    Comprehensive Guide to Azure Identity and Access Management for Secure Cloud Operations

    A Comprehensive Guide to Azure IAM: Understanding Tenants, Subscriptions, User Roles, Policies, Security Best Practices, and Compliance Strategies

    Published on Mar 11, 2025


    Executive Summary

    Identity and access management (IAM) in Azure rests on two services: Microsoft Entra ID, which holds identities (users, groups, service principals, managed identities) and performs authentication, and Azure role-based access control (RBAC), which authorizes those identities to act on resources. This guide covers policy management, user and non-human identity (NHI) administration, authentication, monitoring, and privileged access.

    Key recommendations include using Microsoft Defender for Cloud for misconfiguration detection, Microsoft Sentinel for identity activity tracking, and Terraform for scalable policy deployment. External tools such as SailPoint, Saviynt, and CyberArk add governance, compliance, and monitoring capabilities.

    By combining Azure’s native tools with external solutions and TechDemocracy’s custom connectors, organizations can achieve scalable identity governance, adaptive authentication, and proactive threat detection to secure and optimize cloud operations.

    Azure IAM Concepts

    • A tenant is a Microsoft Entra ID (formerly Azure AD) directory instance: the identity and trust boundary that owns users, groups, applications, and subscriptions. The closest analogues are an OCI tenancy and, in AWS, an Organization together with its identity store rather than a single account. For example, a bank operates all cloud production resources within its tenant, BankTenant.onmicrosoft.com.
    • A management group is a hierarchical container for subscriptions under a unified governance framework, similar to organizational units in AWS Organizations or a compartment hierarchy in OCI. A management group can only contain subscriptions that belong to the same tenant. For example, a bank with separate subscriptions for its Insurance, Retail Banking, and Investment Banking business units can place them under one management group so that access policies and compliance policies are assigned once and inherited.
    • A subscription is a billing unit and resource container within a tenant; it carries quotas and is a scope for RBAC role assignments and Azure Policy. For example, RetailBankingKYCSubscription may contain all infrastructure for a KYC project, giving clear cost segregation and governance. The closest analogue elsewhere is an AWS account, but the separation of the billing and resource boundary (subscription) from the identity boundary (tenant) is specific to Azure.
    • A resource group is a logical container for resources within a subscription, similar to an OCI compartment. Azure Policy assignments and RBAC role assignments made at this scope are inherited by every resource in the group. For example, a KYC-Analytics resource group in the RetailBanking subscription may include Azure SQL databases, AI models, and storage accounts for customer data analytics.
    • A user is a human identity in Microsoft Entra ID, either a member of the tenant or a guest invited through B2B collaboration, used for authentication and authorization in Azure.
    • A group is a collection of identities used for centralized role assignments and policy enforcement. Groups can be static (manual membership) or dynamic (rule-based). For example, the Database Admins group is assigned the SQL DB Contributor role across multiple subscriptions so that permissions are managed in one place.
    • A managed identity is an Entra ID identity that Azure creates and maintains for a workload (VMs, Azure Functions, AKS, and so on). The workload obtains tokens from the platform, and no credential is ever issued to it. A system-assigned identity lives and dies with its resource; a user-assigned identity is a standalone resource that several workloads can share. The closest analogues are an AWS IAM role attached to an EC2 instance and OCI instance or resource principals. For example, a VM in DataPipeline-RG uses a system-assigned managed identity to authenticate to Azure Key Vault and retrieve secrets.
    • A service principal is the tenant-local identity of an application, used for automation and programmatic access; it is Azure's generic Non-Human Identity (NHI). A managed identity is a service principal of a special type whose credential the platform manages, whereas a service principal created from an app registration authenticates with a client secret, a certificate, or a federated credential that you manage. For example, a Terraform deployment pipeline uses a service principal to provision Azure infrastructure automatically.
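    The scope hierarchy above is what makes Azure RBAC easy to over-grant: a role assigned at a management group is silently present on every resource below it, and group nesting widens the set of principals an assignment matches. The following added example (not code from the article, from TechDemocracy, or from Microsoft) resolves the effective roles a principal holds on one resource and lists the standing high-privilege assignments that PIM should replace. The hierarchy, groups, and role assignments are constructed sample data shaped after the ARM roleAssignments API objects; the constant names are assumptions for the example.

```python
"""Resolve effective Azure RBAC role assignments across the scope hierarchy.

Added example; not code from the original article or from Microsoft.
Role assignments are modelled after the objects returned by
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01
(assumption: only principalId, principalType, roleDefinitionName and scope are kept,
and the hierarchy, groups and assignments below are constructed sample data).
"""
from __future__ import annotations

# Constructed scope hierarchy mirroring the article's bank example.
TENANT_ROOT = "/providers/Microsoft.Management/managementGroups/BankRoot"
MG_RETAIL = "/providers/Microsoft.Management/managementGroups/RetailBanking"
SUB_KYC = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG_ANALYTICS = SUB_KYC + "/resourceGroups/KYC-Analytics"
KV_SECRETS = RG_ANALYTICS + "/providers/Microsoft.KeyVault/vaults/kyc-kv"

# Management group nesting and subscription placement are not encoded in the IDs,
# so they are given explicitly; resource group and resource parents are derived.
MG_PARENT = {TENANT_ROOT: None, MG_RETAIL: TENANT_ROOT}
SUB_PARENT = {SUB_KYC: MG_RETAIL}

# Constructed Entra ID group membership; groups can nest.
GROUP_MEMBERS = {
    "grp-platform-admins": ["grp-sre", "user-alice"],
    "grp-sre": ["user-bob"],
    "grp-db-admins": ["user-carol"],
}

ROLE_ASSIGNMENTS = [
    {"principalId": "grp-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": TENANT_ROOT},
    {"principalId": "user-bob", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB_KYC},
    {"principalId": "grp-db-admins", "principalType": "Group",
     "roleDefinitionName": "Key Vault Secrets User", "scope": KV_SECRETS},
    {"principalId": "mi-datapipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Secrets User", "scope": RG_ANALYTICS},
]

HIGH_PRIVILEGE = {"Owner", "Contributor", "User Access Administrator"}


def parent_scope(scope: str) -> str | None:
    """Next scope up the hierarchy, or None at the tenant root management group."""
    if scope in MG_PARENT:
        return MG_PARENT[scope]
    if scope in SUB_PARENT:
        return SUB_PARENT[scope]
    if "/resourceGroups/" in scope and "/providers/" in scope:
        return scope.split("/providers/")[0]        # resource -> resource group
    if "/resourceGroups/" in scope:
        return scope.split("/resourceGroups/")[0]   # resource group -> subscription
    raise ValueError(f"unknown scope: {scope}")


def principals_for(principal: str) -> set[str]:
    """The principal itself plus every group it belongs to, transitively.
    Azure RBAC honours transitive group membership, so nested groups count."""
    result = {principal}
    changed = True
    while changed:
        changed = False
        for group, members in GROUP_MEMBERS.items():
            if group not in result and any(m in result for m in members):
                result.add(group)
                changed = True
    return result


def effective_roles(principal: str, scope: str) -> dict[str, str]:
    """Roles `principal` holds at `scope`, mapped to the scope each one is inherited from.
    Azure RBAC is additive: an assignment at any ancestor scope applies here too."""
    principals = principals_for(principal)
    roles: dict[str, str] = {}
    current = scope
    while current is not None:
        for ra in ROLE_ASSIGNMENTS:
            if ra["scope"] == current and ra["principalId"] in principals:
                roles.setdefault(ra["roleDefinitionName"], current)
        current = parent_scope(current)
    return roles


def standing_privileged_assignments() -> list[tuple[str, str, str]]:
    """High-privilege roles assigned permanently at management group or subscription scope.
    These are the first candidates to convert into PIM eligible (just-in-time) assignments."""
    found = []
    for ra in ROLE_ASSIGNMENTS:
        broad = ra["scope"] in MG_PARENT or ra["scope"] in SUB_PARENT
        if broad and ra["roleDefinitionName"] in HIGH_PRIVILEGE:
            found.append((ra["principalId"], ra["roleDefinitionName"], ra["scope"]))
    return found


if __name__ == "__main__":
    for who in ("user-bob", "user-carol", "mi-datapipeline"):
        print(who, "on kyc-kv:", effective_roles(who, KV_SECRETS))
    print("standing privileged:", standing_privileged_assignments())
```

    Run as-is it shows user-bob holding Owner on the Key Vault through the subscription and Contributor through a nested group at the tenant root, while the managed identity holds only the narrow Key Vault Secrets User role inherited from its resource group. Against a real tenant, replace the constructed lists with the output of the roleAssignments API and Microsoft Graph transitive group membership.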

    User Attributes

    Microsoft Entra ID stores the usual directory attributes for a user (displayName, givenName, surname, mail, jobTitle, department, and so on) and lets the organization add custom extension attributes and custom security attributes. The attributes that matter most for access management and security review are the following:

    • User Object ID:
      A unique identifier assigned to each user, formatted as a GUID (Globally Unique Identifier).
      Example: 3b1f4a99-2d42-47f8-a54d-4b3c9b09c001
    • User Principal Name (UPN):
      The user's primary identifier, typically matching their email address, used for authentication.
      Example: john.doe@bank.com
    • Federated Identity (if applicable):
      When authentication is delegated to an external IdP (e.g., Okta, Ping Identity, AD FS, Google Workspace), the external provider verifies the credentials and Entra ID issues the tokens. The user is still an Entra ID object, so roles and group membership are assigned in Entra ID, optionally driven by group claims or provisioning from the IdP.
      Example: A user authenticated through Okta is placed in Entra ID groups, and therefore Azure roles, according to their IdP group membership.
    • Creation Time:
      The timestamp showing when the user account was created in Microsoft Entra ID.
      Example: 2025-01-01T10:00:00Z
    • Extension Attributes (Optional):
      Entra ID has no resource tags on users; the equivalents are the extensionAttribute1-15 fields, directory extension attributes, and custom security attributes. They can drive dynamic group membership rules, and custom security attributes can also be referenced in Azure RBAC (ABAC) conditions.
      Example: Department=Finance, CostCenter=4711, or a custom security attribute DataClassification=Confidential
    • Authentication Factors:
      Required when authentication is not delegated to an external IdP.
      Password: used for interactive sign-in, subject to the tenant's password protection settings (banned password lists) and expiration policy.
    • MFA Configuration:
      Registered methods for Microsoft Entra multifactor authentication: Microsoft Authenticator push notifications or OTPs, FIDO2 security keys (e.g., YubiKey), or certificate-based authentication. Privileged accounts should be required to use a phishing-resistant method (FIDO2 or certificate-based).
    • Last Activity Time:
      Records the user's most recent sign-in, API activity, or authentication attempt, aiding in identifying inactive accounts.
      Example: LastLogin=2025-01-25T12:34:56Z
    • Tenant Membership:
      Defines the user's association with a Microsoft Entra tenant, where users are created and managed. Permissions are assigned via groups and RBAC roles.
      Example: john.doe@bank.com belongs to the BankCorp.onmicrosoft.com tenant.
    • Credential Types:
      Human users authenticate with passwords and MFA methods. Programmatic access uses short-lived OAuth 2.0 tokens obtained with a client secret, a certificate, a federated credential, or a managed identity. Long-lived client secrets and certificates belong in Azure Key Vault with rotation; better still, use managed identities or workload identity federation so there is no secret to store at all.
      Example: A pipeline's service principal certificate is stored in Key Vault and auto-rotated; the access tokens it obtains live for roughly an hour and are never stored.
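    The Last Activity Time and Creation Time attributes are what an inactive-account review runs on. The following added example (not code from the article, from TechDemocracy, or from Microsoft) flags enabled accounts that have gone quiet or were created and never used, using user records shaped like the Microsoft Graph user resource with signInActivity. The user records and the fixed clock are constructed for the example; thresholds are assumptions to be tuned per organization.

```python
"""Find inactive and never-used Entra ID accounts from Microsoft Graph user objects.

Added example; not code from the original article or from Microsoft. The records
follow the shape returned by
GET https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName,accountEnabled,userType,createdDateTime,signInActivity
(reading signInActivity requires the AuditLog.Read.All permission and an Entra ID
P1 or P2 licence). The user records and the fixed clock below are constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 3, 11, tzinfo=timezone.utc)  # fixed clock so results are reproducible

USERS = [
    {"id": "3b1f4a99-2d42-47f8-a54d-4b3c9b09c001", "userPrincipalName": "john.doe@bank.com",
     "accountEnabled": True, "userType": "Member", "createdDateTime": "2024-01-01T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-03-10T08:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2025-03-11T02:00:00Z"}},
    {"id": "a1", "userPrincipalName": "old.contractor@bank.com",
     "accountEnabled": True, "userType": "Member", "createdDateTime": "2023-06-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-09-01T09:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
    {"id": "a2", "userPrincipalName": "partner_example.org#EXT#@bank.onmicrosoft.com",
     "accountEnabled": True, "userType": "Guest", "createdDateTime": "2024-11-15T00:00:00Z",
     "signInActivity": None},                       # invited, invitation never redeemed
    {"id": "a3", "userPrincipalName": "svc-batch@bank.com",
     "accountEnabled": False, "userType": "Member", "createdDateTime": "2022-01-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-01-01T00:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},   # already disabled
    {"id": "a4", "userPrincipalName": "new.hire@bank.com",
     "accountEnabled": True, "userType": "Member", "createdDateTime": "2025-03-05T00:00:00Z",
     "signInActivity": None},                       # six days old, still within the grace period
]


def parse_ts(value):
    """Graph returns ISO 8601 timestamps with a Z suffix; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def last_activity(user):
    """Most recent sign-in of either kind, or None if the account has never signed in.
    Non-interactive sign-ins (token refreshes by apps on the user's behalf) count:
    an account that only refreshes tokens is still in use, and disabling it breaks something."""
    activity = user.get("signInActivity") or {}
    stamps = [parse_ts(activity.get("lastSignInDateTime")),
              parse_ts(activity.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def find_stale_accounts(users, now=NOW, inactive_days=90, never_used_grace_days=30):
    """Return (UPN, userType, reason) for enabled accounts that look abandoned.
    Disabled accounts are skipped: they are already contained, and deleting them
    is a separate retention decision."""
    findings = []
    for user in users:
        if not user["accountEnabled"]:
            continue
        last = last_activity(user)
        if last is None:
            age = now - parse_ts(user["createdDateTime"])
            if age > timedelta(days=never_used_grace_days):
                findings.append((user["userPrincipalName"], user["userType"],
                                 f"never signed in, created {age.days} days ago"))
        elif now - last > timedelta(days=inactive_days):
            findings.append((user["userPrincipalName"], user["userType"],
                             f"inactive for {(now - last).days} days"))
    return findings


if __name__ == "__main__":
    for upn, kind, reason in find_stale_accounts(USERS):
        print(f"{kind:6} {upn}: {reason}")
```

    The guest that never redeemed its invitation is the case most reviews miss: it has no sign-in activity at all, so a query that only sorts by last sign-in date never surfaces it. Unredeemed guests and long-inactive members are also the accounts an IGA access review should expire automatically.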

    Entitlement Types & Their Attributes

    • Role-Based Access Control (RBAC)
      Key attributes: role name, scope (management group, subscription, resource group, or resource), assigned users, groups, or service principals.
      The primary authorization model for Azure resources. Assignments are inherited down the scope hierarchy and permissions are additive; Azure RBAC has no user-created deny rules, so the only way to take a permission away is to remove or narrow an assignment.
      Example: Assign the Contributor role to the DevOps team at the resource group level to allow resource changes without granting Owner, which would also allow them to manage role assignments.

    • Privileged Identity Management (PIM) Assignments
      Key attributes: role name, eligible vs. active assignment, just-in-time (JIT) activation, approval workflow, time-bound access.
      PIM replaces standing privileged assignments with eligible ones that are activated for a limited time, optionally requiring approval, justification, and MFA. It covers Entra ID directory roles, Azure resource roles, and group membership (PIM for Groups).
      Example: A security engineer is eligible for Global Administrator and requests an eight-hour activation that requires approval before it takes effect.

    • Resource-Based Policies
      Key attributes: resource (VM, storage account, Key Vault), principal (user, group, service principal), actions.
      Azure authorization is almost entirely identity-based (RBAC and PIM). The resource-attached exceptions are Key Vault access policies (the legacy permission model), storage account keys and SAS tokens, and similar resource-local credentials, none of which appear in an RBAC review. Use them only where there is no identity-based alternative (for example, some cross-tenant or external-workload scenarios), and prefer the RBAC permission model on Key Vault.

    • Conditional Access Policies (CAPs)
      Key attributes: conditions (user or role, application, device state, location, sign-in and user risk), required authentication strength (MFA, phishing-resistant MFA), grant or block controls, session controls.
      Enforce access rules based on the context of each sign-in. Exclude at least one break-glass account from every policy so that a misconfigured policy cannot lock out all administrators.
      Example: Require MFA for access from an untrusted network, but allow seamless sign-in from a compliant, Intune-managed corporate device.

    • Identity Protection Risk-Based Policies
      Key attributes: risk detection type, risk level, remediation action (block, require MFA, force password reset).
      Adapt policy decisions to risk signals computed per user and per sign-in.
      Example: If atypical travel is detected for a user, require an MFA challenge before granting access; if the user's risk level is high, require a secure password change.

    • Service Principal & Managed Identity Permissions
      Key attributes: application (client) ID, object ID, API permissions (Microsoft Graph application or delegated permissions), RBAC scope (tenant, subscription, resource).
      Control what applications and workloads can access, both in Azure resources (RBAC) and in directory data (Graph API permissions, which require admin consent).
      Example: An Azure Function uses a managed identity to retrieve secrets from Azure Key Vault instead of storing credentials.

    • Azure Lighthouse Delegated Access
      Key attributes: managing tenant, delegated roles, customer subscription or resource group scope.
      Lets a service provider manage a customer's resources from its own tenant, with the delegated roles visible to and revocable by the customer.
      Example: A service provider is granted Reader access to monitor a customer's Azure environment without full control.

    • Azure Policy
      Key attributes: policy definition or initiative, assignment scope (management group, subscription, resource group), effect (Audit, Deny, Modify, DeployIfNotExists).
      Enforces compliance and governance at scale; a Deny effect blocks non-compliant deployments regardless of the deployer's RBAC permissions.
      Example: A policy denies VM deployments outside the approved Azure regions.

    • Entitlement Management (Access Packages)
      Key attributes: package name, eligible users (including external users), lifecycle rules (expiration, access reviews), approval flow.
      A bundle of groups, applications, and SharePoint sites that can be requested or assigned together, with access expiring or being re-reviewed automatically.
      Example: A package containing all infrastructure resources for a business application can be assigned to infra or application SREs responsible for resolving production incidents.
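    The Conditional Access example above (MFA from untrusted networks, seamless sign-in from a compliant device) depends on include and exclude semantics and on the grant operator, which is where real policies go wrong. The following added example (not code from the article, from TechDemocracy, or from Microsoft) models one policy in the shape of the Microsoft Graph conditionalAccessPolicy resource and evaluates sign-in contexts against it. The evaluator is a deliberately simplified model of Entra ID's behaviour: only user, application, and location conditions and built-in grant controls are modelled, and the object IDs and contexts are constructed.

```python
"""Evaluate a Conditional Access policy against a sign-in context.

Added example; not code from the original article or from Microsoft. The policy
dict follows the shape of the Microsoft Graph conditionalAccessPolicy resource
(POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies).
The evaluator is a simplified model of how Entra ID applies such a policy
(assumption: only users, applications, locations and built-in grant controls are
modelled; device filters, risk levels and session controls are left out).
"""

BREAK_GLASS_ID = "0f0f0f0f-0000-4000-8000-000000000001"  # constructed object ID

POLICY = {
    "displayName": "Require MFA or compliant device outside trusted locations",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}


def make_ctx(user_id, app_id="app-portal", location_id="loc-internet",
             trusted=False, mfa=False, compliant=False):
    """A sign-in context as the evaluator sees it (constructed shape, not a Graph type)."""
    return {"userId": user_id, "appId": app_id, "locationId": location_id,
            "trustedLocation": trusted, "mfaSatisfied": mfa, "deviceCompliant": compliant}


def policy_applies(policy, ctx):
    """Does the policy's condition set match this sign-in? Exclusions always win over
    inclusions, which is why the break-glass exclusion is safe regardless of 'All'."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    users, apps, locs = cond["users"], cond["applications"], cond.get("locations")
    if ctx["userId"] in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and ctx["userId"] not in users["includeUsers"]:
        return False
    if "All" not in apps["includeApplications"] and ctx["appId"] not in apps["includeApplications"]:
        return False
    if locs:
        excluded = locs.get("excludeLocations", [])
        if ("AllTrusted" in excluded and ctx["trustedLocation"]) or ctx["locationId"] in excluded:
            return False
        included = locs["includeLocations"]
        trusted_ok = "AllTrusted" in included and ctx["trustedLocation"]
        if "All" not in included and ctx["locationId"] not in included and not trusted_ok:
            return False
    return True


def evaluate(policy, ctx):
    """Return the ConditionalAccessStatus the sign-in log would show: 'notApplied',
    'success' (grant controls satisfied) or 'failure' (a required control is missing;
    in practice Entra ID prompts for the control before recording a failure)."""
    if not policy_applies(policy, ctx):
        return "notApplied"
    grant = policy["grantControls"]
    controls = grant["builtInControls"]
    if controls == ["block"]:
        return "failure"
    satisfied = {"mfa": ctx["mfaSatisfied"], "compliantDevice": ctx["deviceCompliant"]}
    results = [satisfied.get(control, False) for control in controls]
    ok = any(results) if grant["operator"] == "OR" else all(results)
    return "success" if ok else "failure"


if __name__ == "__main__":
    print(evaluate(POLICY, make_ctx("alice")))                                 # failure
    print(evaluate(POLICY, make_ctx("alice", mfa=True)))                       # success
    print(evaluate(POLICY, make_ctx("alice", trusted=True)))                   # notApplied
    print(evaluate(POLICY, make_ctx(BREAK_GLASS_ID)))                          # notApplied
```

    Switching the operator to AND turns "MFA or a compliant device" into "MFA and a compliant device", which is the usual cause of a surprise lockout after a policy edit; the evaluator makes that difference explicit before the policy is pushed to the tenant.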

    Recommendations

    Policy Recommendations

    Policies Included: RBAC role assignments and custom role definitions, ABAC conditions on role assignments, Azure Policy definitions and assignments, tags used for governance, and the few resource-based controls (Key Vault access policies, SAS tokens).

    Options for Configuration:

    Azure Native Tools:
    • Azure Portal, Azure CLI, PowerShell, Terraform: Used to define and manage policies at scale, with automation and version control.
    • Microsoft Entra ID dynamic groups: Used to attach role assignments and policies to a rule-based membership instead of to individual users.
    • Microsoft Defender for Cloud: Monitors and enforces organization-level security guardrails, detects misconfigurations, and identifies anomalous identity behavior across subscriptions.

    External Tools:
    • IGA tools (e.g., SailPoint, Saviynt): Centralize governance for RBAC, Conditional Access, and access reviews, ensuring compliance with Azure identity frameworks.
    • CNAPP tools (e.g., Wiz, Orca Security): Provide visibility into and enforcement of resource-based policies, excessive permissions, and workload security in Azure environments.
    • ITDR tools (e.g., Microsoft Defender for Identity, CrowdStrike Falcon, SentinelOne): Detect identity-based threats such as privilege abuse, lateral movement, and compromised accounts.
    • CSPM tools (e.g., Check Point CloudGuard, Palo Alto Prisma Cloud, Lacework): Monitor and enforce compliance policies across Azure subscriptions, identifying IAM misconfigurations and security drift.

    Aggregation Entities Administration Recommendations

    Scope: tenant, management group, subscription, resource group, organizational policies (azure policy).

    Options for Configuration:

    Azure Native Tools:
    • Azure Portal: Create and manage tenants, management groups, subscriptions, resource groups, and organizational policies interactively. Best for smaller-scale setups or one-off configurations.
    • Azure CLI: Script the creation and governance of management groups, subscriptions, and resource groups for automation.
    • Azure REST API: Integrate the Azure Resource Manager APIs into workflows to create and manage management groups, subscriptions, and resource groups at scale.
    • Terraform: Define management groups, subscriptions, and resource groups as Infrastructure-as-Code (IaC) for auditability, version control, and CI/CD integration. Subscriptions can be created this way under an Enterprise Agreement or Microsoft Customer Agreement billing account; tenants themselves are created manually.
    • Microsoft Defender for Cloud: Monitor organizational guardrails (Azure Policy) to detect and remediate misconfigurations, excessive permissions, and compliance violations across management groups and subscriptions.

    External Tools:
    • IGA tools (e.g., SailPoint, Saviynt): Provide centralized governance for RBAC roles, management group policies, and organizational security policies, with workflows for role provisioning, policy governance, and periodic compliance reviews.
    • CSPM tools (e.g., Check Point CloudGuard, Palo Alto Prisma Cloud): Monitor and enforce subscription-level policies, organizational guardrails, and compliance frameworks.

    User Administration

    Scope: User Account Creation, User Group Assignments, and Identity Policy Assignments to Users. 

    Options for Configuration:

    Azure Native Tools:
    • Azure Portal, Azure CLI, Microsoft Graph API, Terraform, Entra ID access reviews: Native Azure tools for creating users and groups, automating the user lifecycle, defining group membership and role assignments as code, and periodically recertifying access.
    External ToolsDescription
    IGA Tools (e.g., SailPoint, Saviynt)Support centralized governance for user lifecycle management, group assignments, and access policy enforcement, ensuring compliance with Azure IAM frameworks.
    CNAPP Tools (e.g., Wiz, Orca Security)Provide visibility into misconfigured IAM roles, excessive user permissions, and policy drift in Azure environments.
    CSPM Tools (e.g., Palo Alto Prisma Cloud, Check Point CloudGuard)Extend compliance monitoring to Azure IAM, ensuring identity policies and user role assignments align with best practices.

    PAM (Privileged Access Management)

    Scope: Monitor and manage Break The Glass Activities, Emergency Assignments, Privileged Session Recording, Shared Accounts Administration, and Break The Glass Account Administration.

    Options for Configuration:

    Azure Native Tools:
    • Microsoft Entra ID PIM: Enables just-in-time access for privileged roles, reducing standing admin privileges and enforcing approval workflows.
    • Azure Bastion: Provides secure remote access to VMs without exposing RDP/SSH to the internet.
    • Azure Monitor & Microsoft Defender for Cloud: Track privileged activity, detect anomalies, and enforce real-time security monitoring.
    • Azure Policy: Enforces configuration guardrails on the resources privileged users touch (for example, denying public exposure of management endpoints); expiration of privileged access itself is enforced by PIM, not by Azure Policy.

    Note

    Determining Scope for PAM in Microsoft Entra ID:

    Policies and Permissions: Accounts with high-risk permissions (e.g., Global Admin, Subscription Owner) require PAM, while low-risk, read-only accounts may not.

    Application Classification: Compliance, risk severity, and business criticality of accessed applications determine the need for PAM.

    Nature of the Account: Named, shared, break-glass, and non-human identity (NHI) accounts should be evaluated based on usage and associated risks.

    Frequency and Scope: Rare, high-impact activities warrant PAM, while frequent, low-risk actions may not.

    This approach ensures PAM is implemented where it provides the greatest security benefit while avoiding unnecessary complexity.

    NHI Administration

    Scope: Create NHIs (Non-Human Identities) and assign entitlements (roles, policies) to them, while ensuring proper governance, secure storage, and lifecycle management. 

    Options for Configuration:

    Azure Native Tools:
    • Azure Portal: Create and manage NHIs, including service principals and managed identities.
    • Azure CLI: Automate the provisioning and governance of service principals and managed identities.
    • Microsoft Graph and Azure REST APIs: Create, assign, and manage NHIs dynamically at scale.
    • Terraform: Define NHIs, assign roles, and manage policies as Infrastructure-as-Code (IaC) for scalability and auditability.
    • Microsoft Entra Workload ID: Workload identity federation lets external workloads (CI/CD pipelines, Kubernetes clusters, other clouds) exchange their own tokens for Entra ID tokens, eliminating long-lived client secrets.
    • Azure Key Vault: Securely store the secrets, certificates, and API keys that NHIs still need.

    External Tools:
    • IGA tools (e.g., SailPoint, Saviynt): With lifecycle management integration, these tools provide governance workflows for NHI entitlements, such as approval procedures, recurring reviews, and compliance monitoring.
    • NHI governance tools (e.g., Veza, Astrix, Entro): Automate NHI lifecycle management, including creation, secure credential storage, credential rotation, and enforcement of Zero Trust principles.

    A Note on Role vs NHI

    Navigating workload security and Non-Human Identities (NHIs) presents opportunities for threat modeling and best practice development. Here are three approaches for securing machine interactions in Microsoft Entra ID. Note that in Azure a managed identity is itself a service principal, so the real distinction is between an identity whose credential the platform manages and one whose credential you manage.

    Managed-Identity (Role-Based) Approach:

    • Avoid creating an app registration with its own secret or certificate.
    • Instead, assign a system- or user-assigned managed identity to the workload and grant that identity the RBAC roles it needs; the workload obtains tokens from the platform and never handles a credential.

    NHI-Based Approach:

    • Create a service principal from an app registration with a client secret or certificate, or better, with a federated credential for workloads outside Azure such as a GitHub Actions pipeline.
    • Have the consuming workload authenticate with it to perform Azure operations. Use this where a managed identity is not available, for example for external workloads or cross-tenant access.

    Hybrid Defense-in-Depth Approach:

    • Implements multiple layers of defense aligned with Zero Trust Architecture principles.
    • Create the NHI and store its secrets securely in Azure Key Vault.
    • IAM policy: ensure any program retrieving the credential must first authenticate with a managed identity that holds Key Vault Secrets User on that vault, so access to the secret is itself identity-based and logged.
    • Credential rotation: use Azure Automation or third-party tools to rotate credentials after each use, so a leaked secret expires immediately and workloads must fetch fresh credentials dynamically. Where per-use rotation is impractical, workload identity federation reaches the same goal with tokens that expire on their own.
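    Whichever approach is chosen, the credentials that already exist on app registrations need a periodic audit: expired secrets left in place, validity windows of years, secrets kept after federation was set up. The following added example (not code from the article, from TechDemocracy, or from Microsoft) runs those checks over application records shaped like Microsoft Graph application objects. Two fields are assumptions for the example: servicePrincipalType copied from the matching service principal, and the federated identity credentials inlined under federatedIdentityCredentials. All records and the clock are constructed.

```python
"""Audit service principal credentials for expiry, over-long validity and redundancy.

Added example; not code from the original article or from Microsoft. Records follow
the shape of Microsoft Graph application objects
(GET https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,passwordCredentials,keyCredentials)
with two additions that are assumptions for this example: a servicePrincipalType field
copied from the matching service principal, and the application's federated identity
credentials inlined under federatedIdentityCredentials (Graph exposes them at
/applications/{id}/federatedIdentityCredentials). All records and the clock are constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 3, 11, tzinfo=timezone.utc)  # fixed clock for reproducible output

APPS = [
    {"displayName": "terraform-pipeline", "appId": "b1", "servicePrincipalType": "Application",
     "passwordCredentials": [
         {"keyId": "k1", "displayName": "tf-secret-2023",
          "startDateTime": "2023-03-01T00:00:00Z", "endDateTime": "2025-03-01T00:00:00Z"},
         {"keyId": "k2", "displayName": "tf-secret-2025",
          "startDateTime": "2025-02-20T00:00:00Z", "endDateTime": "2027-02-20T00:00:00Z"}],
     "keyCredentials": [], "federatedIdentityCredentials": []},
    {"displayName": "github-deploy", "appId": "b2", "servicePrincipalType": "Application",
     "passwordCredentials": [
         {"keyId": "k3", "displayName": "gh-secret",
          "startDateTime": "2024-11-01T00:00:00Z", "endDateTime": "2025-04-01T00:00:00Z"}],
     "keyCredentials": [],
     "federatedIdentityCredentials": [
         {"name": "github-main", "issuer": "https://token.actions.githubusercontent.com",
          "subject": "repo:bank/infra:ref:refs/heads/main",
          "audiences": ["api://AzureADTokenExchange"]}]},
    {"displayName": "kyc-function", "appId": "b3", "servicePrincipalType": "ManagedIdentity",
     "passwordCredentials": [], "keyCredentials": [], "federatedIdentityCredentials": []},
    {"displayName": "legacy-reporting", "appId": "b4", "servicePrincipalType": "Application",
     "passwordCredentials": [],
     "keyCredentials": [
         {"keyId": "k4", "displayName": "reporting-cert", "type": "AsymmetricX509Cert",
          "usage": "Verify", "startDateTime": "2022-01-01T00:00:00Z",
          "endDateTime": "2032-01-01T00:00:00Z"}],
     "federatedIdentityCredentials": []},
]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_findings(app, now=NOW, max_validity_days=180, warn_days=30):
    """Findings for one application as (app, credential, message) tuples.
    Checks, in order per credential: expired but not removed; validity window longer
    than the policy maximum; expiring soon; a secret that is redundant because the app
    already authenticates with workload identity federation."""
    if app.get("servicePrincipalType") == "ManagedIdentity":
        return []   # credential is platform-managed: nothing to rotate and nothing to leak
    has_federation = bool(app.get("federatedIdentityCredentials"))
    creds = [("secret", c) for c in app.get("passwordCredentials", [])] + \
            [("certificate", c) for c in app.get("keyCredentials", [])]
    out = []
    for kind, cred in creds:
        name = cred.get("displayName") or cred["keyId"]
        start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
        if end <= now:
            out.append((app["displayName"], name,
                        f"{kind} expired {(now - end).days} days ago, remove it"))
            continue
        validity = (end - start).days
        if validity > max_validity_days:
            out.append((app["displayName"], name,
                        f"{kind} validity {validity} days exceeds {max_validity_days}"))
        if end - now <= timedelta(days=warn_days):
            out.append((app["displayName"], name,
                        f"{kind} expires in {(end - now).days} days, rotate now"))
        if kind == "secret" and has_federation:
            out.append((app["displayName"], name,
                        "secret is redundant: workload identity federation already configured"))
    return out


def audit_credentials(apps, **kwargs):
    return [f for app in apps for f in credential_findings(app, **kwargs)]


if __name__ == "__main__":
    for app, cred, message in audit_credentials(APPS):
        print(f"{app}/{cred}: {message}")
```

    The managed identity produces no findings by design, which is the practical argument for the managed-identity approach: there is nothing to audit. The ten-year certificate on the legacy app is the kind of credential that outlives the team that issued it.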

    Authentication 

    Scope: Enable secure access using Federation, Single Sign-On (SSO), and Multi-Factor Authentication (MFA) for robust and scalable identity authentication, including passwordless authentication options. 

    Options for Configuration:

    Azure Native Tools:
    • Microsoft Entra ID: Provides centralized identity and access management, including SSO, federation, and MFA enforcement.
    • Microsoft Entra ID Protection: Detects and responds to authentication-based risks and feeds risk levels into Conditional Access policies for high-risk sign-ins.
    • Microsoft Entra External ID (formerly Azure AD B2B and B2C): Enables secure external authentication for partners, customers, and suppliers.
    • Microsoft Entra multifactor authentication: Enforces MFA using various authentication factors, including OTPs, biometrics, and hardware tokens.
    • Conditional Access: Defines context-aware authentication policies, requiring MFA based on risk, location, or device posture.
    • Passwordless authentication: Enables passwordless sign-in using Windows Hello for Business, FIDO2 security keys, and the Microsoft Authenticator app.

    External Tools:
    • SSO and federation tools (e.g., Okta, Ping Identity): Provide centralized identity federation and SSO for seamless and secure authentication across Azure and other cloud applications.
    • MFA tools (e.g., Duo Security, YubiKey): Enforce MFA with push notifications, biometrics, hardware tokens, and passwordless options.
    • Passwordless authentication tools (e.g., Beyond Identity, Ping Identity, HYPR): Use cryptography, device-based trust, and biometrics to enable safe, password-free authentication.

    Monitoring, Detection, and Response Recommendations 

    Scope: Log storage, event and incident detection, and incident response for cloud security and governance. 

    Options for Configuration:

    Azure Native Tools:
    • Azure Monitor: Collects and analyzes logs, metrics, and events from Azure resources for proactive security monitoring.
    • Microsoft Sentinel: Provides SIEM and SOAR capabilities for real-time threat detection and automated response to security incidents; Entra ID sign-in and audit logs are ingested through the Microsoft Entra ID data connector.
    • Microsoft Defender for Cloud: Continuously assesses and strengthens Azure security posture, detecting misconfigurations and compliance risks.
    • Microsoft Defender for Identity: Monitors for identity-based threats, including credential compromise, lateral movement, and privilege escalation.
    • Azure Policy: Enforces security policies and governance controls across Azure resources to detect and prevent non-compliant configurations.

    External Tools:
    • NHI threat detection and response (NHITDR) tools (e.g., Entro, Astrix): Detect and respond to threats targeting NHIs by monitoring abnormal behavior, unauthorized interactions, and potential compromises.
    • ITDR tools (e.g., Microsoft Defender for Identity, CrowdStrike Falcon, SentinelOne): Monitor and respond to identity-related threats by detecting compromised credentials, unauthorized access, and privilege escalation.
    • IGA tools (e.g., SailPoint, Saviynt): Provide access review and certification evidence for investigations, and governance workflows for revoking entitlements identified during incident response.
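    Detection content is what turns the sign-in logs above into alerts. The following added example (not code from the article, from TechDemocracy, from Microsoft, or from any vendor listed) implements three detections over records constructed in the shape of the SigninLogs table: a password spray from one source address, a successful sign-in from that address afterwards, and a privileged account signing in without MFA because no Conditional Access policy applied. The privileged-account list, addresses, and timestamps are constructed; the KQL in the comment is the Sentinel equivalent of the first detection.

```python
"""Detection logic over sign-in records, as Microsoft Sentinel would run it over SigninLogs.

Added example; not code from the original article, from Microsoft or from any vendor
named above. The records are constructed in the shape of the SigninLogs table
(ResultType "0" is success, "50126" is an invalid username or password). In production
the privileged-account set would come from Entra ID role membership or PIM.

Sentinel equivalent of detect_password_spray (fixed 10-minute bins rather than a sliding window):
    SigninLogs
    | where ResultType == "50126"
    | summarize Targets = dcount(UserPrincipalName) by IPAddress, bin(TimeGenerated, 10m)
    | where Targets >= 4
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"ga.alice@bank.com"}   # constructed
SF, MF = "singleFactorAuthentication", "multiFactorAuthentication"


def _row(ts, upn, ip, result, auth, ca):
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "IPAddress": ip,
            "ResultType": result, "AuthenticationRequirement": auth,
            "ConditionalAccessStatus": ca}


SIGNIN_LOGS = [
    # one internet address tries four accounts in four minutes, then gets into one of them
    _row("2025-03-11T01:00:00Z", "john.doe@bank.com", "203.0.113.5", "50126", SF, "notApplied"),
    _row("2025-03-11T01:01:00Z", "jane.roe@bank.com", "203.0.113.5", "50126", SF, "notApplied"),
    _row("2025-03-11T01:02:00Z", "sam.lee@bank.com", "203.0.113.5", "50126", SF, "notApplied"),
    _row("2025-03-11T01:03:00Z", "pat.kim@bank.com", "203.0.113.5", "50126", SF, "notApplied"),
    _row("2025-03-11T01:06:00Z", "john.doe@bank.com", "203.0.113.5", "0", SF, "notApplied"),
    # a Global Administrator signs in with a password only and no policy applied
    _row("2025-03-11T08:00:00Z", "ga.alice@bank.com", "198.51.100.7", "0", SF, "notApplied"),
    # normal activity: MFA satisfied, Conditional Access applied, one mistyped password
    _row("2025-03-11T08:05:00Z", "ga.alice@bank.com", "10.20.0.4", "0", MF, "success"),
    _row("2025-03-11T08:55:00Z", "john.doe@bank.com", "10.20.0.9", "50126", SF, "notApplied"),
    _row("2025-03-11T09:00:00Z", "john.doe@bank.com", "10.20.0.9", "0", MF, "success"),
]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_password_spray(logs, window=timedelta(minutes=10), min_targets=4):
    """Source IPs whose credential failures hit at least `min_targets` distinct accounts
    within a sliding `window`. Returns (ip, distinct accounts) per offending IP."""
    failures = defaultdict(list)
    for r in logs:
        if r["ResultType"] == "50126":
            failures[r["IPAddress"]].append((_ts(r["TimeGenerated"]), r["UserPrincipalName"]))
    hits = []
    for ip, events in failures.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {upn for t, upn in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits.append((ip, len(targets)))
                break
    return hits


def detect_success_from_spray_source(logs, spray_hits):
    """Accounts a spraying IP subsequently signed into: the likely compromised accounts,
    which need a password reset and a revocation of refresh tokens."""
    spray_ips = {ip for ip, _ in spray_hits}
    return [(r["UserPrincipalName"], r["IPAddress"]) for r in logs
            if r["ResultType"] == "0" and r["IPAddress"] in spray_ips]


def detect_privileged_single_factor(logs, privileged=PRIVILEGED):
    """Successful sign-ins by privileged accounts that did not satisfy MFA.
    ConditionalAccessStatus 'notApplied' means no policy covered the sign-in at all,
    which is a policy gap to fix, not only a user to chase."""
    return [(r["UserPrincipalName"], r["IPAddress"], r["ConditionalAccessStatus"])
            for r in logs
            if r["ResultType"] == "0" and r["UserPrincipalName"] in privileged
            and r["AuthenticationRequirement"] != MF]


if __name__ == "__main__":
    spray = detect_password_spray(SIGNIN_LOGS)
    print("spray sources:", spray)
    print("compromised candidates:", detect_success_from_spray_source(SIGNIN_LOGS, spray))
    print("privileged without MFA:", detect_privileged_single_factor(SIGNIN_LOGS))
```

    The single mistyped password from the corporate network is not flagged, because the spray rule keys on distinct target accounts per source rather than on failure counts; a lockout-style rule on failures per account would be a separate detection.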

    Decision Making 

    How to Make the Right Decision

    Building a secure and efficient Azure security strategy for IAM requires a comprehensive approach that balances risk, compliance, security, tools, and processes. These decisions can be complex, but TechDemocracy’s Cloud Security Decision Framework—trusted by Fortune 100 companies—provides a proven methodology to help you make tailored, informed choices for your cloud security needs.

    Factors to Consider:

    1. Risk, Compliance, and Security Context

    • Risk Tolerance and Appetite:
      Understand your organization’s risk acceptance levels, ensuring the security strategy aligns with operational goals and acceptable risks.
    • Audit and Compliance Needs:
      To guarantee adherence to industry standards, evaluate the regulatory requirements for vulnerability management, change management, and monitoring.
      Determine any gaps in compliance and create a plan for improvement.
    • Risk Classification of Cloud-Deployed Applications:
      Categorize workloads based on sensitivity (e.g., critical, high-risk, low risk) to prioritize security investments and monitoring efforts.

    2. Landscape and Roadmap for Tools

    a. Current Landscape for Cloud Security and Detect & Respond:
    Evaluate deployed security tools (CWPP, CNAPP, CSPM) based on:

    • Maturity: How well tools are integrated and utilized.
    • Skillsets: Availability of expertise for management and optimization.
    • Ownership & Responsibilities: Clear governance and accountability.
    • Roadmap & Priorities: Plans for upgrades, expansion, or replacements.

    b. Current Detect and Response Tools:

    • Assess existing detection and response solutions (EDR, XDR, CDR) and SIEM tools for effectiveness and integration.
    • Identify gaps and opportunities to enhance detection with ITDR and NHITDR solutions.

    c. Identity Management (IDM) Landscape:

    Analyze deployments of IGA, PAM, NHI, and SSO/MFA tools for seamless integration and governance within the identity and access ecosystem.

    d. Complexity & Effort in Data Synchronization & Integrations:

    • Evaluate the effort required to integrate Azure IAM with external tools (IGA, CNAPP, CSPM, ITDR).
    • Identify automation opportunities to reduce manual overhead and improve efficiency.

    3. Processes, Budget, and Ownership

    DevOps Maturity:

    Evaluate the automation, scalability, and integration levels in DevOps processes to determine readiness for identity and security management solutions.

    Organizational Structure and Responsibilities:

    Clearly define ownership, budget allocation, and accountability for:

    • Cloud Infrastructure: Who manages infrastructure setup and operations?
    • Cloud Security: Who governs cloud security tools and processes?
    • Security in DevOps: Who ensures CI/CD pipeline security and secure workload deployment?
    • Cloud Security Tools Deployment: Who oversees selecting, deploying, and maintaining security tools (CNAPP, CSPM, CWPP, ITDR)?

    Conclusion

    Implementing Azure IAM effectively requires a strategic approach to managing policies, users, and non-human identities, while integrating with external tools to strengthen security and compliance. Decisions should consider organizational risk tolerance, DevOps maturity, and existing tool landscapes to ensure a seamless deployment.

    Why TechDemocracy?

    At TechDemocracy, we design and implement secure, scalable cloud architectures tailored to your unique environment. Using our Cloud Security Decision Framework, we:

    • Align risk, compliance, and security goals with operational needs.
    • Assess & optimize your tool landscape and roadmap.
    • Streamline integrations, improve governance, and enhance organizational processes.

    Contact TechDemocracy, a top IAM provider in the USA, today to refresh your cloud security architecture, develop a comprehensive strategy, and implement cutting-edge solutions for identity governance, cloud security, and threat detection.

    Let’s build a secure foundation for your cloud journey!
