Detecting Lateral Movement in Azure Environments

Most breaches don’t kick the door in.

They log in, look around, and blend in. One identity here, one permission there. Nothing obviously malicious. By the time it’s noticed, the attacker isn’t breaking in anymore. They’re moving sideways.

That sideways movement is lateral movement. And in Azure, it often hides in plain sight.

What lateral movement actually looks like in Azure

Forget the idea of attackers bouncing between servers.

In Azure, lateral movement is usually identity-first:

  • A user account accessing subscriptions it rarely touches

  • A service principal drifting outside its usual deployment path

  • Tokens reused across workloads that were never meant to trust each other

  • Privileges being exercised rather than escalated

The attacker isn’t asking for more access. They’re using what already exists.

Why this is so easy to miss

Azure environments are designed for flexibility, not suspicion.

A few patterns make lateral movement hard to spot:

  • Identities with broad access “just in case”

  • Centralised platforms where lots of teams share subscriptions

  • Logs split across Entra ID, Activity Logs, resource logs, and Defender

  • Alerts that exist, but no one is quite sure which ones matter

Even when everything is sent into Sentinel, the signal can still be subtle.

When “over-permissioned” doesn’t mean wrong

This is where things get uncomfortable.

Defender might flag a user as over-permissioned, but the access is technically correct. They requested it through MyAccess. It was approved. It aligns with their role.

From a governance point of view, everything worked.

From a detection point of view, that user now has a perfect hiding place.

When someone has wide but legitimate access, lateral movement disappears into normal behaviour. Accessing multiple subscriptions? Expected. Touching production and non-production? Allowed. Reading secrets? Approved months ago.

An attacker sitting on that identity doesn’t need to move loudly. They just need to move patiently.

Sentinel has the data, not the answers

Pushing logs into Sentinel is the easy part. Making sense of them is harder.

You want Sentinel seeing:

  • Entra ID sign-in and audit logs

  • Azure Activity Logs across all subscriptions

  • Defender for Cloud alerts

  • Resource logs from things attackers actually care about

But raw logs don’t detect lateral movement on their own. You need to correlate identity behaviour over time.

Good Sentinel detections ask questions like:

  • Has this user ever accessed these resources before?

  • Is this service principal behaving like a human today?

  • Why is this identity suddenly active across unrelated workloads?

  • Why did this access pattern change after a new role assignment?

Lateral movement is a pattern problem, not a single-event problem.
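As an added example (not from the original post), one way to turn the first and last of those questions into a Sentinel analytics rule: compare each identity's recent subscription activity against what it touched over a 30-day baseline, and attach any role assignments written in that subscription in the last week. It assumes Azure Activity Logs from every subscription land in the standard AzureActivity table; the window lengths are arbitrary starting points to tune.

```kql
// Added example, not code from the original post. Assumes the standard
// Sentinel AzureActivity table populated from all subscriptions.
let lookback = 30d;      // baseline window: what each identity normally touches
let recent   = 1d;       // detection window
// Baseline: every (identity, subscription) pair seen before the detection window
let baseline = AzureActivity
    | where TimeGenerated between (ago(lookback + recent) .. ago(recent))
    | where isnotempty(Caller) and isnotempty(SubscriptionId)
    | distinct Caller, SubscriptionId;
// Role assignments written recently, for "did the pattern change after a grant?"
let recentGrants = AzureActivity
    | where TimeGenerated > ago(7d)
    | where OperationNameValue =~ "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
    | where ActivityStatusValue =~ "Success"
    | summarize RecentRoleGrants = count(), LastGrant = max(TimeGenerated)
              by SubscriptionId;
AzureActivity
| where TimeGenerated > ago(recent)
| where isnotempty(Caller) and isnotempty(SubscriptionId)
// Keep only activity in subscriptions this identity never touched during the baseline
| join kind=leftanti baseline on Caller, SubscriptionId
| summarize FirstSeen      = min(TimeGenerated),
            Events         = count(),
            Operations     = make_set(OperationNameValue, 25),
            ResourceGroups = make_set(ResourceGroup, 25),
            SourceIPs      = make_set(CallerIpAddress, 10)
          by Caller, SubscriptionId
// Attach recent role-assignment context for that subscription (0 if none)
| join kind=leftouter recentGrants on SubscriptionId
| project-away SubscriptionId1
| extend RecentRoleGrants = coalesce(RecentRoleGrants, 0)
// Identities that appear in several previously-unseen subscriptions rank highest
| summarize NewSubscriptions = dcount(SubscriptionId),
            Details = make_list(pack("SubscriptionId", SubscriptionId,
                                     "FirstSeen", FirstSeen,
                                     "Events", Events,
                                     "Operations", Operations,
                                     "ResourceGroups", ResourceGroups,
                                     "SourceIPs", SourceIPs,
                                     "RecentRoleGrants", RecentRoleGrants,
                                     "LastGrant", LastGrant))
          by Caller
| order by NewSubscriptions desc
```

Run it first as a hunting query to see how noisy the baseline is in your tenant (deployment pipelines and shared platform identities will dominate until they are baselined or excluded), then promote it to a scheduled rule.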

Access workflows can hide the problem

MyAccess and similar systems are great at preventing obvious mistakes.

They stop people requesting things they should never have. They enforce approvals. They create audit trails. All good things.

But they don’t guarantee that the access granted won’t later be abused.

Once access exists and is considered correct, it often stops being scrutinised. Reviews become tick-box exercises. Sentinel alerts get tuned out because “that user always does that”.

That’s how lateral movement survives. Not by breaking controls, but by living comfortably inside them.

What actually helps surface movement

You don’t need perfect detections. You need friction.

A few practical approaches that work well:

  • Alert on changes in behaviour after access is granted, not just the grant itself

  • Track identities that span too many unrelated workloads

  • Use time-bound access wherever possible, even for legitimate users

  • Treat service principals like production systems, with baselines and monitoring

The goal isn’t to stop people working. It’s to make unusual movement feel unusual again.

The real challenge

Most lateral movement in Azure isn’t hidden because logs are missing.

It’s hidden because the access makes sense on paper.

Defender might complain. Sentinel might collect everything. MyAccess might show clean approvals. And still, an attacker can move quietly from one workload to the next.

Detecting lateral movement means looking past whether access is correct, and starting to ask whether behaviour still makes sense.

That’s where the interesting stuff shows up.
