Professional Documents
Culture Documents
Cloud Security Checklist
Cloud Security Checklist
Sheet is used to perform an assessment of the current landing zone. Used in combination with explaining and discussing the L
zone best practices in combination with what is already implemented deployed in the current landing zone
A1.4 Audit Interval for EA Portal for Microsoft account and required Not Implemented 0%
access
A1.5 Make Use of Dev/Test EA subscription cost optimize Not Implemented 0%
A1.6 Assign Budget per account / Department to establish alerts Implemented 100%
A2.2 AAD PIM for all tenant and M365 roles Implemented 100%
A2.3 Break the glass accounts Implemented 100%
B1.2 "Azure AD only" groups for Azure control plane Partial Implemented 80%
B1.6 Separate admin accounts for cloud administrative tasks Implemented 100%
B2.4 Identity network segmentation and connectivity design and Implemented 100%
separation of concerns for inside landing zone (legacy)
authentication
C2.1 Create separate platform subscriptions for Management Partial Implemented 50%
(Monitoring), Connectivity and Identity when these are
required
C2.3 Group subscriptions under Management groups to ensures Not Implemented 10%
that subscriptions with the same set of policies and Azure role
assignments.
C2.4 Have new subscription as a service. Automate subscription Partial Implemented 40%
creation File > New > Landing Zone
C2.5 Other notes, recommendations
C3 Configure Subscription Quota and Capacity
C3.1 Ensure that sufficient capacity and SKUs are available and the Currently not applicable 100%
attained capacity can be understood and monitored
D2.2 Hybrid DNS Resolved (seamless resolving on-premise and the Implemented 100%
cloud )
D2.3 Central Private link private DNS zones when required Not Implemented 0%
D4 Connectivity to Azure
D4.1 connecting on-premises locations (other datacenters) to Azure Implemented 100%
D4.2 Deploy network components for connectivity to Azure zone Not Implemented 0%
redundant for higher availability when required
D5.2 Implement DNS setup to support Private Link services DNS Currently not applicable 0%
resolving
D6.1 Secure outbound connectivity to the public internet via Azure Not Implemented 0%
Firewall
D6.2 Secure inbound connectivity from the public internet via Partial Implemented 80%
Application Gateway with Web Application Firewall (WAF) or
FrontDoor WAF Policies
D6.3 Use DDOS Protection to enhance security and insight Currently not applicable 100%
D6.4 Deploy network components for connectivity to Azure zone Not Implemented 0%
redundant for higher availability when required
D8.2 Delegate Subnet creation to the landing zone owner Currently not applicable 100%
E1.2 Export logs to Azure Storage if log retention requirements Currently not applicable 100%
exceed two years,
E1.3 Use Azure Policy for access control and compliance reporting. Not Implemented 20%
E1.4 Update Management in Azure Automation as a long-term Currently not applicable 100%
patching mechanism for both Windows and Linux VMs.
E1.5 Use Network Watcher to proactively monitor traffic flows via Not applicable 100%
Network Watcher NSG flow logs v2.
F1.2 Use Region for DR scenario or always available multi region Currently not applicable 0%
deployments
G2.3 Map regulatory and compliance requirements to Azure Policy Implemented 100%
definitions and Azure role assignments.
G2.4 Policy Management via Management groups Not Implemented 20%
G2.5 Use policy to limit the services that can be used by the Currently not applicable 100%
application teams
G2.6 Enable policies to prevent data exfiltration concerns. Defining Not Implemented 0%
requirements for private endpoints (Service Endpoints, Private
Link)
G3.3 Enable Defender for Azure (Server, Storage, WebApp, Partial Implemented 70%
Container etc.) for E2E Security Monitoring
G3.4 Update management and inventory for Virtual machines Currently not applicable 100%
G4.3 Define responsibilities, Azure (MSFT), Platform (Customer) and Partial Implemented 30%
Application teams (Customer)
H Platform Automation and DevOps
H1 Planning for a DevOps Approach
H1.1 Establish a cross functional DevOps Platform Team to build, Partial Implemented 90%
manage and maintain your Enterprise Scale architecture. This
team should include members from your central IT, security,
compliance, and business units teams to ensure a wide
spectrum of your enterprise is represented.
H1.5 Consider azOps for managing the Enterprise scale landing zone Currently not applicable 100%
declaratively to determine target goal state of the overall ESLZ
platform.
H1.8 Implement automation for File > New > Region Not applicable 100%
H1.9 Implement automation for File > New > Landing Zone for Implemented 80%
applications and workloads
-
Remark is used to document
briefly the current state
--
--
-
Consider automated reporting when tags are Low
enforced and applied with Power BI
See tags sheet for proposed tags High
--
-
Considering Expressroute setup to get Low
dedicated lines. Could use SURFNet as ER
provider.
When having a clear Zone Redundant strategy Evaluate
implement also Zone Redundant VPN Gateway
-
Create clear policies when to use WAF and Low
evaluate FrontDoor with WAF.
No requirements
-
No requirements
-
No requirements
--
-
Implement central monitoring for IAAS and High
PAAS logging. Use policies to enforce logging to
central. Teams can deploy App Insight or
additional log analytics when need in LZ
subscriptions.
No requirements
--
-
Evaluate Native Backup Azure Backup for VM Medium
and PAAS backup driven by Policy to check
compliance. Deploy recovery vault for server
with TAG
Create guidance when to use Zone redundant Medium
deployment, see also then network components
redundancy.
