Azure Security - The Complete Guide

Microsoft Azure's security model from the ground up - shared responsibility, the Cloud Adoption Framework Secure methodology, the Well-Architected security pillar, the native service catalog (Defender for Cloud, Sentinel, Entra ID, Key Vault, Purview, Azure Firewall, and the rest), the Landing Zones reference architecture, the misconfigurations attackers actually exploit, and the certification track that gets you to AZ-500 / SC-200 / SC-100. Vendor-neutral but Microsoft-specific.

A long row of server racks with cool blue LED lighting in a hyperscale data center aisle
Photo by Manuel Geissinger on Pexels

· · Vendor-neutral · View source on GitHub

The 30-second version: Azure security is a Microsoft-shaped stack - Entra ID for identity, Defender for Cloud for posture and workload protection, Sentinel for SIEM/SOAR, Defender XDR for endpoint and identity threat detection, Key Vault for secrets and keys, Purview for data governance and DLP, Azure Firewall / App Gateway WAF / NSGs for network controls, and Azure Policy for guardrails. The reference architecture is the Cloud Adoption Framework Enterprise-Scale Landing Zone - management groups, hub-spoke networking, Defender at the root, Sentinel at a central log-analytics workspace.

What makes Azure security different from AWS or GCP: identity is the front door (Entra ID is everywhere, not just for Azure but for Microsoft 365 and any app federated to it), Conditional Access is the universal policy engine, RBAC inherits silently down the management-group hierarchy, and the licensing maze (E3 / E5 / A5 / Defender for Cloud plan P1 / P2) decides which features you actually get. This page is the practitioner's overview of all of it.

On this page

  1. Shared responsibility in Azure
  2. CAF Secure methodology
  3. Well-Architected - Security pillar
  4. Core Azure security services
  5. Reference architecture - Landing Zones
  6. Top 10 Azure misconfigurations
  7. Azure-specific attack paths
  8. Entra ID vs traditional Active Directory
  9. Azure-native vs third-party comparisons
  10. Azure on the other CSOH pages
  11. Certifications - AZ-500 / SC-200 / SC-100
  12. Native vs third-party - when each fits
  13. Further reading
  14. FAQ
  15. Where next

Shared responsibility in Azure

Microsoft's shared responsibility model is the same shape as AWS's and GCP's, with Microsoft-specific lines. Microsoft always owns the physical hosts, hypervisor, and the Azure control plane; you always own your data, your identities, and your access-management decisions. Everything in between shifts with the service type.

Layer On-prem IaaS (VMs) PaaS (App Service, AKS, SQL DB) SaaS (M365, Dynamics)
Physical / network / hostYouMicrosoftMicrosoftMicrosoft
OS & runtimeYouYouMicrosoftMicrosoft
Application / configYouYouYouMostly Microsoft
Network controlsYouYou (NSG, Firewall)Shared (Private Link, VNet integration)Shared (Conditional Access, named locations)
Identity & accessYouYouYouYou
DataYouYouYouYou

The bottom three rows never move. The most-violated line in practice is "configuration" - Microsoft secures the Azure SQL service itself, but if you set the firewall rule to 0.0.0.0-255.255.255.255 the data is yours to lose. For a full treatment of shared responsibility across all three clouds, see the dedicated Shared Responsibility page.

CAF Secure methodology

Microsoft's Cloud Adoption Framework Secure methodology is the prescriptive guidance that sits above individual tools - the "how do we run a secure Azure program?" answer Microsoft publishes for itself and its customers. It's organized around eight disciplines:

CAF Secure is the program-level framework; the rest of this page is the tools you reach for to execute it.

Well-Architected - Security pillar

The Azure Well-Architected Framework - Security pillar is Microsoft's architectural review framework - design principles you apply at the workload level, complementary to CAF's program-level guidance. The pillar's design principles:

Plan resources & how to harden them

Inventory first. You cannot secure what you don't know exists. Tag resources, baseline configurations, and decide per-resource what "good" looks like before traffic flows.

