# IAM (razmipatel/Random GitHub Wiki)

## IAM & Access Management – BAU/RUN Handover Checklist

| Checklist item | What to document / confirm |
|---|---|
| Tenant Access Control Document | Global Admins, privileged roles, PIM configuration, and conditional access policies. |
| Subscription Ownership & Roles | Define and document Owner/Contributor/Reader roles for each subscription, with PIM enforcement. |
| Azure RBAC Model | Document the RBAC structure across management groups, subscriptions, and resource groups, based on least privilege. |
| Azure RBAC Groups (AAD Groups) | List Entra ID groups mapped to specific RBAC roles; ensure dynamic membership rules and group ownership are defined. |
| Privileged Identity Management (PIM) Configuration | Include eligible role assignments, approval workflow, activation duration, justification requirements, and alerts. |
| Break Glass Accounts | Identify break glass accounts, MFA exclusions, conditional access exceptions, and monthly test results. |
| Service Principals Inventory | Document all service principals with purpose, assigned roles, credential expiry, and owner. |
| Credential Rotation for SPNs | Define the schedule and mechanism for rotating secrets/certificates; automate where possible. |
| Managed Identity Usage | List managed identities in use (system-assigned and user-assigned) with assigned permissions and role scope. |
| External Identities Management | Document guest user policies, review schedule, access expiration settings, and collaboration controls. |
| Identity Governance | Schedule access reviews, certification campaigns, and orphaned account clean-up. |
| Logging & Monitoring | Confirm sign-in, audit, and privilege escalation logs are sent to Sentinel/Log Analytics, with alerting in place. |
| Compliance with CIS / Benchmarks | Validate IAM configurations against CIS benchmarks, Secure Score, and internal policies. |
| Identity Incident Procedures | Provide a documented response and escalation process for identity-related incidents. |
| Group Membership Review Schedule | Define the cadence for RBAC group membership reviews and the evidence required to show review completion. |
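The Service Principals Inventory and Credential Rotation for SPNs items above need a repeatable check rather than a one-off spreadsheet. The script below is an added example (not part of the wiki page) that walks a constructed inventory and flags expired credentials, credentials inside a 30-day expiry window, credentials older than a 365-day rotation schedule, and service principals with no recorded owner; the credential field names are assumed to follow the Microsoft Graph passwordCredential/keyCredential shape (keyId, startDateTime, endDateTime), while "purpose" and "owner" are the checklist's own inventory columns.

```python
"""Checklist helper: flag service principal credentials that are expired, expiring
soon or older than the rotation schedule, plus SPs with no recorded owner."""
from datetime import datetime, timedelta, timezone
# Constructed sample inventory (not real tenant data). Credential fields follow the
# Microsoft Graph passwordCredential/keyCredential shape (keyId, startDateTime,
# endDateTime); "purpose" and "owner" are the checklist's own inventory columns.
INVENTORY = [
    {"displayName": "sp-build-agent", "purpose": "CI deployments",
     "owner": "platform-team@example.com", "credentials": [
         {"keyId": "k-101", "startDateTime": "2024-01-01T00:00:00Z",
          "endDateTime": "2025-12-31T00:00:00Z"}]},
    {"displayName": "sp-legacy-reporting", "purpose": "unknown", "owner": "",
     "credentials": [
         {"keyId": "k-201", "startDateTime": "2023-05-01T00:00:00Z",
          "endDateTime": "2025-05-01T00:00:00Z"}]},
    {"displayName": "sp-data-sync", "purpose": "nightly ETL",
     "owner": "data-eng@example.com", "credentials": [
         {"keyId": "k-301", "startDateTime": "2025-01-15T00:00:00Z",
          "endDateTime": "2025-06-20T00:00:00Z"},
         {"keyId": "k-302", "startDateTime": "2025-05-01T00:00:00Z",
          "endDateTime": "2027-05-01T00:00:00Z"}]},
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

def parse_ts(value: str) -> datetime:
    # Graph timestamps end in "Z"; fromisoformat() before 3.11 needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review(inventory, now=NOW, warn_days=30, max_age_days=365):
    """Return (sp, keyId, status, detail) tuples; status is one of
    no_owner | expired | expiring | overdue_rotation. Healthy credentials are omitted."""
    findings = []
    for sp in inventory:
        if not sp.get("owner"):
            findings.append((sp["displayName"], "-", "no_owner", "no accountable owner"))
        for cred in sp["credentials"]:
            start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
            if end <= now:
                status, detail = "expired", f"expired {(now - end).days}d ago"
            elif end - now <= timedelta(days=warn_days):
                status, detail = "expiring", f"expires in {(end - now).days}d"
            elif now - start > timedelta(days=max_age_days):
                status, detail = "overdue_rotation", f"issued {(now - start).days}d ago"
            else:
                continue  # within schedule and not near expiry
            findings.append((sp["displayName"], cred["keyId"], status, detail))
    return findings

for f in review(INVENTORY):
    print("%-17s %-20s %-6s %s" % (f[2], f[0], f[1], f[3]))
```

In a real handover the inventory would be exported from the tenant and the findings attached as evidence for the monthly review; the thresholds are the two knobs the rotation schedule has to agree on.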