Key Takeaways
- Entra ID is the control plane. Conditional Access policies, MFA enforcement, Privileged Identity Management (PIM) for just-in-time admin, and Identity Protection for risk-based controls.
- RBAC is hierarchical. Owner, Contributor, Reader plus custom roles. Layer at management group, subscription, resource group or resource scope. Audit annually with PIM access reviews.
- Defender for Cloud is mandatory for serious deployments. CSPM plus CWPP in one product, with regulatory compliance dashboards for ISO 27001, PCI DSS, SOC 2 and more.
- Key Vault for secrets with managed identity access, soft delete and purge protection enabled. RBAC mode preferred over access policies for new vaults.
- Network controls: NSGs at subnet level, Azure Firewall or NVA at perimeter, Private Endpoints for PaaS to remove public exposure, Just-In-Time VM access for management ports.
Entra ID: The Azure Control Plane
Azure is identity-first to a greater degree than AWS or GCP. Entra ID (formerly Azure Active Directory) governs access to every Azure resource, every Microsoft 365 service, and increasingly to non-Microsoft SaaS through OIDC and SAML federation. Getting Entra ID right is the prerequisite for everything else.
Baseline Entra ID hygiene: enforce MFA on every user, keeping Conditional Access exclusions (for service-account-equivalent identities) to the smallest possible set; disable legacy authentication protocols (POP, IMAP, basic SMTP), which bypass MFA; use Conditional Access policies as the central authorisation gate (require a compliant device, require MFA, block high-risk sign-ins, restrict locations where appropriate); and enable Identity Protection for automated risk detection and response.
Privileged Identity Management
PIM converts standing admin assignments into eligible assignments that must be activated for a time-limited window (typically 8 hours), with an MFA prompt and a business justification. The result is that even compromised admin credentials are useless outside the activation window. PIM access reviews force a quarterly or annual review of every eligible assignment. Standing Global Admin without PIM is the highest-severity finding in many Azure pentests.
Azure RBAC and Scope Hierarchy
Azure RBAC operates at four scopes: management group, subscription, resource group and individual resource. Permissions inherit downward. A Contributor at management group level is Contributor on every subscription and resource group inside it. This makes broad assignments dangerous and narrow assignments tedious. The trade-off is solved by good management group hierarchy: typical Indian enterprises use Root MG > Platform MG and Landing Zone MG > production / non-production MGs > subscriptions.
Built-in roles cover most use cases (Owner, Contributor, Reader plus service-specific roles like Storage Blob Data Contributor, Key Vault Secrets User). Custom roles are useful for specific operations (a 'log reviewer' role with read on Log Analytics workspaces but no write anywhere) but should be the exception, not the norm. Avoid Owner at subscription scope for anyone other than the cloud platform team.
Quarterly access review via PIM is the cleanest operational control. Set up access reviews on every privileged role, route the review to the relevant manager or resource owner, and revoke standing assignments that are not justified at review time.
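To make the scope inheritance and the "no Owner at subscription scope" rule concrete, here is an added example (not Codesecure's or Microsoft's code) that models how an assignment at management group, subscription, resource group or resource scope flows downward, and lists the broad Owner assignments a PIM access review should look at first. The management-group tree, subscription IDs, resource IDs and assignments are constructed sample data; the inheritance logic itself is the standard ARM scope rule.

```python
"""Effective Azure RBAC roles through the scope hierarchy.

Added illustration, not Codesecure's or Microsoft's code. It models how a role
assignment at management group, subscription, resource group or resource scope
inherits downward, and flags broad Owner assignments. The management-group
tree, subscription IDs and assignments are constructed sample data.
"""
from dataclasses import dataclass

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed hierarchy: child management group -> parent (root has none).
MG_PARENT = {
    "mg-root": None,
    "mg-platform": "mg-root",
    "mg-landingzones": "mg-root",
    "mg-prod": "mg-landingzones",
    "mg-nonprod": "mg-landingzones",
}
# Constructed placement of subscriptions under management groups.
SUB_MG = {
    "11111111-1111-1111-1111-111111111111": "mg-prod",
    "22222222-2222-2222-2222-222222222222": "mg-nonprod",
}

PROD_SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
NONPROD_SUB = "/subscriptions/22222222-2222-2222-2222-222222222222"
PROD_VAULT = PROD_SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app-prod"


@dataclass(frozen=True)
class Assignment:
    principal: str  # user, group or managed identity
    role: str       # built-in or custom role name
    scope: str      # ARM scope string the assignment was made at


# Constructed assignments mirroring the patterns discussed in the text.
ASSIGNMENTS = [
    Assignment("platform-team", "Owner", MG_PREFIX + "mg-platform"),
    Assignment("sec-ops", "Reader", MG_PREFIX + "mg-root"),
    Assignment("app-dev", "Contributor", NONPROD_SUB + "/resourceGroups/rg-app"),
    Assignment("mi-app-prod", "Key Vault Secrets User", PROD_VAULT),
    Assignment("legacy-admin", "Owner", PROD_SUB),  # the anti-pattern to revoke
]


def scope_level(scope: str) -> str:
    """Classify an ARM scope as managementGroup, subscription, resourceGroup or resource."""
    s = scope.lower()
    if s.startswith(MG_PREFIX.lower()):   # must be checked before the generic /providers/ test
        return "managementGroup"
    if "/providers/" in s:
        return "resource"
    if "/resourcegroups/" in s:
        return "resourceGroup"
    return "subscription"


def applies(assignment_scope: str, target: str) -> bool:
    """True if an assignment made at assignment_scope covers target (same scope or below)."""
    a, t = assignment_scope.lower().rstrip("/"), target.lower().rstrip("/")
    if t == a or t.startswith(a + "/"):
        return True
    # A management-group assignment covers every subscription placed beneath it.
    if a.startswith(MG_PREFIX.lower()) and t.startswith("/subscriptions/"):
        mg = SUB_MG.get(t.split("/")[2])
        while mg is not None:
            if (MG_PREFIX + mg).lower() == a:
                return True
            mg = MG_PARENT[mg]
    return False


def effective_roles(principal: str, target: str, assignments=ASSIGNMENTS) -> set[str]:
    """Every role the principal holds on target, via direct or inherited assignment."""
    return {x.role for x in assignments if x.principal == principal and applies(x.scope, target)}


def broad_owner_assignments(assignments=ASSIGNMENTS) -> list[Assignment]:
    """Owner at subscription or management-group scope: review these first."""
    return [x for x in assignments
            if x.role == "Owner" and scope_level(x.scope) in ("subscription", "managementGroup")]


if __name__ == "__main__":
    for who in ("sec-ops", "platform-team", "app-dev", "mi-app-prod", "legacy-admin"):
        print(f"{who:14} on prod vault -> {sorted(effective_roles(who, PROD_VAULT))}")
    for x in broad_owner_assignments():
        print("broad Owner:", x.principal, "at", x.scope)
```

Note that the platform team's Owner on the Platform MG does not reach the production vault, because that subscription sits under the Landing Zone branch; the Reader at Root MG does. That is the hierarchy doing the work of narrowing assignments without per-resource tedium.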
Need a Cloud Security Assessment?
Codesecure runs ISO/IEC 27001:2022 certified cloud security assessments and pentests across AWS, Azure and GCP for Indian enterprises. Named OSCP consultants, CIS and CSA mapping, fixed-price proposals, free retest within 90 days.
Microsoft Defender for Cloud
Defender for Cloud (formerly Azure Security Center plus Azure Defender) is the central security product. It is a CSPM (Cloud Security Posture Management) plus a CWPP (Cloud Workload Protection Platform) plus a regulatory compliance dashboard. The free tier provides CSPM-lite (secure score, baseline recommendations) and the paid tiers add per-resource workload protection (Defender for Servers, Defender for SQL, Defender for Storage, Defender for Containers, Defender for Key Vault, Defender for App Service, Defender for DNS, Defender for Resource Manager).
Enable the paid plans for production workloads at minimum. Secure Score (a percentage that summarises posture) is the standard board-level KPI for Azure security; 80 percent is achievable for a well-run estate. The Regulatory Compliance dashboard exposes Azure-native mappings for CIS Microsoft Azure Foundations Benchmark, NIST SP 800-53, ISO 27001:2013 (with 2022 transition in progress at Microsoft), PCI DSS 4.0, SOC 2 and several others.
Key Vault and Secrets Management
Azure Key Vault is the canonical secret, key and certificate store. Three configuration choices matter at vault creation. First, RBAC mode versus access policy mode: prefer RBAC for new vaults, because it integrates with Azure RBAC and supports PIM. Second, soft delete and purge protection: enable both; without purge protection a soft-deleted key can be purged immediately, by an attacker or by accident, which destroys both the key and the recovery window. Third, network access: prefer a Private Endpoint over a service-endpoint exception, and remove public access on production vaults.
Workloads access Key Vault via Managed Identity rather than embedded secrets. The Managed Identity is granted the specific Key Vault Secrets User or Key Vault Crypto User role on the vault, with no broader Azure permissions. Application code retrieves secrets at runtime through the Azure SDK. Keep secrets out of app configuration, environment variables (other than Key Vault references) and code.
Customer-managed keys (CMK) for Storage, SQL Database, Cosmos DB and other PaaS encrypt data with a key the customer controls. Useful for regulatory positions that require customer key control. Operational overhead is small; impact on availability is real if Key Vault becomes unavailable, so plan for it.
Network Security: NSGs, Firewall, Private Endpoints, JIT
NSGs operate at subnet or NIC level with allow and deny rules processed by priority. They are the basic east-west and ingress control. Define a small set of named NSG patterns (web tier, app tier, data tier, management) and reuse rather than creating one-off NSGs per workload.
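The "processed by priority" rule has a practical consequence worth seeing in code: Azure's default AllowVnetInBound rule at priority 65000 allows any VNet source to any port, so a web-tier NSG needs an explicit, lower-numbered deny for management ports or every other subnet can reach SSH. The following added example (not Codesecure's or Microsoft's code) evaluates inbound rules first-match by ascending priority with the default rules behind the custom ones. The address plan, management subnet and rule set are constructed; service tags are resolved with a simplified local mapping (Internet is treated as "not in the VNet").

```python
"""First-match NSG rule evaluation by priority.

Added illustration, not Codesecure's or Microsoft's code. It shows how an NSG
applies inbound rules in priority order (lowest number wins, first match ends
evaluation) and how Azure's default rules sit behind custom ones. The VNet
range, management subnet and rule set are constructed sample data; service
tags are resolved with a simplified local mapping.
"""
from dataclasses import dataclass
import ipaddress

# Constructed address plan used to resolve service tags in this model.
VNET = ipaddress.ip_network("10.0.0.0/16")
SERVICE_TAGS = {
    "VirtualNetwork": [VNET],
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],  # Azure LB probe source
}


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int   # custom rules 100-4096; lower number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, single IP, service tag or "*"
    dest_port: str  # "443", "1000-2000", "22,3389" or "*"


# Azure's default inbound rules (priority 65000+) are evaluated after every custom rule.
DEFAULT_INBOUND = (
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
)

# Constructed "web tier" pattern: HTTPS from anywhere, SSH only from a management
# subnet, and an explicit deny so AllowVnetInBound cannot expose management ports.
WEB_TIER_INBOUND = (
    NsgRule("AllowHttpsInBound", 100, "Allow", "Tcp", "*", "443"),
    NsgRule("AllowSshFromMgmt", 110, "Allow", "Tcp", "10.0.250.0/24", "22"),
    NsgRule("DenyMgmtPortsInBound", 120, "Deny", "*", "*", "22,3389"),
)


def port_matches(spec: str, port: int) -> bool:
    """Match a port against '*', a single port, a range, or a comma-separated list."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def source_matches(spec: str, src: str) -> bool:
    """Match a source IP against '*', a service tag or a CIDR/single IP."""
    if spec == "*":
        return True
    ip = ipaddress.ip_address(src)
    if spec == "Internet":               # simplified: anything outside the VNet
        return ip not in VNET
    if spec in SERVICE_TAGS:
        return any(ip in net for net in SERVICE_TAGS[spec])
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate_inbound(rules, src: str, dst_port: int, protocol: str = "Tcp") -> tuple[str, str]:
    """Return (access, rule name) of the first matching rule by ascending priority."""
    for r in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol)
                and source_matches(r.source, src)
                and port_matches(r.dest_port, dst_port)):
            return r.access, r.name
    return "Deny", "implicit"  # not reached: DenyAllInBound matches everything


if __name__ == "__main__":
    for src, port in (("203.0.113.5", 443), ("203.0.113.5", 22), ("10.0.250.7", 22), ("10.0.1.4", 22)):
        print(src, port, "->", evaluate_inbound(WEB_TIER_INBOUND, src, port))
    # Same app-subnet source without the explicit deny: the default VNet rule lets SSH through.
    print("without deny:", evaluate_inbound(WEB_TIER_INBOUND[:2], "10.0.1.4", 22))
```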
Azure Firewall or a third-party NVA (Palo Alto VM-Series, Fortinet, Check Point) provides centralised egress filtering, threat intelligence-based blocking, and application-layer rules. For most Indian enterprise deployments at scale, Azure Firewall Standard or Premium is the default starting point.
Private Endpoints connect PaaS services (Storage, SQL, Cosmos DB, Key Vault, App Service, ACR, etc.) to your virtual network via a private IP, removing public internet exposure entirely. The DNS configuration to make this work cleanly with conditional forwarders is the one tricky bit; once solved, Private Endpoint is the right pattern for production PaaS.
Just-In-Time VM access (a Defender for Cloud feature) keeps management ports (22, 3389, WinRM) closed by default and opens them on request for a time-limited window from a specific source IP. A useful alternative is Azure Bastion (managed jump host with no public IP needed on the target VM).
CSPM, IAM Cleanup or Audit Pressure?
Whether you need a CSPM deployment, an IAM rationalisation, a SOC 2 or ISO 27001 cloud control evidence pack, or a quick second-opinion on a finding, our cloud security lead is available for a 30-minute free scoping call.
Azure Policy and Compliance Enforcement
Azure Policy lets you express rules as code and apply them across management groups, subscriptions and resource groups. The combination of Audit, Deny, DeployIfNotExists and Modify effects covers most preventive and detective controls. Examples: deny creation of storage accounts that allow public blob access, deny creation of VMs without disk encryption, audit Key Vaults without soft delete, deploy diagnostic settings automatically to every new resource.
Initiative definitions (sets of related policies) include CIS Microsoft Azure Foundations Benchmark, NIST SP 800-53, ISO 27001, PCI DSS and several Microsoft Cloud Adoption Framework defaults. Assigning the right initiatives at the right scope is the single highest-leverage policy decision. Codesecure helps clients design the management group hierarchy and policy assignments as part of cloud-platform-engineering work.
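The two examples above (deny storage accounts that allow public blob access, audit Key Vaults without soft delete) can be written in Azure Policy's own if/then JSON and exercised offline. The block below is an added illustration, not Codesecure's code and not the Azure Policy engine: a small evaluator for field conditions (equals, notEquals, exists) and allOf/anyOf/not, run over constructed resource payloads. The policy definitions use the real `type`, `Microsoft.Storage/storageAccounts/allowBlobPublicAccess` and `Microsoft.KeyVault/vaults/enableSoftDelete` aliases; alias resolution is simplified to "last alias segment is the property name", whereas the real engine uses its alias maps.

```python
"""Offline evaluation of Azure Policy rules against resource payloads.

Added illustration, not Codesecure's or Microsoft's code and not the Azure
Policy engine itself: evaluates the if/then policyRule structure (field
conditions with equals/notEquals/exists, allOf/anyOf/not) against constructed
resource payloads. Alias resolution is simplified (last alias segment equals
the property name).
"""

# Policy definitions in the same JSON structure Azure Policy uses.
POLICIES = {
    "deny-storage-public-blob-access": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            # notEquals false also catches the property being omitted (not explicitly disabled).
            {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "notEquals": "false"},
        ]},
        "then": {"effect": "deny"},
    },
    "audit-keyvault-soft-delete": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
            {"anyOf": [
                {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "exists": "false"},
                {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "notEquals": "true"},
            ]},
        ]},
        "then": {"effect": "audit"},
    },
}

_MISSING = object()  # sentinel for "field absent from the payload"


def resolve_field(resource: dict, field: str):
    """Resolve 'type', 'name', 'location' or a property alias on a resource payload."""
    if field in ("type", "name", "location"):
        return resource.get(field, _MISSING)
    prop = field.rsplit("/", 1)[-1]  # simplified alias -> property mapping (assumption)
    return resource.get("properties", {}).get(prop, _MISSING)


def _norm(v) -> str:
    # Policy compares case-insensitively; booleans are compared as "true"/"false".
    return str(v).lower()


def evaluate_condition(cond: dict, resource: dict) -> bool:
    """Recursively evaluate one policyRule condition."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not _MISSING) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return value is not _MISSING and _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return value is _MISSING or _norm(value) != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource: dict, policies: dict = POLICIES) -> dict:
    """Effects triggered per policy plus the overall outcome: deny beats audit beats allow."""
    triggered = {name: p["then"]["effect"] for name, p in policies.items()
                 if evaluate_condition(p["if"], resource)}
    effects = set(triggered.values())
    outcome = "deny" if "deny" in effects else ("audit" if "audit" in effects else "allow")
    return {"outcome": outcome, "triggered": triggered}


# Constructed resource payloads as they would reach the policy engine.
SAMPLES = {
    "public-storage": {"type": "Microsoft.Storage/storageAccounts", "name": "stpublic",
                       "properties": {"allowBlobPublicAccess": True}},
    "default-storage": {"type": "Microsoft.Storage/storageAccounts", "name": "stdefault",
                        "properties": {}},  # property omitted: not explicitly disabled
    "locked-storage": {"type": "Microsoft.Storage/storageAccounts", "name": "stlocked",
                       "properties": {"allowBlobPublicAccess": False}},
    "vault-no-softdelete": {"type": "Microsoft.KeyVault/vaults", "name": "kv1",
                            "properties": {"enableSoftDelete": False}},
    "vault-ok": {"type": "Microsoft.KeyVault/vaults", "name": "kv2",
                 "properties": {"enableSoftDelete": True, "enablePurgeProtection": True}},
}

if __name__ == "__main__":
    for label, res in SAMPLES.items():
        print(f"{label:20} -> {evaluate(res)}")
```

The "default-storage" case is the one that matters operationally: a deploy that simply omits the setting is still denied, which is why the deny policy is written with notEquals false rather than equals true.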
Logging, Log Analytics and Microsoft Sentinel
Azure resources emit Activity Logs (control plane) and Diagnostic Logs (data plane). Both must be configured to flow to a Log Analytics workspace, preferably a single central workspace per environment (or per business unit at very large scale). Diagnostic settings can be applied at scale via Azure Policy.
Microsoft Sentinel is the cloud-native SIEM and SOAR built on Log Analytics. It ingests Azure logs natively, plus AWS, GCP, Office 365, Defender for Cloud and a wide range of third-party connectors. Built-in analytics rules cover most MITRE ATT&CK techniques. Workbooks, Hunting queries and Notebooks provide investigation surface. Codesecure has implemented Sentinel for Indian banks, fintechs and large enterprises; the typical deployment is 6 to 10 weeks for a single environment and produces a 200 to 400 alert-rule baseline tuned to the customer's stack.
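Once Activity Logs land in the workspace, analytics rules are just predicates over records. The added example below (not Codesecure's or Microsoft's code, and not a Sentinel rule export) runs three such checks in Python over constructed Activity Log events: role assignments written at subscription or management-group scope, deletion of diagnostic settings, and deletion of policy assignments. The event shape loosely follows the Activity Log export schema (operationName, caller, resourceId, resultType); the callers, IDs and timestamps are constructed, and the operation names are the real ARM operation strings.

```python
"""Detection logic over Activity Log records.

Added illustration, not Codesecure's or Microsoft's code: three analytics-rule
style checks run over constructed Activity Log events. Event shape loosely
follows the Azure Activity Log export schema (operationName, caller,
resourceId, resultType); callers, IDs and timestamps are constructed.
"""
import json

# Constructed sample events, as JSON lines, modelled on an Activity Log export.
SAMPLE_EVENTS = """\
{"time": "2024-05-01T09:12:03Z", "operationName": "Microsoft.Authorization/roleAssignments/write", "resultType": "Success", "caller": "admin@contoso.example", "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000001"}
{"time": "2024-05-01T09:15:41Z", "operationName": "Microsoft.Authorization/roleAssignments/write", "resultType": "Success", "caller": "dev@contoso.example", "resourceId": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-app/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000002"}
{"time": "2024-05-01T09:20:07Z", "operationName": "Microsoft.Insights/diagnosticSettings/delete", "resultType": "Success", "caller": "admin@contoso.example", "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app-prod/providers/Microsoft.Insights/diagnosticSettings/to-law"}
{"time": "2024-05-01T09:22:55Z", "operationName": "Microsoft.Authorization/policyAssignments/delete", "resultType": "Success", "caller": "admin@contoso.example", "resourceId": "/providers/Microsoft.Management/managementGroups/mg-prod/providers/Microsoft.Authorization/policyAssignments/deny-public-blob"}
{"time": "2024-05-01T09:30:12Z", "operationName": "Microsoft.Compute/virtualMachines/start/action", "resultType": "Success", "caller": "ops@contoso.example", "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-01"}
{"time": "2024-05-01T09:31:48Z", "operationName": "Microsoft.Authorization/roleAssignments/write", "resultType": "Failure", "caller": "dev@contoso.example", "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000003"}
"""


def parse_events(jsonl: str) -> list[dict]:
    """One dict per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def assignment_scope(resource_id: str) -> str:
    """The scope a role assignment was written at: everything before its provider segment."""
    idx = resource_id.lower().find("/providers/microsoft.authorization/roleassignments/")
    return resource_id[:idx] if idx >= 0 else resource_id


def is_broad_scope(scope: str) -> bool:
    """Subscription or management-group scope (anything without a resource group)."""
    return "/resourcegroups/" not in scope.lower()


# (rule title, predicate over one event); operation names are matched case-insensitively.
RULES = [
    ("Role assignment written at subscription or management group scope",
     lambda e: e["operationName"].lower() == "microsoft.authorization/roleassignments/write"
     and is_broad_scope(assignment_scope(e["resourceId"]))),
    ("Diagnostic settings deleted (logging pipeline tampering)",
     lambda e: e["operationName"].lower() == "microsoft.insights/diagnosticsettings/delete"),
    ("Policy assignment deleted (guardrail removal)",
     lambda e: e["operationName"].lower() == "microsoft.authorization/policyassignments/delete"),
]


def detect(events: list[dict]) -> list[dict]:
    """Return one alert per (event, rule) match on successful operations."""
    alerts = []
    for e in events:
        if e.get("resultType") != "Success":
            continue  # failed attempts deserve their own, lower-severity rule
        for title, match in RULES:
            if match(e):
                alerts.append({"rule": title, "time": e["time"],
                               "caller": e["caller"], "resourceId": e["resourceId"]})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{a['time']}  {a['caller']:24} {a['rule']}")
```

The resource-group-scoped assignment and the failed write are deliberately left out of the results: the first is normal delegation, the second belongs to a separate rule so that noise from failed attempts does not drown the high-severity successes.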
Frequently Asked Questions
How long does it take to harden an Azure tenant?
For a single subscription or small landing zone, 4 to 6 weeks. For a multi-subscription enterprise with management group hierarchy, Defender for Cloud rollout, PIM, Conditional Access, network redesign and Sentinel: 10 to 16 weeks of focused work. Codesecure delivers phased programmes with named consultants and fixed-price milestones.
Do we need Defender for Cloud paid plans?
For production workloads holding sensitive or regulated data, yes. The paid Defender plans add real workload protection (anti-malware on VMs, suspicious activity on SQL, brute-force detection on App Service) that the free CSPM tier does not provide. For dev and test, the free tier is acceptable.
How does Entra ID Conditional Access relate to Multi-Factor Authentication?
Conditional Access is the policy engine that decides when MFA is required, what type of MFA is acceptable, which devices can sign in, and which locations are allowed. Per-user MFA (the older mechanism) still exists for backward compatibility but Conditional Access is the recommended modern approach with finer control.
What about hybrid Active Directory plus Entra ID?
Most Indian enterprises run hybrid: on-prem AD synchronised to Entra ID via Entra Cloud Sync or Azure AD Connect, with selected accounts as cloud-only. Hybrid introduces additional attack paths (Pass-the-PRT, hybrid join token theft) that need to be considered. Codesecure tests hybrid identity attack paths as part of cloud pentest engagements.
Can we use Azure for RBI-regulated workloads?
Yes. Microsoft Azure publishes RBI-aligned guidance and many Indian banks, NBFCs and insurers run regulated workloads on Azure. The shared responsibility model applies: Microsoft secures the cloud, the customer secures everything in the cloud (identity, data, network, applications). Codesecure helps regulated entities structure their Azure landing zone to satisfy RBI, SEBI and IRDAI expectations.
Do you offer Azure penetration testing?
Yes. See our companion guide on cloud penetration testing. Azure requires acknowledgement of the Microsoft Cloud Penetration Testing Rules of Engagement before testing; Codesecure handles the documentation as part of engagement kickoff. We test Entra ID, RBAC, Storage, Key Vault, App Service, AKS, Sentinel detection coverage, and the assumed-compromise attack chain end to end.
Make Your Azure Estate Defender-Score and Audit Ready
Codesecure delivers Azure security baseline, Defender for Cloud rollout, PIM and Conditional Access design, Sentinel implementation and cloud pentest for Indian enterprises. ISO/IEC 27001:2022 certified, named Azure-certified consultants, free retest within 90 days.