Automate

Use Azure Policy, Deployment Stacks, Bicep / Terraform, and CI/CD to make secure-by-default the path of least resistance for developers. Manual hardening doesn't survive scale.

Protect your code

Secure the SDLC. Defender for DevOps surfaces secrets, IaC misconfigurations, and CVEs in the pipeline; GitHub Advanced Security and Azure DevOps integrate similar checks at PR time.

Apply segmentation

Identity, network, and workload boundaries. Conditional Access, Private Link, separate subscriptions for environments - segmentation limits blast radius when a single boundary fails.

Encrypt data

In transit and at rest. Azure encrypts almost everything by default with platform-managed keys; customer-managed keys (CMK) and Managed HSM are the upgrade path when regulators ask.

Continuously monitor & assume breach

Defender for Cloud + Sentinel + Defender XDR for detection. Tabletop the breach-already-happened scenario; build the response runbooks before you need them.

Walk a new workload through the Well-Architected Review (the Microsoft Assessments tool automates most of the questionnaire) at design time and again before go-live. The questions are mostly the ones you should have been asking anyway; the value is the structure that ensures none of them get skipped.

Core Azure security services

The opinionated catalog - what each service is, what it's good for, what its limits are. Grouped by what they do, not by what they're called.

Detection & posture

Identity

Data protection

Network

Compliance & governance

Incident response

For the discipline above the tools, see the Incident Response page.

A dark security operations control room with large wall-mounted screens and analyst workstations
Photo by Field Engineer on Pexels

Reference architecture - Landing Zones

The Cloud Adoption Framework Enterprise-Scale Landing Zone is Microsoft's reference architecture for a multi-subscription Azure tenant - the equivalent of AWS Control Tower / Organizations + a hub-spoke network. It's prescriptive without being rigid; treat it as the default unless you have specific reasons to diverge.

The management-group hierarchy

A typical Enterprise-Scale hierarchy under the Tenant Root Group:

Security controls at each layer

Identity placement

Entra ID is tenant-wide - it doesn't live "in a subscription." Conditional Access, PIM, and Entra ID Governance policies are managed centrally by an identity-platform team and apply to everyone. Treat the identity tenant as the most sensitive Azure-adjacent asset you operate: a tenant compromise dwarfs almost any single-subscription incident.

For the cross-cloud version of this content, see the Landing Zones page.

Top 10 Azure misconfigurations

The patterns CSPM tools find most often in real Azure tenants. Each one shows up in a Defender for Cloud secure-score scan or any vendor-neutral CSPM within minutes of connecting.

  1. Anonymous Storage blob access enabled. Containers set to Blob or Container public access serve their contents to the open internet. The Azure equivalent of a public S3 bucket. Disable at the storage-account level (allowBlobPublicAccess: false) and enforce via Azure Policy at the management-group scope.
  2. Classic admin (co-administrator) still active. The legacy Azure Service Management role co-exists with modern RBAC and grants full Owner-equivalent access at the subscription level. Migrate any remaining co-admins to scoped RBAC; remove the assignment.
  3. No MFA on Global Administrator. The highest-impact Entra role with no second factor. Conditional Access with "require MFA for admins" is the baseline. Combine with PIM so Global Admin is eligible-not-active by default.
  4. Weak Conditional Access posture. CA policies that allow legacy authentication, don't block sign-ins from high-risk countries, or have major exclusions for "the executive team." Disable legacy auth tenant-wide; minimize exclusions; track who's excluded from what in a register.
  5. Public Function App / App Service with anonymous access. A serverless endpoint or web app exposed to the internet with no authentication. Pair with Serverless: function-key authentication is not enough by itself; use Easy Auth / App Service Authentication or front with API Management + OAuth.
  6. NSG with 0.0.0.0/0 → any port. The Azure analogue of a wide-open security group. Trips every CSPM by default. Restrict source addresses; use Bastion or just-in-time VM access instead of public RDP/SSH ports.
  7. No Defender for Cloud workload protection plans enabled. The free Foundational CSPM is on by default, but workload protection (Defender for Servers, Containers, Storage, SQL, Key Vault) is opt-in per-resource-type. Without it, you have posture findings but no runtime threat detection. Enable at the management-group scope.
  8. Unencrypted (or default-key-only) managed disks for regulated workloads. Azure encrypts managed disks by default with platform-managed keys; for HIPAA / PCI / FedRAMP scopes, regulators often expect customer-managed keys backed by Key Vault Premium or Managed HSM. Disk Encryption Sets are the construct.
  9. Default ARM management-plane access from anywhere. Anyone with valid Entra credentials and the right RBAC role can call ARM from any IP. Conditional Access "Microsoft Azure Management" cloud app + named-location requirement = ARM only from corporate networks or compliant devices. The single highest-leverage CA policy after admin MFA.
  10. No PIM on Owner / User Access Administrator. Standing Owner assignments are the single most-common path from "an attacker phished one admin" to "the attacker now owns the subscription." Convert standing assignments to PIM-eligible; require approval for activation of the most sensitive roles.

Azure-specific attack paths

The techniques pentesters and incident responders see in Azure tenants - both Microsoft-specific and adaptations of generic cloud attacks. For the discipline around finding these proactively, see the Cloud Pentesting page.

A hand holding a small brass padlock against a textured background, suggesting access control
Photo by George Becker on Pexels

Entra ID vs traditional Active Directory

One of the most common Azure-security confusions: Entra ID is not Active Directory. They share a name, a vendor, and some concepts; they're architecturally different products.

Dimension On-prem Active Directory (AD DS) Microsoft Entra ID
ArchitectureDomain controllers in your data centerMicrosoft-operated multi-tenant cloud service
Primary protocolsKerberos, NTLM, LDAPOAuth 2.0, OpenID Connect, SAML 2.0; Graph API for management
Authentication unitComputer joined to a domainUser + application + device (registered or joined)
Policy mechanismGroup Policy Objects (GPOs)Conditional Access policies + Intune device policies
HierarchyForest → domain → OUTenant → administrative unit (flatter)
Group typesSecurity, distribution, scope nuancesSecurity, Microsoft 365, dynamic, assigned
Trusts / federationDomain / forest trustsCross-tenant access settings, B2B collaboration, external federation
Privileged tierTier 0 / 1 / 2 admin separation; ESAEEntra PIM roles + Microsoft's secure-admin guidance

Common ground: users, groups, group-based access, the concept of administrator roles. What's different: Entra ID has no domain controllers, no Kerberos for cloud-only sign-ins, no GPOs, no LDAP by default (Domain Services adds an LDAP-speaking managed-AD overlay if you need it). Hybrid identity bridges the two - Entra Connect or Cloud Sync synchronizes identities between AD and Entra, and modern enterprises run both side by side for the foreseeable future. Apply the same Tier 0 / 1 / 2 administrative tiering discipline to Entra that you would to AD; the tiering model is timeless even though the protocols are different.

Azure-native vs third-party - service comparisons

How the Azure-native tools stack up against the third-party tools customers most often compare them to.

Defender for Cloud vs Wiz / Orca / Lacework

Capability Defender for Cloud Wiz / Orca / Lacework / CrowdStrike Falcon Cloud
Azure depthDeep; first-party control-plane integrationStrong but not always first-party-deep
Multi-cloud parityAWS / GCP supported, parity lagsMulti-cloud is the design center
Attack-path analysisDefender CSPM plan ships paths in 2026Mature - Wiz's original differentiator
Agentless scanningYes (Defender CSPM plan)Yes - agentless was the category-defining pattern
Workload protection (CWPP)Defender for Servers / Containers / etc., per-resource pricingBundled into platform pricing
Code-to-cloud / SCADefender for DevOps; integration with GHASNative repo and IaC scanning
Pricing modelPer-resource-per-month, opt-in per planAnnual contract, environment-sized

Microsoft Sentinel vs Splunk / Panther / Chronicle (Google SecOps)

Capability Microsoft Sentinel Splunk Panther Google SecOps (Chronicle)
Best fitMicrosoft-heavyMixed / mature SOCCloud-native, code-firstGoogle / multi-cloud, massive scale
Query languageKQLSPLPython detections, SQL data lakeUDM + YARA-L
Microsoft 365 connectorsFirst-party, free of licenseAdd-on, paidYesYes
SOARBuilt-in (Logic Apps)SOAR is separate productNativeNative
PricingPer-GB ingestion (Log Analytics)Workload pricing (per ingest GB)Per-event / data-lake basedPer-employee (flat scale)
Threat-intel integrationMSTIC, TI Indicators tableSplunk Enterprise SecurityVirusTotal-native via GoogleMandiant + VT native

Entra PIM vs CyberArk / Delinea / BeyondTrust

Capability Entra PIM CyberArk / Delinea / BeyondTrust
ScopeEntra and Azure RBAC rolesCross-platform privileged accounts (AD, Linux, network gear, databases, cloud)
Just-in-time elevationYes - approval, MFA, justification, time-boxYes
Credential vaultingNo - for accounts use Key Vault separatelyYes - the original PAM differentiator
Session recordingNoYes - for high-assurance review
LicenseEntra ID P2 (often bundled in M365 E5)Standalone enterprise contract
Best fitCloud / Azure / Entra-heavy environmentsMixed estates with legacy on-prem privileged accounts

The pattern: native tools win on Microsoft-stack depth and integration; third-party tools win on cross-platform breadth, attack-path graph analysis, and (sometimes) maturity in a specific feature. Most enterprises ultimately run both.

Azure on the other CSOH pages

This page is the Azure-flavored hub; each discipline page has its own Azure-specific section. The deep dives:

Certifications - AZ-900 → AZ-500 → SC-200 / SC-100

Microsoft's certification track for Azure security has converged on a clean ladder. The shortest credible path from "no Azure exposure" to "qualified Azure security professional":

AZ-900 - Azure Fundamentals

Entry-level. Cloud concepts, Azure architecture, pricing, support, basic governance. ~30 hours of prep for someone new to cloud. Skip if you already operate Azure resources daily.

AZ-500 - Azure Security Engineer Associate

The hands-on Azure-security cert. Identity (Entra), platform protection (NSGs, Firewall, Bastion), data and applications (Key Vault, encryption, App Service), and security operations (Defender for Cloud, Sentinel basics). 60-120 hours of prep depending on prior Azure depth.

SC-200 - Security Operations Analyst Associate

The SOC-analyst cert for the Microsoft stack. Sentinel deeply, Defender XDR, KQL hunting, Defender for Endpoint. Pair with hands-on lab time in a real (or trial) M365 + Sentinel tenant.

SC-100 - Cybersecurity Architect Expert

The expert-level architect cert. Requires one prerequisite associate cert (AZ-500, SC-200, MS-500, or SC-300). Zero Trust design, identity strategy, regulatory compliance, security operations strategy. The capstone for an enterprise Azure-security architect role.

Adjacent certs worth knowing: SC-300 (Identity and Access Administrator - Entra-specific), SC-400 (Information Protection Administrator - Purview / DLP), MS-500 (Microsoft 365 Security - now retired and absorbed into SC-200 / SC-400). For the cross-cloud certification landscape, see the Certifications page.

Native vs third-party - when each fits

The decision is rarely "all native" or "all third-party." It's a workload-by-workload, control-by-control fit question.

When Azure-native usually wins

When third-party usually wins

The Microsoft licensing maze

This is where Microsoft loses customers' patience. A non-exhaustive list of where Azure security features actually live, license-wise:

The pragmatic move: a license-mapping spreadsheet, owned by the security team, that tracks which feature requires which SKU. Microsoft's documentation has improved; the SKU sprawl has not. Renew it every time Microsoft renames or rebundles anything.

Further reading

Microsoft official

Microsoft blogs & events

Microsoft Learn paths

Community

Related CSOH pages

FAQ

Is Microsoft Defender for Cloud enough on its own?

