Azure Operational Security best practices
This article provides a set of operational best practices for protecting your data, applications, and other assets in Azure.
The best practices are based on a consensus of opinion, and they work with current Azure platform capabilities and feature sets. Opinions and technologies change over time and this article is updated on a regular basis to reflect those changes.
Define and deploy strong operational security practices
Azure operational security refers to the services, controls, and features available to users for protecting their data, applications, and other assets in Azure. Azure operational security is built on a framework that incorporates the knowledge gained through capabilities that are unique to Microsoft, including the Security Development Lifecycle (SDL), the Microsoft Security Response Center program, and deep awareness of the cybersecurity threat landscape.
Enforce multifactor verification for users
We recommend that you require two-step verification for all of your users. This includes administrators and others in your organization who can have a significant impact if their account is compromised (for example, financial officers).
There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Microsoft Entra edition you're running, and your licensing program. See How to require two-step verification for a user to determine the best option for you. See the Microsoft Entra ID and Microsoft Entra multifactor Authentication pricing pages for more information about licenses and pricing.
Following are options and benefits for enabling two-step verification:
Option 1: Enable MFA for all users and login methods with Microsoft Entra Security Defaults Benefit: This option enables you to easily and quickly enforce MFA for all users in your environment with a stringent policy to:
- Challenge administrative accounts and administrative logon mechanisms
- Require MFA challenge via Microsoft Authenticator for all users
- Restrict legacy authentication protocols.
This method is available to all licensing tiers but is not able to be mixed with existing Conditional Access policies. You can find more information in Microsoft Entra Security Defaults
Option 2: Enable multifactor authentication by changing user state.
Benefit: This is the traditional method for requiring two-step verification. It works with both Microsoft Entra multifactor authentication in the cloud and Azure Multi-Factor Authentication Server. Using this method requires users to perform two-step verification every time they sign in and overrides Conditional Access policies.
To determine where multifactor authentication needs to be enabled, see Which version of Microsoft Entra multifactor authentication is right for my organization?.
Option 3: Enable multifactor authentication with Conditional Access policy. Benefit: This option allows you to prompt for two-step verification under specific conditions by using Conditional Access. Specific conditions can be user sign-in from different locations, untrusted devices, or applications that you consider risky. Defining specific conditions where you require two-step verification enables you to avoid constant prompting for your users, which can be an unpleasant user experience.
This is the most flexible way to enable two-step verification for your users. Enabling a Conditional Access policy works only for Microsoft Entra multifactor authentication in the cloud and is a premium feature of Microsoft Entra ID. You can find more information on this method in Deploy cloud-based Microsoft Entra multifactor authentication.
Manage and monitor user passwords
The following table lists some best practices related to managing user passwords:
Best practice: Ensure you have the proper level of password protection in the cloud.
Detail: Follow the guidance in Microsoft Password Guidance, which is scoped to users of the Microsoft identity platforms (Microsoft Entra ID, Active Directory, and Microsoft account).
- Detect potential vulnerabilities that affect your organization's identities
- Configure automated responses to detected suspicious actions that are related to your organization's identities
- Investigate suspicious incidents and take appropriate actions to resolve them
Receive incident notifications from Microsoft
Be sure your security operations team receives Azure incident notifications from Microsoft. An incident notification lets your security team know you have compromised Azure resources so they can quickly respond to and remediate potential security risks.
In the Azure enrollment portal, you can ensure admin contact information includes details that notify security operations. Contact information is an email address and phone number.
Organize Azure subscriptions into management groups
If your organization has many subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope that’s above subscriptions. You organize subscriptions into containers called management groups and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.
You can build a flexible structure of management groups and subscriptions into a directory. Each directory is given a single top-level management group called the root management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. The root management group allows global policies and Azure role assignments to be applied at the directory level.
Here are some best practices for using management groups:
Best practice: Ensure that new subscriptions apply governance elements like policies and permissions as they are added.
