# Azure Security Baseline and Top Misconfigurations

> **Intro:** Azure usually goes wrong in the same places: identity, management-group governance, policy gaps, and overly broad network or subscription access. The names differ from AWS, but the control story is familiar.
>
> **What this page includes**
>
> * a practical Azure baseline
> * top 10 Azure misconfigurations
> * short fixes
> * notes on what matters most in production

## Recommended Azure baseline

### Identity and access

* enforce MFA for privileged users
* reduce standing privilege through Entra ID PIM where possible
* use managed identities instead of embedded credentials
* keep subscription and management group ownership explicit
* minimize Owner and User Access Administrator assignments

### Policy and posture

* use Azure Policy for guardrails and compliance checks
* enable Microsoft Defender for Cloud broadly
* review regulatory and benchmark mappings, but do not confuse compliance score with real risk reduction
* standardize landing zones and subscription creation

### Logging and monitoring

* centralize Activity Logs and resource logs
* protect log destinations
* enable alerts for role assignment changes, policy changes, public exposure, and key security service disablement

### Network and data

* prefer private endpoints and private networking where practical
* review NSGs deliberately
* harden storage accounts and data access patterns
* use Key Vault for secrets, keys, and certificates

## Top 10 Azure misconfigurations

| #  | Misconfiguration                                 | Why it is dangerous                                | Short fix                                                       |
| -- | ------------------------------------------------ | -------------------------------------------------- | --------------------------------------------------------------- |
| 1  | Too many Owners at subscription scope            | Easy privilege abuse and weak accountability       | Limit Owners, use PIM, separate admin duties                    |
| 2  | Users can register risky apps or consent broadly | Enables identity abuse and persistence             | Tighten app registration and admin consent policies             |
| 3  | Defender for Cloud not enabled or ignored        | Weak posture visibility and missed recommendations | Enable it consistently and triage findings                      |
| 4  | No management group governance                   | Guardrails drift by subscription                   | Standardize policy and RBAC at management-group level           |
| 5  | NSGs allow broad inbound access                  | Enlarged attack surface                            | Reduce exposure and use private access patterns                 |
| 6  | Key Vault access too broad or poorly monitored   | Secret theft or silent misuse                      | Scope access carefully and monitor access patterns              |
| 7  | Public storage or weak storage settings          | Data exposure                                      | Enforce secure transfer, private access, and strict keys/tokens |
| 8  | No PIM for privileged roles                      | Standing access becomes normal                     | Require just-in-time elevation where possible                   |
| 9  | Weak logging retention or fragmented diagnostics | Harder investigations and poor control evidence    | Centralize logging and retention policy                         |
| 10 | Managed identities not used for automation       | Secrets sprawl in pipelines and scripts            | Prefer managed identities for workload auth                     |

## Practical Azure checks

```bash
# Who holds what, at every scope: look for Owner / User Access Administrator at subscription scope
az role assignment list --all
# Which policy guardrails are actually assigned
az policy assignment list
# Defender for Cloud plan tier per resource type ("Free" means that plan is off)
az security pricing list
# Storage accounts to review for public access and secure-transfer settings
az storage account list
# Recent control-plane events; role and policy changes appear here
az monitor activity-log list --max-events 10
# Key Vaults to review for access scope and diagnostics
az keyvault list
```
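As an added example (not part of this page's check list), the Python below triages constructed samples shaped like the JSON that `az role assignment list --all -o json`, `az network nsg list -o json` (a command assumed here, not listed above) and `az storage account list -o json` return, flagging items 1, 5 and 7 from the table. The field names follow the az CLI's JSON output; the principals, NSG and account values are constructed.

```python
"""Triage az CLI JSON samples for table items 1 (Owners), 5 (open NSGs) and 7 (weak storage)."""
import re

# Constructed sample records shaped like az CLI JSON output (not real tenant data).
ROLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "bob@example.com", "principalType": "User", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "deploy-mi", "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/app-rg"},
]
NSGS = [{"name": "web-nsg", "securityRules": [
    {"name": "allow-rdp", "access": "Allow", "direction": "Inbound",
     "sourceAddressPrefix": "*", "sourceAddressPrefixes": [], "destinationPortRange": "3389"},
    {"name": "allow-lb", "access": "Allow", "direction": "Inbound",
     "sourceAddressPrefix": "AzureLoadBalancer", "sourceAddressPrefixes": [], "destinationPortRange": "443"},
]}]
STORAGE = [
    {"name": "prodlogs", "enableHttpsTrafficOnly": True, "allowBlobPublicAccess": False},
    {"name": "legacydata", "enableHttpsTrafficOnly": False, "allowBlobPublicAccess": True},
]

SUB_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]{36}$", re.I)  # exactly subscription scope
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}                     # "any source" spellings

def subscription_owners(assignments):
    """Item 1: Owner / User Access Administrator assigned directly at subscription scope."""
    return sorted(a["principalName"] for a in assignments
                  if a["roleDefinitionName"] in ("Owner", "User Access Administrator")
                  and SUB_SCOPE.match(a["scope"]))

def open_inbound_rules(nsgs):
    """Item 5: Allow/Inbound rules whose source is effectively the whole internet."""
    hits = []
    for nsg in nsgs:
        for r in nsg["securityRules"]:
            sources = [r.get("sourceAddressPrefix") or ""] + (r.get("sourceAddressPrefixes") or [])
            if (r["access"] == "Allow" and r["direction"] == "Inbound"
                    and any(s.lower() in OPEN_SOURCES for s in sources)):
                hits.append((nsg["name"], r["name"], r.get("destinationPortRange", "*")))
    return hits

def weak_storage(accounts):
    """Item 7: accounts allowing public blob access or plain-HTTP transfer."""
    return [a["name"] for a in accounts
            if a.get("allowBlobPublicAccess") or not a.get("enableHttpsTrafficOnly", False)]

if __name__ == "__main__":
    print(subscription_owners(ROLE_ASSIGNMENTS), open_inbound_rules(NSGS), weak_storage(STORAGE))
```

Replace the constructed lists with `json.load` of the real command output to run it against a subscription.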

## Design comments

* **Management groups are strategic.** They keep standards from fragmenting across subscriptions.
* **Defender for Cloud is valuable**, but only if recommendation triage and ownership are real.
* **PIM changes culture** by making privileged access visible and time-bound.

## Official and primary references

* Microsoft Defender for Cloud
* Azure Policy
* Microsoft Cloud Security Benchmark
* CloudSecDocs Azure Security Baseline and Security Roadmap