--
-
Provision Azure Key Vault with the soft delete Medium
and purge policies enabled to allow retention
protection for deleted objects. Create written
policy when
No requirements
Create policies to enforce for TLS, HTTPS Medium
-
Implement WE , NE, Europe enforcement policy Low
No requirements
No requirements
--
-
No requirements
To be validated Low
To be validated Low
-
To be validated Low
Best practice
Do not move or rename an EA Account in Azure AD. Periodically audit EA portal to review who has access.
Setup the notification contact email address to ensure notifications are sent to an appropriate group mailbox.
Do not ignore notification emails sent to the notification account email address. Microsoft sends important EA wide communications to this account.
Only use the authentication type "Work and School Account" for all account types. Avoid using the MSA account type.
Restrict and minimize the number of Account Owners within the Enrollment to avoid the proliferation of admin access to Subscriptions and associated Azure resources.
If multiple Azure AD tenants are used, ensure the Account Owner is associated with the same tenant as where subscriptions for the account are provisioned.
90 Days
Setup enterprise Dev/Test/Prod environments at an EA account level to support creation of dev/test workload for active Visual Studio subscribers. See https://docs.micr
us/visualstudio/subscriptions/azure-ea-devtest
Assign a budget for each account and establish an alert associated with the budget.
Leverage Azure AD SSO based on the selected planning topology. (Azure AD Connect for each identity that is to be synchronized)
In case organization does not have existing identity infrastructure, then it is recommended to start by implementing Azure AD only identity deployment. Such deployme
AD domain services and Enterprise mobility suite provide end to end protection for SaaS & enterprise application as well as devices. Use the tenant where the identity p
implemented to connect the azure subscriptions, do not use dev/test tenants in combination with lifecycle of enterprise applications. If Dev/Test/Prod of a specific appli
going to be completely isolated environments and integrated with AAD from an identity perspective, separate them at a tenant level (i.e. use multiple tenants). Avoid cr
Azure AD tenant unless there is a strong IAM justification and processes are already in-place. Dev Test Active Directory can easily reside in an subscription connected to t
managed production tenant.
Use Azure AD privileged identity management for Identity and access management.
Plan and implement for emergency access or break-glass accounts to prevent tenant-wide account lockout. See also
https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning
Use Azure RBAC to manage data plane access to resources where possible (e.g. Key Vault, Storage account, Azure SQL Database).
Enforce MFA for any user with rights to the Azure environment(s). This is a requirement of many compliance frameworks and greatly lowers the risk of credential theft a
unauthorized access. MFA provides a second barrier of authentication adding another layer of security. It is recommended to enforce MFA and conditional access policie
privileged accounts to make it more secure. MFA does provide another barrier of authentication but does not stop phishing or social engineering such as hacker taking p
possession of your phone or Sim Swapping or cloning. It is recommended that MFA should be implemented with device management policy(such as strong pin locking an
and erasing device remotely when its lost). Out of band multifactor authentication (such as biometric) is also consider secure form of MFA. Deploy Azure AD Conditional
for any user with rights to the Azure environment(s). Doing so will provide another mechanism to help protect a controlled Azure environment from unauthorized acces
Use "Azure AD only" groups for Azure control plane resources in Azure AD PIM when granting access to resources.
Add on-premises groups to the "Azure AD only" group if there is an existing group management system already in place. Don't add users directly to Azure resource scope
users to defined roles, which are then assigned to resource scopes. Direct user assignments circumvent centralized management, greatly increasing the management re
prevent unauthorized access to restricted data.
Use Azure AD Privileged Identity Management (PIM) to establish zero standing access and least privilege. We recommend that customers map the organization roles to t
level of access needed. Azure AD PIM can either be an extension of existing tools and processes, utilize Azure native as outlined above, or both as needed.
Use Azure AD PIM access reviews to periodically validate resource entitlements. Access reviews are part of many compliance frameworks so many organizations will alre
process in place to address this requirement.
Integrate Azure AD logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organ
cloud native options to meet requirements around log collection and retention.
Use custom RBAC role definitions within the Azure AD tenant, considering the following key roles: Azure Platform Owner, NetOps, SecOps, DevOps
Creating separate admin accounts for users who need to conduct on-premises administrative tasks.
Deploying Privileged Access Workstations for Active Directory administrators. See also https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning
If an organization has a scenario where an application that uses integrated Windows authentication must be accessed remotely through Azure AD, consider using Azure
Proxy. https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy
Use managed identities instead of service principals for authentication to Azure services. This approach reduces exposure to credential theft
Use a separate subscription and vNet. Alternative have Identity in a hub vNet.
Establish a dedicated management subscription in the Platform management group to support global management capabilities such as Azure Monitor Log Analytics wor
Azure Automation runbooks.
Establish a dedicated identity subscription in the Platform management group to host Windows Server Active Directory domain controllers, when necessary.
Establish a dedicated connectivity subscription in the Platform management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute
other networking resources. A dedicated subscription ensures that all foundation network resources are billed together and isolated from other workloads.
Subscriptions serve as a scale unit so that component workloads can scale within the platform subscription limits.
