Azure Security Fundamentals


Azure operates under a shared responsibility model: Microsoft secures the cloud infrastructure, and you secure everything you build on it. Security starts at identity and access management through Microsoft Entra ID (formerly Azure AD) with role-based access control (RBAC) enforcing least privilege. Configure network security groups restrictively, harden virtual machines through patching, secure storage accounts with private access by default, encrypt data, and use Defender for Cloud and Azure Policy for visibility and compliance enforcement.

Identity and Access Management: The Foundation Everything Rests On

Azure security begins with identity. Every user, application, and service has an identity with attached permissions managed through Microsoft Entra ID (formerly Azure Active Directory) and role-based access control (RBAC). The critical principle is least privilege: every identity gets minimum permissions needed for their job, nothing more.

RBAC works by assigning a role to a security principal (a user, group, service principal, or managed identity) at a scope: a management group, a subscription, a resource group, or a single resource. The role is a bundle of permitted actions, and the assignment is inherited by everything beneath that scope. Virtual Machine Contributor can create and manage virtual machines but cannot change who has access; Reader can view resources but cannot modify anything; custom roles cover needs the built-in roles do not. In practice, many organizations make everyone with administrative responsibility an Owner at subscription scope, the highest permission level, which includes the right to assign roles to others. This creates a massive gap: if any Owner account is compromised, the attacker has full control of everything in that subscription and can grant further access to keep it.

Assign Owner sparingly and deliberately. Use Contributor for people who manage resources, Reader for people who only need visibility, and custom roles for narrower permission sets. Keep the set of subscription Owners small and named, and do not use those accounts for day-to-day work; where Microsoft Entra ID Privileged Identity Management is available, make Owner an eligible role that is activated just in time rather than a standing assignment. Assign roles to groups rather than to individual users, so that a change of job is a group membership change and takes effect immediately. When someone leaves, disable their identity in Entra ID; that blocks new sign-ins across every role assignment tied to it at once.
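As an added example (not code from the original article), the following Python script audits the JSON that `az role assignment list --all -o json` produces and flags the pattern described above: privileged roles held at subscription or management-group scope, and automation identities holding Owner. The field names (principalName, principalType, roleDefinitionName, scope) follow the Azure CLI output; the assignments embedded in the script are constructed sample data, not taken from a real tenant.

```python
"""Audit Azure RBAC assignments for over-broad privilege.

Added example. Input format assumed to match `az role assignment list --all -o json`;
the assignments below are constructed sample data, not a real tenant's.
Run on real data:  az role assignment list --all -o json > assignments.json
                   python rbac_audit.py assignments.json
"""
import json
import sys

# Roles that can change who has access; holding one at broad scope is the "everyone is Owner" problem.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator", "Role Based Access Control Administrator"}

# Constructed sample (a subset of the fields az emits).
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "carol@contoso.example", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-web"},
  {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-web"},
  {"principalName": "dave@contoso.example", "principalType": "User",
   "roleDefinitionName": "User Access Administrator",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
  {"principalName": "sec-auditors", "principalType": "Group",
   "roleDefinitionName": "Reader", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"}
]""")


def scope_level(scope):
    """Classify an RBAC scope string: managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in scope.lower().split("/") if p]
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "managementGroup"
    if parts[:1] == ["subscriptions"] and len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resourceGroup"
    return "resource"


def audit(assignments):
    """Return a list of findings, highest severity first."""
    findings = []
    for a in assignments:
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role in PRIVILEGED_ROLES and level in ("managementGroup", "subscription"):
            findings.append({"severity": "high", "principal": a["principalName"], "role": role,
                             "scope": a["scope"],
                             "reason": f"{role} at {level} scope: one compromised account controls everything below"})
        elif role == "Owner" and a["principalType"] == "ServicePrincipal":
            findings.append({"severity": "medium", "principal": a["principalName"], "role": role,
                             "scope": a["scope"],
                             "reason": "automation identity holds Owner; Contributor is usually enough to deploy"})
    findings.sort(key=lambda f: 0 if f["severity"] == "high" else 1)  # stable sort keeps input order within a tier
    return findings


def privileged_principals(assignments):
    """Names of principals holding a privileged role at subscription or management-group scope."""
    return sorted({f["principal"] for f in audit(assignments) if f["severity"] == "high"})


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ASSIGNMENTS
    for f in audit(data):
        print(f"[{f['severity']}] {f['principal']} has {f['role']} on {f['scope']}: {f['reason']}")
```

Contributor at resource-group scope (carol) and Reader at subscription scope (the auditors group) produce no finding; the script is deliberately narrow so that what it reports is worth a ticket.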

Network Security: Controlling What Gets In and Out

Azure virtual networks give your resources a private address space that other tenants cannot reach, but isolation inside that space is not automatic: the default network security group rules allow all traffic between resources in the same virtual network and all outbound traffic to the internet, and deny unsolicited inbound traffic from the internet. Network security groups control traffic flow with prioritized inbound and outbound rules, evaluated lowest priority number first, with the first match deciding the outcome. The guiding principle is zero trust: treat nothing as trusted by default and require an explicit allow rule for every flow you need.

A web server needs an inbound rule allowing HTTP and HTTPS from the internet; that traffic is the reason the server exists. SSH or RDP should be allowed only from your office address range, or not exposed at all: Azure Bastion provides SSH and RDP sessions without a public management port on the VM. Allowing SSH from any source means every internet scanner can attempt to break in. Start restrictive, allow only what you know is needed, and add exceptions as required. Document why each exception exists and review the rules regularly. Network security groups can be attached at the subnet level and at the network interface level, and both are evaluated, so use subnet-level groups for baseline rules and interface-level groups for per-host exceptions as defense in depth. (Azure has no separate network ACL construct as some other clouds do; subnet-scoped NSGs fill that role, and Azure Firewall adds centralized filtering when you need it.)
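Because NSG rules are evaluated by priority and the first match wins, a permissive catch-all rule with a high priority number can silently undo a careful allow list above it. The following added Python example (not from the original article) reproduces that evaluation over the JSON that `az network nsg show -n <name> -g <rg> -o json` returns and asks the question a reviewer cares about: can an arbitrary internet host reach port 22 or 3389? Field names follow the Azure CLI output (securityRules, defaultSecurityRules, priority, direction, access, protocol, sourceAddressPrefix/sourceAddressPrefixes, destinationPortRange/destinationPortRanges); the NSG embedded below is constructed.

```python
"""Effective-rule check for an Azure network security group.

Added example. Input assumed to match `az network nsg show ... -o json`;
the NSG below is constructed sample data. Evaluation mirrors NSG semantics:
custom and default rules are tried in ascending priority and the first match decides.
"""
import json

# Source prefixes that mean "any address on the internet".
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}


def _rule(name, prio, access, proto, src, ports):
    # Helper only for building the constructed sample in az's JSON shape.
    return {"name": name, "priority": prio, "direction": "Inbound", "access": access,
            "protocol": proto, "sourceAddressPrefix": src, "sourceAddressPrefixes": [],
            "destinationPortRange": ports if isinstance(ports, str) else None,
            "destinationPortRanges": ports if isinstance(ports, list) else []}


SAMPLE_NSG = {
    "name": "nsg-web",
    "securityRules": [
        _rule("allow-web", 100, "Allow", "Tcp", "Internet", ["80", "443"]),
        _rule("allow-ssh-office", 200, "Allow", "Tcp", "203.0.113.0/24", "22"),
        _rule("deny-rdp", 250, "Deny", "Tcp", "*", "3389"),
        # The mistake: a "temporary" management rule that opens a port range to everyone.
        _rule("allow-mgmt-any", 300, "Allow", "*", "*", "20-3389"),
    ],
    "defaultSecurityRules": [  # Azure adds these to every NSG; they cannot be removed.
        _rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
        _rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
        _rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
    ],
}


def _port_ranges(rule):
    """Normalize destinationPortRange / destinationPortRanges into (lo, hi) tuples."""
    raw = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    out = []
    for r in raw:
        if not r:
            continue
        if r == "*":
            out.append((0, 65535))
        elif "-" in r:
            lo, hi = r.split("-", 1)
            out.append((int(lo), int(hi)))
        else:
            out.append((int(r), int(r)))
    return out


def _sources(rule):
    return [s.lower() for s in (rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]) if s]


def matches(rule, port, proto):
    """Does this rule apply to an inbound probe on port/proto from an arbitrary internet address?
    Rules scoped to a specific source (an office range, VirtualNetwork) neither allow nor block such a probe."""
    if rule["direction"].lower() != "inbound":
        return False
    if rule["protocol"].lower() not in ("*", proto.lower()):
        return False
    if not any(s in INTERNET_SOURCES for s in _sources(rule)):
        return False
    return any(lo <= port <= hi for lo, hi in _port_ranges(rule))


def effective_decision(nsg, port, proto="Tcp"):
    """Return (access, rule name) of the first matching rule by priority, as the NSG engine would."""
    rules = sorted(nsg["securityRules"] + nsg["defaultSecurityRules"], key=lambda r: r["priority"])
    for r in rules:
        if matches(r, port, proto):
            return r["access"], r["name"]
    return "Deny", "(implicit)"  # not reached in practice: DenyAllInBound always matches


def exposed_management_ports(nsg, ports=(22, 3389)):
    """Map of management ports reachable from the internet to the rule that opens them."""
    exposed = {}
    for p in ports:
        access, name = effective_decision(nsg, p)
        if access.lower() == "allow":
            exposed[p] = name
    return exposed


if __name__ == "__main__":
    for port in (22, 443, 3389, 8080):
        print(port, effective_decision(SAMPLE_NSG, port))
    print("exposed:", exposed_management_ports(SAMPLE_NSG))
```

In the sample, the office-only SSH rule at priority 200 looks correct in isolation, yet port 22 is open to the world through the catch-all at priority 300; RDP survives only because an explicit deny at 250 sits above it. Running this over every NSG in a subscription is a cheap way to find the rules Defender for Cloud will later complain about.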

Virtual Machine Security: Responsibility Starts Here

Virtual machine security from the guest operating system upward is your responsibility: patching, backups, monitoring, and hardening are all on you. Azure provides tools, but they require configuration. Azure Update Manager (the successor to Automation Update Management) assesses and deploys patches on a maintenance schedule once you enable it on each machine. Azure Machine Configuration (formerly Guest Configuration, the successor to Automation State Configuration and its PowerShell DSC model) lets you define how a server should be configured and audit or enforce that state continuously.

Many organizations deploy virtual machines without configuring automatic patching, and months later those VMs run operating systems with known, remotely exploitable vulnerabilities. Beyond patching, hardening means removing unnecessary services and listening ports, since every running service is attack surface. Protect data at rest on the VM as well: managed disks are always encrypted server-side with platform-managed keys, so the decision you actually make is whether to add customer-managed keys, enable encryption at host, or use Azure Disk Encryption (BitLocker on Windows, dm-crypt on Linux) so the volumes are protected inside the guest and not only at the storage layer.

Storage Account Security: Controlling Access and Encryption

Azure Storage accounts hold your data as blobs, files, queues, and tables. Use Microsoft Entra ID identities for access control through data-plane RBAC roles such as Storage Blob Data Reader and Storage Blob Data Contributor, not the two storage account keys, which grant full access to everything in the account and never expire on their own. Use managed identities for applications running in Azure. Never embed credentials directly in application code or configuration; once a key has been committed to a repository it must be treated as compromised and rotated.

Microsoft-managed encryption is the default: every storage account is encrypted at rest and Microsoft operates the keys. Customer-managed keys in Azure Key Vault give you control over key rotation and revocation, which some compliance regimes require; note that Azure Storage still uses the key on your behalf while it is accessible, so what you gain is control and an off switch, not a hard barrier. For most organizations Microsoft-managed encryption is appropriate. A far more common security gap is anonymous access to blob storage. Someone creates a container for a temporary data transfer, sets its access level to Blob or Container, forgets about it, and sensitive data is exposed to anyone with the URL. Anonymous access should be the exception, not the default: set the account-level allowBlobPublicAccess property to false, which overrides any container-level setting, and restrict network access with private endpoints or a network default action of Deny.
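To turn the storage guidance above into a repeatable check, here is an added Python example (not from the original article) that evaluates the JSON from `az storage account list -o json` against the settings discussed: anonymous blob access, shared-key authentication, HTTPS enforcement, minimum TLS version, and the network default action, and reports whether keys are Microsoft- or customer-managed. The property names (allowBlobPublicAccess, allowSharedKeyAccess, enableHttpsTrafficOnly, minimumTlsVersion, networkRuleSet.defaultAction, encryption.keySource) are assumed to match the Azure CLI output; the three accounts embedded below are constructed.

```python
"""Posture check for Azure Storage accounts.

Added example. Input format assumed to match `az storage account list -o json`;
the accounts below are constructed sample data. A missing property is treated as
a failure so the check fails closed instead of assuming a safe default.
"""
import json
import sys

# Constructed sample: a hardened account, a forgotten transfer bucket, and an old account
# whose export lacks some newer properties.
SAMPLE_ACCOUNTS = json.loads("""[
  {"name": "stprodapp01", "allowBlobPublicAccess": false, "allowSharedKeyAccess": false,
   "enableHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2",
   "networkRuleSet": {"defaultAction": "Deny"}, "encryption": {"keySource": "Microsoft.Keyvault"}},
  {"name": "sttmptransfer", "allowBlobPublicAccess": true, "allowSharedKeyAccess": true,
   "enableHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_0",
   "networkRuleSet": {"defaultAction": "Allow"}, "encryption": {"keySource": "Microsoft.Storage"}},
  {"name": "stlegacy", "allowSharedKeyAccess": null,
   "enableHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_2",
   "networkRuleSet": {"defaultAction": "Allow"}, "encryption": {"keySource": "Microsoft.Storage"}}
]""")

# (check id, severity, predicate that returns True when the account passes)
CHECKS = [
    ("anonymous-blob-access-disabled", "high",
     lambda a: a.get("allowBlobPublicAccess") is False),
    ("shared-key-auth-disabled", "medium",
     lambda a: a.get("allowSharedKeyAccess") is False),
    ("https-only", "high",
     lambda a: a.get("enableHttpsTrafficOnly") is True),
    ("min-tls-1.2", "medium",
     lambda a: a.get("minimumTlsVersion") in ("TLS1_2", "TLS1_3")),
    ("network-default-deny", "medium",
     lambda a: (a.get("networkRuleSet") or {}).get("defaultAction") == "Deny"),
]


def failed_checks(account):
    """Return [(check id, severity)] for every check the account does not pass."""
    return [(cid, sev) for cid, sev, passes in CHECKS if not passes(account)]


def key_management(account):
    """'customer-managed' when keys come from Key Vault, otherwise 'microsoft-managed'."""
    source = (account.get("encryption") or {}).get("keySource", "")
    return "customer-managed" if source.lower() == "microsoft.keyvault" else "microsoft-managed"


def report(accounts):
    """Map account name -> {'failed': [...], 'keys': ...}; an empty 'failed' list means compliant."""
    return {a["name"]: {"failed": failed_checks(a), "keys": key_management(a)} for a in accounts}


if __name__ == "__main__":
    accounts = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ACCOUNTS
    for name, result in report(accounts).items():
        status = "OK" if not result["failed"] else ", ".join(f"{c} ({s})" for c, s in result["failed"])
        print(f"{name} [{result['keys']} keys]: {status}")
```

The legacy account illustrates why the predicates test for an explicit safe value rather than the absence of an unsafe one: an export with no allowBlobPublicAccess field tells you nothing, and treating it as a pass is how old accounts stay exposed. Key source is reported but not scored, since customer-managed keys are a compliance choice rather than a misconfiguration.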

Monitoring and Compliance: Visibility and Control

Microsoft Defender for Cloud continuously assesses your Azure resources for security issues, such as unpatched VMs, storage accounts with anonymous access enabled, network security groups exposing management ports, and other misconfiguration, and rolls the results into a secure score. The foundational posture assessment is free; the Defender plans that add threat detection for specific workloads are paid. Defender for Cloud identifies problems but does not fix most of them automatically. You have to act on its recommendations. Prioritize the high-severity, internet-facing findings and work through them systematically.

Azure Policy enforces governance rules automatically. Define policies like "virtual machines must have encryption at host enabled" or "no network security group rule may allow inbound SSH or RDP from the internet" (an NSG already denies unsolicited inbound traffic by default, so the useful rule constrains which allow rules may exist). Each policy has an effect: audit flags non-compliant resources, deny blocks the deployment outright, and deployIfNotExists or modify remediates. Assign policies at management group or subscription scope so they apply to every resource group beneath. Used this way, Azure Policy prevents configurations that violate the rules and catches compliance drift, where resources gradually become misconfigured over time.
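The preventive side of this is a policy definition with a deny effect. The following added Python example (not from the original article, and not the Azure Policy engine) builds the definition for "storage accounts must not allow anonymous blob access" in the JSON shape Azure Policy expects, and includes a small evaluator for the subset of the condition grammar the rule uses (field, equals, notEquals, exists, allOf, anyOf, not) so you can see which sample resources it would deny before assigning it. The alias resolution is a simplification written for this example; the resource objects are constructed.

```python
"""Azure Policy definition (deny anonymous blob access) with a minimal evaluator.

Added example. The definition is ordinary Azure Policy JSON; the evaluator is a teaching
approximation of how the 'if' block is matched, not the service's engine.
Deploy the definition with, for example:
  az policy definition create --name deny-anon-blob --mode Indexed --rules rules.json
  az policy assignment create --policy deny-anon-blob --scope /subscriptions/<id>
"""
import json

POLICY_DEFINITION = {
    "properties": {
        "displayName": "Storage accounts must not allow anonymous blob access",
        "mode": "Indexed",
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                    # Fail closed: a missing property is treated the same as an explicit true.
                    {"anyOf": [
                        {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "exists": "false"},
                        {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "notEquals": "false"},
                    ]},
                ]
            },
            "then": {"effect": "deny"},
        },
    }
}

# Constructed ARM-style resources to evaluate.
SAMPLE_RESOURCES = [
    {"name": "stprodapp01", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"allowBlobPublicAccess": False}},
    {"name": "sttmptransfer", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"allowBlobPublicAccess": True}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts", "properties": {}},
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
     "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}},
]


def rules_json():
    """The policyRule as the JSON document `az policy definition create --rules` expects."""
    return json.dumps(POLICY_DEFINITION["properties"]["policyRule"], indent=2)


def resolve_field(resource, field):
    """Simplified alias resolution: top-level fields by name, '<type>/<path>' under properties."""
    if field in ("name", "type", "location", "kind"):
        return resource.get(field)
    rtype = resource.get("type", "")
    if field.lower().startswith(rtype.lower() + "/"):
        node = resource.get("properties", {})
        for part in field[len(rtype) + 1:].split("/"):
            if not isinstance(node, dict) or part not in node:
                return None  # property absent
            node = node[part]
        return node
    return None


def _norm(value):
    # Azure Policy compares case-insensitively, and booleans are written as strings in definitions.
    return None if value is None else str(value).lower()


def evaluate(condition, resource):
    """Evaluate one condition object from a policyRule 'if' block."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = resolve_field(resource, condition["field"])
    if "exists" in condition:
        return (value is not None) == (_norm(condition["exists"]) == "true")
    if "equals" in condition:
        return _norm(value) == _norm(condition["equals"])
    if "notEquals" in condition:
        return _norm(value) != _norm(condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(policy, resource):
    """The effect the policy would apply, or None when the 'if' block does not match."""
    rule = policy["properties"]["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else None


def denied_names(policy, resources):
    return [r["name"] for r in resources if effect_for(policy, r) == "deny"]


if __name__ == "__main__":
    for r in SAMPLE_RESOURCES:
        print(f"{r['name']}: {effect_for(POLICY_DEFINITION, r) or 'compliant / not in scope'}")
```

The anyOf branch is the part worth copying: a rule that only says notEquals false would depend on how the engine treats an absent property, whereas pairing it with exists false makes the intent explicit. Before assigning with deny, assign the same definition with audit for a cycle so you can see what it would have blocked.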

Cost and Security Trade-Offs

Some security features in Azure cost money: Defender for Cloud workload plans, Azure Firewall, Application Gateway with its web application firewall, Azure Bastion, and Key Vault operations or HSM-backed keys for customer-managed encryption. Managed identities, RBAC, network security groups, Azure Policy, and platform encryption at rest are free, so the basics have no licensing excuse. Where a feature does cost, security should usually win, because a breach costs far more than the tooling. A development environment does not need the same controls as production systems handling customer data, though it should never hold production data or credentials. Tailor your security investment to what you are protecting; proportional security is the right approach.

Resource Management and Organizational Control

The Azure resource hierarchy enables least-privilege access at scale. Management groups sit above subscriptions and group them for inherited policy and access; subscriptions are billing and access boundaries; within subscriptions, resource groups hold the resources that share a lifecycle. Role assignments and policy assignments made at a higher level are inherited by everything beneath, so give each team its own subscription or resource groups and scope its roles there. Azure Policy assigned at a management group applies across all of its subscriptions and resource groups to enforce tagging standards and compliance requirements and to prevent non-compliant resources from being created.

Closing: Security Is Foundational, Not Automatic

Azure provides the platform, but you're responsible for securing what you build on it. Start with identity and access management. Configure network security restrictively. Harden virtual machines. Secure storage accounts and encrypt data. Use Defender for Cloud and Azure Policy for visibility and compliance enforcement. None of these are complicated individually, but implementing them correctly across your Azure environment requires planning and execution. Azure provides the tools, but you have to use them correctly.

Frequently Asked Questions

What is the principle of least privilege in Azure RBAC?

Every identity gets only the minimum permissions needed for their job, nothing more. Avoid making everyone with administrative responsibility a subscription owner. Use contributor roles for resource management, reader roles for visibility, and custom roles for specific permission sets. Regularly review and update permissions as roles change.

Why should I use Azure AD identities instead of access keys?

Microsoft Entra ID identities produce an audit trail of which principal accessed what and when, can be protected with multifactor authentication and Conditional Access, and are disabled in one place when someone leaves. Storage account keys are long-lived shared secrets that grant full access to the whole account, do not expire, and look the same in logs no matter who used them; if one is compromised, access continues until you rotate it. Managed identities are Entra ID identities that Azure provisions and rotates for a resource, so applications authenticate without any credential in code or configuration.

How do I prevent public access to blob storage?

Set the storage account's allowBlobPublicAccess property to false, which disables anonymous access for every container regardless of the container's own access level; newer accounts disable it by default, but older ones may not. Regularly audit storage accounts to verify the setting (it appears in the output of `az storage account list`). Use Azure Policy with a deny effect to enforce it across all storage accounts; the built-in definition "Storage account public access should be disallowed" does this. Document any exceptions, scope them to a single account, and review them regularly.

What's the difference between Azure-managed and customer-managed encryption?

With Microsoft-managed keys, Microsoft generates, stores, and rotates the encryption keys and you do nothing. With customer-managed keys, the key lives in your Azure Key Vault or managed HSM; you control rotation, can revoke the storage service's access to it, and get Key Vault audit logs of key use, which some compliance regimes require. Azure Storage still uses the key to encrypt and decrypt data on your behalf, so the difference is control and revocability rather than an absolute barrier. Most organizations use Microsoft-managed keys.

How should I approach patching virtual machines?

Use Azure Update Manager to assess machines and deploy patches on a maintenance schedule, and enable periodic assessment so missing patches are reported between deployments. Review the assessment results regularly and treat internet-facing VMs as the top priority. Unpatched, publicly reachable virtual machines are a common initial entry point in cloud breaches. Automation is the most reliable approach.

What should I do with Defender for Cloud recommendations?

Defender for Cloud identifies misconfiguration and security gaps but doesn't automatically fix them. Prioritize high-risk findings first and work through them systematically. Track remediation progress and set deadlines for fixing identified issues.