Microsoft Azure has become the cloud platform of choice for a growing number of UK businesses, from small professional services firms to large enterprises. Its deep integration with Microsoft 365, Active Directory, and the broader Microsoft ecosystem makes it a natural extension for organisations already invested in Microsoft technologies. But migrating to Azure — or expanding your existing Azure footprint — introduces a new set of security responsibilities that many businesses underestimate.
Azure operates on a shared responsibility model. Microsoft secures the underlying infrastructure — the physical data centres, the hypervisors, the network fabric — but you are responsible for securing everything you build on top of it. Your virtual machines, your data, your identities, your network configurations, and your application code are all your responsibility. A misconfigured Azure environment can be just as vulnerable as an unsecured on-premises server, and the consequences of a breach can be equally severe.
This guide covers the essential security best practices that every UK business running workloads on Azure should implement, with specific attention to UK GDPR compliance, the NCSC Cloud Security Principles, and the practical realities of securing cloud infrastructure without a dedicated security operations centre.
The challenge for many UK businesses is that Azure security is not a single task to be completed but an ongoing discipline that touches every aspect of your cloud environment. It requires a structured approach that addresses identity management, network architecture, data protection, monitoring, compliance, and disaster recovery in a coordinated fashion. Addressing one area while neglecting others creates a false sense of security that can be more dangerous than having no security strategy at all, because it encourages complacency while leaving genuine vulnerabilities exposed.
Furthermore, the regulatory landscape in the United Kingdom adds layers of obligation that businesses cannot afford to ignore. UK GDPR imposes strict requirements on how personal data is processed, stored, and protected, with fines of up to four per cent of global annual turnover for serious violations. The ICO has demonstrated its willingness to enforce these penalties, and cloud misconfiguration is increasingly cited as a contributing factor in data breach investigations. Beyond GDPR, sector-specific regulations — such as FCA requirements for financial services firms and NHS Digital standards for healthcare organisations — impose additional controls that must be reflected in your Azure security posture.
Identity and Access Management
Identity is the new perimeter in cloud security. In an Azure environment, controlling who can access what — and under what conditions — is the single most important security measure you can implement. Every resource in Azure is accessed through Microsoft Entra ID (formerly Azure Active Directory), making it the foundation of your security posture.
Enforce Multi-Factor Authentication
Multi-factor authentication (MFA) should be mandatory for every user account that accesses your Azure environment, without exception. Microsoft's own data shows that MFA blocks 99.9% of account compromise attacks. For administrative accounts, MFA should be enforced with phishing-resistant methods such as FIDO2 security keys or the Microsoft Authenticator app with number matching — SMS-based MFA, while better than nothing, is vulnerable to SIM-swapping attacks and should be treated as a minimum rather than a standard.
When rolling out MFA across your organisation, take a phased approach that prioritises the highest-risk accounts first. Begin with all Global Administrator and Privileged Role Administrator accounts, then extend to all users with any administrative role, followed by all regular users. Configure break-glass emergency access accounts — typically two accounts with strong, unique passwords stored securely offline — that are excluded from MFA policies to ensure you can always access your tenant in an emergency. These accounts should be monitored closely, with alerts configured to trigger immediately if they are ever used.
Consider the user experience when selecting authentication methods. The Microsoft Authenticator app with push notifications and number matching offers the best balance of security and usability for most organisations. Hardware security keys such as YubiKeys provide the strongest protection for high-privilege accounts but add cost and logistical complexity. Whatever methods you choose, invest time in clear communication and training for your staff — resistance to MFA almost always stems from poor implementation and inadequate communication rather than fundamental opposition to the concept itself.
Implement Least Privilege Access
Every user and service account should have only the minimum permissions needed to perform their role. Azure's Role-Based Access Control (RBAC) provides granular permission management, and you should use it to assign specific roles rather than granting broad Owner or Contributor access. Review role assignments regularly and remove any that are no longer needed.
Use Conditional Access Policies
Conditional Access is one of Azure's most powerful security features. It allows you to define policies that control access based on conditions such as user location, device compliance status, application being accessed, risk level, and sign-in behaviour. For UK businesses, common Conditional Access policies include blocking access from outside the United Kingdom (or allowing it only with additional MFA), requiring compliant devices for access to sensitive applications, blocking legacy authentication protocols, and requiring MFA for all administrative actions.
Azure Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access to Azure resources and Microsoft Entra ID. Instead of permanently assigning admin roles, PIM allows users to activate elevated permissions only when they need them, for a defined period. This dramatically reduces the window of opportunity for attackers who compromise an admin account. PIM requires a Microsoft Entra ID P2 licence and is strongly recommended for any business with multiple Azure administrators.
Beyond individual Conditional Access policies, consider how identity security fits into a broader Zero Trust architecture. The Zero Trust model — which Microsoft actively promotes for Azure environments — operates on the principle of never trust, always verify. Every access request is authenticated, authorised, and encrypted regardless of where it originates. In practical terms, this means treating your internal network with the same level of suspicion as the public internet. Users connecting from your office network should still be required to authenticate with MFA and meet device compliance requirements, just as they would when working remotely. Zero Trust is not a product you purchase but a security philosophy that informs every configuration decision you make.
Service Principal and Managed Identity Security
Human identities are not the only accounts that need securing. Azure environments typically contain numerous service principals and application registrations that authenticate programmatically. These non-human identities are frequently overlooked in security reviews, yet they often have broad permissions and their credentials — client secrets or certificates — can be compromised just like passwords. Use Managed Identities wherever possible, as these eliminate the need for stored credentials entirely. For service principals that require client secrets, implement short expiry periods and automate rotation through Azure Key Vault. Audit all service principal permissions regularly and remove any that are no longer in active use.
Network Security
Azure networking is flexible and powerful, but its default configurations are not always secure. Proper network segmentation and access control are essential for protecting your Azure resources.
Network Security Groups
Network Security Groups (NSGs) act as virtual firewalls for your Azure virtual machines and subnets. They filter traffic based on source and destination IP addresses, ports, and protocols. Every subnet and network interface in your Azure environment should have an NSG attached, with rules that follow the principle of least privilege — only allow traffic that is explicitly required and deny everything else.
Effective NSG management requires discipline and documentation. Name your security groups consistently, document the purpose of every rule, and avoid using overly broad IP ranges or port ranges. Enable NSG flow logs and send them to a Log Analytics workspace — these logs are invaluable for troubleshooting connectivity issues, identifying unusual traffic patterns, and demonstrating compliance to auditors. Review your NSG rules at least quarterly to remove rules that were created for temporary purposes and never cleaned up. Over time, NSG rule sets tend to accumulate unnecessary entries that widen the attack surface, so regular housekeeping is essential.
For environments with multiple subnets, consider implementing a tiered network architecture that separates workloads by sensitivity level. Place web-facing resources in a front-end subnet with restrictive NSG rules, application servers in a middle tier, and databases in a back-end subnet that accepts traffic only from the application tier. This layered approach means that even if an attacker compromises a web server, they cannot directly access your database servers — they would need to move laterally through multiple security boundaries, each of which provides an opportunity for detection and containment.
Azure Firewall
For larger environments, Azure Firewall provides centralised network security with advanced features including threat intelligence-based filtering, TLS inspection, and application-level rules. It is a managed service, which means Microsoft handles the availability and scaling, reducing your operational burden. For UK businesses with compliance requirements, Azure Firewall's logging capabilities integrate directly with Azure Monitor and Microsoft Sentinel, providing the audit trail that regulators expect.
