# Azure Security Services: How Do They Compare?

Navigating Microsoft Azure's security ecosystem can be overwhelming. This guide cuts through the complexity to explain the core services that form a comprehensive cloud security and governance framework.

### **The Governance Loop:**

* **Azure Policy** - Governance & Compliance (Always free) → **Azure Firewall** - Network Protection (No free tier) → **Azure Defender** - Threat Detection (30-day free trial) → **Azure Security Center** - Centralized Monitoring (Free basic features) → **Azure Sentinel** - SIEM & SOAR (Pay-per-use)
    

![azure_security_infographic.png](https://private-us-east-1.manuscdn.com/sessionFile/aGcaIB73EWyrxcWZxcp4gn/sandbox/7WKdABDsM5kr5xKFfQdHMO_1765001897022_na1fn_L2hvbWUvdWJ1bnR1L2F6dXJlX3NlY3VyaXR5X2luZm9ncmFwaGlj.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9wcml2YXRlLXVzLWVhc3QtMS5tYW51c2Nkbi5jb20vc2Vzc2lvbkZpbGUvYUdjYUlCNzNFV3lyeGNXWnhjcDRnbi9zYW5kYm94LzdXS2RBQkRzTTVrcjV4S0ZmUWRITU9fMTc2NTAwMTg5NzAyMl9uYTFmbl9MMmh2YldVdmRXSjFiblIxTDJGNmRYSmxYM05sWTNWeWFYUjVYMmx1Wm05bmNtRndhR2xqLnBuZyIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTc5ODc2MTYwMH19fV19&Key-Pair-Id=K2HSFNDJXOU9YS&Signature=I1-BpOEfOsoJn8PspBSJ2Ib5~EdzhLlDkHRaGXKiYtMB4le~mlGz8OTIj5WaramE0n-IPJY23YycUZQYLzk9I5J-kc8wYppWXTNqnUne5D3iwVx7ktZBdftYYle2hn5K6yI3cJi1ykdHrXN~2Y4O2XF5lmTWiqn0BM-6h-ZHqHl6r5wzaXU-Af0inapRLN4XtoxCoeoT48YQGE3FVXds18dIDJxwYKCHLfMShi3zcAt8YM1CmCcYOWA0cHG0gMbGV8Ea89Z2DJ-lqzxf31IggCIdabk09QUXDXjOaqeDoEQbAptj~Zsk0zmcw5xsugD-JERnSpBRo8oLLjzqYR0-Pw__ align="left")

## **The Foundation: Azure Policy**

Think of Azure Policy as your cloud rulebook. It's a **free governance service** that automatically enforces standards across your Azure environment. Whether it's ensuring all storage accounts are encrypted, restricting VM sizes to control costs, or mandating resource tagging for finance tracking—Azure Policy makes compliance proactive, not reactive. It's your first line of defense in establishing guardrails.

## **Your Security Dashboard: Microsoft Defender for Cloud**

Formerly Azure Security Center, this is your **centralized security command center**. The free tier provides continuous security assessment and actionable recommendations (your "secure score"). Upgrade to the paid Standard tier for **advanced threat protection** across virtual machines, containers, SQL databases, and more. It's essential for maintaining security posture and meeting compliance requirements.

## **The Intelligent Shield: Microsoft Defender for Cloud (Workload Protection)**

This is the **advanced threat detection component** within Defender for Cloud. It provides real-time protection against attacks, using behavioral analytics and threat intelligence to detect suspicious activity. Think of it as antivirus and intrusion detection built for the cloud era, protecting your workloads wherever they reside—Azure, on-premises, or even other clouds.

## **The Network Gatekeeper: Azure Firewall**

Azure Firewall is a **managed, cloud-native firewall service** that provides centralized network security. Unlike traditional firewalls, it offers application-level filtering, threat intelligence feeds, and automatic scalability. It's ideal for controlling outbound internet traffic, protecting spoke networks in hub-and-spoke architectures, and implementing network segmentation strategies.

## **The Security Operations Hub: Microsoft Sentinel**

Sentinel is Azure's **cloud-native SIEM and SOAR solution**—your security operations center in the cloud. It collects security data from across your entire digital estate, uses AI to detect threats, and enables automated response through playbooks. While you pay for data ingestion, Sentinel eliminates traditional SIEM infrastructure costs and complexity.

