Hi All,
I've been asked to see if there is an MFA option for accessing ARM or an effective privilege management option we could use for accessing ARM. The idea is that we prevent users using their day-to-day accounts to run ARM, as if the account is compromised it could give an attacker the keys to the kingdom.
I'm aware we can enter credentials for actions, though this would mean having known admin credentials and poses the same issue, or have an admin approve all actions, though this may be restrictive for a number of reasons in a limited 24x7 operation.
We currently use CyberArk for other privilege access (such as the AD Users and Computers snap-in and RDP to servers), as this has separate managed accounts linked to an MFA logon where the passwords for the admin accounts are complex, not known to the user and rotated frequently. We're looking at whether we can run ARM via CyberArk but wondered if there is anything built in or in the pipeline to minimise the risk of using ARM?
Thanks
Kip