
Azure Cloud Security: Hardening Your Microsoft Environment

A practical guide to hardening Azure environments — Entra ID, network security, data protection, monitoring with Sentinel, and the top 10 Azure security mistakes to avoid.

Mohamed Ghassen Brahim
May 1, 2026 · 11 min read

Azure's default configuration is not secure enough for production workloads. Out of the box, storage accounts can be publicly accessible, virtual machines get public IPs, and administrative access has no MFA requirement. Hardening Azure requires deliberate configuration at every layer.

This guide covers the security controls that every Azure environment needs, based on hardening environments across regulated industries.

Identity: Entra ID Hardening

Identity is your first and most important security control in Azure. A compromised identity with Global Administrator access owns your entire environment.

Conditional Access Policies (Priority Order)

  1. Require MFA for all users: No exceptions. Block legacy authentication protocols that don't support MFA.
  2. Require compliant devices for sensitive applications: Use Intune device compliance as a Conditional Access condition.
  3. Block access from untrusted locations: Define trusted network locations. Require MFA or block access from unknown locations.
  4. Require MFA for risky sign-ins: Use Entra ID Protection risk-based policies to require step-up authentication for suspicious logins.
  5. Block high-risk users: Automatically block accounts flagged as compromised until remediated.
  6. Session controls: Enforce session timeout for sensitive applications. Use Continuous Access Evaluation (CAE).

Privileged Identity Management (PIM)

Non-negotiable: No standing admin access. All privileged roles are activated just-in-time through PIM.

  • Maximum activation duration: 8 hours (shorter for Global Admin: 2 hours)
  • Require justification for every activation
  • Require approval for Global Admin and Security Admin activations
  • Alert on all PIM activations
  • Review privileged role assignments quarterly

Break-Glass Accounts

Two emergency access accounts that bypass Conditional Access:

  • Cloud-only accounts (not synced from on-premises)
  • Strong, unique passwords stored in a physical safe
  • No MFA (by design — they're for when MFA fails)
  • Excluded from ALL Conditional Access policies
  • Monitored with high-priority alerts for any sign-in activity
  • Tested quarterly to verify they work
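The three identity controls above (MFA for everyone, legacy authentication blocked, break-glass accounts excluded from every policy) are easy to state and easy to drift from. The following audit is an added example, not code from the article: it reads a Conditional Access policy export in the Microsoft Graph `conditionalAccessPolicy` shape (`state`, `conditions.users`, `conditions.applications`, `conditions.clientAppTypes`, `grantControls.builtInControls`) and reports which of those controls are missing. The policies and the two break-glass object IDs are constructed sample data; the second policy is deliberately missing one exclusion and the third is left in report-only mode.

```python
"""Audit an exported set of Entra ID Conditional Access policies.

Added example, not code from the article. It assumes the Microsoft Graph
conditionalAccessPolicy shape (state, conditions.users, conditions.applications,
conditions.clientAppTypes, grantControls.builtInControls). The policies and the
two break-glass object IDs below are constructed sample data.
"""
import json

# Constructed object IDs standing in for the two emergency access accounts.
BREAK_GLASS_IDS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}

SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS_IDS)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        # Misconfigured on purpose: only one break-glass account is excluded.
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["11111111-1111-1111-1111-111111111111"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        # Report-only policies enforce nothing; a common leftover from a pilot.
        "displayName": "Require compliant device for Finance app",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS_IDS)},
            "applications": {"includeApplications": ["finance-app-id-placeholder"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]

LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def load_policies(path):
    """Load a Graph export (the JSON body of GET /identity/conditionalAccess/policies)."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return data.get("value", data) if isinstance(data, dict) else data


def is_enforced(p):
    return p.get("state") == "enabled"


def targets_all_users(p):
    return "All" in p["conditions"]["users"].get("includeUsers", [])


def targets_all_apps(p):
    return "All" in p["conditions"]["applications"].get("includeApplications", [])


def grants(p, control):
    return control in (p.get("grantControls") or {}).get("builtInControls", [])


def blocks_legacy_auth(p):
    """An enforced, tenant-wide Block policy aimed at the legacy client app types."""
    return (is_enforced(p) and targets_all_users(p) and targets_all_apps(p)
            and grants(p, "block")
            and LEGACY_CLIENT_TYPES <= set(p["conditions"].get("clientAppTypes", [])))


def audit(policies):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    enforced = [p for p in policies if is_enforced(p)]

    if not any(targets_all_users(p) and targets_all_apps(p) and grants(p, "mfa") for p in enforced):
        findings.append("No enforced policy requires MFA for all users on all applications")
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append("No enforced policy blocks legacy authentication (exchangeActiveSync/other)")

    # Break-glass accounts must be excluded from every enforced policy, not just most of them.
    for p in enforced:
        excluded = set(p["conditions"]["users"].get("excludeUsers", []))
        missing = sorted(BREAK_GLASS_IDS - excluded)
        if missing:
            findings.append(f"{p['displayName']!r} does not exclude break-glass account(s) {missing}")

    for p in policies:
        if not is_enforced(p):
            findings.append(f"{p['displayName']!r} is in state {p.get('state')!r} and enforces nothing")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES) or ["All checks passed"]:
        print(line)
```

Run it against a real tenant by saving the Graph response to a file and calling `audit(load_policies("policies.json"))`; the sample data produces two findings (the incomplete break-glass exclusion and the report-only policy), and an empty policy set produces the two "nothing enforces this" findings.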

Network Security

Default Architecture

Internet → Azure Front Door (WAF) → Azure Firewall → Application Gateway → Workloads
                                                                              │
                                                                    Private Endpoints
                                                                    (Storage, SQL, Key Vault)

Key Controls

Azure Firewall: Deploy in the hub VNet. All traffic routes through the firewall. Enable TLS inspection for encrypted traffic analysis. Use Azure Firewall Premium for IDPS (Intrusion Detection and Prevention).

Network Security Groups: Apply to every subnet. Default deny inbound. Allow only required traffic from known sources. Log all NSG flow events.

Private Link: Every PaaS service (Storage, SQL, Key Vault, Container Registry, etc.) should use Private Endpoints. Disable public network access on all PaaS services.

Azure Bastion: No public IPs on virtual machines. Access VMs through Azure Bastion only. Enable native client support for RDP/SSH tools.

DDoS Protection: Enable Azure DDoS Protection Standard on VNets with public-facing resources. Enable auto-mitigation with alerting.
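"Default deny inbound, allow only required traffic from known sources" is decided by priority order: the first matching rule wins, and a permissive rule at a low priority number silently shadows every deny behind it. The simulator below is an added example, not code from the article; it assumes the JSON shape `az network nsg show` returns (`securityRules` with `priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix`/`sourceAddressPrefixes`, `destinationPortRange`/`destinationPortRanges`), appends Azure's built-in default inbound rules, and reports which management ports an Internet source can reach. Both rule sets are constructed, and 203.0.113.10 is a documentation address standing in for an external caller.

```python
"""Simulate NSG inbound evaluation and flag Internet-reachable management ports.

Added example, not code from the article. It assumes the JSON shape returned by
`az network nsg show` (securityRules with priority, direction, access, protocol,
sourceAddressPrefix/sourceAddressPrefixes, destinationPortRange/destinationPortRanges).
The two rule sets below are constructed; 203.0.113.10 is a documentation address
used as the external source.
"""
import ipaddress

# Azure's built-in default inbound rules; they sit behind every custom rule.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# The "default NSG" mistake: an allow-all rule that shadows the deny placed after it.
BAD_RULES = [
    {"name": "AllowAnyInbound", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyRdpFromInternet", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
]

# Hardened: only HTTPS from the Internet, SSH only from a (constructed) Bastion subnet.
GOOD_RULES = [
    {"name": "AllowHttpsFromInternet", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "AllowSshFromBastion", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["10.0.1.0/24"], "destinationPortRanges": ["22"]},
]


def _sources(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def _ports(rule):
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]


def source_matches(prefix, src_ip):
    """True if a rule source prefix covers src_ip. Service tags other than Internet are
    treated as not matching, because this simulator models callers outside the VNet."""
    if prefix in ("*", "Internet"):
        return True
    if prefix[0].isalpha():  # VirtualNetwork, AzureLoadBalancer and other service tags
        return False
    try:
        return src_ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False


def port_matches(spec, port):
    """spec is '*', a single port, or a 'low-high' range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def effective_inbound(rules, src_ip, port, protocol="Tcp"):
    """Walk custom + default rules in priority order; return (access, rule name) of the first match."""
    src = ipaddress.ip_address(src_ip)
    ordered = sorted((r for r in rules + DEFAULT_INBOUND if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for rule in ordered:
        if rule["protocol"].lower() not in ("*", protocol.lower()):
            continue
        if not any(source_matches(p, src) for p in _sources(rule)):
            continue
        if not any(port_matches(p, port) for p in _ports(rule)):
            continue
        return rule["access"], rule["name"]
    return "Deny", "implicit"


def internet_exposed_ports(rules, ports=(22, 3389), src_ip="203.0.113.10"):
    """Management ports an Internet source can reach, with the rule responsible."""
    exposed = []
    for port in ports:
        access, name = effective_inbound(rules, src_ip, port)
        if access == "Allow":
            exposed.append((port, name))
    return exposed


if __name__ == "__main__":
    print("bad NSG :", internet_exposed_ports(BAD_RULES))
    print("good NSG:", internet_exposed_ports(GOOD_RULES))
```

With the permissive set, both 22 and 3389 are reported as reachable through `AllowAnyInbound`, and the deny at priority 110 never gets a chance to apply. With the hardened set the same probe falls through to `DenyAllInBound`, while a source inside the Bastion subnet still reaches SSH, which is the Bastion-only access pattern the section prescribes.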

Data Protection

Encryption at Rest

All Azure services encrypt data at rest by default using Microsoft-managed keys. For sensitive workloads, upgrade to:

  • Customer-managed keys (CMK): Keys stored in Azure Key Vault, managed by you. Required for many compliance frameworks.
  • Double encryption: Some services support infrastructure-level + service-level encryption (double encryption).

Key Vault Best Practices

  • Soft delete and purge protection enabled: Prevent accidental or malicious key deletion
  • Access via RBAC, not access policies: RBAC provides finer-grained control
  • No secrets in code or configuration: All secrets, certificates, and keys in Key Vault
  • Managed identities for access: Applications authenticate to Key Vault using managed identities (no stored credentials)
  • Key rotation: Automated rotation for keys and secrets on defined schedules
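The Key Vault settings listed above, together with the storage-account exposure settings from the Private Link section (public network access, anonymous blob access), are all visible in the resource JSON, so they can be checked mechanically. The audit below is an added example, not code from the article; it assumes the field names returned by `az storage account show` (`allowBlobPublicAccess`, `publicNetworkAccess`, `minimumTlsVersion`, `networkRuleSet.defaultAction`) and `az keyvault show` (`properties.enableSoftDelete`, `enablePurgeProtection`, `enableRbacAuthorization`, `publicNetworkAccess`). All resources are constructed sample data: one hardened and one misconfigured of each kind.

```python
"""Posture check for storage accounts and key vaults against the data-protection controls.

Added example, not code from the article. It assumes the JSON shapes returned by
`az storage account show` (allowBlobPublicAccess, publicNetworkAccess, minimumTlsVersion,
networkRuleSet.defaultAction) and `az keyvault show` (properties.enableSoftDelete,
enablePurgeProtection, enableRbacAuthorization, publicNetworkAccess). All resources
below are constructed sample data.
"""

SAMPLE_STORAGE = [
    {"name": "stprodlogs", "allowBlobPublicAccess": False, "publicNetworkAccess": "Disabled",
     "minimumTlsVersion": "TLS1_2", "networkRuleSet": {"defaultAction": "Deny"}},
    {"name": "stlegacyshare", "allowBlobPublicAccess": True, "publicNetworkAccess": "Enabled",
     "minimumTlsVersion": "TLS1_0", "networkRuleSet": {"defaultAction": "Allow"}},
]

SAMPLE_VAULTS = [
    {"name": "kv-prod", "properties": {"enableSoftDelete": True, "enablePurgeProtection": True,
                                       "enableRbacAuthorization": True, "publicNetworkAccess": "Disabled"}},
    # enablePurgeProtection is returned as null when it was never switched on.
    {"name": "kv-dev", "properties": {"enableSoftDelete": True, "enablePurgeProtection": None,
                                      "enableRbacAuthorization": False, "publicNetworkAccess": "Disabled"}},
]

# Each check: (setting, predicate that is True when compliant, message when it is not).
STORAGE_CHECKS = [
    ("allowBlobPublicAccess", lambda sa: sa.get("allowBlobPublicAccess") is False,
     "anonymous blob access is enabled"),
    ("publicNetworkAccess", lambda sa: sa.get("publicNetworkAccess") == "Disabled",
     "reachable from the public internet; use a Private Endpoint and disable public access"),
    ("minimumTlsVersion", lambda sa: sa.get("minimumTlsVersion") == "TLS1_2",
     "minimum TLS version is below 1.2"),
    ("networkRuleSet.defaultAction",
     lambda sa: (sa.get("networkRuleSet") or {}).get("defaultAction") == "Deny",
     "storage firewall default action is Allow"),
]

KEYVAULT_CHECKS = [
    ("enableSoftDelete", lambda kv: kv["properties"].get("enableSoftDelete") is True,
     "soft delete is off"),
    ("enablePurgeProtection", lambda kv: kv["properties"].get("enablePurgeProtection") is True,
     "purge protection is off; soft-deleted keys can still be purged permanently"),
    ("enableRbacAuthorization", lambda kv: kv["properties"].get("enableRbacAuthorization") is True,
     "uses legacy access policies instead of RBAC"),
    ("publicNetworkAccess", lambda kv: kv["properties"].get("publicNetworkAccess") == "Disabled",
     "reachable from the public internet"),
]


def run_checks(resource, checks):
    """Return the (setting, message) pairs that fail for one resource."""
    return [(setting, msg) for setting, ok, msg in checks if not ok(resource)]


def audit_all(storage_accounts, key_vaults):
    """Map resource name -> list of failed checks, for every storage account and key vault."""
    results = {}
    for sa in storage_accounts:
        results[sa["name"]] = run_checks(sa, STORAGE_CHECKS)
    for kv in key_vaults:
        results[kv["name"]] = run_checks(kv, KEYVAULT_CHECKS)
    return results


def noncompliant(results):
    """Names of resources with at least one failed check, most failures first."""
    ranked = sorted(results.items(), key=lambda item: -len(item[1]))
    return [name for name, fails in ranked if fails]


if __name__ == "__main__":
    report = audit_all(SAMPLE_STORAGE, SAMPLE_VAULTS)
    for name in noncompliant(report):
        for setting, msg in report[name]:
            print(f"{name}: {setting}: {msg}")
```

Feed it the output of `az storage account list` and `az keyvault show` per vault and the misconfigured resources surface with the specific setting to change; the sample data ranks `stlegacyshare` (four failures) ahead of `kv-dev` (two) and reports nothing for the hardened pair.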

Data Classification with Microsoft Purview

  • Auto-classify sensitive data across Azure storage, SQL databases, and file shares
  • Apply sensitivity labels that enforce protection (encryption, access restrictions)
  • Track data lineage and access patterns
  • DLP policies to prevent sensitive data leakage

Compute Security

Microsoft Defender for Cloud

Enable all Defender plans:

  • Defender for Servers (vulnerability assessment, endpoint detection)
  • Defender for Containers (image scanning, runtime protection)
  • Defender for App Service (web app protection)
  • Defender for Storage (malware scanning, threat detection)
  • Defender for SQL (injection detection, anomalous access)
  • Defender for Key Vault (anomalous access patterns)

Secure Score

Defender for Cloud's Secure Score provides a numerical rating of your security posture. Target: above 80%.

Prioritise recommendations by:

  1. Quick fixes (can be resolved in minutes)
  2. High-impact (most points gained per recommendation)
  3. Critical workload relevance

Monitoring: Microsoft Sentinel

Sentinel is Azure's cloud-native SIEM (Security Information and Event Management).

Data Connectors (Enable These)

  • Azure Activity Logs (all subscriptions)
  • Entra ID sign-in and audit logs
  • Microsoft 365 audit logs
  • Azure Firewall logs
  • NSG flow logs
  • Defender for Cloud alerts
  • Azure Key Vault diagnostics

Analytics Rules

Start with Microsoft's built-in analytics rules, then customise:

  • Identity threats: Brute force, impossible travel, anomalous sign-in
  • Privilege escalation: PIM activation anomalies, new Global Admin
  • Data exfiltration: Unusual download volume, storage account access from new IP
  • Network threats: Communication with known malicious IPs, lateral movement
  • Resource abuse: Crypto mining indicators, unusual compute deployment
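To make the identity-threat row concrete, and to show what the "high-priority alert on any break-glass sign-in" from the identity section looks like as detection logic, the code below is an added example, not code from the article. In Sentinel each of these would be a KQL analytics rule over `SigninLogs`; here the same logic runs in Python over constructed rows that mirror the columns used (`TimeGenerated`, `UserPrincipalName`, `IPAddress`, `ResultType` where "0" means success, `LocationDetails.geoCoordinates`). The break-glass UPN, thresholds and all sign-in records are constructed.

```python
"""Brute-force, impossible-travel and break-glass sign-in detections over constructed records.

Added example, not code from the article. In Sentinel these would be KQL analytics
rules over SigninLogs; the rows below mirror the columns used (TimeGenerated,
UserPrincipalName, IPAddress, ResultType where "0" is success,
LocationDetails.geoCoordinates). The break-glass UPN and all data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

BREAK_GLASS_UPNS = {"breakglass-01@example.onmicrosoft.com"}  # placeholder UPN


def ev(ts, user, ip, result, lat, lon):
    """Build one constructed sign-in row; ResultType "0" is success, anything else a failure."""
    return {"TimeGenerated": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "UserPrincipalName": user, "IPAddress": ip, "ResultType": result,
            "LocationDetails": {"geoCoordinates": {"latitude": lat, "longitude": lon}}}


PARIS, LONDON, TOKYO = (48.86, 2.35), (51.51, -0.13), (35.68, 139.69)
SAMPLE_SIGNINS = (
    # alice: five wrong passwords from one IP, then a success from the same IP
    [ev(f"2026-05-01T09:0{i}:00Z", "alice@example.com", "198.51.100.7", "50126", *PARIS) for i in range(5)]
    + [ev("2026-05-01T09:05:30Z", "alice@example.com", "198.51.100.7", "0", *PARIS)]
    # bob: Paris, then Tokyo thirty minutes later
    + [ev("2026-05-01T10:00:00Z", "bob@example.com", "203.0.113.5", "0", *PARIS),
       ev("2026-05-01T10:30:00Z", "bob@example.com", "203.0.113.99", "0", *TOKYO)]
    # carol: Paris, then London three hours later (plausible travel)
    + [ev("2026-05-01T08:00:00Z", "carol@example.com", "203.0.113.20", "0", *PARIS),
       ev("2026-05-01T11:00:00Z", "carol@example.com", "203.0.113.21", "0", *LONDON)]
    # an emergency access account is used
    + [ev("2026-05-01T12:00:00Z", "breakglass-01@example.onmicrosoft.com", "203.0.113.50", "0", *LONDON)]
)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """A success preceded by >= threshold failures from the same user/IP inside the window."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeGenerated"]):
        key = (e["UserPrincipalName"], e["IPAddress"])
        if e["ResultType"] == "0":
            recent = [f for f in failures[key] if e["TimeGenerated"] - f["TimeGenerated"] <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force", "user": key[0], "ip": key[1], "failures": len(recent)})
        else:
            failures[key].append(e)
    return alerts


def _km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def detect_impossible_travel(events, max_kmh=900):
    """Consecutive successful sign-ins by one user whose implied speed exceeds max_kmh."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda e: e["TimeGenerated"]):
        if e["ResultType"] != "0":
            continue
        user = e["UserPrincipalName"]
        geo = e["LocationDetails"]["geoCoordinates"]
        here = (geo["latitude"], geo["longitude"])
        if user in last:
            prev_time, prev_loc = last[user]
            hours = (e["TimeGenerated"] - prev_time).total_seconds() / 3600
            dist = _km(prev_loc, here)
            if hours > 0 and dist / hours > max_kmh:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "km": round(dist), "hours": round(hours, 2)})
        last[user] = (e["TimeGenerated"], here)
    return alerts


def detect_break_glass_use(events):
    """Any sign-in attempt by an emergency access account is an alert, successful or not."""
    return [{"rule": "break_glass_signin", "user": e["UserPrincipalName"], "ip": e["IPAddress"]}
            for e in events if e["UserPrincipalName"] in BREAK_GLASS_UPNS]


def run_all(events):
    return detect_brute_force(events) + detect_impossible_travel(events) + detect_break_glass_use(events)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_SIGNINS):
        print(alert)
```

The sample produces exactly three alerts: alice's password spray followed by success, bob's Paris-to-Tokyo jump at roughly 19,000 km/h, and the break-glass sign-in; carol's Paris-to-London trip stays under the speed threshold and is not flagged. Tune `threshold`, `window` and `max_kmh` to your tenant's baseline before promoting the logic to an analytics rule.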

Top 10 Azure Security Mistakes

  1. No MFA for administrators. The #1 most common and most devastating mistake.
  2. Public storage accounts. Storage accounts with anonymous blob access enabled.
  3. Standing admin access. Global Administrators who are always active, not using PIM.
  4. No private endpoints. PaaS services accessible over the public internet.
  5. Default NSGs. Network security groups with allow-all rules.
  6. No logging. Diagnostic settings not enabled, no central log collection.
  7. Shared service accounts. Multiple people using the same account credentials.
  8. Secrets in code. Connection strings, API keys, and passwords committed to repositories.
  9. No backup testing. Backups exist but have never been restored to verify they work.
  10. Ignoring Secure Score. Defender recommendations sitting unaddressed for months.

Azure security hardening is not a one-time project — it's an ongoing practice. If you need help securing your Azure environment, let's talk.
