
Azure Hardening Checklist

  • Disable App Registrations [1]
  • Limit Enterprise applications; for information on possible abuses, see illicit consent grant attacks [1]
  • Restrict External collaboration access [1]
  • Limit guest user access [1]
  • Enable 2FA or Microsoft Intune device enrollment to Azure AD [1]
  • Review Network security groups (NSGs) for overly permissive access (refer to your business needs) [1]
  • Apply a primary deny rule on Network security groups [1]
  • Use virtual network service tags instead of hard-coding IPs to manage NSGs
  • Ensure blob storage is set to private in production environments
  • Check Azure Security Center periodically for recommended security improvements tailored to your environment [2]
  • Enable NSGs for non-VPN-gateway subnets in your network; enabling NSGs on the VPN gateway subnet can break access to your systems [2]
  • Test your Azure Functions and Azure Applications for traditional application vulnerabilities, e.g. SQLi, XXE, SSRF, etc. [2]
  • Review access controls on your Azure Apps to ensure no overly permissive access is permitted (refer to your business needs)
  • Use Microsoft CredScan to identify leaked credentials and secrets
  • Encrypt data at rest and in flight [2]
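The three NSG items above (overly permissive access, a primary deny rule, service tags instead of hard-coded IPs) are easy to check mechanically once the rules are exported. The following is an added example written for this checklist, not code from the checklist's author or from Microsoft: it reads the JSON shape that `az network nsg list -o json` produces (only the fields it needs are modelled, and the sample NSGs at the bottom are constructed) and reports inbound Allow rules open from any source to a management port, rules sourced from an IP literal, and NSGs lacking an explicit catch-all inbound Deny. The management-port set and the check names are assumptions chosen for the example.

```python
"""Audit an NSG export for overly permissive inbound rules, hard-coded IP
sources, and a missing explicit catch-all Deny.

Added example, not part of the checklist. Input is the JSON list produced by
`az network nsg list -o json`; only the fields used here are modelled.
The sample NSGs at the bottom are constructed for this example.
"""
import json
import re
import sys

# Sources that mean "anyone"; matched case-insensitively against rule sources.
ANY_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}
# Management/data ports that should never be reachable from any source (assumed set).
MGMT_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432}
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")


def _sources(rule):
    """Union of sourceAddressPrefix and sourceAddressPrefixes, lower-cased."""
    srcs = set(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.add(rule["sourceAddressPrefix"])
    return {s.lower() for s in srcs}


def _ports(rule):
    """Union of destinationPortRange and destinationPortRanges ('443', '8000-8100', '*')."""
    ports = set(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ports.add(rule["destinationPortRange"])
    return ports


def _touches_mgmt_port(port_specs):
    """True if any spec is '*' or a single port/range containing a management port."""
    for spec in port_specs:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if any(lo <= p <= hi for p in MGMT_PORTS):
            return True
    return False


def audit_nsgs(nsgs):
    """Return finding dicts {'nsg', 'rule', 'check', 'detail'} for every NSG in the export."""
    findings = []
    for nsg in nsgs:
        explicit_deny = False
        for rule in nsg.get("securityRules", []):
            if rule.get("direction") != "Inbound":
                continue
            srcs, ports = _sources(rule), _ports(rule)
            if rule.get("access") == "Deny":
                # A custom Deny from * to * is the "primary deny" the checklist asks for.
                if "*" in srcs and "*" in ports:
                    explicit_deny = True
                continue
            if srcs & ANY_SOURCES and _touches_mgmt_port(ports):
                findings.append({"nsg": nsg["name"], "rule": rule["name"], "check": "open-mgmt-port",
                                 "detail": f"allow from {sorted(srcs)} to ports {sorted(ports)}"})
            literals = sorted(s for s in srcs - ANY_SOURCES if IP_LITERAL.match(s))
            if literals:
                findings.append({"nsg": nsg["name"], "rule": rule["name"], "check": "hardcoded-ip",
                                 "detail": f"source {literals}; prefer a service tag or ASG"})
        if not explicit_deny:
            findings.append({"nsg": nsg["name"], "rule": None, "check": "no-explicit-deny",
                             "detail": "add a lowest-priority inbound Deny * -> * rule"})
    return findings


# Constructed sample export (names and address ranges are placeholders).
SAMPLE_NSGS = json.loads("""
[
  {"name": "nsg-web-prod", "securityRules": [
    {"name": "AllowHttpsInternet", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "AllowRdpAny", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowOfficeIps", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["203.0.113.0/24"],
     "destinationPortRanges": ["22", "8000-8100"]},
    {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
  ]},
  {"name": "nsg-db-prod", "securityRules": [
    {"name": "AllowSqlFromVnet", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "1433"}
  ]}
]
""")

if __name__ == "__main__":
    # Usage: python audit_nsgs.py nsgs.json   (defaults to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_NSGS
    for f in audit_nsgs(data):
        print(f"{f['check']:17} {f['nsg']}/{f['rule']}: {f['detail']}")
```

On the sample the web NSG's HTTPS-from-Internet rule is not reported (that exposure is the point of a web tier), its RDP-from-anywhere rule and its IP-literal rule are, and the database NSG is reported only for lacking an explicit catch-all Deny. Whether a hard-coded source range is actually a problem depends on the business need the checklist refers to; the check flags it for review rather than as a defect.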

  • Restrict access to your databases; one or more of the following will suffice [2]:

  • Restrict access to your VMs; one or more of the following will suffice [2]:
    • Configure bastion hosts
    • Use Azure Bastion, the fully managed RDP/SSH service
    • Remove the public IP address from machines that should not be exposed to the internet
    • Use Just-in-time VM access from Azure [1]
  • Audit and remove excessive privileges held by service principals [4], in particular membership in these directory roles:
    • Global Administrator
    • Privileged Role Administrator
    • Privileged Authentication Administrator
  • Additionally, audit for any service principals that have been granted either of the following MS Graph app roles [4]:
    • RoleManagement.ReadWrite.Directory
    • AppRoleAssignment.ReadWrite.All
  • Protect your secrets; consider using Azure Key Vault [2]
    • Store secrets in Azure Key Vault
    • Use Managed Service Identities to connect to key vaults
  • Use a separate Azure subscription for production: this allows distinct RBAC roles and policies that enforce controls only on the non-production environment [2].
  • Configure a WAF, following the steps below [2]:
    • Place an Application Gateway or Front Door in front of your web application
    • Enable a web application firewall
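The two service-principal audit items (privileged directory roles, and the RoleManagement.ReadWrite.Directory / AppRoleAssignment.ReadWrite.All Graph app roles) can be checked from three Microsoft Graph exports. The following is an added example, not code from the checklist's author or from Microsoft. It assumes the inputs were exported from Graph v1.0 as `GET /directoryRoles?$expand=members`, the concatenated `GET /servicePrincipals/{id}/appRoleAssignments` responses, and the `appRoles` array of the Microsoft Graph service principal (used to map `appRoleId` GUIDs to permission names, since assignments carry only the GUID). Every GUID and principal name in the sample data is a constructed placeholder, not a real Microsoft identifier.

```python
"""Audit service principals for privileged directory roles and dangerous
Microsoft Graph app roles.

Added example, not part of the checklist. Input shapes follow the Microsoft
Graph v1.0 objects a practitioner would export:
  directory_roles      : GET /directoryRoles?$expand=members
  app_role_assignments : GET /servicePrincipals/{id}/appRoleAssignments, concatenated
  graph_app_roles      : the `appRoles` array of the Microsoft Graph service
                         principal, used to map appRoleId GUIDs to names
All GUIDs and names in the sample data are constructed placeholders.
"""

# The directory roles named in the checklist.
PRIVILEGED_DIRECTORY_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
}
# The Graph app roles named in the checklist.
DANGEROUS_GRAPH_APP_ROLES = {
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
}
SP_TYPE = "#microsoft.graph.servicePrincipal"


def audit_service_principals(directory_roles, app_role_assignments, graph_app_roles):
    """Return finding dicts {'principal', 'check', 'detail'}; users are out of scope here."""
    name_of = {r["id"]: r["value"] for r in graph_app_roles}  # appRoleId GUID -> permission name
    findings = []
    for role in directory_roles:
        if role.get("displayName") not in PRIVILEGED_DIRECTORY_ROLES:
            continue
        for member in role.get("members", []):
            if member.get("@odata.type") == SP_TYPE:
                findings.append({"principal": member["displayName"],
                                 "check": "privileged-directory-role",
                                 "detail": role["displayName"]})
    for asg in app_role_assignments:
        if asg.get("principalType") != "ServicePrincipal":
            continue
        permission = name_of.get(asg["appRoleId"], asg["appRoleId"])  # unknown GUIDs stay as-is
        if permission in DANGEROUS_GRAPH_APP_ROLES:
            findings.append({"principal": asg["principalDisplayName"],
                             "check": "dangerous-graph-app-role",
                             "detail": permission})
    return findings


# Constructed sample data. These GUIDs are placeholders, NOT the real Graph role ids.
ROLE_A1 = "00000000-0000-0000-0000-0000000000a1"
ROLE_A2 = "00000000-0000-0000-0000-0000000000a2"
ROLE_A3 = "00000000-0000-0000-0000-0000000000a3"
GRAPH_APP_ROLES = [
    {"id": ROLE_A1, "value": "RoleManagement.ReadWrite.Directory"},
    {"id": ROLE_A2, "value": "AppRoleAssignment.ReadWrite.All"},
    {"id": ROLE_A3, "value": "Mail.Read"},
]
DIRECTORY_ROLES = [
    {"displayName": "Global Administrator", "members": [
        {"@odata.type": "#microsoft.graph.user", "displayName": "alice@example.test"},
        {"@odata.type": SP_TYPE, "displayName": "legacy-sync-app"},
    ]},
    {"displayName": "Directory Readers", "members": [
        {"@odata.type": SP_TYPE, "displayName": "inventory-reader"},
    ]},
]
APP_ROLE_ASSIGNMENTS = [
    {"principalType": "ServicePrincipal", "principalDisplayName": "ci-deploy-bot",
     "appRoleId": ROLE_A2, "resourceDisplayName": "Microsoft Graph"},
    {"principalType": "ServicePrincipal", "principalDisplayName": "mailbox-scanner",
     "appRoleId": ROLE_A3, "resourceDisplayName": "Microsoft Graph"},
    {"principalType": "ServicePrincipal", "principalDisplayName": "legacy-sync-app",
     "appRoleId": ROLE_A1, "resourceDisplayName": "Microsoft Graph"},
]

if __name__ == "__main__":
    for f in audit_service_principals(DIRECTORY_ROLES, APP_ROLE_ASSIGNMENTS, GRAPH_APP_ROLES):
        print(f"{f['check']:26} {f['principal']}: {f['detail']}")
```

On the sample, `legacy-sync-app` is reported twice (Global Administrator membership and RoleManagement.ReadWrite.Directory), `ci-deploy-bot` once for AppRoleAssignment.ReadWrite.All, and the Mail.Read assignment and the Directory Readers member are not reported. Mapping GUIDs through the Graph service principal's own `appRoles` rather than a hard-coded table keeps the audit correct if Microsoft adds or renames permissions.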