End-to-end security in Azure

One of the best reasons to use Azure for your applications and services is to take advantage of its wide array of security tools and capabilities. These tools and capabilities help make it possible to create secure solutions on the secure Azure platform. Microsoft Azure provides confidentiality, integrity, and availability of customer data, while also enabling transparent accountability.

The following diagram and documentation introduce you to the security services in Azure. These security services help you meet the security needs of your business and protect your users, devices, resources, data, and applications in the cloud.

Microsoft security services map

The security services map organizes services by the resources they protect (column). The diagram also groups services into the following categories (row):

  • Secure and protect - Services that let you implement a layered, defense-in-depth strategy across identity, hosts, networks, and data. This collection of security services and capabilities provides a way to understand and improve your security posture across your Azure environment.
  • Detect threats - Services that identify suspicious activities and help you mitigate the threat.
  • Investigate and respond - Services that pull logging data so you can assess a suspicious activity and respond.

The diagram includes the Azure Security Benchmark program, a collection of high-impact security recommendations you can use to help secure the services you use in Azure.

Diagram showing end-to-end security services in Azure.

Security controls and baselines

The Azure Security Benchmark program includes a collection of high-impact security recommendations you can use to help secure the services you use in Azure:

  • Security controls - These recommendations are generally applicable across your Azure tenant and Azure services. Each recommendation identifies a list of stakeholders that are typically involved in planning, approval, or implementation of the benchmark.
  • Service baselines - These apply the controls to individual Azure services to provide recommendations on that service’s security configuration.

Secure and protect

Diagram showing Azure services that help you secure and protect your cloud resources.

| Service | Description |
| --- | --- |
| Azure Security Center | A unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises. |
| Identity & Access Management | |
| Azure Active Directory (AD) | Microsoft’s cloud-based identity and access management service. Conditional Access is the tool used by Azure AD to bring identity signals together, to make decisions, and enforce organizational policies. Domain Services is the tool used by Azure AD to provide managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. Privileged Identity Management (PIM) is a service in Azure AD that enables you to manage, control, and monitor access to important resources in your organization. Multi-factor authentication is the tool used by Azure AD to help safeguard access to data and applications by requiring a second form of authentication. |
| Azure AD Identity Protection | A tool that allows organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to third-party utilities for further analysis. |
| Infrastructure & Network | |
| VPN Gateway | A virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet and to send encrypted traffic between Azure virtual networks over the Microsoft network. |
| Azure DDoS Protection Standard | Provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network. |
| Azure Front Door | A global, scalable entry point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications. |
| Azure Firewall | A managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. |
| Azure Key Vault | A secure secrets store for tokens, passwords, certificates, API keys, and other secrets. Key Vault can also be used to create and control the encryption keys used to encrypt your data. |
| Key Vault Managed HSM | A fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs. |
| Azure Private Link | Enables you to access Azure PaaS services (for example, Azure Storage and SQL Database) and Azure-hosted customer-owned/partner services over a private endpoint in your virtual network. |
| Azure Application Gateway | An advanced web traffic load balancer that enables you to manage traffic to your web applications. Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers. |
| Azure Service Bus | A fully managed enterprise message broker with message queues and publish-subscribe topics. Service Bus is used to decouple applications and services from each other. |
| Web Application Firewall | Provides centralized protection of your web applications from common exploits and vulnerabilities. WAF can be deployed with Azure Application Gateway and Azure Front Door. |
| Data & Application | |
| Azure Backup | Provides simple, secure, and cost-effective solutions to back up your data and recover it from the Microsoft Azure cloud. |
| Azure Storage Service Encryption | Automatically encrypts data before it is stored and automatically decrypts the data when you retrieve it. |
| Azure Information Protection | A cloud-based solution that enables organizations to discover, classify, and protect documents and emails by applying labels to content. |
| API Management | A way to create consistent and modern API gateways for existing back-end services. |
| Azure confidential computing | Allows you to isolate your sensitive data while it's being processed in the cloud. |
| Azure DevOps | Your development projects benefit from multiple layers of security and governance technologies, operational practices, and compliance policies when stored in Azure DevOps. |
| Customer Access | |
| Azure AD External Identities | With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources, while letting them sign in using whatever identity they prefer. You can share your apps and resources with external users via Azure AD B2B collaboration. Azure AD B2C lets you support millions of users and billions of authentications per day, monitoring and automatically handling threats like denial-of-service, password spray, or brute force attacks. |

Detect threats

Diagram showing Azure services that detect threats.

| Service | Description |
| --- | --- |
| Azure Defender | Brings advanced, intelligent protection of your Azure and hybrid resources and workloads. The Azure Defender dashboard in Security Center provides visibility and control of the cloud workload protection features for your environment. |
| Azure Sentinel | A scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. |
| Identity & Access Management | |
| Microsoft 365 Defender | A unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Microsoft Defender for Identity is a cloud-based security solution that uses your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. |
| Azure AD Identity Protection | Sends two types of automated notification emails to help you manage user risk and risk detections: the Users at risk detected email and the Weekly digest email. |
| Infrastructure & Network | |
| Azure Defender for IoT | A unified security solution for identifying IoT/OT devices, vulnerabilities, and threats. It enables you to secure your entire IoT/OT environment, whether you need to protect existing IoT/OT devices or build security into new IoT innovations. |
| Azure Network Watcher | Provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS products, which include virtual machines, virtual networks, application gateways, and load balancers. |
| Azure Policy audit logging | Helps to enforce organizational standards and to assess compliance at scale. Azure Policy uses activity logs, which are automatically enabled to include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. |
| Data & Application | |
| Azure Defender for container registries | Includes a vulnerability scanner to scan the images in your Azure Resource Manager-based Azure Container Registry registries and provide deeper visibility into your images' vulnerabilities. |
| Azure Defender for Kubernetes | Provides cluster-level threat protection by monitoring your AKS-managed services through the logs retrieved by Azure Kubernetes Service (AKS). |
| Microsoft Cloud App Security | A Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. |

Investigate and respond

Diagram showing Azure services that help you investigate and respond to threats.

| Service | Description |
| --- | --- |
| Azure Sentinel | Powerful search and query tools to hunt for security threats across your organization's data sources. |
| Azure Monitor logs and metrics | Delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. Azure Monitor collects and aggregates data from a variety of sources into a common data platform where it can be used for analysis, visualization, and alerting. |
| Identity & Access Management | |
| Azure AD reports and monitoring | Azure AD reports provide a comprehensive view of activity in your environment. Azure AD monitoring lets you route your Azure AD activity logs to different endpoints. |
| Azure AD PIM audit history | Shows all role assignments and activations within the past 30 days for all privileged roles. |
| Data & Application | |
| Microsoft Cloud App Security | Provides tools to gain a deeper understanding of what's happening in your cloud environment. |
