Azure Security Baselines – What Most Teams Miss (But Really Shouldn’t)

Let’s be honest: most Azure deployments start out with good intentions. There’s usually a whiteboard, a diagram that looks suspiciously like a subway map, and at least one person confidently saying, “We’ll secure it properly once it’s running.”

But Azure security isn’t a seasoning you sprinkle on top of an already-cooked cloud stew. It’s the broth. The bones. The difference between “secure enough for a demo” and “secure enough that the auditors leave you alone.”

So let’s walk through the Azure security baselines (Microsoft publishes one per service, mapped to the Microsoft cloud security benchmark) - the parts most teams forget, skip, ignore, or promise to fix “next sprint.”
(Bless their optimistic hearts.)

1. Identity & Access Management (IAM)

A.K.A: The “keys to the kingdom” section, where things usually go a bit feral.

What Teams Miss

  • Letting service principals roam free with way too many permissions.

  • Conditional Access policies? Only applied to humans. Robots apparently get a free pass.

  • Legacy accounts nobody owns anymore, and those mythical “break glass” accounts nobody has tested (or monitored) since 2019.

  • No Privileged Access Workstation (PAW). Yes, Dave, accessing Azure Portal from your gaming PC is a bad idea.

  • Assigning tenant-wide roles because “it was faster.”

How Teams Can Fix It

IAM is where “least privilege” goes to die… unless you actively fight for it.

  • Apply least privilege ruthlessly and audit RBAC quarterly. (Quarterly = actually put it in the calendar.)

  • Enforce MFA + Conditional Access for every human, and put Conditional Access for workload identities on your service principals too. MFA doesn’t apply to a robot, but location and risk policies do. Bots need boundaries too.

  • Use Microsoft Entra (formerly Azure AD) Privileged Identity Management (PIM) so admin rights are eligible and time-boxed rather than permanently active, like Cinderella at midnight.

  • Rotate secrets automatically, or better: ditch them entirely and move to managed identities (or workload identity federation for pipelines running outside Azure).
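To make that quarterly RBAC review something you can actually run rather than just schedule, here is an added example (not from the original post) that scores role assignments against the three misses above: privileged roles at broad scope, service principals holding privileged roles, and humans with standing Owner. The input shape follows my understanding of `az role assignment list --all --include-inherited -o json` (camelCase keys); the sample assignments, principal names and subscription ID are constructed.

```python
"""Audit Azure RBAC assignments for the least-privilege failures described above.

Input shape mirrors `az role assignment list --all --include-inherited -o json`
(camelCase keys). SAMPLE_ASSIGNMENTS is constructed for illustration only.
"""

# Roles whose holders can expand their own (or someone else's) access.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator", "Contributor"}
BROAD_SCOPES = {"root", "managementGroup", "subscription"}


def scope_kind(scope: str) -> str:
    """Classify an ARM scope string by how much it covers."""
    if scope == "/":
        return "root"
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    parts = scope.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[0] == "subscriptions" and parts[2] == "resourceGroups":
        return "resourceGroup"
    return "resource"


def audit_role_assignments(assignments):
    """Return one finding per rule violated, so the review has a worklist."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        kind = scope_kind(a["scope"])
        who = a.get("principalName") or a.get("principalId", "?")
        ptype = a.get("principalType", "")

        # Rule 1: privileged role granted above resource-group level.
        if role in PRIVILEGED_ROLES and kind in BROAD_SCOPES:
            findings.append({"principal": who, "rule": "broad-scope-privileged",
                             "detail": f"{role} at {kind} scope {a['scope']}"})

        # Rule 2: a service principal holding a privileged role anywhere.
        # Automation should get a narrowly scoped built-in or custom role.
        if ptype == "ServicePrincipal" and role in PRIVILEGED_ROLES:
            findings.append({"principal": who, "rule": "privileged-service-principal",
                             "detail": f"{role} on {a['scope']}"})

        # Rule 3: a human with a permanent Owner assignment. The CLI only lists
        # active assignments, so an Owner here is standing access that belongs
        # in PIM as an eligible assignment instead.
        if ptype == "User" and role == "Owner":
            findings.append({"principal": who, "rule": "standing-owner",
                             "detail": "convert to a PIM-eligible assignment"})
    return findings


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
SAMPLE_ASSIGNMENTS = [  # constructed sample data
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/"},
    {"principalName": "sp-ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "sp-app-reader", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": f"{SUB}/resourceGroups/rg-app"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": f"{SUB}/resourceGroups/rg-app"},
]

if __name__ == "__main__":
    for f in audit_role_assignments(SAMPLE_ASSIGNMENTS):
        print(f"[{f['rule']}] {f['principal']}: {f['detail']}")
```

Feed it the real CLI export and you get four findings for the sample: Alice trips both the broad-scope and standing-Owner rules, and the CI deployer trips broad-scope and privileged-service-principal. The two narrowly scoped assignments are clean, which is the point: least privilege is a scope problem as much as a role problem.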

Alright, now that identity chaos is sorted, let’s take a stroll into the network, where people assume “private = safe” and everything starts burning.

2. Network Security

Welcome to the land where “Allow Internet” still somehow ends up in production NSGs.

What Teams Miss

  • Assuming private VNETs magically secure traffic (spoiler: they don’t).

  • NSGs with rules so broad they’re basically a hug for the entire internet.

  • Ignoring Azure Firewall features like threat intelligence because “it sounded optional.”

  • Microservices all talking to each other like it’s a trust exercise.

How Teams Can Fix It

  • Deny by default in NSGs and explicitly allow only what you actually need. Remember that the built-in AllowVnetInBound rule permits all traffic inside the VNet, so segmentation needs an explicit deny for VirtualNetwork traffic sitting beneath your specific allows.

  • Replace public exposure with Private Endpoints because public IPs are attention seekers.

  • Turn on Azure Firewall threat intelligence in “Alert and deny” mode (not just “Alert”), and route all egress through it with a 0.0.0.0/0 user-defined route like you mean it.

  • Segment workloads; not everything belongs in one giant flat network. This is Azure, not a dorm room.
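Here is an added example (not from the original post) that turns the two NSG fixes above into a check: it flags inbound allows from internet-ish sources to management or database ports, and reports whether you have an explicit east-west deny under the platform default AllowVnetInBound rule. The rule shape follows my understanding of `az network nsg rule list -o json`, where a field comes either as a single string or as a list; the sample rules and addresses are constructed.

```python
"""Flag over-permissive inbound NSG rules and check for an explicit east-west deny.

Input shape mirrors `az network nsg rule list -g <rg> --nsg-name <nsg> -o json`
(your custom rules, not the built-in defaults). SAMPLE_RULES is constructed.
"""

INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}
# Management and database ports that should never be reachable from the internet.
SENSITIVE_PORTS = {"22", "3389", "445", "1433", "3306", "5432", "5985", "5986"}


def _values(rule, singular, plural):
    """az returns either a single string field or a list field; normalise to a list."""
    vals = list(rule.get(plural) or [])
    if rule.get(singular):
        vals.append(rule[singular])
    return vals


def ports_hit(ranges, sensitive=SENSITIVE_PORTS):
    """True if any destination range is '*' or covers one of the sensitive ports."""
    for r in ranges:
        if r == "*":
            return True
        if "-" in r:
            lo, hi = (int(x) for x in r.split("-", 1))
            if any(lo <= int(p) <= hi for p in sensitive):
                return True
        elif r in sensitive:
            return True
    return False


def audit_nsg_rules(rules):
    """One finding per inbound Allow that exposes a sensitive port to the internet."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if any(s in INTERNET_SOURCES for s in sources) and ports_hit(ports):
            findings.append({"rule": rule["name"], "priority": rule["priority"],
                             "detail": f"allows {sources} -> ports {ports}"})
    return findings


def has_east_west_deny(rules):
    """The default AllowVnetInBound rule (priority 65000) permits everything inside
    the VNet. Custom rules use priorities 100-4096, so any custom Deny covering
    VirtualNetwork traffic on all ports wins over it; check one exists."""
    for rule in rules:
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if (rule.get("direction") == "Inbound" and rule.get("access") == "Deny"
                and rule.get("protocol") == "*"
                and rule.get("destinationPortRange") == "*"
                and any(s in ("VirtualNetwork", "*") for s in sources)):
            return True
    return False


SAMPLE_RULES = [  # constructed sample data
    {"name": "allow-ssh-anywhere", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "22", "destinationPortRanges": []},
    {"name": "allow-web", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
     "destinationPortRange": None, "destinationPortRanges": ["80", "443"]},
    {"name": "allow-sql-from-app", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": None, "sourceAddressPrefixes": ["10.1.2.0/24"],
     "destinationPortRange": "1433", "destinationPortRanges": []},
    {"name": "deny-vnet-inbound", "priority": 4000, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "sourceAddressPrefixes": [],
     "destinationPortRange": "*", "destinationPortRanges": []},
]

if __name__ == "__main__":
    for f in audit_nsg_rules(SAMPLE_RULES):
        print(f"[{f['priority']}] {f['rule']}: {f['detail']}")
    print("east-west deny present:", has_east_west_deny(SAMPLE_RULES))
```

The sample shows the segmentation pattern: a specific allow for the app subnet to SQL at priority 200, then a blanket VirtualNetwork deny at 4000 so nothing else in the VNet can reach the database tier. Only the SSH-from-anywhere rule is flagged; the public web rule on 80/443 is exposure you chose, not a misconfiguration this check can decide for you.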

Great. Firewalls aren’t crying anymore. Now let’s talk about your data… because it needs therapy.

3. Data Security

Where “default encryption” tries its best—but it’s not your whole security strategy.

What Teams Miss

  • Assuming encryption is happening and rotating magically.

  • Skipping Customer Managed Keys (CMK) even when handling sensitive workloads.

  • Forgetting to classify and label data (yes, teams still do this).

  • Leaving storage accounts with public network access “Enabled from all networks” (and treating the “allow trusted Azure services” exception as if it were a firewall; it isn’t, it only matters once the default action is Deny).

How Teams Can Fix It

  • Actually review key rotation. Microsoft rotates platform-managed keys for you; if you brought your own (CMK), the rotation policy in Key Vault and the key-version binding on the resource are yours to get right.

  • Use CMK for anything high-risk, regulated, or likely to get your compliance team stressed.

  • Force Private Endpoints for data services like SQL Database, Cosmos DB, and Blob Storage, then disable public network access once the endpoint is in place.

  • Regularly scan for anonymous blob containers and SQL servers reachable from the internet.
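To make the data-security checks above concrete, here is an added example (not from the original post) that audits a storage account export for anonymous blob access, “all networks” exposure, weak TLS, shared-key auth, and the CMK rotation trap where the key version is pinned. Field names follow my understanding of `az storage account show -o json` (camelCase, with CMK details under `encryption.keyVaultProperties`), which is an assumption to verify against your CLI version; both sample accounts are constructed.

```python
"""Posture check for storage accounts, covering the data-security misses above.

Input shape mirrors `az storage account show -n <name> -o json` (camelCase keys;
CMK details live under encryption.keyVaultProperties). The two SAMPLE accounts are
constructed, and the field names are an assumption to verify against your CLI.
"""


def audit_storage_account(acct, require_cmk=False):
    """Return the account name and a list of plain-language issues."""
    issues = []

    # Anonymous blob/container access. Accounts created before late 2023 defaulted
    # this to true, so the old accounts are the ones to look at.
    if acct.get("allowBlobPublicAccess"):
        issues.append("anonymous blob access is enabled")

    # "Enabled from all networks" is publicNetworkAccess on AND firewall default Allow.
    # The "bypass: AzureServices" exception is not a firewall; it only narrows access
    # once defaultAction is Deny.
    nrs = acct.get("networkRuleSet") or {}
    public = (acct.get("publicNetworkAccess") or "Enabled") != "Disabled"
    if public and nrs.get("defaultAction", "Allow") == "Allow":
        issues.append("reachable from all networks; use private endpoints and defaultAction Deny")

    if not acct.get("enableHttpsTrafficOnly", False):
        issues.append("secure transfer (HTTPS only) is off")
    if acct.get("minimumTlsVersion") not in ("TLS1_2", "TLS1_3"):
        issues.append(f"minimum TLS version is {acct.get('minimumTlsVersion')}")

    # Account keys are long-lived bearer secrets. Entra ID RBAC plus managed
    # identity removes the need for them.
    if acct.get("allowSharedKeyAccess", True):
        issues.append("shared key (account key) access is enabled")

    enc = acct.get("encryption") or {}
    if enc.get("keySource") == "Microsoft.Keyvault":
        kv = enc.get("keyVaultProperties") or {}
        # A pinned keyVersion means Key Vault rotation mints new versions the
        # account never adopts. Leave the version empty to track the latest.
        if kv.get("keyVersion"):
            issues.append("CMK pinned to one key version; rotation will not take effect")
    elif require_cmk:
        issues.append("platform-managed keys only, but this workload requires CMK")

    return {"account": acct.get("name", "?"), "issues": issues}


def audit_all(accounts, require_cmk=False):
    return [audit_storage_account(a, require_cmk) for a in accounts]


SAMPLE_ACCOUNTS = [  # constructed sample data
    {"name": "stlegacyblobs", "allowBlobPublicAccess": True, "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices"},
     "enableHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_0", "allowSharedKeyAccess": True,
     "encryption": {"keySource": "Microsoft.Storage"}},
    {"name": "stpcidata", "allowBlobPublicAccess": False, "publicNetworkAccess": "Disabled",
     "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices"},
     "enableHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2", "allowSharedKeyAccess": False,
     "encryption": {"keySource": "Microsoft.Keyvault",
                    "keyVaultProperties": {"keyName": "sa-cmk", "keyVersion": "0123456789abcdef",
                                           "keyVaultUri": "https://kv-pci.vault.azure.net/"}}},
]

if __name__ == "__main__":
    for result in audit_all(SAMPLE_ACCOUNTS, require_cmk=True):
        for issue in result["issues"]:
            print(f"{result['account']}: {issue}")
```

The second sample is the instructive one: everything about it looks textbook (private, TLS 1.2, no account keys, CMK) and it still has a rotation problem, because the key version is pinned. That is exactly the “assume Azure is handling it” gap from the list above.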

Your data is now less exposed than it was five minutes ago. Let’s see if your monitoring is equally mature… (usually it’s not).

4. Logging, Monitoring & Detection

A.K.A “The logs exist!” — but do they actually help you?

What Teams Miss

  • Thinking collecting logs = understanding logs.

  • Not enabling diagnostic logs on every resource.

  • Log Analytics workspace sprawl instead of one clean, centralized setup.

  • Alerts configured years ago and never tested.

How Teams Can Fix It

  • Enable platform logs everywhere: the Activity Log at subscription level, Microsoft Entra sign-in and audit logs at tenant level, and resource logs (via diagnostic settings) on every resource. Set retention to what your incident response actually needs, not the default.

  • Centralize into one Log Analytics workspace (or one per region or data boundary if residency forces your hand) so you can actually correlate data.

  • Implement Defender for Cloud recommendations early instead of waiting for a pen test.

  • Test alerts monthly. Yes, this means simulating incidents. Fire drills aren’t just for schoolchildren.
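Here is an added example (not from the original post) of what “test alerts monthly” looks like when it is code rather than a calendar reminder: a detection for high-impact control-plane changes (RBAC writes, NSG rule changes, diagnostic-setting deletions, Key Vault access policy writes) and a drill that feeds it synthetic events and asserts exactly one alert fires. The row shape follows my understanding of the AzureActivity table in Log Analytics (`OperationNameValue`, `ActivityStatusValue`, `Caller`, and so on); the events are constructed, and nothing here talks to a real workspace.

```python
"""A detection for high-impact control-plane changes, plus the "fire drill" that
proves the alert still fires.

Rows mirror the AzureActivity table in Log Analytics (TimeGenerated,
OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ResourceId).
The events are constructed; nothing here queries a real workspace.
"""
from datetime import datetime, timezone

# Operations that change who can do what, what traffic is allowed, or whether
# you can still see it happening.
WATCHED_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "RBAC assignment created or changed",
    "microsoft.network/networksecuritygroups/securityrules/write": "NSG rule created or changed",
    "microsoft.network/networksecuritygroups/securityrules/delete": "NSG rule deleted",
    "microsoft.insights/diagnosticsettings/delete": "diagnostic setting deleted (log tampering)",
    "microsoft.keyvault/vaults/accesspolicies/write": "Key Vault access policy changed",
}
# Depending on workspace age and export path the status column carries either
# "Success" or "Succeeded"; accept both rather than silently miss events.
SUCCESS_STATES = {"success", "succeeded"}


def detect_privileged_changes(rows):
    """Return one alert per successful watched operation."""
    alerts = []
    for row in rows:
        op = (row.get("OperationNameValue") or "").lower()
        status = (row.get("ActivityStatusValue") or "").lower()
        if op in WATCHED_OPERATIONS and status in SUCCESS_STATES:
            alerts.append({
                "time": row.get("TimeGenerated"),
                "title": WATCHED_OPERATIONS[op],
                "caller": row.get("Caller"),
                "ip": row.get("CallerIpAddress"),
                "resource": row.get("ResourceId"),
            })
    return alerts


def run_alert_drill(detector=detect_privileged_changes):
    """Synthetic positive and negative cases: the monthly proof that the rule
    produces exactly the alerts you expect, no more and no fewer."""
    now = datetime.now(timezone.utc).isoformat()
    must_fire = {"TimeGenerated": now,
                 "OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
                 "ActivityStatusValue": "Success", "Caller": "drill@contoso.example",
                 "CallerIpAddress": "203.0.113.10",
                 "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"}
    must_not_fire = [
        dict(must_fire, ActivityStatusValue="Failed"),  # a denied attempt is another rule's job
        dict(must_fire, OperationNameValue="Microsoft.Compute/virtualMachines/read"),
    ]
    fired = detector([must_fire] + must_not_fire)
    passed = len(fired) == 1 and fired[0]["caller"] == "drill@contoso.example"
    return {"passed": passed, "alerts": fired}


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
SAMPLE_EVENTS = [  # constructed sample data
    {"TimeGenerated": "2024-05-01T09:14:02Z",
     "OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
     "ActivityStatusValue": "Succeeded", "Caller": "alice@contoso.example",
     "CallerIpAddress": "203.0.113.7",
     "ResourceId": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"},
    {"TimeGenerated": "2024-05-01T09:20:45Z",
     "OperationNameValue": "Microsoft.Network/networkSecurityGroups/securityRules/write",
     "ActivityStatusValue": "Success", "Caller": "sp-ci-deployer",
     "CallerIpAddress": "203.0.113.8",
     "ResourceId": f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-app/securityRules/allow-ssh-anywhere"},
    {"TimeGenerated": "2024-05-01T09:31:10Z",
     "OperationNameValue": "Microsoft.Compute/virtualMachines/start/action",
     "ActivityStatusValue": "Success", "Caller": "bob@contoso.example",
     "CallerIpAddress": "203.0.113.9", "ResourceId": f"{SUB}/resourceGroups/rg-app"},
    {"TimeGenerated": "2024-05-01T09:40:00Z",
     "OperationNameValue": "Microsoft.Insights/diagnosticSettings/delete",
     "ActivityStatusValue": "Failed", "Caller": "bob@contoso.example",
     "CallerIpAddress": "203.0.113.9", "ResourceId": f"{SUB}/resourceGroups/rg-app"},
]

if __name__ == "__main__":
    for a in detect_privileged_changes(SAMPLE_EVENTS):
        print(f"{a['time']} {a['title']} by {a['caller']} from {a['ip']}")
    print("drill passed:", run_alert_drill()["passed"])
```

The same logic as a scheduled query in the workspace is roughly `AzureActivity | where OperationNameValue in~ (...) and ActivityStatusValue in~ ("Success", "Succeeded")`, and the drill is the part teams skip: replay a known event through the real pipeline (not just this function) and confirm the alert lands in the channel a human watches.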

Logs are talking. Alerts are alerting. Now let’s harden the things that run your workloads.

5. Endpoint & Workload Hardening

Cloud workloads want love too. Preferably in the form of hardening, not vibes.

What Teams Miss

  • Leaving VMs or containers basically unconfigured.

  • Relying solely on Defender and skipping baseline OS security.

  • No enforcement of configurations via Azure Policy. Drift city.

How Teams Can Fix It

  • Use Azure Image Builder or Packer to create hardened base images (CIS-hardened or aligned to the Azure compute security baseline) and rebuild them on a schedule, not when someone remembers.

  • Apply Azure Policy to enforce secure settings and block drift.

  • Validate containers against CIS benchmarks so they don’t misbehave.

  • Turn on Defender for Servers and Defender for Containers, including vulnerability scanning, so you find the unpatched library before someone else does.

Now that workloads are armoured up, let’s jump into the land of IaC—where “secure by default” is a myth.

6. Infrastructure as Code (IaC) Security

Terraform doesn’t magically secure things. Shocking, I know.

What Teams Miss

  • Believing Terraform or Bicep means security is baked in.

  • Skipping IaC static analysis in pipelines.

  • Accidentally storing secrets in variables like it’s 2012.

How Teams Can Fix It

  • Use Checkov, Terrascan, or Defender for Cloud to scan IaC before deployment.

  • Never store secrets in variables; use Key Vault references (and secure parameter types) instead.

  • Use Azure Policy at deployment time to enforce compliance automatically.
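Here is an added example (not from the original post, and not a replacement for Checkov) of the pipeline gate the IaC section is asking for: it checks the compiled ARM JSON that `bicep build` and `bicep build-params` emit, requiring that secret-named parameters are `secureString`/`secureObject` with no default, that the parameters file feeds them through Key Vault references, and that no literal anywhere looks like an account key, SAS or private key. The regexes, sample template and parameters file are constructed.

```python
"""Pre-deployment check that secrets in an ARM/Bicep deployment are secure
parameters fed from Key Vault, not literals. Works on the compiled JSON that
`bicep build` / `bicep build-params` emit. Both sample documents are constructed.
"""
import re

# Parameter names that should only ever carry secure types / Key Vault references.
SECRET_NAME = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|accountkey|connectionstring|sastoken)", re.I)
# Literal shapes that are secrets no matter what the field is called.
SECRET_LITERAL = re.compile(
    r"(AccountKey=|SharedAccessSignature=|sig=[A-Za-z0-9%+/=]{20,}|-----BEGIN [A-Z ]*PRIVATE KEY-----)")
SECURE_TYPES = {"securestring", "secureobject"}


def _walk(node, path):
    """Yield (json_path, leaf_value) for every scalar in the document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, node


def check_template(template):
    """Template-side rules: secret-named parameters must be secure types with no
    default, and no literal anywhere may look like a secret."""
    findings = []
    for name, spec in (template.get("parameters") or {}).items():
        if SECRET_NAME.search(name):
            if str(spec.get("type", "")).lower() not in SECURE_TYPES:
                findings.append(f"parameter '{name}' should be secureString/secureObject, not {spec.get('type')}")
            if "defaultValue" in spec:
                findings.append(f"parameter '{name}' has a defaultValue (a secret committed to source)")
    for path, value in _walk(template, "$"):
        # Strings starting with '[' are ARM expressions resolved at deploy time
        # (e.g. listKeys(...)), which is the correct way to obtain a key.
        if isinstance(value, str) and not value.startswith("[") and SECRET_LITERAL.search(value):
            findings.append(f"literal secret at {path}")
    return findings


def check_parameters_file(params_file):
    """Parameters-file rules: secret-named values must be Key Vault references."""
    findings = []
    for name, entry in (params_file.get("parameters") or {}).items():
        if not SECRET_NAME.search(name):
            continue
        ref = (entry.get("reference") or {}).get("keyVault")
        if "value" in entry or not ref:
            findings.append(f"parameter '{name}' is a literal; use a Key Vault reference")
    return findings


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
SAMPLE_TEMPLATE = {  # constructed: what a small Bicep file compiles to
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "parameters": {
        "adminPassword": {"type": "string", "defaultValue": "Winter2024!"},
        "sqlConnectionString": {"type": "secureString"},
        "location": {"type": "string", "defaultValue": "westeurope"},
    },
    "variables": {
        "storageConn": "DefaultEndpointsProtocol=https;AccountName=stlegacy;AccountKey=Q29uc3RydWN0ZWRGYWtlS2V5Rm9yRGVtbw==;",
        "storageConnFromRuntime": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', 'stlegacy'), '2023-01-01').keys[0].value]",
    },
    "resources": [],
}
SAMPLE_PARAMS = {  # constructed parameters file
    "parameters": {
        "adminPassword": {"value": "Winter2024!"},
        "sqlConnectionString": {"reference": {
            "keyVault": {"id": f"{SUB}/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-app"},
            "secretName": "sql-conn"}},
        "location": {"value": "westeurope"},
    }
}

if __name__ == "__main__":
    for f in check_template(SAMPLE_TEMPLATE) + check_parameters_file(SAMPLE_PARAMS):
        print("FAIL:", f)
```

Wire `check_template` and `check_parameters_file` into the pipeline as a failing step and the “secrets in variables like it’s 2012” problem stops reaching a deployment. The `listKeys(...)` expression in the sample passes on purpose: fetching a key at deploy time and handing it to a resource is fine; pasting it into source is not.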

We’ve covered misconfigurations. Now let’s talk Zero Trust because “internal traffic is safe” is so last decade.

7. Zero Trust Essentials

Trust no one. Not your network. Not your users. Not even your workloads.

What Teams Miss

  • Reducing Zero Trust to “block everything outside.”

  • Ignoring device posture and identity signals.

  • Allowing east/west traffic like an all-you-can-eat buffet.

How Teams Can Fix It

  • Enforce explicit verification for identity, device health, location, and data sensitivity on every request.

  • Deny by default at every boundary, not just the front door.

  • Use micro-segmentation + per-service access controls.

  • Apply Conditional Access App Control (via Defender for Cloud Apps) for SaaS session visibility and control.

Now let’s finish strong with governance, the glue holding all this together.

8. Governance & Azure Policy

Where dreams of consistent cloud environments finally come true.

What Teams Miss

  • Forgetting to apply baseline policies at the management group level.

  • Letting teams deploy whatever they want, whenever they want.

  • Not auditing policy compliance until something breaks.

How Teams Can Fix It

  • Apply the Microsoft cloud security benchmark initiative (formerly the Azure Security Benchmark) that ships with Defender for Cloud; start there, expand later.

  • Use Policy to enforce tagging, encryption, networking, and identity rules.

  • Review non-compliant resources weekly to stop snowballing.

  • Implement repeatable environments as landing zones built from Bicep or Terraform modules (Azure Blueprints is deprecated, so don’t start there). Landing zones FTW.
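Policies are code, and code you can unit test before assigning it at the management group and discovering it denies every deployment in the tenant. Here is an added example (not from the original post) of a small evaluator for Azure Policy `policyRule` documents that covers the subset used below: `field` conditions with `equals`/`notEquals`/`in`/`notIn`/`exists`, the `allOf`/`anyOf`/`not` combinators, and a simplified alias lookup that maps `Microsoft.Storage/storageAccounts/minimumTlsVersion` to `properties.minimumTlsVersion`. The real engine has a far richer grammar and alias table; the two policies and three resources are constructed.

```python
"""A miniature evaluator for Azure Policy `policyRule` documents, so a team can unit
test its definitions against sample resources before assigning them broadly.
It implements the subset of the real grammar used below (field conditions with
equals/notEquals/in/notIn/exists, plus allOf/anyOf/not) and a simplified alias
resolution. The policies and resources are constructed.
"""


def resolve_field(field, resource):
    """Map a policy `field` onto a resource document.
    'type', 'name', 'location', 'kind' and tags['key'] are top-level; a full alias
    such as 'Microsoft.Storage/storageAccounts/minimumTlsVersion' is treated as
    properties.minimumTlsVersion when the resource type matches (the common case)."""
    if field in ("type", "name", "location", "kind"):
        return resource.get(field)
    if field.startswith("tags["):
        key = field[field.index("'") + 1:field.rindex("'")]
        return (resource.get("tags") or {}).get(key)
    rtype = (resource.get("type") or "").lower()
    if rtype and field.lower().startswith(rtype + "/"):
        node = resource.get("properties") or {}
        for part in field[len(rtype) + 1:].split("/"):
            if not isinstance(node, dict):
                return None
            node = node.get(part)
        return node
    return None


def _norm(v):
    # Azure Policy string comparisons are case-insensitive.
    return v.lower() if isinstance(v, str) else v


def evaluate_condition(cond, resource):
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    actual = resolve_field(cond["field"], resource)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _norm(actual) == _norm(cond["equals"])
    if "notEquals" in cond:
        # Note: a missing field satisfies notEquals, exactly as in the real engine.
        return _norm(actual) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(actual) in {_norm(x) for x in cond["in"]}
    if "notIn" in cond:
        return _norm(actual) not in {_norm(x) for x in cond["notIn"]}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """Return the effect ('Deny', 'Audit', ...) when the `if` matches, else None."""
    rule = policy["properties"]["policyRule"]
    return rule["then"]["effect"] if evaluate_condition(rule["if"], resource) else None


def evaluate_all(policies, resource):
    """(displayName, effect) for every policy whose rule matched the resource."""
    results = []
    for p in policies:
        effect = evaluate(p, resource)
        if effect:
            results.append((p["properties"]["displayName"], effect))
    return results


DENY_WEAK_TLS = {"properties": {  # constructed policy definition
    "displayName": "Storage accounts must require TLS 1.2",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"}]},
        "then": {"effect": "Deny"}}}}
AUDIT_MISSING_OWNER = {"properties": {  # constructed policy definition
    "displayName": "Resources must carry an owner tag",
    "policyRule": {
        "if": {"field": "tags['owner']", "exists": "false"},
        "then": {"effect": "Audit"}}}}
POLICIES = [DENY_WEAK_TLS, AUDIT_MISSING_OWNER]

SAMPLE_RESOURCES = [  # constructed resources as a deployment would submit them
    {"name": "stweak", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "tags": {"owner": "platform-team"}, "properties": {"minimumTlsVersion": "TLS1_0"}},
    {"name": "stuntagged", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "tags": {}, "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"name": "stgood", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "tags": {"owner": "platform-team"}, "properties": {"minimumTlsVersion": "TLS1_2"}},
]

if __name__ == "__main__":
    for r in SAMPLE_RESOURCES:
        print(r["name"], evaluate_all(POLICIES, r) or "compliant")
```

Run every definition in the initiative against a folder of known-good and known-bad resource documents in CI, and a typo in an alias or a `notEquals` that unexpectedly matches resources without the property shows up as a failed test rather than as a blocked production deployment.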

Final Thoughts: Azure Security Isn’t a One-Off—It’s a Lifestyle

Security isn’t achieved by sprinkling policies around like confetti. It’s a continuous discipline, a set of habits, and sometimes a bit of tough love for your cloud environment.

When teams skip these fundamentals, gaps multiply. Attackers love gaps. Auditors love finding gaps. You? You probably don’t.

So embrace the baseline. Automate it. Enforce it. And maybe… just maybe… secure your cloud before production traffic is flowing.