## **How They Work Together: A Cohesive Defense**

These services aren't isolated tools; they form an integrated security fabric:

* **Azure Policy** sets the rules
    
* **Defender for Cloud** monitors compliance and detects threats
    
* **Azure Firewall** controls network traffic
    
* **Sentinel** correlates alerts and orchestrates responses
    

## **Strategic Recommendations**

1. **Start with governance**: Implement Azure Policy early to establish guardrails
    
2. **Enable visibility**: Turn on Defender for Cloud Free immediately in all subscriptions
    
3. **Protect critical workloads**: Use Defender for Cloud Standard for production environments
    
4. **Scale strategically**: Implement Azure Firewall when network segmentation becomes critical
    
5. **Mature operations**: Deploy Sentinel when you need centralized threat management and automated response
    

## Defender vs Security Center Comparing the *Free* Tiers

![azure_defender_vs_security_center.png](https://private-us-east-1.manuscdn.com/sessionFile/aGcaIB73EWyrxcWZxcp4gn/sandbox/BXRPidSxDCf2XG5Joj8y6b_1765004417390_na1fn_L2hvbWUvdWJ1bnR1L2F6dXJlX2RlZmVuZGVyX3ZzX3NlY3VyaXR5X2NlbnRlcg.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9wcml2YXRlLXVzLWVhc3QtMS5tYW51c2Nkbi5jb20vc2Vzc2lvbkZpbGUvYUdjYUlCNzNFV3lyeGNXWnhjcDRnbi9zYW5kYm94L0JYUlBpZFN4RENmMlhHNUpvajh5NmJfMTc2NTAwNDQxNzM5MF9uYTFmbl9MMmh2YldVdmRXSjFiblIxTDJGNmRYSmxYMlJsWm1WdVpHVnlYM1p6WDNObFkzVnlhWFI1WDJObGJuUmxjZy5wbmciLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE3OTg3NjE2MDB9fX1dfQ__&Key-Pair-Id=K2HSFNDJXOU9YS&Signature=ff0tV19d6aKBWy1Ez4YGo-~DW88gEMoktiOxqXQsPQTXCXQp5LxuGBbZNrjjBZidY-oSumGjfogs4WtvcM-xD5e9d~Z0xGkWnFFE1Ro8febo3BrhwqnXQRHaWWX7pzOO73VHFXWf6IEvhhVpBkaxOpjJo4b-qwJLUipodnoi~k~aWdZOU0vUTxapqQulHQ4Mf0dSq1vpQEjbKMgQFE9NQVVR63S9iI21Ku8lV0u-SdMi1WWfbj8GNuAo~OhdzShy-pTP3OcSeIWnaKzVkA~Z6Nxhv~v~ELLXZGPvPKlM7Vgaqtm74cjJZAbd4TMPSdun1S~Eh4XQw2vhvbzaSvy0uA__ align="left")

# **Azure Secure Score: Your Cloud Security Report Card**

**Azure Secure Score** is a **security metrics dashboard** that measures your organization's security posture across Microsoft cloud environments (Azure, Microsoft 365, Dynamics 365, and Power Platform). Think of it as a **"security health score"** for your cloud environment.

![azure_secure_score_infographic.png](https://private-us-east-1.manuscdn.com/sessionFile/aGcaIB73EWyrxcWZxcp4gn/sandbox/VcMaDwDFsyakyksYZWqwL0_1765005155719_na1fn_L2hvbWUvdWJ1bnR1L2F6dXJlX3NlY3VyZV9zY29yZV9pbmZvZ3JhcGhpYw.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9wcml2YXRlLXVzLWVhc3QtMS5tYW51c2Nkbi5jb20vc2Vzc2lvbkZpbGUvYUdjYUlCNzNFV3lyeGNXWnhjcDRnbi9zYW5kYm94L1ZjTWFEd0RGc3lha3lrc1laV3F3TDBfMTc2NTAwNTE1NTcxOV9uYTFmbl9MMmh2YldVdmRXSjFiblIxTDJGNmRYSmxYM05sWTNWeVpWOXpZMjl5WlY5cGJtWnZaM0poY0docFl3LnBuZyIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTc5ODc2MTYwMH19fV19&Key-Pair-Id=K2HSFNDJXOU9YS&Signature=FHumyEX7ismJYsei0QYQzUMkI~DivvAN4nLG-~oXrTYIqWXem3WqK4QEE-eqOXa6HRV5IbxmLfp8mXB-~PA2808EyCRS~Mkqe4NGooIw3~PjD6tqwkCfEI7peTX3YXlFopJpMTqQ5cCxUUVA8ZkEBPFxHc9dTvf9qXX501-iXQtcLjgx31iissjbjDoEMPXueoh6Zokrq8XThEhMa9Sq5JqPcFii8FV8Nwro1o87ZJE39xwYug2siXWO0yRzj3B~gbKSZC5owbs0vbnvmEAOZl4h013HYgvUx7BEdXQOzp92~q6RRdEsqzDfWeupe7GqtkHqo-9DLJhvQYAQ05RIVw__ align="left")

