
Azure Security Best Practices: Securing Your Microsoft Cloud Infrastructure


Microsoft Azure provides enterprise-grade security capabilities, but proper configuration is essential. This guide covers the critical security practices for protecting your Azure infrastructure, from identity management to threat detection.

Azure's Shared Responsibility Model

Microsoft secures the physical infrastructure and platform services, while you're responsible for:

  • Identity and access management: Microsoft Entra ID (formerly Azure AD), RBAC, and authentication
  • Data protection: Encryption, classification, and access controls
  • Network security: NSGs, firewalls, and traffic management
  • Application security: Code, configurations, and runtime protection

1. Identity and Access Management

Azure Active Directory Security

  • Enable Multi-Factor Authentication (MFA) for all users, excluding only documented break-glass accounts
  • Implement Conditional Access policies, rolling each one out in report-only mode before enforcing it
  • Use Privileged Identity Management (PIM) for just-in-time access
  • Enable Identity Protection for risk-based access

Azure CLI has no dedicated Conditional Access command; policies are created through the Microsoft Graph API, which az rest can call with your existing CLI login (the caller needs the Policy.ReadWrite.ConditionalAccess permission):

# Create a Conditional Access policy through Microsoft Graph via Azure CLI.
# 62e90394-... is the Global Administrator role template ID; conditions.applications is mandatory.
az rest --method POST \
    --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies \
    --body '{
        "displayName": "Require MFA for admins",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]},
            "applications": {"includeApplications": ["All"]}
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
    }'
# Switch "state" to "enabled" once the report-only sign-in logs show no unintended lockouts.
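Once policies exist, the useful check is whether they actually close the gaps an assessment looks for: an enforced MFA requirement for Global Administrators, no policy that targets every user without excluding the break-glass group, and no policy left in report-only mode. The lint below is an added example written for this post, not code from the original page or from Microsoft. It runs offline over SAMPLE_POLICIES, constructed data in the shape Microsoft Graph returns from GET /v1.0/identity/conditionalAccess/policies; BREAK_GLASS_GROUP_ID is an assumed placeholder for your tenant's emergency-access group.

```python
"""Lint Conditional Access policies for the gaps an assessment usually finds.

Added example, not code from the original post. SAMPLE_POLICIES is constructed
data in the shape Microsoft Graph returns from
GET /v1.0/identity/conditionalAccess/policies; BREAK_GLASS_GROUP_ID is an
assumed placeholder for the tenant's emergency-access group.
"""

GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator template id
BREAK_GLASS_GROUP_ID = "11111111-2222-3333-4444-555555555555"  # assumed placeholder
REPORT_ONLY = "enabledForReportingButNotEnforced"


def requires_mfa(policy):
    """True if the grant controls demand MFA or an authentication strength."""
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", []) or grant.get("authenticationStrength") is not None


def covers_global_admins(policy):
    """True if the user scope reaches Global Administrators (by role or All users) without excluding them."""
    users = policy.get("conditions", {}).get("users", {})
    included = (GLOBAL_ADMIN_ROLE_ID in users.get("includeRoles", [])
                or "All" in users.get("includeUsers", []))
    excluded = GLOBAL_ADMIN_ROLE_ID in users.get("excludeRoles", [])
    return included and not excluded


def admins_have_enforced_mfa(policies):
    """True if at least one *enabled* (not report-only) policy enforces MFA on Global Administrators."""
    return any(p.get("state") == "enabled" and requires_mfa(p) and covers_global_admins(p)
               for p in policies)


def lint(policies):
    """Return human-readable findings for a list of policies."""
    findings = []
    if not admins_have_enforced_mfa(policies):
        findings.append("no enforced policy requires MFA for Global Administrators")
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        users = p.get("conditions", {}).get("users", {})
        if p.get("state") == REPORT_ONLY:
            findings.append(f"'{name}' is still report-only and enforces nothing")
        if "All" in users.get("includeUsers", []) and BREAK_GLASS_GROUP_ID not in users.get("excludeGroups", []):
            findings.append(f"'{name}' targets all users without excluding the break-glass group")
    return findings


SAMPLE_POLICIES = [  # constructed sample data
    {
        "displayName": "Require MFA for admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE_ID], "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_POLICIES):
        print("FINDING:", finding)
```

Against the sample data the admin MFA check passes, "Block legacy authentication" is flagged for being report-only, and "Require compliant device" is flagged because a device-compliance requirement applied to everyone with no break-glass exclusion can lock the whole tenant out of its own management plane. To run it against a real tenant, replace SAMPLE_POLICIES with the parsed output of `az rest --method GET --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`.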

Implement RBAC Best Practices

Use built-in roles, assign them to groups rather than individual users, and create custom roles only when no built-in role fits:

# Assign a built-in data-plane role at resource group scope (prefer a group as the assignee)
az role assignment create \
    --assignee user@company.com \
    --role "Storage Blob Data Reader" \
    --scope /subscriptions/SUB_ID/resourceGroups/my-rg

# Create a custom role with minimal permissions (read is included so operators can see the VMs they manage)
az role definition create --role-definition '{
    "Name": "VM Operator",
    "Description": "Can view, start, restart and deallocate VMs only",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action"
    ],
    "AssignableScopes": ["/subscriptions/SUB_ID"]
}'
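Creating tight roles is only half of least privilege; the other half is finding the assignments that quietly undo it: Owner or Contributor granted at subscription or management-group scope, privileged roles bound directly to users instead of PIM-eligible groups, and service principals that hold Owner. The audit below is an added example written for this post, not code from the original page. It runs offline over SAMPLE_ASSIGNMENTS, constructed records using the fields that `az role assignment list --all -o json` returns (principalName, principalType, roleDefinitionName, scope); the subscription ID is a placeholder. It also checks a custom role definition, in the JSON shape used above, for wildcard actions.

```python
"""Audit Azure RBAC assignments for the patterns that defeat least privilege.

Added example, not code from the original post. SAMPLE_ASSIGNMENTS is
constructed data using the fields `az role assignment list --all -o json`
returns (principalName, principalType, roleDefinitionName, scope); SUB is a
placeholder subscription scope.
"""
import re

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Tenant root, a management group, or a whole subscription.
BROAD_SCOPE = re.compile(
    r"^(/|/providers/Microsoft\.Management/managementGroups/[^/]+|/subscriptions/[^/]+)$",
    re.IGNORECASE,
)


def scope_level(scope):
    """Classify a scope string as 'broad', 'resourceGroup' or 'resource'."""
    if BROAD_SCOPE.match(scope):
        return "broad"
    lowered = scope.lower()
    if "/resourcegroups/" in lowered and "/providers/" not in lowered:
        return "resourceGroup"
    return "resource"


def audit_assignments(assignments):
    """Return (severity, message) findings for over-broad or fragile assignments."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        who = f"{a['principalType']} {a['principalName']}"
        if role in PRIVILEGED_ROLES and scope_level(scope) == "broad":
            findings.append(("HIGH", f"{who} holds {role} at {scope}"))
        if role in PRIVILEGED_ROLES and a["principalType"] == "User":
            findings.append(("MEDIUM", f"{who} holds {role} directly; use a PIM-eligible group instead"))
        if role == "Owner" and a["principalType"] == "ServicePrincipal":
            findings.append(("HIGH", f"{who} is Owner; automation almost never needs to manage access"))
    return findings


def wildcard_actions(role_definition):
    """Actions in a custom role definition (the JSON passed to `az role definition create`) that use wildcards."""
    return [action for action in role_definition.get("Actions", []) if "*" in action]


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
SAMPLE_ASSIGNMENTS = [  # constructed sample data
    {"principalName": "alice@company.com", "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "sec-admins", "principalType": "Group", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "ci-deploy", "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/app-rg"},
    {"principalName": "bob@company.com", "principalType": "User", "roleDefinitionName": "Storage Blob Data Reader",
     "scope": f"{SUB}/resourceGroups/my-rg"},
    {"principalName": "legacy-app", "principalType": "ServicePrincipal", "roleDefinitionName": "Owner",
     "scope": f"{SUB}/resourceGroups/old-rg"},
]

if __name__ == "__main__":
    for severity, message in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"[{severity}] {message}")
    print("wildcards:", wildcard_actions({"Actions": ["Microsoft.Compute/*"]}))
```

On the sample data this yields four findings: two for alice (Owner at subscription scope, and held directly as a user), one for the sec-admins group holding Contributor on the whole subscription, and one for the legacy-app service principal that is Owner of a resource group. The ci-deploy principal and bob's data-plane reader role are left alone, which is the point: scope and principal type matter as much as the role name.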

Managed Identities

Use managed identities instead of service principals with secrets; there is no credential to rotate, store or leak:

# Enable system-assigned managed identity on a VM
az vm identity assign \
    --name my-vm \
    --resource-group my-rg

# Grant the managed identity read access to secrets. set-policy applies to vaults using the
# access-policy permission model; for a vault created with --enable-rbac-authorization,
# assign the "Key Vault Secrets User" role at the vault scope instead.
PRINCIPAL_ID=$(az vm show --name my-vm --resource-group my-rg --query identity.principalId -o tsv)
az keyvault set-policy \
    --name my-keyvault \
    --object-id "$PRINCIPAL_ID" \
    --secret-permissions get list

# RBAC-model equivalent
az role assignment create \
    --assignee-object-id "$PRINCIPAL_ID" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" \
    --scope $(az keyvault show --name my-keyvault --query id -o tsv)

2. Network Security

Virtual Network Design

  • Implement hub-and-spoke topology for enterprise networks
  • Use Azure Firewall or third-party NVAs for traffic inspection
  • Enable Azure DDoS Network Protection (formerly DDoS Protection Standard) for public-facing resources
  • Use Private Endpoints for PaaS services

Network Security Groups (NSGs)

# Create an NSG with restrictive rules
az network nsg create --name my-nsg --resource-group my-rg

# Allow HTTPS only from the corporate address range (a CIDR, not a single IP)
az network nsg rule create \
    --nsg-name my-nsg \
    --resource-group my-rg \
    --name Allow-HTTPS \
    --priority 100 \
    --direction Inbound \
    --access Allow \
    --protocol Tcp \
    --destination-port-ranges 443 \
    --source-address-prefixes 10.0.0.0/8

# An explicit deny-all below also overrides the platform default rules
# AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001), so
# anything they permitted, such as load balancer health probes, must be
# re-allowed above it
az network nsg rule create \
    --nsg-name my-nsg \
    --resource-group my-rg \
    --name Allow-LB-Probes \
    --priority 110 \
    --direction Inbound \
    --access Allow \
    --protocol '*' \
    --source-address-prefixes AzureLoadBalancer

# Deny all other inbound traffic
az network nsg rule create \
    --nsg-name my-nsg \
    --resource-group my-rg \
    --name Deny-All-Inbound \
    --priority 4096 \
    --access Deny \
    --direction Inbound \
    --protocol '*'
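NSG behaviour is easy to reason about once you model it: rules are evaluated in ascending priority, the first match wins, and the platform's default rules (priority 65000 and above) only apply after every custom rule. That is exactly why an explicit Deny-All at 4096 silently breaks things the defaults used to allow. The evaluator below is an added example written for this post, not code from the original page. PAGE_RULES mirror the Allow-HTTPS and Deny-All-Inbound rules created above; LB_PROBE_RULE is the extra allow a practitioner adds for load balancer health probes. The VNet address space (10.1.0.0/16) and the client addresses are assumed, and only the two service tags the demo needs (VirtualNetwork, AzureLoadBalancer) are modelled.

```python
"""Evaluate inbound NSG rules the way Azure does: ascending priority, first
match wins, platform default rules (65000+) after all custom rules.

Added example, not code from the original post. PAGE_RULES mirror the two
rules created above; LB_PROBE_RULE is the extra allow this demo argues for.
The VNet address space and client addresses are assumed, and only the service
tags the demo needs (VirtualNetwork, AzureLoadBalancer) are modelled.
"""
import ipaddress

VNET_ADDRESS_SPACE = ipaddress.ip_network("10.1.0.0/16")  # assumed
AZURE_LB_PROBE_IP = "168.63.129.16"  # fixed Azure platform address used for health probes

DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "source": "VirtualNetwork", "ports": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow", "protocol": "*",
     "source": "AzureLoadBalancer", "ports": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "source": "*", "ports": "*"},
]

PAGE_RULES = [
    {"name": "Allow-HTTPS", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "source": "10.0.0.0/8", "ports": "443"},
    {"name": "Deny-All-Inbound", "priority": 4096, "access": "Deny", "protocol": "*",
     "source": "*", "ports": "*"},
]
LB_PROBE_RULE = {"name": "Allow-LB-Probes", "priority": 110, "access": "Allow", "protocol": "*",
                 "source": "AzureLoadBalancer", "ports": "*"}
HARDENED_RULES = PAGE_RULES + [LB_PROBE_RULE]


def source_matches(prefix, src_ip):
    """Match a source prefix: '*', a modelled service tag, or a CIDR."""
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET_ADDRESS_SPACE
    if prefix == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(prefix, strict=False)


def port_matches(ports, port):
    """Match '*', a single port, a range 'lo-hi', or a comma-separated list of those."""
    if ports == "*":
        return True
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(custom_rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule name) of the first rule that matches the flow."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND_RULES, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if source_matches(rule["source"], src_ip) and port_matches(rule["ports"], dst_port):
            return rule["access"], rule["name"]
    return "Deny", "implicit"


if __name__ == "__main__":
    for rules, label in ((PAGE_RULES, "page rules"), (HARDENED_RULES, "with probe allow")):
        print(label, "LB probe on 443:", evaluate_inbound(rules, AZURE_LB_PROBE_IP, 443))
        print(label, "VNet SSH:", evaluate_inbound(rules, "10.1.5.5", 22))
```

With only the page's two rules, a health probe from 168.63.129.16 is denied by Deny-All-Inbound at 4096 before the default AllowAzureLoadBalancerInBound at 65001 is ever reached, and so is SSH from inside the VNet; with Allow-HTTPS alone (no custom deny), both are allowed by the defaults. Adding Allow-LB-Probes above the deny restores the probe while keeping the intranet SSH block, which is the intended outcome: you deny by default, then re-allow deliberately.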

Private Endpoints

Use Private Link to reach Azure PaaS services over a private IP inside your VNet, then close their public endpoint:

# Create a private endpoint for Azure SQL
az network private-endpoint create \
    --name sql-private-endpoint \
    --resource-group my-rg \
    --vnet-name my-vnet \
    --subnet private-endpoints \
    --private-connection-resource-id /subscriptions/SUB_ID/resourceGroups/my-rg/providers/Microsoft.Sql/servers/my-sql-server \
    --group-id sqlServer \
    --connection-name sql-connection

# Without the matching private DNS zone (privatelink.database.windows.net for Azure SQL,
# linked to my-vnet) clients keep resolving the public IP and bypass the endpoint

# Close the public endpoint once private connectivity is verified
az sql server update \
    --name my-sql-server \
    --resource-group my-rg \
    --enable-public-network false

3. Compute Security

Virtual Machine Security

  • Enable Azure Disk Encryption for all VMs
  • Use Trusted Launch VMs for Secure Boot and a virtual TPM
  • Disable public IP addresses where possible; reach VMs through Bastion or a VPN instead
  • Enable automatic OS patching

# Enable Azure Disk Encryption on a VM (the Key Vault must be in the same region as the VM)
az vm encryption enable \
    --resource-group my-rg \
    --name my-vm \
    --disk-encryption-keyvault my-keyvault

# Create a Trusted Launch VM with no public IP and platform-managed patching
az vm create \
    --resource-group my-rg \
    --name secure-vm \
    --image Ubuntu2204 \
    --security-type TrustedLaunch \
    --enable-secure-boot true \
    --enable-vtpm true \
    --public-ip-address "" \
    --patch-mode AutomaticByPlatform

Azure Kubernetes Service (AKS) Security

  • Use private clusters so the API server has no public endpoint (kubectl then runs from a jump host, VPN or Bastion in a connected network)
  • Enable Microsoft Entra ID (Azure AD) integration for authentication and turn off local Kubernetes accounts
  • Implement Azure Policy for Kubernetes
  • Use Defender for Containers

# Create a secure AKS cluster
az aks create \
    --resource-group my-rg \
    --name secure-aks \
    --enable-private-cluster \
    --enable-aad \
    --enable-azure-rbac \
    --disable-local-accounts \
    --enable-defender \
    --network-plugin azure \
    --network-policy azure \
    --enable-managed-identity

4. Data Protection

Encryption at Rest

Azure encrypts data at rest by default with platform-managed keys; use customer-managed keys (CMK) for data where you need control over key rotation and revocation:

# Create a Key Vault with purge protection. Soft delete is always on for new vaults
# (--enable-soft-delete is deprecated); purge protection is required before the vault
# can hold CMKs, because deleting the key would make the encrypted data unrecoverable.
az keyvault create \
    --name my-keyvault \
    --resource-group my-rg \
    --enable-purge-protection true \
    --retention-days 90

# Create a key for encryption
az keyvault key create \
    --vault-name my-keyvault \
    --name storage-key \
    --kty RSA \
    --size 2048

# The storage account needs an identity that can wrap and unwrap the key
az storage account update \
    --name mystorageaccount \
    --resource-group my-rg \
    --assign-identity
STORAGE_PRINCIPAL=$(az storage account show --name mystorageaccount --resource-group my-rg --query identity.principalId -o tsv)
az keyvault set-policy \
    --name my-keyvault \
    --object-id "$STORAGE_PRINCIPAL" \
    --key-permissions get wrapKey unwrapKey

# Enable CMK on the storage account
az storage account update \
    --name mystorageaccount \
    --resource-group my-rg \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault https://my-keyvault.vault.azure.net \
    --encryption-key-name storage-key

Azure SQL Security

# Transparent Data Encryption is on by default with a service-managed key;
# this re-enables it on a database where it was switched off
az sql db tde set \
    --resource-group my-rg \
    --server my-sql-server \
    --database my-db \
    --status Enabled

# Use a customer-managed key as the server's TDE protector. The server needs a managed
# identity with get/wrapKey/unwrapKey on the vault; sql-tde-key and KEY_VERSION are placeholders.
az sql server tde-key set \
    --resource-group my-rg \
    --server my-sql-server \
    --server-key-type AzureKeyVault \
    --kid https://my-keyvault.vault.azure.net/keys/sql-tde-key/KEY_VERSION

# Enable Defender for SQL (Advanced Threat Protection) for every SQL server in the subscription
az security pricing create \
    --name SqlServers \
    --tier Standard

# Legacy per-database threat detection policy, superseded by Defender for SQL
az sql db threat-policy update \
    --resource-group my-rg \
    --server my-sql-server \
    --database my-db \
    --state Enabled \
    --email-account-admins true

Storage Account Security

# Disable public blob access
az storage account update \
    --name mystorageaccount \
    --resource-group my-rg \
    --allow-blob-public-access false

# Require secure transfer and a modern TLS floor
az storage account update \
    --name mystorageaccount \
    --resource-group my-rg \
    --https-only true \
    --min-tls-version TLS1_2

# Infrastructure (double) encryption can only be chosen when the account is created;
# it cannot be switched on later with `update`
az storage account create \
    --name mystorageaccount \
    --resource-group my-rg \
    --sku Standard_LRS \
    --require-infrastructure-encryption true

5. Monitoring and Threat Detection

Microsoft Defender for Cloud

Enable Defender for Cloud on all subscriptions:

  • Defender for Servers: VM threat detection and vulnerability assessment
  • Defender for Containers: AKS and container registry security
  • Defender for Storage: Malware scanning and anomaly detection
  • Defender for SQL: Database threat detection
  • Defender for Key Vault: Unusual access pattern detection

# Enable the Defender plans above on the current subscription (one call per plan)
for plan in VirtualMachines Containers StorageAccounts SqlServers KeyVaults; do
    az security pricing create --name "$plan" --tier Standard
done

Azure Monitor and Log Analytics

# Create a Log Analytics workspace and capture its resource ID
az monitor log-analytics workspace create \
    --resource-group my-rg \
    --workspace-name security-logs
WORKSPACE_ID=$(az monitor log-analytics workspace show --resource-group my-rg --workspace-name security-logs --query id -o tsv)

# SQL audit events come from server-level auditing; targeting the workspace creates the
# SQLSecurityAuditEvents diagnostic setting on the server's master database for you
az sql server audit-policy update \
    --resource-group my-rg \
    --name my-sql-server \
    --state Enabled \
    --lats Enabled \
    --lawri "$WORKSPACE_ID"

# Enable diagnostic logging for other resources, here Key Vault access audit events
az monitor diagnostic-settings create \
    --name security-diagnostics \
    --resource /subscriptions/SUB_ID/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-keyvault \
    --workspace "$WORKSPACE_ID" \
    --logs '[{"category":"AuditEvent","enabled":true}]'

Microsoft Sentinel

Use Microsoft Sentinel (formerly Azure Sentinel) for SIEM and SOAR capabilities:

  • Connect data sources from Azure and third-party services
  • Use built-in analytics rules for threat detection
  • Create custom detection rules for your environment
  • Automate incident response with playbooks
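Built-in analytics rules cover generic attacker behaviour; the custom rules worth writing are the ones that watch for your own controls being undone. Three changes from this guide are good candidates: an NSG rule that opens a management port to the Internet, a storage account switched back to public blob access, and a Key Vault opened to all networks. The detection below is an added example written for this post, not code from the original page; it shows the logic you would otherwise express in KQL over the AzureActivity table. SAMPLE_EVENTS are constructed and simplified (flat operationName and status, requestBody already parsed into a dict; the real Activity Log nests these under operationName.value, status.value and properties.requestbody as a JSON string), and the resource IDs and callers are placeholders.

```python
"""Custom detection logic for security-relevant Azure Activity Log write events.

Added example, not code from the original post. SAMPLE_EVENTS are constructed
and simplified (flat operationName/status, requestBody pre-parsed); resource
ids and callers are placeholders.
"""
MGMT_PORTS = {22, 3389}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def port_ranges(props):
    """Collect destinationPortRange and destinationPortRanges from an NSG rule body."""
    ranges = list(props.get("destinationPortRanges") or [])
    if props.get("destinationPortRange"):
        ranges.append(props["destinationPortRange"])
    return ranges


def covers_mgmt_port(ranges):
    """True if any range ('*', '22', or '20-25') includes SSH or RDP."""
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if any(int(lo) <= p <= int(hi or lo) for p in MGMT_PORTS):
            return True
    return False


def nsg_rule_exposes_mgmt_port(ev):
    props = ev["requestBody"].get("properties", {})
    sources = set(props.get("sourceAddressPrefixes") or [])
    if props.get("sourceAddressPrefix"):
        sources.add(props["sourceAddressPrefix"])
    return (props.get("access") == "Allow" and props.get("direction") == "Inbound"
            and bool(sources & ANY_SOURCE) and covers_mgmt_port(port_ranges(props)))


def storage_public_access_enabled(ev):
    return ev["requestBody"].get("properties", {}).get("allowBlobPublicAccess") is True


def key_vault_open_to_all_networks(ev):
    acls = ev["requestBody"].get("properties", {}).get("networkAcls") or {}
    return acls.get("defaultAction") == "Allow"


# operationName -> (alert title, predicate over the event)
RULES = {
    "Microsoft.Network/networkSecurityGroups/securityRules/write":
        ("NSG rule exposes a management port to the Internet", nsg_rule_exposes_mgmt_port),
    "Microsoft.Storage/storageAccounts/write":
        ("Public blob access enabled on storage account", storage_public_access_enabled),
    "Microsoft.KeyVault/vaults/write":
        ("Key Vault allows access from all networks", key_vault_open_to_all_networks),
}


def detect(events):
    """Return one alert per successful write that matches a rule."""
    alerts = []
    for ev in events:
        if ev.get("status") != "Succeeded":
            continue  # alert on changes that happened, not on denied attempts
        rule = RULES.get(ev.get("operationName"))
        if rule and rule[1](ev):
            alerts.append({"title": rule[0], "caller": ev["caller"], "resource": ev["resourceId"]})
    return alerts


RG = "/subscriptions/SUB_ID/resourceGroups/my-rg/providers"  # placeholder
SAMPLE_EVENTS = [  # constructed sample data
    {"operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write", "status": "Succeeded",
     "caller": "contractor@company.com", "resourceId": f"{RG}/Microsoft.Network/networkSecurityGroups/my-nsg/securityRules/rdp",
     "requestBody": {"properties": {"access": "Allow", "direction": "Inbound", "protocol": "Tcp",
                                    "sourceAddressPrefix": "*", "destinationPortRange": "3389"}}},
    {"operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write", "status": "Succeeded",
     "caller": "netops@company.com", "resourceId": f"{RG}/Microsoft.Network/networkSecurityGroups/my-nsg/securityRules/Allow-HTTPS",
     "requestBody": {"properties": {"access": "Allow", "direction": "Inbound", "protocol": "Tcp",
                                    "sourceAddressPrefixes": ["10.0.0.0/8"], "destinationPortRanges": ["443"]}}},
    {"operationName": "Microsoft.Storage/storageAccounts/write", "status": "Succeeded",
     "caller": "dev@company.com", "resourceId": f"{RG}/Microsoft.Storage/storageAccounts/mystorageaccount",
     "requestBody": {"properties": {"allowBlobPublicAccess": True}}},
    {"operationName": "Microsoft.KeyVault/vaults/write", "status": "Failed",
     "caller": "dev@company.com", "resourceId": f"{RG}/Microsoft.KeyVault/vaults/my-keyvault",
     "requestBody": {"properties": {"networkAcls": {"defaultAction": "Allow"}}}},
    {"operationName": "Microsoft.KeyVault/vaults/write", "status": "Succeeded",
     "caller": "dev@company.com", "resourceId": f"{RG}/Microsoft.KeyVault/vaults/my-keyvault",
     "requestBody": {"properties": {"networkAcls": {"defaultAction": "Allow"}}}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The sample produces three alerts: the RDP rule opened to any source, the storage account made public, and the successful Key Vault change; the Allow-HTTPS rule scoped to 10.0.0.0/8 and the failed Key Vault write are ignored. In Sentinel the same predicates become `where OperationNameValue == ... and ActivityStatusValue == "Success"` filters with `parse_json(Properties.requestbody)`, and the alert fields map onto the incident's entities.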

6. Secret Management

# Store a secret in Key Vault. Read the value from a file (or stdin) rather than passing it
# on the command line, so it does not land in shell history or process listings
az keyvault secret set \
    --vault-name my-keyvault \
    --name db-connection-string \
    --file ./db-connection-string.txt   # contents: Server=myserver;Database=mydb;...

# The web app needs a managed identity with read access to the secret
az webapp identity assign --resource-group my-rg --name my-webapp
WEBAPP_PRINCIPAL=$(az webapp identity show --resource-group my-rg --name my-webapp --query principalId -o tsv)
az keyvault set-policy --name my-keyvault --object-id "$WEBAPP_PRINCIPAL" --secret-permissions get

# Reference the secret from App Service; the platform resolves it with the app's identity,
# so the value never sits in app settings (a trailing slash means "latest version")
az webapp config appsettings set \
    --resource-group my-rg \
    --name my-webapp \
    --settings "DbConnection=@Microsoft.KeyVault(SecretUri=https://my-keyvault.vault.azure.net/secrets/db-connection-string/)"

7. Azure Policy

Enforce security standards with Azure Policy:

# Assign built-in policy to require encryption
az policy assignment create \
    --name "require-sql-encryption" \
    --policy "/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16" \
    --scope /subscriptions/SUB_ID

# Create an initiative (policy set) for the CIS benchmark; in practice, assign the built-in
# "CIS Microsoft Azure Foundations Benchmark" initiative rather than rebuilding it by hand
az policy set-definition create \
    --name "cis-azure-benchmark" \
    --definitions '[{"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/..."}]'

Quick Wins Checklist

  • Enable MFA for all users in Azure AD
  • Enable Microsoft Defender for Cloud (Standard tier)
  • Enable Azure AD Privileged Identity Management
  • Disable public access on storage accounts
  • Enable diagnostic logging on all resources
  • Use managed identities instead of service principal secrets
  • Enable Private Endpoints for PaaS services
  • Review Microsoft Defender for Cloud recommendations and Secure Score weekly

Next Steps

Azure provides comprehensive security tools through Microsoft Defender for Cloud. Regularly review your Secure Score, implement recommendations, and use Azure Policy to maintain compliance across your organization.

Need help securing your Azure infrastructure? Contact us for a comprehensive security assessment.