Azure Security Baseline and Top Misconfigurations
Intro: Azure usually goes wrong in the same places: identity, management-group governance, policy gaps, and overly broad network or subscription access. The names differ from AWS, but the control story is familiar.
What this page includes
- a practical Azure baseline
- top 10 Azure misconfigurations
- short fixes
- notes on what matters most in production
Recommended Azure baseline
Identity and access
- enforce MFA for privileged users
- reduce standing privilege through Entra ID PIM where possible
- use managed identities instead of embedded credentials
- keep subscription and management group ownership explicit
- minimize Owner and User Access Administrator assignments
Policy and posture
- use Azure Policy for guardrails and compliance checks
- enable Microsoft Defender for Cloud broadly
- review regulatory and benchmark mappings, but do not confuse compliance score with real risk reduction
- standardize landing zones and subscription creation
Logging and monitoring
- centralize Activity Logs and resource logs
- protect log destinations
- enable alerts for role assignment changes, policy changes, public exposure, and key security service disablement
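The alert list above maps directly onto Activity Log operation names. The script below, an added example that is not code from the original page, classifies Activity Log records into those alert categories; the records are expected in the JSON shape of `az monitor activity-log list -o json` (`operationName.value`, `status.value`, `caller`, `resourceId`), the sample records are constructed, and the operation-to-category mapping is this example's own choice.

```python
"""Flag Azure Activity Log events the baseline says should alert on.

Added example, not code from the original page. Records follow the shape
returned by `az monitor activity-log list -o json`; SAMPLE_RECORDS below
are constructed and the operation-to-category mapping is this example's own.
"""
from __future__ import annotations
import json

# Operation names (lower-cased for matching) worth alerting on, with a category.
ALERT_RULES = {
    "microsoft.authorization/roleassignments/write": "role-assignment-change",
    "microsoft.authorization/roleassignments/delete": "role-assignment-change",
    "microsoft.authorization/policyassignments/write": "policy-change",
    "microsoft.authorization/policyassignments/delete": "policy-change",
    "microsoft.authorization/policyexemptions/write": "policy-change",
    "microsoft.security/pricings/write": "defender-plan-change",
    "microsoft.insights/diagnosticsettings/delete": "logging-change",
    "microsoft.network/networksecuritygroups/securityrules/write": "nsg-rule-change",
}

# Constructed sample: a role assignment (Started + Succeeded pair), a policy
# assignment deletion, a routine VM start, a Defender plan write, a failed delete.
SAMPLE_RECORDS = json.loads("""[
  {"eventTimestamp": "2024-05-01T09:00:00Z", "caller": "alice@example.com",
   "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
   "status": {"value": "Started"},
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"},
  {"eventTimestamp": "2024-05-01T09:00:02Z", "caller": "alice@example.com",
   "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
   "status": {"value": "Succeeded"},
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"},
  {"eventTimestamp": "2024-05-01T09:05:00Z", "caller": "bob@example.com",
   "operationName": {"value": "Microsoft.Authorization/policyAssignments/delete"},
   "status": {"value": "Succeeded"},
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/require-private-endpoints"},
  {"eventTimestamp": "2024-05-01T09:10:00Z", "caller": "ops-pipeline",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
   "status": {"value": "Succeeded"},
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/app/providers/Microsoft.Compute/virtualMachines/web01"},
  {"eventTimestamp": "2024-05-01T09:20:00Z", "caller": "carol@example.com",
   "operationName": {"value": "Microsoft.Security/pricings/write"},
   "status": {"value": "Succeeded"},
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/pricings/VirtualMachines"},
  {"eventTimestamp": "2024-05-01T09:30:00Z", "caller": "dave@example.com",
   "operationName": {"value": "Microsoft.Insights/diagnosticSettings/delete"},
   "status": {"value": "Failed"},
   "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Insights/diagnosticSettings/central"}
]""")


def classify(records: list[dict]) -> list[dict]:
    """Return one alert per succeeded record whose operation is in ALERT_RULES.

    Only 'Succeeded' entries count: the Activity Log also writes 'Started' and
    'Failed' entries for the same operation, which would double-count changes.
    """
    alerts = []
    for rec in records:
        op = ((rec.get("operationName") or {}).get("value") or "").lower()
        status = (rec.get("status") or {}).get("value") or ""
        category = ALERT_RULES.get(op)
        if category is None or status != "Succeeded":
            continue
        alerts.append({
            "category": category,
            "operation": op,
            "caller": rec.get("caller") or "<unknown>",
            "resource": rec.get("resourceId") or "",
            "time": rec.get("eventTimestamp") or "",
        })
    return alerts


def summarize(alerts: list[dict]) -> dict[str, int]:
    """Count alerts per category, e.g. for a daily digest."""
    counts: dict[str, int] = {}
    for alert in alerts:
        counts[alert["category"]] = counts.get(alert["category"], 0) + 1
    return counts


if __name__ == "__main__":
    found = classify(SAMPLE_RECORDS)
    for alert in found:
        print(f"[{alert['category']}] {alert['time']} {alert['caller']} -> {alert['resource']}")
    print(summarize(found))
```

Run against the constructed sample it yields three alerts (a role assignment change, a policy assignment deletion, a Defender plan write) and ignores the VM start and the failed delete. In production the same logic belongs in a Log Analytics alert rule or a SIEM correlation rule reading the exported Activity Log rather than in a polling script.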
Network and data
- prefer private endpoints and private networking where practical
- review NSGs deliberately
- harden storage accounts and data access patterns
- use Key Vault for secrets, keys, and certificates
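To make the NSG and storage items above checkable, here is an added example (not code from the original page) that evaluates NSG inbound rules and storage account settings from JSON in the shape that `az network nsg list -o json` and `az storage account list -o json` return (camelCase keys such as `securityRules`, `allowBlobPublicAccess`, `enableHttpsTrafficOnly`, `minimumTlsVersion`, `networkRuleSet.defaultAction`). The sample data is constructed, and the sensitive-port list is this example's own choice.

```python
"""Posture checks for NSG inbound rules and storage account settings.

Added example, not code from the original page. Inputs follow the JSON shape
of `az network nsg list -o json` and `az storage account list -o json`; the
sample data below is constructed and the port list is this example's choice.
"""
from __future__ import annotations

BROAD_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}
# Ports whose exposure to every source address is almost never intended.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB", 1433: "MSSQL",
                   3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}

def _port_ranges(rule: dict) -> list[tuple[int, int]]:
    """Expand destinationPortRange / destinationPortRanges into (lo, hi) pairs."""
    raw = [str(p) for p in (rule.get("destinationPortRanges") or [])]
    if rule.get("destinationPortRange"):
        raw.append(str(rule["destinationPortRange"]))
    ranges = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            lo, hi = item.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges

def _broad_source(rule: dict) -> bool:
    prefixes = [str(p) for p in (rule.get("sourceAddressPrefixes") or [])]
    if rule.get("sourceAddressPrefix"):
        prefixes.append(str(rule["sourceAddressPrefix"]))
    return any(p.lower() in BROAD_SOURCES for p in prefixes)

def nsg_findings(nsgs: list[dict]) -> list[dict]:
    """Inbound Allow rules open to any source that reach a sensitive port."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules") or []:
            if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
                continue
            if not _broad_source(rule):
                continue
            ranges = _port_ranges(rule)
            exposed = [name for port, name in SENSITIVE_PORTS.items()
                       if any(lo <= port <= hi for lo, hi in ranges)]
            if exposed:
                findings.append({"nsg": nsg.get("name"), "rule": rule.get("name"),
                                 "priority": rule.get("priority"), "exposed": exposed})
    return findings

def storage_findings(accounts: list[dict]) -> list[dict]:
    """Settings behind the baseline's 'harden storage accounts' item."""
    findings = []
    for acct in accounts:
        issues = []
        if acct.get("allowBlobPublicAccess") is not False:
            issues.append("anonymous blob access not disabled")
        if acct.get("enableHttpsTrafficOnly") is not True:
            issues.append("secure transfer (HTTPS only) not enforced")
        if acct.get("minimumTlsVersion") not in ("TLS1_2", "TLS1_3"):
            issues.append(f"minimum TLS is {acct.get('minimumTlsVersion') or 'unset'}")
        net = acct.get("networkRuleSet") or {}
        if acct.get("publicNetworkAccess") != "Disabled" and net.get("defaultAction") != "Deny":
            issues.append("reachable from all networks (no private access pattern)")
        if acct.get("allowSharedKeyAccess") is not False:
            issues.append("shared key access enabled (prefer Entra ID auth)")
        if issues:
            findings.append({"account": acct.get("name"), "issues": issues})
    return findings

# Constructed sample inputs: one weak and one hardened storage account, one NSG.
SAMPLE_ACCOUNTS = [
    {"name": "legacydata01", "allowBlobPublicAccess": True, "enableHttpsTrafficOnly": False,
     "minimumTlsVersion": "TLS1_0", "networkRuleSet": {"defaultAction": "Allow"},
     "publicNetworkAccess": "Enabled", "allowSharedKeyAccess": None},
    {"name": "hardened02", "allowBlobPublicAccess": False, "enableHttpsTrafficOnly": True,
     "minimumTlsVersion": "TLS1_2", "networkRuleSet": {"defaultAction": "Deny"},
     "publicNetworkAccess": "Disabled", "allowSharedKeyAccess": False},
]
SAMPLE_NSGS = [{"name": "app-nsg", "securityRules": [
    {"name": "allow-ssh-any", "direction": "Inbound", "access": "Allow", "priority": 100,
     "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-web", "direction": "Inbound", "access": "Allow", "priority": 110,
     "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "allow-rdp-office", "direction": "Inbound", "access": "Allow", "priority": 120,
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
    {"name": "deny-all-in", "direction": "Inbound", "access": "Deny", "priority": 4000,
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]}]

if __name__ == "__main__":
    for finding in storage_findings(SAMPLE_ACCOUNTS) + nsg_findings(SAMPLE_NSGS):
        print(finding)
```

On the constructed input the weak account trips all five checks and only the `allow-ssh-any` rule is reported: the web rule is open to the internet but only on 80/443, and the RDP rule is scoped to one office prefix. A value of `null` for `allowSharedKeyAccess` is treated as enabled, which is how the platform behaves when the property has never been set.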
Top 10 Azure misconfigurations
| # | Misconfiguration | Why it is dangerous | Short fix |
|---|---|---|---|
| 1 | Too many Owners at subscription scope | Easy privilege abuse and weak accountability | Limit Owners, use PIM, separate admin duties |
| 2 | Users can register risky apps or consent broadly | Enables identity abuse and persistence | Tighten app registration and admin consent policies |
| 3 | Defender for Cloud not enabled or ignored | Weak posture visibility and missed recommendations | Enable it consistently and triage findings |
| 4 | No management group governance | Guardrails drift by subscription | Standardize policy and RBAC at management-group level |
| 5 | NSGs allow broad inbound access | Enlarged attack surface | Reduce exposure and use private access patterns |
| 6 | Key Vault access too broad or poorly monitored | Secret theft or silent misuse | Scope access carefully and monitor access patterns |
| 7 | Public storage or weak storage settings | Data exposure | Enforce secure transfer, private access, and strict keys/tokens |
| 8 | No PIM for privileged roles | Standing access becomes normal | Require just-in-time elevation where possible |
| 9 | Weak logging retention or fragmented diagnostics | Harder investigations and poor control evidence | Centralize logging and retention policy |
| 10 | Managed identities not used for automation | Secrets sprawl in pipelines and scripts | Prefer managed identities for workload auth |
Practical Azure checks

```shell
# Role assignments at every scope in the current subscription (active assignments only)
az role assignment list --all
# Azure Policy assignments in the current subscription
az policy assignment list
# Defender for Cloud plan tier per resource type
az security pricing list
# Storage accounts with their security-relevant settings
az storage account list
# The ten most recent Activity Log events
az monitor activity-log list --max-events 10
# Key Vaults in the current subscription
az keyvault list
```
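The identity items in the baseline (minimize Owner and User Access Administrator, keep ownership explicit, prefer PIM) and rows 1 and 8 of the table come down to reading the output of `az role assignment list --all`. The script below is an added example, not code from the original page, that audits that output for privileged assignments at subscription and management-group scope; the input follows the JSON shape of `az role assignment list --all -o json` (`roleDefinitionName`, `scope`, `principalName`, `principalType`), the sample is constructed, and the per-scope threshold is this example's own choice. One caveat worth knowing: the command lists only active assignments, so a permanent Owner and a PIM-activated Owner look identical here, and the audit treats every listed assignment as standing access.

```python
"""Audit privileged RBAC assignments at subscription and management-group scope.

Added example, not code from the original page. Input follows the JSON shape
of `az role assignment list --all -o json`; the sample below is constructed.
Caveat: only active assignments are listed, so a PIM-activated Owner and a
permanent Owner look the same here and both are treated as standing access.
"""
from __future__ import annotations

PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}


def scope_level(scope: str) -> str:
    """Classify an ARM scope: managementGroup, subscription, resourceGroup, resource, other."""
    s = scope.lower()
    if "/providers/microsoft.management/managementgroups/" in s:
        return "managementGroup"
    if "/resourcegroups/" in s:
        rest = s.split("/resourcegroups/", 1)[1]
        return "resource" if "/providers/" in rest else "resourceGroup"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "other"


def audit(assignments: list[dict], max_privileged_per_scope: int = 3) -> tuple[dict, list[str]]:
    """Group privileged assignments by broad scope and list what a reviewer should look at.

    Returns (holders_by_scope, findings). The threshold is this example's choice;
    the baseline only says to minimize Owner and User Access Administrator.
    """
    by_scope: dict[str, list[tuple[str, str, str]]] = {}
    for a in assignments:
        role = a.get("roleDefinitionName") or ""
        scope = a.get("scope") or ""
        if role not in PRIVILEGED_ROLES or scope_level(scope) not in ("subscription", "managementGroup"):
            continue
        who = a.get("principalName") or a.get("principalId") or "<unknown>"
        by_scope.setdefault(scope, []).append((who, a.get("principalType") or "", role))

    findings = []
    for scope, holders in by_scope.items():
        if len(holders) > max_privileged_per_scope:
            findings.append(f"{scope}: {len(holders)} privileged assignments (limit {max_privileged_per_scope})")
        for who, ptype, role in holders:
            if role == "User Access Administrator":
                # UAA manages role assignments, so it can grant itself Owner.
                findings.append(f"{scope}: {who} holds User Access Administrator and can grant Owner")
            if ptype == "Group":
                findings.append(f"{scope}: {role} is granted to group {who}; review membership")
    return by_scope, findings


# Constructed sample: a subscription with four Owners, one UAA, a Contributor,
# an Owner at resource-group scope, and a group holding Owner on a management group.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
MG = "/providers/Microsoft.Management/managementGroups/corp"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "carol@example.com", "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "dave@example.com", "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "erin@example.com", "principalType": "User", "roleDefinitionName": "User Access Administrator", "scope": SUB},
    {"principalName": "frank@example.com", "principalType": "User", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "grace@example.com", "principalType": "User", "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/sandbox"},
    {"principalName": "platform-admins", "principalType": "Group", "roleDefinitionName": "Owner", "scope": MG},
]

if __name__ == "__main__":
    holders, findings = audit(SAMPLE_ASSIGNMENTS)
    for scope, people in holders.items():
        print(scope, "->", ", ".join(f"{who} ({role})" for who, _, role in people))
    for line in findings:
        print("FINDING:", line)
```

Pipe `az role assignment list --all -o json` through `json.load` into `audit()` to run it on a real subscription. The resource-group Owner is deliberately left out of the report: the baseline targets subscription and management-group scope, and a separate pass with a different threshold is the sensible way to review narrower scopes.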
Design comments
- Management groups are strategic. They keep standards from fragmenting across subscriptions.
- Defender for Cloud is valuable, but only if recommendation triage and ownership are real.
- PIM changes culture by making privileged access visible and time-bound.
Official and primary references
- Microsoft Defender for Cloud
- Azure Policy
- Microsoft Cloud Security Benchmark
- CloudSecDocs Azure Security Baseline and Security Roadmap