Merge pull request #106597 from memildin/asc-melvyn-vmva

PMEds28 · web-flow · commit ed5fcbcbb49b · 2020-03-11T09:36:55.000Z
Removed preview
diff --git a/articles/security-center/media/security-center-identity-access/two-security-controls-for-identity-and-access.png b/articles/security-center/media/security-center-identity-access/two-security-controls-for-identity-and-access.png
diff --git a/articles/security-center/secure-score-security-controls.md b/articles/security-center/secure-score-security-controls.md
@@ -41,7 +41,7 @@ The enhanced Secure Score is shown as a percentage, as shown in the following sc
 
 ## Locating your Secure Score
 
-Security Center displays your score prominently: it's the first thing shown in the Overview page. If you click through to the dedicated Secure Score page, you'll see the score broken down by subscription. Click a single subscription to see the detailed list of prioritized recommendations and the potential impact that remediating them will have on the subscription’s score.
+Security Center displays your score prominently: it's the first thing shown in the Overview page. If you click through to the dedicated Secure Score page, you'll see the score broken down by subscription. Click a single subscription to see the detailed list of prioritized recommendations and the potential impact that remediating them will have on the subscription's score.
 
 ## How the Secure Score is calculated 
 
@@ -95,7 +95,7 @@ The table below lists the Security Controls in Azure Security Center. For each c
 |**Remediate vulnerabilities**|6|- Advanced data security should be enabled on your SQL servers<br>- Vulnerabilities in Azure Container Registry images should be remediated (Preview)<br>- Vulnerabilities on your SQL databases should be remediated<br>- Vulnerabilities should be remediated by a Vulnerability Assessment solution<br>- Vulnerability assessment should be enabled on your SQL managed instances<br>- Vulnerability assessment should be enabled on your SQL servers<br>- Vulnerability assessment solution should be installed on your virtual machines|
 |**Enable encryption at rest**|4|- Disk encryption should be applied on virtual machines<br>- Transparent Data Encryption on SQL databases should be enabled<br>- Automation account variables should be encrypted<br>- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign<br>- SQL server TDE protector should be encrypted with your own key|
 |**Encrypt data in transit**|4|- API App should only be accessible over HTTPS<br>- Function App should only be accessible over HTTPS<br>- Only secure connections to your Redis Cache should be enabled<br>- Secure transfer to storage accounts should be enabled<br>- Web Application should only be accessible over HTTPS|
-|**Manage access and permissions**|4|- A maximum of 3 owners should be designated for your subscription<br>- Deprecated accounts should be removed from your subscription (Preview)<br>- Deprecated accounts with owner permissions should be removed from your subscription (Preview)<br>- External accounts with owner permissions should be removed from your subscription (Preview)<br>- External accounts with read permissions should be removed from your subscription<br>- External accounts with write permissions should be removed from your subscription (Preview)<br>- There should be more than one owner assigned to your subscription<br>- Role-Based Access Control (RBAC) should be used on Kubernetes Services (Preview)<br>- Service Fabric clusters should only use Azure Active Directory for client authentication|
+|**Manage access and permissions**|4|- A maximum of 3 owners should be designated for your subscription<br>- Deprecated accounts should be removed from your subscription<br>- Deprecated accounts with owner permissions should be removed from your subscription<br>- External accounts with owner permissions should be removed from your subscription<br>- External accounts with read permissions should be removed from your subscription<br>- External accounts with write permissions should be removed from your subscription<br>- There should be more than one owner assigned to your subscription<br>- Role-Based Access Control (RBAC) should be used on Kubernetes Services (Preview)<br>- Service Fabric clusters should only use Azure Active Directory for client authentication|
 |**Remediate security configurations**|4|- Pod Security Policies should be defined on Kubernetes Services (Preview)<br>- Vulnerabilities in container security configurations should be remediated<br>- Vulnerabilities in security configuration on your machines should be remediated<br>- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated<br>- Monitoring agent should be installed on your virtual machines<br>- Monitoring agent should be installed on your machines<br>- Monitoring agent should be installed on virtual machine scale sets<br>- Monitoring agent health issues should be resolved on your machines|
 |**Restrict unauthorized network access**|4|- IP forwarding on your virtual machine should be disabled<br>- Authorized IP ranges should be defined on Kubernetes Services (Preview)<br>- (DEPRECATED) Access to App Services should be restricted (Preview)<br>- (DEPRECATED) The rules for web applications on IaaS NSGs should be hardened<br>- Virtual machines should be associated with a Network Security Group<br>- CORS should not allow every resource to access your API App<br>- CORS should not allow every resource to access your Function App<br>- CORS should not allow every resource to access your Web Application<br>- Remote debugging should be turned off for API App<br>- Remote debugging should be turned off for Function App<br>- Remote debugging should be turned off for Web Application<br>- Access should be restricted for permissive Network Security Groups with Internet-facing VMs<br>- Network Security Group Rules for Internet facing virtual machines should be hardened|
 |**Apply adaptive application control**|3|- Adaptive Application Controls should be enabled on virtual machines<br>- Monitoring agent should be installed on your virtual machines<br>- Monitoring agent should be installed on your machines<br>- Monitoring agent health issues should be resolved on your machines|
@@ -121,7 +121,7 @@ Yes, but for a while they'll be running side by side to ease the transition.
 Yes. We recommend disabling recommendations when they're inapplicable in your environment. For instructions on how to disable a specific recommendation, see [Disable security policies](https://docs.microsoft.com/azure/security-center/tutorial-security-policy#disable-security-policies).
 
