De4sec
De4sec Technology
de4sec.technology
🇦🇺 Australia

Azure Cloud Security Guide

How to secure your Azure environment — identity, workload protection, posture management, and centralised logging using the Microsoft security stack.

Prepared by
De4sec Technology
Contact
support@de4sec.technology
Edition
2026 · March
CONFIDENTIAL · FOR CLIENT USE ONLY
Contents
  1. Why Azure Security Is a Shared Responsibility
  2. Identity Security: Entra ID
  3. Microsoft Defender for Cloud
  4. Network Security
  5. Logging and Monitoring: Microsoft Sentinel
  6. De4sec Azure Security Service
01

Why Azure Security Is a Shared Responsibility

Microsoft secures the Azure platform — the physical infrastructure, hypervisor, and core services. You are responsible for securing everything you deploy on it: virtual machines, storage, identities, applications, and data.

The most common Azure breaches in 2026 are not exploits of Microsoft infrastructure. They are misconfigurations — public storage blobs, overprivileged identities, unpatched virtual machines, and no network segmentation.

Microsoft Secures             Customer Secures
-----------------             ----------------
Physical datacentres          Identity and access management
Hypervisor and hardware       Operating systems on VMs
Core Azure platform           Network configuration
Physical network              Application code and data
Availability SLA              Monitoring and detection
02

Identity Security: Entra ID

Privileged Identity Management (PIM)

✓ No standing admin roles — admins request access for specific tasks with time limits
✓ Approval workflows for sensitive roles
✓ MFA required for role activation
✓ All PIM activations logged and auditable

Conditional Access

✓ MFA enforced for all Azure portal access
✓ Admin console access restricted to compliant, managed devices
✓ Named location policies — flag access from unexpected geographies
✓ Risk-based access — Entra ID Identity Protection blocks risky sign-ins automatically

Service Principal Governance

✓ Audit all service principals and app registrations — remove unused ones
✓ Rotate service principal credentials on a regular schedule
✓ Scope permissions to the minimum required — avoid Contributor or Owner where Reader is sufficient
✓ Monitor service principal sign-in logs for anomalies
03

Microsoft Defender for Cloud

Defender for Cloud provides continuous security posture assessment across your Azure subscriptions. It identifies misconfigurations, compliance gaps, and active threats.

✓ Enable Defender for Cloud on all subscriptions — the free tier provides posture assessment
✓ Enable Defender plans for the resources you deploy: servers, SQL, storage, Key Vault, containers
✓ Secure Score — your overall posture metric. Target above 70% for an SMB baseline
✓ Security recommendations — prioritised list of actions to improve posture, with direct implementation links
✓ Regulatory compliance dashboard — assess against Essential Eight, ISO 27001, CIS benchmarks

Defender for Cloud's Secure Score is the single most useful starting point for Azure security. Enable it, address the high-severity recommendations, and you've resolved the most common Azure misconfigurations.

04

Network Security

Network Segmentation

✓ Use Virtual Networks (VNets) with subnets — don't deploy everything in a flat network
✓ Apply Network Security Groups (NSGs) to subnets — deny by default, allow by exception
✓ Use Azure Firewall or a Network Virtual Appliance for centralised egress filtering
✓ Separate production, development, and management networks

Remote Access

✓ No RDP or SSH directly exposed to the internet — use Azure Bastion or VPN Gateway
✓ Just-in-time VM access via Defender for Cloud — open management ports only when needed, for specific IPs
✓ Private endpoints for PaaS services — Azure SQL, Storage, Key Vault accessible only from within the VNet
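NSG rules are evaluated in priority order (lowest number first) and the first match wins, so a Deny rule placed behind a broad Allow does nothing. The script below is an added example, not De4sec's tooling, that checks the "deny by default" and "no RDP/SSH exposed" points above by computing the effective inbound access of an NSG for ports 22 and 3389 from the internet. NSG_BEFORE and NSG_AFTER are constructed in the shape `az network nsg show` prints; the default rules mirror Azure's built-in ones (priorities 65000, 65001 and 65500). Source matching is simplified: `*`, `Internet` and `0.0.0.0/0` are treated as internet-wide, and any other prefix matches only itself (no CIDR containment).

```python
"""Evaluate effective NSG inbound access for management ports from the internet.

Added example (not De4sec's tooling). NSG_BEFORE / NSG_AFTER are constructed
in the shape `az network nsg show` prints: securityRules plus Azure's
built-in defaultSecurityRules. Matching is simplified: a source of '*',
'Internet' or '0.0.0.0/0' is internet-wide; other prefixes match only
themselves (no CIDR containment).
"""

INTERNET_WIDE = {"*", "Internet", "0.0.0.0/0"}
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

DEFAULT_RULES = [  # Azure attaches these to every NSG; they cannot be deleted
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _rule(name, priority, access, source, ports, protocol="Tcp"):
    """Helper to build an inbound rule dict in the CLI's shape (sample data only)."""
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": source, "destinationPortRange": ports}


# Constructed sample: a web tier that someone opened RDP on "temporarily".
NSG_BEFORE = {
    "name": "web-tier-nsg",
    "securityRules": [
        _rule("AllowRDPFromAnywhere", 100, "Allow", "*", "3389"),       # the misconfiguration
        _rule("AllowSSHFromOffice", 110, "Allow", "203.0.113.0/24", "22"),
        _rule("AllowHttps", 120, "Allow", "Internet", "443"),
        _rule("DenyRDPFromInternet", 200, "Deny", "Internet", "3389"),  # never reached: 100 wins
    ],
    "defaultSecurityRules": DEFAULT_RULES,
}
# Hardened copy: the broad allow is gone, so the deny (and the default deny) apply.
NSG_AFTER = {**NSG_BEFORE, "securityRules": [
    r for r in NSG_BEFORE["securityRules"] if r["name"] != "AllowRDPFromAnywhere"]}


def _port_ranges(rule):
    """Normalise destinationPortRange / destinationPortRanges to (lo, hi) tuples."""
    raw = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ranges = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            lo, hi = item.split("-")
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def _source_matches(rule, source):
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    for prefix in prefixes:
        if prefix == "*" or prefix == source:
            return True
        if source == "Internet" and prefix in INTERNET_WIDE:
            return True
    return False


def effective_access(nsg, port, source="Internet", protocol="Tcp"):
    """First matching inbound rule in ascending priority decides; returns (access, rule name)."""
    rules = sorted(nsg["securityRules"] + nsg["defaultSecurityRules"], key=lambda r: r["priority"])
    for rule in rules:
        if rule["direction"] != "Inbound":
            continue
        if rule["protocol"] not in ("*", protocol):
            continue
        if not _source_matches(rule, source):
            continue
        if not any(lo <= port <= hi for lo, hi in _port_ranges(rule)):
            continue
        return rule["access"], rule["name"]
    return "Deny", "(no matching rule)"


def exposed_management_ports(nsg):
    """Return {port: rule name} for SSH/RDP that the internet can reach."""
    exposed = {}
    for port in MANAGEMENT_PORTS:
        access, name = effective_access(nsg, port)
        if access == "Allow":
            exposed[port] = name
    return exposed


if __name__ == "__main__":
    for nsg in (NSG_BEFORE, NSG_AFTER):
        print(nsg["name"], "exposed:", exposed_management_ports(nsg) or "none")
        for port in (22, 443, 3389):
            print("  port", port, "->", effective_access(nsg, port))
```

Running the check against NSG_BEFORE shows RDP reachable through `AllowRDPFromAnywhere` even though a deny rule for it exists further down; against NSG_AFTER it shows both management ports denied and only 443 open. Just-in-time access from Defender for Cloud works with the same mechanics: it inserts a short-lived Allow for the requester's IP ahead of the deny, which this evaluation would report as Allow only for that source and only while the rule exists.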

DDoS Protection

✓ Azure DDoS Protection Standard — for production workloads with public endpoints
✓ Application Gateway with WAF — protect web applications from OWASP Top 10 attacks
05

Logging and Monitoring: Microsoft Sentinel

All Azure resources generate logs. Without collection and analysis, you have no visibility into what's happening.

✓ Enable Diagnostic Settings on all resources — send logs to a Log Analytics workspace
✓ Azure Activity Log — all control plane actions (who changed what in the Azure portal)
✓ Microsoft Entra ID Sign-in Logs — all authentication activity
✓ Defender for Cloud alerts — forwarded to Microsoft Sentinel
✓ VM security events — forwarded via Azure Monitor Agent

Microsoft Sentinel Analytics

✓ Scheduled analytics rules — detect patterns across logs over time
✓ Near-real-time rules — alert within minutes of suspicious activity
✓ Threat intelligence matching — known attacker IPs and IOCs matched against your logs
✓ UEBA — User and Entity Behaviour Analytics, detect anomalous behaviour patterns
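To make the first and third bullets concrete, the script below is an added example, not De4sec's or Microsoft's code. It runs two detections over constructed sign-in records in the shape of the Sentinel `SigninLogs` table that the Entra ID sign-in connector (section 05 above) populates: a scheduled-rule style pattern (many failed sign-ins for one user from one IP inside a window, followed by a success from the same IP) and a threat-intelligence match of sign-in IPs against an indicator list. The `ResultType` values used are Entra's real codes (0 = success, 50126 = invalid username or password, 50053 = account locked); the IPs are from documentation ranges and the indicator list is constructed.

```python
"""Two Sentinel-style detections over constructed SigninLogs records.

Added example (not De4sec's or Microsoft's code). SIGNIN_LOGS mimics the
Sentinel SigninLogs table (ResultType is a string there, "0" = success).
TI_INDICATORS stands in for the NetworkIP indicators of the
ThreatIntelligenceIndicator table. All addresses are documentation ranges.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUCCESS = "0"
FAILURE_CODES = {"50126",   # invalid username or password
                 "50053"}   # account locked


def _ev(ts, user, ip, result):
    """Build one SigninLogs-shaped record (sample data helper)."""
    return {"TimeGenerated": ts, "UserPrincipalName": user, "IPAddress": ip,
            "ResultType": result, "AppDisplayName": "Azure Portal"}


# Constructed sample: alice is brute-forced then compromised; bob fat-fingers once;
# carol signs in from an address that appears in threat intelligence.
SIGNIN_LOGS = [
    _ev("2026-03-01T09:00:10Z", "alice@contoso.example", "198.51.100.7", "50126"),
    _ev("2026-03-01T09:01:05Z", "alice@contoso.example", "198.51.100.7", "50126"),
    _ev("2026-03-01T09:02:00Z", "alice@contoso.example", "198.51.100.7", "50126"),
    _ev("2026-03-01T09:03:15Z", "alice@contoso.example", "198.51.100.7", "50126"),
    _ev("2026-03-01T09:04:20Z", "alice@contoso.example", "198.51.100.7", "50126"),
    _ev("2026-03-01T09:05:40Z", "alice@contoso.example", "198.51.100.7", "50126"),
    _ev("2026-03-01T09:06:30Z", "alice@contoso.example", "198.51.100.7", "0"),
    _ev("2026-03-01T08:55:00Z", "bob@contoso.example", "203.0.113.5", "50126"),
    _ev("2026-03-01T08:56:10Z", "bob@contoso.example", "203.0.113.5", "0"),
    _ev("2026-03-01T10:15:00Z", "carol@contoso.example", "192.0.2.44", "0"),
]
TI_INDICATORS = {"192.0.2.44": "constructed indicator: credential-phishing infrastructure"}


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when >= threshold failures from one IP for one user precede a success
    from that IP within `window` (a scheduled-rule pattern; records may be unordered)."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["UserPrincipalName"], e["IPAddress"])].append(e)
    alerts = []
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: parse_ts(e["TimeGenerated"]))
        recent_failures = deque()  # failure timestamps still inside the window
        for e in evs:
            t = parse_ts(e["TimeGenerated"])
            while recent_failures and t - recent_failures[0] > window:
                recent_failures.popleft()
            if e["ResultType"] in FAILURE_CODES:
                recent_failures.append(t)
            elif e["ResultType"] == SUCCESS and len(recent_failures) >= threshold:
                alerts.append({"user": user, "ip": ip, "failures": len(recent_failures),
                               "success_at": e["TimeGenerated"]})
                recent_failures.clear()  # one alert per burst
    return alerts


def threat_intel_matches(events, indicators):
    """Return (user, ip, time, indicator description) for sign-ins from known-bad IPs,
    successful or not; a failed attempt from TI infrastructure is still worth seeing."""
    return [(e["UserPrincipalName"], e["IPAddress"], e["TimeGenerated"], indicators[e["IPAddress"]])
            for e in events if e["IPAddress"] in indicators]


if __name__ == "__main__":
    for a in brute_force_then_success(SIGNIN_LOGS):
        print("BRUTE-FORCE-THEN-SUCCESS", a)
    for m in threat_intel_matches(SIGNIN_LOGS, TI_INDICATORS):
        print("TI-MATCH", m)
```

The Sentinel equivalents are a scheduled rule over `SigninLogs` that summarises failures by user, IP and time bin and joins the successes, and a rule that joins `SigninLogs.IPAddress` to the indicator table; the logic is the same as above, and keeping a copy of it in code like this is a cheap way to unit-test the thresholds before changing the live rule.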
06

De4sec Azure Security Service

Architecture Review
Review current Azure environment against security best practices. Identify misconfigurations, overprovisioned identities, and network gaps.
Secure Baseline
Implement security baseline: PIM, Conditional Access, Defender for Cloud, NSGs, Bastion, private endpoints.
Microsoft Sentinel
Deploy Sentinel, configure data connectors, create analytics rules, establish monitoring cadence.
Ongoing Managed Security
Monthly Secure Score review, alert monitoring, quarterly architecture review, patch compliance for Azure VMs.
// NEXT STEP

Ready to implement this?

De4sec provides hands-on implementation. Book a free discovery call β€” we assess your environment at no cost, no obligation.

Book a Free Discovery Call → de4sec.technology
© 2026 DE4SEC TECHNOLOGY. ALL RIGHTS RESERVED.