When people say “we secure Azure”, they usually mean a collection of enabled settings. MFA is on. Defender is enabled. Policies are applied. Secure Score looks respectable. Formally, everything appears correct. In practice, that may not be the case.
The cloud does not forgive illusions. It scales faster than teams can fully grasp the consequences of their design decisions. That is why I approach Azure security not as a checklist of controls, but as an interconnected architectural model built on five foundations: identity, network, data, monitoring, and governance. If one layer is weak, the load shifts to the others, and sooner or later the structure cracks.
The starting point for security in Azure is identity. Not the network. Not a firewall. Not endpoint protection. Identity. In the cloud there is no internal perimeter that can be inherently trusted. There is only an access token issued by an identity system, and the context in which it is used. At the centre of this model sits Microsoft Entra ID. It is not merely a user directory, but the control plane for the entire environment, from the Azure portal to APIs, from DevOps pipelines to PaaS services.
The most common architectural mistake is excessive privilege granted “for convenience”. Giving a developer Owner rights at subscription level may feel pragmatic, less bureaucracy, faster delivery. In reality, it creates a standing privileged risk. In a mature environment there are no permanent administrators. There is temporary privilege elevation through PIM, there is justification, there is approval, there is audit, and there is automatic removal of the role. This shifts the philosophy of access. Privilege becomes an event, not a state.
MFA is the baseline, but without contextual logic it becomes a formality. Conditional Access should account for risk level, device compliance, geography, and the sensitivity of the resource being accessed. Access to a financial database should not be treated the same way as signing into a collaboration portal. I also make a point of removing secrets from code wherever possible. Managed identities are one of the most underestimated capabilities in Azure. They are not simply convenient. They eliminate an entire class of attacks related to leaked client secrets.
The next layer is the network. In Azure, the network is not just connectivity; it is a model of trust. A VNet is a logical boundary within which relationships between workloads are defined. A flat cloud network is effectively an invitation to lateral movement. Segmentation should reflect workload criticality, environment separation such as production and non production, and traffic type. NSGs restrict movement internally, while firewalls control outbound flows. A critical point often overlooked is that many modern attacks rely on outbound communication. Controlling egress is frequently more important than controlling ingress.
Private Endpoints significantly reduce public exposure, especially for PaaS services such as Storage or SQL. However, deploying them without a coherent DNS architecture leads to operational complexity. Without a systematic approach, security controls turn into isolated technical patches that are difficult to maintain. WAF and DDoS protection are also important, yet their real value only materialises when their telemetry is analysed, not merely stored for compliance purposes.
The third pillar is data. Azure encrypts data at rest by default, but the real question is not whether data is encrypted, it is who controls the key. Using customer managed keys through Key Vault introduces an additional layer of control and separation of duties. This is particularly relevant in regulated environments. Beyond cryptography, visibility is crucial. Without understanding where sensitive data resides, it is impossible to design effective data protection. Classification and data discovery tools transform assumptions into measurable facts.
Backup strategy deserves particular scrutiny. Many organisations confidently state that “we have backups”. Yet if a global administrator can delete or alter backup policies, that strategy protects against accidents rather than adversaries. An immutable approach, soft delete, and clear separation of roles make recovery resilient against real attack scenarios.
The fourth pillar is monitoring and threat detection. Without centralised telemetry, security becomes reactive by definition. In Azure, Microsoft Sentinel typically forms the core of this layer, consolidating identity, network, workload, and application signals. A SIEM on its own, however, is merely a platform. Its effectiveness depends on meaningful correlation and well designed response workflows. If an incident is logged but does not automatically trigger containment actions such as isolating a virtual machine or disabling an account, response time becomes the critical variable.
Microsoft Defender for Cloud plays a complementary role by highlighting configuration weaknesses and workload risks. Secure Score should not be treated as a target metric. It is a directional indicator, not proof of architectural maturity. A high score does not guarantee resilience if fundamental design decisions are flawed.
The final pillar is governance. It is often perceived as administrative overhead, yet it determines whether the environment remains manageable over time. Without structured landing zones, enforced policies, and a consistent subscription model, Azure inevitably evolves into an uncontrolled sprawl. Policies should not merely audit non compliance; they should prevent it. Naming conventions, mandatory tagging, and enforced logging collectively establish operational discipline. Governance is not bureaucracy. It is the mechanism that prevents architectural entropy.
What ultimately matters is the interaction between these pillars. Identity governs access to data. Network segmentation limits the blast radius of compromise. Monitoring detects anomalies in identity and network behaviour. Governance ensures that design principles are consistently enforced. Each layer reinforces the others.
Azure security is not a licence tier and not a collection of enabled features. It is an architectural discipline in which trust is minimised, privilege is temporary, data is cryptographically controlled, telemetry is centralised, and rules are automatically enforced. Everything else is a feeling of safety that dissolves at the first serious incident.