I’ve spent the last decade hardening Azure estates across regulated enterprises and fast-moving startups. This 2025 guide distills what actually reduces risk in Azure right now—mapped to what Microsoft ships today—with pragmatic moves you can execute this quarter.

Executive summary (for busy leaders):
- Enforce phishing-resistant identity (Entra ID + Conditional Access + passkeys, PIM/JIT).
- Make networks private by default (Private Link, deny public access on PaaS, DDoS Standard).
- Encrypt and isolate sensitive data (Key Vault/HSM, confidential VMs).
- Log once, analyze everywhere (Sentinel Data Lake + Defender for Cloud).
- Shift left on AKS/serverless and the software supply chain.
- Codify guardrails (Policy/Initiatives at management-group level).
- Protect backups with immutability.
What’s new for 2025 (why this matters)
- Microsoft Sentinel Data Lake (Public Preview) brings a purpose-built, low-cost security data lake inside Sentinel and the Defender portal, enabling long-term retention and AI-assisted analytics without exploding SIEM costs. Rollout and RBAC are documented and live.
- Defender for Cloud: refined Attack Paths now prioritize externally exploitable, business-impacting chains so you fix what attackers would actually use (June 30 and September 2025 release notes).
- NSG Flow Logs retirement: use VNet Flow Logs for network analytics going forward (Network Watcher). Plan migrations now.
- TLS deprecations: Application Gateway requires TLS 1.2+ by Aug 31, 2025; Storage moves to a TLS 1.2 minimum (enforcement timeline published). Set minimum TLS versions everywhere.
- Entra passkeys and strong auth are available in Microsoft Entra ID; use them to reduce phishing risk and MFA fatigue.
1) Identity & Access: Make compromise hard
Non-negotiables
- MFA everywhere, phishing-resistant by default (FIDO2/passkeys in Entra ID), short-lived tokens, device posture via Conditional Access.
- Just-in-time admin via PIM (no standing Global Admins). Require approval, reason, and ticket, and enforce time-bound elevation.
- Risk-adaptive policies with Entra ID Protection (block high-risk sign-ins; require re-auth/remediation for user risk).
- Least privilege and review: access reviews for high-risk roles; minimize Owner/User Access Administrator at subscription scope.
Zero-trust access to private apps
- Microsoft Entra Private Access (Global Secure Access) gives VPN-less, per-app access with identity-centric policies to your private resources; use it to modernize internal web access.
2) Network Security: Private paths first, internet last
- Shut public doors on PaaS: deny/disable public network access and use Private Link for Storage/SQL and other services. Microsoft's policy initiatives and service docs back this pattern, and SQL now defaults to "Public network access: Disable".
- Use VNet Flow Logs (not NSG Flow Logs) for traffic analytics; plan transitions ahead of retirement dates.
- Edge protections: Standard WAF (Front Door/App GW) + DDoS Protection Standard for internet-facing zones; set TLS 1.2+ on front doors and application gateways.
- Centralize rules with Azure Virtual Network Manager security admin rules; treat them as org guardrails for east-west controls.
Bicep example — Storage with private-first settings
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'opschronicleprodsa'
  location: resourceGroup().location
  kind: 'StorageV2'
  sku: { name: 'Standard_GRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    publicNetworkAccess: 'Disabled'
    allowBlobPublicAccess: false
  }
}
(Enforce with Policy at the management group; require Private Endpoints per service.)
3) Data Protection & Crypto: Encrypt, isolate, prove
- Encryption at rest is on by default for Azure Storage; still enforce key hygiene, minimum TLS versions, and private endpoints.
- Key lifecycle: use Key Vault or Managed HSM for sensitive keys/secrets; rotate automatically and restrict access via private endpoints and RBAC/ACL (see the MCSB baselines).
- Confidential computing: evaluate Azure confidential VMs (AMD SEV-SNP / Intel TDX) for regulated workloads needing memory encryption and attestation.
4) Logging, Detection & Response: Evidence before alerts
- Microsoft Sentinel Data Lake (Preview) for long-term, low-cost retention and AI-ready analytics; onboarding and unified RBAC are live. Keep hot analytics in workspaces; offload cold data to the lake.
- Defender for Cloud: turn on Defender CSPM plans, enable Attack Path analysis to prioritize exploitable chains, and track against the Microsoft Cloud Security Benchmark (MCSB) in the Regulatory Compliance dashboard.
- Azure Monitor/AMA only: the old Log Analytics agent is retired. Use Azure Monitor Agent + Data Collection Rules and stop deploying MMA extensions.
5) Compute, Containers & Serverless: From build to runtime
VMs & images
- Harden with baseline policies; monitor with Defender for Cloud (agentless where available) and DCR-based AMA collection.
Containers & AKS
- Prefer Workload Identity (OIDC federation) over pod identity; use Azure Policy for AKS, restrict public services, and enable Defender for Cloud (containers) for vulnerability and runtime signals.
Serverless
- Lock Function Apps behind Private Endpoints, set minimum TLS 1.2, and restrict outbound traffic. Use Defender for Cloud signals, via Defender for Cloud Apps, to spot anomalous activity.
6) Storage Security: Stop data exfil and malware
- Network rules: only selected VNets/IPs; prefer Private Endpoints; avoid "Allow public access from all networks".
- Malware scanning for Blob with Microsoft Defender for Storage: on-upload and on-demand scanning (filters GA in 2025); note file size and service-type limits. Pair with sensitive data threat detection to prioritize impactful alerts.
7) Backups & Recovery: Assume ransomware
- Immutable vaults (WORM) + Always-on Soft Delete for Recovery Services/Backup vaults. Lock immutability when ready; understand that locking is irreversible by design.
8) Governance at Scale: Policy > after-the-fact fixes
- Adopt the Microsoft Cloud Security Benchmark as your north star; assign its built-in Policy Initiative at the management-group level, not subscription by subscription.
High-value policy controls to roll out org-wide
- Deny public network access for Azure SQL/MySQL/PostgreSQL (enforce Private Link).
- App/edge TLS minimum versions set to 1.2+ (App Service, App GW).
- Storage: minimum TLS 1.2, allowBlobPublicAccess = false, and require Private Endpoints.
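The storage settings from the Bicep example in section 2 and the storage policy controls above are easy to assert on existing accounts before a Deny policy lands. The following audit script is an added example, not code from this guide or from Microsoft: it reads `az storage account list -o json` output (field names are an assumption based on the CLI's camelCase output) and reports each account's deviations from the private-first baseline. It also checks the firewall default action from section 6, which a Bicep template alone does not surface.

```python
import json
import sys

# Constructed sample shaped like `az storage account list -o json`, trimmed to the
# fields checked below (field names assumed from the CLI output; accounts are not real).
SAMPLE_ACCOUNTS = json.loads("""[
  {"name": "privatesa", "minimumTlsVersion": "TLS1_2", "publicNetworkAccess": "Disabled",
   "allowBlobPublicAccess": false, "networkRuleSet": {"defaultAction": "Deny"},
   "privateEndpointConnections": [{"name": "pe-blob"}]},
  {"name": "firewalledsa", "minimumTlsVersion": "TLS1_2", "publicNetworkAccess": "Enabled",
   "allowBlobPublicAccess": false, "networkRuleSet": {"defaultAction": "Deny"},
   "privateEndpointConnections": [{"name": "pe-blob"}]},
  {"name": "legacysa", "minimumTlsVersion": "TLS1_0", "publicNetworkAccess": "Enabled",
   "allowBlobPublicAccess": true, "networkRuleSet": {"defaultAction": "Allow"},
   "privateEndpointConnections": []}
]""")

TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}


def audit_account(acct):
    """Return baseline violations for one account (an empty list means compliant)."""
    findings = []
    # A missing or unknown value is treated as non-compliant rather than trusted.
    if TLS_RANK.get(acct.get("minimumTlsVersion", "TLS1_0"), 0) < TLS_RANK["TLS1_2"]:
        findings.append("minimumTlsVersion below TLS1_2")
    if acct.get("allowBlobPublicAccess", True):
        findings.append("anonymous blob access allowed")
    if acct.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("publicNetworkAccess not Disabled")
        # Worst case: the public endpoint answers to every network, not just listed ones.
        if acct.get("networkRuleSet", {}).get("defaultAction") != "Deny":
            findings.append("firewall default action allows all networks")
    if not acct.get("privateEndpointConnections"):
        findings.append("no private endpoint attached")
    return findings


def audit(accounts):
    """Map account name -> findings so a pipeline can gate on the result."""
    return {a["name"]: audit_account(a) for a in accounts}


if __name__ == "__main__":
    # Real data: az storage account list -o json | python storage_audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ACCOUNTS
    results = audit(data)
    for name, issues in results.items():
        print(name, "OK" if not issues else "; ".join(issues))
    sys.exit(1 if any(results.values()) else 0)
```

The non-zero exit on any finding makes the script usable as a pipeline gate until the equivalent Deny policies are assigned at the management group.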
30-Day Azure Hardening Plan (ship this in sprints)
Week 1 — Identity & guardrails
- Enforce PIM on all privileged roles; remove standing Global Admin.
- Enable passkeys/FIDO2 for admins; Conditional Access baseline (block legacy auth, require compliant devices for admins).
Week 2 — Network & data exposure
- Set Public network access = Disabled on SQL/Storage where Private Endpoints exist; create Private Endpoints for gaps.
- Enable DDoS Protection Standard for internet-facing VNets; confirm WAF rules on Front Door/App GW; set TLS 1.2+.
Week 3 — Logging & detection
- Onboard to Sentinel Data Lake (Preview) for long retention; keep hot analytics in workspaces.
- In Defender for Cloud, enable Attack Paths and align to MCSB in Regulatory Compliance.
Week 4 — Workload & data hardening
- Enable Defender for Storage (on-upload scanning + sensitive-data awareness).
- AKS: enforce Workload Identity, lock public services, and enable Defender for Cloud for containers.
- Backups: turn on Immutable vaults and Always-on Soft Delete for critical tiers.
Reference snippets
Azure Policy initiative (excerpt) — disable public network access on Azure SQL
{
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
  "parameters": { "effect": { "value": "Deny" } }
}
(Assign at the management group for consistent coverage.)
App Service — enforce TLS 1.2 minimum
Azure portal → App Service → TLS/SSL settings → Minimum TLS = 1.2. Automate with Policy where possible.
Service-by-service quick hits (2025)
- Entra ID: passkeys + Conditional Access + PIM + ID Protection risk policies.
- Networking: Private Link over public endpoints; migrate to VNet Flow Logs.
- Storage: Private Endpoints, minimum TLS 1.2, Defender for Storage malware scanning + sensitive data detection.
- AKS: Workload Identity; Policy add-ons; Defender for Cloud containers.
- Monitoring: AMA + DCRs; avoid legacy MMA.
- SIEM/SOAR: Sentinel Data Lake for retention; unify in the Defender portal.
- Backups: Immutable vaults (locked) + Always-on Soft Delete.
FAQ
Is Azure Storage “secure by default” now?
Encryption at rest is on by default, but exposure usually comes from network paths. Use Private Endpoints, restrict firewalls, and enforce minimum TLS versions. Add Defender for Storage for malware and sensitive-data-aware alerts.
Should we move to Microsoft Sentinel Data Lake now?
If you're struggling with retention costs, yes: pilot it. It's in Public Preview; keep high-signal, near-real-time analytics in workspaces and use the data lake for long-term/forensic datasets.
Do we still need VPNs if we deploy Entra Private Access?
Often not for internal web apps. Entra Private Access enforces identity-centric, per-app access without a network-level tunnel. Keep VPNs for non-HTTP protocols and legacy systems.
What about TLS deadlines?
Application Gateway enforces TLS 1.2+ from Aug 31, 2025. Azure Storage (Blob) moves to a TLS 1.2 minimum per Microsoft's published timeline; upgrade clients and set minimums in services today.
NSG Flow Logs are going away—what’s the replacement?
Use VNet Flow Logs. Plan policy/automation updates and downstream analytics migrations now.
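Part of that downstream migration is re-pointing analytics at the VNet flow log record shape. The parser below is an added example, not code from this guide or from Microsoft; the tuple layout (timestamp, source, destination, ports, protocol, direction, state, encryption, then four counters) is my reading of the documented version 4 schema and should be checked against your own exported records. It flattens the nested records and flags inbound flows from non-RFC1918 sources to database and admin ports, which is exactly the class of path a private-first design says should not exist.

```python
import ipaddress
import json

# Constructed VNet flow log v4 record (not a real capture). Tuple layout assumed as:
# time,src,dst,sport,dport,proto,direction(I/O),state(B/C/E/D),encryption(X/NX/...),
# pktsS2D,bytesS2D,pktsD2S,bytesD2S; the counters are empty on a 'B' (begin) event.
SAMPLE_LOG = json.loads("""{"records": [{"time": "2025-09-01T10:00:00Z", "flowLogVersion": 4,
  "category": "FlowLogFlowEvent", "flowRecords": {"flows": [{"aclID": "nsg-app",
  "flowGroups": [
    {"rule": "DefaultRule_AllowVnetInBound", "flowTuples": [
      "1756720800000,10.0.1.4,10.0.2.5,51000,1433,6,I,B,NX,,,,",
      "1756720801000,10.0.1.4,10.0.2.5,51000,1433,6,I,E,NX,12,2400,10,900"]},
    {"rule": "Allow-Internet-SQL", "flowTuples": [
      "1756720802000,203.0.113.7,10.0.2.5,40000,1433,6,I,B,NX,,,,",
      "1756720803000,198.51.100.9,10.0.2.6,40001,443,6,I,E,X,5,500,4,400"]}
  ]}]}}]}""")

FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "direction", "state",
          "encryption", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")
# Explicit RFC1918 ranges: ipaddress.is_private also covers documentation ranges,
# which would hide test addresses like 203.0.113.x, so we do not rely on it here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DATA_AND_ADMIN_PORTS = {1433, 3306, 5432, 445, 3389, 22}


def parse_flows(log):
    """Flatten records -> flows -> flowGroups -> flowTuples into dicts, keeping the rule name."""
    flows = []
    for rec in log["records"]:
        for flow in rec["flowRecords"]["flows"]:
            for group in flow["flowGroups"]:
                for tup in group["flowTuples"]:
                    f = dict(zip(FIELDS, tup.split(",")))
                    f["rule"], f["dport"] = group["rule"], int(f["dport"])
                    flows.append(f)
    return flows


def public_inbound_to_data_ports(log):
    """Inbound flows from non-RFC1918 sources to database/admin ports; each hit names
    the NSG/security admin rule that admitted it, so the rule is the thing to fix."""
    return [f for f in parse_flows(log)
            if f["direction"] == "I" and f["dport"] in DATA_AND_ADMIN_PORTS
            and not any(ipaddress.ip_address(f["src"]) in n for n in RFC1918)]
```

On the constructed sample only the flow admitted by "Allow-Internet-SQL" from 203.0.113.7 to port 1433 is reported; the HTTPS flow on 443 and the intra-VNet flows are not.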
Final word
Security isn’t toggling a SKU—it’s removing classes of failure. In Azure 2025, that means: identity that resists phishing, networks that default to private, encryption and backups you can prove, logs you can query for years, and preventative guardrails as code. If you want, I can turn this into a ready-to-deploy Landing Zone baseline (Policy initiatives, DCRs, Private Link patterns) tailored to your org’s risk profile.
