This is a comprehensive list of Microsoft Azure’s primary security controls and services, categorized by their function within the Azure ecosystem.
Like AWS, Microsoft Azure operates on a "Shared Responsibility Model." Microsoft secures the underlying infrastructure (computing, storage, networking, and the physical datacenter), while these controls are the tools customers use to secure their data, applications, and identities within that infrastructure.
Identity and Access Management
These controls manage identities, define access policies, and ensure that only authorized users and devices can access Azure resources.
Microsoft Entra ID (formerly Azure Active Directory): The foundational identity service for Azure. It provides:
User and Group Management: Creating and managing user identities and their organization.
Authentication: Verifying the identity of users and devices.
Authorization (RBAC): Azure Role-Based Access Control (RBAC) allows you to assign specific permissions to users, groups, and service principals for specific Azure resources.
Conditional Access: The most critical identity control in Azure. It allows you to enforce access policies based on specific conditions, such as user location, device state, application, and risk level (e.g., "Require MFA if accessing from outside the corporate network").
Microsoft Entra Multifactor Authentication (MFA): Adds an essential layer of security by requiring two or more verification methods for a single sign-in event.
Microsoft Entra Privileged Identity Management (PIM): Manages, controls, and monitors access to important resources. It provides "just-in-time" (JIT) and "just-enough-access" (JEA) permissions, requiring a justification and approval process for elevated access.
Microsoft Entra Identity Protection: Detects potential identity-based risks and vulnerabilities, allowing administrators to automate the response to detected risks (e.g., blocking access or requiring a password change).
Azure AD B2C (Business-to-Consumer): A customer identity and access management service used for customer-facing applications, allowing users to sign in using social identities (e.g., Facebook, Google) or local accounts.
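The "Require MFA if accessing from outside the corporate network" policy described above, written out as an added example with the Microsoft Graph PowerShell SDK (this is not code from the original article or from Microsoft; it assumes the Microsoft.Graph module is installed, the caller holds the Conditional Access Administrator role, the corporate network is already defined as trusted named locations, and the break-glass group id is a placeholder):

```powershell
# Added example (not from the original article): create the Conditional Access
# policy "require MFA outside trusted locations" via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed, caller is a Conditional Access
# Administrator, trusted named locations already exist, group id is a placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<object-id-of-break-glass-admin-group>"   # placeholder

$policy = @{
    displayName = "Require MFA outside trusted locations"
    # Start in report-only mode: sign-ins are evaluated and logged, but nothing is
    # blocked until the results have been reviewed and the state is set to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # emergency-access accounts are exempt
        }
        applications = @{
            includeApplications = @("All")
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")      # every named location marked "trusted"
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After reviewing the report-only sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Two design choices matter here: the policy is created in report-only state so its impact can be measured in the sign-in logs before it blocks anyone, and a break-glass group is excluded so that a misconfigured policy (or an MFA outage) cannot lock every administrator out of the tenant.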
Network Security
These controls protect the Azure network infrastructure, isolate workloads, and manage traffic flow.
Azure Virtual Network (VNet): The fundamental control for creating isolated network environments in Azure.
Network Security Groups (NSGs): A built-in, stateful firewall control used to filter network traffic to and from Azure resources within a VNet (applied at the subnet or individual network interface level). Rules are evaluated in ascending priority order and the first match wins.
Azure Firewall: A managed, cloud-native network security service that provides stateful inspection, high availability, and unrestricted cloud scalability to protect your VNets. It includes features like application FQDN filtering, network-level rules, and IDPS (Intrusion Detection and Prevention System).
Azure DDoS Protection: A managed service designed to protect your Azure applications from DDoS attacks.
Basic: Automatically enabled for all Azure services at no extra cost, offering basic volumetric attack protection.
Standard (or Network Protection): Provides advanced DDoS mitigation, including dynamic tuning based on application traffic patterns and detailed attack analytics.
Azure Web Application Firewall (WAF): Provides centralized protection for web applications against common exploits and vulnerabilities, such as SQL injection and cross-site scripting (XSS), and also offers bot protection. It can be deployed with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN).
Azure Private Link: Enables you to access Azure PaaS services (like Azure Storage and SQL Database) and Azure-hosted customer/partner services privately from your VNet. The traffic traverses Microsoft’s private network, avoiding the public internet.
Azure Bastion: A fully managed PaaS service that provides secure and seamless RDP (Remote Desktop Protocol) and SSH (Secure Shell) access to virtual machines directly from the Azure portal over TLS, without exposing public IP addresses on the VMs.
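The NSG item above describes subnet-level, priority-ordered filtering; the following added example (not from the original article, and not Microsoft's code) builds an NSG that permits RDP/SSH only from an administrative subnet, denies them from the Internet, allows HTTPS, and attaches the NSG to a workload subnet with the Az.Network module. It assumes the caller is signed in with Connect-AzAccount, and the resource group, VNet, subnet names and address ranges are placeholders constructed for the example.

```powershell
# Added example (not from the original article): NSG with explicit management-port
# rules, associated with a subnet. Assumptions: Az.Network installed, caller signed
# in, and the names/ranges below are placeholders constructed for this example.

$rg        = "rg-example"
$location  = "eastus"
$vnetName  = "vnet-example"
$subnet    = "snet-web"
$adminCidr = "10.0.1.0/24"   # constructed: the subnet administrators connect from

# Rules are evaluated in ascending priority order; the first match wins. The
# built-in default rules (priorities 65000-65500) apply only if nothing matched.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name "Allow-Mgmt-From-Admin-Subnet" -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $adminCidr -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange @("22", "3389")

    New-AzNetworkSecurityRuleConfig -Name "Deny-Mgmt-From-Internet" -Priority 110 `
        -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix Internet -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange @("22", "3389")

    New-AzNetworkSecurityRuleConfig -Name "Allow-HTTPS-From-Internet" -Priority 200 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix Internet -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange "443"
)

$nsg = New-AzNetworkSecurityGroup -Name "nsg-web" -ResourceGroupName $rg `
    -Location $location -SecurityRules $rules

# Associate the NSG with the subnet so it filters every NIC placed in that subnet.
$vnet         = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnetConfig = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $subnetConfig.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review the resulting rule set in evaluation order.
Get-AzNetworkSecurityGroup -Name "nsg-web" -ResourceGroupName $rg |
    Select-Object -ExpandProperty SecurityRules |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

The explicit deny at priority 110 is deliberate even though the default DenyAllInBound rule would eventually block the same traffic: it documents intent, and it survives a later low-effort "allow everything from Internet" rule added at a lower-numbered priority only if that rule is placed above it, which makes such changes visible in review.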
Data Protection
These controls focus on data security at rest (storage), in transit (network), and in use.
Encryption and Key Management
Azure Key Vault: A managed service used to safeguard and control cryptographic keys, secrets, and certificates used by cloud applications and services.
Azure Disk Encryption: Helps encrypt Windows and Linux IaaS virtual machine disks to provide standard, full-disk volume encryption (using BitLocker for Windows and dm-crypt for Linux), with the encryption keys held in Azure Key Vault.
Azure Storage Service Encryption (SSE): Automatically encrypts all data stored in Azure Storage (Blob, File, Table, Queue) using 256-bit AES encryption before persisting it to disk.
Data Governance and Discovery
Azure Information Protection (AIP) and Microsoft Purview: These are broader governance and compliance solutions. They help discover, classify, label, and protect sensitive information across your Azure and on-premises environments.
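As an added example for the Key Vault and encryption items above (not code from the original article or from Microsoft), the following creates a vault with the hardening settings a practitioner wants from the start, restricts its network access, grants an application read-only access through Azure RBAC, and stores a secret with an expiry date. It assumes the Az.KeyVault and Az.Resources modules are installed, the caller is signed in with rights to assign roles on the resource group, and the vault name, resource group, and application object id are placeholders.

```powershell
# Added example (not from the original article): hardened Key Vault setup with
# Az PowerShell. Assumptions: Az.KeyVault/Az.Resources installed, caller signed
# in with role-assignment rights, and the names/ids below are placeholders.

$rg          = "rg-example"
$location    = "eastus"
$vaultName   = "kv-example-<unique-suffix>"             # must be globally unique
$appObjectId = "<object-id-of-app-managed-identity>"    # placeholder

# Azure RBAC instead of legacy vault access policies; purge protection so a
# deleted vault or secret cannot be permanently destroyed before retention ends.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -Sku Standard -EnableRbacAuthorization -EnablePurgeProtection -SoftDeleteRetentionInDays 90

# Deny public network access by default; trusted Azure services still pass, and a
# Private Link endpoint can be added later for the application's VNet.
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -DefaultAction Deny -Bypass AzureServices

# Least privilege: the application may read secret values only. It cannot list
# keys, change vault configuration, or write or delete secrets.
New-AzRoleAssignment -ObjectId $appObjectId -RoleDefinitionName "Key Vault Secrets User" `
    -Scope $vault.ResourceId | Out-Null

# Store a secret with an expiry so rotation is scheduled rather than forgotten.
# The value is read interactively so it never appears in the script or history.
$secretValue = Read-Host -Prompt "Database connection string" -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name "DbConnectionString" -SecretValue $secretValue `
    -ContentType "text/plain" -Expires (Get-Date).AddDays(90) | Out-Null

# Confirm the protective settings took effect.
Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg |
    Select-Object VaultName, EnableRbacAuthorization, EnablePurgeProtection, SoftDeleteRetentionInDays
```

Enabling purge protection is a one-way change (it cannot be turned off once set), which is exactly why it belongs in the creation step: it defends the keys that Azure Disk Encryption and customer-managed storage keys depend on against accidental or malicious permanent deletion.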
Infrastructure and Workload Protection
These controls are designed to protect the underlying compute, storage, and database infrastructure.
Microsoft Defender for Cloud (formerly Azure Security Center): A comprehensive, unified security management system. It serves two primary purposes:
Cloud Security Posture Management (CSPM): Assesses your resource configurations, identifies security misconfigurations, provides a "Secure Score," and gives recommendations based on best practices and standards.
Cloud Workload Protection (CWP): Provides advanced threat protection for specific workloads like VMs (Defender for Servers), containers (Defender for Containers), databases (Defender for SQL), and more.
Update Management: Automates the patching and update process for Windows and Linux virtual machines across Azure and on-premises environments.
Just-In-Time (JIT) VM Access: A feature of Defender for Cloud that minimizes exposure to brute-force attacks by keeping VM management ports (like RDP and SSH) closed and opening them only on request, for a specific source and a limited time window.
Application Security
These controls are designed for protecting web applications and serverless environments.
Azure API Management Security: Helps secure, publish, and manage APIs with features like authentication, authorization, rate limiting, and analytics.
App Service Security: Azure App Service has built-in security features, including HTTPS enforcement, authentication/authorization (using Entra ID or other providers), and integration with Azure WAF and Private Link.
Monitoring, Governance, and Compliance
These controls provide visibility and auditing, and help ensure compliance across the Azure environment.
Azure Activity Log: Records subscription-level events, providing an audit trail of "who did what, when, and where" for Azure Resource Manager (ARM) operations (creating, updating, deleting resources).
Azure Monitor Logs (Log Analytics): Collects and aggregates telemetry data (logs and metrics) from Azure resources, enabling deep analysis, alerting, and security reporting.
Azure Policy: Helps enforce organizational standards and assess compliance at scale. It allows you to create policy definitions to restrict the creation of non-compliant resources (e.g., "All virtual machines must be in a specific region").
Microsoft Sentinel (SIEM/SOAR): A cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. It collects data from various sources (Azure, on-premises, other clouds), uses AI to detect threats, and automates incident response.
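The Azure Policy example quoted above ("all virtual machines must be in a specific region") is generalized here, as an added example that is not from the original article or from Microsoft, to a deny rule covering every resource type, defined and assigned with Az.Resources and then queried for non-compliant resources with Az.PolicyInsights. It assumes the caller is signed in with Resource Policy Contributor rights at subscription scope, and the subscription id and region list are placeholders.

```powershell
# Added example (not from the original article): define, assign and check an
# "approved regions" policy. Assumptions: caller signed in with Resource Policy
# Contributor rights; subscription id and region list are placeholders.

$subscriptionId = "<subscription-id>"   # placeholder
$scope = "/subscriptions/$subscriptionId"

# Policy rule: deny any resource whose location is not in the allowed list.
# "global" resources and B2C directories have no meaningful region, so they are exempted.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" },
      { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# The region list is a parameter so the same definition can be assigned with
# different values per subscription or management group.
$parameters = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  }
}
'@

$definition = New-AzPolicyDefinition -Name "deny-unapproved-locations" `
    -DisplayName "Resources must be deployed to approved regions" `
    -Policy $rule -Parameter $parameters -Mode All

# Assign at subscription scope with the concrete region list.
$assignment = New-AzPolicyAssignment -Name "approved-regions" `
    -DisplayName "Approved regions (production)" `
    -PolicyDefinition $definition -Scope $scope `
    -PolicyParameterObject @{ allowedLocations = @("eastus", "westus2") }

# "deny" blocks new or updated deployments only; resources that already exist in
# other regions are reported as non-compliant, not removed. Trigger an evaluation
# and list what the assignment flags.
Start-AzPolicyComplianceScan -SubscriptionId $subscriptionId
Get-AzPolicyState -SubscriptionId $subscriptionId -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Format-Table ResourceId, ResourceLocation, ComplianceState
```

Compliance results also flow into Azure Activity Log (every denied deployment is recorded as a failed write with the policy as the reason) and can be forwarded to Log Analytics or Microsoft Sentinel, which ties this control back to the monitoring services listed above.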