Azure Security Fundamentals Part - 1: Identity, Roles and Network Security

February 12, 2025

🔐 Azure Security Fundamentals

Security is the cornerstone of any cloud deployment, and in Azure, identity is at the core of everything. Whether it's human users or automated services, the way access is granted, managed, and audited directly impacts your organization's security posture.

🧠 Why Identity Security Matters in Azure

Azure uses Azure Active Directory (Azure AD) as its identity provider. Every resource, user, or service principal must authenticate through Azure AD before accessing services.

Key principles:

  • Every user must be authenticated.
  • You must enforce strong authentication mechanisms to prevent impersonation.
  • Misconfigured identity systems are a major attack vector.

🔒 Conditional Access & Multi-Factor Authentication (MFA)

What is Conditional Access?

Conditional Access lets you define policies that determine whether users can access applications or data based on conditions like:

  • Device compliance
  • User location
  • Risk level
  • Session context

What is MFA?

Multi-Factor Authentication requires users to provide two or more authentication factors, such as:

  • Password + text message
  • Password + biometric
  • One-time password + security key

These are critical in protecting against phishing and password spray attacks.

💡 Note: Conditional Access and full MFA support require Azure AD Premium P1 or P2 licenses.

💰 Azure AD Licensing: What You Get

Feature                 | Free  | Premium P1 | Premium P2
------------------------|-------|------------|-----------
MFA (Security Defaults) | ✅    | ✅         | ✅
Conditional Access      | ❌    | ✅         | ✅
SLA                     | ❌    | 99.99%     | 99.99%
Reports                 | Basic | Full       | Full
Access Reviews          | ❌    | ❌         | ✅
Just in Time Access     | ❌    | ❌         | ✅

Learn more on Microsoft’s official docs.

👤 Understanding Azure AD vs Azure Roles

Azure uses two different role models, and confusing them can cause serious issues.

Azure AD Roles

These define what users can do in Azure AD itself, not in the Azure resources.

Task                     | Role
-------------------------|-----------------------
Create App Registration  | Application Developer
Add user/group           | User Administrator
Change payment method    | Billing Administrator
Full control over tenant | Global Administrator

⚠️ Warning: The Global Administrator has unrestricted access. Assign sparingly!

Read the full list of Azure AD built-in roles.

Azure Roles (RBAC)

Azure RBAC (Role-Based Access Control) defines what users can do with Azure resources.

Role        | Capabilities
------------|----------------------------------------
Owner       | Full control, including managing access
Contributor | Full control, except managing access
Reader      | Read-only access

You can also use custom roles or one of the 70+ built-in roles, such as:

  • Virtual Machine Contributor
  • CDN Endpoint Reader
  • Azure Relay Owner

✅ Learn more about Azure RBAC roles.

✅ Best Practices for Azure Security

  1. Use Least Privilege
    Only grant the minimal necessary access. Avoid blanket Contributor or Owner roles.

  2. Audit Role Assignments
    Use Access Reviews (P2) and audit logs to validate and clean up unused roles.

  3. Protect Global Admin Accounts
    Enable MFA, and restrict to a small number of trusted users.

  4. Apply Conditional Access Policies
    Block access from risky locations, enforce compliant devices, and require MFA where needed.

  5. Enable Defender for Identity
    Defender for Identity can detect suspicious sign-ins, lateral movement, and privilege escalation attempts.

  6. Use Privileged Identity Management (PIM)
    Grant elevated access just in time to reduce attack surface.
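A worked check for practices 1 and 2, added here as an example and not part of the original post: it scans role assignments in the shape returned by `az role assignment list -o json` (the field names are an assumption from that output) and flags Owner or Contributor granted on a whole subscription or management group. The records are constructed sample data.

```python
# Added example (not from the original post): flag blanket Owner/Contributor
# assignments. Record fields mirror `az role assignment list -o json`
# (assumed); the records themselves are constructed, not from a real tenant.
import re

BROAD_ROLES = {"Owner", "Contributor"}

# A whole subscription or a management group counts as a "blanket" scope.
SUBSCRIPTION_ROOT = re.compile(r"^/subscriptions/[^/]+/?$")
MANAGEMENT_GROUP = re.compile(r"^/providers/Microsoft\.Management/managementGroups/")

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed id
SAMPLE_ASSIGNMENTS = [  # constructed sample data
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "build-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/providers/Microsoft.Management/managementGroups/root-mg"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
]

def is_blanket_scope(scope: str) -> bool:
    """True when the assignment applies to a whole subscription or management group."""
    return bool(SUBSCRIPTION_ROOT.match(scope) or MANAGEMENT_GROUP.match(scope))

def find_blanket_assignments(assignments):
    """Return (principal, role, scope) for broad roles granted at a blanket scope.
    Contributor on a single VM is fine; Contributor on the subscription is what to review."""
    return [(a["principalName"], a["roleDefinitionName"], a["scope"])
            for a in assignments
            if a["roleDefinitionName"] in BROAD_ROLES and is_blanket_scope(a["scope"])]

if __name__ == "__main__":
    for principal, role, scope in find_blanket_assignments(SAMPLE_ASSIGNMENTS):
        print(f"REVIEW: {principal} holds {role} at {scope}")
```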


🌐 Azure Network Security: Architecture, NSGs, and Private Link

Securing the network layer in Azure is just as important as managing identities and access. While Azure offers flexibility and scalability, it also requires intentional design and controls to prevent breaches.

This guide explores:

  • Hub and Spoke network architecture
  • Network Security Groups (NSGs)
  • Azure Private Link

🧭 Hub and Spoke Architecture

A foundational design for secure cloud networks.

✅ What is it?

In this model:

  • Hub VNet acts as the central gateway (with firewalls, WAFs, etc.)
  • Spoke VNets are isolated per app, environment, or workload
  • All traffic funnels through the hub, which is tightly controlled

🔄 Why Use It?

  • Minimizes open ingress points
  • Centralizes security policies and logging
  • Enables secure VNet peering between services
  • Scales easily across environments (Dev, Test, Prod)

🧱 Network Security Groups (NSGs)

NSGs are lightweight packet filters attached to subnets or NICs (network interfaces) to control traffic flow.

🛡️ What They Do

  • Control inbound/outbound traffic at subnet or NIC level
  • Define security rules based on:
    • Source IP
    • Destination IP
    • Source/Destination Ports
    • Protocol (TCP/UDP)

⚙️ Rule Priority

  • Rules are numbered
  • Lower numbers = higher priority
  • Rules can Allow or Deny
  • Defaults include broad deny rules, which you override as needed

🧠 Example

Allow TCP 22 from 10.0.0.0/24 to 10.1.0.4 (priority 100)
Deny All (priority 65500)

⚠️ Important: Newly created VMs may come with open RDP/SSH; secure these IMMEDIATELY.
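To make the priority semantics concrete, here is a small simulator of NSG inbound rule evaluation, added as an example and not code from the original post: rules are sorted by priority, lower number first, and the first match decides. The rule set encodes the two rules from the example above (the Allow rule's name is constructed; DenyAllInBound is the platform default rule) and the flows are constructed sample data.

```python
# Added example (not from the original post): a minimal simulator of NSG
# inbound rule evaluation. Rules are sorted by priority (lower number first)
# and the first match decides; rules and flows are constructed sample data.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # custom rules 100-4096; lower number wins
    action: str       # "Allow" or "Deny"
    protocol: str     # "TCP", "UDP" or "*"
    source: str       # CIDR or "*"
    destination: str  # CIDR or "*"
    dest_port: str    # single port or "*"

@dataclass(frozen=True)
class Flow:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int

def _in_prefix(ip: str, prefix: str) -> bool:
    return prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)

def _matches(rule: Rule, flow: Flow) -> bool:
    return (rule.protocol in ("*", flow.protocol)
            and _in_prefix(flow.src_ip, rule.source)
            and _in_prefix(flow.dst_ip, rule.destination)
            and (rule.dest_port == "*" or int(rule.dest_port) == flow.dst_port))

def evaluate(rules, flow: Flow) -> tuple:
    """Return (action, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, flow):
            return rule.action, rule.name
    return "Deny", "implicit"  # a real NSG always ends with DenyAllInBound

# The two rules from the post's example; "AllowSSHFromMgmt" is a constructed name.
RULES = [
    Rule("AllowSSHFromMgmt", 100, "Allow", "TCP", "10.0.0.0/24", "10.1.0.4/32", "22"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]

if __name__ == "__main__":
    for f in (Flow("TCP", "10.0.0.7", "10.1.0.4", 22),      # allowed by rule 100
              Flow("TCP", "10.0.0.7", "10.1.0.4", 3389),    # RDP: falls to 65500
              Flow("TCP", "203.0.113.9", "10.1.0.4", 22)):  # wrong source prefix
        print(f, "->", evaluate(RULES, f))
```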

🔒 Azure Private Link

Managed services (like SQL, Storage, etc.) often expose public endpoints by default. Private Link changes that.

🚫 Problem

By default:

  • Azure SQL / Storage is accessible over the public internet (even when firewall-restricted)

✅ Solution: Private Link

Private Link enables:

  • Extension of a managed service into your VNet
  • Use of a private IP address (called a Private Endpoint)
  • Internal only traffic (never leaves Azure backbone)
  • Full elimination of public exposure

🛠️ How it Works

  • Create a Private Endpoint
  • Configure the target resource to allow private access
  • Azure sets up a private DNS zone (or you configure one manually)
  • VM uses private IP for communication

📦 Supported Services

Private Link is supported by a wide range of services, including:

  • Databases: SQL, PostgreSQL, MySQL, CosmosDB
  • Storage: Blob, Files, ACR
  • Apps: App Service, Functions, Web Apps
  • Messaging: Event Hub, Service Bus, Relay
  • Security: Key Vault, Azure Monitor, Automation

✅ Learn more about Private Link.

🔄 Comparison: With vs. Without Private Link

❌ Without Private Link

  • VM ▶ Azure SQL (via public IP)
    • ⛔ Public exposure, even if IPs are firewalled

✅ With Private Link

  • VM ▶ Azure SQL (via Private Endpoint)
    • ✅ Traffic stays within the VNet
    • ✅ Can extend securely to on-prem via VPN

✅ Network Security Best Practices

  1. Use Hub and Spoke architecture for scalable, secure network design.
  2. Apply NSGs to subnets and VM NICs to tightly control traffic.
  3. Audit NSG rules regularly, especially the default SSH/RDP rules.
  4. Use Private Link to eliminate public exposure of sensitive services.
  5. Block all by default and allow explicitly: the principle of least privilege.
  6. Combine with Azure Firewall or 3rd party NGFWs for advanced inspection and control.