One Developer

Reputation: 556

Azure AD Groups and its permissions to manage & operate the Azure Tenant

I am setting up the Azure Cloud infrastructure and as a part of this exercise, I want to create and provide the required permissions to the AD Groups, teams will be added into the corresponding AD Groups later.

As of now, my Azure Tenant has five subscriptions (Connectivity, Management, Identity, Production, Dev). I have identified the following list of AD Groups and I am looking for the best practices or recommendations based on your existing implementation.

[Image in the original post: the proposed list of AD groups. Not reproduced here.]

Upvotes: 1

Views: 149

Answers (1)

Amit Verma

Reputation: 9464

Considering that your 5 listed AD groups meet your org requirement and that you'll be adding predefined or custom Azure AD roles to these groups later, you may still need to follow these checks & best practices for your identified groups. You should note that provisioning some of the considerations/features below will require Azure AD P1/P2 licenses:

  1. Assign at least two cloud-only permanent global administrator accounts for use in an emergency. These accounts aren't to be used daily and should have long and complex passwords - more here.
  2. Give your administrators only the access they need to only the areas they need access to. Not all administrators need to be global administrators - more here.
  3. Periodic password resets encourage your users to increment their existing passwords - more here.
  4. Block legacy authentication protocols like POP, SMTP, IMAP, and MAPI that cannot enforce MFA, making them a preferred entry point for adversaries - more here.
  5. Enforce users to do two-step verification when accessing sensitive applications using Conditional Access policies - more here.
  6. Enable tracking of risky sign-ins and compromised credentials for users in your organization - more here.
  7. Enable automation to trigger events such as MFA, password reset, and blocking of risky sign-ins - more here.
  8. Collaborate with Guest Users by letting them sign in to apps and services with their own work, school, or social identities - more here.
  9. Decide what devices your org allows. Consider Registering vs Joining, Bring Your Own Device vs Company Provided devices - more here.
  10. Identify applications within your org (on-prem, SaaS apps, and other LOB apps) that can and should be managed with Azure AD.
  11. Remove administrative roles from normal day-to-day user accounts. Make administrative users eligible to use their role after passing an MFA check, providing a business justification, or after due approval - more here.
  12. Work with security & leadership teams to create an access review policy to review administrative access based on your org's policies - more here.
  13. Use dynamic groups to automatically assign users to groups based on certain attributes e.g. department, title, region, and other attributes - more here.
  14. Remove manual steps from the AD account lifecycle to prevent unauthorized access. Synchronize identities to Azure AD - more here.

Upvotes: 1
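A concrete way to audit items 2 and 11 of the answer above (administrators get access only to the areas they need, and privileged roles are not held by day-to-day user accounts) against the five subscriptions named in the question. This is an added example, not code from the original question or answer. It assumes a hypothetical group-to-subscription policy (`ALLOWED_SUBSCRIPTIONS`), placeholder subscription IDs, and a constructed sample in the shape of `az role assignment list --all -o json` output (the `principalName`, `principalType`, `roleDefinitionName` and `scope` fields); in practice you would feed the real command's output into `review()`.

```python
"""Least-privilege review of Azure RBAC role assignments across subscriptions.

Added example; not part of the original Q&A. All group names, subscription IDs
and assignments below are CONSTRUCTED placeholders.
"""
import json
from collections import Counter

# Roles that grant control over access itself, or over everything in scope.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}

# Placeholder subscription IDs mapped to the five subscriptions from the question.
SUBSCRIPTIONS = {
    "11111111-1111-1111-1111-111111111111": "Connectivity",
    "22222222-2222-2222-2222-222222222222": "Management",
    "33333333-3333-3333-3333-333333333333": "Identity",
    "44444444-4444-4444-4444-444444444444": "Production",
    "55555555-5555-5555-5555-555555555555": "Dev",
}

# Hypothetical policy: the only subscriptions each AD group may hold roles in.
ALLOWED_SUBSCRIPTIONS = {
    "sg-platform-network": {"Connectivity"},
    "sg-platform-mgmt": {"Management"},
    "sg-identity-admins": {"Identity"},
    "sg-prod-operators": {"Production"},
    "sg-dev-engineers": {"Dev"},
}

# Constructed sample mimicking `az role assignment list --all -o json` fields.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "sg-platform-network", "principalType": "Group",
   "roleDefinitionName": "Network Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"principalName": "sg-dev-engineers", "principalType": "Group",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/55555555-5555-5555-5555-555555555555"},
  {"principalName": "sg-dev-engineers", "principalType": "Group",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/44444444-4444-4444-4444-444444444444"},
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/44444444-4444-4444-4444-444444444444"},
  {"principalName": "sg-identity-admins", "principalType": "Group",
   "roleDefinitionName": "User Access Administrator",
   "scope": "/"},
  {"principalName": "sg-prod-operators", "principalType": "Group",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/44444444-4444-4444-4444-444444444444/resourceGroups/rg-app"}
]
""")


def subscription_of(scope):
    """Subscription name for a scope, or None for tenant root / management groups."""
    parts = scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "subscriptions":
        return SUBSCRIPTIONS.get(parts[1], parts[1])
    return None


def review(assignments, allowed=ALLOWED_SUBSCRIPTIONS):
    """Return (finding_kind, principal, role, scope) tuples for policy violations."""
    findings = []
    for a in assignments:
        name, ptype = a["principalName"], a["principalType"]
        role, scope = a["roleDefinitionName"], a["scope"]
        sub = subscription_of(scope)
        # Item 11: privileged roles should sit on groups (ideally PIM-eligible), not on user accounts.
        if role in PRIVILEGED_ROLES and ptype == "User":
            findings.append(("direct-privileged-user", name, role, scope))
        # Item 2: privileged roles at tenant root or management-group scope reach every subscription.
        if role in PRIVILEGED_ROLES and sub is None:
            findings.append(("privileged-above-subscription", name, role, scope))
        # Item 2: a group holding any role outside the subscriptions the policy allows for it.
        if ptype == "Group" and name in allowed and sub is not None and sub not in allowed[name]:
            findings.append(("outside-allowed-subscription", name, role, scope))
    return findings


def summarize(findings):
    """Count findings by kind, for a quick dashboard-style overview."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    for kind, name, role, scope in review(SAMPLE_ASSIGNMENTS):
        print(f"{kind:32} {name:28} {role:28} {scope}")
    print(summarize(review(SAMPLE_ASSIGNMENTS)))
```

On the constructed sample this reports three findings: a user holding Owner directly on Production, a group holding User Access Administrator at the tenant root, and the Dev engineers' group holding Contributor on Production. Resource-group scopes resolve to their parent subscription, so the Reader assignment on `rg-app` passes.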
