Azure Security Checklist: Hardening Your Azure Subscription
A practical checklist for hardening Azure subscriptions covering Defender for Cloud, RBAC, Privileged Identity Management, Conditional Access, Key Vault, and Microsoft Sentinel.
Azure's security surface area is enormous — spanning Entra ID (formerly Azure AD), hundreds of resource types, and integrations with Microsoft 365 and on-premises Active Directory. This checklist covers the controls that matter most for protecting an Azure subscription, organized by the layers where breaches most commonly originate.
Identity Hardening (Entra ID)
Enable Security Defaults or Conditional Access
If your organization doesn't have Entra ID P2 licenses, enable Security Defaults. This enforces MFA for all users, blocks legacy authentication protocols, and requires MFA for administrator roles.
For organizations with P1/P2 licenses, replace Security Defaults with Conditional Access policies for finer control:
# Require MFA for all users (AzureAD module; Microsoft has deprecated it in favour of Microsoft Graph PowerShell)
# Exclude your break-glass accounts via Users.ExcludeUsers before switching the policy to Enabled
New-AzureADMSConditionalAccessPolicy -DisplayName "Require MFA - All Users" `
-State "Enabled" `
-Conditions @{Users=@{IncludeUsers="All"}; Applications=@{IncludeApplications="All"}} `
-GrantControls @{BuiltInControls=@("Mfa"); _Operator="OR"}   # the property is literally named _Operator in this module
Block Legacy Authentication Protocols
Legacy protocols (SMTP AUTH, POP3, IMAP, MAPI) do not support modern MFA. Attackers use them specifically to bypass MFA requirements:
# Conditional Access policy to block legacy auth (AzureAD module; same deprecation note as above)
New-AzureADMSConditionalAccessPolicy `
-DisplayName "Block Legacy Authentication" `
-State "Enabled" `
-Conditions @{
Users=@{IncludeUsers="All"};
Applications=@{IncludeApplications="All"};
ClientAppTypes=@("ExchangeActiveSync","Other")   # "Other" covers the legacy protocols listed above
} `
-GrantControls @{BuiltInControls=@("Block"); _Operator="OR"}
Enable Privileged Identity Management (PIM)
PIM requires privileged roles to be activated on-demand (just-in-time access) rather than permanently assigned. This dramatically reduces the standing attack surface:
- Navigate to Entra ID → Identity Governance → Privileged Identity Management
- Set Global Administrator, Privileged Role Administrator, and Security Administrator as "Eligible" rather than "Active"
- Require MFA, justification, and approval for activation
- Set maximum activation duration to 8 hours
Review and Minimize Global Administrator Count
Organizations should have 2-4 Global Administrators maximum — enough for break-glass scenarios but not so many that the role is routinely used. Audit:
Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Global Administrator"} |
Get-AzureADDirectoryRoleMember | Select-Object DisplayName, UserPrincipalName
Configure Self-Service Password Reset with MFA
SSPR reduces helpdesk burden and ensures passwords can be reset securely without bypassing MFA.
Enable Identity Protection Risk Policies
Entra ID Identity Protection uses ML to detect risky sign-ins and compromised credentials. Configure:
- User risk policy: Block access or require password change for High risk
- Sign-in risk policy: Require MFA for Medium and High risk sign-ins
Subscription and Resource Management
Enable Microsoft Defender for Cloud
Defender for Cloud (formerly Azure Security Center) provides CSPM scoring, threat protection, and regulatory compliance assessment. Enable the Enhanced Security Features (paid) for full coverage:
az security pricing create -n VirtualMachines --tier Standard
az security pricing create -n StorageAccounts --tier Standard
az security pricing create -n SqlServers --tier Standard
az security pricing create -n KeyVaults --tier Standard
az security pricing create -n AppServices --tier Standard
az security pricing create -n Containers --tier Standard
Set Minimum Secure Score Target
Review your Defender for Cloud Secure Score baseline. Implement all "High" severity recommendations before "Medium". Use the recommendations export to track remediation:
az security assessment list --query '[?status.code==`Unhealthy`].{Name:displayName,Severity:metadata.severity}' \
--output table
Apply Management Group Structure and RBAC
Use Management Groups to organize subscriptions by environment (prod, staging, dev) and apply policies at the appropriate level. Use built-in RBAC roles rather than custom roles where possible:
- Owner: reserved for automation service principals, with break-glass exceptions
- Contributor: infrastructure engineers, scoped to resource groups
- Reader: auditors and monitoring tools
- Custom roles: only when built-in roles don't fit; document and review quarterly
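As an added example (not part of the original checklist), a Python check that applies the RBAC model above to the JSON that `az role assignment list --all --output json` produces. The assignment records, the subscription id SUB and the principal names are constructed sample data, and the break-glass allowlist is an assumption:

```python
import json

# Constructed sample in the shape of `az role assignment list --all --output json`,
# trimmed to the fields the check reads. "SUB" stands in for a subscription id.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB"},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB"},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/SUB/resourceGroups/production-rg"},
    {"principalName": "audit-tool", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/SUB"},
    {"principalName": "dave@example.com", "principalType": "User",
     "roleDefinitionName": "Custom VM Operator", "scope": "/subscriptions/SUB"},
])

BUILT_IN_ROLES = {"Owner", "Contributor", "Reader"}  # the roles the model above names

def scope_level(scope):
    """Classify an ARM scope: 'subscription', 'resourceGroup', or 'other' (MG, resource)."""
    parts = [p for p in scope.split("/") if p]
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "other"

def audit_assignments(assignments_json, break_glass=("breakglass@example.com",)):
    """Return (principalName, finding) pairs for assignments outside the model: Owner only
    for service principals or named break-glass accounts, Contributor never at subscription scope."""
    findings = []
    for a in json.loads(assignments_json):
        who, role = a["principalName"], a["roleDefinitionName"]
        if role == "Owner":
            if a["principalType"] != "ServicePrincipal" and who not in break_glass:
                findings.append((who, "Owner held by a human identity outside the break-glass list"))
        elif role == "Contributor":
            if scope_level(a["scope"]) == "subscription":
                findings.append((who, "Contributor at subscription scope; re-scope to a resource group"))
        elif role not in BUILT_IN_ROLES:
            findings.append((who, f"custom role '{role}'; confirm it is documented and reviewed quarterly"))
    return findings
```

Run it against real output by replacing SAMPLE_ASSIGNMENTS with the file `az role assignment list --all --output json` writes; management-group scopes are reported as 'other' and are left for manual review.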
Enable Azure Policy for Continuous Compliance
Deploy the CIS Azure benchmark initiative:
az policy assignment create \
--name "CIS-Azure-1-4-0" \
--display-name "CIS Microsoft Azure Foundations Benchmark v1.4.0" \
--scope /subscriptions/<subscription-id> \
--policy-set-definition /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 \
--assign-identity \
--location eastus
Lock Production Resources
Apply resource locks to prevent accidental deletion of critical resources:
az lock create \
--name "production-lock" \
--resource-group production-rg \
--lock-type CanNotDelete \
--notes "Prevent accidental deletion of production resources"
Networking
Enable NSG Flow Logs
Network Security Group flow logs record TCP/UDP traffic metadata and are essential for network-level incident investigation:
# --resource-group is required; it is the group that holds production-nsg
az network watcher flow-log create \
--location eastus \
--resource-group production-rg \
--name nsg-flow-log \
--nsg production-nsg \
--storage-account /subscriptions/.../storageAccounts/flowlogsstorage \
--enabled true \
--format JSON \
--log-version 2 \
--retention 90
Enable Azure DDoS Protection Standard
For production internet-facing applications, DDoS Protection Standard provides adaptive tuning, attack metrics, and rapid response support.
Restrict Public IP Exposure
Audit all resources with public IP addresses:
az network public-ip list --query '[].{Name:name,IP:ipAddress,AssociatedTo:ipConfiguration.id}' \
--output table
Remove unnecessary public IPs and use Private Link for access to PaaS services (Storage, Key Vault, SQL) from VNets.
Configure Azure Firewall or NVA for Egress Filtering
Route all outbound traffic through a central firewall with application rules limiting egress to required FQDNs. This contains the blast radius of a compromised workload.
Enable Web Application Firewall
Protect internet-facing web applications with Azure Front Door or Application Gateway WAF in Prevention mode using OWASP Core Rule Set 3.2:
az network application-gateway waf-policy create \
--name production-waf-policy \
--resource-group production-rg \
--type OWASP \
--version 3.2
Data Protection
Configure Azure Key Vault for All Secrets
No connection strings, API keys, or certificates in application settings or code. All secrets through Key Vault, accessed via Managed Identity:
# Assign Key Vault Secrets User role to app's managed identity
az role assignment create \
--assignee <managed-identity-object-id> \
--role "Key Vault Secrets User" \
--scope /subscriptions/.../vaults/production-keyvault
Enable Soft Delete and Purge Protection on Key Vaults
Soft delete retains deleted vaults for 90 days. Purge protection prevents permanent deletion during the retention period:
# Soft delete is on by default for new vaults and cannot be turned off; purge protection is opt-in
# and, once enabled, cannot be removed, so set it deliberately on production vaults
az keyvault update \
--name production-keyvault \
--enable-soft-delete true \
--enable-purge-protection true
Enable Azure Storage Encryption with Customer-Managed Keys
By default Azure Storage uses Microsoft-managed keys. For regulated data, use customer-managed keys stored in Key Vault so you control rotation and can revoke access:
# The storage account's managed identity needs Get, WrapKey and UnwrapKey permission on this key
az storage account update \
--name mystorageaccount \
--resource-group production-rg \
--encryption-key-source Microsoft.Keyvault \
--encryption-key-vault https://production-keyvault.vault.azure.net/ \
--encryption-key-name storage-encryption-key \
--encryption-key-version <version>
Enable Azure Defender for Storage
Defender for Storage detects unusual access patterns, bulk data extraction, and access from suspicious locations using ML analysis of storage access logs.
Configure Blob Versioning and Soft Delete
Protect critical data against ransomware and accidental deletion:
az storage account blob-service-properties update \
--account-name mystorageaccount \
--resource-group production-rg \
--enable-versioning true \
--enable-delete-retention true \
--delete-retention-days 30
Monitoring and SIEM
Deploy Microsoft Sentinel
Sentinel is Azure's cloud-native SIEM. Connect the essential data sources:
- Entra ID Sign-in and Audit Logs
- Azure Activity Log (all subscriptions)
- Defender for Cloud alerts
- Microsoft 365 Defender (if applicable)
- NSG Flow Logs via Log Analytics
Enable Diagnostic Settings on All Resources
Route logs from Key Vault, Application Gateways, Firewalls, and NSGs to Log Analytics:
az monitor diagnostic-settings create \
--name keyvault-diagnostics \
--resource /subscriptions/.../vaults/production-keyvault \
--workspace /subscriptions/.../workspaces/security-workspace \
--logs '[{"category":"AuditEvent","enabled":true,"retentionPolicy":{"enabled":true,"days":365}}]'
Configure Sentinel Analytics Rules
Enable built-in analytics rules for:
- Brute force attacks against Entra ID
- Anomalous sign-in activity (impossible travel, unfamiliar location)
- Mass download from SharePoint or OneDrive
- Azure resource deletion patterns
- Successful sign-in after multiple failures
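As an added example (not from the original page), the "successful sign-in after multiple failures" rule expressed in Python over constructed Entra ID SigninLogs-style records, so the logic can be tested before it is written as a Sentinel analytics rule. The threshold, window and sample users are assumptions:

```python
from datetime import datetime, timedelta

# Constructed rows in the shape of Entra ID SigninLogs (ResultType "0" = success,
# "50126" = invalid username or password). Not real tenant data.
def row(ts, upn, result, ip="198.51.100.7"):
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "ResultType": result, "IPAddress": ip}

SAMPLE_SIGNINS = (
    # alice: five failures in under two minutes, then a success -> should alert
    [row(f"2024-05-01T08:0{s // 60}:{s % 60:02d}Z", "alice@example.com", "50126") for s in (5, 20, 41, 63, 90)]
    + [row("2024-05-01T08:02:10Z", "alice@example.com", "0")]
    # bob: two typos then a success -> below threshold, no alert
    + [row("2024-05-01T09:10:00Z", "bob@example.com", "50126", "203.0.113.9"),
       row("2024-05-01T09:10:30Z", "bob@example.com", "50126", "203.0.113.9"),
       row("2024-05-01T09:11:00Z", "bob@example.com", "0", "203.0.113.9")]
    # carol: six failures and no success -> not this rule's pattern (a brute-force rule covers it)
    + [row(f"2024-05-01T10:0{m}:00Z", "carol@example.com", "50126") for m in range(6)]
)

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def successful_after_failures(rows, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per success that follows >= threshold failures for the same
    user within `window`; the failure counter resets once an alert is raised."""
    by_user = {}
    for r in sorted(rows, key=lambda r: parse_ts(r["TimeGenerated"])):
        by_user.setdefault(r["UserPrincipalName"], []).append(r)
    alerts = []
    for upn, events in by_user.items():
        recent_failures = []  # timestamps of failed attempts still inside the window
        for e in events:
            t = parse_ts(e["TimeGenerated"])
            recent_failures = [f for f in recent_failures if t - f <= window]
            if e["ResultType"] != "0":
                recent_failures.append(t)
            elif len(recent_failures) >= threshold:
                alerts.append({"user": upn, "failures": len(recent_failures),
                               "success_at": e["TimeGenerated"], "ip": e["IPAddress"]})
                recent_failures = []
    return alerts
```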
Set Up Security Alerts for Critical Actions
Create alerts for subscription-level admin operations:
# The condition contains spaces, so it must be quoted as a single argument
az monitor activity-log alert create \
--name "Role Assignment Alert" \
--resource-group security-rg \
--scope /subscriptions/<subscription-id> \
--condition "category=Administrative and operationName=Microsoft.Authorization/roleAssignments/write" \
--action-group /subscriptions/.../actionGroups/SecurityTeam
Regulatory Compliance
Enable Compliance Dashboard in Defender for Cloud
Map your controls to SOC 2, ISO 27001, PCI-DSS, or HIPAA using the built-in regulatory compliance dashboard. This provides a continuous audit trail of control status.
Configure Retention Policies
- Log Analytics workspace: minimum 90 days hot tier, 1 year total
- Storage account access logs: 1 year
- Key Vault audit logs: 1 year
- Activity logs: archive to storage for 7 years for regulated industries
A hardened Azure subscription is not a one-time project. The controls above should be validated monthly using Defender for Cloud Secure Score, Sentinel analytics rule review, and PIM access reviews. Quarterly, run a full access review of all privileged role assignments and remove any that are no longer needed.