Azure Cloud User Access Restrictions


Summary

Azure Cloud User Access Restrictions refer to the controls and policies that organizations use to manage who can access resources and services in Microsoft Azure, including how and when users—both internal and external—can interact with cloud environments. These restrictions help protect sensitive data, reduce security risks, and support compliance by limiting access to only those who truly need it.

  • Establish secure policies: Review and update your access rules regularly to enforce multifactor authentication and restrict access based on user roles and device compliance.
  • Monitor and review: Regularly check sign-in and group membership logs to spot unusual behavior or outdated permissions that could put your resources at risk.
  • Control guest access: Make sure guest users and cross-tenant connections have appropriate governance and billing set up to maintain security and compliance across environments.
Summarized by AI based on LinkedIn member posts
  • Mezba Uddin

    Microsoft MVP | NHS Digital Infrastructure Engineer | MCT | Author, Speaker & Educator | Microsoft 365, Azure, DevOps, Cybersecurity, Open Source, AI & Automation

    This might have slipped under your radar, but Microsoft enforced a major change on January 30th that's affecting Identity Governance for guest users. I'm seeing some confusion about it, so wanted to break it down. You now need an Azure subscription to use Identity Governance features for guest users. If you haven't done this yet, you're probably already running into issues. That means:

    ❌ No new access reviews for guest users
    ❌ Can't update entitlement management policies involving guests
    ❌ Can't create or edit lifecycle workflows scoped to guests
    ❌ Basically, any new governance action for guests is blocked

    Microsoft shifted to a Monthly Active User billing model for guest governance, as they need proper billing tracking for governance actions on guest accounts, so subscription linkage became mandatory. To resolve the issues, head to Entra → ID Governance → Dashboard, find the Guest Access Governance panel, and link your Azure subscription. You'll need Contributor role permissions. The setup walks you through picking a subscription and resource group - takes about 10 minutes. If you're managing guest access and haven't linked a subscription yet, prioritize this today. Your team might already be stuck, wondering why policies won't save.

    #EntraGovernance #EntraID #AzureSubscription #mvpbuzz #guestgovernance #governance

  • Charles Garrett

    The alerts aren’t the problem. The detections are. 👉 theadversarylab.com

    🚨 Securing Azure Entra ID: Proactive Defense Against Discovery Tactics 🚨

    Discovery tactics in Azure Entra ID environments (TA0007) give attackers the roadmap they need for lateral movement, privilege escalation, and exfiltration. But awareness empowers action. Let’s dive into how you can mitigate these threats:

    1️⃣ Account Discovery (T1087): Mitigate unauthorized Entra ID account enumeration. Restrict commands like Get-AzADUser and enforce least-privilege access.
    2️⃣ Cloud Service Discovery (T1526): Disable unused Azure services to reduce the attack surface. Monitor commands like az resource list --output table and set alerts.
    3️⃣ Password Policy Discovery (T1201): Enable strong password policies using banned password lists. Use Smart Lockout to block brute-force attempts. Monitor Entra audit logs for password policy changes and set alerts.
    4️⃣ Permission Groups Discovery (T1069): Restrict group enumeration permissions to essential roles only. Use Privileged Identity Management (PIM) for critical groups like Global Administrators. Monitor changes to group memberships via Azure Monitor or Microsoft Sentinel.
    5️⃣ Cloud Groups Enumeration (T1069.003): Regularly review sensitive group access and enforce JIT access for administrative roles using PIM. Monitor commands such as az ad group list and az ad group member list.

    💡 Key takeaway: Proactive steps like disabling unused services, enforcing least privilege, and implementing robust monitoring can significantly reduce your attack surface.

    🔑 Do you know of any other ways to fortify your Azure defenses? 🏰 Share your thoughts and strategies below!

    #AzureSecurity #CyberSecurity #CloudDefense
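Point 4 in the post above recommends monitoring changes to privileged group memberships. The script below is an added example (not the post author's code) of the review logic a defender would run over an Entra ID audit export: it parses JSON-lines records, keeps only membership and ownership additions that touch a privileged group, and rates each one by whether the initiating identity is on an approved administrator list. The records are constructed and shaped loosely after Microsoft Graph `directoryAudit` entries; the group names, the approved-administrator list and the sample tenant are assumptions for the demo.

```python
"""Review Entra ID audit records for privileged-group membership changes.

Added example (not the post author's code). The records below are constructed
and shaped loosely after Microsoft Graph `directoryAudit` entries; the
privileged group names and the approved-administrator list are assumptions.
"""
import json

# Groups whose membership changes always warrant review (assumed names).
PRIVILEGED_GROUPS = {
    "Global Administrators",
    "Privileged Role Administrators",
    "Subscription Owners",
}

# Identities expected to change those groups, e.g. through a PIM-backed
# process (assumed for the demo).
APPROVED_ADMINS = {"pim-admin@contoso.example"}

# Audit activities that add an identity to a group or role.
WATCHED_ACTIVITIES = {"Add member to group", "Add owner to group", "Add eligible member to role"}


def _record(activity, actor, group, subject, actor_is_app=False):
    """Build one constructed audit record in the simplified shape used here."""
    if actor_is_app:
        initiated_by = {"app": {"displayName": actor}}
    else:
        initiated_by = {"user": {"userPrincipalName": actor}}
    return {
        "activityDisplayName": activity,
        "activityDateTime": "2025-01-30T09:15:00Z",
        "initiatedBy": initiated_by,
        "targetResources": [
            {"type": "Group", "displayName": group},
            {"type": "User", "userPrincipalName": subject},
        ],
    }


# Constructed sample export (JSON lines), not real tenant data.
SAMPLE_AUDIT_EXPORT = "\n".join(json.dumps(r) for r in [
    _record("Add member to group", "pim-admin@contoso.example", "Global Administrators", "alice@contoso.example"),
    _record("Add member to group", "bob@contoso.example", "Global Administrators", "svc-backup@contoso.example"),
    _record("Add member to group", "bob@contoso.example", "Marketing", "dave@contoso.example"),
    _record("Update user", "bob@contoso.example", "Marketing", "dave@contoso.example"),
    _record("Add owner to group", "Legacy Sync App", "Subscription Owners", "eve@contoso.example", actor_is_app=True),
])


def load_audit_records(text):
    """Parse a JSON-lines audit export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor_of(record):
    """Return the initiating user's UPN, or the app display name for app-initiated changes."""
    who = record.get("initiatedBy", {})
    user = (who.get("user") or {}).get("userPrincipalName")
    app = (who.get("app") or {}).get("displayName")
    return user or app or "<unknown>"


def review_group_changes(records):
    """Return one finding per watched change to a privileged group.

    Severity is "high" when the actor is not an approved administrator, the
    case a PIM-gated process should never produce.
    """
    findings = []
    for r in records:
        if r.get("activityDisplayName") not in WATCHED_ACTIVITIES:
            continue
        targets = r.get("targetResources", [])
        groups = [t["displayName"] for t in targets
                  if t.get("type") == "Group" and t.get("displayName") in PRIVILEGED_GROUPS]
        subjects = [t.get("userPrincipalName", "<unknown>") for t in targets if t.get("type") == "User"]
        actor = actor_of(r)
        for group in groups:
            findings.append({
                "time": r.get("activityDateTime"),
                "activity": r["activityDisplayName"],
                "group": group,
                "actor": actor,
                "subjects": subjects,
                "severity": "info" if actor in APPROVED_ADMINS else "high",
            })
    return findings


def high_severity_actors(findings):
    """Map each actor to the number of high-severity findings they caused."""
    counts = {}
    for f in findings:
        if f["severity"] == "high":
            counts[f["actor"]] = counts.get(f["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    found = review_group_changes(load_audit_records(SAMPLE_AUDIT_EXPORT))
    for f in found:
        print(f"[{f['severity']}] {f['time']} {f['actor']} -> {f['activity']} "
              f"on '{f['group']}' for {', '.join(f['subjects'])}")
    print("high-severity actors:", high_severity_actors(found))
```

On the constructed sample this yields three findings: the PIM-backed addition is rated "info", while the addition by an ordinary user and the owner change made by a legacy application are both "high". In a real tenant the approved list would be derived from PIM assignments rather than hard-coded, and the same loop can be fed from a Sentinel or Log Analytics export.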

  • Daniel Chronlund

    Microsoft Security MVP, Microsoft 365 security expert, blogger, and consultant at Exobe.

    I've just released version 13 of my #ConditionalAccess Policy Design Baseline for #EntraID (#AzureAD). Updates:

    ☑️ Added a GLOBAL prefix for all policies (and a CUSTOM prefix for any deviations).
    ☑️ Reversed the guest access policy to block access to Azure Management.
    ☑️ Added medium-risk policies for Entra ID Protection.
    ☑️ Added a new device registration policy with MFA requirement.
    ☑️ Re-added file download block for unmanaged devices.
    ☑️ Example policy for deviations, marked as CUSTOM.
    ☑️ Brand alignment (Azure AD to Entra ID).

    https://lnkd.in/e3bqDCh

  • David Giraldo

    Saved over $500k for clients with 25+ reporting and data analytics solutions | Principal Fabric Analytics Consultant

    Azure’s enforcing MFA, and everyone’s worried their service accounts will break. Let’s keep it simple: If your automations use proper workload identities (managed identities, service principals, or app registrations), you’re safe. If you’re still running scripts with human accounts, you’re likely to see failures – even if you have conditional access workarounds. The new policy enforces MFA for interactive logins, and those bypasses are no longer guaranteed. Here’s what I recommend:

    1. Check your Entra ID/Azure AD sign-in logs. Spend 30 minutes to spot any automation, scripts, or jobs running under a real user account.
    2. Watch for ROPC flows. Any system using direct username/password authentication is likely at risk.
    3. Plan your migrations now, not later. Delaying only stacks up troubleshooting for the next enforcement window.
    4. Update your Azure CLI/PowerShell modules. New releases better handle MFA and give clearer logs for compliance.

    If you’re already fully on managed identity, good work. If not, use this change as your moment to audit and clean up lingering risks. Pairing this with Fabric’s new network hardening gives you a stronger baseline – and fewer security headaches down the road. Any questions? I’m here to help.
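Steps 1 and 2 of the post above (review sign-in logs for automation under human accounts, and watch for ROPC flows) can be turned into a repeatable triage. The script below is an added example, not the post author's code: it walks a window of sign-in records, skips service principals and managed identities (which already use workload identities), and flags user accounts that either used the ROPC username/password flow or produced many non-interactive sign-ins through a script client without MFA. The records are constructed and use a handful of field names from the Microsoft Graph `signIn` resource (`userPrincipalName`, `appDisplayName`, `isInteractive`, `authenticationProtocol`, `authenticationRequirement`); the client app names, the sign-in threshold and the sample tenant are assumptions for the demo.

```python
"""Triage Entra ID sign-in records for automation running under human accounts.

Added example (not the post author's code). The records are constructed and
use a few field names from the Microsoft Graph `signIn` resource; the client
app names, the threshold and the sample tenant are assumptions for the demo.
"""
from collections import defaultdict

# Client apps that scripts and jobs typically sign in through (assumed names).
SCRIPT_CLIENTS = {"Microsoft Azure CLI", "Microsoft Azure PowerShell"}


def _sign_in(upn, app, interactive, protocol, requirement, count=1):
    """Return `count` constructed sign-in records sharing the same attributes."""
    return [{
        "userPrincipalName": upn,
        "appDisplayName": app,
        "isInteractive": interactive,
        "authenticationProtocol": protocol,
        "authenticationRequirement": requirement,
    } for _ in range(count)]


# Constructed sample window (not real tenant data).
SAMPLE_SIGN_INS = (
    # A nightly job using a username/password (ROPC) flow under a user account.
    _sign_in("svc-nightly@contoso.example", "Microsoft Azure CLI", False, "ropc",
             "singleFactorAuthentication", count=3)
    # A reporting job running under a user account whose tokens never saw MFA.
    + _sign_in("reports-bot@contoso.example", "Microsoft Azure PowerShell", False, "oAuth2",
               "singleFactorAuthentication", count=6)
    # Ordinary interactive portal use with MFA.
    + _sign_in("alice@contoso.example", "Azure Portal", True, "oAuth2",
               "multiFactorAuthentication", count=2)
    # An engineer using the CLI interactively and satisfying MFA.
    + _sign_in("carol@contoso.example", "Microsoft Azure CLI", True, "oAuth2",
               "multiFactorAuthentication")
    # A managed identity: no UPN, so it is outside the scope of this review.
    + [{"servicePrincipalName": "mi-backup", "appDisplayName": "Azure Backup",
        "isInteractive": False, "authenticationProtocol": "oAuth2"}]
)


def triage_sign_ins(records, min_scripted=5):
    """Return {upn: stats} for user accounts that look like automation.

    Two signals are used: any ROPC sign-in (a raw username/password exchange
    that cannot complete MFA), and at least `min_scripted` non-interactive
    sign-ins through a script client. Records without a userPrincipalName
    (service principals, managed identities) are skipped because they are
    already on the intended workload-identity path.
    """
    per_user = defaultdict(lambda: {"ropc": 0, "scripted": 0, "single_factor": 0})
    for r in records:
        upn = r.get("userPrincipalName")
        if not upn:
            continue
        stats = per_user[upn]
        if r.get("authenticationProtocol") == "ropc":
            stats["ropc"] += 1
        if not r.get("isInteractive", True) and r.get("appDisplayName") in SCRIPT_CLIENTS:
            stats["scripted"] += 1
            if r.get("authenticationRequirement") == "singleFactorAuthentication":
                stats["single_factor"] += 1

    findings = {}
    for upn, s in per_user.items():
        reasons = []
        if s["ropc"]:
            reasons.append(f"{s['ropc']} ROPC sign-in(s): this flow fails once MFA is enforced")
        if s["scripted"] >= min_scripted:
            reasons.append(f"{s['scripted']} non-interactive script-client sign-ins "
                           f"({s['single_factor']} without MFA)")
        if reasons:
            findings[upn] = {**s, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for upn, info in triage_sign_ins(SAMPLE_SIGN_INS).items():
        print(f"{upn}: migrate to a workload identity")
        for reason in info["reasons"]:
            print(f"  - {reason}")
```

On the constructed window the two job accounts are flagged and the two people are not: carol's CLI use is interactive and MFA-backed, so it is legitimate human use rather than a script. The threshold is deliberately a parameter; over a real 30-day export it should be tuned so that a person running a few ad-hoc commands does not show up next to a scheduler that signs in hourly.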

  • Chafik Belhaoues

    Founder of Brainboard.co (YC W22). Former CTO @Scaleway.

    📌 How to enable Consumer tenant to securely access an Azure App Service hosted in a Provider tenant, without exposing the app to the public internet?

    Multi-Tenant Azure App Security with Private Endpoint architecture:

    ‣ Zero public ingress: The App Service is not publicly reachable (403 Forbidden from the internet)
    ‣ Access is only possible via Azure Private Endpoints
    ‣ Works across Azure AD tenants and subscriptions
    ‣ Fully reproducible with Terraform
    ‣ Explicit cross-tenant trust via approval workflow
    ‣ DNS isolation per tenant
    ‣ NSGs controlling VM access (RDP should be removed in prod)
    ‣ Secrets should be moved to Azure Key Vault (not TF vars)

    Network & access flow

    ✅ Provider VM → App Service (via Provider Private Endpoint)
    ✅ Consumer VM → App Service (via Consumer Private Endpoint, after approval)
    ❌ Internet → App Service (403 Forbidden)

    DNS resolution in both tenants maps <app>.azurewebsites.net → private IP, keeping traffic on the Azure backbone.

    ⚠️ Important technical constraints

    ‣ App Service must be Premium (P1v3+)
    ‣ Cross-tenant Private Endpoints require manual approval in the Provider tenant
    ‣ Each tenant maintains its own Private DNS Zone

    👉 If you’re designing multi-tenant Azure platforms, this pattern is worth mastering. Here is the complete architecture with Terraform: https://lnkd.in/gzQfapHA

    Use cases:

    ‣ SaaS providers exposing private services to customers
    ‣ Enterprises with strict network isolation policies
    ‣ Regulated environments requiring no public endpoints
    ‣ Platform teams standardizing secure cross-tenant patterns

    #Azure #Terraform #CloudArchitecture #AzureNetworking #PrivateEndpoint #ZeroTrust #AppService #MultiTenant #PlatformEngineering #DevOps #CloudSecurity
