CHAPTER 16
Azure Security Best Practices
Updated: May 15, 2026
25 min read
1. Introduction
Microsoft Azure is arguably one of the most secure infrastructures on the planet. Microsoft employs thousands of security engineers and invests over $1 billion annually in cybersecurity. However, under the Shared Responsibility Model, Microsoft is only responsible for the security *of* the cloud. You are responsible for security *in* the cloud. If you misconfigure a Network Security Group or accidentally leak an API key to GitHub, Microsoft cannot save you. In this chapter, we will distill enterprise cloud security into actionable best practices.
2. Learning Objectives
By the end of this chapter, you will be able to:
- Understand the Shared Responsibility Model.
- Audit RBAC permissions to enforce Least Privilege.
- Secure data at rest using Azure Key Vault.
- Implement Microsoft Defender for Cloud.
- Utilize Azure Bastion to securely access Virtual Machines.
3. Beginner-Friendly Explanation
Imagine a high-tech bank vault (Microsoft Azure).
- Microsoft's Responsibility: Microsoft builds the 4-foot-thick steel walls. They hire the armed guards. They install the retinal scanners at the front door. The bank itself is impenetrable from the outside.
- Your Responsibility: You rent a safety deposit box inside the vault. You are given the only key. If you leave your key sitting on a park bench, a thief can simply pick it up, walk past the guards, and empty your box. Microsoft's walls did not fail; your key management failed.
4. Microsoft Defender for Cloud
You don't have to be a security expert to secure Azure; Microsoft built a tool that literally gives you a score. Microsoft Defender for Cloud constantly scans all your Subscriptions, VNets, and VMs. It provides a "Secure Score" (e.g., 65%). It gives you actionable recommendations: *"You have 3 Storage Accounts that do not enforce HTTPS. Click this button to fix it and increase your score by 5%."*
5. Azure Key Vault (Decoupling Credentials)
Never hardcode passwords, connection strings, or API keys in your application code or GitHub repositories! If a hacker gains access to your code, they steal the keys. Instead, use Azure Key Vault.
- 1. You save the database password ("supersecret") inside Key Vault.
- 2. Key Vault encrypts it and locks it down via Entra ID (Azure AD).
- 3. Your App Service code uses a Managed Identity to ask Key Vault for the password at runtime.
- 4. If a hacker steals your source code, they only see GetSecretFromVault('DB_PASS'). They get nothing!
6. Mini Project: Zero Trust with Azure Bastion
How do you RDP or SSH into a Virtual Machine without exposing Port 3389 or Port 22 to the public internet?
Step-by-Step Conceptual Tutorial:
- 1. You have a VM with NO Public IP address. It is completely hidden inside a VNet.
- 2. In the past, you had to set up a complex, expensive VPN or a vulnerable "Jump Box" to access it. Today, Microsoft provides Azure Bastion.
- 3. You deploy an Azure Bastion host into a dedicated subnet within your VNet.
- 4. A developer navigates to the Azure Portal in their web browser, clicks on the private VM, and clicks Connect via Bastion.
- 5. *The Magic:* Bastion verifies the developer's Entra ID Login and RBAC permissions. Once verified, Bastion creates a secure, encrypted HTML5 session directly in the web browser, proxying the traffic securely into the private VM. Zero public IPs. Zero VPNs. Absolute security.
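The five steps above expressed as infrastructure-as-code. This is an added Bicep example, not part of the chapter and not Microsoft's own sample: the VNet address ranges, resource names, VM size and Ubuntu image are assumptions, and the SSH public key is supplied as a parameter. One caveat the steps gloss over: the Bastion host itself needs one Standard public IP (that is what your browser session lands on); it is the VM that has none, and the NSG on the workload subnet only accepts SSH/RDP from the AzureBastionSubnet.

```bicep
// Added example (not the chapter's own code): a VM with no public IP, reachable only via Azure Bastion.
// Address ranges, names, VM size and image below are assumptions.
param location string = resourceGroup().location
param adminUsername string = 'azureadmin'

@description('SSH public key for the VM admin; password logins are disabled')
param sshPublicKey string

var bastionSubnetPrefix = '10.0.1.0/26'   // AzureBastionSubnet must be /26 or larger and use exactly this name
var workloadSubnetPrefix = '10.0.2.0/24'

// Workload NSG: SSH/RDP allowed only from the Bastion subnet. The explicit Internet deny is redundant with
// the default DenyAllInBound rule but makes the intent visible to auditors and to Defender for Cloud.
resource workloadNsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
  name: 'nsg-workload'
  location: location
  properties: {
    securityRules: [
      { name: 'AllowSshRdpFromBastion', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: bastionSubnetPrefix, sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRanges: [ '22', '3389' ] } }
      { name: 'DenySshRdpFromInternet', properties: { priority: 200, direction: 'Inbound', access: 'Deny', protocol: 'Tcp', sourceAddressPrefix: 'Internet', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRanges: [ '22', '3389' ] } }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: 'vnet-private'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      { name: 'AzureBastionSubnet', properties: { addressPrefix: bastionSubnetPrefix } }
      { name: 'workload', properties: { addressPrefix: workloadSubnetPrefix, networkSecurityGroup: { id: workloadNsg.id } } }
    ]
  }
}

// The only public IP in this deployment belongs to Bastion, never to the VM.
resource bastionPip 'Microsoft.Network/publicIPAddresses@2023-11-01' = {
  name: 'pip-bastion'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource bastion 'Microsoft.Network/bastionHosts@2023-11-01' = {
  name: 'bas-private'
  location: location
  sku: { name: 'Standard' }
  properties: {
    ipConfigurations: [
      { name: 'ipconf', properties: { subnet: { id: vnet.properties.subnets[0].id }, publicIPAddress: { id: bastionPip.id } } }
    ]
  }
}

// NIC with no publicIPAddress property: the VM is addressable only inside the VNet.
resource nic 'Microsoft.Network/networkInterfaces@2023-11-01' = {
  name: 'nic-vm-private'
  location: location
  properties: {
    ipConfigurations: [
      { name: 'ipconf', properties: { subnet: { id: vnet.properties.subnets[1].id }, privateIPAllocationMethod: 'Dynamic' } }
    ]
  }
}

resource vm 'Microsoft.Compute/virtualMachines@2024-03-01' = {
  name: 'vm-private'
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_B2s' }
    osProfile: {
      computerName: 'vm-private'
      adminUsername: adminUsername
      linuxConfiguration: {
        disablePasswordAuthentication: true
        ssh: { publicKeys: [ { path: '/home/${adminUsername}/.ssh/authorized_keys', keyData: sshPublicKey } ] }
      }
    }
    storageProfile: {
      imageReference: { publisher: 'Canonical', offer: '0001-com-ubuntu-server-jammy', sku: '22_04-lts-gen2', version: 'latest' }
      osDisk: { createOption: 'FromImage' }
    }
    networkProfile: { networkInterfaces: [ { id: nic.id } ] }
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file bastion.bicep --parameters sshPublicKey="$(cat ~/.ssh/id_ed25519.pub)"`, then open the VM in the portal and choose Connect via Bastion. Who may open that session is governed by RBAC on the VM (the Reader role on the VM and on the Bastion resource is the minimum), which is the check described in step 5.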
7. Real-World Scenarios
A retail company hosts their internal HR portal on a web server in Azure. Instead of making it public or forcing employees to use a clunky VPN, they place it behind Microsoft Entra Application Proxy. When an employee navigates to hr.company.com, they are intercepted by a Microsoft login screen. Entra ID checks their identity and enforces Multi-Factor Authentication (MFA). If verified, they are seamlessly proxied to the backend server. If a hacker tries to visit the URL, they hit an impenetrable MFA wall.
8. Best Practices
- Managed Identities: Whenever an Azure service needs to talk to another Azure service (e.g., a Virtual Machine needs to read a file from Blob Storage), do not use passwords. Enable a System-Assigned Managed Identity on the VM. Azure automatically creates an invisible service account for the VM and handles the password rotation in the background.
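The credential flow from section 5 (store the secret in Key Vault, lock it down with Entra ID, let the app fetch it at runtime through a Managed Identity) and the Managed Identity best practice above, as one added Bicep example. It is not the chapter's code or Microsoft's sample: the vault and app names and the App Service plan parameter are assumptions, and the password arrives as a secure deploy-time parameter, so it never lands in source control. The identity is granted only the built-in "Key Vault Secrets User" role on this one vault, which is the least privilege the runtime lookup needs.

```bicep
// Added example (not the chapter's own code): Key Vault + App Service with a system-assigned Managed Identity.
// Names, the App Service plan parameter and the secret name are assumptions.
@description('Globally unique Key Vault name (3-24 chars, letters, digits and hyphens)')
param vaultName string

@description('Resource ID of an existing App Service plan')
param appServicePlanId string

param location string = resourceGroup().location

@secure()
@description('Database password supplied at deploy time; never committed to a repository')
param dbPassword string

// Step 1 and 2: the vault. RBAC (not legacy access policies) controls who can read secrets, soft delete plus
// purge protection stop an attacker with write access from destroying secrets irrecoverably.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true
  }
}

// The secret itself. Key Vault encrypts it at rest; the value exists only here and in the parameter file.
resource dbSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: kv
  name: 'DB-PASS'
  properties: { value: dbPassword }
}

// Step 3: the web app gets a system-assigned identity. Azure creates and rotates its credential; there is no
// password for a developer to leak. The DB_PASS app setting is a Key Vault reference that App Service resolves
// at runtime with that identity, so application code only ever reads an environment variable.
resource app 'Microsoft.Web/sites@2023-12-01' = {
  name: '${vaultName}-app'
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true
    siteConfig: {
      appSettings: [
        { name: 'DB_PASS', value: '@Microsoft.KeyVault(SecretUri=${dbSecret.properties.secretUri})' }
      ]
    }
  }
}

// Least privilege: the identity may read secrets in this vault and nothing else.
// 4633458b-... is the ID of the built-in "Key Vault Secrets User" role.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource secretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, app.id, keyVaultSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: app.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

output appPrincipalId string = app.identity.principalId
```

Deploy with `az deployment group create --resource-group <rg> --template-file keyvault-app.bicep --parameters vaultName=<name> appServicePlanId=<plan-id> dbPassword=<value>`; the password is typed once into the deployment, never into the repository. The same pattern (identity on the caller, one narrowly scoped role assignment on the resource) covers the VM-to-Blob-Storage case in the bullet above, with `identity: { type: 'SystemAssigned' }` on the VM and a data-plane role such as Storage Blob Data Reader assigned on the storage account. In production, also restrict the vault's network access (private endpoint plus VNet integration for the app) so the identity is not the only barrier.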
9. Common Mistakes
- Leaking SAS Tokens or Connection Strings: Beginners often commit their Storage Account Connection Strings to GitHub. Bots scan public GitHub repositories 24/7. They will find your key within 3 seconds and spin up $10,000 worth of Bitcoin mining VMs in your subscription before you can even delete the commit. Always use Key Vault or Managed Identities.
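A leaked connection string is only dangerous while the account key inside it works. The following added Bicep example (not from the chapter) shows the storage account settings that remove that risk at the source: shared-key authorization is turned off so connection strings and account-key SAS tokens stop working and every caller must authenticate with Entra ID (a Managed Identity in practice), HTTPS and TLS 1.2 are enforced, anonymous blob access is disabled, and any SAS that is still issued with a lifetime over one day is logged. The account name is a parameter; the weak default for each setting is noted in the comments.

```bicep
// Added example (not the chapter's own code): a storage account hardened against leaked keys and SAS tokens.
// The account name is an assumption supplied by the caller.
@description('Globally unique storage account name (3-24 lowercase letters and digits)')
param storageAccountName string

param location string = resourceGroup().location

resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    // Default is true: a leaked connection string or account-key SAS grants full data access.
    // With false, only Entra ID principals with a data-plane role (e.g. Storage Blob Data Reader) can read.
    allowSharedKeyAccess: false

    // Defender for Cloud's "enforce HTTPS" recommendation from section 4, plus a modern TLS floor.
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'

    // Default is true on older accounts: a mis-set container ACL would expose blobs to the whole internet.
    allowBlobPublicAccess: false

    // Any SAS issued with a lifetime longer than one day is written to the storage diagnostic logs,
    // so a long-lived token that later leaks can be traced to the moment it was created.
    sasPolicy: {
      sasExpirationPeriod: '1.00:00:00'
      expirationAction: 'Log'
    }
  }
}

output storageAccountId string = sa.id
```

Note that turning off shared-key access breaks any existing client that still uses a connection string or account key; migrate those callers to Managed Identities (section 8) first, then flip the setting.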
10. Exercises
- 1. Explain the "Shared Responsibility Model" regarding a data breach caused by a leaked Connection String.
- 2. Why is Azure Bastion considered a more secure and modern alternative to exposing SSH/RDP ports directly to the internet?
11. FAQs
Q: Does Microsoft look at my data? A: No. Microsoft's terms of service explicitly state that you own your data, and Microsoft does not use Azure customer data for advertising purposes. Furthermore, because it is encrypted at rest (using Microsoft or Customer-Managed Keys), Microsoft engineers cannot read your databases.
12. Interview Questions
- Q: Describe the architectural process of securing sensitive database credentials within an Azure App Service application using Azure Key Vault and Managed Identities.
- Q: A security audit mandates that all RDP and SSH ports across the entire Azure infrastructure must be closed to the public internet, but administrators still require access. Detail the implementation of Azure Bastion to satisfy this requirement.