Welcome to Part 3 of WEI’s Cloud Security Foundations series! Click here for Part 1 and here for Part 2. 

Thank you for following along with our cloud security series. Now, it’s time to talk about Azure. If you’re like most organizations, you likely already have a Microsoft footprint. Perhaps Office 365, Active Directory, or a few Windows servers. The good news? Azure can leverage a lot of what you already have. The challenge? Cloud security still requires an entirely fresh approach built on Zero Trust in Azure.

Azure often feels familiar yet different because it assumes a Microsoft footprint while demanding a cloud-first operating model, and today that model centers on Microsoft Entra ID, Defender for Cloud, Azure Policy, and Azure landing zones aligned to the Microsoft Cloud Security Benchmark.

Why Azure Feels Different (And Why That’s Actually Good)

Unlike AWS where you’re starting fresh, Azure assumes you’re probably already in the Microsoft ecosystem somewhere. That’s both a blessing and a curse. The blessing? Your existing Active Directory, Office 365 licenses, and Windows expertise all translate. The curse? It’s easy to assume your on-premises security approach will work in the cloud. Spoiler alert: it won’t.

Azure integrates deeply with Microsoft identity, productivity, and endpoint ecosystems, allowing existing investments to accelerate Azure cloud security adoption without replicating legacy perimeter assumptions in the cloud.

Success comes from reframing security around Zero Trust and the Microsoft Cloud Security Benchmark (MCSB), which provides prescriptive Azure-aware controls that Defender for Cloud evaluates by default.

The Five Pillars

Microsoft’s security approach maps to five practical areas that align to MCSB: Identity and Access Management, Network Security and Segmentation, Data Protection and Encryption, Threat Detection and Response, and Governance and Compliance.

The differentiation in Azure lies in how these controls are enforced by policy and measured continuously through Defender for Cloud Secure Score and Azure landing zone architectures at scale.

Phase 1 – Getting Your Foundation Right

Prefer Azure landing zones over Azure Blueprints, because Blueprints is being deprecated and Microsoft recommends Template Specs, Deployment Stacks, and policy-driven landing zones from the Cloud Adoption Framework.

Adopt a management group hierarchy with Azure Policy initiatives aligned to MCSB and deploy subscriptions via code to ensure consistent guardrails and inherited controls across platform and application landing zones. 

• Goal: Consistent deployments across subscriptions using landing zone patterns and policy assignments. 
• Success: Every subscription inherits the same baseline via management groups, policy, and RBAC. 
• Key tools: Management groups, Azure Policy, Template Specs, Deployment Stacks, and Azure landing zone accelerators. 

Starting actions:

• Establish platform landing zones for identity, connectivity, and management, followed by “vending” application landing zones with pre-applied policies and guardrails. 
• Apply the Microsoft Cloud Security Benchmark policy initiative and begin posture assessment in Defender for Cloud. 
• Centralize logging with Log Analytics and Azure Monitor as part of the management landing zone. 

Phase 2 – Zero Trust in Azure Identity 

This is where Azure gets interesting. Zero Trust sounds fancy, but it’s really “assume everyone’s a potential threat and make them prove otherwise every single time.”

The old way was “you’re inside the corporate network, so you must be fine.” The new way is “I don’t care if you’re the CEO sitting at your desk, you still need to prove who you are.”

Zero Trust means continuously verifying user, device, and session with least privilege enforced by policy across Microsoft Entra ID and connected apps and workloads, the foundation of Zero Trust in Azure.

Make MFA universal, apply Conditional Access with device and risk conditions, and use just‑in‑time elevation via Entra Privileged Identity Management to eliminate standing admin permissions.

• Goal: Verify every access request with strong authentication, device posture, and session risk. 
• Success: Universal MFA, Conditional Access baselines, Just-In-Time (JIT) admin via Entra PIM, and automated access reviews in Entra ID Governance. 
• Key tools: Entra ID (formerly Azure AD), Conditional Access, Identity Protection, Privileged Identity Management, and Entra ID Governance. 

Starting actions:

• Enable security defaults or equivalent Conditional Access policies to enforce MFA and block risky sign-ins quickly. 
• Configure Identity Protection signals in Conditional Access to restrict access when risk is medium or high. 
• Require PIM activation and approval workflows for all privileged roles, with logging to Sentinel. 

Phase 3 – Network and Data Security (The Boring But Critical Stuff)

Network security in Azure is like an onion. There are lots of layers, and it might make you cry if you don’t do it right. The good news is that Azure gives you plenty of tools. The bad news is that you have to use them.

Design network segmentation with hub-and-spoke or mesh topologies in landing zones, using Network Security Groups and Azure Firewall alongside Private Endpoints to constrain lateral movement and exposure. 

Encrypt data at rest and in transit by default, manage keys in Key Vault, and monitor traffic and flow logs as part of the platform landing zone’s “management” capabilities. 

• Security layers: Segmentation via NSGs/ASGs, centralized filtering via Azure Firewall, and private access for PaaS via Private Link/Endpoints. 
• Data protection: Default encryption at rest with options for customer-managed keys and policy enforcement to prevent drift. 
• Monitoring: Log Analytics and platform diagnostics for NSG flow logs and resource diagnostics scoped by management groups. 

Starting actions:

• Turn on Defender for Cloud to surface misconfigurations tied to MCSB, including encryption and network exposure findings that affect Secure Score. 
• Enforce policies for “no public IPs” where feasible and require Private Endpoints for eligible services via Azure Policy. 
• Centralize key management in Azure Key Vault and require CMK for sensitive stores as a policy-driven exception pattern. 

Phase 4 – Threat Detection (Finding the Bad Guys)

This is where Azure really flexes. Microsoft has two primary tools for this: Microsoft Defender for Cloud and Microsoft Sentinel. Think of Defender for Cloud as your security posture manager and Sentinel as your full-blown security operations center.

Starting actions:

• Enable Defender for Cloud across all subscriptions and connectors, and remediate MCSB-driven recommendations that most impact Secure Score. 
• Connect identity, endpoint, network, and cloud telemetry to Sentinel, enable relevant analytics rules, and deploy automation playbooks for common incident types. 
• Tune analytics and ML anomalies iteratively to cut false positives while preserving high-fidelity detection coverage. 

Phase 5 – Governance (Proving You’re Doing It Right)

Nobody loves compliance, but everybody needs it. Azure’s approach to governance is innovative. Instead of periodic audits, you get continuous compliance monitoring.

Starting actions:

• Apply the MCSB initiative and any required regulatory initiatives, enabling automatic remediation where safe to do so. 
• Use Secure Score in Defender for Cloud as the KPI for Azure control effectiveness and drive backlog items from the highest‑impact controls (for example, MFA, secure management ports, and vulnerability remediation). 

Keep Microsoft Secure Score separate to track identity and endpoint posture in the Microsoft 365 ecosystem without conflating the metrics.

Your Azure Security Roadmap

Stage 1 – Foundation
Establish your baseline environment by deploying Azure Blueprints to enforce standard configurations across all subscriptions. Establish your identity controls by integrating existing identity management solutions to enable single sign-on and multi-factor authentication for all users. Set up basic monitoring systems using Azure Monitor and Log Analytics to collect logs and metrics, providing essential visibility into your environment from the start.

Stage 2 – Security
Enhance your security posture by implementing comprehensive network segmentation using Network Security Groups and Azure Firewall. Deploy encryption for data at rest and in transit, ensuring all sensitive information is protected. Activate advanced threat detection tools like Microsoft Defender for Cloud and Microsoft Sentinel, and begin automating security responses to common alerts to reduce manual intervention and improve response times.

Stage 3 – Optimization
Refine your security operations by fine-tuning detection rules and policies to minimize false positives while maintaining strong security coverage. Automate compliance checks and remediations to ensure continuous adherence to your organization’s standards. Establish ongoing processes, including regular access reviews, incident response exercises, and security architecture assessments, to ensure your Azure environment remains resilient as it evolves.

The Reality Check

Here’s what nobody tells you about Azure cloud security: it’s powerful, but it’s also complex. The integration between services is impressive when it works, but troubleshooting can be a nightmare when something breaks.

The good news? Microsoft has invested heavily in documentation and training. The bad news? You’ll need to read a lot of it.

Wrap-Up

Azure cloud security isn’t just about buying Microsoft licenses and hoping for the best. It requires intentional architecture, ongoing tuning, and a team that understands both security principles and Azure specifics.

The advantage of Azure is that if you’re already invested in the Microsoft ecosystem, you can leverage a lot of what you already have. The challenge is that cloud security still requires a cloud-centric approach.

Got questions about Zero Trust in Azure implementation, Azure Blueprints, or why Microsoft keeps changing service names? Contact WEI for your Azure or cloud questions. We’re here to help you navigate this stuff.

Next up, we’ll tackle the big question: How do you manage security when you’re using multiple cloud providers? Stay tuned for our upcoming post on multi-cloud security strategies! For questions, please contact WEI or send me a message on LinkedIn.