View a markdown version of this page

MSFTSEC02-BP01 Align your Microsoft workload access with organizational identity strategy - Microsoft Workloads Lens - AWS Well-Architected Framework
Implementation guidanceResources

MSFTSEC02-BP01 Align your Microsoft workload access with organizational identity strategy

Microsoft workloads, including .NET applications and SQL Server environments, typically integrate with Active Directory (AD) or similar identity management systems. A centralized approach to user management, regardless of the specific solution, can significantly reduce security risks and operational complexity. This comprehensive approach enhances security, streamlines user access, and provides a consistent identity management experience across your Microsoft workloads in the cloud.

Desired outcome: Establish a unified identity management strategy that integrates Microsoft workloads with organizational identity systems, providing centralized authentication, authorization, and user lifecycle management while maintaining security and operational efficiency across cloud and on-premises environments.

Common anti-patterns:

  • Creating isolated identity silos for different Microsoft workloads without integration with centralized identity systems, leading to inconsistent access controls and increased administrative overhead.

  • Implementing local user accounts on individual systems instead of using centralized identity management, making it difficult to maintain consistent security policies and user lifecycle management.

  • Failing to implement multi-factor authentication (MFA) and single sign-on (SSO) capabilities, resulting in weaker security posture and poor user experience across Microsoft applications.

Benefits of establishing this best practice:

  • Enhanced security through centralized identity management that enables consistent policy enforcement, better access control, and improved visibility into user activities across your Microsoft workloads.

  • Reduced operational complexity through unified user lifecycle management, automated provisioning and deprovisioning, and streamlined access request and approval processes.

  • Improved user experience through single sign-on capabilities that reduce password fatigue while maintaining strong authentication requirements including multi-factor authentication.

Level of risk exposed if this best practice is not established: Medium

Implementation guidance

When designing your identity strategy for Microsoft environments in AWS, consider using AWS services and compatible third-party tools to implement centralized user management, single sign-on (SSO) capabilities, and multi-factor authentication (MFA). Aligning Microsoft workload access with organizational identity strategy requires careful planning and integration between AWS services, Microsoft identity technologies, and existing organizational systems. Focus on establishing trust relationships, implementing proper authentication mechanisms, and providing a simple-to-use user experience while maintaining security controls.

Note: While local service accounts or isolated identity management may be necessary in specific technical scenarios, these approaches should be considered a last resort when centralized identity integration is not feasible. Local accounts increase security risks, administrative overhead, and compliance challenges. Always prioritize integration with organizational identity providers and use temporary credentials whenever possible, as recommended by AWS security best practices.

Implementation steps

  1. Assess current organizational identity infrastructure and determine integration requirements for Microsoft workloads on AWS:

    • Document existing Active Directory schema, domains, and trust relationships.

    • Map out current authentication flows and identify Microsoft applications requiring integration.

  2. Choose appropriate Directory Service option (AWS Managed Microsoft AD, AD Connector, or Active Directory on EC2) based on your organizational needs and existing infrastructure:

    • Compare directory service options against requirements (scale, features, management overhead).

    • Evaluate cost implications and licensing requirements for each option.

    • Conduct proof-of-concept testing with selected directory service option.

  3. Establish trust relationships between AWS-hosted Active Directory and on-premises Active Directory domains if hybrid connectivity is required:

    • Configure VPN or Direct Connect for secure hybrid connectivity.

    • Set up forest and domain trusts and verify DNS resolution between environments.

    • Test authentication flows across trusted domains.

  4. Configure single sign-on (SSO) using AWS IAM Identity Center or compatible third-party solutions to provide unified access across Microsoft applications:

    • Set up AWS IAM Identity Center integration with chosen directory service.

    • Configure application-specific SSO connectors for Microsoft workloads.

    • Test SSO flows for required applications.

  5. Implement multi-factor authentication (MFA) for user accounts accessing Microsoft workloads using AWS IAM Identity Center MFA capabilities, which support various authentication methods including TOTP, SMS, email, and passwordless options like Windows Hello for Business and FIDO2 security keys, or integrate with AWS Managed Microsoft AD using RADIUS-based MFA solutions:

    • Define MFA policies and enforcement rules.

    • Configure selected MFA methods in AWS IAM Identity Center or RADIUS.

    • Test MFA enrollment and authentication processes.

  6. Set up automated user provisioning and deprovisioning processes that integrate with HR systems and organizational identity management workflows:

    • Design user lifecycle workflows and approval processes.

    • Implement SCIM or PowerShell-based provisioning scripts.

    • Configure integration between HR systems and AWS directory service.

  7. Configure role-based access control (RBAC) that aligns with organizational roles and responsibilities while following least privilege principles:

    • Define role hierarchy and permission sets.

    • Create security groups and implement group-based assignments.

    • Document and implement approval workflows for role changes.

  8. Establish monitoring and auditing capabilities to track identity-related activities and adhere to organizational security policies:

    • Configure CloudWatch logging for directory service events.

    • Set up alerts for suspicious authentication activities.

    • Implement regular compliance reporting and access reviews.

Resources

Related documents:

Related tools: