The 30-second version: Azure security is a Microsoft-shaped stack - Entra ID for identity, Defender for Cloud for posture and workload protection, Sentinel for SIEM/SOAR, Defender XDR for endpoint and identity threat detection, Key Vault for secrets and keys, Purview for data governance and DLP, Azure Firewall / App Gateway WAF / NSGs for network controls, and Azure Policy for guardrails. The reference architecture is the Cloud Adoption Framework Enterprise-Scale Landing Zone - management groups, hub-spoke networking, Defender at the root, Sentinel at a central log-analytics workspace.
What makes Azure security different from AWS or GCP: identity is the front door (Entra ID is everywhere, not just for Azure but for Microsoft 365 and any app federated to it), Conditional Access is the universal policy engine, RBAC inherits silently down the management-group hierarchy, and the licensing maze (E3 / E5 / A5 / Defender for Cloud plan P1 / P2) decides which features you actually get. This page is the practitioner's overview of all of it.
On this page
- Shared responsibility in Azure
- CAF Secure methodology
- Well-Architected - Security pillar
- Core Azure security services
- Reference architecture - Landing Zones
- Top 10 Azure misconfigurations
- Azure-specific attack paths
- Entra ID vs traditional Active Directory
- Azure-native vs third-party comparisons
- Azure on the other CSOH pages
- Certifications - AZ-500 / SC-200 / SC-100
- Native vs third-party - when each fits
- Further reading
- FAQ
- Where next
CAF Secure methodology
Microsoft's Cloud Adoption Framework Secure methodology is the prescriptive guidance that sits above individual tools - the "how do we run a secure Azure program?" answer Microsoft publishes for itself and its customers. It's organized around eight disciplines:
- Risk insights - understand the business impact, threat landscape, and risk appetite that drive everything below.
- Security integration - security as a partner to every business unit and engineering team, not a gate.
- Business resilience - keep operating through incidents; assume breach and design for recovery.
- Access control - zero-trust identity and explicit authorization for every request.
- Security operations - detect, respond, recover; the Sentinel + Defender XDR + Security Copilot stack.
- Asset protection - workloads, data, networks, devices; Defender for Cloud is the spine.
- Innovation security - secure the SDLC; pair with the CI/CD page on Azure DevOps / GitHub Actions.
- Governance - Azure Policy, Blueprints (deprecated, use Deployment Stacks), management-group hierarchy, compliance reporting.
CAF Secure is the program-level framework; the rest of this page is the tools you reach for to execute it.
Well-Architected - Security pillar
The Azure Well-Architected Framework - Security pillar is Microsoft's architectural review framework - design principles you apply at the workload level, complementary to CAF's program-level guidance. The pillar's design principles:
Plan resources & how to harden them
Inventory first. You cannot secure what you don't know exists. Tag resources, baseline configurations, and decide per-resource what "good" looks like before traffic flows.
Automate
Use Azure Policy, Deployment Stacks, Bicep / Terraform, and CI/CD to make secure-by-default the path of least resistance for developers. Manual hardening doesn't survive scale.
Protect your code
Secure the SDLC. Defender for DevOps surfaces secrets, IaC misconfigurations, and CVEs in the pipeline; GitHub Advanced Security and Azure DevOps integrate similar checks at PR time.
Apply segmentation
Identity, network, and workload boundaries. Conditional Access, Private Link, separate subscriptions for environments - segmentation limits blast radius when a single boundary fails.
Encrypt data
In transit and at rest. Azure encrypts almost everything by default with platform-managed keys; customer-managed keys (CMK) and Managed HSM are the upgrade path when regulators ask.
Continuously monitor & assume breach
Defender for Cloud + Sentinel + Defender XDR for detection. Tabletop the breach-already-happened scenario; build the response runbooks before you need them.
Walk a new workload through the Well-Architected Review (the Microsoft Assessments tool automates most of the questionnaire) at design time and again before go-live. The questions are mostly the ones you should have been asking anyway; the value is the structure that ensures none of them get skipped.
Core Azure security services
The opinionated catalog - what each service is, what it's good for, what its limits are. Grouped by what they do, not by what they're called.
Detection & posture
- Microsoft Defender for Cloud - the Azure-native CSPM + CWPP. The free Foundational CSPM tier ships secure-score and regulatory-compliance dashboards across CIS / NIST / PCI / ISO 27001 / SOC 2. The Defender CSPM plan adds attack-path analysis, agentless scanning, code-to-cloud context, and DevOps integration. Workload-protection plans cover servers (P1 / P2), containers, databases, storage, App Service, Key Vault, and Resource Manager - pay per-resource per-month. Multi-cloud connectors for AWS and GCP exist; depth still lags Azure parity.
- Microsoft Sentinel - cloud-native SIEM and SOAR on top of Log Analytics. KQL is the query language. First-party connectors for every Microsoft data source (Entra, Defender XDR, Azure activity, M365) flow free of license charge; ingestion is metered. Playbooks (Logic Apps) handle SOAR - auto-triage, enrichment, response. Pair with the Cloud SOC page for the SOC operating model around it.
- Microsoft Defender XDR - the unified XDR portal pulling Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, and Entra ID Protection together. The investigation experience that correlates an endpoint detection with the user's mailbox activity and the Entra sign-in that preceded it. Increasingly the SOC's primary console for Microsoft-shop incidents.
- Microsoft Security Copilot - LLM-assisted analyst tooling. Incident summarization, KQL generation, threat-intel synthesis, malware reverse-engineering hints. Billed as Security Compute Units (SCUs). Force-multiplier for experienced analysts; not a tier-1 replacement.
- Azure Monitor - the metric, log, and alert platform underneath everything. Log Analytics workspace is the storage; Application Insights is the APM slice. Sentinel runs on top of Log Analytics. The plumbing every detection eventually depends on.
- Activity Log - the Azure control-plane audit log. Every ARM API call against your subscriptions. The single most-requested evidence class in any Azure audit. Stream it to Log Analytics and Sentinel; retain per your compliance obligation.
- Diagnostic Settings - per-resource configuration that ships resource-level logs and metrics to Log Analytics, Event Hubs, or Storage. The thing that makes "Sentinel sees the Key Vault audit log" actually true. Enforce via Azure Policy; default-on is your friend.
Identity
- Microsoft Entra ID (formerly Azure AD) - the cloud identity provider for Azure, M365, and any SaaS federated to it. Users, groups, applications, service principals, managed identities all live here. The licensing tiers (Free, P1, P2) decide which advanced features (Conditional Access, PIM, Identity Protection) you get; most enterprise tenants run P2 via Microsoft 365 E5 or Entra ID P2 standalone.
- Entra ID Governance - access reviews, entitlement management (access packages), lifecycle workflows for joiners-movers-leavers. The slice that makes "least privilege, periodically reviewed" auditable. Licensed separately from base Entra; required for serious IGA-grade governance.
- Entra Privileged Identity Management (PIM) - just-in-time elevation for both Entra and Azure RBAC roles. Default to eligible (not active) for any sensitive role; require approval, MFA, and a justification at elevation; cap the activation window. The single highest-leverage PAM control in any Azure tenant.
- Conditional Access - the universal policy engine. Per sign-in, evaluates user / app / device / location / risk signals and decides allow / block / require-MFA / require-compliant-device. The closest thing Microsoft has to a zero-trust policy decision point. Plan it like code: source-controlled, environments, deploy via policy templates. The wrong CA policy will lock out the tenant - keep a break-glass account excluded.
- Entra Permissions Management (formerly CloudKnox) - the cloud-infrastructure-entitlement-management (CIEM) product. Discovers unused permissions across Azure, AWS, and GCP; recommends right-sized roles; tracks the Permission Creep Index. Where "least privilege at scale" gets quantitative.
- Managed Identities - Azure resources that authenticate to other Azure resources without you storing credentials. System-assigned (lifecycle bound to the resource) or user-assigned (independent lifecycle, reusable). The right pattern for VM-to-Key-Vault, Function-to-Storage, AKS-to-ACR, etc. Replaces virtually every connection string and embedded secret use case.
- Entra External ID (formerly Azure AD B2C / B2B) - the unified B2C (customer identity) and B2B (partner collaboration) offering. Replaces the older Azure AD B2C product for new deployments. Custom user flows, social logins, MFA for external identities.
- Entra Verified ID - verifiable credentials based on the W3C standard. Issuer / verifier flows for employment, age, identity verification. Adoption is early; useful for specific high-assurance workflows.
Data protection
- Azure Key Vault - the secret, key, and certificate store. RBAC or access-policy authorization. Soft-delete and purge protection are required for compliance; turn both on at create time. Premium tier backs keys with FIPS 140-2 Level 2 HSMs. Diagnostic Settings → Log Analytics → Sentinel for the audit-log breadcrumb auditors expect.
- Azure Managed HSM - single-tenant FIPS 140-2 Level 3 HSM. Required for regulators that don't accept multi-tenant Key Vault Premium. Pricier; the upgrade path when SOC 2 / FedRAMP / PCI auditors push back on key-isolation guarantees.
- Microsoft Purview - the umbrella for data governance (catalog, lineage, classification), DLP (data loss prevention across M365 + endpoints), insider risk management, and compliance manager. The Microsoft answer to "where does our sensitive data live and who's moving it where?" Pair with the Data Security page.
- Azure Information Protection (AIP) - sensitivity labels for documents and email. Folds into Purview now (labels live in the Purview portal). Encrypts content at rest in the file itself; access decisions follow the document wherever it travels.
- Storage encryption - Azure Storage encrypts everything at rest by default with Microsoft-managed keys. Customer-managed keys (CMK) backed by Key Vault are a per-account configuration. Infrastructure encryption adds a second encryption layer for double-encrypted regulatory workloads.
- Always Encrypted (SQL) - column-level encryption for Azure SQL where the keys live with the client, not the database. Even a DBA with full server access cannot read protected columns. Pair with secure enclaves for queries on encrypted data.
Network
- Azure Firewall - stateful, cloud-native firewall. Standard tier for L3/L4; Premium adds TLS inspection, IDPS, URL filtering, web categories. Firewall Manager centralizes policy across hubs in a hub-spoke or vWAN topology. Pricing is per-hour-plus-data-processed; cheap to neglect, expensive at scale - size with a real traffic estimate.
- Azure Front Door - global L7 edge + CDN + WAF. The right front-door for internet-facing apps that want global anycast, TLS termination, and DDoS-resilient ingress. Standard / Premium tiers; Premium adds Private Link to origins and more WAF features.
- Application Gateway WAF - regional L7 with WAF (managed OWASP rule set + custom rules). Use when traffic is regional and you want VNet-internal load balancing with WAF inspection.
- DDoS Protection - Basic is on by default for every public IP at no charge (platform-level absorption). Network and IP protection plans add tuned mitigation, telemetry, and rapid-response support - required for any serious public-facing workload.
- Private Link - PaaS services (Storage, SQL, Key Vault, etc.) reachable over a private IP in your VNet, not the public internet. The single highest-leverage move for shrinking the public-internet exposure of a Microsoft-managed service. Pair with Private DNS Zones.
- Network Security Groups (NSGs) - stateful packet-filter rules at the subnet or NIC level. The Azure analogue to AWS security groups. Default-deny inbound on workload subnets; explicit allow-lists; service tags instead of IP literals where possible.
- Application Security Groups (ASGs) - abstraction that lets you write NSG rules against named application tiers (app-web, app-api, app-db) instead of IPs. Makes the policy survive IP churn.
- Service Endpoints - older mechanism that lets a subnet reach a PaaS service over the Microsoft backbone with the service's firewall trusting the VNet. Largely superseded by Private Link for new designs.
- Azure Virtual Network Manager (AVNM) - centralized network configuration and security-rule management across many VNets. Connectivity configurations (hub-spoke, mesh) and security-admin rules that override NSGs are the high-leverage features.
Compliance & governance
- Microsoft Purview Compliance Manager - scores your tenant against 350+ regulatory frameworks (SOC 2, ISO 27001, NIST, GDPR, HIPAA, FedRAMP, etc.). Mixes auto-evaluated technical controls with manual attestation tracking. The Microsoft-side analogue to a GRC-platform module; pair with the GRC page.
- Azure Policy - the policy-as-code engine. JSON-defined rules that audit or enforce at the management-group, subscription, or resource-group scope. Initiative definitions bundle policies into framework-aligned sets (CIS, NIST, Azure Security Benchmark). DeployIfNotExists for auto-remediation. Pair with the Compliance Frameworks page.
- Azure Blueprints (deprecated) - was Microsoft's bundle of ARM templates, policies, and RBAC assignments for repeatable subscription deployments. Replaced by Deployment Stacks (with Bicep / ARM) or the Terraform Azure Landing Zones modules. Existing Blueprint deployments still function; new programs should adopt the replacements.
- Service Trust Portal - Microsoft's repository of audit reports (SOC 2, ISO, FedRAMP), DPAs, and compliance documentation for Azure and M365. The single most-requested URL during a vendor-risk-assessment cycle; download the relevant attestations under NDA and store them in your evidence repository.
Incident response
- Microsoft Sentinel SOAR - playbooks (Logic Apps) that trigger on analytics-rule incidents. Enrichment (lookup IPs against threat intel, pull user context), containment (disable an Entra user, isolate a VM), and notification (page on-call, post to Teams). Most mature SOCs invest more in playbook engineering than in writing new detection rules.
- Defender XDR investigation - the cross-product investigation graph: an Entra sign-in → an endpoint detection → a mailbox forwarding rule → a Defender for Cloud alert are correlated into one incident. Automatic attack disruption can isolate a device or disable an account when high-confidence patterns hit.
- Security Copilot triage - natural-language summaries of incidents, suggested KQL for hunting, and step-by-step responder guidance. Mid-2026 the IR-acceleration use case is the most-validated; assume verification still required on every action.
For the discipline above the tools, see the Incident Response page.
Reference architecture - Landing Zones
The Cloud Adoption Framework Enterprise-Scale Landing Zone is Microsoft's reference architecture for a multi-subscription Azure tenant - the equivalent of AWS Control Tower / Organizations + a hub-spoke network. It's prescriptive without being rigid; treat it as the default unless you have specific reasons to diverge.
The management-group hierarchy
A typical Enterprise-Scale hierarchy under the Tenant Root Group:
- Intermediate root (often named after the org) - the highest level where you apply tenant-wide policy. Apply Defender for Cloud at this level so every subscription inherits.
- Platform - Microsoft's term for the subscriptions that host shared services. Children:
  - Identity - domain controllers, Entra Connect, identity-related infra.
  - Management - the central Log Analytics workspace, Automation Account, Sentinel.
  - Connectivity - the hub VNet, Azure Firewall, ExpressRoute / VPN gateways.
- Landing zones - application subscriptions. Typically split by corp (private-only, fully governed) and online (internet-facing) under the parent.
- Sandbox - relaxed-governance subscriptions for experimentation. Hard-bounded by SCP-style policy denies on expensive or risky resource types.
- Decommissioned - quarantine for subscriptions on the way out.
Security controls at each layer
- Tenant Root Group - minimal policy here (Microsoft applies its own); used mostly for the Security Reader / Global Reader role assignments that need full-tenant visibility.
- Intermediate root - Defender for Cloud plans enabled, Azure Security Benchmark policy initiative assigned, log diagnostic-settings enforcement, deny-list policies for unapproved regions / SKUs.
- Management subscription - central Log Analytics workspace receives all subscription-level Activity Logs and resource-level Diagnostic Settings. Sentinel sits on top of this workspace.
- Connectivity subscription - hub-spoke or vWAN. Azure Firewall (or NVA) at the hub, Private DNS Zones, ExpressRoute or VPN to on-prem. All spoke traffic transits the hub.
- Workload subscriptions - RBAC scoped at this level, no Owner role at higher scopes. Workload teams build inside the guardrails the platform team set above.
Identity placement
Entra ID is tenant-wide - it doesn't live "in a subscription." Conditional Access, PIM, and Entra ID Governance policies are managed centrally by an identity-platform team and apply to everyone. Treat the identity tenant as the most sensitive Azure-adjacent asset you operate: a tenant compromise dwarfs almost any single-subscription incident.
For the cross-cloud version of this content, see the Landing Zones page.
Top 10 Azure misconfigurations
The patterns CSPM tools find most often in real Azure tenants. Each one shows up in a Defender for Cloud secure-score scan or any vendor-neutral CSPM within minutes of connecting.
- Anonymous Storage blob access enabled. Containers set to Blob or Container public access serve their contents to the open internet. The Azure equivalent of a public S3 bucket. Disable at the storage-account level (`allowBlobPublicAccess: false`) and enforce via Azure Policy at the management-group scope.
- Classic admin (co-administrator) still active. The legacy Azure Service Management role co-exists with modern RBAC and grants full Owner-equivalent access at the subscription level. Migrate any remaining co-admins to scoped RBAC; remove the assignment.
- No MFA on Global Administrator. The highest-impact Entra role with no second factor. Conditional Access with "require MFA for admins" is the baseline. Combine with PIM so Global Admin is eligible-not-active by default.
- Weak Conditional Access posture. CA policies that allow legacy authentication, don't block sign-ins from high-risk countries, or have major exclusions for "the executive team." Disable legacy auth tenant-wide; minimize exclusions; track who's excluded from what in a register.
- Public Function App / App Service with anonymous access. A serverless endpoint or web app exposed to the internet with no authentication. Pair with Serverless: function-key authentication is not enough by itself; use Easy Auth / App Service Authentication or front with API Management + OAuth.
- NSG with `0.0.0.0/0` → any port. The Azure analogue of a wide-open security group. Trips every CSPM by default. Restrict source addresses; use Bastion or just-in-time VM access instead of public RDP/SSH ports.
- No Defender for Cloud workload protection plans enabled. The free Foundational CSPM is on by default, but workload protection (Defender for Servers, Containers, Storage, SQL, Key Vault) is opt-in per-resource-type. Without it, you have posture findings but no runtime threat detection. Enable at the management-group scope.
- Unencrypted (or default-key-only) managed disks for regulated workloads. Azure encrypts managed disks by default with platform-managed keys; for HIPAA / PCI / FedRAMP scopes, regulators often expect customer-managed keys backed by Key Vault Premium or Managed HSM. Disk Encryption Sets are the construct.
- Default ARM management-plane access from anywhere. Anyone with valid Entra credentials and the right RBAC role can call ARM from any IP. Conditional Access "Microsoft Azure Management" cloud app + named-location requirement = ARM only from corporate networks or compliant devices. The single highest-leverage CA policy after admin MFA.
- No PIM on Owner / User Access Administrator. Standing Owner assignments are the single most-common path from "an attacker phished one admin" to "the attacker now owns the subscription." Convert standing assignments to PIM-eligible; require approval for activation of the most sensitive roles.
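Two of the checks above (anonymous blob access, and an NSG that lets the internet onto RDP/SSH) written as a small posture script, added here as an example rather than code from the original page or from any CSPM vendor. It assumes the JSON shape that `az storage account show` and `az network nsg show` return, evaluates NSG rules in priority order so a narrower Deny ahead of an Allow-any is handled the way the platform handles it, and the sample resources are constructed.

```python
"""Two posture checks over the JSON `az storage account show` / `az network nsg show`
return. Added example, not code from the original page; the resources below are
constructed, not real tenant data.
"""
from __future__ import annotations

from dataclasses import dataclass

MANAGEMENT_PORTS = (22, 3389)                       # SSH / RDP: Bastion or JIT should own these
WIDE_OPEN_SOURCES = {"*", "0.0.0.0/0", "::/0", "Internet"}


@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    detail: str


def check_blob_public_access(account: dict) -> list[Finding]:
    """Flag anything but an explicit allowBlobPublicAccess=false.

    Mirrors what a CSPM scan does: a missing value is a finding too, because
    only an explicit false proves the account is closed.
    """
    if account.get("allowBlobPublicAccess") is False:
        return []
    return [Finding(account["name"], "storage-blob-public-access",
                    f"allowBlobPublicAccess={account.get('allowBlobPublicAccess')!r}; set it to false")]


def _port_set(spec: str) -> set[int] | None:
    """'*' -> None (any port); '22' -> {22}; '1000-1010' -> {1000..1010}."""
    if spec == "*":
        return None
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def _rule_ports(rule: dict) -> set[int] | None:
    specs = [rule.get("destinationPortRange"), *(rule.get("destinationPortRanges") or [])]
    ports: set[int] = set()
    for spec in filter(None, specs):
        expanded = _port_set(spec)
        if expanded is None:
            return None
        ports |= expanded
    return ports


def _rule_sources(rule: dict) -> set[str]:
    return set(filter(None, [rule.get("sourceAddressPrefix"), *(rule.get("sourceAddressPrefixes") or [])]))


def check_nsg_internet_to_management(nsg: dict) -> list[Finding]:
    """For each management port, evaluate inbound rules the way the platform does:
    lowest priority number first, first match wins. Only rules whose source covers
    the whole internet are considered, so a narrower Deny does not count as cover.
    Protocol is ignored for brevity.
    """
    findings = []
    rules = sorted(nsg.get("securityRules", []), key=lambda r: r["priority"])
    for port in MANAGEMENT_PORTS:
        for rule in rules:
            if rule["direction"] != "Inbound" or not (_rule_sources(rule) & WIDE_OPEN_SOURCES):
                continue
            ports = _rule_ports(rule)
            if ports is not None and port not in ports:
                continue
            if rule["access"] == "Allow":
                findings.append(Finding(nsg["name"], "nsg-internet-management-port",
                                        f"rule {rule['name']} (priority {rule['priority']}) allows Internet -> {port}"))
            break  # first matching rule decides; a Deny here protects the port
    return findings


# Constructed sample resources (shape of `az ... show -o json`, trimmed to the fields used).
SAMPLE_STORAGE_ACCOUNTS = [
    {"name": "stlegacyexports", "allowBlobPublicAccess": True},
    {"name": "stapplogs", "allowBlobPublicAccess": False},
]
SAMPLE_NSGS = [{
    "name": "nsg-web",
    "securityRules": [
        {"name": "deny-rdp-from-internet", "priority": 100, "direction": "Inbound",
         "access": "Deny", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
        {"name": "allow-any-inbound", "priority": 200, "direction": "Inbound",
         "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
        {"name": "allow-https-internet", "priority": 300, "direction": "Inbound",
         "access": "Allow", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    ],
}]


def run_checks(storage_accounts: list[dict], nsgs: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for account in storage_accounts:
        findings += check_blob_public_access(account)
    for nsg in nsgs:
        findings += check_nsg_internet_to_management(nsg)
    return findings


if __name__ == "__main__":
    for f in run_checks(SAMPLE_STORAGE_ACCOUNTS, SAMPLE_NSGS):
        print(f"{f.resource}: [{f.check}] {f.detail}")
```

On the sample, RDP is protected by the earlier Deny while SSH falls through to the Allow-any rule, which is exactly the kind of rule-ordering detail a glance at the portal misses.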
Azure-specific attack paths
The techniques pentesters and incident responders see in Azure tenants - both Microsoft-specific and adaptations of generic cloud attacks. For the discipline around finding these proactively, see the Cloud Pentesting page.
- Managed Identity abuse. A compromised VM or Function App with a managed identity has whatever RBAC the identity was granted. Over-permissioned managed identities turn a workload compromise into subscription-wide access. Audit role assignments to managed identities continuously; right-size with Entra Permissions Management.
- RBAC inheritance bites. Owner at the management group cascades to every subscription, RG, and resource underneath - silently. The user investigating a single VM may not know their permission was granted three levels up. Audit inherited assignments; use scope-narrow assignments by default.
- Illicit consent grants (OAuth phishing). An attacker creates an Entra-registered app, tricks a user into granting it permissions (Mail.Read, Files.Read.All, etc.), and walks off with the data via Graph API - no password, no MFA bypass needed. Restrict user consent to verified-publisher apps with low-risk permissions; require admin consent for anything else.
- Conditional Access bypass. Legacy-authentication endpoints (IMAP, POP, basic SMTP) that don't honor CA policies, device-code-flow phishing, OAuth refresh tokens persisting after the user signed out, or excluded "service accounts" with weak passwords. Disable legacy auth, monitor device-code sign-ins, and revoke refresh tokens on suspicious activity.
- Storage account key abuse. Whoever holds an account key has full data-plane access - bypasses RBAC, bypasses Conditional Access, often bypasses logging. Rotate keys, store in Key Vault, and prefer Entra-based authentication (RBAC + Storage Blob Data Contributor / Reader) over account keys wherever possible.
- ARM template / Bicep injection. Deployment templates trusted from arbitrary sources (a forked repo, a downloaded sample) can include policy assignments, role assignments, or resource provisioning the deployer didn't notice. Treat templates like code; review them; scope deployment-identity permissions narrowly.
- BloodHound for Azure / AzureHound. SpecterOps's collector for Entra and Azure RBAC relationships. Surfaces shortest-path attacks from a foothold to Global Admin / Owner. The defender uses it too - run it against your own tenant before the attacker does.
- ROADtools. Dirk-jan Mollema's Entra (formerly Azure AD) reconnaissance and exploitation toolkit. Dumps the directory, analyzes Conditional Access, finds misconfigurations in app registrations. Defenders should know what attackers see.
- MicroBurst. NetSPI's PowerShell toolkit for Azure offensive testing - enumerates Storage, Key Vault, Function Apps, and finds the typical "wait, that's public?" findings.
- AADInternals. The deepest-cut Entra tenant exploitation toolkit. Federation token forgery, Pass-through Authentication agent attacks, Seamless SSO abuse. Read the documentation as a defender; the attacks it implements are the ones your detections need to catch.
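The RBAC-inheritance and managed-identity points above, as an added example (not the page's or Microsoft's code): a resolver that walks an ARM scope up through resource group, subscription and management groups to show which roles apply at a resource and where each was granted. Scope strings follow the ARM resource-ID format; the management-group tree, group membership and role assignments are constructed.

```python
"""Resolve the effective Azure RBAC roles a principal holds at a scope by walking
the scope hierarchy upwards: resource -> resource group -> subscription ->
management groups. Added example, not code from the original page; the tenant
data below is constructed and group membership is a flat principal->groups map.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group, service principal or managed identity
    role: str
    scope: str


@dataclass
class Tenant:
    mg_parent: dict[str, str]          # management group -> parent management group
    sub_mg: dict[str, str]             # subscription id -> management group it sits in
    groups: dict[str, set[str]]        # principal -> groups it is a (transitive) member of
    assignments: list[RoleAssignment] = field(default_factory=list)


def scope_chain(scope: str, tenant: Tenant) -> list[str]:
    """Return `scope` followed by every ancestor scope, nearest first.

    Management groups are not string prefixes of subscription scopes, so the
    subscription -> management-group hop needs the tenant's maps.
    """
    parts = scope.strip("/").split("/")
    chain = [scope]
    if parts[0] == "subscriptions":
        sub = "/subscriptions/" + parts[1]
        if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
            rg = sub + "/resourceGroups/" + parts[3]
            if rg != scope:
                chain.append(rg)
        if sub != scope:
            chain.append(sub)
        mg = tenant.sub_mg.get(parts[1])
    elif scope.startswith(MG_PREFIX):
        mg = tenant.mg_parent.get(parts[3])
    else:
        raise ValueError(f"unsupported scope: {scope}")
    while mg:
        chain.append(MG_PREFIX + mg)
        mg = tenant.mg_parent.get(mg)
    return chain


def effective_roles(principal: str, scope: str, tenant: Tenant) -> list[tuple[str, str]]:
    """Roles `principal` holds at `scope` (directly or via group), each paired
    with the scope it was granted at, nearest scope first."""
    identities = {principal} | tenant.groups.get(principal, set())
    out = []
    for s in scope_chain(scope, tenant):
        for a in tenant.assignments:
            if a.scope == s and a.principal in identities:
                out.append((a.role, a.scope))
    return out


def inherited_privileged(principal: str, scope: str, tenant: Tenant) -> list[tuple[str, str, int]]:
    """The 'granted three levels up' trap: Owner / UAA that applies at `scope`
    but was assigned at an ancestor. Returns (role, granting scope, levels up)."""
    chain = scope_chain(scope, tenant)
    return [
        (role, granted_at, chain.index(granted_at))
        for role, granted_at in effective_roles(principal, scope, tenant)
        if role in PRIVILEGED_ROLES and granted_at != scope
    ]


# Constructed tenant: corp (intermediate root) -> landingzones -> one app subscription.
SUB = "11111111-2222-3333-4444-555555555555"  # constructed subscription id
RG_SCOPE = f"/subscriptions/{SUB}/resourceGroups/rg-app"
VM_SCOPE = RG_SCOPE + "/providers/Microsoft.Compute/virtualMachines/vm-app-01"
CORP_MG = MG_PREFIX + "corp"

SAMPLE_TENANT = Tenant(
    mg_parent={"landingzones": "corp"},
    sub_mg={SUB: "landingzones"},
    groups={"bob": {"g-vm-ops"}},
    assignments=[
        RoleAssignment("alice", "Owner", CORP_MG),                                  # standing Owner at the root
        RoleAssignment("g-vm-ops", "Virtual Machine Contributor", RG_SCOPE),        # scoped, via group
        RoleAssignment("mi-func-billing", "Contributor", f"/subscriptions/{SUB}"),  # managed identity, sub-wide
    ],
)

if __name__ == "__main__":
    for who in ("alice", "bob", "mi-func-billing"):
        print(who, effective_roles(who, VM_SCOPE, SAMPLE_TENANT),
              inherited_privileged(who, VM_SCOPE, SAMPLE_TENANT))
```

Run against a real export (role assignments plus the management-group tree), the same walk answers "who is Owner on this VM, and from how far up" for every resource, which is the audit the bullet above asks for.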
Entra ID vs traditional Active Directory
One of the most common Azure-security confusions: Entra ID is not Active Directory. They share a name, a vendor, and some concepts; they're architecturally different products.
| Dimension | On-prem Active Directory (AD DS) | Microsoft Entra ID |
|---|---|---|
| Architecture | Domain controllers in your data center | Microsoft-operated multi-tenant cloud service |
| Primary protocols | Kerberos, NTLM, LDAP | OAuth 2.0, OpenID Connect, SAML 2.0; Graph API for management |
| Authentication unit | Computer joined to a domain | User + application + device (registered or joined) |
| Policy mechanism | Group Policy Objects (GPOs) | Conditional Access policies + Intune device policies |
| Hierarchy | Forest → domain → OU | Tenant → administrative unit (flatter) |
| Group types | Security, distribution, scope nuances | Security, Microsoft 365, dynamic, assigned |
| Trusts / federation | Domain / forest trusts | Cross-tenant access settings, B2B collaboration, external federation |
| Privileged tier | Tier 0 / 1 / 2 admin separation; ESAE | Entra PIM roles + Microsoft's secure-admin guidance |
Common ground: users, groups, group-based access, the concept of administrator roles. What's different: Entra ID has no domain controllers, no Kerberos for cloud-only sign-ins, no GPOs, no LDAP by default (Domain Services adds an LDAP-speaking managed-AD overlay if you need it). Hybrid identity bridges the two - Entra Connect or Cloud Sync synchronizes identities between AD and Entra, and modern enterprises run both side by side for the foreseeable future. Apply the same Tier 0 / 1 / 2 administrative tiering discipline to Entra that you would to AD; the tiering model is timeless even though the protocols are different.
Azure-native vs third-party - service comparisons
How the Azure-native tools stack up against the third-party tools customers most often compare them to.
Defender for Cloud vs Wiz / Orca / Lacework
| Capability | Defender for Cloud | Wiz / Orca / Lacework / CrowdStrike Falcon Cloud |
|---|---|---|
| Azure depth | Deep; first-party control-plane integration | Strong but not always first-party-deep |
| Multi-cloud parity | AWS / GCP supported, parity lags | Multi-cloud is the design center |
| Attack-path analysis | Defender CSPM plan ships paths in 2026 | Mature - Wiz's original differentiator |
| Agentless scanning | Yes (Defender CSPM plan) | Yes - agentless was the category-defining pattern |
| Workload protection (CWPP) | Defender for Servers / Containers / etc., per-resource pricing | Bundled into platform pricing |
| Code-to-cloud / SCA | Defender for DevOps; integration with GHAS | Native repo and IaC scanning |
| Pricing model | Per-resource-per-month, opt-in per plan | Annual contract, environment-sized |
Microsoft Sentinel vs Splunk / Panther / Chronicle (Google SecOps)
| Capability | Microsoft Sentinel | Splunk | Panther | Google SecOps (Chronicle) |
|---|---|---|---|---|
| Best fit | Microsoft-heavy | Mixed / mature SOC | Cloud-native, code-first | Google / multi-cloud, massive scale |
| Query language | KQL | SPL | Python detections, SQL data lake | UDM + YARA-L |
| Microsoft 365 connectors | First-party, free of license | Add-on, paid | Yes | Yes |
| SOAR | Built-in (Logic Apps) | SOAR is separate product | Native | Native |
| Pricing | Per-GB ingestion (Log Analytics) | Workload pricing (per ingest GB) | Per-event / data-lake based | Per-employee (flat scale) |
| Threat-intel integration | MSTIC, TI Indicators table | Splunk Enterprise Security | VirusTotal-native via Google | Mandiant + VT native |
Entra PIM vs CyberArk / Delinea / BeyondTrust
| Capability | Entra PIM | CyberArk / Delinea / BeyondTrust |
|---|---|---|
| Scope | Entra and Azure RBAC roles | Cross-platform privileged accounts (AD, Linux, network gear, databases, cloud) |
| Just-in-time elevation | Yes - approval, MFA, justification, time-box | Yes |
| Credential vaulting | No - for accounts use Key Vault separately | Yes - the original PAM differentiator |
| Session recording | No | Yes - for high-assurance review |
| License | Entra ID P2 (often bundled in M365 E5) | Standalone enterprise contract |
| Best fit | Cloud / Azure / Entra-heavy environments | Mixed estates with legacy on-prem privileged accounts |
The pattern: native tools win on Microsoft-stack depth and integration; third-party tools win on cross-platform breadth, attack-path graph analysis, and (sometimes) maturity in a specific feature. Most enterprises ultimately run both.
Azure on the other CSOH pages
This page is the Azure-flavored hub; each discipline page has its own Azure-specific section. The deep dives:
- IAM on Azure - Entra ID, Conditional Access, PIM, managed identities, the RBAC inheritance trap.
- Zero Trust on Azure - how Conditional Access, Defender for Endpoint, and Entra ID Protection compose into Microsoft's Zero Trust reference architecture.
- Network Security on Azure - VNets, NSGs, Azure Firewall, Private Link, App Gateway WAF, Front Door, and the hub-spoke pattern.
- Data Security on Azure - Key Vault, Managed HSM, Purview, AIP, Storage encryption, Always Encrypted.
- Vulnerability Management on Azure - Defender for Servers (Microsoft Defender Vulnerability Management), container scanning, third-party CNAPP integrations.
- Detection Engineering on Azure - KQL detection libraries, Sigma → Sentinel conversion, MITRE ATT&CK coverage for the Microsoft stack.
- Incident Response on Azure - Defender XDR investigation, Sentinel SOAR playbooks, Microsoft's IR process and DART engagement.
- Compliance Frameworks - how SOC 2, ISO 27001, FedRAMP, HIPAA, and PCI DSS look implemented on Azure.
- Cloud Pentesting - Azure - the offensive-testing playbook for Entra and Azure resources.
Certifications - AZ-900 → AZ-500 → SC-200 / SC-100
Microsoft's certification track for Azure security has converged on a clean ladder. The shortest credible path from "no Azure exposure" to "qualified Azure security professional":
AZ-900 - Azure Fundamentals
Entry-level. Cloud concepts, Azure architecture, pricing, support, basic governance. ~30 hours of prep for someone new to cloud. Skip if you already operate Azure resources daily.
AZ-500 - Azure Security Engineer Associate
The hands-on Azure-security cert. Identity (Entra), platform protection (NSGs, Firewall, Bastion), data and applications (Key Vault, encryption, App Service), and security operations (Defender for Cloud, Sentinel basics). 60-120 hours of prep depending on prior Azure depth.
SC-200 - Security Operations Analyst Associate
The SOC-analyst cert for the Microsoft stack. Sentinel deeply, Defender XDR, KQL hunting, Defender for Endpoint. Pair with hands-on lab time in a real (or trial) M365 + Sentinel tenant.
SC-100 - Cybersecurity Architect Expert
The expert-level architect cert. Requires one prerequisite associate cert (AZ-500, SC-200, MS-500, or SC-300). Zero Trust design, identity strategy, regulatory compliance, security operations strategy. The capstone for an enterprise Azure-security architect role.
Adjacent certs worth knowing: SC-300 (Identity and Access Administrator - Entra-specific), SC-400 (Information Protection Administrator - Purview / DLP), MS-500 (Microsoft 365 Security - now retired and absorbed into SC-200 / SC-400). For the cross-cloud certification landscape, see the Certifications page.
Native vs third-party - when each fits
The decision is rarely "all native" or "all third-party." It's a workload-by-workload, control-by-control fit question.
When Azure-native usually wins
- The workload is purely Azure / M365. Defender for Cloud + Sentinel + Entra cover the full posture, detection, and identity surface with first-party integration depth that third-party tools rarely match.
- The license is already paid. Microsoft 365 E5 / A5 bundles Defender XDR (Endpoint, Identity, Office, Cloud Apps), Sentinel benefits, Entra ID P2, Purview, and Defender for Cloud secure-score for free. If you're paying E5 anyway, using something else duplicates spend.
- The auditor's evidence is Microsoft-shaped. Purview Compliance Manager, Defender for Cloud regulatory dashboard, and Sentinel workbooks produce evidence in the format Microsoft-experienced auditors are fastest at.
- You want control-plane enforcement, not just detection. Azure Policy and Conditional Access act at the API; third-party tools mostly observe and alert.
When third-party usually wins
- Multi-cloud. Wiz, Orca, Lacework, Prisma Cloud, CrowdStrike Falcon Cloud, etc. were designed multi-cloud from day one. Defender for Cloud's AWS / GCP coverage exists, but the third-party tools generally see deeper into non-Microsoft clouds.
- Attack-path graph analysis. Wiz's category-defining feature; competitors caught up. Microsoft's Defender CSPM attack paths exist but are newer.
- SIEM with mature data engineering. Splunk's flexibility, search performance, and ecosystem at very large scales are unmatched. Sentinel is catching up; not every shop wants to switch.
- Identity governance across non-Microsoft IdPs. Okta / Ping / SailPoint shops have integration depth that Entra cannot replicate when it is not the primary IdP.
- Privileged-access management for legacy estates. CyberArk / Delinea / BeyondTrust for shared accounts, network gear, mainframes, on-prem databases. PIM doesn't cover that surface.
The Microsoft licensing maze
This is where Microsoft loses customers' patience. A non-exhaustive list of where Azure security features actually live, license-wise:
- Entra ID Free - base identity. SSO, MFA via Security Defaults only.
- Entra ID P1 - Conditional Access, group-based licensing, dynamic groups, password write-back.
- Entra ID P2 - PIM, Identity Protection, Access Reviews, Entra ID Governance bundling.
- Microsoft 365 E3 - Defender for Office Plan 1, base AIP, baseline compliance tooling.
- Microsoft 365 E5 - Defender for Endpoint P2, Defender for Identity, Defender for Cloud Apps, Defender for Office P2, Entra ID P2, Purview Premium features. The "everything Microsoft" SKU.
- Microsoft 365 A5 - the education-sector E5 equivalent. Similar feature set, different pricing.
- Defender for Cloud - Foundational CSPM - free; secure-score, compliance dashboards.
- Defender for Cloud - Defender CSPM plan - per-billable-resource, ~$5/resource/month at list. Attack-path analysis, agentless scanning, DevOps integration.
- Defender for Cloud - workload-protection plans - per-resource per-month for Servers (P1 / P2), Containers, Storage, SQL, Key Vault, Resource Manager, DNS, APIs, AI services. Each is a separate plan with separate pricing.
- Microsoft Sentinel - Log Analytics ingestion per GB (with reserved-capacity discounts). Microsoft data sources are free of license cost; third-party data is charged.
- Microsoft Security Copilot - Security Compute Units (SCUs), provisioned in hourly blocks.
The pragmatic move: a license-mapping spreadsheet, owned by the security team, that tracks which feature requires which SKU. Microsoft's documentation has improved; the SKU sprawl has not. Update it every time Microsoft renames or rebundles anything.
Further reading
Microsoft official
- Microsoft Learn - Security documentation hub
- Cloud Adoption Framework - Secure methodology
- Well-Architected Framework - Security pillar
- Enterprise-Scale Landing Zone reference architecture
- Microsoft Zero Trust guidance
- Microsoft Cloud Security Benchmark (MCSB)
- Microsoft Service Trust Portal - audit reports, DPAs
Microsoft blogs & events
- Microsoft Security Blog
- Microsoft Tech Community - Azure
- Microsoft Ignite - annual flagship; security sessions and product announcements.
- Microsoft Secure - security-focused annual event.
Microsoft Learn paths
Community
- Azure-Sentinel GitHub - community detection rules, hunting queries, playbooks.
- KQL Search - community KQL query repository.
- MITRE ATT&CK coverage workbooks for Sentinel
- Dirk-jan Mollema - Entra security research
- SpecterOps blog - Azure / Entra offensive research
Related CSOH pages
- Shared Responsibility - the cross-cloud baseline.
- IAM & Identity - the cross-cloud identity discipline.
- Zero Trust - the architectural pattern Microsoft helped popularize.
- Landing Zones - cross-cloud reference architectures.
- Cloud SOC - the SOC operating model around Sentinel and Defender XDR.
- GRC - where Purview Compliance Manager fits in a multi-framework program.
- Glossary - every Microsoft acronym on this page, defined.
FAQ
Is Microsoft Defender for Cloud enough on its own?
For a single-cloud Azure-only environment, Defender for Cloud's CSPM + workload-protection plans cover most of what a CSPM/CNAPP buyer would otherwise look at. It's deeply integrated with the Azure control plane, ships regulatory-compliance dashboards out of the box, and feeds Sentinel cleanly. Where it weakens: multi-cloud parity (its AWS and GCP connectors lag the third-party tools in depth), code-to-cloud / supply-chain context, and the kind of attack-path graph analysis Wiz or Orca pioneered. Most multi-cloud or M&A-heavy orgs run Defender for Cloud alongside a vendor-neutral CNAPP rather than instead of one.
Microsoft Sentinel vs Splunk - which should I pick?
If your environment is Azure-heavy and Microsoft 365-heavy, Sentinel is hard to beat on integration depth and cost - most of the M365 / Entra / Defender connectors are first-party and free of license cost (Azure-Monitor ingestion charges still apply). Splunk wins on flexibility, mature ecosystem, and parity across non-Microsoft data sources. The decision usually comes down to where your data already lives and what your SOC's existing tooling is. Splunk-shop SOCs rarely switch; greenfield Microsoft-shop SOCs rarely pick anything else.
What's the difference between Entra ID and traditional Active Directory?
Entra ID (formerly Azure AD) is a cloud identity provider, not a directory service in the traditional sense. There are no domain controllers, no Kerberos for cloud-only sign-ins (OAuth 2.0, SAML, and OpenID Connect take that role), no Group Policy, and no LDAP by default. What carries over: users, groups, role assignments, conditional-access policies as the modern Group-Policy equivalent. Most enterprises still run both - on-prem AD for Windows servers and legacy apps, Entra ID for cloud apps - synchronized via Entra Connect or Cloud Sync. Hybrid Identity is the practical default.
How does Azure RBAC inheritance bite you?
Azure RBAC inherits down the management-group → subscription → resource-group → resource hierarchy. A role granted at a management group cascades to every subscription and resource underneath, and the inheritance is silent at the resource level - the user looking at a single VM may not realize their access was granted three levels up. The classic blast-radius mistake is granting Owner or Contributor at the root or tenant-root management group for convenience; that role now applies to every Azure resource the tenant will ever own. Use Privileged Identity Management for time-bound elevation, scope role assignments as narrowly as possible, and audit inherited assignments with Access Reviews.
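To make the inheritance visible, here is an added example (not from this page or from Microsoft) that models a constructed tenant hierarchy and resolves which role assignments reach a given resource and how many levels up each was granted; the scope names (contoso-root, sub-prod, rg-web, vm-web01) are placeholders.

```python
"""Resolve effective Azure RBAC assignments by walking the scope hierarchy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


# Constructed sample hierarchy (placeholder names, not a real tenant):
# child scope -> parent scope, None at the tenant-root management group.
MG = "/providers/Microsoft.Management/managementGroups/"
ROOT, LZ = MG + "contoso-root", MG + "landingzones"
SUB = "/subscriptions/sub-prod"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
PARENT = {ROOT: None, LZ: ROOT, SUB: LZ, RG: SUB, VM: RG}

ASSIGNMENTS = [
    Assignment("alice", "Owner", ROOT),        # the "convenience" grant at the root
    Assignment("bob", "Contributor", SUB),
    Assignment("carol", "Reader", VM),
]


def ancestors(scope):
    """Yield the scope itself, then each parent up to the tenant root."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]


def effective_assignments(scope, assignments=ASSIGNMENTS):
    """Return (assignment, levels_up) for every assignment that applies at scope.

    levels_up == 0 is a direct grant; anything greater is inherited and does
    not appear on the resource's own role-assignment list."""
    chain = list(ancestors(scope))
    hits = [(a, chain.index(a.scope)) for a in assignments if a.scope in chain]
    return sorted(hits, key=lambda hit: hit[1])


def blast_radius(assignment, scopes=PARENT):
    """Every modelled scope the assignment reaches, i.e. its effective footprint."""
    return sorted(s for s in scopes if assignment.scope in ancestors(s))


if __name__ == "__main__":
    for a, up in effective_assignments(VM):
        origin = "direct" if up == 0 else f"inherited {up} level(s) up"
        print(f"{a.principal:6} {a.role:12} {origin}")
```

Against a real tenant the same question is answered by `az role assignment list --scope <resource-id> --include-inherited`; the point of the model is that Owner at the root reaches every scope in the tree.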
Should I use Azure-native security tools or third-party?
It's almost never either/or. Azure-native tools (Defender for Cloud, Sentinel, Entra) excel at depth in the Microsoft stack and integrate with the control plane in ways third parties can't fully replicate. Third-party CNAPP / SIEM / PAM tools excel at multi-cloud, multi-IdP, and depth in non-Microsoft workloads. The pragmatic split: native for first-party Azure / M365 telemetry and policy, third-party for the cross-cloud picture, attack-path analysis, and any workload that runs outside Microsoft. The cost question is real - Defender plans, Sentinel ingestion, and Microsoft 365 E5 add up - but so do enterprise CNAPP and SIEM contracts.
What's Microsoft Security Copilot actually good for?
As of 2026 it's most useful for SOC analyst acceleration - incident summarization, KQL query generation, malware reverse-engineering hints, and natural-language access to Defender XDR / Sentinel data. It's billed in Security Compute Units rather than per seat, and the cost-per-investigation math only works for SOCs with enough volume to amortize it. It is not a replacement for analysts, an autonomous responder, or an oracle - it produces plausible answers that still need human verification on every action that touches production. Treat it as a force-multiplier in the hands of experienced analysts, not as a tier-1 substitute.
Are Azure Blueprints still the right way to deploy a Landing Zone?
No - Azure Blueprints was deprecated and is being replaced by Deployment Stacks (with Bicep or ARM templates) and the Azure Landing Zones Accelerator / Terraform CAF modules. Existing Blueprint deployments still work, but new programs should pick a Deployment-Stack-based or Terraform-based approach. The CAF Enterprise-Scale Landing Zone reference architecture remains the right starting point; only the deployment mechanism has changed.
Where next
- AWS Security - the complete guide - the sibling page for the other hyperscaler most CSOH readers also operate.
- GCP Security - the complete guide - the Google Cloud counterpart.
- AWS vs Azure vs GCP - side-by-side - when you need the one-screen reference for a vendor pitch or architecture decision.
- IAM on Azure - the deeper Entra / Conditional Access / PIM dive.
- Cloud SOC - the SOC operating model around Sentinel + Defender XDR.
- Friday Zoom - Azure security questions come up most weeks. Drop in.