Contents
- 1 🔐 Azure Fundamentals for Cybersecurity Engineers
- 1.1 🛡 1. Microsoft Defender for Cloud
- 1.2 👤 2. Azure Active Directory (Entra ID)
- 1.3 🔐 3. Azure Key Vault
- 1.4 📜 4. Microsoft Sentinel
- 1.5 🔒 5. Azure Policy
- 1.6 🧪 6. Microsoft Defender for Endpoint
- 1.7 📦 7. Azure Resource Manager (ARM) & RBAC
- 1.8 🔁 8. Azure Monitor & Log Analytics
- 1.9 🔐 9. Azure DDoS Protection
- 1.10 🌍 10. Azure Firewall
- 1.11 🔍 11. Azure Security Center (legacy name)
- 1.12 📂 12. Azure Storage Account Security
- 1.13 🔒 13. Privileged Identity Management (PIM)
- 1.14 📎 14. Azure Blueprints
- 1.15 📧 15. Microsoft Purview (Information Protection, formerly Azure Information Protection)
- 2 ✅ Summary Table
🔐 Azure Fundamentals for Cybersecurity Engineers
Azure provides a broad range of tools and services specifically tailored for building, managing, and securing cloud infrastructure. Below is a list of essential Azure services every cybersecurity engineer should know—along with what they are, why they matter, and how to use them effectively.
🛡 1. Microsoft Defender for Cloud
What it is:
A cloud-native application protection platform (CNAPP) that combines security posture management (CSPM) with workload protection (CWPP) through per-resource-type Defender plans (Servers, Storage, Key Vault, SQL and others).
Why it’s used:
To monitor workloads, assess security posture, and detect threats across hybrid and multi-cloud environments.
Use Cases:
- Auto-discover misconfigurations
- Integrated with Azure Policy and Sentinel
- Get Secure Score recommendations
👤 2. Azure Active Directory (Entra ID)
What it is:
Microsoft’s cloud-based identity and access management service.
Why it’s used:
To manage users, groups, roles, and provide SSO for thousands of SaaS apps and internal resources.
Use Cases:
- Enforce Conditional Access
- MFA and identity protection
- Integrate with on-prem AD for hybrid identity
🔐 3. Azure Key Vault
What it is:
A secure secrets management service.
Why it’s used:
To store encryption keys, secrets, and certificates outside application code, in a service whose data-plane access is separately authorised and fully logged (via diagnostic settings) so every read of a secret is auditable.
Use Cases:
- Key management for encryption (e.g. SQL TDE customer-managed keys, Azure Storage customer-managed keys)
- Rotate keys on a schedule with key rotation policies and auto-renew certificates; for secrets, react to near-expiry Event Grid events with your own rotation workflow
- Azure RBAC (recommended) or legacy vault access policies for data-plane control; access policies are vault-wide per principal and cannot be scoped to a single key or secret, so new vaults should use the RBAC permission model
📜 4. Microsoft Sentinel
What it is:
Azure’s cloud-native SIEM and SOAR platform.
Why it’s used:
To collect logs, detect threats with scheduled KQL analytics rules and built-in ML detections, investigate incidents, and automate response.
Use Cases:
- Ingest logs from 100+ sources
- Write scheduled analytics rules in KQL, mapped to MITRE ATT&CK tactics and techniques
- Automate responses with playbooks (via Logic Apps)
🔒 5. Azure Policy
What it is:
A service that enforces organisational standards and compliance.
Why it’s used:
To define and automatically apply security controls at scale.
Use Cases:
- Block untagged resources or public IPs
- Require encryption or region constraints
- Audit non-compliance and remediate it with modify or deployIfNotExists effects (remediation tasks)
🧪 6. Microsoft Defender for Endpoint
What it is:
An enterprise-grade EDR/XDR solution.
Why it’s used:
To detect and respond to endpoint-level threats across Windows, macOS, Linux, Android, and iOS.
Use Cases:
- Alert on malware or suspicious process behaviour
- Isolate infected machines
- Run automated investigations and responses
📦 7. Azure Resource Manager (ARM) & RBAC
What it is:
Azure’s control plane for deploying and managing resources, with built-in access controls.
Why it’s used:
To implement least privilege access to resources using roles and scopes. Azure RBAC is additive: a principal's effective permissions are the union of every role assignment at the resource's scope and at each parent scope (resource group, subscription, management group); a role's NotActions only subtract from that role, and deny assignments are the only thing that overrides a grant.
Use Cases:
- Limit VM access to specific admins
- Prevent developers from deleting production data
- Assign custom roles for tiered access
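The scope-inheritance and Actions/NotActions rules above can be made concrete offline. The following is an added example written for this page, not Azure SDK or authorization-service code: it models RBAC evaluation against a constructed subscription, two resource groups, an abbreviated Reader and Contributor, a custom "Prod VM Operator" role and one deny assignment (all names and IDs are made up for illustration).

```python
"""Added example, not Azure SDK code: an offline model of Azure RBAC evaluation.
Roles, principals, subscription ID and resource IDs are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Permissions:
    """Actions/NotActions of a role definition (or of a deny assignment)."""
    name: str
    actions: tuple
    not_actions: tuple = ()

    def matches(self, action: str) -> bool:
        # Azure action matching is case-insensitive and '*' spans '/'
        # (so "*/read" covers "Microsoft.Compute/virtualMachines/read").
        a = action.lower()
        hit = any(fnmatchcase(a, p.lower()) for p in self.actions)
        carved_out = any(fnmatchcase(a, p.lower()) for p in self.not_actions)
        return hit and not carved_out


@dataclass(frozen=True)
class Assignment:
    principal: str
    permissions: Permissions
    scope: str            # management group, subscription, RG or resource ID
    deny: bool = False    # True models a deny assignment

    def covers(self, resource_id: str) -> bool:
        # Assignments are inherited by every child of their scope.
        s, r = self.scope.lower().rstrip("/"), resource_id.lower()
        return r == s or r.startswith(s + "/")


def is_authorized(principal, action, resource_id, assignments) -> bool:
    """Deny assignments win outright; otherwise access is the union of all
    inherited role assignments (NotActions only subtract within their own
    role, so another role can grant the same action back)."""
    mine = [a for a in assignments
            if a.principal.lower() == principal.lower() and a.covers(resource_id)]
    if any(a.deny and a.permissions.matches(action) for a in mine):
        return False
    return any(not a.deny and a.permissions.matches(action) for a in mine)


# Built-in roles, abbreviated to the patterns that matter here.
READER = Permissions("Reader", ("*/read",))
CONTRIBUTOR = Permissions("Contributor", ("*",),
                          ("Microsoft.Authorization/*/Write",
                           "Microsoft.Authorization/*/Delete",
                           "Microsoft.Authorization/elevateAccess/Action"))
# A custom role for tiered access: operate production VMs, never delete them.
VM_OPERATOR = Permissions("Prod VM Operator",
                          ("Microsoft.Compute/virtualMachines/*",),
                          ("Microsoft.Compute/virtualMachines/delete",))

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed
PROD_RG = SUB + "/resourceGroups/prod-rg"
DEV_RG = SUB + "/resourceGroups/dev-rg"
PROD_VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"
DEV_VM = DEV_RG + "/providers/Microsoft.Compute/virtualMachines/test01"

ASSIGNMENTS = [
    Assignment("alice", READER, SUB),               # read everything in the sub
    Assignment("alice", VM_OPERATOR, PROD_RG),      # operate prod VMs only
    Assignment("bob", CONTRIBUTOR, SUB),
    # Deny assignment: even a Contributor cannot delete production VMs.
    Assignment("bob", Permissions("no-prod-delete",
               ("Microsoft.Compute/virtualMachines/delete",)), PROD_RG, deny=True),
]

START = "Microsoft.Compute/virtualMachines/start/action"
DELETE = "Microsoft.Compute/virtualMachines/delete"
READ = "Microsoft.Compute/virtualMachines/read"
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"


def check(principal, action, resource_id) -> bool:
    """Evaluate against the constructed assignment set above."""
    return is_authorized(principal, action, resource_id, ASSIGNMENTS)


if __name__ == "__main__":
    for who, act, res in [("alice", START, PROD_VM), ("alice", DELETE, PROD_VM),
                          ("alice", START, DEV_VM), ("bob", ROLE_WRITE, PROD_VM),
                          ("bob", DELETE, PROD_VM), ("bob", DELETE, DEV_VM)]:
        print(f"{who:5} {act} on {res.split('/')[-1]}: {check(who, act, res)}")
```

Two things this makes visible that the portal does not: alice keeps `*/read` on dev-rg via the subscription-level Reader even though her operator role stops at prod-rg, and bob's Contributor is blocked from writing role assignments by its own NotActions rather than by any deny, which is why "Contributor cannot grant themselves Owner" holds.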
🔁 8. Azure Monitor & Log Analytics
What it is:
A suite of tools for telemetry, logging, and metrics collection.
Why it’s used:
To monitor infrastructure and detect anomalies using logs and visual dashboards.
Use Cases:
- Query logs using KQL (Kusto Query Language)
- Create custom alerts for specific actions
- Baseline behaviour for security analytics
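A detection of the kind the Sentinel section (4) and this one describe, as an added example that is not Microsoft code: a brute-force / password-spray rule run over a handful of constructed records shaped like the `SigninLogs` columns (`TimeGenerated`, `UserPrincipalName`, `IPAddress`, `ResultType`). The IPs, accounts and domain are made up; the KQL in the docstring is the same rule written for a Log Analytics query or a Sentinel scheduled analytics rule, also written for this example.

```python
"""Added example (not Microsoft code): brute-force / password-spray detection
over constructed sign-in records shaped like Entra ID SigninLogs columns."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (TimeGenerated, UserPrincipalName, IPAddress, ResultType).
# ResultType "0" is success; 50126 is "invalid username or password".
SAMPLE_SIGNINS = [
    ("2024-05-01T10:00:05Z", "alice@contoso.example", "203.0.113.7", "50126"),
    ("2024-05-01T10:00:20Z", "alice@contoso.example", "203.0.113.7", "50126"),
    ("2024-05-01T10:00:41Z", "alice@contoso.example", "203.0.113.7", "50126"),
    ("2024-05-01T10:01:02Z", "alice@contoso.example", "203.0.113.7", "50126"),
    ("2024-05-01T10:01:30Z", "alice@contoso.example", "203.0.113.7", "50126"),
    ("2024-05-01T10:01:55Z", "alice@contoso.example", "203.0.113.7", "50126"),
    ("2024-05-01T10:02:30Z", "alice@contoso.example", "203.0.113.7", "0"),
    # Low-and-slow spray: one guess per account, then one lands.
    ("2024-05-01T10:03:00Z", "bob@contoso.example",   "198.51.100.9", "50126"),
    ("2024-05-01T10:04:00Z", "carol@contoso.example", "198.51.100.9", "50126"),
    ("2024-05-01T10:05:00Z", "dave@contoso.example",  "198.51.100.9", "50126"),
    ("2024-05-01T10:06:00Z", "erin@contoso.example",  "198.51.100.9", "50126"),
    ("2024-05-01T10:07:00Z", "frank@contoso.example", "198.51.100.9", "50126"),
    ("2024-05-01T10:08:00Z", "frank@contoso.example", "198.51.100.9", "0"),
    # A user mistyping a password twice is normal, not an alert.
    ("2024-05-01T10:09:10Z", "grace@contoso.example", "192.0.2.44", "50126"),
    ("2024-05-01T10:09:25Z", "grace@contoso.example", "192.0.2.44", "50126"),
    ("2024-05-01T10:09:40Z", "grace@contoso.example", "192.0.2.44", "0"),
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_credential_attacks(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP that accumulates >= threshold failures inside `window`
    and then signs in successfully.  The number of distinct target accounts
    separates a password spray (many users) from brute force (one user).

    Equivalent KQL (written for this example, not a built-in rule):
        SigninLogs
        | where TimeGenerated > ago(1h)
        | summarize Failures  = countif(ResultType != "0"),
                    Users     = dcountif(UserPrincipalName, ResultType != "0"),
                    FirstFail = minif(TimeGenerated, ResultType != "0"),
                    SuccessAt = minif(TimeGenerated, ResultType == "0")
          by IPAddress
        | where Failures >= 5 and isnotnull(SuccessAt) and SuccessAt > FirstFail
    """
    failures = defaultdict(deque)   # ip -> deque of (time, user) failures
    findings = []
    # Ingestion order is not time order, so sort by the ISO timestamp first.
    for raw_ts, user, ip, result in sorted(events):
        t = _ts(raw_ts)
        q = failures[ip]
        while q and t - q[0][0] > window:        # slide the window forward
            q.popleft()
        if result != "0":
            q.append((t, user))
            continue
        if len(q) >= threshold:
            users = {u for _, u in q}
            findings.append({
                "ip": ip, "time": raw_ts, "failures": len(q),
                "distinct_users": len(users), "compromised_user": user,
                "pattern": "password-spray" if len(users) >= 3 else "brute-force",
            })
        q.clear()   # a success resets the counter for that source


    return findings


if __name__ == "__main__":
    for f in detect_credential_attacks(SAMPLE_SIGNINS):
        print(f)
```

The threshold and window are the tuning knobs you would baseline per tenant: a helpdesk NAT address will legitimately produce many failures from one IP, so in production the rule is usually paired with an allow-list of known egress IPs or a higher threshold for them.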
🔐 9. Azure DDoS Protection
What it is:
A network-level DDoS mitigation service. Infrastructure (basic) protection is always on for every Azure public IP; the paid tiers, Network Protection (per virtual network) and IP Protection (per public IP), add application-tuned mitigation policies, attack telemetry, cost protection, and rapid-response support.
Why it’s used:
To protect publicly accessible endpoints from large-scale denial-of-service attacks.
Use Cases:
- Enable on the virtual networks (Network Protection) or individual public IPs (IP Protection) that front critical resources such as load balancers, application gateways, and internet-facing VMs
- View detailed attack telemetry
- Integrate with Sentinel for alerting
🌍 10. Azure Firewall
What it is:
A stateful, managed firewall-as-a-service.
Why it’s used:
To filter traffic centrally: network rules at Layer 3/4 (IP, port, protocol), application rules on FQDN or URL for outbound HTTP/S, and, in the Premium SKU, TLS inspection, IDPS signatures, and URL-category filtering.
Use Cases:
- DNAT/SNAT rules
- Centralised policy enforcement
- Threat intelligence filtering (deny known bad IPs)
🔍 11. Azure Security Center (legacy name)
What it is:
Now integrated into Defender for Cloud, previously the hub for security posture management.
Why it’s used:
To perform vulnerability assessments and hardening recommendations.
Use Cases:
- Recommendations for VM baselines
- JIT VM access control (now a Defender for Servers feature), which opens management ports only on request and for a limited time
- OS-level threat detection
📂 12. Azure Storage Account Security
What it is:
Built-in capabilities to secure Blob, File, Table, and Queue storage.
Why it’s used:
To control access, encrypt data, and monitor usage.
Use Cases:
- Enable private endpoints and set public network access to disabled, or at least restrict it with the storage firewall
- Enforce HTTPS-only connections and a minimum TLS version of 1.2
- Disable anonymous (public) blob access, and prefer Entra ID authorisation over the account shared keys and SAS tokens derived from them
- Enable logging and diagnostic settings so data-plane reads and writes reach Log Analytics
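The Azure Policy section (5) describes defining controls such as "require encryption" and "block untagged resources", and the storage checklist above lists the settings those controls would test. The block below is an added example written for this page, not Microsoft's policy engine: a small evaluator for the common subset of the `policyRule` syntax (`field` with `equals`, `notEquals`, `exists`, `in`; `allOf`, `anyOf`, `not`; `deny` and `audit` effects), run against constructed storage-account and VM resource documents. Parameters, policy modes and the other effects (`modify`, `deployIfNotExists`, ...) are not modelled, and the resource names and properties are made up.

```python
"""Added example, not Microsoft's policy engine: an offline evaluator for the
common subset of Azure Policy rule syntax, run against constructed resources."""


def _field(resource, name):
    """Resolve a policy 'field': top-level keys (type, name, location),
    tags['key'], or a property alias of the form <resourceType>/<path>."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    if "/" in name:
        rtype = resource.get("type", "")
        if not name.lower().startswith(rtype.lower() + "/"):
            return None                       # alias belongs to another type
        node = resource.get("properties", {})
        for part in name[len(rtype) + 1:].split("/"):
            node = node.get(part) if isinstance(node, dict) else None
        return node
    return resource.get(name)


def _norm(v):
    """Azure compares strings case-insensitively and booleans as 'true'/'false'."""
    return None if v is None else str(v).lower()


def _matches(cond, resource) -> bool:
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    value = _norm(_field(resource, cond["field"]))
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if value is None:
        # This model treats an absent field as matching no value test; the
        # built-in definitions pair 'exists: false' with the value check for
        # the same reason, and the rules below copy that shape.
        return False
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in {_norm(x) for x in cond["in"]}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, policies):
    """Return [(policy name, effect)] for every policy whose 'if' matches."""
    return [(p["name"], p["policyRule"]["then"]["effect"].lower())
            for p in policies if _matches(p["policyRule"]["if"], resource)]


def verdict(resource, policies) -> str:
    """deny blocks the deployment; audit only records non-compliance."""
    effects = {e for _, e in evaluate(resource, policies)}
    return "deny" if "deny" in effects else "audit" if "audit" in effects else "compliant"


STORAGE = "Microsoft.Storage/storageAccounts"


def storage_rule(prop, op, value):
    """Rule in the shape of the built-in storage definitions: applies to
    storage accounts whose property is unset or fails the value test."""
    alias = STORAGE + "/" + prop
    return {"allOf": [{"field": "type", "equals": STORAGE},
                      {"anyOf": [{"field": alias, "exists": "false"},
                                 {"field": alias, op: value}]}]}


# Same structure as the policyRule block of a definition (names are ours).
POLICIES = [
    {"name": "deny-storage-http",
     "policyRule": {"if": storage_rule("supportsHttpsTrafficOnly", "equals", "false"),
                    "then": {"effect": "deny"}}},
    {"name": "deny-public-blob",
     "policyRule": {"if": storage_rule("allowBlobPublicAccess", "equals", "true"),
                    "then": {"effect": "deny"}}},
    {"name": "audit-min-tls",
     "policyRule": {"if": storage_rule("minimumTlsVersion", "notEquals", "TLS1_2"),
                    "then": {"effect": "audit"}}},
    {"name": "require-env-tag",      # applies to every resource type
     "policyRule": {"if": {"field": "tags['env']", "exists": "false"},
                    "then": {"effect": "deny"}}},
]

# Constructed resource documents (trimmed ARM shape).
WEAK_SA = {"type": STORAGE, "name": "stlegacy01", "location": "uksouth", "tags": {},
           "properties": {"supportsHttpsTrafficOnly": False,
                          "allowBlobPublicAccess": True,
                          "minimumTlsVersion": "TLS1_0"}}
HARDENED_SA = {"type": STORAGE, "name": "stprod01", "location": "uksouth",
               "tags": {"env": "prod"},
               "properties": {"supportsHttpsTrafficOnly": True,
                              "allowBlobPublicAccess": False,
                              "minimumTlsVersion": "TLS1_2",
                              "publicNetworkAccess": "Disabled"}}
UNTAGGED_VM = {"type": "Microsoft.Compute/virtualMachines", "name": "vm01",
               "location": "uksouth", "properties": {}}

if __name__ == "__main__":
    for r in (WEAK_SA, HARDENED_SA, UNTAGGED_VM):
        print(r["name"], verdict(r, POLICIES), evaluate(r, POLICIES))
```

The weak account trips every storage rule and is denied; the hardened one is compliant; the VM is untouched by the storage rules (the `type` check fails) but is denied for the missing tag. Treating an unset `allowBlobPublicAccess` as non-compliant is the conservative choice made here, since older accounts defaulted it to true.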
🔒 13. Privileged Identity Management (PIM)
What it is:
A Microsoft Entra ID feature (requires an Entra ID P2 or Entra ID Governance licence) for just-in-time (JIT) privileged access to Entra ID roles, Azure resource roles, and privileged group membership.
Why it’s used:
To reduce risk from standing privileges and elevate access only when needed.
Use Cases:
- Require approval for privileged access
- Set time-bound role assignments
- Alert on elevation requests
📎 14. Azure Blueprints
What it is:
A way to define repeatable governance environments with security, policies, and templates. Blueprints never left preview, and Microsoft has announced its deprecation for July 2026 in favour of Template Specs and Deployment Stacks combined with Azure Policy, so use it for existing estates and prefer those services for new work.
Why it’s used:
To deploy secure-by-default environments across multiple subscriptions.
Use Cases:
- Enforce CIS/NIST-aligned baselines
- Deploy ARM templates + policy + RBAC together
- Track compliance against predefined standards
📧 15. Microsoft Purview (Information Protection, formerly Azure Information Protection)
What it is:
A data governance, classification, and protection suite; its Information Protection component (formerly Azure Information Protection) provides sensitivity labels and the encryption they apply.
Why it’s used:
To discover, label, and protect sensitive data across emails, documents, and cloud storage.
Use Cases:
- Apply auto-classification (e.g. “Confidential”)
- Encrypt documents
- Monitor and restrict data exfiltration
✅ Summary Table
Service | Purpose | Common Use Case |
---|---|---|
Defender for Cloud | Threat & posture management | Cloud security baselining and alerting |
Azure AD / Entra ID | Identity and access control | SSO, MFA, Conditional Access |
Key Vault | Secrets and key management | TLS certs, API keys, encryption keys |
Sentinel | SIEM + SOAR | Threat detection, IR automation |
Azure Policy | Governance and enforcement | Security baselines, policy auditing |
Defender for Endpoint | EDR/XDR for devices | Malware detection, auto-remediation |
Azure Firewall | Network control and traffic filtering | DNAT/SNAT, threat intel filtering |
Azure DDoS Protection | Attack mitigation | Prevent volumetric and protocol-layer attacks |
Log Analytics / Monitor | Logging and alerting | Anomaly detection, KQL queries |
PIM | JIT access management | Temporary admin access |
Blueprints | Secure deployment templates | Standards-aligned infrastructure |
Microsoft Purview | Data classification and DLP | Auto-labeling, compliance |
Storage Security | Data access control & encryption | HTTPS, Private Endpoints, Logs |