Security Overview

Security work in Azure enterprise environments always starts the same way — a blank subscription with no guardrails, and a mandate to make it compliant. The tools are there: Defender for Cloud, Sentinel, Key Vault, Policy. The work is connecting them into something coherent and sustainable.

Key Services

Service                        Purpose
Microsoft Defender for Cloud   Unified security management & threat protection
Microsoft Sentinel             Cloud-native SIEM & SOAR solution
Azure Key Vault                Secrets, keys, and certificate management
Azure Policy                   Governance and compliance enforcement

Core Capabilities

Security Posture Management

  • Secure Score: Get a centralized view of your security posture with actionable recommendations
  • Microsoft Cloud Security Benchmark (MCSB): Automatically assigned to all subscriptions
  • Regulatory Compliance Dashboard: Monitor compliance with industry standards (ISO 27001, PCI DSS, SOC 2, HIPAA)

Workload Protection

  • Defender for Servers: Advanced threat protection for VMs
  • Defender for Containers: Security for Kubernetes and container registries
  • Defender for Storage: Protect against malicious uploads and suspicious access
  • Defender for Databases: SQL injection detection and vulnerability assessment

Quick Start Guide

1. Enable Microsoft Defender for Cloud

# Enable the Defender for Servers plan on the current subscription
az security pricing create \
  --name VirtualMachines \
  --tier standard

# Enable the listed Defender plans. --name accepts a single plan per call,
# so loop over the plan names (valid names: az security pricing list)
for plan in VirtualMachines SqlServers AppServices StorageAccounts KubernetesService; do
  az security pricing create --name "$plan" --tier standard
done

2. Review Security Recommendations

  1. Navigate to Microsoft Defender for Cloud in Azure Portal
  2. Check your Secure Score on the overview page
  3. Review Recommendations prioritized by potential impact
  4. Implement high-priority items first

3. Configure Security Policies

# Assign the Microsoft cloud security benchmark initiative to the subscription
az policy assignment create \
  --name 'ASC Default' \
  --policy-set-definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8' \
  --scope /subscriptions/{subscription-id}

Best Practices

Security First

Always follow the principle of least privilege and Zero Trust when configuring access controls.

Enable All Defender Plans

Enable Microsoft Defender plans for comprehensive protection across all resource types. The free tier provides only basic posture management, while the paid plans add enhanced security features such as:

  • Just-in-time VM access
  • Adaptive application controls
  • File integrity monitoring
  • Threat detection and alerts

Automate Security Responses

  • Workflow Automation: Use Logic Apps to automate responses to security alerts
  • Security Alerts Integration: Export to SIEM tools or ticketing systems
  • Continuous Compliance: Automate remediation tasks for non-compliant resources

Regular Security Assessments

  • Review Secure Score weekly
  • Investigate all high and critical severity alerts within 24 hours
  • Conduct monthly compliance audits
  • Update security policies as threats evolve

Network Security

  • Deploy Azure Firewall for centralized network protection
  • Use Network Security Groups (NSGs) on all subnets
  • Enable DDoS Protection for internet-facing applications
  • Implement Web Application Firewall (WAF) for web apps

CI/CD Integration

GitHub Actions Example

name: Security Scan
on: [push]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Run Microsoft Defender for Cloud scan
        uses: azure/defender-for-cloud-action@v1
        with:
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Upload security results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: security-results.sarif

Azure DevOps Pipeline

trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: AzureCLI@2
    displayName: 'Check Security Compliance'
    inputs:
      azureSubscription: 'your-connection'
      scriptType: 'bash'
      scriptLocation: 'inlineScript'
      inlineScript: |
        # Get compliance status
        az security assessment list --output table

Common Pitfalls to Avoid

The mistake I see most often is leaving Defender for Cloud in the free tier on production subscriptions. The free tier gives you a score and not much else — no threat detection, no just-in-time access, no vulnerability scanning. It looks like you've enabled security. You haven't.

The second most common mistake is ignoring medium-severity recommendations because the team is focused on critical findings. Medium findings accumulate. Six months of ignored medium findings is a material attack surface.

I never disable automatic provisioning of monitoring agents. Teams disable it because it touches their VMs and that makes them nervous. I understand the concern, but without the agents you're flying blind. I also never grant the Security Admin role without a specific, time-boxed justification — overly permissive access to that role is a compliance finding waiting to happen.

I always use just-in-time VM access instead of leaving RDP or SSH ports open permanently. I integrate Sentinel from day one and automate remediation for the findings that have safe, well-understood fixes.

Compliance & Regulatory Standards

Defender for Cloud helps meet compliance requirements:

  • HIPAA: Health Insurance Portability and Accountability Act
  • PCI DSS: Payment Card Industry Data Security Standard
  • SOC 2: Service Organization Control 2
  • ISO 27001: Information Security Management
  • NIST SP 800-53: Security controls for federal information systems
  • CIS: Center for Internet Security benchmarks

Monitoring & Alerting

Configure Alert Notifications

# Create an action group that e-mails the security team on alerts
az monitor action-group create \
  --name SecurityTeam \
  --resource-group rg-security \
  --short-name SecTeam \
  --email-receiver name=SecurityTeam email=security@company.com

Key Metrics to Track

  • Secure Score trend (target: >80%)
  • Number of unhealthy resources
  • Mean time to remediate (MTTR) critical findings
  • Percentage of resources with vulnerability scans enabled
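The Azure DevOps step above only prints `az security assessment list` as a table; a pipeline needs a pass/fail decision, and the metrics listed here need to be computed from that same output. The script below is an added example (not from this page or from Microsoft) that turns assessment JSON into the unhealthy-resource count, a healthy-ratio stand-in for Secure Score, and a gate that fails the build on unhealthy high-severity findings. It assumes the assessment records were fetched with metadata expanded so that `metadata.severity` is present, and uses constructed sample records in that shape.

```python
"""Compliance gate over Defender for Cloud assessment JSON (added example)."""
from collections import Counter


def _a(name, resource_id, code, severity):
    """Build one record in the shape of `az security assessment list -o json`.
    Assumption: metadata was expanded, so `metadata.severity` is populated."""
    return {"displayName": name, "resourceDetails": {"id": resource_id},
            "status": {"code": code}, "metadata": {"severity": severity}}


# Constructed sample data; resource ids and findings are illustrative only.
VM1 = "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-01"
ST1 = "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp01"
ST2 = "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stlogs01"
SAMPLE_ASSESSMENTS = [
    _a("MFA should be enabled on accounts with owner permissions", "/subscriptions/sub-1", "Unhealthy", "High"),
    _a("Management ports of VMs should be protected with JIT access", VM1, "Unhealthy", "High"),
    _a("Secure transfer to storage accounts should be enabled", ST1, "Healthy", "Medium"),
    _a("Secure transfer to storage accounts should be enabled", ST2, "Unhealthy", "Medium"),
    _a("Log Analytics agent should be installed on VMs", VM1, "NotApplicable", "Low"),
    _a("Vulnerability assessment should be enabled on VMs", VM1, "Unhealthy", "Medium"),
]


def summarize(assessments):
    """Key metrics: healthy ratio (a simple stand-in, not Microsoft's weighted
    Secure Score), unhealthy finding count, distinct unhealthy resources and
    unhealthy findings per severity. NotApplicable records are excluded."""
    evaluated = [a for a in assessments if a["status"]["code"] in ("Healthy", "Unhealthy")]
    unhealthy = [a for a in evaluated if a["status"]["code"] == "Unhealthy"]
    healthy_pct = 100.0 * (len(evaluated) - len(unhealthy)) / len(evaluated) if evaluated else 100.0
    by_severity = Counter((a.get("metadata") or {}).get("severity", "Unknown") for a in unhealthy)
    return {"healthy_pct": round(healthy_pct, 1),
            "unhealthy_findings": len(unhealthy),
            "unhealthy_resources": len({a["resourceDetails"]["id"] for a in unhealthy}),
            "by_severity": dict(by_severity)}


def gate(assessments, min_healthy_pct=80.0, block_on=("High",)):
    """Pipeline decision: returns (ok, reasons). Fails below the healthy target
    or when any unhealthy finding has a blocking severity."""
    s = summarize(assessments)
    reasons = []
    if s["healthy_pct"] < min_healthy_pct:
        reasons.append(f"healthy ratio {s['healthy_pct']}% is below target {min_healthy_pct}%")
    for sev in block_on:
        if s["by_severity"].get(sev):
            reasons.append(f"{s['by_severity'][sev]} unhealthy {sev}-severity finding(s)")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = gate(SAMPLE_ASSESSMENTS)
    print("PASS" if ok else "FAIL: " + "; ".join(why))
    raise SystemExit(0 if ok else 1)
```

In a real pipeline step, replace `SAMPLE_ASSESSMENTS` with `json.load` over the output of `az security assessment list -o json` and let the non-zero exit status fail the job.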