Azure Security Best Practices — A Complete Guide to Microsoft Cloud Security

Azure Security Best Practices — Defender for Cloud, NSG vs Azure Firewall, Entra ID, Key Vault, CIS benchmark compliance. A practical guide for businesses.

Microsoft Azure serves millions of organizations worldwide, including over 95% of Fortune 500 companies. This dominant market position means that the security of Azure environments has become one of the most important challenges in modern IT. The shared responsibility model means that Microsoft secures the cloud infrastructure, but configuration, identity management, data protection, and monitoring rest with the customer. This guide presents best practices for securing Azure in each of these areas.

Why Does Azure Security Matter for Organizations?

Azure is today the second-largest public cloud platform in the world, with a market share exceeding 25% (behind AWS at ~31%). In Europe, Azure holds a leading position among corporations due to its deep integration with the Microsoft 365 ecosystem, Active Directory, and hybrid solutions. This means that a security breach in an Azure environment is not an abstract risk — it is a direct threat to customer data, business continuity, and regulatory compliance.

The shared responsibility model is a fundamental concept that every organization using public cloud must understand. Microsoft is responsible for physical security of data centers, network infrastructure, the hypervisor, and the base platform. The customer is responsible for service configuration, identity and access management, data protection, security monitoring, and regulatory compliance. The boundary of responsibility shifts depending on the service model — in IaaS the customer is responsible for the operating system and above, in PaaS for the application and data, and in SaaS primarily for configuration and identities.

Cloud security reports consistently indicate that over 80% of cloud breaches result from customer-side misconfiguration, not from vulnerabilities in the cloud platform. Open storage containers, overly broad permissions, lack of MFA on administrative accounts, publicly accessible databases — these are real attack vectors leading to data breaches. Therefore, understanding and implementing best practices is not an optional enhancement — it is a prerequisite for secure use of Azure.

Regulations such as NIS2, DORA, and GDPR place additional requirements on organizations regarding data protection in the cloud. Organizations must demonstrate that they have implemented appropriate technical and organizational measures, conduct continuous security monitoring, and are able to respond to incidents within a defined timeframe. Azure provides tools that facilitate meeting these requirements, but their activation and configuration rest with the customer.


Microsoft Defender for Cloud — CSPM, Secure Score, and Security Recommendations

Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) is Azure’s native security platform, combining two key functions: Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP).

CSPM (Cloud Security Posture Management) is a function for continuous assessment of the Azure environment’s security configuration. Defender for Cloud scans all resources — virtual machines, networks, databases, containers, applications — and compares their configuration against a set of best practices. Every identified non-compliance generates a recommendation with a problem description, potential security impact, and remediation steps. Crucially, many recommendations can be implemented with a single click using the “Quick fix” feature.

Secure Score is an aggregated metric expressed as a percentage, representing the overall security level of the Azure environment. The scale ranges from 0% to 100%, where a higher score means better security posture. Secure Score is calculated based on the ratio of implemented recommendations to all detected recommendations, weighted by their severity (critical recommendations have a greater impact on the score). This tool is invaluable for CISOs and security managers because it enables tracking progress over time and prioritizing remediation actions based on their impact on the overall score.

CWPP (Cloud Workload Protection Platform) provides active protection of workloads in Azure. It includes protection plans for: servers (Defender for Servers — integration with Microsoft Defender for Endpoint), databases (Defender for SQL, Cosmos DB, MySQL, PostgreSQL), containers (Defender for Containers — image scanning, runtime protection), storage (Defender for Storage — malware detection in uploads), App Service, Key Vault, DNS, and Resource Manager. Each protection plan generates security alerts specific to the given resource type.

Practical recommendations for Defender for Cloud: activate Defender for Cloud on all subscriptions (free CSPM is available by default), enable paid CWPP plans at least for servers and databases (the most exposed resources), set the target Secure Score to a minimum of 70% and execute an improvement plan, configure automatic notifications for critical security alerts, regularly review and implement recommendations — ideally on a weekly cycle.

Identity and Access: Microsoft Entra ID, Conditional Access, and PIM

In a Zero Trust architecture, identity is the new security perimeter. In the Azure environment, identity and access management is built on Microsoft Entra ID (formerly Azure Active Directory) — the native IAM (Identity and Access Management) platform that serves as the foundation for access control to all Azure and Microsoft 365 resources.

Microsoft Entra ID provides centralized management of user identities, groups, and applications. Key best practices include: enforcing Multi-Factor Authentication (MFA) for all users (not just administrators) — Microsoft’s report indicates that MFA blocks over 99.9% of account attacks; eliminating legacy authentication protocols (Basic Auth, SMTP Auth), which do not support MFA and are the primary vector for credential stuffing attacks; enabling Security Defaults for subscriptions without advanced licenses (enforces MFA and blocks legacy auth); regular review of inactive accounts and guest identities (stale accounts).

Conditional Access is a policy engine based on contextual signals. Instead of a simple “does the user have a password?”, Conditional Access makes decisions based on multiple simultaneous signals: who is logging in (user, group, role), from which device (managed, compliant, unmanaged), from which location (trusted network, known IP, unusual country), to which application (critical, standard), what is the session risk level (risk detected by Identity Protection). Based on these signals, the Conditional Access policy can: allow access, require MFA, require a managed device, restrict access (e.g., web only, no downloads), or block access.

Recommended Conditional Access policies: block legacy authentication (unconditional), enforce MFA for all users, require a managed device for access to sensitive data, block sign-ins from countries where the organization does not operate, force password change on detected risk (integration with Identity Protection).
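Before the policies above are enforced, a defender wants to know which users would be caught by each one. The following added example (not from the original article) reviews Entra ID sign-in records for the three gaps the policies target; column names follow the SigninLogs table, while the records, the user names and the set of allowed countries are constructed.

```python
"""Review Entra ID sign-in records for the gaps the Conditional Access
recommendations target: successful legacy-auth sign-ins, successful
single-factor sign-ins, and sign-ins from countries the organisation does not
operate in. Column names follow the SigninLogs table; records are constructed."""
from collections import Counter

# ClientAppUsed values Entra ID reports for legacy (non-modern) authentication,
# none of which can satisfy an MFA requirement.
LEGACY_CLIENTS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Other clients", "Exchange Web Services", "Autodiscover",
    "Outlook Anywhere (RPC over HTTP)", "MAPI Over HTTP", "Offline Address Book",
}

# Countries the hypothetical organisation operates in (an assumption).
ALLOWED_COUNTRIES = {"PL", "DE"}

# Constructed sample records; ResultType "0" is a successful sign-in.
SAMPLE_SIGNINS = [
    {"UserPrincipalName": "alice@contoso.example", "ClientAppUsed": "Browser",
     "AuthenticationRequirement": "multiFactorAuthentication",
     "ResultType": "0", "Location": "PL"},
    {"UserPrincipalName": "bob@contoso.example", "ClientAppUsed": "IMAP4",
     "AuthenticationRequirement": "singleFactorAuthentication",
     "ResultType": "0", "Location": "PL"},
    {"UserPrincipalName": "bob@contoso.example", "ClientAppUsed": "Browser",
     "AuthenticationRequirement": "singleFactorAuthentication",
     "ResultType": "0", "Location": "DE"},
    {"UserPrincipalName": "svc-backup@contoso.example",
     "ClientAppUsed": "Authenticated SMTP",
     "AuthenticationRequirement": "singleFactorAuthentication",
     "ResultType": "50126", "Location": "PL"},  # failed: invalid credentials
    {"UserPrincipalName": "carol@contoso.example",
     "ClientAppUsed": "Mobile Apps and Desktop clients",
     "AuthenticationRequirement": "multiFactorAuthentication",
     "ResultType": "0", "Location": "BR"},
]


def succeeded(rec):
    return rec.get("ResultType") == "0"


def is_legacy_auth(rec):
    return rec.get("ClientAppUsed") in LEGACY_CLIENTS


def legacy_auth_successes(records):
    """User/protocol pairs still relying on legacy auth. Each one must be
    migrated to modern auth before the 'block legacy authentication' policy
    is enforced, or it will break on the day the policy goes live."""
    return sorted({(r["UserPrincipalName"], r["ClientAppUsed"])
                   for r in records if succeeded(r) and is_legacy_auth(r)})


def single_factor_users(records):
    """Successful single-factor sign-ins per user: the exposure that an
    'MFA for all users' policy closes. Failed attempts are ignored."""
    return Counter(r["UserPrincipalName"] for r in records
                   if succeeded(r)
                   and r.get("AuthenticationRequirement") == "singleFactorAuthentication")


def out_of_region_successes(records, allowed=ALLOWED_COUNTRIES):
    """Successful sign-ins from countries outside the allowed set; candidates
    for a location-based block policy (or a documented travel exception)."""
    return sorted({(r["UserPrincipalName"], r["Location"])
                   for r in records if succeeded(r) and r.get("Location") not in allowed})


def review(records, allowed=ALLOWED_COUNTRIES):
    """Bundle the three findings so they can be exported or asserted on."""
    return {
        "legacy_auth_successes": legacy_auth_successes(records),
        "single_factor_users": dict(single_factor_users(records)),
        "out_of_region_successes": out_of_region_successes(records, allowed),
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_SIGNINS).items():
        print(f"{finding}: {items}")
```

On real data the same logic runs as a KQL query over SigninLogs in Sentinel; the point here is that the failed SMTP attempt is excluded, so only accounts that actually work over legacy protocols appear on the migration list.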

Privileged Identity Management (PIM) is a Just-in-Time (JIT) access mechanism for privileged roles. Instead of permanent assignment of the Global Admin or Owner role, PIM requires role activation for a specified duration (e.g., 4 hours) with justification and optional approval. Key benefits: minimizing the exposure window for privileged roles (principle of least privilege), auditability — every activation is logged with justification, enforcing MFA on role activation, automatic expiration of permissions after the time elapses. PIM should be implemented for all administrative roles — Global Admin, Security Admin, Exchange Admin, User Admin, and others.

Network Security: NSG vs Azure Firewall vs Azure Front Door + WAF

Network protection in Azure is multi-layered and requires understanding the differences between individual components to select the appropriate level of protection for each scenario.

Network Security Groups (NSG) are the basic, free network traffic filtering mechanism in Azure. NSG operates at layers 3-4 (network/transport) and allows defining allow/deny rules based on source/destination IP address, port, and protocol. NSG can be assigned to a subnet (protects all resources in the subnet) or to a Network Interface Card (protects a specific virtual machine). NSG is the absolute minimum — every subnet should have a configured NSG with a “deny all inbound” rule as the default, with explicitly defined exceptions for required traffic.

Best practices for NSG: principle of least privilege — open only ports required by the application, use Application Security Groups (ASG) instead of IP addresses for defining rules (simplifies management in dynamic environments), enable NSG flow logs for diagnostics and network traffic monitoring, never open management ports (RDP 3389, SSH 22) to 0.0.0.0/0 — use Azure Bastion or JIT VM Access.
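Two things are easy to get wrong with NSGs: a rule that opens RDP/SSH to the internet, and a later "deny" rule that never fires because an earlier "allow" has a lower priority number. The following added example (not part of the original article) audits an NSG for both. The NSG is constructed in the shape `az network nsg show` returns, including the three default inbound rules Azure adds to every NSG; rule names and addresses are hypothetical.

```python
"""Audit an NSG for management ports exposed to the internet and work out
which rule decides a given inbound flow (first match in priority order,
lowest number first). The sample NSG is constructed; names and addresses
are hypothetical. Destination prefixes are not modelled."""
import ipaddress

MANAGEMENT_PORTS = {22, 3389}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}   # prefixes meaning "the whole internet"


def _rule(name, priority, access, protocol, source, ports, direction="Inbound"):
    """Build one securityRules entry; a list of ports uses the plural field."""
    props = {"priority": priority, "direction": direction, "access": access,
             "protocol": protocol, "sourceAddressPrefix": source,
             "sourcePortRange": "*", "destinationAddressPrefix": "*"}
    props["destinationPortRanges" if isinstance(ports, list) else "destinationPortRange"] = ports
    return {"name": name, "properties": props}


SAMPLE_NSG = {"name": "nsg-web", "properties": {"securityRules": [
    _rule("allow-rdp-any", 100, "Allow", "Tcp", "*", "3389"),            # the anti-pattern
    _rule("allow-https", 110, "Allow", "Tcp", "Internet", "443"),
    _rule("allow-ssh-bastion", 120, "Allow", "Tcp", "10.0.1.0/26", "22"),  # Bastion subnet
    _rule("deny-mgmt-internet", 200, "Deny", "*", "Internet", ["22", "3389"]),
    _rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    _rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    _rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]}}


def _sources(p):
    return p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "*")]


def _ports(p):
    return p.get("destinationPortRanges") or [p.get("destinationPortRange", "*")]


def port_in_range(port, rng):
    """'*' matches all ports; '22' or '1000-2000' are exact or inclusive ranges."""
    if rng == "*":
        return True
    lo, _, hi = rng.partition("-")
    return int(lo) <= port <= int(hi or lo)


def source_matches(prefix, src_ip):
    """CIDR/IP prefixes are matched exactly; '*' and Internet match any source.
    Other service tags (VirtualNetwork, AzureLoadBalancer, ...) are assumed not
    to contain src_ip, a simplification of Azure's tag expansion."""
    if prefix in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False


def exposes_management_port(rule):
    p = rule["properties"]
    return (p["direction"] == "Inbound" and p["access"] == "Allow"
            and p["protocol"].lower() in ("*", "tcp")
            and any(s in ANY_SOURCE for s in _sources(p))
            and any(port_in_range(mp, r) for mp in MANAGEMENT_PORTS for r in _ports(p)))


def find_exposed_management_rules(nsg):
    """Names of rules that open RDP/SSH to the whole internet."""
    return [r["name"] for r in nsg["properties"]["securityRules"]
            if exposes_management_port(r)]


def evaluate_inbound(nsg, src_ip, port, protocol="Tcp"):
    """Return (access, rule name) for the first matching inbound rule."""
    by_priority = sorted(nsg["properties"]["securityRules"],
                         key=lambda r: r["properties"]["priority"])
    for rule in by_priority:
        p = rule["properties"]
        if p["direction"] != "Inbound":
            continue
        if p["protocol"] != "*" and p["protocol"].lower() != protocol.lower():
            continue
        if not any(source_matches(s, src_ip) for s in _sources(p)):
            continue
        if not any(port_in_range(port, r) for r in _ports(p)):
            continue
        return p["access"], rule["name"]
    return "Deny", "(no rule matched)"   # unreachable while DenyAllInBound exists


if __name__ == "__main__":
    print("exposed:", find_exposed_management_rules(SAMPLE_NSG))
    for ip, port in [("203.0.113.5", 3389), ("203.0.113.5", 22), ("10.0.1.7", 22)]:
        print(ip, port, evaluate_inbound(SAMPLE_NSG, ip, port))
```

Note that `deny-mgmt-internet` at priority 200 does not protect RDP: `allow-rdp-any` at priority 100 matches first, which is exactly why the audit looks at every allow rule rather than trusting that a deny exists.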

Azure Firewall is a managed, stateful layer 7 (application) firewall with built-in high availability and scalability. Unlike NSG, Azure Firewall offers: FQDN (Fully Qualified Domain Name) filtering — control of outbound traffic to specific domains, threat intelligence-based filtering — automatic blocking of traffic to/from known malicious IP addresses and domains, TLS inspection — decryption and analysis of HTTPS traffic, URL filtering — web access control based on categories, IDPS (Intrusion Detection and Prevention System) in the Premium version.

Azure Firewall is recommended for organizations requiring advanced outbound traffic control, TLS inspection, centralized network policy management (Azure Firewall Manager), and application-layer threat protection.

Azure Front Door + WAF (Web Application Firewall) protects web applications against layer 7 attacks. Azure Front Door provides global load balancing, CDN acceleration, and DDoS protection, while the integrated WAF protects against OWASP Top 10 attacks (SQL injection, XSS, CSRF), bots, and other web threats. WAF operates in two modes: Detection (logs, does not block) and Prevention (actively blocks malicious traffic). Recommendation: start in Detection mode, analyze logs, adjust rules, and switch to Prevention.

Azure DDoS Protection comes in two variants: Basic (free, enabled by default, protects against typical volumetric attacks) and Standard (paid, advanced protection with automatic threshold tuning, telemetry, alerts, and Azure Monitor integration). DDoS Protection Standard is recommended for organizations with critical public-facing resources.

Reference architecture: internet traffic → Azure Front Door + WAF (web application protection) → Azure Firewall (traffic filtering, TI, IDPS) → NSG on subnets (microsegmentation) → Azure resources.

Data Protection: Azure Key Vault, Encryption, and Azure Information Protection

Data protection in the cloud covers three data states: data at rest, data in transit, and data in use. Azure provides protection mechanisms for each of these states.

Azure Key Vault is a managed service for centralized storage and management of cryptographic keys, certificates, secrets (passwords, connection strings, API keys), and managed HSM keys. Key Vault eliminates the anti-pattern of storing secrets in source code, environment variables, or configuration files.

Best practices for Key Vault: one Key Vault per application/environment (blast radius isolation), enable soft-delete and purge protection (protection against accidental deletion), use Managed Identities instead of connection strings for application access, enable logging (diagnostics) and monitor access to secrets, rotate secrets regularly (automation using Azure Functions or Event Grid), apply the principle of least privilege — granular RBAC permissions instead of vault access policies.

Data at rest encryption is enabled by default in Azure for most services — Azure Storage, SQL Database, Cosmos DB, and others use 256-bit AES. Key management options: Microsoft-managed keys (default, simplest), Customer-managed keys (CMK) in Key Vault (organization controls encryption keys), Customer-managed keys in HSM (highest level of control). For organizations with regulatory requirements (PCI DSS, NIS2), Customer-managed keys are recommended.

Data in transit encryption — all traffic between Azure services should be encrypted with TLS 1.2+. Enforce TLS 1.2 as a minimum in service configurations (Storage Accounts, App Service, SQL). Use Azure Private Link and Private Endpoints so that traffic between services does not leave Microsoft’s backbone network and does not traverse the public internet.

Azure Information Protection (AIP) / Microsoft Purview Information Protection classifies and protects documents and emails based on data sensitivity. It enables automatic application of classification labels (Confidential, Internal, Public), document encryption with access control (who can open, print, copy), tracking and revoking access to shared documents, automatic classification based on data patterns (social security numbers, credit cards, medical data). It is a key tool for GDPR compliance.

Monitoring and SIEM: Microsoft Sentinel, Diagnostic Settings, and Log Analytics

Visibility is the foundation of security — you cannot protect what you cannot see. Azure offers an extensive ecosystem of security monitoring and analysis tools.

Microsoft Sentinel is Azure’s native, cloud-based SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platform built on Azure Log Analytics. Sentinel collects security data from across the entire Azure environment, Microsoft 365, on-premises, and multi-cloud, correlates events, detects threats, and automates response.

Key Sentinel capabilities: over 200 native data connectors (Azure, AWS, GCP, on-premises, third-party), built-in detection rules (Analytic Rules) mapped to MITRE ATT&CK, automation through Automation Rules and Playbooks (Logic Apps), proactive threat hunting with Kusto Query Language (KQL), Workbooks — interactive security dashboards, integration with Microsoft Defender XDR (unified security operations).

Best practices for Sentinel: connect key data sources (Entra ID, Defender for Cloud, Azure Activity, Office 365, firewalls, EDR), enable UEBA (User and Entity Behavior Analytics) for behavioral anomaly detection, configure Automation Rules for common alerts (auto-close known false positives, auto-escalate critical alerts), use Watchlists to enrich alerts with business context (VIP users, critical servers), monitor costs — Sentinel operates on a pay-per-GB model and data volume directly impacts the bill.

Diagnostic Settings are the mechanism for forwarding logs from individual Azure services to a centralized location. Every Azure resource (VM, Storage Account, SQL Database, Key Vault, NSG) can send its diagnostic logs and metrics to: Log Analytics Workspace (analysis in Sentinel or Azure Monitor), Storage Account (long-term archive), Event Hub (streaming to third-party SIEM).

Recommendation: enable Diagnostic Settings for all critical resources and direct logs to a Log Analytics Workspace integrated with Sentinel. Minimum log sources: Azure Activity Log (resource operations), Entra ID Sign-in Logs and Audit Logs (identity), NSG Flow Logs (network traffic), Key Vault Access Logs (secret access), Defender for Cloud Alerts.

Azure Monitor is the base platform for monitoring in Azure, on which Sentinel and Log Analytics are built. Azure Monitor provides metric alerts (CPU, memory, disk), log alerts (KQL queries), Action Groups (email, SMS, webhook, ITSM notifications), Workbooks, and dashboards.

Compliance: CIS Benchmark, Azure Policy, and Regulatory Compliance Dashboard

Compliance with regulations and industry standards is a key requirement for organizations in regulated sectors and increasingly important for all businesses.

CIS Microsoft Azure Foundations Benchmark is a recognized security standard developed by the Center for Internet Security that defines the baseline configuration for Azure environments. The benchmark is divided into sections: IAM, Security Center, Storage Accounts, Database Services, Logging and Monitoring, Networking, Virtual Machines, and others. Each recommendation has a clearly defined level: Level 1 (basic, minimal operational disruption) and Level 2 (advanced, higher protection level at the cost of greater complexity). Defender for Cloud natively assesses the environment against the CIS benchmark and generates remediation recommendations.

Azure Policy is a native governance mechanism that allows defining, enforcing, and auditing the configuration of Azure resources. Azure Policy works either preventively (blocking creation of non-compliant resources) or in detection mode (reporting non-compliance of existing resources). Examples of useful policies: enforce encryption on Storage Accounts, prohibit creation of public IP addresses, enforce tags on resources (cost center, environment, owner), enforce a specific region for resources (data residency), prohibit creation of VMs without NSG.

Azure Policy Initiatives (formerly Policy Sets) group related policies into logical sets. Microsoft provides ready-made initiatives for: CIS Microsoft Azure Foundations Benchmark, NIST SP 800-53, ISO 27001, PCI DSS, HIPAA/HITRUST, Azure Security Benchmark (ASB). Recommendation: assign the Azure Security Benchmark initiative to all subscriptions as a minimum baseline.
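The added example below (not from the original article) ties the data-in-transit guidance above (enforce TLS 1.2 as a minimum on Storage Accounts) to Azure Policy's preventive mode: a policy rule written in Azure Policy's own condition syntax denies storage accounts that allow plain HTTP or a minimum TLS version below 1.2. The rule is constructed and modelled on the built-in storage transport policies; the evaluator is a simplified re-implementation of the engine's field/condition logic, not Azure's code, and the resources are constructed.

```python
"""Evaluate an Azure Policy rule against ARM resource definitions before
deployment. The policy uses Azure Policy's condition syntax (allOf/anyOf/
field/equals/notEquals/exists); the evaluator is a simplified model of the
engine, not Azure's implementation. Resource names are hypothetical."""

# Constructed policy rule modelled on the built-in storage transport policies.
STORAGE_TRANSPORT_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"anyOf": [
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false"},
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "exists": "false"},
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"},
        ]},
    ]},
    "then": {"effect": "deny"},
}

# Constructed resources in ARM shape.
SAMPLE_RESOURCES = [
    {"name": "sthardened", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"}},
    {"name": "stdefaults", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True}},          # TLS version not set
    {"name": "vm-app01", "type": "Microsoft.Compute/virtualMachines",
     "properties": {}},                                          # out of scope
]

_MISSING = object()


def _norm(value):
    """Azure Policy compares case-insensitively and treats booleans as text."""
    if isinstance(value, bool):
        return str(value).lower()
    return value.lower() if isinstance(value, str) else value


def field_value(resource, field):
    """Resolve a field: top-level ARM fields by name, aliases by their last
    segment under 'properties' (simplification; real aliases can nest deeper)."""
    if field in ("type", "name", "location", "kind"):
        return resource.get(field, _MISSING)
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1], _MISSING)


def matches(condition, resource):
    """Recursively evaluate a policy condition tree against one resource."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = field_value(resource, condition["field"])
    if "exists" in condition:
        return (value is not _MISSING) == (_norm(condition["exists"]) == "true")
    if value is _MISSING:          # simplification: only 'exists' sees missing fields
        return False
    if "equals" in condition:
        return _norm(value) == _norm(condition["equals"])
    if "notEquals" in condition:
        return _norm(value) != _norm(condition["notEquals"])
    if "in" in condition:
        return _norm(value) in [_norm(v) for v in condition["in"]]
    if "notIn" in condition:
        return _norm(value) not in [_norm(v) for v in condition["notIn"]]
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(policy, resource):
    """The policy's effect ('deny', 'audit', ...) when the rule matches, else 'allow'."""
    return policy["then"]["effect"] if matches(policy["if"], resource) else "allow"


def non_compliant(policy, resources):
    """Names of resources the policy would block (deny) or flag (audit)."""
    return [r["name"] for r in resources if effect_for(policy, r) != "allow"]


if __name__ == "__main__":
    for r in SAMPLE_RESOURCES:
        print(r["name"], "->", effect_for(STORAGE_TRANSPORT_POLICY, r))
```

The `exists: false` branches matter: an account created without `minimumTlsVersion` is not compliant just because the property is absent, and a rule with only `notEquals` would let it through under this evaluator's (and the built-in policies') treatment of missing fields.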

Regulatory Compliance Dashboard in Defender for Cloud presents in real time the compliance status of the Azure environment with selected regulatory standards. The dashboard shows for each standard: overall compliance percentage, list of controls with their status (passed/failed/skipped), detailed remediation recommendations for each unmet control, change history over time (compliance trend). This tool is invaluable during audit preparations — the auditor can receive a compliance report export directly from the Azure platform.

Additional compliance frameworks natively supported in Azure: NIS2 — Defender for Cloud maps recommendations to NIS2 requirements regarding risk management, supply chain security, and incident reporting; GDPR — Microsoft Purview Compliance Manager assesses GDPR compliance status and generates recommendations; DORA — for financial institutions, covering ICT risk management and digital operational resilience requirements.

Zero Trust Architecture in Azure — How to Implement It?

Zero Trust is a security model based on the principle of “never trust, always verify.” Azure provides native tools for implementing every pillar of the Zero Trust architecture.

Identity pillar: Microsoft Entra ID with Conditional Access. Every access request is authenticated and authorized based on multiple contextual signals. MFA for all users, risk-based Conditional Access policies, PIM for privileged roles, continuous session verification — these are the foundations of Zero Trust in the identity layer.

Device pillar: Microsoft Intune and Conditional Access Device Compliance. Access to Azure resources is conditioned on device state: current security patches, active Defender for Endpoint, enabled BitLocker encryption, no jailbreak/root. Devices that do not meet the policy receive limited access or are blocked.

Network pillar: microsegmentation and Private Link. Instead of traditional network segmentation (hub-and-spoke with broad internal trust), Zero Trust requires microsegmentation — each workload is isolated, and traffic between workloads is blocked by default and requires an explicit rule. Azure Private Link eliminates public endpoints for Azure services — traffic between the application and the database never leaves Microsoft’s backbone network. Azure Bastion provides secure administrative access to VMs without exposing RDP/SSH ports.

Data pillar: classification and protection. Microsoft Purview Information Protection classifies data based on sensitivity, Azure Key Vault with CMK protects encryption keys, and Azure Policy enforces encryption on all storage resources.

Application pillar: JIT VM Access and App Service Environment. Just-in-Time VM Access (a Defender for Cloud feature) opens administrative ports on VMs only on demand, for a specified time, and for a specified IP. App Service Environment (ASE) isolates web applications in a dedicated virtual network.

Step-by-step implementation: (1) Audit the current state — Defender for Cloud Secure Score as a baseline, (2) Identity — MFA + Conditional Access + PIM (fastest ROI), (3) Network — NSG microsegmentation + Private Link for critical services, (4) Data — Key Vault + CMK + classification, (5) Monitoring — Sentinel + full diagnostic logging, (6) Continuous improvement — periodic policy review and adaptation to new threats.

Zero Trust is not a project with an end date — it is a continuous process of improvement in which each successive step reduces the attack surface and increases organizational resilience.

How Does nFlo Support Azure Security?

nFlo offers comprehensive cloud environment audit and protection services, with particular specialization in the Microsoft Azure ecosystem. Experience gained across over 500 cybersecurity projects and collaboration with over 200 clients encompasses organizations of every size — from companies deploying their first cloud workloads to enterprises with advanced multi-cloud environments.

nFlo’s Azure security services include: Azure environment security audit (configuration assessment against CIS benchmark, Azure Security Benchmark, NIS2 and GDPR requirements), Zero Trust architecture implementation (Conditional Access, PIM, microsegmentation, Private Link), Defender for Cloud and Microsoft Sentinel configuration and optimization (data source integration, detection rule creation, SOAR playbooks), identity and access management (Entra ID hardening, Conditional Access policies, MFA rollout), and continuous security monitoring in a managed SOC model with a response time of under 15 minutes.

A client retention rate of 98% confirms that nFlo’s approach — combining deep technological expertise with a pragmatic approach to security — delivers real value. Every project begins with an assessment of the current Secure Score and concludes with measurable improvement in security posture, with a clearly defined roadmap for further development ensuring a 90% risk reduction.

Summary

  • The shared responsibility model requires active customer action — Microsoft secures the infrastructure, but configuration, identities, data, and monitoring rest with the organization. Over 80% of cloud breaches result from misconfiguration.
  • Defender for Cloud is the starting point — free CSPM provides immediate visibility into security posture, Secure Score enables measuring progress, and paid CWPP plans protect critical workloads.
  • Identity is the new perimeter — MFA for everyone, risk-based Conditional Access, and PIM for privileged roles are the three pillars of identity protection in Azure, blocking over 99.9% of account attacks.
  • Network protection is multi-layered — NSG as a minimum on every subnet, Azure Firewall for advanced traffic control, Azure Front Door + WAF for web applications.
  • Key Vault eliminates secrets in code — centralized management of keys, certificates, and secrets with Managed Identities is a standard that should apply to every Azure application.
  • Sentinel provides visibility and automation — native integration with the Azure and Microsoft 365 ecosystem, MITRE ATT&CK mapping, and built-in SOAR enable building a mature detection and response program.
  • Azure Policy automates compliance — ready-made initiatives for CIS, NIST, ISO 27001, and NIS2 enable continuous compliance assessment and preventive configuration enforcement.

Frequently Asked Questions

What are the most important security services in Azure?

Key security services in Azure include: Microsoft Defender for Cloud (CSPM/CWPP) — continuous configuration assessment and workload protection, Microsoft Entra ID (IAM) — identity management, MFA, Conditional Access, Azure Firewall and NSG (network protection) — multi-layered traffic filtering, Azure Key Vault (secrets management) — centralized storage of keys, certificates, and passwords, Microsoft Sentinel (SIEM/SOAR) — log collection, event correlation, response automation, and Azure Policy (compliance) — configuration enforcement and auditing. These services form an integrated security ecosystem that covers all protection layers — from identity to data.

What is the difference between NSG and Azure Firewall?

NSG (Network Security Group) is a free traffic filter at the subnet or NIC level, operating at layers 3-4 (network/transport). It allows defining allow/deny rules based on IP addresses, ports, and protocols. Azure Firewall is an advanced, managed layer 7 (application) firewall with FQDN filtering (traffic control to specific domains), built-in threat intelligence (automatic blocking of known malicious addresses), TLS inspection (decryption and analysis of HTTPS traffic), and IDPS in the Premium version. NSG is the absolute minimum that should be on every subnet. Azure Firewall provides enterprise-grade protection for organizations requiring advanced traffic control.

How to implement Zero Trust in Azure?

Implementing Zero Trust in Azure involves six steps: (1) Microsoft Entra ID with Conditional Access and MFA for all users — identity as the new perimeter, (2) Azure Private Link instead of public endpoints — traffic does not leave Microsoft’s backbone network, (3) microsegmentation with NSG — each workload isolated, traffic blocked by default, (4) JIT VM Access — administrative ports opened only on demand, (5) Azure Policy as compliance guardrails — preventive enforcement of secure configuration, (6) Microsoft Defender for Cloud for continuous security posture assessment and Sentinel for monitoring. Zero Trust is a continuous process, not a one-time project.

Which compliance benchmarks are natively available in Azure?

Azure natively supports a broad range of benchmarks and regulatory standards: CIS Microsoft Azure Foundations Benchmark (Level 1 and 2), NIST SP 800-53 (Rev. 4 and 5), ISO 27001:2013, PCI DSS v4.0, SOC 2, HIPAA/HITRUST, GDPR, NIS2, and Azure Security Benchmark (ASB) — Microsoft’s own benchmark that covers NIST and CIS recommendations in an Azure-specific context. The Regulatory Compliance Dashboard in Defender for Cloud presents compliance status with selected standards in real time, facilitating audit preparations.
