Authentication & Authorisation

Let Pre-authenticated user to access application via Entra ID

  1. Entra ID Enterprise Application.
    1. This would be most suitable solution to meet the requirement of pre-authenticating users using their Entra ID accounts.
    2. It allows for seamless integration with Entra ID accounts and ensures that users are authenticated before accessing the application.
  2. Other wrong options
    1. Azure Traffic Manager. This is a DNS-based traffic load balancer that directs user traffic to specific endpoints based on routing rules.
    2. Azure Load Balancer. This is a Layer 4 (TCP, UDP) load balancer that distributes incoming network traffic across multiple servers.
    3. Azure Application Gateway. This is a web traffic load balancer that provides various application delivery controller functionalities.

Privileged Identity Management (PIM)

  1. Azure AD Privileged Identity Management (PIM) is a service in Entra ID that enables you to manage, control, and monitor access to important resources in your organisation.
    1. It enables the management and monitoring of privileged access within the department.
    2. It allows for implementing strict access controls and ensuring least privilege principles.
  2. Privileged Identity Management (PIM) can provide time-based and approval-based role activation, with following key features:
    1. Provide just-in-time privileged access to Microsoft Entra ID and Azure resources.
    2. Assign time-bound access to resources using start and end dates.
    3. Require approval to activate privileged roles.
    4. Enforce multifactor authentications to activate any role
    5. Use justification to understand why users activate.
    6. Get notification when privileged roles are activated.
    7. Conduct access reviews to ensure users still need roles.
    8. Download audit history for internal or external audit
    9. Prevents removal of the last active Global Administrator role and Privileged Role Administrator role assignments.
  3. PIM is not a solution for setting up the hierarchical structure of management groups, subscriptions, and resource groups.

Enable Principle of Least Possible Privilege, Just-in-Time access, and periodic review access

  1. Privileged Identity Management (PIM).
    1. It helps enforce the principle of least privilege by providing just-in-time access to Azure AD roles.
    2. It allows users to request elevated access when needed and ensure that high-level permissions are only granted for a limited time.
  2. Access Reviews.
    1. It is essential for periodically reviewing and validating high-level access permissions granted to roles.
    2. By conducting regular access reviews, organisations can ensure that the least possible access and just-in-time access principles are always followed.

Monitoring and Alerting

Receive alerts based on conditions met in the application

  1. Azure Monitor.
    1. This is the best fit for ensuring that IT administrators receive alerts based on critical conditions met in the application.
    2. It provides a comprehensive solution for collecting, analysing, and acting on telemetry data from applications and infrastructure.
    3. With Azure Monitor, administrators can set up alerts based on specific metrics, logs, and events to proactively respond to critical conditions.
  2. Other wrong options
    1. Application Insights. This is used for monitoring and analysing the performance and usage of applications.
    2. Azure Advisor. This provides recommendations for optimising Azure resources based on best practices.
    3. Azure Policies. This is used to enforce rules and regulations on Azure resources to ensure compliance with organisational standards and security requirements.

Logging

Correlate Azure Resources Usage and Performance data

  1. Azure Log Analytics.
    1. This collects and analyses data from various sources, including Azure resources and applications.
    2. It can be used to correlate Azure resource usage and performance data with the actual application configuration and performance data.

Miscellaneous

Azure Bicep

  1. Bicep is a domain-specific language for deploying Azure resources declaratively.
  2. It allows you to define and deploy all the required components, including management groups, subscriptions, and resource groups, in a structured and repeatable way.