alz checklist updates #569

Merged: 3 commits, Dec 14, 2023
Changes from 1 commit
26 changes: 8 additions & 18 deletions checklists/alz_checklist.en.json
Expand Up @@ -299,14 +299,15 @@
{
"category": "Identity and Access Management",
"subcategory": "Identity",
"text": "If Azure Active Directory Domains Services (AADDS) is in use, deploy AADDS within the primary region because this service can only be projected into one subscription",
"waf": "Security",
"text": "When deploying Microsoft Entra Domain Services, use a location with Availability Zones and deploy at least two VMs across these zones. If not available, deploy in an Availability Set",
"waf": "Reliability",
"guid": "1559ab91-53e8-4908-ae28-c84c33b6b780",
"id": "B03.11",
"severity": "Medium",
"training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
"link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview"
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain#vm-recommendations"
},

{
"category": "Identity and Access Management",
"subcategory": "Identity",
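Review bot: The new B03.11 text tells the reader to deploy at least two VMs across Availability Zones for Microsoft Entra Domain Services, but Entra Domain Services is the managed offering; its domain controllers are not customer-deployed VMs, and the new link (adds-extend-domain#vm-recommendations) is guidance for self-managed AD DS domain controllers. Suggest provider-neutral wording that matches the link, e.g. "If you deploy domain controllers on VMs (AD DS), use a region with Availability Zones and place at least two VMs in different zones; if zones are not available, use an Availability Set". Separately, the previous text (deploy AADDS in the primary region because it can only be projected into one subscription, waf Security) is dropped here rather than relocated; if that constraint still holds it should keep its own item, since the replacement covers a different concern (Reliability).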
Expand All @@ -321,7 +322,7 @@
{
"category": "Identity and Access Management",
"subcategory": "Identity",
"text": "If AD on Windows server in use, are the resources in Azure using the correct domain controller?",
"text": "If Microsoft Entra Domain Services on Windows server is in use, are the resources in Azure using the correct domain controller?",
Collaborator:
Could we change this to:

If domain controllers are being used, ensure that resources are set to use the correct domain controller.

"waf": "Security",
"guid": "ac6a9e01-e6a8-43de-9de3-2c1992481607",
"id": "B03.13",
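Review bot: "Microsoft Entra Domain Services on Windows server" in the replacement text contradicts itself: Entra Domain Services is the managed service, while "Windows server" and "the correct domain controller" describe self-managed AD DS. The old wording "AD on Windows server" was the accurate one. The collaborator's proposed text above ("If domain controllers are being used, ensure that resources are set to use the correct domain controller.") avoids naming either product and turns the item from a question into an imperative like the other entries; suggest using it.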
Expand Down Expand Up @@ -354,11 +355,11 @@
{
"category": "Identity and Access Management",
"subcategory": "Landing zones",
"text": "Configure Identity (ADDS) network segmentation through the use of a virtual Network and peer back to the hub. Providing authentication inside application landing zone (legacy).",
"text": "Configure Identity network segmentation through the use of a virtual Network and peer back to the hub. Providing authentication inside application landing zone (legacy).",
"waf": "Security",
"guid": "9cf5418b-1520-4b7b-add7-88eb28f833e8",
"id": "B04.01",
"severity": "Low",
"severity": "Medium",
"training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities"
},
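Review bot: The severity of B04.01 is raised from Low to Medium in this hunk with no rationale anywhere in the PR; add one to the description or commit message. Dropping "(ADDS)" makes the item provider-neutral, which is fine, but the second sentence "Providing authentication inside application landing zone (legacy)." is still a fragment; suggest "This provides authentication inside the application landing zone (legacy pattern)." Also, the link anchor #managed-identities does not match an item about segmenting the identity VNet and peering it back to the hub; point it at the part of that page that covers domain-controller networking, or at the adds-extend-domain architecture already used as the training link.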
Expand Down Expand Up @@ -530,7 +531,7 @@
{
"category": "Resource Organization",
"subcategory": "Subscriptions",
"text": "If AD on Windows Server, establish a dedicated identity subscription in the Indentity management group, to host Windows Server Active Directory domain controllers",
"text": "If Entra Domain Services on Windows server, establish a dedicated identity subscription in the Identity management group, to host the domain controllers",
Collaborator @brsteph, Dec 8, 2023:
Question on this and a few other sections - I am not aware that Windows Server Active Directory is being changed to Entra Domain Services. The product documentation still refers to it as AD. I thought Entra Domain Services was a replacement name for the Azure AD Domain Services.

Some of these recommendations are agnostic to which approach, and some are dependent, so I think we would want to be clear here.

Collaborator:
For this section, could we change this to:

If servers will be used for Identity services, like domain controllers, establish a dedicated identity subscription in the Identity management group to host the services.

Contributor (author):
Good spotting here; I'll update based on the recent comment.

"waf": "Security",
"guid": "3a923c34-74d0-4001-aac6-a9e01e6a83de",
"id": "C02.13",
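Review bot: As the thread above says, "If Entra Domain Services on Windows server" names the wrong product: Entra Domain Services is managed and has no customer-operated domain controllers, so the line as written is self-contradictory. The "Indentity" to "Identity" fix is good and should stay. When applying the collaborator's wording ("If servers will be used for Identity services, like domain controllers, establish a dedicated identity subscription in the Identity management group to host the services"), use the same neutral terminology in B03.11 and B03.13 in the same commit so the three items agree on which product they refer to.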
Expand Down Expand Up @@ -916,17 +917,6 @@
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits"
},
{
Collaborator:
I'm not sure why we would remove this. Is there a reason we would not want the domain controllers to be in the more fault-tolerant configuration?

Collaborator:
I think this is being consolidated into B03.11.

Collaborator:
I was reading B03.11 as being just for Entra Domain Services - I think this might be tied to my other comment thread then.

I am thinking the sheet should be agnostic to the provider used, and we can treat Active Directory Domain Services and Entra Domain Services with the same recommendations - the same HA for DCs applies to both. Although I may be missing some roadmap items here.

Contributor (author):
Correct, consolidating under the identity design area.

"category": "Network Topology and Connectivity",
"subcategory": "Hybrid",
"text": "If you are deploying at least two VMs running AD DS as domain controllers, add them to different Availability Zones. If not available in the region, deploy in an Availability Set.",
"waf": "Reliability",
"guid": "2df4930f-6a43-49a3-926b-309f02c302f0",
"id": "D04.15",
"ammp": true,
"severity": "High",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain#vm-recommendations"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "Hybrid",
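Review bot: Removing D04.15 drops the only entry aimed at self-managed AD DS domain controllers on VMs and, with it, the "ammp": true flag and the High severity; the consolidated B03.11 in this diff is Medium, has no ammp flag, and names Entra Domain Services instead. If the intent is to consolidate into the identity design area, carry the High severity and the ammp flag over (or say why they are lowered) and keep the "If you are deploying at least two VMs running AD DS as domain controllers" wording, since that is the case the linked #vm-recommendations guidance actually covers.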