IAM checklist - razmipatel/Random GitHub Wiki
## ✅ IAM Service Transition to BAU Checklist

- Tenant Access Control: Document Global Admins, PIM roles, Conditional Access policies.
- Subscription Ownership & Roles: Define Owner/Contributor/Reader roles with PIM enforcement.
- Azure RBAC Model: Document RBAC structure aligned to least privilege.
- Azure RBAC Groups: Define RBAC groups with dynamic membership rules and ownership.
- PIM Configuration: Document eligible roles, approval workflows, notifications.
- Break Glass Accounts: Document and test emergency access accounts with exemptions.
- Service Principals Inventory: Track SPNs with roles, expiry, and owners.
- Credential Rotation for SPNs: Document rotation policy and tooling for secrets/certs.
- Managed Identity Usage: List of managed identities and associated access roles.
- External Identities Management: Policy for guest access, reviews, lifecycle management.
- Identity Governance: Access reviews, re-certification, orphaned identity clean-up.
- App Registration Request Process: Workflow for app reg requests, approval, documentation.
- AAD Group Request Process: Approval and lifecycle management for Entra ID groups.
- RBAC Role Assignment Process: Approval flow and documentation for role assignments.
- SPN Lifecycle Request Process: Process to create, assign, and rotate service principals.
- Managed Identity Request Process: Defined process for requesting managed identities.
- IAM Incident Handling Procedures: Runbooks and escalation for identity-related incidents.
- IAM Alerts & Monitoring: Monitoring of sign-ins, privilege use, and anomalies.
- Runbook for Identity Incidents: Documented remediation actions and contact paths.
- Defined SLAs for IAM Services: SLA definitions for requests, roles, incidents.
- Availability & Maintenance Windows: Documented operating windows and maintenance plans.
- DR Plan for IAM Services: Recovery plan for identity outages or credential loss.
- DR Test Results: Annual tests of DR procedures for identity systems.
- App Reg & Group Backup: Backup approach for identity objects and config.
- IAM Logging: Audit and sign-in logs routed to SIEM with retention.
- IAM Compliance Checkpoints: Benchmarks against CIS/Secure Score/internal policy.
- Joiner-Mover-Leaver (JML): Documented onboarding, modification, and offboarding flows.
- Automated Provisioning/Deprovisioning: SCIM or Graph-based automation with monitoring.
- Account Expiration and Inactivity Policies: Logic for disabling stale accounts or guests.
- Role Review & Recertification: Scheduled reviews of PIM and Entra ID roles.
- Approval Chains for Privileged Access: Delegation paths for approving privileged access.
- Secrets and Certificate Expiry Monitoring: Dashboard or alerts for expiring credentials.
- Key Vault Access Management: Controlled access to secrets and logging practices.
- Custom Admin Roles and Scoping: Documentation and review of custom Entra roles.
- Administrative Unit (AU) Delegation: If used, document AU structure and delegation scopes.
- SSO & Federation Integration: Document federated app configurations and token settings.
- Legacy IdP Offboarding: Migration plan from AD FS or third-party IdPs.
- Conditional Access Policies: Version-controlled CA policies with rollback procedures.
- Terms of Use, MFA, Compliance Policies: Documentation and user communication plans.
- Identity Threat Detection: Integrate with Defender, Sentinel, or third-party SIEMs.
- Automated Remediation Playbooks: Logic Apps or Sentinel Playbooks for identity risks.
- Access Logs and Audit Trails: Export, archive, and retention policies.
- KPI/Scorecard Dashboards: Dashboards for expired secrets, inactive accounts, and reviews.
- Ops Runbooks: Procedures for PIM elevation, MFA resets, sign-in troubleshooting.
- Onboarding Materials: How-to guides, architecture diagrams, and BAU knowledge packs.
- Service Catalogue Entry: Identity-related services (e.g., App Reg, RBAC) with SLAs.
- CI/CD for Identity Infrastructure: Document Terraform/Bicep pipelines for RBAC, SPNs, etc.
- Change Control for Identity: Release process for policy or configuration changes.
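The Service Principals Inventory and Secrets and Certificate Expiry Monitoring items above both come down to the same check: walk the app registrations, compare each secret and certificate's expiry against a warning window, and flag apps that hold credentials but have no owner to rotate them. The following is an added example, not code from this wiki; it runs over constructed records shaped like Microsoft Graph `applications` objects (`passwordCredentials`, `keyCredentials`, `endDateTime`) rather than a live tenant, and the `owners` list is simplified to UPN strings.

```python
"""Expiring-credential check over Entra ID app registrations (constructed example).
Records mirror Microsoft Graph `applications` objects: passwordCredentials (client
secrets) and keyCredentials (certificates), each with an ISO 8601 endDateTime."""
from datetime import datetime

# Constructed sample data; appIds and owners are placeholders, not real values.
# Owners are flattened to UPN strings here; Graph's /owners returns directoryObjects.
SAMPLE_APPS = [
    {"displayName": "payments-api", "appId": "placeholder-app-1",
     "owners": ["alice@example.test"], "keyCredentials": [],
     "passwordCredentials": [{"displayName": "prod-secret",
                              "endDateTime": "2025-02-10T00:00:00Z"}]},
    {"displayName": "reporting-job", "appId": "placeholder-app-2",
     "owners": [],  # orphaned: nobody is accountable for rotating these
     "passwordCredentials": [{"displayName": "legacy",
                              "endDateTime": "2024-12-01T00:00:00Z"}],
     "keyCredentials": [{"displayName": "signing-cert",
                         "endDateTime": "2026-01-01T00:00:00Z"}]},
    {"displayName": "no-creds", "appId": "placeholder-app-3",
     "owners": ["bob@example.test"], "passwordCredentials": [], "keyCredentials": []},
]

def parse_graph_time(value: str) -> datetime:
    """Graph emits a trailing 'Z'; fromisoformat() before 3.11 needs '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def credential_findings(apps, now, warn_days=30):
    """One finding per expired or soon-expiring credential, plus one per app that
    holds credentials but has no owner (nobody to approve or perform rotation)."""
    findings = []
    for app in apps:
        creds = ([("secret", c) for c in app.get("passwordCredentials", [])]
                 + [("certificate", c) for c in app.get("keyCredentials", [])])
        if creds and not app.get("owners"):
            findings.append({"app": app["displayName"], "kind": "ownership",
                             "name": None, "status": "no-owner", "days": None})
        for kind, cred in creds:
            days = (parse_graph_time(cred["endDateTime"]) - now).days
            status = "expired" if days < 0 else "expiring" if days <= warn_days else None
            if status:  # credentials comfortably inside the window are not reported
                findings.append({"app": app["displayName"], "kind": kind,
                                 "name": cred.get("displayName"),
                                 "status": status, "days": days})
    return findings

def run_sample(now_iso="2025-01-20T00:00:00Z"):
    """Evaluate the sample at a fixed 'now' so the result is reproducible."""
    return credential_findings(SAMPLE_APPS, parse_graph_time(now_iso))
```

Feeding the same function the output of a real `GET /applications?$select=displayName,appId,passwordCredentials,keyCredentials` call (with owners expanded separately) gives the data behind the expiry dashboard or alert the checklist asks for.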