## **What It Does:**

1. **Measures** your security posture against Microsoft's security recommendations
    
2. **Calculates** a percentage score (0-100%) based on implemented security controls
    
3. **Prioritizes** actions to improve your security
    
4. **Tracks progress** over time
    

## **How It Works:**

* **Assesses** your resources against security best practices
    
* **Awards points** for implementing security controls
    
* **Shows** how many points you've earned vs. total possible points
    
* **Updates continuously** as you add resources and implement recommendations
    

## **Key Features:**

* **Unified view** across multiple cloud services
    
* **Actionable recommendations** with step-by-step guidance
    
* **Comparison** against industry averages
    
* **Progress tracking** with historical trends
    

## **Why It Matters:**

* **Quantifies** security in simple numbers
    
* **Focuses effort** on highest-impact improvements
    
* **Demonstrates progress** to leadership and auditors
    
* **Aligns** with industry frameworks like CIS and NIST
    

**Bottom Line:** Secure Score transforms complex security configurations into an understandable metric, helping organizations systematically improve their cloud security posture.

## A quick view of Sentinel Queries

1. This query **retrieves all Entra ID sign-in logs** from the past day, extracts geographic location details (country, state, city) from the structured data, and returns a comprehensive view of authentication events sorted chronologically with key security information including user details, IP addresses, application usage, and risk assessments.
    
    ```typescript
    SigninLogs
    | where TimeGenerated >= ago(1d)
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | extend State = tostring(LocationDetails.state)
    | extend City = tostring(LocationDetails.city)
    | project 
        TimeGenerated,
        UserPrincipalName,
        UserId,
        IPAddress,
        Location,
        Country,
        State,
        City,
        DeviceDetail,
        AppDisplayName,
        ClientAppUsed,
        ResourceDisplayName,
        ResultType,
        ResultDescription,
        ConditionalAccessStatus,
        RiskDetail,
        RiskLevelDuringSignIn
    | sort by TimeGenerated desc
    ```
    
2. This query **analyzes failed Entra ID login attempts, filtering for unsuccessful sign-ins (excluding successful ones where ResultType = "0"**) within the last day. The query retrieves key authentication failure details including timestamp, user identity, source IP address, error codes, descriptions, and geographic location information. The results provide security teams with actionable data to investigate potential brute force attacks, credential stuffing, or compromised account attempts.
    
    ```typescript
    SigninLogs
    | where ResultType != "0"  // 0 = Success
    | where TimeGenerated >= ago(1d)
    | project
        TimeGenerated,
        UserPrincipalName,
        IPAddress,
        ResultType,
        ResultDescription,
        LocationDetails
    ```
    

## Azure CIS Recommendations Implementation Guide

## Step-by-Step Actions in Azure Portal

---

## 1\. AZURE VIRTUAL MACHINES: Enable Multi-Factor Authentication (MFA)

### Recommendation

Enable Multi-Factor Authentication (MFA) for all user accounts accessing Azure VMs. Enforce strong password policies and implement conditional access policies.

### Step-by-Step Implementation

#### **Step 1: Access Microsoft Entra Admin Center**

1. Open the [Azure Portal](https://portal.azure.com)
    
2. Search for **"Microsoft Entra ID"** in the search bar
    
3. Click on **Microsoft Entra ID** from the results
    

#### **Step 2: Create a Conditional Access Policy**

1. In the Microsoft Entra admin center, navigate to **Entra ID** &gt; **Conditional Access** &gt; **Overview**
    
2. Click **\+ Create new policy**
    
3. Enter a policy name (e.g., "MFA Enforcement Policy")
    

#### **Step 3: Assign Users or Groups**

1. Under **Assignments**, select **Users or workload identities**
    
2. Click on **What does this policy apply to?** and ensure **Users and groups** is selected
    
3. Under **Include**, choose **Select users and groups**
    
4. Select the users or groups that need MFA (or select **All users** for organization-wide enforcement)
    
5. Click **Select**
    

#### **Step 4: Configure Cloud Apps or Actions**

1. Under **Cloud apps or actions**, select **All cloud apps** or **Select resources**
    
2. If selecting specific resources, choose **Windows Azure Service Management API** to apply to Azure portal access
    
3. Click **Select**
    

#### **Step 5: Set Access Controls**

1. Under **Access controls**, click on **Grant**
    
2. Select **Grant access**
    
3. Check the box for **Require multifactor authentication**
    
4. Click **Select**
    

#### **Step 6: Enable the Policy**

1. Under **Enable policy**, select **On**
    
2. Click **Create** to activate the policy
    

#### **Step 7: Test MFA Implementation**

1. Sign out of the Azure portal
    
2. Sign back in with a user account covered by the policy
    
3. You should be prompted to complete MFA (phone call, SMS, or authenticator app)
    

### Verification

* Users will see an MFA prompt when signing into Azure portal
    
* Check **Conditional Access** &gt; **Policies** to confirm the policy is active
    
* Monitor **Sign-in logs** to verify MFA is being enforced
    

### Impact on Secure Score

✅ **Significant improvement** - Reduces unauthorized access risks by requiring additional verification

---

## 2\. AZURE STORAGE: Enable Encryption at Rest and in Transit

### Recommendation

Enable Encryption at Rest and in Transit. Use HTTPS/TLS 1.2+, enable Storage Service Encryption (SSE), and enforce Azure AD authentication.

### Step-by-Step Implementation

#### **Part A: Verify Storage Service Encryption (SSE) is Enabled**

**Note:** Azure Storage encryption is **enabled by default** for all storage accounts and cannot be disabled. However, you should verify and configure key management.

1. Open the [Azure Portal](https://portal.azure.com)
    
2. Navigate to your **Storage Account**
    
3. In the left menu, go to **Security + networking** &gt; **Encryption**
    
4. Verify that encryption is enabled (it should show as enabled by default)
    
5. For enhanced security, consider using **Customer-managed keys** instead of Microsoft-managed keys
    

#### **Part B: Enable HTTPS-Only Access**

1. In your Storage Account, go to **Configuration** (under Settings)
    
2. Find the **Secure transfer required** setting
    
3. Set it to **Enabled** (this enforces HTTPS/TLS 1.2+)
    
4. Click **Save**
    

#### **Part C: Configure Azure AD Authentication**

1. In your Storage Account, go to **Access control (IAM)**
    
2. Click **\+ Add** &gt; **Add role assignment**
    
3. Select the appropriate role (e.g., **Storage Blob Data Contributor** or **Storage Blob Data Reader**)
    
4. Under **Assign access to**, select **User, group, or service principal**
    
5. Search for and select the users or groups that need access
    
6. Click **Review + assign**
    

#### **Part D: Disable Shared Key Access (Optional but Recommended)**

1. In your Storage Account, go to **Configuration**
    
2. Find **Allow storage account key access**
    
3. Set it to **Disabled** (forces use of Azure AD or SAS tokens only)
    
4. Click **Save**
    

#### **Part E: Enable Infrastructure Encryption (Double Encryption)**

For highly sensitive data, enable double encryption:

1. In your Storage Account, go to **Encryption**
    
2. Check the box for **Enable infrastructure encryption**
    
3. Click **Save**
    

### Verification

* Go to **Configuration** and confirm **Secure transfer required** is **Enabled**
    
* Check **Encryption** to confirm encryption is active
    
* Attempt to access storage with HTTP (should be blocked)
    
* Verify only HTTPS connections are allowed
    

### Impact on Secure Score

✅ **Major improvement** - Protects data in transit and at rest, improving data protection posture significantly

---

## 3\. AZURE SQL DATABASE: Enable Transparent Data Encryption (TDE)

### Recommendation

Enable Transparent Data Encryption (TDE). Configure firewall rules, enable Azure AD authentication, and implement vulnerability assessment.

