☁️ Cloud Security July 28, 2025 · 11 min read

Azure Security Best Practices: A Checklist for Cloud Architects

A comprehensive Azure security checklist for cloud architects — covering identity, network, data protection, monitoring, and governance controls that every Azure deployment should have in place.


Azure is one of the most feature-rich cloud platforms available, and one of the most complex to secure. Its integration with Microsoft 365, Active Directory, and an ecosystem of enterprise services creates a vast attack surface. At the same time, Azure’s native security tooling (Microsoft Defender for Cloud, Sentinel, Entra ID Protection) is among the most capable available from any cloud provider. Our Azure security hardening service and cloud security assessment help organisations identify and remediate the gaps covered in this checklist.

The challenge is that capabilities alone don’t deliver security. Configuration does. This checklist covers the controls that every Azure deployment should have in place, organised by security domain. Use it as a reference for new deployments and a benchmark for existing environments.


Identity and Access Management (Entra ID / Azure AD)

Identity is the primary attack vector in Azure. Compromised credentials — particularly privileged ones — are the root cause of the majority of Azure breaches.

Conditional Access Policies

Conditional Access is Azure’s zero-trust enforcement layer. Every organisation on Azure should have:

Require MFA for all users:

Condition: All users, All cloud apps
Grant: Require MFA

Require MFA for all admins (strongest auth):

Condition: Directory roles (all privileged roles)
Grant: Require authentication strength — Phishing-resistant MFA
(This requires FIDO2 keys or passkeys for admins — not just TOTP)

Block legacy authentication (CRITICAL):

Condition: All users, Client app = Exchange ActiveSync, Other clients (legacy auth protocols)
Grant: Block

Legacy auth protocols (SMTP AUTH, POP, IMAP) don’t support MFA. Attackers specifically target them for credential stuffing. Blocking legacy auth is one of the highest-impact single controls in Azure.

Compliant device required for corporate data access:

Condition: All users, Specific apps (SharePoint, Exchange, etc.)
Grant: Require device to be marked as compliant (Intune)

Sign-in risk policy:

Condition: Sign-in risk >= High
Grant: Require MFA or Block
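Two of the policies above (block legacy authentication; phishing-resistant MFA for admins) expressed as Terraform, added here as an example and not taken from the article. It assumes the hashicorp/azuread provider at a version that supports authentication_strength_policy_id, a hypothetical var.break_glass_group_id input, and uses the built-in "Phishing-resistant MFA" authentication strength (FIDO2 keys, passkeys, certificate-based auth).

```hcl
# Added example; assumes hashicorp/azuread >= 2.50 (authentication_strength_policy_id) and
# var.break_glass_group_id, the object ID of the break-glass group every policy must exclude.
# "Block legacy authentication": exchangeActiveSync and other are the client types that
# cannot perform modern auth, so they can never satisfy an MFA requirement.
resource "azuread_conditional_access_policy" "block_legacy_auth" {
  display_name = "CA - Block legacy authentication"
  state        = "enabledForReportingButNotEnforced" # report-only first; "enabled" after review

  conditions {
    client_app_types = ["exchangeActiveSync", "other"]
    applications {
      included_applications = ["All"]
    }
    users {
      included_users  = ["All"]
      excluded_groups = [var.break_glass_group_id]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}

# "Require MFA for all admins": phishing-resistant authentication strength for privileged
# directory roles, which Conditional Access targets by role template ID.
resource "azuread_conditional_access_policy" "admins_phishing_resistant" {
  display_name = "CA - Phishing-resistant MFA for privileged roles"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["all"]
    applications {
      included_applications = ["All"]
    }
    users {
      # 62e90394-... is Global Administrator; add the other checklist roles by template ID
      # (az rest --method get --url https://graph.microsoft.com/v1.0/directoryRoleTemplates).
      included_roles  = ["62e90394-69f5-4237-9190-012177145e10"]
      excluded_groups = [var.break_glass_group_id]
    }
  }

  grant_controls {
    operator                          = "OR"
    authentication_strength_policy_id = "00000000-0000-0000-0000-000000000004"
  }
}
```

Review the report-only results in the Entra ID sign-in log before switching either policy to "enabled", so that service accounts still on legacy protocols are found and migrated rather than silently broken.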

Privileged Identity Management (PIM)

PIM provides just-in-time privileged access. Nobody should hold persistent Global Administrator or Subscription Owner roles — they should request elevation when needed.

Configure PIM for all privileged roles:

  • Global Administrator
  • Application Administrator
  • Privileged Role Administrator
  • User Access Administrator
  • Subscription Owner/Contributor

PIM settings per role:

  • Activation requirements: MFA required for activation
  • Maximum activation duration: 4–8 hours (not 24)
  • Require justification: Yes — log why access was requested
  • Require approval: Yes for Global Admin (at least one other admin must approve)
  • Notifications: Email the security team on every activation

Service Principals and Managed Identities

  • Never use service principals with client secrets for Azure resource access — use Managed Identities instead. Managed Identities eliminate credential management entirely.
  • All service principals should have documented owners and regular access reviews
  • Client secret expiry: set to 90 days maximum (not multi-year or no expiry)
  • Restrict who can create App Registrations — default allows all users to register apps

Access Reviews

Configure recurring access reviews for:

  • Guest accounts (review quarterly — remove stale guests)
  • Group membership for privileged groups (review monthly)
  • Service principal API permissions (review annually)

Network Security

Virtual Network Architecture

Apply network segmentation:

  • Hub-spoke topology — centralise shared services (firewall, DNS, VPN) in a hub VNet; workloads in spoke VNets
  • Dedicated subnets for: management, application, database, and integration tiers
  • No direct internet access to database subnets — enforce network controls

Azure Firewall / NSG Controls

Network Security Groups (NSGs):

  • Default-deny inbound from internet on all subnets
  • Allow only specific ports and sources required for the workload
  • Use Application Security Groups (ASGs) to avoid IP-based rules that break when IPs change
  • Enable NSG Flow Logs for all NSGs — ship to a Log Analytics workspace

Azure Firewall:

  • Deploy Azure Firewall (or equivalent NVA) in hub VNet for centralised egress filtering
  • Implement Threat Intelligence-based filtering — block known malicious IPs and domains
  • Force-tunnel all internet traffic through Azure Firewall (UDR on all spoke subnets)

Inbound traffic:

  • Use Azure Front Door or Application Gateway with WAF for internet-facing web applications — never expose app servers directly
  • Apply Azure DDoS Protection Standard for production VNets hosting critical workloads
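The NSG guidance above (default-deny inbound, only the required port and source allowed, ASG instead of IP-based rules) as one Terraform definition for an application tier behind Application Gateway. This is an added example, not the article's code; it assumes var.rg_name, var.location, a hypothetical var.appgw_subnet_cidr and an existing spoke subnet azurerm_subnet.app.

```hcl
# Added example; assumes var.rg_name, var.location, var.appgw_subnet_cidr (the Application
# Gateway subnet) and an existing spoke subnet azurerm_subnet.app. The force-tunnel UDR
# from the checklist is a separate route table and is not shown here.
resource "azurerm_application_security_group" "app_servers" {
  name                = "asg-app-servers"
  location            = var.location
  resource_group_name = var.rg_name
}

resource "azurerm_network_security_group" "app" {
  name                = "nsg-app"
  location            = var.location
  resource_group_name = var.rg_name

  # Only the WAF-fronted Application Gateway subnet may reach the app tier, on 443 only.
  # The destination is the ASG (VMs join it via their NICs), so the rule survives IP changes.
  security_rule {
    name                                       = "AllowHttpsFromAppGateway"
    priority                                   = 100
    direction                                  = "Inbound"
    access                                     = "Allow"
    protocol                                   = "Tcp"
    source_port_range                          = "*"
    destination_port_range                     = "443"
    source_address_prefix                      = var.appgw_subnet_cidr
    destination_application_security_group_ids = [azurerm_application_security_group.app_servers.id]
  }

  # Explicit default-deny. Without it the built-in AllowVnetInBound rule (priority 65000)
  # still admits anything inside the VNet. If this tier sits behind a load balancer, add an
  # Allow for the "AzureLoadBalancer" service tag at a lower priority number than this rule.
  security_rule {
    name                       = "DenyAllInbound"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "app" {
  subnet_id                 = azurerm_subnet.app.id
  network_security_group_id = azurerm_network_security_group.app.id
}
```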

Private Endpoints

For any PaaS service (Storage, SQL, Key Vault, Service Bus), use Private Endpoints to keep traffic on the Microsoft backbone:

# Terraform — Private Endpoint for Azure Storage
resource "azurerm_private_endpoint" "storage" {
  name                = "pe-storage-${var.env}"
  location            = var.location
  resource_group_name = var.rg_name
  subnet_id           = azurerm_subnet.private_endpoint.id

  private_service_connection {
    name                           = "psc-storage"
    private_connection_resource_id = azurerm_storage_account.main.id
    is_manual_connection           = false
    subresource_names              = ["blob"]
  }
}

After creating Private Endpoints, disable public network access on the PaaS resource:

  • Storage: "Allow access from: All networks" → Disabled
  • Key Vault: "Allow public access" → Disabled
  • Azure SQL: "Allow public endpoint" → No

Just-in-Time VM Access

Eliminate persistent management port access via Microsoft Defender for Cloud → Just-in-Time VM Access:

  • Blocks SSH (22), RDP (3389), and WinRM (5985/5986) by default
  • Analysts request temporary access, which is time-limited and audited
  • Source IP is locked to the requestor’s IP for the access window

Data Protection

Encryption at Rest

  • All Azure Managed Disks: encrypted by default with Platform-Managed Keys (PMK)
  • For regulated workloads: use Customer-Managed Keys (CMK) stored in Azure Key Vault — you control key rotation and can revoke access
  • Azure Storage: Enable encryption at rest (default) — consider CMK for sensitive data
  • Azure SQL Database: Transparent Data Encryption (TDE) enabled by default — enable CMK for regulatory compliance

Key Vault

Every Azure deployment should use Azure Key Vault for secrets, certificates, and keys:

resource "azurerm_key_vault" "main" {
  name                        = "kv-${var.app_name}-${var.env}"
  location                    = var.location
  resource_group_name         = var.rg_name
  sku_name                    = "standard"
  tenant_id                   = data.azurerm_client_config.current.tenant_id

  # Enable soft delete and purge protection — cannot be disabled after enabling
  soft_delete_retention_days  = 90
  purge_protection_enabled    = true

  # Disable public network access
  public_network_access_enabled = false

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = var.allowed_ips
  }
}

Key Vault access model:

  • Use RBAC (Role-Based Access Control) for Key Vault access — not legacy access policies
  • Application access: Key Vault Secrets User role on the specific secret
  • Developer access to non-production: Key Vault Secrets User via PIM
  • No broad Key Vault Administrator outside of break-glass scenarios
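The access model above in Terraform: a Managed Identity for the application and a Key Vault Secrets User assignment scoped to a single secret rather than the vault. This is an added example, not the article's code; it assumes the azurerm_key_vault.main resource above is created with rbac_authorization_enabled = true (enable_rbac_authorization in provider v3), the var.app_name/var.env inputs used there, and a hypothetical sensitive variable var.db_connection_string.

```hcl
# Added example; assumes azurerm_key_vault.main above has rbac_authorization_enabled = true
# and that the application runs on Azure compute that can carry a user-assigned identity.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-${var.app_name}-${var.env}"
  location            = var.location
  resource_group_name = var.rg_name
}

# The identity running Terraform needs Key Vault Secrets Officer on the vault to write this.
resource "azurerm_key_vault_secret" "db_connection" {
  name         = "db-connection-string"
  value        = var.db_connection_string # sensitive variable, never a literal in source
  key_vault_id = azurerm_key_vault.main.id
}

# Least privilege: read-only Secrets User scoped to this one secret (resource_versionless_id
# is the secret's ARM ID without a version suffix), not to the whole vault.
resource "azurerm_role_assignment" "app_reads_db_secret" {
  scope                = azurerm_key_vault_secret.db_connection.resource_versionless_id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}
```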

Storage Account Security

# Disable shared key access (force Entra ID authentication)
az storage account update \
  --name mystorageaccount \
  --resource-group myrg \
  --allow-shared-key-access false

# Enforce minimum TLS 1.2
az storage account update \
  --name mystorageaccount \
  --resource-group myrg \
  --min-tls-version TLS1_2

# Require HTTPS
az storage account update \
  --name mystorageaccount \
  --resource-group myrg \
  --https-only true

Blob Storage: Prevent Data Loss

Enable Storage Account resource locks to prevent accidental deletion:

az lock create --name "delete-lock" \
  --resource-group myrg \
  --resource-name mystorageaccount \
  --resource-type Microsoft.Storage/storageAccounts \
  --lock-type CanNotDelete

Enable Soft Delete for blobs and containers (recover accidentally deleted data):

  • Blob soft delete: 30-day retention
  • Container soft delete: 30-day retention
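The storage controls from this section (shared key access off, TLS 1.2 minimum, HTTPS only, public access off, delete lock, 30-day soft delete) as one Terraform definition, added here as an example and not taken from the article. It assumes azurerm provider v4 attribute names and the var.rg_name, var.location and var.env inputs used in the article's own snippets.

```hcl
# Added example; assumes azurerm provider v4 names (v3 uses enable_https_traffic_only) and
# the var.rg_name, var.location and var.env inputs used elsewhere on this page.
resource "azurerm_storage_account" "main" {
  name                     = "st${var.env}appdata" # globally unique, 3-24 lowercase alphanumerics
  resource_group_name      = var.rg_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "ZRS"

  # The three az CLI hardening settings above, declared in one place.
  https_traffic_only_enabled = true
  min_tls_version            = "TLS1_2"
  shared_access_key_enabled  = false # Entra ID auth only: account keys and SAS stop working,
                                     # so the provider itself needs storage_use_azuread = true.

  # No anonymous containers and no public endpoint; clients use the Private Endpoint.
  allow_nested_items_to_be_public = false
  public_network_access_enabled   = false
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }

  # Recover from accidental or malicious deletes and overwrites.
  blob_properties {
    versioning_enabled = true
    delete_retention_policy {
      days = 30
    }
    container_delete_retention_policy {
      days = 30
    }
  }
}

# CanNotDelete lock: deleting the account first requires removing the lock, a separate
# Activity-Log-audited operation that needs Owner or User Access Administrator rights.
resource "azurerm_management_lock" "storage_delete_lock" {
  name       = "delete-lock"
  scope      = azurerm_storage_account.main.id
  lock_level = "CanNotDelete"
  notes      = "Remove only via change control"
}
```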

Monitoring and Threat Detection

Diagnostic Settings (Log Everything)

Every Azure resource should have diagnostic settings enabled, sending logs to a central Log Analytics workspace:

# Export the subscription Activity Log (Administrative, Security and Policy categories) to the
# central workspace. This is a subscription-scoped setting: the Activity Log has no metrics, and
# each resource (Key Vault, SQL, Firewall, ...) still needs its own diagnostic setting.
az monitor diagnostic-settings create \
  --name "central-diagnostics" \
  --resource /subscriptions/{subscription-id} \
  --workspace /subscriptions/{subscription-id}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{workspace} \
  --logs '[{"category":"Administrative","enabled":true},{"category":"Security","enabled":true},{"category":"Policy","enabled":true}]'

Key log sources:

  • Entra ID Sign-in and Audit logs — all authentication events, user and group changes
  • Azure Activity Log — subscription-level events (resource creation, deletion, role assignments)
  • NSG Flow Logs — all network traffic metadata
  • Azure Firewall logs — allow/deny decisions, FQDN logs
  • Key Vault audit logs — all access to secrets, keys, certificates
  • SQL Audit logs — all database access and queries
  • App Service / Function logs — application-level events

Microsoft Defender for Cloud

Enable Microsoft Defender for Cloud and the relevant Defender plans for your workloads:

  Plan                       | Protects                      | Monthly cost (approx.)
  Defender for Servers       | VMs and Arc servers           | $15/server
  Defender for Containers    | AKS, Container Registry       | $7/vCore
  Defender for Databases     | SQL, Cosmos DB, PostgreSQL    | Varies
  Defender for App Service   | App Service plans             | $15/instance
  Defender for Key Vault     | Key Vault operations          | $0.02/10k transactions
  Defender for Storage       | Storage accounts              | $10/storage account
  CSPM (Foundational)        | Configuration assessment      | Free
  CSPM (Defender CSPM)       | Attack paths, governance      | $0.007/resource

Target Secure Score: 80%+. Track it weekly and assign score improvement as an OKR.

Microsoft Sentinel

For organisations with logging budget and a need for SIEM/SOAR:

  • Create a Microsoft Sentinel workspace
  • Connect all Azure data sources (Activity Log, Entra ID, Defender for Cloud, Defender XDR)
  • Enable analytics rules — start with Microsoft-provided rules, then add ESCU content
  • Configure playbooks for automated response to high-frequency incidents (disable compromised user, isolate infected VM)

Alerts

Define critical alerts that require immediate response:

// Alert: Global Administrator role assigned
// Global Administrator is an Entra ID directory role, so the assignment is recorded in the
// Entra ID AuditLogs table, not in AzureActivity (which only carries Azure RBAC assignments).
// 62e90394-69f5-4237-9190-012177145e10 is the Global Administrator role template ID.
AuditLogs
| where OperationName == "Add member to role"
| mv-expand Target = TargetResources
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.TemplateId"
| where tostring(Prop.newValue) contains "62e90394-69f5-4237-9190-012177145e10"
| project TimeGenerated,
          Actor    = tostring(InitiatedBy.user.userPrincipalName),
          ActorIp  = tostring(InitiatedBy.user.ipAddress),
          Assignee = tostring(Target.userPrincipalName),
          Result

// Alert: Mass deletion of resources (more than 10 successful deletes by one caller in 5 minutes)
AzureActivity
| where OperationNameValue endswith "/DELETE"
| where ActivityStatusValue == "Succeeded"
| summarize DeletionCount = count() by Caller, bin(TimeGenerated, 5m)
| where DeletionCount > 10

Governance

Azure Policy

Enforce security controls at scale with Azure Policy:

Built-in policies to assign (minimum):

  • Require MFA for subscription owners
  • Audit virtual machines without disaster recovery configured
  • Storage accounts should restrict network access
  • Key vaults should have purge protection enabled
  • Azure SQL Database should have Azure Defender enabled
  • Auditing on SQL server should be enabled
  • Secure transfer to storage accounts should be enabled
  • Network Watcher should be enabled

Create a Security Initiative grouping all security policies — assign it at the Management Group level to cover all subscriptions.

Policy effects: Start with Audit to understand the impact, then switch to Deny for critical controls once compliance is established.

Subscription and Management Group Structure

Recommended hierarchy:

Tenant Root Group
├── Platform (Hub networking, shared services)
├── Landing Zones
│   ├── Production
│   │   ├── Production subscription A
│   │   └── Production subscription B
│   └── Non-production
│       └── Dev/Test subscriptions
├── Sandbox (developer experimentation, no data)
└── Decommissioned

Apply Azure Policy and RBAC at the Management Group level so they cascade automatically to all subscriptions underneath.

Resource Tags

Enforce consistent tagging via Azure Policy; tags are how you track ownership, cost allocation, and security classification. The tag taxonomy the policy should enforce, for example:

{
  "required-tags": ["environment", "owner", "cost-center", "data-classification"],
  "allowed-environments": ["prod", "staging", "dev", "sandbox"],
  "allowed-classifications": ["public", "internal", "confidential", "restricted"]
}
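How the tag taxonomy above and the Audit-then-Deny rollout from the Azure Policy section come together: a custom definition that requires an allowed data-classification tag, assigned once at a management group with the effect as a parameter. This is an added example, not the article's code; it assumes a hypothetical var.management_group_id holding the resource ID of the "Landing Zones" management group from the hierarchy above.

```hcl
# Added example; assumes var.management_group_id holds the resource ID of the "Landing Zones"
# management group (/providers/Microsoft.Management/managementGroups/<name>).
resource "azurerm_policy_definition" "data_classification_tag" {
  name                = "require-data-classification-tag"
  policy_type         = "Custom"
  mode                = "Indexed" # evaluate only resource types that support tags
  display_name        = "Resources must carry an allowed data-classification tag"
  management_group_id = var.management_group_id # definition scope must contain assignment scope

  # The effect is a parameter, so the same definition runs as Audit first and Deny later.
  parameters = jsonencode({
    effect = {
      type          = "String"
      allowedValues = ["Audit", "Deny"]
      defaultValue  = "Audit"
    }
    allowedClassifications = {
      type         = "Array"
      defaultValue = ["public", "internal", "confidential", "restricted"]
    }
  })

  # A missing tag fails the "in" test too, so absent and invalid values are both caught.
  policy_rule = jsonencode({
    "if" = {
      "not" = {
        "field" = "tags['data-classification']"
        "in"    = "[parameters('allowedClassifications')]"
      }
    }
    "then" = {
      "effect" = "[parameters('effect')]"
    }
  })
}

# Assign once at the management group; it cascades to every subscription beneath it.
resource "azurerm_management_group_policy_assignment" "data_classification_tag" {
  name                 = "req-data-class-tag" # MG-scope assignment names are capped at 24 chars
  display_name         = "Require data-classification tag"
  management_group_id  = var.management_group_id
  policy_definition_id = azurerm_policy_definition.data_classification_tag.id

  # Phase 1: Audit, then review the compliance report. Phase 2: change the value to "Deny".
  parameters = jsonencode({
    effect = { value = "Audit" }
  })
}
```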

Quick Reference Checklist

Identity

  • MFA required for all users via Conditional Access
  • Phishing-resistant MFA for all admins
  • Legacy authentication blocked
  • PIM configured for all privileged roles
  • No persistent Global Administrator assignments (beyond break-glass)
  • Managed Identities used instead of service principal client secrets
  • Quarterly guest access reviews scheduled

Network

  • Hub-spoke VNet topology
  • Azure Firewall or NVA for centralised egress
  • NSG Flow Logs enabled on all NSGs
  • Private Endpoints for all PaaS services
  • Public network access disabled on all PaaS post-Private Endpoint
  • Just-in-Time VM access configured
  • DDoS Protection Standard on production VNets

Data

  • Customer-Managed Keys for regulated workloads
  • Key Vault with soft delete, purge protection, and private endpoint
  • Storage accounts: HTTPS only, TLS 1.2+, shared key disabled
  • Blob soft delete enabled

Monitoring

  • Diagnostic settings on all resources → central Log Analytics
  • Entra ID Sign-in and Audit logs connected
  • Microsoft Defender for Cloud enabled
  • Relevant Defender plans active for production workloads
  • Secure Score target set and tracked
  • Critical alerts configured and tested

Governance

  • Management Group hierarchy established
  • Azure Policy initiatives assigned at Management Group level
  • Required tags enforced on all resources
  • Subscription Owner and Contributor access reviewed quarterly

CyberneticsPlus conducts Azure security assessments, implements Defender for Cloud and Sentinel, and helps organisations achieve and maintain their Azure security baseline. Our engineers hold Azure Security Engineer Associate and other advanced certifications. Contact us to assess your Azure security posture.

#Azure #cloud security #Microsoft Azure #IAM #security hardening #cloud architecture #Entra ID
