
Azure Security Services: How Do They Compare?


I'm a technologist in love with almost all things tech, from my daily job in the Cloud to my Master's in Cybersecurity and the journey all along.

Navigating Microsoft Azure's security ecosystem can be overwhelming. This guide cuts through the complexity to explain the core services that form a comprehensive cloud security and governance framework.

The Governance Loop:

  • Azure Policy - Governance & Compliance (Always free) → Azure Firewall - Network Protection (No free tier) → Azure Defender - Threat Detection (30-day free trial) → Azure Security Center - Centralized Monitoring (Free basic features) → Azure Sentinel - SIEM & SOAR (Pay-per-use)

[Image: azure_security_infographic.png]

The Foundation: Azure Policy

Think of Azure Policy as your cloud rulebook. It's a free governance service that automatically enforces standards across your Azure environment. Whether it's ensuring all storage accounts are encrypted, restricting VM sizes to control costs, or mandating resource tagging for finance tracking—Azure Policy makes compliance proactive, not reactive. It's your first line of defense in establishing guardrails.

Your Security Dashboard: Microsoft Defender for Cloud

Formerly Azure Security Center, this is your centralized security command center. The free tier provides continuous security assessment and actionable recommendations (your "secure score"). Upgrade to the paid Standard tier for advanced threat protection across virtual machines, containers, SQL databases, and more. It's essential for maintaining security posture and meeting compliance requirements.

The Intelligent Shield: Microsoft Defender for Cloud (Workload Protection)

This is the advanced threat detection component within Defender for Cloud. It provides real-time protection against attacks, using behavioral analytics and threat intelligence to detect suspicious activity. Think of it as antivirus and intrusion detection built for the cloud era, protecting your workloads wherever they reside—Azure, on-premises, or even other clouds.

The Network Gatekeeper: Azure Firewall

Azure Firewall is a managed, cloud-native firewall service that provides centralized network security. Unlike traditional firewalls, it offers application-level filtering, threat intelligence feeds, and automatic scalability. It's ideal for controlling outbound internet traffic, protecting spoke networks in hub-and-spoke architectures, and implementing network segmentation strategies.

The Security Operations Hub: Microsoft Sentinel

Sentinel is Azure's cloud-native SIEM and SOAR solution—your security operations center in the cloud. It collects security data from across your entire digital estate, uses AI to detect threats, and enables automated response through playbooks. While you pay for data ingestion, Sentinel eliminates traditional SIEM infrastructure costs and complexity.

How They Work Together: A Cohesive Defense

These services aren't isolated tools; they form an integrated security fabric:

  • Azure Policy sets the rules

  • Defender for Cloud monitors compliance and detects threats

  • Azure Firewall controls network traffic

  • Sentinel correlates alerts and orchestrates responses

Strategic Recommendations

  1. Start with governance: Implement Azure Policy early to establish guardrails

  2. Enable visibility: Turn on Defender for Cloud Free immediately in all subscriptions

  3. Protect critical workloads: Use Defender for Cloud Standard for production environments

  4. Scale strategically: Implement Azure Firewall when network segmentation becomes critical

  5. Mature operations: Deploy Sentinel when you need centralized threat management and automated response

Defender vs Security Center: Comparing the Free Tiers

[Image: azure_defender_vs_security_center.png]

Azure Secure Score: Your Cloud Security Report Card

Azure Secure Score is a security metrics dashboard that measures your organization's security posture across Microsoft cloud environments (Azure, Microsoft 365, Dynamics 365, and Power Platform). Think of it as a "security health score" for your cloud environment.

[Image: azure_secure_score_infographic.png]

What It Does:

  1. Measures your security posture against Microsoft's security recommendations

  2. Calculates a percentage score (0-100%) based on implemented security controls

  3. Prioritizes actions to improve your security

  4. Tracks progress over time

How It Works:

  • Assesses your resources against security best practices

  • Awards points for implementing security controls

  • Shows how many points you've earned vs. total possible points

  • Updates continuously as you add resources and implement recommendations

Key Features:

  • Unified view across multiple cloud services

  • Actionable recommendations with step-by-step guidance

  • Comparison against industry averages

  • Progress tracking with historical trends

Why It Matters:

  • Quantifies security in simple numbers

  • Focuses effort on highest-impact improvements

  • Demonstrates progress to leadership and auditors

  • Aligns with industry frameworks like CIS and NIST

Bottom Line: Secure Score transforms complex security configurations into an understandable metric, helping organizations systematically improve their cloud security posture.

A quick view of Sentinel Queries

  1. This query retrieves all Entra ID sign-in logs from the past day, extracts geographic location details (country, state, city) from the structured data, and returns a comprehensive view of authentication events sorted chronologically with key security information including user details, IP addresses, application usage, and risk assessments.

     SigninLogs
     | where TimeGenerated >= ago(1d)
     | extend Country = tostring(LocationDetails.countryOrRegion)
     | extend State = tostring(LocationDetails.state)
     | extend City = tostring(LocationDetails.city)
     | project 
         TimeGenerated,
         UserPrincipalName,
         UserId,
         IPAddress,
         Location,
         Country,
         State,
         City,
         DeviceDetail,
         AppDisplayName,
         ClientAppUsed,
         ResourceDisplayName,
         ResultType,
         ResultDescription,
         ConditionalAccessStatus,
         RiskDetail,
         RiskLevelDuringSignIn
     | sort by TimeGenerated desc
    
  2. This query analyzes failed Entra ID login attempts, filtering for unsuccessful sign-ins (excluding successful ones where ResultType = "0") within the last day. The query retrieves key authentication failure details including timestamp, user identity, source IP address, error codes, descriptions, and geographic location information. The results provide security teams with actionable data to investigate potential brute force attacks, credential stuffing, or compromised account attempts.

     SigninLogs
     | where ResultType != "0"  // 0 = Success
     | where TimeGenerated >= ago(1d)
     | project
         TimeGenerated,
         UserPrincipalName,
         IPAddress,
         ResultType,
         ResultDescription,
         LocationDetails
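
The second query hands an analyst raw failures; the patterns it is meant to surface (one IP hammering one account, one IP trying many accounts, a failure streak followed by a success) still have to be recognised. The following is an added example, not part of the original post, that carries the same ResultType filter into Python over constructed records shaped like the SigninLogs columns used above; the thresholds and the sample data are assumptions.

```python
from collections import defaultdict

def rec(time, user, ip, result):
    # Minimal stand-in for a SigninLogs row; ResultType "0" is success and
    # "50126" is Entra's invalid-username-or-password code.
    return {"TimeGenerated": time, "UserPrincipalName": user,
            "IPAddress": ip, "ResultType": result}

# Constructed sample: one IP hammering alice and finally getting in, one IP
# trying a single password against several accounts, and one normal sign-in.
SAMPLE_SIGNINS = [
    rec("2024-05-01T08:00:00Z", "alice@example.com", "203.0.113.10", "50126"),
    rec("2024-05-01T08:00:05Z", "alice@example.com", "203.0.113.10", "50126"),
    rec("2024-05-01T08:00:10Z", "alice@example.com", "203.0.113.10", "50126"),
    rec("2024-05-01T08:00:15Z", "alice@example.com", "203.0.113.10", "50126"),
    rec("2024-05-01T08:00:20Z", "alice@example.com", "203.0.113.10", "50126"),
    rec("2024-05-01T08:00:25Z", "alice@example.com", "203.0.113.10", "0"),
    rec("2024-05-01T09:00:00Z", "bob@example.com", "198.51.100.7", "50126"),
    rec("2024-05-01T09:00:01Z", "carol@example.com", "198.51.100.7", "50126"),
    rec("2024-05-01T09:00:02Z", "dave@example.com", "198.51.100.7", "50126"),
    rec("2024-05-01T09:30:00Z", "erin@example.com", "192.0.2.5", "0"),
]

def analyze_signins(records, failure_threshold=5, spray_threshold=3):
    """Return brute-force IPs, password-spray IPs and accounts that failed
    from an IP and then succeeded from that same IP. The thresholds are
    assumptions; tune them to the tenant's normal failure rate."""
    failures_by_ip = defaultdict(int)
    users_by_ip = defaultdict(set)
    failed_pairs, compromised = set(), set()
    for r in sorted(records, key=lambda r: r["TimeGenerated"]):
        ip, user = r["IPAddress"], r["UserPrincipalName"]
        if r["ResultType"] != "0":               # same test as the KQL filter
            failures_by_ip[ip] += 1
            users_by_ip[ip].add(user)
            failed_pairs.add((ip, user))
        elif (ip, user) in failed_pairs:         # success after earlier failures
            compromised.add(user)
    return {
        "brute_force_ips": sorted(ip for ip, n in failures_by_ip.items()
                                  if n >= failure_threshold),
        "spray_ips": sorted(ip for ip, users in users_by_ip.items()
                            if len(users) >= spray_threshold),
        "possible_compromise": sorted(compromised),
    }

if __name__ == "__main__":
    print(analyze_signins(SAMPLE_SIGNINS))
```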
    

Azure CIS Recommendations Implementation Guide

Step-by-Step Actions in Azure Portal


1. AZURE VIRTUAL MACHINES: Enable Multi-Factor Authentication (MFA)

Recommendation

Enable Multi-Factor Authentication (MFA) for all user accounts accessing Azure VMs. Enforce strong password policies and implement conditional access policies.

Step-by-Step Implementation

Step 1: Access Microsoft Entra Admin Center

  1. Open the Azure Portal

  2. Search for "Microsoft Entra ID" in the search bar

  3. Click on Microsoft Entra ID from the results

Step 2: Create a Conditional Access Policy

  1. In the Microsoft Entra admin center, navigate to Entra ID > Conditional Access > Overview

  2. Click + Create new policy

  3. Enter a policy name (e.g., "MFA Enforcement Policy")

Step 3: Assign Users or Groups

  1. Under Assignments, select Users or workload identities

  2. Click on What does this policy apply to? and ensure Users and groups is selected

  3. Under Include, choose Select users and groups

  4. Select the users or groups that need MFA (or select All users for organization-wide enforcement)

  5. Click Select

Step 4: Configure Cloud Apps or Actions

  1. Under Cloud apps or actions, select All cloud apps or Select resources

  2. If selecting specific resources, choose Windows Azure Service Management API to apply to Azure portal access

  3. Click Select

Step 5: Set Access Controls

  1. Under Access controls, click on Grant

  2. Select Grant access

  3. Check the box for Require multifactor authentication

  4. Click Select

Step 6: Enable the Policy

  1. Under Enable policy, select On

  2. Click Create to activate the policy

Step 7: Test MFA Implementation

  1. Sign out of the Azure portal

  2. Sign back in with a user account covered by the policy

  3. You should be prompted to complete MFA (phone call, SMS, or authenticator app)

Verification

  • Users will see an MFA prompt when signing into Azure portal

  • Check Conditional Access > Policies to confirm the policy is active

  • Monitor Sign-in logs to verify MFA is being enforced

Impact on Secure Score

Significant improvement - Reduces unauthorized access risks by requiring additional verification
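
The portal clicks in Steps 3 to 6 produce a policy object, and the common ways such a policy silently fails to enforce MFA (left in report-only mode, scoped to a subset of users, or OR-ed with a second control) are visible in that object. The check below is an added example, not part of the original post or of any Microsoft tool; the policy dicts are constructed in the shape Microsoft Graph uses for a conditionalAccessPolicy, and the Azure management application id is a labelled placeholder.

```python
# Constructed policy in the shape Microsoft Graph uses for a
# conditionalAccessPolicy (state, conditions, grantControls); it mirrors
# the portal choices made in Steps 3 to 6 above.
GOOD_POLICY = {
    "displayName": "MFA Enforcement Policy",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
# Report-only mode logs what would happen but enforces nothing.
REPORT_ONLY_POLICY = dict(GOOD_POLICY, state="enabledForReportingButNotEnforced")
# "Require MFA OR compliant device" lets a compliant device skip MFA.
OR_POLICY = dict(GOOD_POLICY, grantControls={
    "operator": "OR", "builtInControls": ["mfa", "compliantDevice"]})

AZURE_MGMT_APP = "<azure-management-app-id>"  # placeholder, not a real app id

def mfa_policy_gaps(policy, mgmt_app_id=AZURE_MGMT_APP):
    """List the ways a policy falls short of 'MFA for everyone reaching Azure'."""
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append(f"state is '{policy.get('state')}', not 'enabled'")
    users = policy.get("conditions", {}).get("users", {})
    if "All" not in users.get("includeUsers", []):
        gaps.append("policy does not include all users")
    if users.get("excludeUsers"):
        gaps.append(f"{len(users['excludeUsers'])} excluded user(s); review each")
    apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
    if "All" not in apps and mgmt_app_id not in apps:
        gaps.append("policy covers neither all cloud apps nor the Azure management API")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        gaps.append("grant controls do not require multifactor authentication")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        gaps.append("MFA is OR-ed with other controls, so sign-in can succeed without it")
    return gaps
```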


2. AZURE STORAGE: Enable Encryption at Rest and in Transit

Recommendation

Enable Encryption at Rest and in Transit. Use HTTPS/TLS 1.2+, enable Storage Service Encryption (SSE), and enforce Azure AD authentication.

Step-by-Step Implementation

Part A: Verify Storage Service Encryption (SSE) is Enabled

Note: Azure Storage encryption is enabled by default for all storage accounts and cannot be disabled. However, you should verify and configure key management.

  1. Open the Azure Portal

  2. Navigate to your Storage Account

  3. In the left menu, go to Security + networking > Encryption

  4. Verify that encryption is enabled (it should show as enabled by default)

  5. For enhanced security, consider using Customer-managed keys instead of Microsoft-managed keys

Part B: Enable HTTPS-Only Access

  1. In your Storage Account, go to Configuration (under Settings)

  2. Find the Secure transfer required setting

  3. Set it to Enabled (this enforces HTTPS/TLS 1.2+)

  4. Click Save

Part C: Configure Azure AD Authentication

  1. In your Storage Account, go to Access control (IAM)

  2. Click + Add > Add role assignment

  3. Select the appropriate role (e.g., Storage Blob Data Contributor or Storage Blob Data Reader)

  4. Under Assign access to, select User, group, or service principal

  5. Search for and select the users or groups that need access

  6. Click Review + assign

Part D: Disable Storage Account Key Access

  1. In your Storage Account, go to Configuration

  2. Find Allow storage account key access

  3. Set it to Disabled (forces use of Azure AD or SAS tokens only)

  4. Click Save

Part E: Enable Infrastructure Encryption (Double Encryption)

For highly sensitive data, enable double encryption:

  1. In your Storage Account, go to Encryption

  2. Check the box for Enable infrastructure encryption

  3. Click Save

Verification

  • Go to Configuration and confirm Secure transfer required is Enabled

  • Check Encryption to confirm encryption is active

  • Attempt to access storage with HTTP (should be blocked)

  • Verify only HTTPS connections are allowed

Impact on Secure Score

Major improvement - Protects data in transit and at rest, improving data protection posture significantly
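
Parts A to E each toggle one property on the storage account, so the same verification can be run over an exported property set instead of by clicking through each blade. The checker below is an added example, not part of the original post; the account dicts are constructed using the ARM property names (supportsHttpsTrafficOnly, minimumTlsVersion, allowSharedKeyAccess, encryption.keySource, encryption.requireInfrastructureEncryption), and the severity labels are this example's own.

```python
# Constructed storage account property sets using the ARM property names;
# the values are this example's own. Confirm the names against the output
# of your own tooling before running this over real accounts.
DEFAULT_ACCOUNT = {
    "name": "stweakexample",
    "supportsHttpsTrafficOnly": False,
    "minimumTlsVersion": "TLS1_0",
    "allowSharedKeyAccess": None,          # unset means shared key access is allowed
    "encryption": {"keySource": "Microsoft.Storage",
                   "requireInfrastructureEncryption": False},
}
HARDENED_ACCOUNT = {
    "name": "sthardenedexample",
    "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "allowSharedKeyAccess": False,
    "encryption": {"keySource": "Microsoft.Keyvault",
                   "requireInfrastructureEncryption": True},
}

def storage_findings(account):
    """Return (severity, message) pairs for each gap against Parts A to E."""
    findings = []
    enc = account.get("encryption", {})
    if account.get("supportsHttpsTrafficOnly") is not True:
        findings.append(("high", "secure transfer required is off (HTTP allowed)"))
    if account.get("minimumTlsVersion") not in ("TLS1_2", "TLS1_3"):
        findings.append(("high", "minimum TLS version is below 1.2"))
    if account.get("allowSharedKeyAccess") is not False:   # None counts as allowed
        findings.append(("medium", "storage account key access is allowed"))
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append(("low", "Microsoft-managed keys; consider customer-managed keys"))
    if not enc.get("requireInfrastructureEncryption"):
        findings.append(("low", "infrastructure (double) encryption not enabled"))
    return findings

def worst_severity(findings):
    """Highest severity present, or 'none' for a clean account."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default="none")
```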


3. AZURE SQL DATABASE: Enable Transparent Data Encryption (TDE)

Recommendation

Enable Transparent Data Encryption (TDE). Configure firewall rules, enable Azure AD authentication, and implement vulnerability assessment.

Step-by-Step Implementation

Step 1: Enable TDE on Your SQL Database

  1. Open the Azure Portal

  2. Navigate to your SQL Database

  3. In the left menu, go to Security > Transparent data encryption

  4. You should see that Data encryption is already On by default

  5. If it's not enabled, click the toggle to On

  6. Click Save

Step 2: Configure TDE Key Management

Option A: Use Service-Managed Keys (Default)

  • TDE is already configured with Microsoft-managed keys

  • No additional action needed

Option B: Use Customer-Managed Keys (Recommended for Sensitive Data)

  1. In Transparent data encryption, look for TDE protector

  2. Select a key from your Azure Key Vault

  3. Click Save

Step 3: Configure SQL Firewall Rules

  1. Navigate to your SQL Server (not the database)

  2. Go to Security > Firewalls and virtual networks

  3. Under Firewall rules, click + Add a firewall rule

  4. Enter a rule name (e.g., "AllowCorporateNetwork")

  5. Set Start IP and End IP to your organization's IP range

  6. Click OK

  7. Disable "Allow Azure services and resources to access this server" if not needed

Step 4: Enable Azure AD Authentication

  1. In your SQL Server, go to Security > Microsoft Entra ID

  2. Click Set admin

  3. Search for and select a user or group to be the SQL admin

  4. Click Select

  5. Click Save

Step 5: Implement SQL Vulnerability Assessment

  1. In your SQL Database, go to Security > Vulnerability Assessment

  2. Click Enable vulnerability assessment

  3. Select or create a Storage Account for storing assessment reports

  4. Click Save

  5. Click Scan to run an initial vulnerability assessment

  6. Review the results and remediate identified vulnerabilities

Step 6: Enable Advanced Threat Protection

  1. In your SQL Database, go to Security > Microsoft Defender for SQL

  2. Click Enable Microsoft Defender for SQL

  3. Configure alert notifications:

    • Go to Alert notifications

    • Add email addresses for security alerts

  4. Click Save

Verification

  • Go to Transparent data encryption and confirm Data encryption is On

  • Check Firewalls and virtual networks to confirm rules are in place

  • Verify Microsoft Entra ID admin is configured

  • Run a Vulnerability Assessment scan to confirm it's working

  • Check Microsoft Defender for SQL is enabled

Impact on Secure Score

Significant improvement - Encrypts database at rest, restricts access, and enables threat detection
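
The firewall step is the one where a single overly wide rule undoes the rest of the section, and Step 3.7's "Allow Azure services" switch is stored as an ordinary rule with both addresses set to 0.0.0.0. The review function below is an added example, not part of the original post or of any Azure tool; the server snapshot is constructed (its dict layout is this example's own, not an Azure API shape) and the maximum rule width is an assumption.

```python
import ipaddress

# Constructed snapshot of a SQL logical server, assembled from the portal
# blades used above; the dict layout is this example's own, not an Azure API
# shape. Azure records "Allow Azure services and resources to access this
# server" as a firewall rule whose start and end address are both 0.0.0.0.
SERVER = {
    "tdeState": "Enabled",
    "entraAdmin": "sql-admins@example.com",
    "defenderForSql": "Enabled",
    "firewallRules": [
        {"name": "AllowCorporateNetwork",
         "startIpAddress": "203.0.113.0", "endIpAddress": "203.0.113.255"},
        {"name": "AllowAllWindowsAzureIps",
         "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
        {"name": "TempDevAccess",
         "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    ],
}

MAX_RULE_WIDTH = 256  # assumption: anything wider than a /24 gets reviewed

def rule_width(rule):
    """Number of IPv4 addresses a firewall rule admits."""
    start = int(ipaddress.IPv4Address(rule["startIpAddress"]))
    end = int(ipaddress.IPv4Address(rule["endIpAddress"]))
    return end - start + 1

def sql_findings(server, max_rule_width=MAX_RULE_WIDTH):
    """Gaps against Steps 1, 3, 4 and 6 above, one string per finding."""
    findings = []
    if server.get("tdeState") != "Enabled":
        findings.append("transparent data encryption is not enabled")
    if not server.get("entraAdmin"):
        findings.append("no Microsoft Entra ID admin is configured")
    if server.get("defenderForSql") != "Enabled":
        findings.append("Microsoft Defender for SQL is not enabled")
    for rule in server.get("firewallRules", []):
        if rule["startIpAddress"] == rule["endIpAddress"] == "0.0.0.0":
            findings.append(f"rule {rule['name']}: allows all Azure services; disable if not needed")
        elif rule_width(rule) > max_rule_width:
            findings.append(f"rule {rule['name']}: admits {rule_width(rule)} addresses")
    return findings
```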


Summary: Expected Improvements to Secure Score

| Recommendation | Before | After | Impact |
|---|---|---|---|
| MFA for VMs | Weak authentication | Strong 2FA/MFA | +15-20 points |
| Storage Encryption | Unencrypted data | Encrypted at rest & transit | +20-25 points |
| SQL TDE + Security | Unencrypted database | Encrypted + firewall + threat detection | +25-30 points |
| Total Expected Improvement | ~45% | ~75-80% | +60-75 points |

Next Steps

  1. Prioritize Implementation: Start with MFA (easiest), then Storage, then SQL

  2. Test Each Change: Verify functionality after each implementation

  3. Monitor Secure Score: Check your score weekly to track improvements

  4. Document Changes: Keep records of all security changes for compliance

  5. Plan Ongoing Maintenance: Schedule regular reviews of security settings

  6. Enable Monitoring: Use Azure Monitor and Log Analytics to track access and changes

  7. Automate these steps with the Azure CLI or PowerShell