### Step-by-Step Implementation

#### **Step 1: Enable TDE on Your SQL Database**

1. Open the [Azure Portal](https://portal.azure.com)
    
2. Navigate to your **SQL Database**
    
3. In the left menu, go to **Security** &gt; **Transparent data encryption**
    
4. You should see that **Data encryption** is already **On** by default
    
5. If it's not enabled, click the toggle to **On**
    
6. Click **Save**
    

#### **Step 2: Configure TDE Key Management**

**Option A: Use Service-Managed Keys (Default)**

* TDE is already configured with Microsoft-managed keys
    
* No additional action needed
    

**Option B: Use Customer-Managed Keys (Recommended for Sensitive Data)**

1. In **Transparent data encryption**, look for **TDE protector**
    
2. Select a key from your **Azure Key Vault**
    
3. Click **Save**
    

#### **Step 3: Configure SQL Firewall Rules**

1. Navigate to your **SQL Server** (not the database)
    
2. Go to **Security** &gt; **Firewalls and virtual networks**
    
3. Under **Firewall rules**, click **\+ Add a firewall rule**
    
4. Enter a rule name (e.g., "AllowCorporateNetwork")
    
5. Set **Start IP** and **End IP** to your organization's IP range
    
6. Click **OK**
    
7. **Disable** "Allow Azure services and resources to access this server" if not needed
    

#### **Step 4: Enable Azure AD Authentication**

1. In your **SQL Server**, go to **Security** &gt; **Microsoft Entra ID**
    
2. Click **Set admin**
    
3. Search for and select a user or group to be the SQL admin
    
4. Click **Select**
    
5. Click **Save**
    

#### **Step 5: Implement SQL Vulnerability Assessment**

1. In your **SQL Database**, go to **Security** &gt; **Vulnerability Assessment**
    
2. Click **Enable vulnerability assessment**
    
3. Select or create a **Storage Account** for storing assessment reports
    
4. Click **Save**
    
5. Click **Scan** to run an initial vulnerability assessment
    
6. Review the results and remediate identified vulnerabilities
    

#### **Step 6: Enable Advanced Threat Protection**

1. In your **SQL Database**, go to **Security** &gt; **Microsoft Defender for SQL**
    
2. Click **Enable Microsoft Defender for SQL**
    
3. Configure alert notifications:
    
    * Go to **Alert notifications**
        
    * Add email addresses for security alerts
        
4. Click **Save**
    

### Verification

* Go to **Transparent data encryption** and confirm **Data encryption** is **On**
    
* Check **Firewalls and virtual networks** to confirm rules are in place
    
* Verify **Microsoft Entra ID** admin is configured
    
* Run a **Vulnerability Assessment** scan to confirm it's working
    
* Check **Microsoft Defender for SQL** is enabled
    

### Impact on Secure Score

✅ **Significant improvement** - Encrypts database at rest, restricts access, and enables threat detection

---

## Summary: Expected Improvements to Secure Score

| Recommendation | Before | After | Impact |
| --- | --- | --- | --- |
| **MFA for VMs** | Weak authentication | Strong 2FA/MFA | +15-20 points |
| **Storage Encryption** | Unencrypted data | Encrypted at rest & transit | +20-25 points |
| **SQL TDE + Security** | Unencrypted database | Encrypted + firewall + threat detection | +25-30 points |
| **Total Expected Improvement** | ~45% | ~75-80% | +60-75 points |

---

## Next Steps

1. **Prioritize Implementation:** Start with MFA (easiest), then Storage, then SQL
    
2. **Test Each Change:** Verify functionality after each implementation
    
3. **Monitor Secure Score:** Check your score weekly to track improvements
    
4. **Document Changes:** Keep records of all security changes for compliance
    
5. **Plan Ongoing Maintenance:** Schedule regular reviews of security settings
    
6. **Enable Monitoring:** Use Azure Monitor and Log Analytics to track access and changes
    
7. Automate these steps with the AzureCLI or Powershell
    

---
