Azure Hardening

This section covers Microsoft Azure hardening across the security domains listed below: the six core domains (IAM, Network, Data Protection, Logging & Detection, Workloads, Incident Response) plus GenAI Security and Kubernetes. Each domain page maps the cross-cutting principles covered in the General section onto specific Azure services and configuration primitives: Entra ID, Azure Policy, Defender for Cloud, Microsoft Sentinel, and the platform's native control planes.

Content is authored progressively: IAM ships first as a pilot (Phase 5), followed by Network, Data Protection, Logging & Detection, Workloads, and Incident Response in subsequent phases.

Domains

  • IAM — Entra ID, Global Admin separation, PIM, Conditional Access, managed identities, Key Vault
  • Network — NSGs, Azure Firewall, Private Endpoints, DDoS Protection, Front Door WAF
  • Data Protection — Storage public access, CMK with Key Vault, SQL TDE, Disk Encryption, Purview
  • Logging & Detection — Diagnostic Settings, Log Analytics, Activity Log, Defender for Cloud, Sentinel
  • Workloads — VM Trusted Launch, JIT VM access, AKS hardening, App Service identity
  • Incident Response — Defender automation, Sentinel playbooks, forensic snapshots
  • GenAI Security — Entra ID authentication, content filters, Prompt Shields, private endpoints, RBAC, diagnostic logging, abuse monitoring, CMK encryption, quota limits
  • Kubernetes — AKS private cluster, Microsoft Entra Workload Identity, KMS v2 etcd encryption backed by Key Vault, Entra ID integration with Azure RBAC for Kubernetes Authorization, Microsoft Defender for Containers, Azure Policy enforcing Pod Security Standards, Log Analytics diagnostic settings, Azure CNI with network policy, user-assigned managed identity
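
The Kubernetes bullet is a list of controls; the added example below (not code from the original page) turns it into a check a practitioner can run against a cluster description. Property paths follow the Microsoft.ContainerService/managedClusters resource schema as emitted by `az aks show -o json` (flat, acronyms lower-cased such as enableRbac) or by the ARM REST API and Resource Graph (wrapped in "properties", spelled enableRBAC); lookup is case-insensitive so both shapes work. Both sample clusters are constructed for the demo. Control-plane diagnostic settings are a separate Microsoft.Insights/diagnosticSettings resource and cannot be judged from the cluster document, so the Container Insights add-on is checked as the in-document proxy.

```python
"""Audit an AKS cluster definition against the AKS hardening controls listed above.

Added example, not part of the original page. Input: the managedClusters resource
from `az aks show -o json` (flat, camelCase, e.g. enableRbac) or from the ARM REST
API / Resource Graph (under "properties", e.g. enableRBAC). Lookups are
case-insensitive so either spelling works.
"""
from typing import Any, Callable

# Constructed sample (not captured from a real subscription): `az aks show` shape,
# with several listed controls missing or switched off.
WEAK_CLUSTER = {
    "name": "aks-demo",
    "identity": {"type": "SystemAssigned"},
    "enableRbac": True,
    "apiServerAccessProfile": {"enablePrivateCluster": False},
    "aadProfile": {"managed": True, "enableAzureRbac": False},
    "oidcIssuerProfile": {"enabled": True},
    "securityProfile": {
        "workloadIdentity": {"enabled": True},
        "defender": {"securityMonitoring": {"enabled": True}},
    },
    "addonProfiles": {"azurepolicy": {"enabled": True}, "omsagent": {"enabled": True}},
    "networkProfile": {"networkPlugin": "azure", "networkPolicy": None},
}

# Constructed sample in ARM REST shape with every listed control in place.
HARDENED_CLUSTER = {
    "name": "aks-demo",
    "identity": {"type": "UserAssigned"},
    "properties": {
        "enableRBAC": True,
        "apiServerAccessProfile": {"enablePrivateCluster": True},
        "aadProfile": {"managed": True, "enableAzureRBAC": True},
        "oidcIssuerProfile": {"enabled": True},
        "securityProfile": {
            "workloadIdentity": {"enabled": True},
            "azureKeyVaultKms": {"enabled": True},
            "defender": {"securityMonitoring": {"enabled": True}},
        },
        "addonProfiles": {"azurepolicy": {"enabled": True}, "omsagent": {"enabled": True}},
        "networkProfile": {"networkPlugin": "azure", "networkPolicy": "azure"},
    },
}


def _lookup(obj: Any, path: str) -> Any:
    """Case-insensitive dotted-path lookup; None if any segment is missing."""
    cur = obj
    for seg in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = next((v for k, v in cur.items() if k.lower() == seg.lower()), None)
        if cur is None:
            return None
    return cur


# (control name, path under the cluster properties, predicate that must hold)
CHECKS: list[tuple[str, str, Callable[[Any], bool]]] = [
    ("Private cluster", "apiServerAccessProfile.enablePrivateCluster", lambda v: v is True),
    ("Entra Workload Identity", "securityProfile.workloadIdentity.enabled", lambda v: v is True),
    ("OIDC issuer (required by Workload Identity)", "oidcIssuerProfile.enabled", lambda v: v is True),
    ("KMS etcd encryption (Key Vault)", "securityProfile.azureKeyVaultKms.enabled", lambda v: v is True),
    ("Kubernetes RBAC", "enableRBAC", lambda v: v is True),
    ("Managed Entra ID integration", "aadProfile.managed", lambda v: v is True),
    ("Azure RBAC for Kubernetes Authorization", "aadProfile.enableAzureRBAC", lambda v: v is True),
    ("Defender for Containers", "securityProfile.defender.securityMonitoring.enabled", lambda v: v is True),
    ("Azure Policy add-on (Pod Security Standards)", "addonProfiles.azurepolicy.enabled", lambda v: v is True),
    ("Container Insights to Log Analytics", "addonProfiles.omsagent.enabled", lambda v: v is True),
    ("Azure CNI", "networkProfile.networkPlugin", lambda v: v == "azure"),
    ("Network policy engine", "networkProfile.networkPolicy", lambda v: v in ("azure", "calico", "cilium")),
]


def audit_cluster(doc: dict) -> list[str]:
    """Return one finding per control that is missing or disabled; [] means all present."""
    props = doc.get("properties", doc)  # ARM REST wraps settings in "properties"; az CLI flattens
    findings = [f"{name}: {path} = {_lookup(props, path)!r}"
                for name, path, ok in CHECKS if not ok(_lookup(props, path))]
    identity = _lookup(doc, "identity.type")  # identity sits beside properties, not inside
    if identity != "UserAssigned":
        findings.append(f"User-assigned managed identity: identity.type = {identity!r}")
    return findings


if __name__ == "__main__":
    for label, cluster in (("weak", WEAK_CLUSTER), ("hardened", HARDENED_CLUSTER)):
        print(f"{label}: {len(audit_cluster(cluster))} finding(s)")
        for line in audit_cluster(cluster):
            print("  -", line)
```

On the weak sample the audit reports the public API server, missing KMS block, Azure RBAC switched off, no network policy engine, and a system-assigned identity; the hardened sample returns no findings.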

This page is a Phase 2 stub. Section overview content arrives in later phases.