 ### If a Security Control offers me zero points towards my Secure Score, should I ignore it?
-In some cases you'll see a control max score greater than zero, but the impact is zero. When the incremental score for fixing resources is negligible, it's rounded to zero. Don't ignore these recommendations as they still bring security improvements. The only exception is the “Additional Best Practice” control. Remediating these recommendations won't increase your score, but it will enhance your overall security.
+In some cases you'll see a control max score greater than zero, but the impact is zero. When the incremental score for fixing resources is negligible, it's rounded to zero. Don't ignore these recommendations as they still bring security improvements. The only exception is the "Additional Best Practice" control. Remediating these recommendations won't increase your score, but it will enhance your overall security.
 
 ## Next steps
 
diff --git a/articles/security-center/security-center-identity-access.md b/articles/security-center/security-center-identity-access.md
@@ -11,86 +11,50 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 12/19/2019
+ms.date: 03/06/2020
 ms.author: memildin
 ---
-# Monitor identity and access (preview)
-When Security Center identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls to harden and protect your resources.
 
-This article explains the **Identity and Access** page of the resource security section of Azure Security Center.
+# Monitor identity and access
 
-For a full list of the recommendations you might see on this page, see [Identity and Access recommendations](recommendations-reference.md#recs-identity).
+> [!TIP]
+> From March 2020, Azure Security Center's identity and access recommendations are included in all subscriptions on the free pricing tier. If you have subscriptions on the free tier, their Secure Score will be affected as they were not previously assessed for their identity and access security. 
 
-> [!NOTE]
-> Monitoring identity and access is in preview and available only on the Standard tier of Security Center. See [Pricing](security-center-pricing.md) to learn more about Security Center's pricing tiers.
->
+When Security Center identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls to harden and protect your resources.
+
+The security perimeter has evolved from a network perimeter to an identity perimeter. Security becomes less about defending your network and more about defending your data, as well as managing the security of your apps and users. Nowadays, with more data and more apps moving to the cloud, identity becomes the new perimeter.
 
-Identity should be the control plane for your enterprise, and protecting identities should be your top priority. The security perimeter has evolved from a network perimeter to an identity perimeter. Security becomes less about defending your network and more about defending your data, as well as managing the security of your apps and users. Nowadays, with more data and more apps moving to the cloud, identity becomes the new perimeter.
+By monitoring identity activities, you can take proactive actions before an incident takes place or reactive actions to stop an attack attempt. Examples of recommendations you might see on the **Identity and access** resource security section of Azure Security Center include:
 
-By monitoring identity activities, you can take proactive actions before an incident takes place or reactive actions to stop an attack attempt. The Identity & Access dashboard provides you with recommendations such as:
+- MFA should be enabled on accounts with owner permissions on your subscription
+- A maximum of 3 owners should be designated for your subscription
+- Deprecated accounts should be removed from your subscription
+- External accounts with read permissions should be removed from your subscription
 
-- Enable MFA for privileged accounts on your subscription
-- Remove external accounts with write permissions from your subscription
-- Remove privileged external accounts from your subscription
+For a full list of the recommendations you might see here, see [Identity and Access recommendations](recommendations-reference.md#recs-identity).
 