Subscriptions serve as a boundary for the assignment of Azure policies. For example, secure workloads, such as PCI workloads, typically require additional policies to ach
compliance. Instead of using a management group to group workloads that require PCI compliance, you can achieve the same isolation by using a subscription.
Subscriptions provide a management boundary for governance and isolation, allowing for a clear separation of concerns.
Avoid a rigid subscription model, and opt instead for a set of flexible criteria to group subscriptions across the organization. This flexibility ensures that as your organizati
and workload composition changes, you can create new subscription groups instead of using a fixed set of existing subscriptions. One size doesn't fit all for subscriptions
for one business unit might not work for another. Some applications might coexist within the same landing zone subscription while others might require their own subsc
Group subscriptions together under management groups aligned within the management group structure and policy requirements at scale. Grouping ensures that subsc
the same set of policies and Azure role assignments can inherit them from a management group, which avoids duplicate assignments.
Have in service catalog for appdev teams the service request new subscription.
Deploy a new landing zone (File > New > Landing Zone): These are recurring activities that are required to instantiate a new landing zone.
Leverage subscriptions as scale units, scaling out resources and subscriptions as required.
Use Azure Cost Management + Billing for cost aggregation. Make it available to application owners.
Use Azure resource tags for cost categorization and resource grouping. Using tags allows you to have a chargeback mechanism for workloads that share a subscription o
workload that spans across multiple subscriptions.
Plan for non-overlapping IP address spaces across Azure regions and on-premises locations well in advance.
Use IP addresses from the address allocation for private internets (RFC 1918).
For environments with limited private IP addresses (RFC 1918) availability, consider using IPv6.
Do not create unnecessarily large Virtual Networks (for example: /16) to ensure there is no unnecessary wastage of IP address space.
Do not create Virtual Networks without planning the required address space in advance, since adding address space will cause an outage once a Virtual Network is conne
Virtual Network Peering.
Do not use public IP addresses for Virtual Networks, especially if the public IP addresses do not belong to the customer.
For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution. Create a delegated zone for name resolution (such as
azure.contoso.com). Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual n
Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.
For environments where name resolution across Azure and on-premises is required, use existing DNS infrastructure (for example, Active Directory integrated DNS) deplo
least two virtual machines (VMs). Configure DNS settings in virtual networks to use those DNS servers.
You can still link an Azure Private DNS zone to the virtual networks and use DNS servers as hybrid resolvers with conditional forwarding to on-premises DNS names, such
onprem.contoso.com, by using on-premises DNS servers. You can configure on-premises servers with conditional forwarders to resolver VMs in Azure for the Azure Priva
(for example, azure.contoso.com). Use a virtual machine as a resolver for cross-premises DNS resolution with Azure Private DNS.
Create the Azure Private DNS zone within a global connectivity subscription. You might create other Azure Private DNS zones (for example, privatelink.database.window
privatelink.blob.core.windows.net for Azure Private Link).
Use ExpressRoute as the primary connectivity channel for connecting an on-premises network to Azure. You can use VPNs as a source of backup connectivity to enhance
resiliency. Use dual ExpressRoute circuits from different peering locations when you're connecting an on-premises location to virtual networks in Azure. This setup will e
redundant paths to Azure by removing single points of failure between on-premises and Azure. When you use multiple ExpressRoute circuits, optimize ExpressRoute rou
local preference and AS PATH prepending. Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requiremen
Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.
Use VNet injection for supported Azure services to make them available from within a customer Virtual Network.
Azure PaaS services that have been injected into a Virtual Network still perform management plane operations using public IP addresses. Ensure that this communication
down within the Virtual Network using UDRs and NSGs.
Use Azure Private Link, where available, for shared Azure PaaS services.
Create the Azure Private DNS zone within a global connectivity subscription. You might create other Azure Private DNS zones (for example, privatelink.database.window
privatelink.blob.core.windows.net for Azure Private Link).
Use Application Gateway WAF within a "Landing Zone" Virtual Network for protecting inbound HTTP/S traffic from the internet. Don't replicate on-premises perimeter n
concepts and architectures into Azure. Similar security capabilities are available in Azure, but the implementation and architecture must be adapted to the cloud.
Use Azure Front Door WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a "Landing Zone".
Use Azure DDoS Protection Standard protection plans to help protect all public endpoints hosted within your virtual networks.
For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled. Deploy Azure Application Gateway v2 or partn
for inbound HTTP/S connections within the landing-zone virtual network and with the apps that they're securing. Use Azure Front Door with WAF policies to deliver and
global HTTP/S apps that span Azure regions. Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.
Delegate subnet creation to the "Landing Zone" owner. This will enable them to define how to segment workloads across subnets (i.e. single large subnet, multi-tier app
app)
Implement default NSG config like Deny inbound RDP/SSH connections, Allow communication with domain controllers. NSGs must be used to protect traffic across subn
east-west traffic across the platform (inter "Landing Zone" traffic)
Application team should use Application Security Groups at the subnet level NSGs to protect multi-tier VMs within their "Landing Zone“.
Use NSGs and ASGs to microsegment traffic within the "Landing Zone" and avoid using a central NVA to filter these traffic flows.
The Platform team can use Azure Policy to ensure an NSG with specific rules (such as deny inbound SSH or RDP from Internet, or allow/block traffic across landing zones)
associated to subnets with Deny only policies
Is recommended to enable NSG Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.
