Azure Security Best Practices 2026: 35 Critical Controls Every Organization Must Implement


Azure's shared responsibility model means Microsoft secures the cloud infrastructure, but you are responsible for securing what you put in it. Despite this well-documented model, 68% of cloud security incidents in 2025 were caused by customer misconfiguration, not platform vulnerabilities. The default Azure configuration is not secure enough for production workloads.
This guide covers 35 critical security controls organized into 7 domains, prioritized by risk impact. Each control includes the specific Azure service, configuration steps, and which Microsoft Defender for Cloud benchmark it satisfies. After implementing these controls across 300+ Azure environments, we consistently achieve Defender for Cloud Secure Scores above 85%.
Azure Security Maturity Assessment
Before implementing controls, assess your current posture:
| Maturity Level | Secure Score Range | Typical Gaps | Risk Level |
|---|---|---|---|
| Level 1: Basic | 0-30% | No MFA, public endpoints, no monitoring | Critical |
| Level 2: Developing | 30-55% | MFA enabled but gaps, basic networking, some logging | High |
| Level 3: Defined | 55-75% | Good identity controls, network gaps, limited monitoring | Medium |
| Level 4: Managed | 75-90% | Comprehensive controls, fine-tuning needed | Low |
| Level 5: Optimized | 90%+ | Continuous improvement, automated response | Minimal |
Domain 1: Identity & Access Management (Controls 1-8)
Identity is the new security perimeter. 80% of cloud breaches involve compromised credentials.
| # | Control | Priority | Azure Service | Implementation |
|---|---|---|---|---|
| 1 | Enforce MFA for all users | Critical | Entra ID Conditional Access | Create CA policy: All Users → All Cloud Apps → Require MFA |
| 2 | Block legacy authentication | Critical | Entra ID Conditional Access | Create CA policy: Block access for legacy auth clients |
| 3 | Implement Privileged Identity Management (PIM) | Critical | Entra ID PIM | Convert permanent admin roles to eligible (JIT) assignments |
| 4 | Enforce least-privilege RBAC | High | Azure RBAC | Replace Owner/Contributor with specific roles per resource |
| 5 | Configure emergency access accounts | High | Entra ID | Create 2 break-glass accounts, exclude from CA, monitor usage |
| 6 | Enable risk-based Conditional Access | High | Entra ID P2 | Block high-risk sign-ins, require MFA for medium-risk |
| 7 | Implement access reviews | Medium | Entra ID Access Reviews | Quarterly reviews for privileged roles and guest access |
| 8 | Configure cross-tenant access policies | Medium | Entra ID External Identities | Restrict which external tenants can collaborate |
Why MFA Alone Isn't Enough
MFA blocks 99.9% of automated attacks, but sophisticated threat actors use MFA fatigue attacks, adversary-in-the-middle proxies, and SIM-swapping. Layer MFA with:
- Phishing-resistant MFA: FIDO2 security keys or Windows Hello for Business
- Conditional Access: Device compliance requirements + location-based policies
- Continuous Access Evaluation (CAE): Revokes tokens in real-time when risk is detected
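The three policies that Controls 1, 2 and 5 describe, expressed with the Microsoft Graph PowerShell SDK. This is an added example, not configuration from the article or from Medha Cloud; it assumes the `Microsoft.Graph` module is installed and that the two break-glass object IDs are replaced with your own. Each policy is created in report-only mode first so the sign-in logs can be reviewed before enforcement, and the final loop is the check that every policy in the tenant still excludes the break-glass accounts, which is the misconfiguration that locks administrators out.

```powershell
# Added example (not from the original article): Controls 1, 2 and 5 as Conditional Access policies.
# Requires: Install-Module Microsoft.Graph; an account holding Conditional Access Administrator.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Placeholders: object IDs of the two emergency access accounts from Control 5.
$breakGlassIds = @('<break-glass-1-object-id>', '<break-glass-2-object-id>')

# Control 1: MFA for every user on every cloud app. Start in report-only, then set state = 'enabled'.
$requireMfa = @{
    displayName   = 'CA001 - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Control 2: legacy protocols cannot complete an MFA challenge, so they are blocked outright.
# 'exchangeActiveSync' and 'other' are the Graph client app types that cover legacy authentication.
$blockLegacy = @{
    displayName   = 'CA002 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Phishing-resistant MFA (FIDO2 / Windows Hello for Business) for Global Administrators,
# using the built-in 'Phishing-resistant MFA' authentication strength.
$adminStrongMfa = @{
    displayName   = 'CA003 - Phishing-resistant MFA for Global Administrators'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeRoles = @('62e90394-69f5-4237-9190-012177145e10')  # Global Administrator role template ID
            excludeUsers = $breakGlassIds
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }  # built-in strength ID
    }
}

foreach ($policy in @($requireMfa, $blockLegacy, $adminStrongMfa)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}

# Check: every policy in the tenant must exclude the break-glass accounts. A single policy that
# does not is enough to lock out all administrators when that policy misfires.
foreach ($p in (Get-MgIdentityConditionalAccessPolicy -All)) {
    $missing = $breakGlassIds | Where-Object { $_ -notin $p.Conditions.Users.ExcludeUsers }
    if ($missing) {
        Write-Warning "Policy '$($p.DisplayName)' does not exclude break-glass account(s): $($missing -join ', ')"
    }
}
```

Leave the policies in report-only for at least a week, read the "Report-only" results in the sign-in logs, and only then change `state` to `enabled`; the break-glass check should run on a schedule, since any later policy someone adds by hand is the one most likely to miss the exclusion.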
Domain 2: Network Security (Controls 9-15)
| # | Control | Priority | Azure Service | Implementation |
|---|---|---|---|---|
| 9 | Implement Network Security Groups (NSGs) | Critical | Azure NSGs | Apply NSGs to all subnets, deny-all default, allow specific traffic |
| 10 | Use Private Endpoints for PaaS services | Critical | Azure Private Link | Disable public endpoints for storage, SQL, Key Vault, etc. |
| 11 | Deploy Azure Firewall or NVA | High | Azure Firewall Premium | Centralized egress filtering, TLS inspection, IDPS |
| 12 | Enable DDoS Protection | High | Azure DDoS Protection | Enable DDoS Protection Standard on VNets with public IPs |
| 13 | Implement hub-spoke network topology | High | VNet Peering + Azure Firewall | Central hub for shared services, spokes for workloads |
| 14 | Enable NSG Flow Logs | Medium | Network Watcher | Enable flow logs for all NSGs, send to Log Analytics |
| 15 | Restrict management port access | Critical | Azure Bastion / JIT VM Access | Replace public RDP/SSH with Bastion or JIT access |
Zero Trust Network Architecture
The traditional "castle and moat" approach fails in the cloud. Implement Zero Trust networking:
- Microsegmentation: Use NSGs and Azure Firewall to segment workloads — even within the same VNet, restrict east-west traffic
- Identity-based access: Use Azure AD Application Proxy instead of VPN for web applications
- Encrypt all traffic: TLS 1.2+ for all connections, even internal
- Assume breach: Design networks so that compromising one workload doesn't give access to others
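Controls 9 and 15 and the microsegmentation point above, as an added Az PowerShell example (not from the article): an NSG whose last rule denies all inbound traffic, with narrow allows above it, associated with a workload subnet. Resource group, VNet, subnet and address prefixes are assumed placeholders. The explicit deny at priority 4096 is what actually restricts east-west traffic, because the platform's default `AllowVnetInBound` rule sits at priority 65000 and would otherwise permit anything inside the VNet; the same deny also overrides the default load-balancer probe allow, so that probe traffic needs its own rule.

```powershell
# Added example (not from the original article): deny-by-default NSG for an app subnet (Controls 9, 15).
$rg             = 'rg-prod-network'   # assumed
$location       = 'eastus'            # assumed
$vnetName       = 'vnet-prod-spoke'   # assumed
$subnetName     = 'snet-app'          # assumed
$appPrefix      = '10.10.1.0/24'      # assumed address space of snet-app
$frontendPrefix = '10.10.0.0/24'      # assumed Application Gateway / frontend subnet
$bastionPrefix  = '10.10.255.0/26'    # assumed AzureBastionSubnet prefix

$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Https-From-Frontend' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $frontendPrefix -SourcePortRange '*' `
        -DestinationAddressPrefix $appPrefix -DestinationPortRange 443

    # Control 15: RDP/SSH only from the Bastion subnet, never from the Internet.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Mgmt-From-Bastion' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $bastionPrefix -SourcePortRange '*' `
        -DestinationAddressPrefix $appPrefix -DestinationPortRange @('22', '3389')

    # The explicit deny below also overrides the default AllowAzureLoadBalancerInBound (65001),
    # so health probes need their own allow or load-balanced VMs go unhealthy.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-LoadBalancer-Probes' -Priority 120 `
        -Direction Inbound -Access Allow -Protocol '*' `
        -SourceAddressPrefix 'AzureLoadBalancer' -SourcePortRange '*' `
        -DestinationAddressPrefix $appPrefix -DestinationPortRange '*'

    # 4096 is the lowest custom priority; it still beats the default AllowVnetInBound (65000),
    # so east-west traffic from other subnets in the same VNet is denied too.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' -Priority 4096 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "nsg-$subnetName" -SecurityRules $rules

# Associate the NSG with the subnet (Control 9: NSGs on all subnets).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $appPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: any rule in the subscription that still allows inbound traffic from any source.
Get-AzNetworkSecurityGroup | ForEach-Object {
    $nsgName = $_.Name
    $_.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and (
            $_.SourceAddressPrefix -contains '*' -or
            $_.SourceAddressPrefix -contains 'Internet' -or
            $_.SourceAddressPrefix -contains '0.0.0.0/0')
    } | Select-Object @{ n = 'Nsg'; e = { $nsgName } }, Name, Priority, DestinationPortRange
}
```

Outbound is left to the hub firewall in this topology (Controls 11 and 13); if the subnet must reach the Internet directly, add the corresponding outbound allows and an outbound deny-all at 4096 in the same way.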
Domain 3: Compute Security (Controls 16-21)
| # | Control | Priority | Azure Service | Implementation |
|---|---|---|---|---|
| 16 | Enable Microsoft Defender for Servers | Critical | Defender for Cloud P2 | Enable on all subscriptions, covers VMs, Arc-enabled servers |
| 17 | Enable automatic OS patching | Critical | Azure Update Manager | Configure automatic patching schedules for all VMs |
| 18 | Enable disk encryption | High | Azure Disk Encryption / SSE | Enable encryption at host or Azure Disk Encryption on all VMs |
| 19 | Use managed identities instead of service principals | High | Managed Identity | Replace API keys and service principal secrets with managed identities |
| 20 | Enable Defender for Containers | High | Defender for Containers | Scan container images, runtime protection for AKS |
| 21 | Implement VM baseline compliance | Medium | Azure Policy Guest Configuration | Apply CIS benchmarks via Guest Configuration policies |
Domain 4: Data Security (Controls 22-27)
| # | Control | Priority | Azure Service | Implementation |
|---|---|---|---|---|
| 22 | Enable Azure Key Vault for secrets management | Critical | Azure Key Vault | Store all secrets, keys, certificates in Key Vault — never in code |
| 23 | Enable storage account security | Critical | Storage Account settings | Require HTTPS, disable anonymous access, enable soft delete |
| 24 | Enable SQL Database Transparent Data Encryption | High | Azure SQL TDE | Enable TDE on all SQL databases (on by default for new DBs) |
| 25 | Enable SQL Advanced Threat Protection | High | Defender for SQL | Detects SQL injection, anomalous access, brute force |
| 26 | Implement data classification | Medium | Purview Data Map | Discover, classify, and label sensitive data across Azure |
| 27 | Configure backup and disaster recovery | Critical | Azure Backup + Site Recovery | Backup all VMs and databases, test DR annually |
Key Vault Best Practices
- Enable soft delete and purge protection — prevents accidental or malicious deletion of secrets
- Use RBAC for data plane access — more granular than access policies
- Enable diagnostic logging — audit who accessed which secrets and when
- Rotate secrets automatically — Key Vault supports automatic rotation for storage account keys
- Use one Key Vault per environment — separate dev/staging/production secrets
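Controls 19, 22 and 23 and the Key Vault practices above, as an added Az PowerShell example (not from the article or from Medha Cloud): a storage account hardened to HTTPS/TLS 1.2 with anonymous access and public network access off and soft delete on, a Key Vault with purge protection, RBAC data-plane authorization, network deny-by-default and audit logging to Log Analytics, and a VM system-assigned managed identity granted read access to secrets instead of a stored secret. All names, the workspace resource ID and the VM are assumed placeholders.

```powershell
# Added example (not from the original article): storage + Key Vault hardening (Controls 19, 22, 23).
$rg          = 'rg-prod-data'        # assumed
$location    = 'eastus'              # assumed
$storageName = 'stprodapp001'        # assumed; must be globally unique
$vaultName   = 'kv-prod-app-001'     # assumed; must be globally unique
$workspaceId = '/subscriptions/<sub-id>/resourceGroups/rg-prod-mon/providers/Microsoft.OperationalInsights/workspaces/law-prod'  # placeholder

# Control 23: HTTPS only, TLS 1.2 minimum, no anonymous blob access, no public network access.
# -PublicNetworkAccess Disabled assumes clients reach the account over a private endpoint (Control 10).
# -AllowSharedKeyAccess $false forces Entra ID authentication; enable it only after every client uses it.
Set-AzStorageAccount -ResourceGroupName $rg -Name $storageName `
    -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 `
    -AllowBlobPublicAccess $false -AllowSharedKeyAccess $false `
    -PublicNetworkAccess Disabled | Out-Null

# Soft delete for blobs and containers: recoverable window after accidental or malicious deletion.
Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $storageName -RetentionDays 14
Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $storageName -RetentionDays 14

# Control 22: soft delete is always on for new vaults; purge protection makes deletion irreversible
# within the retention window; RBAC authorization replaces per-vault access policies.
$kv = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -EnableRbacAuthorization -EnablePurgeProtection -SoftDeleteRetentionInDays 90

# Deny-by-default network rules; trusted Microsoft services may bypass, everything else needs a private endpoint.
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -ResourceGroupName $rg `
    -DefaultAction Deny -Bypass AzureServices

# Diagnostic logging: AuditEvent records who read or changed which secret, key or certificate, and when.
$auditLog = New-AzDiagnosticSettingLogSettingsObject -Category AuditEvent -Enabled $true
New-AzDiagnosticSetting -Name 'kv-audit-to-law' -ResourceId $kv.ResourceId `
    -WorkspaceId $workspaceId -Log $auditLog | Out-Null

# Control 19: give the VM a system-assigned identity and let it read secrets with no stored credential.
$vmRg = 'rg-prod-app'   # assumed
$vmName = 'vm-app-01'   # assumed
$vm = Get-AzVM -ResourceGroupName $vmRg -Name $vmName
if (-not $vm.Identity) {
    Update-AzVM -ResourceGroupName $vmRg -VM $vm -IdentityType SystemAssigned | Out-Null
    $vm = Get-AzVM -ResourceGroupName $vmRg -Name $vmName
}
New-AzRoleAssignment -ObjectId $vm.Identity.PrincipalId `
    -RoleDefinitionName 'Key Vault Secrets User' -Scope $kv.ResourceId | Out-Null

# Check: confirm the protections are actually set on the vault.
Get-AzKeyVault -VaultName $vaultName |
    Select-Object VaultName, EnableSoftDelete, EnablePurgeProtection, EnableRbacAuthorization
```

"Key Vault Secrets User" grants read on secret values only; the role assignment should be scoped to the vault (or a single secret) rather than the resource group, and a separate vault per environment keeps a production identity from ever being eligible for a dev vault's secrets.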
Domain 5: Monitoring & Threat Detection (Controls 28-32)
| # | Control | Priority | Azure Service | Implementation |
|---|---|---|---|---|
| 28 | Enable Microsoft Defender for Cloud | Critical | Defender for Cloud | Enable all Defender plans on all subscriptions |
| 29 | Configure centralized logging | Critical | Log Analytics Workspace | Send all Azure activity, diagnostic, and security logs to central workspace |
| 30 | Deploy Microsoft Sentinel | High | Microsoft Sentinel | Enable SIEM/SOAR for automated threat detection and response |
| 31 | Enable Azure Activity Log alerts | High | Azure Monitor | Alert on critical actions: role assignments, policy changes, resource deletions |
| 32 | Implement diagnostic settings on all resources | Medium | Azure Monitor Diagnostic Settings | Route metrics and logs from all resources to Log Analytics |
Critical Alerts to Configure
| Alert | Condition | Severity | Response |
|---|---|---|---|
| Global admin role assigned | Activity log: Role assignment created for Global Admin | Critical | Verify legitimacy within 15 minutes |
| NSG rule modified to allow all inbound | Activity log: NSG rule 0.0.0.0/0 inbound added | Critical | Immediately verify, likely revert |
| Key Vault access from unusual IP | Key Vault diagnostic logs | High | Investigate access, rotate affected secrets |
| VM created in unusual region | Activity log: VM creation outside approved regions | High | Verify legitimacy; may indicate crypto mining |

| Storage account public access enabled | Policy compliance change | High | Disable public access, investigate data exposure |
| Large number of failed sign-ins | Entra ID sign-in logs | Medium | Investigate potential brute force attack |
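Three of the alert conditions in the table, evaluated in PowerShell against activity-log records, as an added example that is not part of the article. The records are constructed sample data in a simplified `AzureActivity`-style shape (`operationName`, `resourceLocation`, `requestbody`); the field names are assumptions, real exports carry many more fields, and the rule body is only present when the platform logs it. For the role-assignment condition the Azure RBAC analogue of the table's row is used (Owner and User Access Administrator, which are Azure roles and therefore appear in the Activity log), since Global Administrator is an Entra ID role logged in the Entra audit logs.

```powershell
# Added example (not from the original article): evaluating alert conditions over constructed activity-log records.
$approvedRegions   = @('eastus', 'westeurope')                 # assumed approved regions
$privilegedRoleIds = @(
    '8e3af657-a8ff-443c-a75c-2fe8c4bcb635',  # Owner (built-in role definition ID)
    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'   # User Access Administrator (built-in role definition ID)
)

# Constructed sample records: one benign VM write, one NSG rule open to the world, one VM in an
# unapproved region, one Owner assignment. <sub> and <obj-id> are placeholders.
$sampleEvents = @'
[
  { "operationName": "Microsoft.Compute/virtualMachines/write", "caller": "ops@contoso.example",
    "callerIpAddress": "198.51.100.7", "resourceLocation": "eastus",
    "resourceId": "/subscriptions/<sub>/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-app-01", "requestbody": "{}" },
  { "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write", "caller": "dev@contoso.example",
    "callerIpAddress": "203.0.113.10", "resourceLocation": "eastus",
    "resourceId": "/subscriptions/<sub>/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-app/securityRules/Allow-RDP",
    "requestbody": "{\"properties\":{\"access\":\"Allow\",\"direction\":\"Inbound\",\"protocol\":\"Tcp\",\"sourceAddressPrefix\":\"0.0.0.0/0\",\"destinationPortRange\":\"3389\"}}" },
  { "operationName": "Microsoft.Compute/virtualMachines/write", "caller": "svc-deploy@contoso.example",
    "callerIpAddress": "203.0.113.55", "resourceLocation": "brazilsouth",
    "resourceId": "/subscriptions/<sub>/resourceGroups/rg-tmp/providers/Microsoft.Compute/virtualMachines/vm-miner-01", "requestbody": "{}" },
  { "operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "dev@contoso.example",
    "callerIpAddress": "203.0.113.10", "resourceLocation": "",
    "resourceId": "/subscriptions/<sub>/providers/Microsoft.Authorization/roleAssignments/<assignment-id>",
    "requestbody": "{\"properties\":{\"roleDefinitionId\":\"/subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\",\"principalId\":\"<obj-id>\"}}" }
]
'@ | ConvertFrom-Json

function Get-CriticalActivityFindings {
    param([object[]]$Events)
    foreach ($e in $Events) {
        $body = if ($e.requestbody) { $e.requestbody | ConvertFrom-Json } else { $null }
        switch ($e.operationName) {
            'Microsoft.Network/networkSecurityGroups/securityRules/write' {
                $rule = $body.properties
                $anySource = $rule.sourceAddressPrefix -in @('*', '0.0.0.0/0', 'Internet')
                if ($rule.access -eq 'Allow' -and $rule.direction -eq 'Inbound' -and $anySource) {
                    [pscustomobject]@{ Severity = 'Critical'; Alert = 'NSG rule allows inbound from any source'
                        Caller = $e.caller; Resource = $e.resourceId; Detail = "ports $($rule.destinationPortRange)" }
                }
            }
            'Microsoft.Compute/virtualMachines/write' {
                if ($e.resourceLocation -notin $approvedRegions) {
                    [pscustomobject]@{ Severity = 'High'; Alert = 'VM created outside approved regions'
                        Caller = $e.caller; Resource = $e.resourceId; Detail = "region $($e.resourceLocation)" }
                }
            }
            'Microsoft.Authorization/roleAssignments/write' {
                $roleId = ($body.properties.roleDefinitionId -split '/')[-1]
                if ($roleId -in $privilegedRoleIds) {
                    [pscustomobject]@{ Severity = 'Critical'; Alert = 'Privileged Azure RBAC role assigned'
                        Caller = $e.caller; Resource = $e.resourceId; Detail = "roleDefinitionId $roleId" }
                }
            }
        }
    }
}

# Expected: three findings (NSG rule, VM in brazilsouth, Owner assignment); the first VM write is not flagged.
Get-CriticalActivityFindings -Events $sampleEvents | Sort-Object Severity | Format-Table -AutoSize
```

In production the same conditions belong in a Log Analytics (KQL) scheduled query or a Sentinel analytics rule over the `AzureActivity` table rather than a script, but the logic is identical: match on `OperationNameValue`, then filter on the rule body or region, and treat any Owner or User Access Administrator assignment by a non-PIM identity as a verify-within-minutes event.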
Domain 6: Governance & Compliance (Controls 33-35)
| # | Control | Priority | Azure Service | Implementation |
|---|---|---|---|---|
| 33 | Implement Azure Policy for guardrails | Critical | Azure Policy | Assign CIS benchmark initiative, enforce tagging, restrict regions |
| 34 | Enable management group hierarchy | High | Management Groups | Organize subscriptions by environment (Prod, Non-Prod, Sandbox) |
| 35 | Implement Azure Blueprints / Landing Zones | High | Azure Landing Zones | Deploy standardized, secure environments for new workloads |
Essential Azure Policies
- Allowed locations: Restrict resource deployment to approved regions
- Require encryption on storage accounts: Ensure all storage uses encryption
- Deny public IP addresses on NICs: Prevent accidental public exposure
- Require NSGs on subnets: Ensure all subnets have network security groups
- Audit VMs without Defender: Identify unprotected VMs
- Require resource tags: Enforce mandatory tagging for cost and accountability
- Deny certain VM SKUs: Prevent deployment of expensive or inappropriate VM sizes
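Two of the policies above ("Allowed locations" and "Deny public IP addresses on NICs") written as custom Azure Policy definitions and assigned at a management group with Az PowerShell, as an added example that is not from the article (the equivalent built-in definitions exist in the portal; custom ones are shown so the rule logic is visible). The management group name and region list are assumed. The compliance query at the end matters because a `deny` effect only blocks new or updated resources; anything deployed before the assignment stays in place and shows up as non-compliant until it is remediated.

```powershell
# Added example (not from the original article): Control 33 guardrails as custom policy definitions.
$mgName = 'mg-prod'   # assumed management group ID
$scope  = "/providers/Microsoft.Management/managementGroups/$mgName"

# Allowed locations. 'global' is excluded because resources such as DNS zones and Traffic Manager
# profiles legitimately report that location and would otherwise be denied.
$allowedLocationsRule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$allowedLocationsParams = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  }
}
'@
# Mode Indexed evaluates only resource types that support location and tags.
$locDef = New-AzPolicyDefinition -Name 'deny-unapproved-locations' `
    -DisplayName 'Allowed locations: deny deployments outside approved regions' `
    -Policy $allowedLocationsRule -Parameter $allowedLocationsParams `
    -Mode Indexed -ManagementGroupName $mgName

# Deny public IPs on NICs: any ipconfiguration carrying a publicIpAddress.id is rejected.
$noPublicNicRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Network/networkInterfaces" },
      { "not": {
          "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
          "notLike": "*"
      } }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$nicDef = New-AzPolicyDefinition -Name 'deny-public-ip-on-nic' `
    -DisplayName 'Deny public IP addresses on NICs' `
    -Policy $noPublicNicRule -Mode All -ManagementGroupName $mgName

# Assign both at the management group so every subscription beneath it inherits the guardrail.
New-AzPolicyAssignment -Name 'allowed-locations' -Scope $scope -PolicyDefinition $locDef `
    -PolicyParameterObject @{ allowedLocations = @('eastus', 'westeurope') } | Out-Null   # assumed regions
New-AzPolicyAssignment -Name 'deny-public-nic' -Scope $scope -PolicyDefinition $nicDef | Out-Null

# Check: deny does not touch existing resources. List what was already out of bounds before the assignment.
Get-AzPolicyState -ManagementGroupName $mgName -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object PolicyAssignmentName, ResourceId, ResourceLocation
```

Assign with `-EnforcementMode DoNotEnforce` first if the footprint is unknown; the compliance results then show what a later switch to enforcement would have denied without breaking any running deployment pipeline.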
Implementation Roadmap
| Phase | Timeline | Controls | Expected Secure Score |
|---|---|---|---|
| Phase 1: Critical | Week 1-2 | 1-3, 9-10, 15-16, 22-23, 27-28 | 45-55% |
| Phase 2: High Priority | Week 3-4 | 4-6, 11-13, 17-19, 24-25, 29-31 | 65-75% |
| Phase 3: Medium Priority | Week 5-8 | 7-8, 14, 20-21, 26, 32-35 | 80-90% |
| Phase 4: Optimization | Ongoing | Fine-tune policies, automated response, regular reviews | 90%+ |
Frequently Asked Questions
What's the minimum Azure security configuration for production?
At minimum: MFA for all users (Control 1), block legacy auth (Control 2), NSGs on all subnets (Control 9), private endpoints for PaaS (Control 10), no public RDP/SSH (Control 15), Defender for Cloud enabled (Control 28), and centralized logging (Control 29). These 7 controls address the most common attack vectors.
How much does Azure security cost?
Entra ID P2 is ~$9/user/month. Defender for Cloud Plan 2 is ~$15/server/month. Sentinel is usage-based (~$2.46/GB ingested). For a 50-VM environment, expect $1,500-3,000/month for comprehensive security. This is 5-10% of typical Azure spend — far less than the cost of a breach (average: $4.88M in 2025).
Should we use Azure Firewall or a third-party NVA?
Azure Firewall Premium is sufficient for most organizations and integrates natively with Azure monitoring and policy. Consider third-party NVAs (Palo Alto, Fortinet) only if you need specific features like application-layer inspection that Azure Firewall doesn't support, or if your organization has existing expertise with a specific vendor.
How do we secure hybrid environments (on-prem + Azure)?
Use Azure Arc to extend Azure security to on-premises servers, implement Azure AD Application Proxy instead of VPN for web apps, deploy Defender for Cloud on Arc-enabled servers, and use Azure Sentinel for unified threat detection across both environments. Our server management team specializes in securing hybrid infrastructure.
What compliance frameworks does Microsoft Defender for Cloud support?
Defender for Cloud includes regulatory compliance dashboards for CIS Benchmarks, NIST 800-53, PCI DSS, ISO 27001, SOC 2 TSC, HIPAA, and many more. Each dashboard maps your Azure controls to specific framework requirements and shows your compliance score. See our M365 Compliance Guide for complementary Microsoft 365 compliance configuration.
Get Expert Azure Security Configuration
Contact Medha Cloud for a comprehensive Azure security assessment. Our cloud security consultants will evaluate your current Azure environment against these 35 controls, identify critical gaps, and implement remediation — typically achieving an 85%+ Defender for Cloud Secure Score within 60 days.
For ongoing Azure security management, our managed IT services include continuous monitoring, threat response, and compliance management. We also offer white-label SOC services for MSPs who need to extend Azure security monitoring to their clients.

Sreenivasa Reddy G
Founder & CEO • 15+ years
Sreenivasa Reddy is the Founder and CEO of Medha Cloud, recognized as "Startup of the Year 2024" by The CEO Magazine. With over 15 years of experience in cloud infrastructure and IT services, he leads the company's vision to deliver enterprise-grade cloud solutions to businesses worldwide.

