Azure Security: Defender, Azure AD, and Cloud-Native Controls
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
Azure has a different security model than AWS, and teams that try to apply AWS patterns directly to Azure hit problems. Azure leans heavily on Entra ID (formerly Azure AD) for identity, uses a different RBAC model, and has its own set of native security tools. Here is what you need to know if you are securing Azure workloads.
Microsoft Defender for Cloud
Defender for Cloud is Azure’s equivalent of AWS Security Hub plus GuardDuty plus Inspector rolled into one. It provides cloud security posture management (CSPM) with a Secure Score, cloud workload protection (CWP) for VMs, containers, databases, and storage, and threat detection.
Enable Defender for Cloud across all subscriptions. The free tier gives you Secure Score and basic recommendations. The paid plans add threat detection and vulnerability scanning. At minimum, enable Defender for Servers, Containers, and Key Vault.
Focus on High severity recommendations first. Track Secure Score over time for reporting — leadership understands percentages better than finding counts.
Entra ID (Azure AD) Security
Entra ID is the identity plane for all of Azure. Compromise it and you compromise everything. Key hardening steps:
Conditional Access Policies: Require MFA for all users, block legacy authentication protocols (POP, IMAP, SMTP auth), require compliant devices for access to sensitive applications, and block sign-ins from risky locations.
Privileged Identity Management (PIM): Make all privileged role assignments time-limited and require approval. No one should have permanent Global Admin access. PIM makes users activate their privileged roles for a specific duration with MFA and justification.
Identity Protection: Enable risk-based policies that detect impossible travel, leaked credentials, anonymous IP usage, and unfamiliar sign-in properties. Configure automatic remediation to force password reset or block sign-in for high-risk events.
Network Security Groups
NSGs work similarly to AWS security groups but attach at the subnet or NIC level. Apply NSGs to subnets and use Application Security Groups (ASGs) to create logical groupings of VMs that share the same network policies.
Use NSG flow logs for network visibility. Send them to a Log Analytics workspace and use traffic analytics to visualize traffic patterns, identify anomalies, and detect lateral movement.
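As an added example (not from the original article), the script below parses NSG flow log version 2 tuples and pulls out allowed internal-to-internal flows to host-administration ports from anything other than a designated management host, which is the kind of east-west pattern traffic analytics is meant to surface. The flow tuples, the RFC 1918 ranges, the admin-port list and the management host are all constructed for the example.

```python
"""Parse NSG flow log v2 tuples and flag east-west traffic to admin ports.
Added example over constructed tuples, not data from a real workspace."""
from ipaddress import ip_address, ip_network

# Both endpoints in RFC 1918 space means east-west traffic, where lateral movement shows up.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Host-administration ports; hits from anything but the management hosts deserve a look.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 445: "smb", 5985: "winrm", 5986: "winrm-https"}
MGMT_HOSTS = {"10.0.0.10"}  # constructed jump host that is allowed to use admin ports
# v2 tuple layout: time, src, dst, sport, dport, proto T/U, direction I/O, decision A/D, state B/C/E
FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "direction", "decision", "state")

def parse_tuple(raw: str) -> dict:
    """Map the first nine comma-separated fields of a v2 tuple; the trailing packet/byte
    counters are empty on 'B' (begin) records and are ignored here."""
    f = raw.split(",")
    rec = dict(zip(FIELDS, f))
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)

def find_lateral_admin(tuples):
    """Return (src, dst, service) for allowed internal-to-internal flows to admin ports."""
    hits = []
    for fl in map(parse_tuple, tuples):
        if (fl["decision"] == "A" and fl["dport"] in ADMIN_PORTS and fl["src"] not in MGMT_HOSTS
                and is_internal(fl["src"]) and is_internal(fl["dst"])):
            hits.append((fl["src"], fl["dst"], ADMIN_PORTS[fl["dport"]]))
    return hits

SAMPLE = [  # constructed tuples in the v2 layout
    "1708000000,10.0.0.10,10.0.1.5,50211,3389,T,I,A,B,,,,",     # jump host: expected
    "1708000001,10.0.1.5,10.0.1.6,49812,445,T,I,A,B,,,,",       # workload-to-workload SMB
    "1708000002,10.0.1.5,10.0.1.7,49813,3389,T,I,A,B,,,,",      # workload-to-workload RDP
    "1708000003,10.0.1.5,10.0.1.8,49814,22,T,I,D,B,,,,",        # denied by the NSG
    "1708000004,10.0.1.5,13.67.143.118,44376,443,T,O,A,B,,,,",  # outbound HTTPS
]

if __name__ == "__main__":
    for src, dst, svc in find_lateral_admin(SAMPLE):
        print(f"east-west {svc}: {src} -> {dst}")
```

Denied flows are skipped on purpose: the NSG already handled them, and the interesting question is what the rules let through.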
Key Vault
Azure Key Vault stores keys, secrets, and certificates. Use it for every secret in your environment — database passwords, API keys, connection strings. Enable soft delete and purge protection so that deleted secrets can be recovered and cannot be permanently purged by an attacker.
Use RBAC (recommended over access policies) to grant specific principals specific operations. Separate key management permissions from key usage permissions. Enable diagnostic logging.
Use managed identities instead of service principals with client secrets. Managed identities eliminate the need to store and rotate credentials.
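To turn the Key Vault settings above into a check you can run against exported configuration, here is an added example (not from the original article) that evaluates two constructed vault documents in the shape returned by `az keyvault show`. The property names follow the Microsoft.KeyVault/vaults resource schema; the vault names and object ID are made up.

```python
"""Check `az keyvault show` output for soft delete, purge protection and RBAC.
Added example with constructed vault documents; property names follow the
Microsoft.KeyVault/vaults resource schema."""
import json

# Two constructed vault documents in the shape `az keyvault show` returns.
WEAK_VAULT = json.dumps({
    "name": "kv-app-dev",
    "properties": {
        "enableSoftDelete": True,
        "enablePurgeProtection": None,       # null in CLI output when never enabled
        "enableRbacAuthorization": False,
        "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000001",
                            "permissions": {"keys": ["all"], "secrets": ["all"]}}],
    },
})
HARDENED_VAULT = json.dumps({
    "name": "kv-app-prod",
    "properties": {
        "enableSoftDelete": True,
        "enablePurgeProtection": True,
        "enableRbacAuthorization": True,
        "accessPolicies": [],
    },
})

def assess_vault(doc: str) -> list:
    """Return a list of findings; an empty list means the vault meets the baseline."""
    p = json.loads(doc).get("properties", {})
    findings = []
    if not p.get("enableSoftDelete"):
        findings.append("soft delete disabled: deleted secrets cannot be recovered")
    if not p.get("enablePurgeProtection"):
        findings.append("purge protection off: a deleted secret can still be purged")
    if not p.get("enableRbacAuthorization"):
        findings.append("access-policy model in use: prefer RBAC for data-plane access")
    for ap in p.get("accessPolicies", []):
        perms = ap.get("permissions", {})
        # 'all' on keys collapses key management and key usage into one grant
        if "all" in [x.lower() for x in perms.get("keys", [])]:
            findings.append(f"{ap.get('objectId')}: 'all' key permissions, split manage/use")
    return findings

if __name__ == "__main__":
    for doc in (WEAK_VAULT, HARDENED_VAULT):
        print(json.loads(doc)["name"], assess_vault(doc) or ["ok"])
```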
Microsoft Sentinel
Sentinel is Azure’s SIEM and SOAR platform. It ingests logs from Azure services, Microsoft 365, and third-party sources. Use built-in analytics rules for common threat detection and build custom rules using KQL (Kusto Query Language) for your specific environment.
Connect Sentinel to Defender for Cloud for automated incident creation from security alerts. Build playbooks using Logic Apps for automated response — isolate a VM, disable a user account, or create a ServiceNow ticket.
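Bringing together the legacy-authentication point from the Entra ID section and the custom-rule advice above, here is an added example (not from the original article) that counts successful sign-ins over legacy protocols per user and protocol, the same aggregation a Sentinel scheduled analytics rule would do. The sign-in records are constructed with SigninLogs-style field names, and the KQL string is included for reference only; it is not executed by the script.

```python
"""Flag successful legacy-authentication sign-ins, as a custom detection rule would.
Added example over constructed SigninLogs-shaped records; KQL_RULE is the equivalent
Sentinel scheduled query, shown for reference and not run here."""
from collections import Counter

# ClientAppUsed values that Entra ID reports for legacy (non-modern) protocols.
LEGACY_CLIENTS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Other clients", "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Offline Address Book",
}

KQL_RULE = """
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0"            // successful sign-in
| where ClientAppUsed in~ ("Exchange ActiveSync", "IMAP4", "POP3",
    "Authenticated SMTP", "Other clients")
| summarize Count=count(), IPs=make_set(IPAddress) by UserPrincipalName, ClientAppUsed
"""

SAMPLE_SIGNINS = [  # constructed records, field names as in the SigninLogs table
    {"UserPrincipalName": "alice@contoso.example", "ClientAppUsed": "Browser",
     "ResultType": "0", "IPAddress": "203.0.113.10"},
    {"UserPrincipalName": "svc-scan@contoso.example", "ClientAppUsed": "IMAP4",
     "ResultType": "0", "IPAddress": "198.51.100.7"},
    {"UserPrincipalName": "svc-scan@contoso.example", "ClientAppUsed": "IMAP4",
     "ResultType": "0", "IPAddress": "198.51.100.8"},
    {"UserPrincipalName": "bob@contoso.example", "ClientAppUsed": "Authenticated SMTP",
     "ResultType": "50126", "IPAddress": "203.0.113.44"},  # failed: wrong password
]

def legacy_auth_summary(records) -> dict:
    """Count successful legacy-protocol sign-ins per (user, protocol), like the KQL summarize."""
    counts = Counter()
    for r in records:
        if str(r.get("ResultType")) == "0" and r.get("ClientAppUsed") in LEGACY_CLIENTS:
            counts[(r["UserPrincipalName"], r["ClientAppUsed"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for (user, proto), n in legacy_auth_summary(SAMPLE_SIGNINS).items():
        print(f"{user} signed in over {proto} {n}x; confirm the owner, then block it in Conditional Access")
```

Failed attempts are excluded so the rule reports accounts that actually still depend on legacy protocols, which is the list you need before enabling a blocking Conditional Access policy.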
AZ-500 is the starting point
Related Guides in This Series
- Active Directory Security: Attack Paths and Hardening — HADESS | 2026
- AWS ALB Security: TLS, Authentication, and Access Controls — HADESS | 2026
- AWS CloudTrail: Log Analysis and Security Monitoring — HADESS | 2026
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
