>/Deploy-Budget DeployIfNotExists
6c112d4e-5bc7-47ae-a041-ea2d9dccd749 Deny
<prefix>/Deny-VNet-Peering Deny
<prefix>/Deny-PublicIP Deny
<prefix>s/Deny-PublicEndpoints Deny
<prefix>/Deny-Private-DNS-Zones Deny
<prefix>/Deploy-DNSZoneGroup-For-Blob-
PrivateEndpoint DeployIfNotExists
<prefix>/Deploy-DNSZoneGroup-For-File-
<prefix>/Deploy-DNSZoneGroup-For-KeyVault-
<prefix>/Deploy-DNSZoneGroup-For-Queue-
<prefix>/Deploy-DNSZoneGroup-For-Sql-
<prefix>/Deploy-DNSZoneGroup-For-Table-
<prefix>/Deploy-vNet DeployIfNotExists
<prefix>/Deploy-VNET-HubSpoke DeployIfNotExists
<prefix>/Deploy-DDoSProtection DeployIfNotExists
<prefix>/Deploy-Nsg-FlowLogs DeployIfNotExists
<prefix>/Deploy-Windows-DomainJoin DeployIfNotExists
<prefix>/Deny-AA-child-resources Deny
Description
Enable Monitoring in Azure Security Center

Deploy Diagnostic Settings to Azure Services. 50+ Azure Resource enable diagnostic monitoring to central Log analytics
Deploy SQL Database built-in SQL security configuration. Initiative enables , SQL security, TDE, vulnibility assesement
Deploy Azure Defender settings in Azure Security Center.
Deploy Diagnostic Settings for Activity Log to Log Analytics workspace
[Preview]: Deploy Log Analytics agent to Linux Azure Arc machines
Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Take
Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). T
update-instances.
[Preview]: Deploy Log Analytics agent to Windows Azure Arc machines
This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-com
This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance r
Enable export to Log Analytics workspace of Azure Security Center data. This policy deploys an export to Log Analytics workspace confi
a remediation task.
Use any of the existing Resource tag policies like "Require a tag on resource groups" , "Inherit a tag from the resource group if missing
Deploy the configurations to the Log Analytics in the subscription. This includes a list of solutions like update, automation etc and enab
Deploy the Log Analytics in the subscription
Deploys Azure Firewall Manager policy in subscription where the policy is assigned.
Deploys Virtual Network to be used as hub virtual network in desired region in the subscription where this policy is assigned.
Deploy Virtual Hub network with Virtual Wan and Gateway and Firewall configured in the desired region.
Deploy the Virtual WAN in the specific region.
This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.
This policy enables you to restrict that Application Gateways is always deployed with WAF enabled
[Preview]: Configure backup on VMs without a given tag to a new recovery services vault with a default policy
Network interfaces should disable IP forwarding
Deploy Auditing on SQL servers
Auditing on SQL server should be enabled
Deploy SQL DB transparent data encryption
Secure transfer to storage accounts should be enabled
Deploy Advanced Threat Protection on Storage Accounts
Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
Do not allow privileged containers in Kubernetes cluster
Kubernetes clusters should not allow container privilege escalation
Enforce HTTPS ingress in Kubernetes cluster
Subnets should have a Network Security Group
RDP access from the Internet should be blocked
This policy audits any network security rule that allows SSH access from Internet
This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group nam
Deploy a default budget on all subscriptions under the assigned scope
This policy enables you to specify the resource types that your organization cannot deploy.
This policy denies the creation of vNet Peerings under the assigned scope.
This policy denies creation of Public IPs under the assigned scope.
Public network access should be disabled for PAAS services. Denies the creation of PAAS services with public endpoints on all landing
This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private
Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Blob Private Endpoint. Used enforce the configura
Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-File Private Endpoint. Used enforce the configurati
Deploys the configurations of a Private DNS Zone Group by a parameter for Key Vault Private Endpoint. Used enforce the configuration
Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Queue Private Endpoint. Used enforce the configu
Deploys the configurations of a Private DNS Zone Group by a parameter for SQL Private Private Endpoint. Used enforce the configurati
Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Table Private Endpoint. Used enforce the configur
Deploy spoke network with configuration to hub network based on ipam configuration object
This policy deploys virtual network and peer to the hub
Deploys an Azure DDoS Protection Standard plan
Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period.
Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Ma
This policy denies the creation of child resources on the Automation Account
Tag type Examples Description
Functional app = catalogsearch1 Categorize resources in relation to their purpose within a
tier = web workload, what environment they've been deployed to, or
webserver = apache other functionality and operational details. These tags are also
env = prod usefull for accounting to dril down in the cost per app and per
env = staging env
env = dev
Classification confidentiality = private Classifies a resource by how it is used and what policies apply
SLA = 24hours to it.
Accounting costcenter=2100 Allows a resource to be associated with specific groups within

