Monitor identity and access in Azure Security Center (Preview)

This article helps you use Azure Security Center to monitor users' identity and access activity.

Note

Monitoring identity and access is in preview and available only on the Standard tier of Security Center. See Pricing to learn more about Security Center's pricing tiers.

Identity should be the control plane for your enterprise, and protecting your identity should be your top priority. The security perimeter has evolved from a network perimeter to an identity perimeter. Security becomes less about defending your network and more about defending your data, as well as managing the security of your apps and users. Nowadays, with more data and more apps moving to the cloud, identity becomes the new perimeter.

By monitoring identity activities, you can take proactive actions before an incident takes place or reactive actions to stop an attack attempt. The Identity & Access dashboard provides you with recommendations such as:

  • Enable MFA for privileged accounts on your subscription
  • Remove external accounts with write permissions from your subscription
  • Remove privileged external accounts from your subscription

Note

If your subscription has more than 600 accounts, Security Center is unable to run the Identity recommendations against your subscription. Recommendations that are not run are listed under “unavailable assessments”, which is discussed below. Security Center is also unable to run the Identity recommendations against a Cloud Solution Provider (CSP) partner's admin agents.

See Recommendations for a list of the Identity and Access recommendations provided by Security Center.

Monitoring security health

You can monitor the security state of your resources on the Security Center – Overview dashboard. The Resources section is a health indicator showing the severities for each resource type.

You can view a list of all issues by selecting Recommendations. Under Resources, you can view a list of issues specific to compute & apps, data security, networking, or identity & access. For more information about how to apply recommendations, see Implementing security recommendations in Azure Security Center.

For a complete list of Identity and Access recommendations, see recommendations.

To continue, select Identity & access under Resources or the Security Center main menu.

Security Center dashboard

Monitor identity and access

Under Identity & Access, there are two tabs:

  • Overview: recommendations identified by Security Center.
  • Subscriptions: list of your subscriptions and current security state of each.

Identity & Access

Overview section

Under Overview, there is a list of recommendations. The first column lists the recommendation. The second column shows the total number of subscriptions that are affected by that recommendation. The third column shows the severity of the issue.

  1. Select a recommendation. The recommendation’s window opens and displays:

    • Description of the recommendation
    • List of unhealthy and healthy subscriptions
    • List of resources that are unscanned, either because the assessment failed or because the resource is under a subscription running on the Free tier and is not assessed

    Recommendation's window

  2. Select a subscription in the list for additional detail.

Subscriptions section

Under Subscriptions, there is a list of subscriptions. The first column lists the subscriptions. The second column shows the total number of recommendations for each subscription. The third column shows the severities of the issues.

Subscription's tab

  1. Select a subscription. A summary view opens with three tabs:

    • Recommendations: based on assessments performed by Security Center that failed.
    • Passed assessments: list of assessments performed by Security Center that passed.
    • Unavailable assessments: list of assessments that failed to run due to an error or because the subscription has more than 600 accounts.

    Under Recommendations is a list of the recommendations for the selected subscription and severity of each recommendation.

    Recommendations for select subscription

  2. Select a recommendation for a description of the recommendation, a list of unhealthy and healthy subscriptions, and a list of unscanned resources.

    Description of recommendation

    Under Passed assessments is a list of passed assessments. Severity of these assessments is always green.

    Passed assessments

  3. Select a passed assessment from the list for a description of the assessment and a list of healthy subscriptions. There is a tab for unhealthy subscriptions that lists all the subscriptions that failed.

    Passed assessments

Recommendations

Use the table below as a reference to help you understand the available Identity & Access recommendations and what each one does if you apply it.

| Resource type | Secure score | Recommendation | Description |
|---|---|---|---|
| Subscription | 50 | Enable MFA for Azure Management App accounts with owner permissions on your subscription | Enable Multi-Factor Authentication (MFA) for all subscription accounts with administrator privileges to prevent a breach of accounts or resources. |
| Subscription | 50 | Enable security center on your subscriptions | Enable Security center on all your subscriptions for advanced threat detection, JIT, application whitelisting and advanced recommendations. |
| Subscription | 50 | Enable security center standard tier on your subscriptions | Enable Security center Standard Tier on all your subscriptions for advanced threat detection, JIT, application whitelisting and advanced recommendations. |
| Subscription | 40 | Enable MFA for Azure Management App accounts with write permissions on your subscription | Enable Multi-Factor Authentication (MFA) for all subscription accounts with write privileges to prevent a breach of accounts or resources. |
| Subscription | 30 | Remove external accounts with owner permissions from your subscription | Remove external accounts with owner permissions from your subscription in order to prevent unmonitored access. |
| Subscription | 30 | Enable MFA for Azure Management App accounts with read permissions on your subscription | Enable Multi-Factor Authentication (MFA) for all subscription accounts with read privileges to prevent a breach of accounts or resources. |
| Subscription | 25 | Remove external accounts with write permissions from your subscription | Remove external accounts with write permissions from your subscription in order to prevent unmonitored access. |
| Subscription | 20 | Remove deprecated accounts with owner permissions from your subscription | Remove deprecated accounts with owner permissions from your subscriptions. |
| Subscription | 5 | Remove deprecated accounts from your subscription | Remove deprecated accounts from your subscriptions to enable access to only current users. |
| Subscription | 5 | Designate more than one owner on your subscription | Designate more than one subscription owner in order to have administrator access redundancy. |
| Subscription | 5 | Designate up to 3 owners on your subscription | Designate less than 3 subscription owners in order to reduce the potential for breach by a compromised owner. |
| Key vault | 5 | Enable diagnostic logs in Key Vault | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. |
| Subscription | 15 | Remove external accounts with read permissions from your subscription | Remove external accounts with read privileges from your subscription in order to prevent unmonitored access. |
| Subscription | 1 | Provide security contact details | Provide security contact information for each of your subscriptions. Contact information is an email address and phone number. The information is used to contact you if our security team finds that your resources are compromised. |

Note

If you created a conditional access policy that necessitates MFA but has exclusions set, the Security Center MFA recommendation assessment considers the policy non-compliant, because it enables some users to sign in to Azure without MFA.
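The owner-count and external-account recommendations in the table can be spot-checked offline against an exported role assignment list. The following is an added example, not Security Center's own assessment logic or code from this article. It assumes input in the shape of `az role assignment list --all -o json`, that guest accounts are recognizable by `#EXT#` in the user principal name, that the built-in Owner, Contributor and Reader roles map to the owner, write and read levels, and that "accounts" means distinct user principals; the sample data is constructed.

```python
import json

# Constructed sample shaped like `az role assignment list --all -o json`
# (only the fields used here); all names are made up.
SAMPLE = json.loads("""[
 {"principalName": "alice@contoso.com", "principalType": "User",
  "roleDefinitionName": "Owner"},
 {"principalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com",
  "principalType": "User", "roleDefinitionName": "Contributor"},
 {"principalName": "carol_fabrikam.com#EXT#@contoso.onmicrosoft.com",
  "principalType": "User", "roleDefinitionName": "Reader"},
 {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor"}
]""")

# Assumption: built-in role name -> permission level named in the table.
# Custom roles are not classified and are skipped.
LEVEL = {"Owner": "owner", "Contributor": "write", "Reader": "read"}
ACCOUNT_LIMIT = 600  # above this, the article says assessments are unavailable


def is_external(upn):
    # Guest (B2B) users carry "#EXT#" in their user principal name.
    return "#EXT#" in upn.upper()


def review(assignments):
    """Return the table's recommendations that apply to these assignments."""
    users = [a for a in assignments if a.get("principalType") == "User"]
    accounts = {a["principalName"].lower() for a in users}
    if len(accounts) > ACCOUNT_LIMIT:
        return {"unavailable": True, "findings": []}
    owners = {a["principalName"].lower() for a in users
              if a["roleDefinitionName"] == "Owner"}
    findings = []
    if len(owners) < 2:
        findings.append("Designate more than one owner on your subscription")
    if len(owners) > 3:
        findings.append("Designate up to 3 owners on your subscription")
    for a in users:
        level = LEVEL.get(a["roleDefinitionName"])
        if level and is_external(a["principalName"]):
            findings.append(f"Remove external accounts with {level} permissions "
                            f"from your subscription: {a['principalName']}")
    return {"unavailable": False, "findings": findings}
```
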

Next steps

To learn more about recommendations that apply to other Azure resource types, see the following:

To learn more about Security Center, see the following: