🏛 Azure Security Architecture
Azure security is built around a hierarchical governance model that aligns security controls with organizational structure. Unlike AWS where IAM is the central plane, Azure's identity plane is Microsoft Entra ID (formerly Azure Active Directory) — making identity the true perimeter, especially for organizations with existing Microsoft investments.
Azure Landing Zones
Azure Landing Zones provide opinionated reference architectures for deploying workloads with security guardrails pre-configured. They implement the management group hierarchy, policy assignments, and connectivity patterns recommended by Microsoft.
- Management Groups → Subscriptions → Resource Groups → Resources
- Platform Landing Zone: connectivity, identity, management subscriptions
- Application Landing Zones: corp and online archetypes
- Azure Blueprints (now Deployment Stacks) for repeatable secure deployments
Azure Policy & Governance
Azure Policy enforces organizational standards across all subscriptions and resource groups. It is the equivalent of AWS SCPs but operates at the resource level rather than the API call level.
- Policy definitions: built-in (500+) or custom JSON definitions
- Policy initiatives (sets): group related policies for compliance standards
- Policy effects: Deny, Audit, Append, DeployIfNotExists, Modify
- Assign at management group level to inherit across all subscriptions
- Remediation tasks to fix non-compliant existing resources
Hybrid Identity
Most enterprises integrate on-premises Active Directory with Entra ID for unified identity management. This extends cloud security to on-premises and vice versa.
- Entra Connect Sync: synchronize on-prem AD users to Entra ID
- Entra Connect Cloud Sync: lightweight agent-based alternative
- Password Hash Sync vs Pass-Through Authentication vs Federation
- Entra ID Password Protection: ban weak passwords on-prem and cloud
👤 Microsoft Entra ID Security
Microsoft Entra ID is the identity backbone of the Azure ecosystem. With Entra ID P1 or P2, organizations gain access to powerful security capabilities including Conditional Access, Privileged Identity Management, and automated risk-based authentication — collectively implementing zero trust principles at the identity layer.
| Feature | Entra ID Free | Entra ID P1 | Entra ID P2 |
|---|---|---|---|
| Basic MFA | ✓ (per-user MFA) | ✓ | ✓ |
| Conditional Access | ✗ | ✓ | ✓ |
| Self-Service Password Reset | Cloud only | ✓ with writeback | ✓ with writeback |
| Dynamic Groups | ✗ | ✓ | ✓ |
| Privileged Identity Management (PIM) | ✗ | ✗ | ✓ |
| Identity Protection (user/sign-in risk) | ✗ | ✗ | ✓ |
| Access Reviews | ✗ | ✗ | ✓ |
| Entitlement Management | ✗ | ✗ | ✓ |
Conditional Access Policies
Conditional Access is the zero trust policy engine for Entra ID. It evaluates signals and enforces access controls based on user, device, location, and risk context.
- Require MFA for all admin roles unconditionally
- Require compliant/Entra-joined device for corporate apps
- Block legacy authentication protocols (SMTP AUTH, IMAP, POP3)
- Risk-based: require step-up auth when sign-in risk is medium/high
- Named locations: trust known office IPs, challenge unknown locations
- Session controls: limit download in unmanaged devices via Defender for Cloud Apps
Privileged Identity Management (PIM)
PIM provides just-in-time (JIT) privileged access, eliminating standing admin privileges that can be abused if an account is compromised.
- Eligible assignments: users request activation when needed (time-limited)
- Activation requires MFA, justification, and optionally approval
- Time-bound: Global Admin for 1 hour, not permanently assigned
- Alerts on permanent assignments, unused roles, no MFA on activation
- Access reviews: periodic re-certification of privileged role memberships
- PIM for Groups: extend JIT to group membership (not just Azure RBAC roles)
Entra ID App Registrations & Service Principals
Application identities in Entra ID use App Registrations (the template) and Service Principals (per-tenant instance). Common security issues include over-privileged app permissions, client secrets with no expiry, and unused applications with sensitive Graph API permissions. Audit app registrations regularly with Entra ID's application governance features.
🛡 Azure Defender for Cloud
Microsoft Defender for Cloud (formerly Azure Security Center + Azure Defender) is Azure's unified CSPM and CWPP platform. It provides a Secure Score to quantify your security posture and Defender plans that activate workload-specific threat detection for each Azure resource type.
| Defender Plan | What It Protects | Key Detections |
|---|---|---|
| Defender for Servers | Azure VMs, on-prem servers via Arc, AWS/GCP instances | Fileless attacks, credential dumping, lateral movement, vulnerability assessment (integrated Qualys) |
| Defender for Storage | Azure Blob Storage, Azure Files, ADLS Gen2 | Malware scanning, anomalous access patterns, data exfiltration, ransomware upload |
| Defender for SQL | Azure SQL DB, SQL Managed Instance, SQL Server on VMs | SQL injection attempts, anomalous queries, brute force, data exfiltration |
| Defender for Containers | AKS clusters, Arc-enabled Kubernetes, container registries | Privileged containers, crypto mining, privilege escalation, exposed dashboards |
| Defender for App Service | Azure App Service web apps and API apps | Web shells, dangling DNS, phishing pages, suspicious outbound connections |
| Defender for Key Vault | Azure Key Vault | Unusual access patterns, access from suspicious IPs, high volume secret retrieval |
Secure Score & CSPM
The Secure Score aggregates all Defender for Cloud recommendations into a single percentage representing your security posture. Recommendations are prioritized by potential score increase and severity.
- Score drops when new unhealthy resources are discovered
- Controls are weighted — fix high-impact controls first
- CNAPP capabilities: attack path analysis, cloud security graph
- Agentless scanning for VMs and containers without sensor deployment
Regulatory Compliance Dashboard
Defender for Cloud maps its assessments to industry and regulatory standards, giving continuous compliance visibility without manual audit prep.
- Built-in standards: NIST SP 800-53, PCI DSS, SOC 2, ISO 27001, CIS Azure
- Custom standards: upload your own control framework as JSON
- Compliance score per standard with failing controls highlighted
- Export compliance reports for auditors as PDF or CSV
📊 Microsoft Sentinel (SIEM/SOAR)
Microsoft Sentinel is a cloud-native SIEM and SOAR platform built on Azure Log Analytics. Its tight integration with the Microsoft ecosystem and powerful KQL query language makes it a strong choice for Azure-centric organizations. It can ingest logs from virtually any source via its 300+ data connectors.
Data Ingestion & Analytics
- Native connectors: Entra ID, Defender XDR, Microsoft 365, Azure Activity
- Third-party connectors: Palo Alto, Fortinet, Okta, AWS CloudTrail, GCP
- CEF/Syslog agent for any log source via Azure Monitor Agent
- Analytics rules: Scheduled (KQL query on schedule), Near-Real-Time (NRT), Fusion (ML correlation), Anomaly (UEBA)
- UEBA: User and Entity Behavior Analytics for insider threat detection
SOAR Automation
- Automation rules: auto-assign, suppress, or close incidents by conditions
- Playbooks: Logic Apps workflows triggered by incident/alert creation
- Common playbooks: isolate VM, disable Entra user, block IP in Firewall
- Bi-directional integration with ServiceNow, JIRA for ticketing
- Microsoft Copilot for Security integration for AI-assisted investigation
KQL Detection Rule Example
// Detect multiple failed logins followed by a success (password spray + success)
let failureThreshold = 10;
let timeWindow = 30m;
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0" // Failed logins
| summarize FailureCount = count(),
FailedUsers = makeset(UserPrincipalName)
by IPAddress, bin(TimeGenerated, timeWindow)
| where FailureCount >= failureThreshold
| join kind=inner (
SigninLogs
| where ResultType == "0" // Successful logins
) on IPAddress
| project TimeGenerated, IPAddress, FailureCount,
SuccessfulUser = UserPrincipalName, FailedUsers
| extend AlertSeverity = "High"
Sentinel vs Splunk for Azure
For Azure-native environments, Sentinel typically wins on integration depth, licensing model, and management overhead. Splunk remains stronger for heterogeneous on-prem/cloud environments with existing Splunk investments.
- Sentinel: pay-per-GB ingested; no infrastructure; Microsoft 365 Defender connector is free
- Splunk: expensive licensing; more mature ecosystem; better for non-Azure sources
- Sentinel Codeless Connector Platform: build custom connectors without code
Threat Intelligence Integration
- Import IOCs via STIX/TAXII feeds directly into Sentinel
- Microsoft Defender Threat Intelligence (MDTI) integration
- TI matching analytics: alert when IOCs appear in any ingested log
- Threat Intelligence workbooks for IOC visualization and management
🔒 Azure Network & Data Security
Azure's network and data security layers work in concert to protect both traffic flows and sensitive data at rest and in transit. Azure Key Vault and Microsoft Purview Information Protection anchor the data security strategy, while NSGs and Azure Firewall control network access.
Network Security Controls
- NSGs: layer-4 stateful filtering on subnets and NICs — analogous to AWS Security Groups
- Azure Firewall: layer-7 FQDN filtering, TLS inspection, threat intelligence feeds
- Azure DDoS Protection: Standard tier provides SLA-backed mitigation and attack analytics
- Private Endpoints: bring Azure PaaS services into your VNet with private IP
- Azure Front Door + WAF: global edge protection with OWASP rules and bot management
Azure Key Vault
Key Vault provides centralized management of secrets, encryption keys, and TLS/SSL certificates. It should be the single source of truth for all sensitive configuration in Azure applications.
- Secrets: connection strings, API keys, passwords
- Keys: RSA/EC keys for application-level encryption; BYOK with HSM
- Certificates: lifecycle management with auto-renewal via CA integration
- Enable soft-delete and purge protection to prevent accidental/malicious deletion
- Use Managed Identity to access Key Vault without credentials
Data Protection
- Azure Storage Service Encryption (SSE): AES-256 at rest by default
- Azure Disk Encryption (ADE): VM disk encryption via BitLocker/dm-crypt using Key Vault
- TDE (Transparent Data Encryption): SQL database encryption at rest
- Microsoft Purview Information Protection (MIP): sensitivity labels for Office/email data
- Defender for Cloud Apps: CASB for shadow IT and data governance
- Purview DLP policies prevent sensitive data from leaving the tenant
The Azure Security Trinity
For organizations serious about Azure security, the highest-return combination is: Entra Conditional Access (zero trust access control) + Privileged Identity Management (JIT admin access) + Defender for Cloud (continuous posture management and threat detection). These three services address the top three attack vectors in Azure environments: credential attacks, standing privilege abuse, and resource misconfiguration.