Azure provides comprehensive security capabilities across all layers of your cloud deployments. Azure delivers confidentiality, integrity, and availability of customer data while enabling transparent accountability. This article introduces Azure's security architecture organized by protection, detection, and response capabilities.
For a comprehensive introduction to Azure security capabilities organized by functional area, see Introduction to Azure security. For detailed implementation guidance and best practices, refer to the domain-specific security overview articles linked throughout this document.
Microsoft security architecture
Azure security services are organized into three foundational categories:
- Secure and protect: Implement defense-in-depth strategies across identity, infrastructure, networks, and data
- Detect threats: Identify suspicious activities and potential security incidents
- Investigate and respond: Analyze security events and take corrective actions
The following diagram illustrates how Azure security services align with these categories and the resources they protect:
Security controls and baselines
The Azure cloud security benchmark provides comprehensive security guidance for Azure services:
- Security controls: High-level recommendations applicable across your Azure tenant and services
- Service baselines: Implementation of controls for individual Azure services with specific configuration recommendations
Use these controls and baselines to:
- Establish security standards for cloud deployments
- Assess compliance at scale using the Microsoft Defender for Cloud regulatory compliance dashboard
- Map to industry frameworks including CIS, NIST, and PCI-DSS
- Implement secure configurations with Azure Policy
For governance and compliance capabilities, see Azure security management and monitoring overview.
Secure and protect
Azure provides layered security controls across identity, infrastructure, networks, and data. For detailed implementation guidance, refer to the domain-specific overview articles.
Threat protection
Microsoft Defender for Cloud provides unified security management with continuous assessment and advanced threat protection. For comprehensive coverage, see Azure threat protection.
Identity and access
- Microsoft Entra ID - Cloud identity and access management
- Privileged Identity Management - Just-in-time privileged access
For details, see Azure identity management security overview.
Network security
- Azure Firewall - Cloud-native network firewall with IDPS
- Azure DDoS Protection - Always-on DDoS mitigation
- Azure VPN Gateway - Encrypted cross-premises connectivity
- Azure Front Door - Global load balancer with integrated WAF
- Azure Private Link - Private connectivity to Azure services
For details, see Azure network security overview.
Data protection
- Azure Key Vault - Secure key and secret storage with FIPS 140-2 Level 1 (Standard tier) and FIPS 140-3 Level 3 (Premium tier) validated HSMs
- Key Vault Managed HSM - Single-tenant FIPS 140-3 Level 3 HSM
- Azure Storage Service Encryption - Automatic encryption at rest
- Azure Backup - Independent and isolated backups
For details, see Azure encryption overview and Key management in Azure.
Governance
- Azure Policy - Enforce standards and assess compliance
For details, see Azure security management and monitoring overview.
Detect threats
Azure threat detection services identify suspicious activities and security incidents across your environment.
- Microsoft Defender for Cloud - Advanced threat protection with workload-specific plans
- Microsoft Sentinel - Cloud-native SIEM and SOAR solution
- Microsoft Defender XDR - Unified endpoint, identity, email, and application protection
- Azure Network Watcher - Network monitoring and diagnostics
For comprehensive threat detection capabilities, see Azure threat protection.
Investigate and respond
Azure provides tools to analyze security events and respond to incidents.
- Microsoft Sentinel - Threat hunting with search and query tools
- Azure Monitor - Comprehensive telemetry collection and analysis with Log Analytics workspaces
- Microsoft Entra monitoring and health - Activity logs and audit history
For monitoring and operational guidance, see Azure security management and monitoring overview.
Next steps
- Review Introduction to Azure security for a comprehensive overview organized by functional area
- Review Azure security services and technologies for a comprehensive list of security capabilities
- Understand shared responsibility in the cloud
- Explore Azure security best practices and patterns
- Learn about Azure cloud security benchmark