Options to consider
apply media access control security (MACsec) in combination with EXPRESSROUTE Direct
With Virtual WAN use VPN gateway to establish IPsec tunnels over ExpressRoute private peering or use partner NVAs to establish IPsec tunnels when not implemented
Azure Virtual Network TAP (VTAP) is in preview, but your must reach to azurevnettap@microsoft.com for availability details.
Network Watcher packet captures in Network Watcher is GA, but captures are limited to a maximum period of 5 hours.
As alternative to Virtual Network TAP, evaluate the following options:
Use Network Watcher packet capture despite the limited capture window.
Evaluate if NSG Flow Logs v2 provide the level of detail required.
Use 3rd party solutions for scenarios where sustained deep packet inspection is required.
Do not develop a custom solution to mirror traffic. While this might be acceptable for small scale scenarios, this approach is not encouraged at scale due to complexity a
supportability issues which may arise.
Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements and data
policies mandate separate workspaces. Centralized logging is critical to the visibility required by operations management teams. Logging centralization drives reports ab
management, service health, configuration, and most other aspects of IT operations. Converging on a centralized workspace model reduces administrative effort and the
gaps in observability.
All IAAS and PAAS monitoring. Application insight is separate per workload , lifecycle.
Workspace configured in resource-centric access control mode, granular Azure RBAC is enforced to ensure application teams will only have access to the logs from their
Don't send raw log entries back to on-premises monitoring systems. Instead, adopt a principle that data born in Azure stays in Azure. If on-premises SIEM integration is r
send critical alerts instead of logs.
Export logs to Azure Storage if log retention requirements exceed two years. Use immutable storage with a write-once, read-many policy to make data non-erasable and
modifiable for a user-specified interval.
Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. For more information, see Und
Policy effects. Monitor in-guest virtual machine (VM) configuration drift using Azure Policy. Enabling guest configuration audit capabilities through policy helps applicatio
workloads to immediately consume feature capabilities with little effort. Use policies to enforce deployment of VM monitoring and dependency agent deployment
Enforcing Update Management configurations via Azure Policy ensures that all VMs are included in the patch management regimen and provides application teams with
manage patch deployment for their VMs. It also provides visibility and enforcement capabilities to the central IT team across all VMs.
Traffic Analytics analyzes NSG flow logs to gather deep insights about IP traffic within a virtual network and provides critical information for effective management and m
Traffic Analytics provide information such as most communicating hosts and application protocols, most conversing host pairs, allowed or blocked traffic, inbound and ou
traffic, open internet ports, most blocking rules, traffic distribution per an Azure datacenter, virtual network, subnets, or rogue networks.
Include service and resource health events as part of the overall platform monitoring solution. Tracking service and resource health from the platform perspective is an i
component of resource management in Azure.
Application Insight or second Log Analytics target is allowed. Application monitoring can use dedicated Log Analytics workspaces.
For applications that are deployed to virtual machines, logs should be stored centrally to the dedicated Log Analytics workspace from a platform perspective, and applica
can access the logs subject to the RBAC they have on their applications/virtual machines.
Use Azure Monitor Metrics for time sensitive analysis.
Use shared storage accounts within the "Landing Zone" for Azure Diagnostic Extension log storage when required.
Leverage Azure Monitor Alerts for the generation of operational alerts.
Don't use centralized instances of Key Vault for application keys or secrets.
Don't share Key Vault instances between applications to avoid secret sharing across environments. Use a federated Azure Key Vault model to avoid transaction scale lim
Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.
Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Azure Active Directory (Azure AD) role
Automate the certificate management and renewal process with public certificate authorities to ease administration.
Establish an automated process for key and certificate rotation.
Enable firewall and virtual network service endpoint on the vault to control access to the key vault.
Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.
Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.
Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.
Use policy to enforce Encryption in Transit for Azure services when applicable
If any data sovereignty requirements exist, custom user policies can be deployed to enforce them.
Identify required Azure tags and use the append policy mode to enforce usage.
Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments. Based on existing requirements, regulatory and compliance contro
(internal/external) - Determine what Azure Policies and Azure RBAC role are needed.
Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherited scopes.
Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.
Use Azure Policy to control resource provider registrations at the subscription and/or management group levels.
Use built-in policies where possible to minimize operational overhead.
Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.
Data retention periods for audit data. Azure AD Premium reports have a 30-day retention period.
Export Azure activity logs to Azure Monitor Logs for long-term data retention. Export to Azure Storage for long-term storage beyond two years, if necessary.
Enable via Policy
Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.
Monitor base operating system patching drift via Azure Monitor Logs and Azure Security Center.
Security on by default using Azure Policy.
Use Azure Security Benchmark.
Develop a security allow-list plan to assess services security configuration, monitoring, alerts, and how to integrate these with existing systems.
Capture security requirements and map it to Azure Services. Define implementation plans (short/mid/long term) and align Azure roadmap items.
Using Service enablement framework.
Define an incident response plan for Azure services before allowing it into production.
Consider Shared responsibility, HA and DR.
The list below presents a recommended set of DevOps roles for the central Platform Team.
AppDevOps
In some instances, customers may wish to break AppDevOps into more granular roles such as AppDataOps for database management like traditional DBA roles, or AppSe
more security sensitive applications are concerned; this is to be expected.
Git allows sharing and working on the same code and provide a full version history of every changes.
Deploy applications and infrastructure via continuous integration and either continuous delivery or continuous deployment.
Deploy infrastructure as code and sore these in git and integrate in CI/CD pipelines
azOps Discover existing services (subscription, policy, roles) deployed and bring them under source control so changes are done via code and pull request to have full tra
Shift to left security, part of the development cycle, include security in pipelines, sample vulnerability scanning of container registry of known Open Source vulnerabilitie
Shift to left security, part of the development cycle, include security in pipelines, sample vulnerability scanning of container registry of known Open Source vulnerabilitie
Create a subscription and move it under the Landing Zones management group scope.
Create Azure AD groups for the subscription, such as Owner, Reader, and Contributor.
Create Azure AD PIM entitlements for established Azure AD groups.
Application functions
-Application migration and transformation.
-Application management and monitoring (application resources).
-Key management (application keys).
-Azure RBAC (application resources).
-Security monitoring and audit (application resources).
-Cost management (application resources).
-Network management (application resources).
Central functions
-Architecture governance.
-Subscription management.
-Platform as code (management of templates, scripts, and other assets).
-Policy management and enforcement (holistic).
-Platform management and monitoring (holistic).
-Azure RBAC (holistic).
-Key management (central services).
-Network management (including networks and network virtual appliances).
-Security monitoring and audit (holistic).
-Cost management (holistic).
Score
Weight Score percentage
27 22.4 83%
5 5
5 5
2 0.4
2 0
1 0
2 2
5 5
2 2
3 3
0
34 30.8 91%
5 5
4 3.2
2 0.4
3 3
4 3.2
5 5
3 3
2 2
3 3
3 3
28 11.6 41%
5 0.5
2 1
5 5
2 0.2
1 0.4
2 2
5 2.5
4 0
2 0
0
61 41.6 68%
5 5
4 4
2 2
1 0
5 5
0
5 5
1 0
2 0.6
3 3
2 0
5 0
5 4
2 2
2 0
5 4
3 3
1 1
5 0
1 1
1 1
1 1
0
26 13.7 53%
5 0.5
1 1
5 1
5 5
1 1
1 0
4 1.2
4 4
11 2.5 23%
5 2.5
2 0
4 0
4 0
50 30.9 62%
4 3.2
4 4
4 2
1 0.5
1 0
3 3
4 0.8
1 1
2 0
4 4
2 0
2 1.4
5 5
2 2
2 1
4 0.8
1 1
4 1.2
26 18.8 72%
5 4.5
5 5
5 5
5 1.5
1 1
1 0
1 0
1 1
1 0.8
1 0
Priority --
100%
H C Management Group and Subscription Organization
50%
Sum of Score percentage 83%
0%
Priority ID
High C1.1
C2.1
C2.3
C4.2
E1.1
E1.3
E1.7
G2.4
G4.1
G4.3
Medium A1.3
A1.4
B1.2
B1.5
D2.3
D5.2
D6.2
F1.1
F1.2
G1.1
G1.3
G3.2
G3.5
Low A1.5
B2.2
C2.4
C4.1
C4.3
D4.1
D4.3
D7.1
E1.2
E1.4
E1.6
G2.1
G2.2
G2.6
G3.3
G3.4
G3.6
H1.4
H1.6
H1.7
H1.9
H2.1
Total Result
Item
Use Management groups for both policies and management RBAC
Create separate platform subscriptions for Management (Monitoring), Connectivity and Iden
Group subscriptions under Management groups to ensures that subscriptions with the same s
Tags enforced for billing
Single Log monitor workspace
Use Availability Zones to make deployment High Available over several zones.
Use Region for DR scenario or always available multi region deployments
Keyvault best practices
Encryption in transit
Export Azure activity logs
Data Retention policy for logging
Make Use of Dev/Test EA subscription cost optimize
Use Azure AD Application Proxy for Intranet application
Have new subscription as a service. Automate subscription creation File > New > Landing Zo
Implement Cost transparency across a technical estate.
Additional Tags to be enforced or optional
connecting on-premises locations (other datacenters) to Azure
Monitor the connectivity to Azure capacity
Deliver internal-facing and external-facing apps in a secure, highly scalable, and highly avail
Export logs to Azure Storage if log retention requirements exceed two years,
Update Management in Azure Automation as a long-term patching mechanism for both Win
Evaluate Native Backup Azure Backup for VM and PAAS backup driven by Policy to check compliance. Deploy recovery vault fo
Create guidance for DR, Backup with Global Redundant storage for DR or ASR.
Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects. Cr
Create policies to enforce for TLS, HTTPS
Implement Policy to enforce export
Evaluate current LA retention when guidance is ready
If dev having already Visual studio subscription this could be a cost optimization for dev/test subscriptions
Investigate the use of Azure AD Application proxy for Intranet applications
Create automation see https://github.com/Azure/Enterprise-Scale/tree/main/examples/landing-zones
Consider automated reporting when tags are enforced and applied with Power BI
See tagging sheet for other options
Considering Expressroute setup to get dedicated lines. Could use SURFNet as ER provider.
Implement NPM monitoring over S2S
Create clear policies when to use WAF and evaluate FrontDoor with WAF.
evaluate when retention policy is ready
Evaluate if Azure Update Management could have value
Planned used scripting to implement all production tag workloads should be locked
Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation
Include service and resource health events as part of the overall platform monitoring solution. Tracking service and resource h
Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherited scopes.Ma
Security on by default using Azure Policy.Use Azure Security Benchmark.
Define an incident response plan for Azure services before allowing it into production.Consider Shared responsibility, HA and D
Only use the authentication type "Work and School Account" for all account types. Avoid using the MSA account type.Restrict
90 Days
Use "Azure AD only" groups for Azure control plane resources in Azure AD PIM when granting access to resources.Add on-prem
Use custom RBAC role definitions within the Azure AD tenant, considering the following key roles: Azure Platform Owner, NetO
Create the Azure Private DNS zone within a global connectivity subscription. You might create other Azure Private DNS zones (
Create the Azure Private DNS zone within a global connectivity subscription. You might create other Azure Private DNS zones (
Use Application Gateway WAF within a "Landing Zone" Virtual Network for protecting inbound HTTP/S traffic from the interne
Leverage Azure native backup capabilities.Use native PaaS service disaster recovery capabilities.Use Azure VM backup VM sna
Use Azure paired regions when planning for BCDR.Employ Azure Site Recovery for Azure-to-Azure Virtual Machines disaster re
Don't use centralized instances of Key Vault for application keys or secrets.Don't share Key Vault instances between applicatio
Use policy to enforce Encryption in Transit for Azure services when applicable
Export Azure activity logs to Azure Monitor Logs for long-term data retention. Export to Azure Storage for long-term storage b
(empty)
Setup enterprise Dev/Test/Prod environments at an EA account level to support creation of dev/test workload for active Visua
If an organization has a scenario where an application that uses integrated Windows authentication must be accessed remote
Have in service catalog for appdev teams the service request new subscription. Deploy a new landing zone (File > New > Landi
Use Azure Cost Management + Billing for cost aggregation. Make it available to application owners.
(empty)
Use ExpressRoute as the primary connectivity channel for connecting an on-premises network to Azure. You can use VPNs as a
Proactively monitor ExpressRoute circuits by using Network Performance Monitor.
For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled. Dep
Export logs to Azure Storage if log retention requirements exceed two years. Use immutable storage with a write-once, read-m
Enforcing Update Management configurations via Azure Policy ensures that all VMs are included in the patch management reg
If any data sovereignty requirements exist, custom user policies can be deployed to enforce them.
Identify required Azure tags and use the append policy mode to enforce usage.
(empty)
(empty)
Use Azure policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline V
(empty)
Deploy infrastructure as code and sore these in git and integrate in CI/CD pipelines
Shift to left security, part of the development cycle, include security in pipelines, sample vulnerability scanning of container re
Shift to left security, part of the development cycle, include security in pipelines, sample vulnerability scanning of container re
Create a subscription and move it under the Landing Zones management group scope.Create Azure AD groups for the subscrip
Application functions-Application migration and transformation.-Application management and monitoring (application resour
(empty)
Server Active Directory domain controllers, when necessary.Establish a dedicated connectivity subscription in the Platform management g
s. Logging centralization drives reports about change management, service health, configuration, and most other aspects of IT operations.
dit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort. Use policies
and/or management group levels.Use built-in policies where possible to minimize operational overhead.Limit the number of Azure Policy a
tenants are used, ensure the Account Owner is associated with the same tenant as where subscriptions for the account are provisioned.
defined roles, which are then assigned to resource scopes. Direct user assignments circumvent centralized management, greatly increasin
e must be adapted to the cloud.Use Azure Front Door WAF policies to provide global protection across Azure regions for inbound HTTP/S c
e event of an outage affecting an Azure region or peering provider location. Avoid using overlapping IP address ranges for production and
icies enabled to allow retention protection for deleted objects.Follow a least privilege model by limiting authorization to permanently dele
o virtual networks in Azure. This setup will ensure redundant paths to Azure by removing single points of failure between on-premises and
Front Door with WAF policies to deliver and help protect global HTTP/S apps that span Azure regions. Use Traffic Manager to deliver glob
work management (application resources).Central functions-Architecture governance.-Subscription management.-Platform as code (mana
n the Platform management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and othe
other aspects of IT operations. Converging on a centralized workspace model reduces administrative effort and the chances for gaps in obs
s with little effort. Use policies to enforce deployment of VM monitoring and dependency agent deployment
it the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited
management, greatly increasing the management required to prevent unauthorized access to restricted data.
lure between on-premises and Azure. When you use multiple ExpressRoute circuits, optimize ExpressRoute routing via BGP local preferen
Traffic Manager to deliver global apps that span protocols other than HTTP/S.
ment.-Platform as code (management of templates, scripts, and other assets).-Policy management and enforcement (holistic).-Platform m
ExpressRoute circuit, and other networking resources. A dedicated subscription ensures that all foundation network resources are billed to
nd the chances for gaps in observability.All IAAS and PAAS monitoring. Application insight is separate per workload , lifecycle. Workspace c
(Azure AD) roles.Automate the certificate management and renewal process with public certificate authorities to ease administration.Esta
routing via BGP local preference and AS PATH prepending. Ensure that you're using the right SKU for the ExpressRoute/VPN gateways bas
rcement (holistic).-Platform management and monitoring (holistic).-Azure RBAC (holistic).-Key management (central services).-Network m
network resources are billed together and isolated from other workloads.
orkload , lifecycle. Workspace configured in resource-centric access control mode, granular Azure RBAC is enforced to ensure application te
ties to ease administration.Establish an automated process for key and certificate rotation.Enable firewall and virtual network service endp
d virtual network service endpoint on the vault to control access to the key vault.Use the platform-central Azure Monitor Log Analytics wo
nitoring and audit (holistic).-Cost management (holistic).
entries back to on-premises monitoring systems. Instead, adopt a principle that data born in Azure stays in Azure. If on-premises SIEM int
zure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.Delegate Key Vault insta
Azure. If on-premises SIEM integration is required, then send critical alerts instead of logs.
