
# Azure Landing Zone: Security

## Overview

Security is a foundational pillar of any Azure Landing Zone. It covers identity management, access control, policy enforcement, and monitoring. Implementing robust security from day one ensures long-term compliance, resilience, and trust.



## 🔐 Identity and Access Management

### 🔹 Microsoft Entra ID (formerly Azure Active Directory)
- Central identity provider for Azure services and applications; every ARM call and every RBAC decision is authorised against it.
- Manages users, groups, service principals, managed identities, and enterprise applications.

### 🔹 Role-Based Access Control (RBAC)
- Grants fine-grained permissions to users, groups, and workload identities (service principals, managed identities).
- Supports assignment at multiple scopes: Management Group, Subscription, Resource Group, and individual Resources. Assignments inherit downward, so a role granted at a Management Group applies to every subscription and resource beneath it; assign at the narrowest scope that does the job.



```bash
# Assign 'Contributor' at the resource group scope.
# --assignee accepts a UPN, object ID or application ID; prefer a group so that
# membership changes over time rather than the role assignments themselves.
az role assignment create \
  --assignee user@example.com \
  --role Contributor \
  --resource-group rg-demo

# Verify what is granted at that scope
az role assignment list --resource-group rg-demo --output table
```



### 🔹 Least Privilege Principle
- Only grant users the minimum level of access necessary to perform their job.
- Regularly audit and remove unnecessary permissions.
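The audit the bullets above call for can be scripted against the role assignments the CLI already returns. The following is an added example, not code from the original page or from Microsoft: it reads the field names used by `az role assignment list --all -o json` (`principalName`, `principalType`, `roleDefinitionName`, `scope`), classifies each scope string into one of the four RBAC scope levels, and flags broad roles at broad scopes and broad roles assigned directly to users rather than groups. The assignment records are constructed for the example.

```python
"""Least-privilege audit of Azure role assignments (added example, constructed data)."""
import json
import re

# Constructed sample in the shape of `az role assignment list --all -o json`.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "sg-platform-admins", "principalType": "Group",
   "roleDefinitionName": "Contributor",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-landingzones"},
  {"principalName": "bob@example.com", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-demo"},
  {"principalName": "sp-ci-deploy", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-demo"},
  {"principalName": "carol@example.com", "principalType": "User",
   "roleDefinitionName": "Storage Blob Data Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo001"}
]
""")

# Roles that grant write or permission-management rights over everything in scope.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"managementGroup", "subscription"}


def scope_level(scope: str) -> str:
    """Classify an ARM scope string into managementGroup / subscription / resourceGroup / resource."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    if re.fullmatch(r"/subscriptions/[^/]+", scope):
        return "subscription"
    if re.fullmatch(r"/subscriptions/[^/]+/resourceGroups/[^/]+", scope, re.IGNORECASE):
        return "resourceGroup"
    return "resource"


def audit(assignments) -> list:
    """Return one finding per least-privilege violation: {'principal', 'role', 'scope', 'reason'}."""
    findings = []
    for a in assignments:
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        finding = {"principal": a["principalName"], "role": role, "scope": a["scope"]}
        # Broad role inherited by every resource under a subscription or management group
        if role in BROAD_ROLES and level in BROAD_SCOPES:
            findings.append({**finding, "reason": f"{role} at {level} scope"})
        # Direct user assignment of a broad role: membership should be managed through a group
        if role in BROAD_ROLES and a["principalType"] == "User":
            findings.append({**finding, "reason": f"{role} assigned directly to a user"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ASSIGNMENTS):
        print(f"{f['principal']:25} {f['reason']:40} {f['scope']}")
```

Feed it the real CLI output with `json.load(open("assignments.json"))` in place of the constructed sample; the `Reader` and resource-scoped data-plane assignments pass, while the subscription-wide Owner and the management-group Contributor are the ones to review.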



## 🔒 Authentication Enhancements

### 🔸 Multi-Factor Authentication (MFA)
- Adds a second factor to identity verification. Prefer phishing-resistant methods (FIDO2 security keys, Windows Hello for Business, Authenticator with number matching); SMS and voice codes are phishable and vulnerable to SIM swapping, so treat them as a last resort.
- Required for all users, enforced through Conditional Access rather than per-user settings, and non-negotiable for privileged roles.

### 🔸 Single Sign-On (SSO)
- Enables users to log in once and access multiple applications.
- Reduces the number of credentials users need to remember.

### 🔸 Federation
- Connects Microsoft Entra ID to on-premises Active Directory (through AD FS or Microsoft Entra Connect) or to third-party identity providers such as Okta.
- Supports hybrid identity scenarios; the federated provider's security (MFA, token signing keys) then becomes part of your Azure trust boundary.



## 📜 Governance and Policy Enforcement

### 🔹 Azure Policy
- Defines and enforces resource compliance rules with effects such as `audit`, `deny`, `modify`, and `deployIfNotExists`.
- Helps maintain standards like allowed locations, required tags, or VM SKUs. A definition enforces nothing until it is assigned at a scope, and compliance is evaluated on create/update and on a periodic scan.



```bash
# Example: create a policy definition that requires the 'Environment' tag.
# Mode Indexed evaluates only resource types that support tags and location,
# so types without a tags property are not wrongly denied.
az policy definition create \
  --name require-environment-tag \
  --display-name "Require Environment Tag" \
  --description "Ensures resources have an Environment tag" \
  --rules policy-rule.json \
  --params policy-params.json \
  --mode Indexed

# A definition enforces nothing until it is assigned at a scope
az policy assignment create \
  --name require-environment-tag \
  --policy require-environment-tag \
  --resource-group rg-demo
```
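The command references `policy-rule.json` and `policy-params.json` without showing them. The following is an added example, not code from the original page or from Microsoft: `POLICY_RULE` follows the shape of the built-in "Require a tag on resources" definition, `POLICY_PARAMS` parameterises the tag name, `write_policy_files` emits both files for the CLI, and a toy `evaluate` function shows which of a few constructed resources the `deny` effect would block, including the difference between `Indexed` and `All` mode for a resource type that has no tags property. The evaluator and the untaggable-type list are illustrative, not Azure's engine.

```python
"""Azure Policy 'require tag' rule files plus a toy evaluator (added example, constructed data)."""
import json
from pathlib import Path

# policy-rule.json: deny any resource on which the parameterised tag does not exist.
POLICY_RULE = {
    "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false",
    },
    "then": {"effect": "deny"},
}

# policy-params.json: the tag name is a parameter so one definition serves many tags.
POLICY_PARAMS = {
    "tagName": {
        "type": "String",
        "metadata": {"displayName": "Tag Name", "description": "Tag that must be present"},
        "defaultValue": "Environment",
    }
}


def write_policy_files(directory: str) -> list:
    """Write policy-rule.json and policy-params.json into `directory`; return the paths."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, body in (("policy-rule.json", POLICY_RULE), ("policy-params.json", POLICY_PARAMS)):
        path = out / name
        path.write_text(json.dumps(body, indent=2))
        paths.append(str(path))
    return paths


# Resource types with no 'tags' property (illustrative, not exhaustive). Indexed mode
# skips them; All mode evaluates them, and a tag rule would then deny them.
UNTAGGABLE_TYPES = {
    "Microsoft.Network/networkSecurityGroups/securityRules",
    "Microsoft.Authorization/roleAssignments",
}

# Constructed sample resources as an evaluator would see them.
SAMPLE_RESOURCES = [
    {"name": "vm-web01", "type": "Microsoft.Compute/virtualMachines", "tags": {"Environment": "prod"}},
    {"name": "vm-web02", "type": "Microsoft.Compute/virtualMachines", "tags": {"Owner": "team-a"}},
    {"name": "stlogs001", "type": "Microsoft.Storage/storageAccounts", "tags": {}},
    {"name": "nsg-web/allow-https", "type": "Microsoft.Network/networkSecurityGroups/securityRules", "tags": None},
]


def evaluate(resources, tag_name: str = "Environment", mode: str = "Indexed") -> list:
    """Toy evaluation of POLICY_RULE: names of resources the 'deny' effect would block."""
    denied = []
    for r in resources:
        if mode == "Indexed" and r["type"] in UNTAGGABLE_TYPES:
            continue  # Indexed mode only evaluates types that support tags and location
        # Azure tag names are case-insensitive, so compare them that way
        present = {k.lower() for k in (r.get("tags") or {})}
        if tag_name.lower() not in present:  # 'exists: false' is true -> deny
            denied.append(r["name"])
    return denied


if __name__ == "__main__":
    print(write_policy_files("policy"))
    print("Indexed:", evaluate(SAMPLE_RESOURCES, mode="Indexed"))
    print("All:    ", evaluate(SAMPLE_RESOURCES, mode="All"))
```

Run it once to produce the two files in `./policy`, then point `--rules` and `--params` at them. The `All`-mode run shows why the mode matters: the NSG rule, which cannot carry a tag at all, would be denied along with the genuinely non-compliant VM and storage account.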



### 🔹 Azure Blueprints
- Combine policies, role assignments, and resource templates into one deployable artifact.
- Deploy compliant environments faster and consistently. Note that Microsoft has announced the deprecation of Azure Blueprints (July 2026); new landing zones should use Template Specs and Deployment Stacks with policy assignments instead.



## 🧪 Security Monitoring and Threat Protection

### 🔸 Microsoft Defender for Cloud
- Posture management (secure score, misconfiguration recommendations) plus workload protection plans (for example Defender for Servers, Storage, Key Vault) that detect vulnerabilities and active threats across services.

### 🔸 Microsoft Sentinel (formerly Azure Sentinel)
- A cloud-native SIEM/SOAR for detecting, investigating, and responding to security incidents.
- Uses KQL for querying logs in the underlying Log Analytics workspace. Tables such as `SigninLogs` only exist once the Microsoft Entra ID data connector (diagnostic settings) is sending them to the workspace.



```kusto
// Failed sign-ins per user in the last 24 hours.
// ResultType is a string column; "0" means success, anything else is a failure code.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"
| summarize FailedAttempts = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where FailedAttempts >= 5
| order by FailedAttempts desc
```
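A per-user failure count catches brute force against one account but not a password spray, where one source tries a single password against many accounts and each user only fails once. The following is an added example, not code from the original page or from Microsoft: it runs both detections over constructed records carrying the `SigninLogs` columns the query uses (`TimeGenerated`, `UserPrincipalName`, `ResultType`, `IPAddress`) and additionally reports any account that then signed in successfully from a spraying source, which is the result worth paging someone for. The sign-in events and the thresholds are made up for the example.

```python
"""Failed-sign-in and password-spray detection over SigninLogs-shaped rows (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SigninLogs rows: (TimeGenerated, UserPrincipalName, ResultType, IPAddress).
# ResultType "0" is success; "50126" is invalid username or password.
SAMPLE_SIGNINS = [
    ("2024-05-01T08:00:05", "alice@example.com", "50126", "203.0.113.10"),  # typo, then success
    ("2024-05-01T08:00:20", "alice@example.com", "0",     "203.0.113.10"),
    ("2024-05-01T08:03:00", "bob@example.com",   "50126", "203.0.113.11"),
    ("2024-05-01T08:03:30", "bob@example.com",   "50126", "203.0.113.11"),
    ("2024-05-01T08:04:00", "bob@example.com",   "0",     "203.0.113.11"),
    # One source, many accounts, seconds apart: password spray
    ("2024-05-01T09:10:00", "alice@example.com", "50126", "198.51.100.7"),
    ("2024-05-01T09:10:02", "bob@example.com",   "50126", "198.51.100.7"),
    ("2024-05-01T09:10:04", "carol@example.com", "50126", "198.51.100.7"),
    ("2024-05-01T09:10:06", "dave@example.com",  "50126", "198.51.100.7"),
    ("2024-05-01T09:10:08", "erin@example.com",  "0",     "198.51.100.7"),  # the spray lands
]


def is_failure(result_type: str) -> bool:
    """SigninLogs.ResultType is a string; "0" is success, every other code is a failure."""
    return result_type != "0"


def failed_by_user(rows) -> dict:
    """Equivalent of `where ResultType != "0" | summarize count() by UserPrincipalName`."""
    counts = defaultdict(int)
    for _, upn, result, _ in rows:
        if is_failure(result):
            counts[upn] += 1
    return dict(counts)


def spray_sources(rows, window=timedelta(minutes=10), min_users=3) -> dict:
    """IPs whose failures hit at least `min_users` distinct accounts within `window`."""
    failures_by_ip = defaultdict(list)
    for ts, upn, result, ip in rows:
        if is_failure(result):
            failures_by_ip[ip].append((datetime.fromisoformat(ts), upn))
    flagged = {}
    for ip, events in failures_by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window anchored on each failure
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_from_spray_sources(rows, **kwargs) -> list:
    """Accounts that signed in successfully from a source already flagged as spraying."""
    sources = spray_sources(rows, **kwargs)
    return sorted({upn for _, upn, result, ip in rows if ip in sources and not is_failure(result)})


if __name__ == "__main__":
    print("failures per user:", failed_by_user(SAMPLE_SIGNINS))
    print("spray sources:", spray_sources(SAMPLE_SIGNINS))
    print("likely compromised:", successes_from_spray_sources(SAMPLE_SIGNINS))
```

Note what the per-user count alone would say: `bob` is the noisiest user, yet the spray touched every account only once. The source-centric view is what exposes `198.51.100.7`, and the success from that IP for `erin` is the one event that turns a detection into an incident.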



## ✅ Best Practices

| Best Practice              | Description                                                                                   |
|----------------------------|-----------------------------------------------------------------------------------------------|
| 🔑 Enable MFA              | Require phishing-resistant MFA for all users through Conditional Access                       |
| 👤 Use RBAC                | Assign roles to groups at the narrowest workable scope; reserve Owner for break-glass accounts |
| 📄 Apply Azure Policies    | Enforce resource standards automatically and assign definitions at management-group scope     |
| 🔍 Monitor and audit       | Use Defender for Cloud and Microsoft Sentinel for visibility and detection                    |
| 🧾 Least privilege         | Continuously review and minimize access rights, including service principals                  |



## ✅ Summary

> Security in Azure is not a one-time setup. It is a continuous practice involving identity protection, policy enforcement, threat monitoring, and access control—all working together to protect your cloud environment.
