As entities of every sector move more apps and workloads to the cloud, security is becoming a top priority. Microsoft Azure, one of the world’s most popular cloud platforms, provides a range of security tools and best practices to help businesses protect their assets stored in their environments.
However, securing an Azure environment is about more than just enabling default protections—it’s about helping users maintain compliance, too. This takes a forward-thinking approach to identity management, network security, logging, and monitoring.
To strengthen security, Microsoft has made several key changes, including mandatory Multi-Factor Authentication, new AI-driven security integrations, and enhancements to Azure Bastion for remote access. Also, many of its security solutions have been rebranded to move with the times.
This guide sets out eight fundamental best practices to help entities secure their Microsoft Azure environments, helping to limit risk, maintain compliance, and stay a step ahead of evolving threats.
1. Identity Management with Microsoft Entra ID
Azure Active Directory (Azure AD) has been rebranded as Microsoft Entra ID. Multi-Factor Authentication (MFA) is a critical security measure, and as of last year, Microsoft announced that these tools will become mandatory for Azure sign-ins.
At a minimum, any Microsoft Entra ID user with administrative roles or resource management capabilities should have MFA enabled. Additionally:
- Password policy settings should enforce complex passwords.
- Custom roles should be audited to ensure they don’t have excessive administrative permissions.
- Guest user access should be limited, and permissions should be restricted as much as possible.
- If Active Directory Federation Services (ADFS) is used for authentication, on-premises Active Directory should be monitored for security and compliance.
2. Microsoft Defender for Cloud
Microsoft has rebranded Azure Security Center as Microsoft Defender for Cloud. This service offers advanced threat protection and security management for Azure, multi-cloud, and hybrid environments.
- Enable virtual machine security data collection by default using the automatic provisioning of the monitoring agent.
- Regularly review the Recommendations tab in Defender for Cloud to address potential security gaps.
- Ensure that security contact information is up to date for incident notifications.
- Consider upgrading from the free tier to the Standard tier to benefit from threat detection for virtual machines and databases.
Also, Microsoft Copilot integrations have been introduced in Azure Web Application Firewall and Azure Firewall, boosting security with AI-powered capabilities.
Copilot improves Azure security by providing an AI-powered assistant that helps security teams quickly identify, investigate, and respond to threats in real-time using natural language prompts, streamlining the security process and fueling faster threat detection and remediation. It also provides insights and context to make informed decisions; acting as a proactive security partner within the Azure environment.
3. Networking and Azure Bastion Enhancements
Restricting remote access is crucial:
- Limit SSH and RDP exposure in Network Security Groups—do not open ports 22 or 3389 to the public internet.
- If running Microsoft SQL Server, ensure its separate SQL Server Firewall is configured securely.
- Implement operating system firewalls inside virtual machines for defense in depth.
- Conduct vulnerability scans using a security solution that follows Azure’s Pentest Rules of Engagement.
New since May 2024, Azure Bastion introduced a Premium SKU, offering session recording, monitoring, and auditing for more secure remote access to virtual machines.
4. Logging with Ample Storage Retention
Logging is key for security auditing and compliance:
- Enable Activity Log storage for tracking changes and security events.
- Ensure flow logging is enabled for Network Security Groups.
- Enable SQL Server Database auditing for better visibility into database activity.
- Use encrypted storage accounts with “Storage Service Encryption” and “Secure Transfer Required.”
- Retain logs for more than 90 days, or set retention to unlimited where possible.
5. Monitoring with Activity Log Alerts
Activity Log Alerts help detect security events in real time. Alerts should be created for:
- Policy assignments and security solution changes
- Network Security Group and firewall rule modifications
- Security policy updates
- SQL Server Firewall rule changes
With Microsoft Sentinel (formerly Azure Sentinel), businesses can integrate SIEM and SOAR capabilities for enhanced security monitoring and automated response.
6. Cloud Storage Account Security
To secure cloud storage accounts:
- Enable blob encryption, file encryption, and secure transfer for all storage accounts.
- Rotate Storage Account access keys periodically to reduce the risk of credential compromise.
- Use Shared Access Signatures (SAS) with strict expiration times (eight hours or less).
- Audit public access to Blob or file containers and restrict it unless necessary.
7. Virtual Machine Security Data
Azure virtual machines should be hardened using best practices similar to on-premises security:
- Keep OS and software patches up to date.
- Run endpoint protection to prevent malware threats.
- Use disk encryption to protect sensitive data at rest.
Furthermore, the virtual machine agent should be kept running to ensure security telemetry collection.
8. Microsoft SQL Server and Threat Detection
Microsoft SQL Server integration remains a strong feature in Azure, and security settings should be optimized:
- Restrict SQL Server Firewall access to only required IP ranges.
- Enable audit logs for security insights and breach detection.
- Use Microsoft Defender for SQL (previously Azure Defender for SQL) to detect SQL injection and other threats.
With Microsoft Copilot integrations, AI-driven security insights are now available to enhance database security monitoring and response.