There are some simple steps you can do to add a little extra security to your Azure Subscriptions to protect against accidental or malicious behaviour from impacting your cloud services.
In this series I'll go over some basic control measures that be used to help reduce your attack surface and hopefully make things just a little bit more secure!
Prevent Subscriptions leaving or entering Azure AD
Log in to your Azure Portal with a Global Admin account and go to Subscriptions, then click "Manage Policies".
By default, anyone who's a subscription owner can change the directory to another tenant or add a subscription to the existing tenant. Whilst adding a new subscription is often acceptable, there could be situations where malicious behaviour could move your subscription outside the organisation to their own tenant. At which point you're in trouble!
Change both options to "Permit no one" and then choose the accounts that are exempt from these policies. Ideally they should be Global Admins who also have owner role at the subscription level.
Note: Non Global Admins can still navigate to this page, but only have read only access.
Further information on this feature is available from Microsoft here:
Comments