Introduction

Securing Azure infrastructure requires implementing multiple layers of security controls. This post walks through implementing essential security policies to protect your Azure environment.

Preventing Public Blob Storage Access

One common security risk is accidentally exposing blob storage containers publicly. Azure Policy can prevent this:

  1. Navigate to Azure Policy
  2. Search for the built-in policy “Configure your Storage account public access to be disallowed”
  3. Assign the policy at your desired scope (subscription or management group)
  4. Set the effect to “Deny” so that storage accounts which allow public blob access cannot be created or updated

The policy rule behind this looks as follows:

{
  "properties": {
    "displayName": "Prevent Public Blob Access",
    "policyType": "BuiltIn",
    "mode": "All",
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
            "equals": "true"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
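As an added example that is not part of the original post, the Python below implements the allOf / not / field-equals subset of the Azure Policy rule language (a simplification of Azure's engine: it resolves fields by their last path segment, compares values as case-insensitive strings, and assumes an absent field never satisfies equals) and runs the rule above, plus a stricter not/equals-false variant, over constructed storage-account resources. It shows that the rule as written denies only accounts that explicitly set allowBlobPublicAccess to true and lets an account that omits the property through, which the stricter form does not.

```python
STORAGE = "Microsoft.Storage/storageAccounts"
PUBLIC_FIELD = "Microsoft.Storage/storageAccounts/allowBlobPublicAccess"

def _lookup(resource, field):
    # 'type' is top level; other fields resolve by their last path segment
    # under 'properties' (a simplification of Azure's alias resolution).
    if field == "type":
        return resource.get("type")
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])

def _norm(v):
    # Azure compares as case-insensitive strings, so True and "true" match.
    return None if v is None else str(v).lower()

def evaluate(cond, resource):
    """Evaluate the allOf / not / field-equals subset of a policy condition."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    actual = _lookup(resource, cond["field"])
    if "equals" in cond:
        # Assumption: a field that is absent never satisfies 'equals'.
        return actual is not None and _norm(actual) == _norm(cond["equals"])
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(rule, resource):
    return rule["then"]["effect"].lower() if evaluate(rule["if"], resource) else "none"

# Rule from the post: deny only when allowBlobPublicAccess is explicitly true.
PAGE_RULE = {"if": {"allOf": [{"field": "type", "equals": STORAGE},
                               {"field": PUBLIC_FIELD, "equals": "true"}]},
             "then": {"effect": "deny"}}
# Stricter variant: deny unless the property is explicitly false, so an
# account that omits it (and inherits whatever the default is) is caught too.
STRICT_RULE = {"if": {"allOf": [{"field": "type", "equals": STORAGE},
                                 {"not": {"field": PUBLIC_FIELD, "equals": "false"}}]},
               "then": {"effect": "deny"}}

# Constructed sample resources, not taken from any real subscription.
SAMPLES = {
    "explicit_public": {"type": STORAGE, "properties": {"allowBlobPublicAccess": True}},
    "explicit_private": {"type": STORAGE, "properties": {"allowBlobPublicAccess": False}},
    "property_unset": {"type": STORAGE, "properties": {}},
    "not_storage": {"type": "Microsoft.Compute/virtualMachines", "properties": {}},
}

def evaluate_all(rule):
    """Map each sample name to the effect the rule would apply to it."""
    return {name: effect_for(rule, res) for name, res in SAMPLES.items()}
```

When reviewing a deny policy, check how it treats resources that leave the guarded property unset, not just those that set it explicitly.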

Implementing Conditional Access Policies

Admin Role Protection

Secure privileged accounts with dedicated conditional access policies:

  1. Create a new policy targeting admin roles
  2. Configure conditions:
  • Users: Select all admin roles except the break-glass account
  • Cloud apps: Microsoft Admin portals
  • Grant controls: Require MFA

In outline, the policy looks like this:

conditions:
  users:
    include:
      - adminRoles: ["Global Administrator", "Security Administrator"]
    exclude:
      - users: ["break-glass-account"]
  applications:
    include:
      - appId: "Office365 Management APIs"
controls:
  requireMFA: true
sessionControls:
  signInFrequency: 4

Guest Access Controls

Implement specific policies for external users:

  1. Create dedicated guest conditional access policy
  2. Target all guest/external user accounts
  3. Require MFA for all cloud apps
  4. Enable report-only mode initially to assess impact

Security Group Management

Restrict security group creation to admins:

  1. Navigate to Azure AD > Groups > General settings
  2. Set “Users can create security groups” to No
  3. Document approved group creation process for users

Monitoring and Alerting

Implement cost monitoring; an unexpected jump in spend is often the first visible sign that compromised credentials are being used to create resources:

  1. Create budget alerts at appropriate scopes
  2. Configure notification thresholds (e.g., 80%, 90%, 100%)
  3. Set up action groups for notifications
  4. Enable actual vs forecasted spend alerts

Conclusion

Implementing these security policies creates multiple layers of protection for your Azure environment. Regular review and updates ensure policies remain effective as your environment evolves.