# IAM Risk Analysis - Microsoft Azure

### Overview

This section outlines how Segregation of Duties (SoD) policies across Microsoft Azure Infrastructure are implemented, configured, validated, and operationalized within BalkanID IAM Risk Analyzer.

The objective is to transition organizations from periodic cloud access reviews and static RBAC audits to a continuous governance program where identity risks are automatically detected, analyzed, and remediated throughout the identity lifecycle.

Microsoft Azure uses Azure Resource Manager (ARM) RBAC as its primary authorization model. Access to infrastructure resources is governed through:

* Management Groups and Subscriptions
* Built-in and Custom Azure RBAC Roles
* Resource-level permissions across compute, storage, networking, and databases
* Azure Policy and Blueprint assignments
* Activity Logs and Diagnostic Settings
* Service Principals and Managed Identities

While this model enables flexible infrastructure access management, it can introduce privilege escalation paths, segregation conflicts, and governance gaps when roles are assigned broadly or without centralized oversight.

BalkanID IAM Risk Analyzer continuously evaluates Azure identity relationships to detect:

* Segregation of Duties conflicts
* Privileged access governance violations
* Excessive RBAC role assignments
* Identity lifecycle failures
* Non-human identity risks (service principals and managed identities)

The result is a centralized risk view that enables organizations to enforce least privilege, strong governance controls, and secure cloud infrastructure access.

### Implementation

**Phase 1:** Policy Definition & Baseline Establishment

Objective: Define and validate SoD policy scope across Azure RBAC roles, subscription-level access, and identity lifecycle processes.

Activities include:

Identify governance areas in scope:

* Management Groups and Subscription hierarchy
* Azure RBAC roles (Owner, Contributor, Reader, User Access Administrator)
* Custom role definitions
* Resource-level permissions (Compute, Storage, Networking, Databases)
* Azure Policy and governance controls
* Activity Logs and Diagnostic Settings
* Service principals and managed identities
* External and third-party access

Define baseline toxic access combinations aligned with Azure infrastructure governance best practices.

Categorize SoD rules by risk severity.

Validate rule logic against:

* RBAC role assignments
* Role inheritance across management groups and subscriptions
* Resource-level permissions
* Policy and monitoring configurations
* Service principal and managed identity access

Outcome

A formally approved Azure SoD policy library ready for configuration within BalkanID IAM Risk Analyzer.

**Phase 2:** Rule Configuration in BalkanID IAM Risk Analyzer - Finding Rule for SoD Detection

User-Generated Insights can be used to write SoD rules and can be aggregated into a Finding for actionable risk alerts. Findings provide broader risk context and are used to trigger automated workflows.

Example:

***Use Case 1***: Owner Role vs Security Monitoring Administration

Azure's built-in Owner role grants full control over resources, including the ability to modify monitoring configurations.

When a single identity can both manage infrastructure and modify or disable diagnostic settings or activity logs, it can conceal unauthorized activity.

Risk Impact

* Ability to hide unauthorized infrastructure changes
* Reduced independent oversight of monitoring controls
* Increased insider threat risk

<figure><img src="/files/rlTzDZTYVGIhlkvRPH9U" alt=""><figcaption></figcaption></figure>

***Use Case 2***: Infrastructure Provisioning vs Cost Management Administration

Infrastructure roles (e.g., Contributor) allow provisioning and scaling of resources.

If a user can also manage cost, billing, or budget configurations, they may manipulate resource usage without detection.

Risk Impact

* Unauthorized resource provisioning
* Increased financial governance risk
* Potential cost manipulation

<figure><img src="/files/gc25UsXtyhWZvnrOF2qj" alt=""><figcaption></figcaption></figure>

SoD Detection:

<figure><img src="/files/yzBmyfIKMVzIj3ETFHNQ" alt=""><figcaption></figcaption></figure>

### Baseline SoD Rule Library

| **Rules**                                                   | **Category**                                     |
| ----------------------------------------------------------- | ------------------------------------------------ |
| SoD - Owner Role vs Security Monitoring Administration      | Segregation of Duties; Cloud Security Governance |
| SoD - Infrastructure Provisioning vs Billing Administration | Segregation of Duties; Financial Governance      |
| SoD - KMS Key Administration vs Encrypted Data Access       | Segregation of Duties; Cryptographic Controls    |
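The two use cases above and the three rules in this library all reduce to the same check: does one identity hold a role from each side of a toxic pair at a scope where both assignments are effective? The script below is an added example, not BalkanID's or Microsoft's code, that runs that check over Azure RBAC role assignments with the scope inheritance described in Phase 1 (management group, then subscription, then resource group). The hierarchy, the subscription id, the principals and the assignments are all constructed, and the mapping of each library rule to concrete Azure built-in role names is this example's assumption; a production evaluator would expand role definitions to their `Actions` (Owner, for instance, already carries `*`) rather than matching on role names alone.

```python
"""Added example: evaluate Segregation-of-Duties rules over Azure RBAC role
assignments, honouring scope inheritance (management group -> subscription ->
resource group). Every identifier, name and assignment below is constructed."""
from collections import defaultdict

# Constructed hierarchy: child scope -> parent scope. The subscription id is a placeholder.
MG = "/providers/Microsoft.Management/managementGroups/mg-prod"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_DATA = SUB + "/resourceGroups/rg-data"
SCOPE_PARENT = {SUB: MG, RG_APP: SUB, RG_DATA: SUB}

# Constructed assignments, shaped like rows returned by `az role assignment list`.
ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": RG_APP},
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Monitoring Contributor", "scope": SUB},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": RG_APP},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Cost Management Contributor", "scope": RG_DATA},
    {"principalName": "sp-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Crypto Officer", "scope": MG},
    {"principalName": "sp-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Contributor", "scope": RG_DATA},
]

# Rule library: (side A roles, side B roles, severity). Mapping the page's rules
# to these Azure built-in role names is an assumption made for this example.
SOD_RULES = {
    "SoD - Owner Role vs Security Monitoring Administration":
        ({"Owner"}, {"Monitoring Contributor", "Log Analytics Contributor"}, "High"),
    "SoD - Infrastructure Provisioning vs Billing Administration":
        ({"Owner", "Contributor"}, {"Cost Management Contributor"}, "Medium"),
    "SoD - KMS Key Administration vs Encrypted Data Access":
        ({"Key Vault Crypto Officer", "Key Vault Administrator"},
         {"Storage Blob Data Contributor", "Storage Blob Data Reader"}, "High"),
}


def ancestors(scope, hierarchy):
    """Return the scope itself followed by every parent up to the root."""
    chain = []
    while scope:
        chain.append(scope)
        scope = hierarchy.get(scope)
    return chain


def effective_roles(rows, scope, hierarchy):
    """Roles from `rows` that apply at `scope`: assigned there or at any ancestor."""
    chain = set(ancestors(scope, hierarchy))
    return {r["roleDefinitionName"] for r in rows if r["scope"] in chain}


def evaluate(assignments, rules, hierarchy):
    """Return one finding per (principal, rule, scope) where both sides of a
    rule are effective at the same scope. Azure scopes form a tree, so checking
    only the scopes a principal is directly assigned at is sufficient: any
    overlap between two assignments surfaces at the deeper of the two, and
    assignments in sibling scopes (Bob below) never overlap."""
    by_principal = defaultdict(list)
    for a in assignments:
        by_principal[a["principalName"]].append(a)

    findings = []
    for principal, rows in by_principal.items():
        for scope in sorted({r["scope"] for r in rows}):
            held = effective_roles(rows, scope, hierarchy)
            for name, (side_a, side_b, severity) in rules.items():
                hit_a, hit_b = held & side_a, held & side_b
                if hit_a and hit_b:
                    findings.append({
                        "rule": name, "severity": severity,
                        "principal": principal,
                        "principalType": rows[0]["principalType"],
                        "scope": scope,
                        "roles": sorted(hit_a | hit_b),
                    })
    return findings


if __name__ == "__main__":
    for f in evaluate(ASSIGNMENTS, SOD_RULES, SCOPE_PARENT):
        flag = " [non-human identity]" if f["principalType"] != "User" else ""
        print(f"{f['severity']:6} {f['rule']}: {f['principal']}{flag} "
              f"at {f['scope']} via {f['roles']}")
```

Run as-is, the script reports two findings: Alice (Owner on `rg-app`, Monitoring Contributor inherited from the subscription) and the service principal `sp-deploy` (Key Vault Crypto Officer inherited from the management group, blob data access on `rg-data`). Bob holds both halves of the provisioning-versus-billing pair, but in sibling resource groups, so no scope exists where both are effective and no finding is raised; that scope test is what separates a real conflict from two unrelated assignments.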

### Control Mapping

| Framework      | Control ID     | Control Title                    |
| -------------- | -------------- | -------------------------------- |
| SOC 2          | CC6            | Logical Access Controls          |
| SOC 2          | CC6.3          | Authorization Changes            |
| ISO 27001      | A.9            | Access Control                   |
| ISO 27001      | A.6            | Segregation of Duties            |
| NIST SP 800-53 | AC-5           | Separation of Duties             |
| NIST SP 800-53 | AC-2           | Account Management               |
| NIST SP 800-53 | AC-6           | Least Privilege                  |
| SOX            | Logical Access | Infrastructure Access Governance |

## Conclusion

Microsoft Azure Infrastructure provides powerful and flexible access control capabilities through its RBAC model. However, without disciplined governance, it can lead to privilege sprawl, segregation conflicts, and persistent access risks.

The findings identified highlight areas where controls may not be sufficiently designed or operating effectively, particularly in privileged role governance, RBAC scoping, and identity lifecycle management.

Implementing continuous identity risk monitoring through BalkanID IAM Risk Analyzer enables organizations to detect and remediate these risks, strengthening cloud governance and reducing audit and security exposure.