Detail: Use the root management group to assign enterprise-wide security elements that apply to all Azure assets. Policies and permissions are examples of elements.
Best practice: Align the top levels of management groups with segmentation strategy to provide a point for control and policy consistency within each segment.
Detail: Create a single management group for each segment under the root management group. Don't create any other management groups under the root.
Best practice: Limit management group depth to avoid confusion that hampers both operations and security.
Detail: Limit your hierarchy to three levels, including the root.
Best practice: Carefully select which items to apply to the entire enterprise with the root management group.
Detail: Ensure root management group elements have a clear need to be applied across every resource and that they're low impact.
Good candidates include:
- Regulatory requirements that have a clear business impact (for example, restrictions related to data sovereignty)
- Requirements with near-zero potential negative effect on operations, like policy with audit effect or Azure RBAC permission assignments that have been carefully reviewed
Best practice: Carefully plan and test all enterprise-wide changes on the root management group before applying them (policy, Azure RBAC model, and so on).
Detail: Changes in the root management group can affect every resource on Azure. While they provide a powerful way to ensure consistency across the enterprise, errors or incorrect usage can negatively affect production operations. Test all changes to the root management group in a test lab or production pilot.
Monitor storage services for unexpected changes in behavior
Diagnosing and troubleshooting issues in a distributed application hosted in a cloud environment can be more complex than it is in traditional environments. Applications can be deployed in a PaaS or IaaS infrastructure, on-premises, on a mobile device, or in some combination of these environments. Your application's network traffic might traverse public and private networks, and your application might use multiple storage technologies.
You should continuously monitor the storage services that your application uses for any unexpected changes in behavior (such as slower response times). Use logging to collect more detailed data and to analyze a problem in depth. The diagnostics information that you obtain from both monitoring and logging helps you to determine the root cause of the issue that your application encountered. Then you can troubleshoot the issue and determine the appropriate steps to remediate it.
Azure Storage Analytics performs logging and provides metrics data for an Azure storage account. We recommend that you use this data to trace requests, analyze usage trends, and diagnose issues with your storage account.
Prevent, detect, and respond to threats
Microsoft Defender for Cloud helps you prevent, detect, and respond to threats by providing increased visibility into (and control over) the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with various security solutions.
The Free tier of Defender for Cloud offers limited security for your resources in Azure as well as Arc-enabled resources outside of Azure. The Enahanced Security Features extend these capabilities to include threat and vulnerability management, as well as regulatory compliance reporting. Defender for Cloud Plans help you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats by using analytics and intelligence, and respond quickly when under attack. You can try Defender for Cloud Standard at no cost for the first 30 days. We recommend that you enable enhanced security features on your Azure subscriptions in Defender for Cloud.
Use Defender for Cloud to get a central view of the security state of all your resources in your own data centers, and Azure. At a glance, verify that the appropriate security controls are in place and configured correctly, and quickly identify any resources that need attention.
Almost all enterprise organizations have a security information and event management (SIEM) system to help identify emerging threats by consolidating log information from diverse signal gathering devices. The logs are then analyzed by a data analytics system to help identify what’s “interesting” from the noise that is inevitable in all log gathering and analytics solutions.
Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration automated response (SOAR) solution. Microsoft Sentinel provides intelligent security analytics and threat intelligence via alert detection, threat visibility, proactive hunting, and automated threat response.
Here are some best practices for preventing, detecting, and responding to threats:
Best practice: Increase the speed and scalability of your SIEM solution by using a cloud-based SIEM.
Detail: Investigate the features and capabilities of Microsoft Sentinel and compare them with the capabilities of what you’re currently using on-premises. Consider adopting Microsoft Sentinel if it meets your organization’s SIEM requirements.
Best practice: Find the most serious security vulnerabilities so you can prioritize investigation.
Detail: Review your Azure secure score to see the recommendations resulting from the Azure policies and initiatives built into Microsoft Defender for Cloud. These recommendations help address top risks like security updates, endpoint protection, encryption, security configurations, missing WAF, internet-connected VMs, and many more.
The secure score, which is based on Center for Internet Security (CIS) controls, lets you benchmark your organization's Azure security against external sources. External validation helps validate and enrich your team's security strategy.
Best practice: Monitor the security posture of machines, networks, storage and data services, and applications to discover and prioritize potential security issues.
Detail: Follow the security recommendations in Defender for Cloud starting, with the highest priority items.
Best practice: Integrate Defender for Cloud alerts into your security information and event management (SIEM) solution.
Detail: Most organizations with a SIEM use it as a central clearinghouse for security alerts that require an analyst response. Processed events produced by Defender for Cloud are published to the Azure Activity Log, one of the logs available through Azure Monitor. Azure Monitor offers a consolidated pipeline for routing any of your monitoring data into a SIEM tool. See Stream alerts to a SIEM, SOAR, or IT Service Management solution for instructions.
Best practice: Integrate Azure logs with your SIEM.
Detail: Use Azure Monitor to gather and export data. This practice is critical for enabling security incident investigation, and online log retention is limited.
Monitor end-to-end scenario-based network monitoring
Customers build an end-to-end network in Azure by combining network resources like a virtual network, ExpressRoute, Application Gateway, and load balancers. Monitoring is available on each of the network resources.
Azure Network Watcher is a regional service. Use its diagnostic and visualization tools to monitor and diagnose conditions at a network scenario level in, to, and from Azure.
The following are best practices for network monitoring and available tools.
Best practice: Automate remote network monitoring with packet capture.
Detail: Monitor and diagnose networking issues without logging in to your VMs by using Network Watcher. Trigger packet capture by setting alerts and gain access to real-time performance information at the packet level. When you see an issue, you can investigate in detail for better diagnoses.
Best practice: Gain insight into your network traffic by using flow logs.
Detail: Build a deeper understanding of your network traffic patterns by using network security group flow logs. Information in flow logs helps you gather data for compliance, auditing, and monitoring your network security profile.
Best practice: Diagnose VPN connectivity issues.
Detail: Use Network Watcher to diagnose your most common VPN Gateway and connection issues. You can not only identify the issue but also use detailed logs to further investigate.
Enable Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies.
Enable Azure Policy to monitor and enforce your organization's written policy. This will ensure compliance with your company or regulatory security requirements by centrally managing security policies across your hybrid cloud workloads. Learn how to create and manage policies to enforce compliance. See Azure Policy definition structure for an overview of the elements of a policy.
Here are some security best practices to follow after you adopt Azure Policy:
Best practice: Policy supports several types of effects. You can read about them in Azure Policy definition structure. Business operations can be negatively affected by the deny effect and the remediate effect, so start with the audit effect to limit the risk of negative impact from policy.
Detail: Start policy deployments in audit mode and then later progress to deny or remediate. Test and review the results of the audit effect before you move to deny or remediate.
For more information, see Create and manage policies to enforce compliance.
Best practice: Identify the roles responsible for monitoring for policy violations and ensuring the right remediation action is taken quickly.
Detail: Have the assigned role monitor compliance through the Azure portal or via the command line.
Best practice: Azure Policy is a technical representation of an organization's written policies. Map all Azure Policy definitions to organizational policies to reduce confusion and increase consistency.
Detail: Document mapping in your organization's documentation or in the Azure Policy definition itself by adding a reference to the organizational policy in the policy definition or the initiative definition description.
Next steps
See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure.
The following resources are available to provide more general information about Azure security and related Microsoft services:
- Azure Security Team Blog - for up to date information on the latest in Azure Security
- Microsoft Security Response Center - where Microsoft security vulnerabilities, including issues with Azure, can be reported or via email to secure@microsoft.com