Vault.Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.
mpliant configuration.
Role Usage Type
Azure platform owner (such as the built-in Management group and subscription build-in
Owner role) lifecycle management
Network management (NetOps) Platform-wide global connectivity build-in
management: virtual networks, UDRs,
NSGs, NVAs, VPN, Azure ExpressRoute,
and others
SecOps "*/read",
"*/register/action",
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/policyAssignments/*",
"Microsoft.Authorization/policyDefinitions/*",
"Microsoft.Authorization/policyExemptions/*",
"Microsoft.Authorization/policySetDefinitions/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Management/managementGroups/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.Support/*",
"Microsoft.KeyVault/locations/deletedVaults/purge/action",
"Microsoft.PolicyInsights/*"
Owner *
Contributor *
SubscriptionOwner *
SubscriptionOwnerNoNetwork *
Contributor *
Reader */read
DevOpsAppOps *
DevOpsAppOpsHybridNetworkA *
ccess
No actions Proposed Proposed scope
YES <prefix>
YES <prefix>
NO <prefix>
NO <prefix>
YES <subsciption>
"Microsoft.Authorization/*/Delete", NO <subsciption>
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action"
"Microsoft.Authorization/*/write", NO <subsciption>
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Network/vpnGateways/*",
"Microsoft.Network/expressRouteCircuits/*",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/delete",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/routes/delete",
"Microsoft.Network/vpnSites/*"
"Microsoft.Authorization/*/write", NO <subsciption>
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/vpnGateways/*",
"Microsoft.Network/azurefirewalls/*",
"Microsoft.Network/expressRouteCircuits/*",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/delete",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/routes/delete",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
"Microsoft.Network/vpnSites/*"
YES <subsciption>
"Microsoft.Authorization/*/write", NO <Resourcegroup level>
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.KeyVault/locations/deletedVaults/purge/action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action",
"Microsoft.Network/vpnGateways/*",
"Microsoft.Network/azurefirewalls/*",
"Microsoft.Network/expressRouteCircuits/*",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/delete",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/routes/delete",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.Network/networkSecurityGroups/securityRules/delete",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/delete",
"Microsoft.Network/vpnSites/*"
"Microsoft.Authorization/*/read", NO <Resourcegroup level>
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/
join/action",
"Microsoft.Network/applicationSecurityGroups/read",
"Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/
action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/probes/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
Proposed AAD group name Implemented Remark
Direct assigned, azure-<prefix>-platform- NO Direct assignment now used should be
owners AAD group with PIM enabled
azure-<prefix>-platform-netOps NO
azure-<prefix>-platform-secOps
azure-<prefix>-platform-secOps
<<subscription name>-owners
<subscription name>-owners
<subscription name>-owners
Allowed-ResourceLocation Definition
Allowed-RGLocation Definition
Deploy-ASC-CE Definition
Enforce-Tags Definition
Deploy-LA-Config Definition (used in initial deploy)
Deploy-LogAnalytics Definition (used in initial deploy)
Deploy-FirewallPolicy Definition (used in initial deploy)
Deploy-HUB Definition (used in initial deploy)
Deploy-vHUB Definition (used in initial deploy)
Deploy-vWAN Definition (used in initial deploy)
Append-KV-SoftDelete Definition
Deny-AppGW-Without-WAF Definition
Deploy-VM-Backup Definition YES
Deny-IP-forwarding Definition YES
Deploy-SQL-Security Definition YES
Deploy-SQL-DB-Auditing Definition YES
Enforce-SQL-Encryption Definition YES
Deny-Storage-http Definition YES
Deploy-Storage-ATP Definition YES
Deploy-AKS-Policy Definition YES
Deny-Privileged-AKS Definition YES
Deny-Privileged-Escalations-AKS Definition YES
Enforce-AKS-HTTPS Definition YES
Deny-Subnets-Without-NSG Definition YES
Deny-RDP-From-Internet Definition YES
Deny-SSH-From-Internet Definition
Deploy-Network-Watcher Definition
Deploy-Budget Definition
Denied-Resources Definition
Denied-Vmsizes Definition
Deny-VNet-Peering Definition
Deny-PublicIP Definition
Deny-Public-Endpoints-for-PaaS-Services Initiative
Deny-Private-DNS-Zones Definition
Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint Definition
Deploy-DNSZoneGroup-For-File-PrivateEndpoint Definition
Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint Definition
Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint Definition
Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint Definition
Deploy-DNSZoneGroup-For-Table-PrivateEndpoint Definition
Deploy-vNet Definition
Deploy-VNET-HubSpoke Definition
Deploy-DDoSProtection Definition
Deploy-Nsg-FlowLogs Definition
Deploy-Windows-DomainJoin Definition
Deny-AA-child-resources Definition
Custom policy Proposed effect
location reference when not leave
custom policies or Proposed Management default. Or
AZ State Proposed Applied Group Default Values Count Type
75714362-cae7-409e-9b99-a8e5075b7fad DeployIfNotExists
69af7d4a-7b18-4044-93a9-2651498ef203 deployIfNotExists
e56962a6-4747-49cd-b67b-bf8b01975c4c deny
e765b5de-1225-4ba3-bd56-1ac6695af988 Deny
ffb6f416-7bd2-4488-8828-56585fef2be9 deployIfNotExists
<prefix>/Deploy-Budget DeployIfNotExists
6c112d4e-5bc7-47ae-a041-ea2d9dccd749 Deny
<prefix>/Deny-VNet-Peering Deny
<prefix>/Deny-PublicIP Deny
<prefix>s/Deny-PublicEndpoints Deny
<prefix>/Deny-Private-DNS-Zones Deny
<prefix>/Deploy-DNSZoneGroup-For-Blob-
PrivateEndpoint DeployIfNotExists
<prefix>/Deploy-DNSZoneGroup-For-File-
PrivateEndpoint DeployIfNotExists
<prefix>/Deploy-DNSZoneGroup-For-KeyVault-
PrivateEndpoint DeployIfNotExists
<prefix>/Deploy-DNSZoneGroup-For-Queue-
PrivateEndpoint DeployIfNotExists
<prefix>/Deploy-DNSZoneGroup-For-Sql-
PrivateEndpoint DeployIfNotExists
<prefix>/Deploy-DNSZoneGroup-For-Table-
PrivateEndpoint DeployIfNotExists
<prefix>/Deploy-vNet DeployIfNotExists
<prefix>/Deploy-VNET-HubSpoke DeployIfNotExists
<prefix>/Deploy-DDoSProtection DeployIfNotExists
<prefix>/Deploy-Nsg-FlowLogs DeployIfNotExists
<prefix>/Deploy-Windows-DomainJoin DeployIfNotExists
<prefix>/Deny-AA-child-resources Deny
Description
This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-com
This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance r
Enable export to Log Analytics workspace of Azure Security Center data. This policy deploys an export to Log Analytics workspace confi
a remediation task.
Use any of the existing Resource tag policies like "Require a tag on resource groups" , "Inherit a tag from the resource group if missing
Deploy the configurations to the Log Analytics in the subscription. This includes a list of solutions like update, automation etc and enab
Deploy the Log Analytics in the subscription
Deploys Azure Firewall Manager policy in subscription where the policy is assigned.
Deploys Virtual Network to be used as hub virtual network in desired region in the subscription where this policy is assigned.
Deploy Virtual Hub network with Virtual Wan and Gateway and Firewall configured in the desired region.
Deploy the Virtual WAN in the specific region.
This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.
This policy enables you to restrict that Application Gateways is always deployed with WAF enabled
[Preview]: Configure backup on VMs without a given tag to a new recovery services vault with a default policy
Network interfaces should disable IP forwarding
Deploy Auditing on SQL servers
Auditing on SQL server should be enabled
Deploy SQL DB transparent data encryption
Secure transfer to storage accounts should be enabled
Deploy Advanced Threat Protection on Storage Accounts
Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
Do not allow privileged containers in Kubernetes cluster
Kubernetes clusters should not allow container privilege escalation
Enforce HTTPS ingress in Kubernetes cluster
Subnets should have a Network Security Group
RDP access from the Internet should be blocked
This policy audits any network security rule that allows SSH access from Internet
This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group nam
This policy enables you to specify the resource types that your organization cannot deploy.
This policy denies the creation of vNet Peerings under the assigned scope.
This policy denies creation of Public IPs under the assigned scope.
Public network access should be disabled for PAAS services. Denies the creation of PAAS services with public endpoints on all landing
This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private
Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Blob Private Endpoint. Used enforce the configura
Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-File Private Endpoint. Used enforce the configurati
Deploys the configurations of a Private DNS Zone Group by a parameter for Key Vault Private Endpoint. Used enforce the configuration
Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Queue Private Endpoint. Used enforce the configu
Deploys the configurations of a Private DNS Zone Group by a parameter for SQL Private Private Endpoint. Used enforce the configurati
Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Table Private Endpoint. Used enforce the configur
Deploy spoke network with configuration to hub network based on ipam configuration object
This policy deploys virtual network and peer to the hub
Deploys an Azure DDoS Protection Standard plan
Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period.
Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Ma
This policy denies the creation of child resources on the Automation Account
Tag type Examples Description
Functional app = catalogsearch1 Categorize resources in relation to their purpose within a
tier = web workload, what environment they've been deployed to, or
webserver = apache other functionality and operational details. These tags are also
env = prod usefull for accounting to dril down in the cost per app and per
env = staging env
env = dev
Classification confidentiality = private Classifies a resource by how it is used and what policies apply
SLA = 24hours to it.
Partnership owner = jsmith Provides information about what people (outside of IT) are
contactalias = catsearchowners related or otherwise affected by the resource.
stakeholders = user1;user2;user3
See https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/resource-tagging/
Proposed category Proposed tags Implemented
YES app = catalogsearch1 NO
env = p
env = t
env = o
env = t
NO
NO
NO
Status Priority
Not Implemented High
Partial Implemented Medium
Implemented Low
Unknown to be validated -
Not applicable Evaluate
Currently not applicable --