 > [!NOTE]
-> If your subscription has more than 600 accounts, Security Center is unable to run the Identity recommendations against your subscription. Recommendations that are not run are listed under “unavailable assessments” below.
+> If your subscription has more than 600 accounts, Security Center is unable to run the Identity recommendations against your subscription. Recommendations that are not run are listed under "unavailable assessments" below.
 Security Center is unable to run the Identity recommendations against a Cloud Solution Provider (CSP) partner's admin agents.
 >
 
-## Monitor identity and access
-
-Open the list of identified Identity and Access issues by selecting **Identity & access** from the Security Center sidebar (under **Resources**), or from the overview page. 
-
-Under **Identity & Access**, there are two tabs:
-
-- **Overview**: recommendations identified by Security Center.
-- **Subscriptions**: list of your subscriptions and current security state of each.
-
-[![Identity & Access](./media/security-center-identity-access/identity-dashboard.png)](./media/security-center-identity-access/identity-dashboard.png#lightbox)
-
-### Overview section
-Under **Overview**, there is a list of recommendations. The first column lists the recommendation. The second column shows the total number of subscriptions that are affected by that recommendation. The third column shows the severity of the issue.
 
-1. Select a recommendation. The recommendations window opens and displays:
+All of the identity and access recommendations are available within two security controls in the **Recommendations** page:
 
-   - Description of the recommendation
-   - List of unhealthy and healthy subscriptions
-   - List of resources that are unscanned due to a failed assessment or the resource is under a subscription running on the Free tier and is not assessed
+- Manage access and permissions 
+- Enable MFA
 
-    [![Recommendations window](./media/security-center-identity-access/select-subscription.png)](./media/security-center-identity-access/select-subscription.png#lightbox)
+![The two security controls with the recommendations related to identity and access](media/security-center-identity-access/two-security-controls-for-identity-and-access.png)
 
-1. Select a subscription in the list for additional detail.
 
-### Subscriptions section
-Under **Subscriptions**, there is a list of subscriptions. The first column lists the subscriptions. The second column shows the total number of recommendations for each subscription. The third column shows the severities of the issues.
+## Enable multi-factor authentication (MFA)
 
-[![Subscriptions tab](./media/security-center-identity-access/subscriptions.png)](./media/security-center-identity-access/subscriptions.png#lightbox)
+Enabling MFA requires [Azure Active Directory (AD) tenant permissions](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles). 
 
-1. Select a subscription. A summary view opens with three tabs:
+- If you have a premium edition of AD, enable MFA using using [conditional access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview).
 
-   - **Recommendations**:  based on assessments performed by Security Center that failed.
-   - **Passed assessments**: list of assessments performed by Security Center that passed.
-   - **Unavailable assessments**: list of assessments that failed to run due to an error or because the subscription has more than 600 accounts.
+- Users of AD free edition can enable **security defaults** in Azure Active Directory as described in the [AD documentation](https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) but the Security Center recommendation to enable MFA will still appear.
 
-   Under **Recommendations** is a list of the recommendations for the selected subscription and severity of each recommendation.
-
-   [![Recommendations for select subscription](./media/security-center-identity-access/recommendations.png)](./media/security-center-identity-access/recommendations.png#lightbox)
-
-1. Select a recommendation for a description of the recommendation, a list of unhealthy and healthy subscriptions, and a list of unscanned resources.
-
-   [![Description of recommendation](./media/security-center-identity-access/designate.png)](./media/security-center-identity-access/designate.png#lightbox)
-
-   Under **Passed assessments** is a list of passed assessments.  Severity of these assessments is always green.
-
-   [![Passed assessments](./media/security-center-identity-access/passed-assessments.png)](./media/security-center-identity-access/passed-assessments.png#lightbox)
-
-1. Select a passed assessment from the list for a description of the assessment and a list of healthy subscriptions. There is a tab for unhealthy subscriptions that lists all the subscriptions that failed.
-
-   [![Passed assessments](./media/security-center-identity-access/remove.png)](./media/security-center-identity-access/remove.png#lightbox)
-
-> [!NOTE]
-> If you created a Conditional Access policy that necessitates MFA but has exclusions set, the Security Center MFA recommendation assessment considers the policy non-compliant, because it enables some users to sign in to Azure without MFA.
 
 ## Next steps
 To learn more about recommendations that apply to other Azure resource types, see the following articles:
