| Category | Subcategory | Recommendation | Service | Severity | Reference |
|---|---|---|---|---|---|
| Identity and Access Management | Authentication | Wherever possible, eliminate static API keys in favor of Microsoft Entra ID for authentication. | Azure OpenAI | 🔴 High | link |
| Identity and Access Management | Authentication | Enforce multi-factor authentication for any user with rights to the Azure environments. | Microsoft Entra | 🔴 High | link |
| Identity and Access Management | Authentication | Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege. | Microsoft Entra | 🔴 High | link |
| Identity and Access Management | Authentication | Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments. | Microsoft Entra | 🔴 High | link |
| Identity and Access Management | Authentication | Where possible, use Azure RBAC to manage data-plane access to resources, e.g. data operations on Key Vault, Storage Accounts and database services. | Azure RBAC | 🔴 High | link |
| Identity and Access Management | Authentication | Use Microsoft Entra ID PIM access reviews to periodically validate resource entitlements. | Microsoft Entra | 🔴 High | link |
| Identity and Access Management | Authentication | Require clients to authenticate using Entra ID when accessing AI model endpoints. | Azure API Management | 🔴 High | link |
| Identity and Access Management | Entra ID based access | Disable key-based (local) authentication. Once key-based access is disabled, Microsoft Entra ID is the only access method, which supports the least-privilege principle and granular control. | Azure OpenAI | 🔴 High | link |
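The following Bicep is an added example, not part of the checklist or any Microsoft template, showing the configuration the Azure OpenAI rows above call for: local (key) authentication disabled so that only Entra ID tokens are accepted, and data-plane access granted through an Azure RBAC role assignment rather than a shared key. The account name and the caller's managed-identity principal ID (`callerPrincipalId`, e.g. the identity of an API Management instance fronting the endpoint) are assumed parameters.

```bicep
// Added example: Azure OpenAI account hardened for Entra ID-only access.
// Assumed parameters: accountName and callerPrincipalId are supplied by the caller.
param location string = resourceGroup().location
param accountName string
// Object (principal) ID of the managed identity that will call the endpoint.
param callerPrincipalId string

resource openai 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: accountName
  location: location
  kind: 'OpenAI'
  sku: {
    name: 'S0'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    // A custom subdomain is required before Entra ID token authentication works.
    customSubDomainName: accountName
    // Weak default is disableLocalAuth: false (API keys accepted).
    // true turns key-based access off; clients must present an Entra ID token.
    disableLocalAuth: true
  }
}

// Data-plane access via Azure RBAC: built-in role "Cognitive Services OpenAI User"
// (inference only, no key or management rights), scoped to this single account.
resource callerRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(openai.id, callerPrincipalId, 'CognitiveServicesOpenAIUser')
  scope: openai
  properties: {
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
    )
    principalId: callerPrincipalId
    principalType: 'ServicePrincipal'
  }
}

output endpoint string = openai.properties.endpoint
```

With `disableLocalAuth` set to true, a request carrying only an `api-key` header is rejected, so any client still using a static key surfaces immediately as an authentication failure rather than continuing to work unnoticed.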