department = finance an organization for billing purposes.
program = business-initiative
region = northamerica
Partnership owner = jsmith Provides information about what people (outside of IT) are
contactalias = catsearchowners related or otherwise affected by the resource.
stakeholders = user1;user2;user3
Purpose businessprocess = support Aligns resources to business functions to better support

businessimpact = moderate investment decisions.
revenueimpact = high
See https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/resource-tagging/
Proposed category Proposed tags Implemented
YES app = catalogsearch1 NO
env = p
env = t
env = o
env = t
NO
YES productgroup = fin NO

productgroup =sis
NO
NO
Status Priority
Not Implemented High
Partial Implemented Medium
Implemented Low
Unknown to be validated -
Not applicable Evaluate
Currently not applicable --

Cloud Security Checklist

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cloud Security Checklist

Uploaded by

Copyright:

Available Formats

WORK in Progress

Please always validate the latest recommendation on https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/rea

A1.2 Number of Departments Implemented 100%

A1.3 Number and type of EA Account Partial Implemented 20%

A1.8 Other notes, recommendations

A2.4 Other notes, recommendations

B1.3 Custom Role Definitions + Not Implemented 20%

B1.4 AAD Diagnostic Logs Implemented 100%

B1.6 Other notes, recommendations

B2.3 Use Managed Identities to authenticate to azure resource Implemented 100%

B2.5 Other notes, recommendations

C1 Management Group Hierarchy

C1.2 Other notes, recommendations

C2.2 Subscriptions as a democratized unit of management aligned Implemented 100%

C3.2 Other notes, recommendations

C4.2 Tags enforced for billing Not Implemented 0%

C4.3 Additional Tags to be enforced or optional Not Implemented 0%

D2 DNS and name resolution for on-premises and Azure

D3 Define an Azure Networking Topology

D4.3 Monitor the connectivity to Azure capacity Not Implemented 30%

D6 Planning for Inbound and Outbound Internet Connectivity

D7 Planning for Application Delivery

D8 Planning for "Landing Zone" Network Segmentation

D8.3 Implement NSG to protect traffic across subnets, as well as Implemented

D8.4 Enable NSG Flow Log Currently not applicable 100%

D9 Define Network Encryption Requirements

D10 Plan for traffic inspection

D11 Other networking notes, recommendations

E1.6 Implement Resource locks to prevent accidental deletion of Not Implemented 0%

E2 Planning for Application Management and Monitoring

F Business Continuity and Disaster Recovery

F1.3 Other notes, recommendations

G1.2 Encryption at rest Not applicable 100%

G2.2 Tag policy Not Implemented 0%

G3 Define security monitoring and an audit policy

G3.5 Data Retention policy for logging Not Implemented 100%

G4 Planning for Platform Security

G4.2 security/service allow-list plan Currently not applicable 100%

H1.2 Use Code Repositories Implemented 100%

H1.6 Implement DevSecOps Unknown to be validated 0%

H2 Define Central and Federated Responsibilities

Validate if not should be privileged named Medium

Implement periodic reviews Medium

If dev having already Visual studio subscription Low

Use Azure AAD group for role RBAC on Medium

Add also Azure role

Investigate the use of Azure AD Application Low

Create a management group structure based on High

Create new subscription for Management with High

Create the default grouping of Enterprise High

Create automation see Low

See tagging sheet for other options Low

Implement central connected Private DNS zones Medium

Implement NPM monitoring over S2S Low

Implement central connected Private DNS zones Medium

Use Firewall to secure outbound internet traffic.

Create clear policies when to use WAF and Medium

Implement when needed to have additional Evaluate

evaluate when retention policy is ready Low

See policy sheet for proposed policies High

Evaluate if Azure Update Management could Low

Planned used scripting to implement all Low

Create guidance for DR, Backup with Global Medium