diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 2fba78448..7bae07bf6 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -299,14 +299,15 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "If Azure Active Directory Domains Services (AADDS) is in use, deploy AADDS within the primary region because this service can only be projected into one subscription",
- "waf": "Security",
+ "text": "When deploying Active Directory on Windows Server, use a location with Availability Zones and deploy at least two VMs across these zones. If not available, deploy in an Availability Set",
+ "waf": "Reliability",
 "guid": "1559ab91-53e8-4908-ae28-c84c33b6b780",
 "id": "B03.11",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview"
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain#vm-recommendations"
 },
+
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
@@ -321,7 +322,7 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Identity",
- "text": "If AD on Windows server in use, are the resources in Azure using the correct domain controller?",
+ "text": "If domain controllers are being used, ensure that resources are set to use the correct domain controller.",
 "waf": "Security",
 "guid": "ac6a9e01-e6a8-43de-9de3-2c1992481607",
 "id": "B03.13",
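Review bot: The rewritten B03.11 keeps `"severity": "Medium"` and has no `"ammp"` key, while the D04.15 item it appears to replace (deleted in the last hunk of this file) carried `"severity": "High"` and `"ammp": true`, so the consolidation silently downgrades the check and drops it from AMMP coverage; if merging is the intent, carry over `"severity": "High",` and `"ammp": true,`. The `training` URL on the same item still points at the Entra ID module, which no longer matches a check about Windows Server AD DS VM placement and should be updated alongside `link`. The `guid` is retained although the check's meaning changed completely; if the guid is the stable key the checklist tooling uses to persist review status, prior AADDS answers would carry over to this unrelated check, so a fresh guid is safer. Note also that the AADDS single-subscription projection constraint is now covered by no check at all; if AADDS remains a supported identity option in this checklist, keep it as a separate item rather than repurposing this one.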
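Review bot: The new B03.13 text asks for the "correct" domain controller without saying what makes one correct, so a reviewer cannot verify it consistently. Since C02.13 in this same change places domain controllers in a dedicated identity subscription, the check could be made concrete along the lines of `"text": "If domain controllers are being used, ensure that virtual network DNS settings and domain-joined resources point to the domain controllers in the identity subscription rather than to other or public DNS servers."`. I cannot see the `link` target for this item, so confirm the wording against it.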
@@ -354,11 +355,11 @@
 {
 "category": "Identity and Access Management",
 "subcategory": "Landing zones",
- "text": "Configure Identity (ADDS) network segmentation through the use of a virtual Network and peer back to the hub. Providing authentication inside application landing zone (legacy).",
+ "text": "Configure Identity network segmentation through the use of a virtual Network and peer back to the hub. Providing authentication inside application landing zone (legacy).",
 "waf": "Security",
 "guid": "9cf5418b-1520-4b7b-add7-88eb28f833e8",
 "id": "B04.01",
- "severity": "Low",
+ "severity": "Medium",
 "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities"
 },
@@ -530,7 +531,7 @@
 {
 "category": "Resource Organization",
 "subcategory": "Subscriptions",
- "text": "If AD on Windows Server, establish a dedicated identity subscription in the Indentity management group, to host Windows Server Active Directory domain controllers",
+ "text": "If servers will be used for Identity services, like domain controllers, establish a dedicated identity subscription in the identity management group, to host these services",
 "waf": "Security",
 "guid": "3a923c34-74d0-4001-aac6-a9e01e6a83de",
 "id": "C02.13",
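Review bot: The new B04.01 text still ends in the fragment `Providing authentication inside application landing zone (legacy).`, which does not state what the reviewer is to verify and reads oddly next to the imperative first sentence. Consider one sentence such as `"text": "Configure identity network segmentation through a dedicated virtual network peered back to the hub, so that legacy applications in application landing zones can authenticate against the identity services."`. Raising the severity to Medium is reasonable now that the item covers any identity service rather than only AD DS, but the wording should make the verifiable condition explicit.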
@@ -916,17 +917,6 @@
 "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
 "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits"
 },
- {
- "category": "Network Topology and Connectivity",
- "subcategory": "Hybrid",
- "text": "If you are deploying at least two VMs running AD DS as domain controllers, add them to different Availability Zones. If not available in the region, deploy in an Availability Set.",
- "waf": "Reliability",
- "guid": "2df4930f-6a43-49a3-926b-309f02c302f0",
- "id": "D04.15",
- "ammp": true,
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain#vm-recommendations"
- },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "Hybrid",