Brian 2 - razmipatel/Random GitHub Wiki

Hi Team,

Expanding on the previous thread, I'm sharing this update with a wider group, including members of the Identity and Security teams, to ensure alignment across stakeholders working on PAM controls and the Azure Landing Zone.

Following our recent discussions, here are a few additional points related to Azure event monitoring, B2B/external access, and a clarification on threat actor risks:

  1. Azure Event Monitoring and Alerting

The current logging and event collection setup for the Azure Landing Zone is documented here: 🔗 Azure Security Logging Requirements – CISO – AIB IT WIKI

  2. B2B / External User Access Controls

The Azure Landing Zone is structured according to Microsoft's best practices for subscription separation and hierarchy: 🔗 Microsoft Azure Landing Zone Architecture – CAF 🔗 LLD - Azure Enterprise Landing Zone 2024 – Cloud Foundations – AIB IT WIKI

Key access control highlights:

MFA Enforcement: All users must perform Multi-Factor Authentication for Azure Portal access per Microsoft's mandatory MFA policy. 🔗 Microsoft Blog: Mandatory MFA

Device Compliance: Access requires authentication from an Intune-compliant device based on pre-agreed device compliance policies.

B2B Access Requirements:

Explicit invitation from a User Administrator or Global Administrator.

Membership in a specific RBAC group associated with the partner organization.

Failure to meet MFA, device compliance, or group membership requirements will result in blocked access.

RBAC Group Assignments:

Managed via Cloud-only groups.

Only users with User Administrator or Global Administrator roles can manage group membership.

Only users with Owner privileges can assign identities to roles at the subscription level.

Production Environment Access:

Segregated by subscription.

Access is restricted to AZZ privileged accounts (AIB Staff ID required via SAP onboarding).

Access is provisioned Just-In-Time using Entra PIM, and all PIM activity is logged and auditable.

CyberArk Vaulting:

AZZ accounts with Owner, User Administrator, or Global Administrator roles are managed in CyberArk. 🔗 PAM Controls – Azure Landing Zone – CISO WIKI

Additional Security Controls:

Role activations require MFA step-up and approval from another role member.

  3. Threat Actor Scenario – Credential Compromise

In response to the query on the potential elevation risk from a compromised B2B account:

If a B2B user's credentials are compromised:

The threat actor must still authenticate from a compliant device.

They will be subject to the B2B user's home tenant MFA.

They will only have access to pre-approved non-production workloads (if any), assuming prior PIM eligibility has been granted.

New group access cannot be requested externally; this must be initiated via Remedy by a verified AIB staff member.

In summary, elevation to sensitive or production workloads from a compromised B2B account is mitigated by multiple layers: device compliance, MFA, RBAC membership, PIM activation, and strict access governance processes.

Please let me know if you need any clarifications or further details ahead of our next session.

Best regards, Razmi
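The B2B control described in the message above (MFA plus an Intune-compliant device before a guest can reach the Azure management plane) is normally expressed as an Entra Conditional Access policy. The following is an added example, not code from the message or from the AIB wiki, showing how to create such a policy in report-only mode with the Microsoft Graph PowerShell SDK. The policy name, the choice of report-only state, and the target application ID (the Windows Azure Service Management API, which the Conditional Access portal lists as "Microsoft Azure Management") are assumptions; confirm the application ID and the guest scope in your own tenant before enabling it.

```powershell
# Added example, not from the original message: create a report-only Conditional Access
# policy that requires MFA AND an Intune-compliant device for B2B collaboration guests
# signing in to the Azure management plane (Azure portal, ARM, CLI).
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: policy name, report-only state, and the application ID below.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Windows Azure Service Management API ("Microsoft Azure Management" in the CA portal).
# Assumed here; verify with: Get-MgServicePrincipal -Filter "displayName eq 'Windows Azure Service Management API'"
$azureManagementAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'

$policy = @{
    displayName = 'CA-B2B-AzureMgmt-RequireMfaAndCompliantDevice'   # assumed name
    # Report-only first: review the "Report-only" tab in the sign-in logs, then set to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGuestsOrExternalUsers = @{
                # Scope to invited B2B guests from any partner tenant.
                guestOrExternalUserTypes = 'b2bCollaborationGuest'
                externalTenants          = @{
                    '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
                    membershipKind = 'all'
                }
            }
        }
        applications = @{
            includeApplications = @($azureManagementAppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # 'AND' means both controls must be satisfied; 'OR' would let a compliant device
        # substitute for MFA, which is not the layered check the message describes.
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

One caveat a practitioner will want to check: a compliant-device requirement on guests is only satisfiable if the partner tenant's device compliance claim is trusted. Without the corresponding inbound trust setting in cross-tenant access settings (trust MFA and compliant-device claims from the home tenant), guests are blocked outright, which is safe but may not match the intended "access from an Intune-compliant device" behaviour. Keep the policy in report-only mode until the sign-in log shows the expected outcome for a test guest account.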