securion.ai
    Cloud Security 13 min read

    Azure Security Baseline: Hardening Subscriptions, Identities, and Networks

    A pragmatic checklist for the Azure controls that actually move the needle — from Entra ID conditional access to Azure Policy guardrails to private networking patterns.

    Azure Security Baseline: Hardening Subscriptions, Identities, and Networks

    Identity Is the Azure Perimeter

    Azure breaches almost always start at Entra ID (formerly Azure AD), not at a VM or storage account. Get identity right and the rest gets dramatically easier:

    • Conditional Access — require compliant device + phishing-resistant MFA for any privileged role.
    • Privileged Identity Management (PIM) — make Global Admin and Owner roles just-in-time, with approval and time-bound activation.
    • Workload identities — replace client secrets with Federated Identity Credentials (OIDC) wherever possible.
    • Break-glass accounts — at least two, with FIDO2 keys stored physically, monitored aggressively.

    Azure Policy as a Guardrail Engine

    Azure Policy is the structural prevention layer. Apply at the management group level so subscriptions inherit:

    • Deny resources in unapproved regions.
    • Deny public IPs on VMs unless explicitly tagged for it.
    • Require diagnostic settings to send to a central Log Analytics workspace.
    • Require encryption with customer-managed keys for sensitive data services.
    • Require a tag set (cost-center, owner, environment) on every resource.

    Use the Microsoft Cloud Security Benchmark initiative as a starting baseline rather than authoring from scratch.

    Networking: Private by Default

    The default "public endpoint" for storage accounts, SQL databases, and Key Vaults is convenient and dangerous. The pattern that holds up:

    • Private Endpoints for every PaaS service that supports them — storage, SQL, Cosmos DB, Key Vault, App Configuration.
    • Disable public network access at the resource level once private endpoints are in place.
    • Service endpoints + NSG as a fallback where private endpoints aren't supported.
    • Azure Firewall or third-party NVA at the hub for egress filtering.

    Defender for Cloud and What to Trust About It

    Microsoft Defender for Cloud is Azure's CSPM/CWPP. It's good at:

    • Surfacing common misconfigurations against the Microsoft baseline.
    • Vulnerability assessment for VMs and containers.
    • Adaptive application controls for VMs.

    It's mediocre at:

    • Custom detections — you'll layer Sentinel on top.
    • Multi-cloud — works for AWS/GCP, but native tools are still better there.

    Treat the Defender secure score as a tracking metric, not a goal in itself. A score of 80% with the right 20% missing is meaningfully different from 80% with random gaps.

    Centralized Logging and Detection

    One Log Analytics workspace per environment (prod, non-prod), aggregated to a single Sentinel workspace for detection. The required data sources:

    • Entra ID sign-in & audit logs.
    • Activity logs from every subscription.
    • Resource diagnostic settings (Key Vault, Storage, App Service).
    • Microsoft Defender alerts.
    • Microsoft 365 audit logs (if you also use M365).
    "Lift-and-shifted Azure environments often skip diagnostic settings entirely. The bill stays low — until you need a forensic timeline."