For a single-cloud Azure-only environment, Defender for Cloud's CSPM + workload-protection plans cover most of what a CSPM/CNAPP buyer would otherwise look at. It's deeply integrated with the Azure control plane, ships regulatory-compliance dashboards out of the box, and feeds Sentinel cleanly. Where it weakens: multi-cloud parity (its AWS and GCP connectors lag the third-party tools in depth), code-to-cloud / supply-chain context, and the kind of attack-path graph analysis Wiz or Orca pioneered. Most multi-cloud or M&A-heavy orgs run Defender for Cloud alongside a vendor-neutral CNAPP rather than instead of one.

Microsoft Sentinel vs Splunk - which should I pick?

If your environment is Azure-heavy and Microsoft 365-heavy, Sentinel is hard to beat on integration depth and cost - most of the M365 / Entra / Defender connectors are first-party and free of license cost (Azure-Monitor ingestion charges still apply). Splunk wins on flexibility, mature ecosystem, and parity across non-Microsoft data sources. The decision usually comes down to where your data already lives and what your SOC's existing tooling is. Splunk-shop SOCs rarely switch; greenfield Microsoft-shop SOCs rarely pick anything else.

What's the difference between Entra ID and traditional Active Directory?

Entra ID (formerly Azure AD) is a cloud identity provider, not a directory service in the traditional sense. There are no domain controllers, no Kerberos for cloud-only sign-ins (OAuth 2.0, SAML, and OpenID Connect take that role), no Group Policy, and no LDAP by default. What carries over: users, groups, role assignments, conditional-access policies as the modern Group-Policy equivalent. Most enterprises still run both - on-prem AD for Windows servers and legacy apps, Entra ID for cloud apps - synchronized via Entra Connect or Cloud Sync. Hybrid Identity is the practical default.

How does Azure RBAC inheritance bite you?

Azure RBAC inherits down the management-group → subscription → resource-group → resource hierarchy. A role granted at a management group cascades to every subscription and resource underneath, and the inheritance is silent at the resource level - the user looking at a single VM may not realize their access was granted three levels up. The classic blast-radius mistake is granting Owner or Contributor at the root or tenant-root management group for convenience; that role now applies to every Azure resource the tenant will ever own. Use Privileged Identity Management for time-bound elevation, scope role assignments as narrowly as possible, and audit inherited assignments with Access Reviews.

Should I use Azure-native security tools or third-party?

It's almost never either/or. Azure-native tools (Defender for Cloud, Sentinel, Entra) excel at depth in the Microsoft stack and integrate with the control plane in ways third parties can't fully replicate. Third-party CNAPP / SIEM / PAM tools excel at multi-cloud, multi-IdP, and depth in non-Microsoft workloads. The pragmatic split: native for first-party Azure / M365 telemetry and policy, third-party for the cross-cloud picture, attack-path analysis, and any workload that runs outside Microsoft. The cost question is real - Defender plans, Sentinel ingestion, and Microsoft 365 E5 add up - but so do enterprise CNAPP and SIEM contracts.

What's Microsoft Security Copilot actually good for?

As of 2026 it's most useful for SOC analyst acceleration - incident summarization, KQL query generation, malware reverse-engineering hints, and natural-language access to Defender XDR / Sentinel data. It's billed as Security Compute Units rather than per-seat, and the cost-per-investigation math only works for SOCs with enough volume to amortize. It is not a replacement for analysts, an autonomous responder, or an oracle - it produces plausible answers that still need human verification on every action that touches production. Treat as a force-multiplier in the hands of experienced analysts, not as a tier-1 substitute.

Are Azure Blueprints still the right way to deploy a Landing Zone?

No - Azure Blueprints was deprecated and is being replaced by Deployment Stacks (with Bicep or ARM templates) and the Azure Landing Zones Accelerator / Terraform CAF modules. Existing Blueprint deployments still work, but new programs should pick a Deployment-Stack-based or Terraform-based approach. The CAF Enterprise-Scale Landing Zone reference architecture remains the right starting point; only the deployment mechanism has changed.

Where next