Identity Is the Azure Perimeter
Azure breaches almost always start at Entra ID (formerly Azure AD), not at a VM or storage account. Get identity right and the rest gets dramatically easier:
- Conditional Access — require compliant device + phishing-resistant MFA for any privileged role.
- Privileged Identity Management (PIM) — make Global Admin and Owner roles just-in-time, with approval and time-bound activation.
- Workload identities — replace client secrets with Federated Identity Credentials (OIDC) wherever possible.
- Break-glass accounts — at least two, with FIDO2 keys stored physically, monitored aggressively.
Azure Policy as a Guardrail Engine
Azure Policy is the structural prevention layer. Apply at the management group level so subscriptions inherit:
- Deny resources in unapproved regions.
- Deny public IPs on VMs unless explicitly tagged for it.
- Require diagnostic settings to send to a central Log Analytics workspace.
- Require encryption with customer-managed keys for sensitive data services.
- Require a tag set (cost-center, owner, environment) on every resource.
Use the Microsoft Cloud Security Benchmark initiative as a starting baseline rather than authoring from scratch.
Networking: Private by Default
The default "public endpoint" for storage accounts, SQL databases, and Key Vaults is convenient and dangerous. The pattern that holds up:
- Private Endpoints for every PaaS service that supports them — storage, SQL, Cosmos DB, Key Vault, App Configuration.
- Disable public network access at the resource level once private endpoints are in place.
- Service endpoints + NSG as a fallback where private endpoints aren't supported.
- Azure Firewall or third-party NVA at the hub for egress filtering.