Private Endpoints
Wherever possible, use Private Endpoints to access Azure PaaS services (such as Azure SQL, Storage Accounts, and Key Vault) over private IP addresses within your virtual network rather than over the public internet. This eliminates the exposure of sensitive services to the public internet and significantly reduces the attack surface.
| Security Control | Purpose | Recommended For | Azure SKU Required |
|---|---|---|---|
| Network Security Groups | Subnet and VM-level traffic filtering | All Azure deployments | Free |
| Azure Firewall | Centralised network security | Multi-subnet environments | Standard or Premium |
| Private Endpoints | Private access to PaaS services | All PaaS service access | Standard pricing |
| Azure DDoS Protection | Distributed denial of service mitigation | Internet-facing workloads | Standard tier |
| Azure Bastion | Secure RDP/SSH without public IPs | All VM management | Basic or Standard |
| Web Application Firewall | OWASP threat protection | Web applications | Application Gateway WAF v2 |
Azure Bastion deserves particular attention as a security control for virtual machine management. Traditionally, administrators access Azure VMs via RDP or SSH, which requires the VMs to have public IP addresses or complex VPN configurations. Azure Bastion eliminates this requirement entirely by providing secure RDP and SSH access directly through the Azure portal over TLS. The virtual machine never needs a public IP address, and the management ports never need to be exposed to the internet. For any environment running Azure virtual machines, Bastion should be considered a baseline security requirement rather than an optional convenience.
When designing your Azure network topology, the hub-and-spoke model is widely regarded as best practice for multi-workload environments. The hub virtual network contains shared services — Azure Firewall, VPN Gateway, Azure Bastion, and any centralised monitoring infrastructure — whilst spoke virtual networks contain individual workloads peered to the hub. This architecture provides centralised security control and visibility whilst allowing individual workloads to be isolated from one another. Traffic between spokes must route through the hub, where it can be inspected and filtered by Azure Firewall. For UK businesses with on-premises infrastructure, the hub is also where you terminate your site-to-site VPN or ExpressRoute connection, providing a single, controlled entry point into your Azure environment.
Data Protection and Encryption
Protecting data in your Azure environment is not just a security best practice — it is a legal requirement under UK GDPR. The regulation requires appropriate technical and organisational measures to protect personal data, and encryption is one of the most fundamental technical measures available.
Encryption at Rest
Azure encrypts all data at rest by default using Microsoft-managed keys. However, for sensitive data and for compliance with stricter regulatory requirements, you should consider using customer-managed keys stored in Azure Key Vault. This gives you full control over the encryption keys, including the ability to rotate, disable, or revoke them. Customer-managed keys are particularly important for businesses in regulated sectors such as financial services and healthcare.
Encryption in Transit
Ensure that all data in transit is encrypted using TLS 1.2 or later. This applies to communications between your on-premises environment and Azure (typically via VPN or ExpressRoute), between Azure services, and between your users and Azure-hosted applications. Disable older TLS versions (1.0 and 1.1) on all Azure services — these are known to be vulnerable and should not be used.
Azure Security Best Practices
- MFA enforced for all users, phishing-resistant for admins
- Conditional Access policies blocking risky sign-ins
- RBAC with least-privilege role assignments
- Private Endpoints for all PaaS service access
- Customer-managed encryption keys in Key Vault
- Microsoft Defender for Cloud enabled and monitored
- Azure Policy enforcing compliance baselines
Common Azure Security Mistakes
- Multiple Global Admin accounts without PIM
- Storage accounts with public blob access enabled
- VMs with public IP addresses and open RDP ports
- No NSGs on subnets — all traffic flows freely
- Legacy authentication protocols still enabled
- Defender for Cloud recommendations ignored
- No backup or disaster recovery configuration
Data Classification and Azure Key Vault
Encryption alone is not sufficient for comprehensive data protection — you also need to understand what data you hold, where it resides, and how sensitive it is. Microsoft Purview provides automated data discovery and classification across your Azure environment, scanning storage accounts, databases, and file shares to identify sensitive information such as personal data, financial records, and intellectual property. Once classified, you can apply appropriate protection policies — ensuring that highly sensitive data receives stronger encryption, more restrictive access controls, and more detailed audit logging than general business data.
Azure Key Vault is the cornerstone of secrets management in any Azure environment. All application secrets, database connection strings, API keys, certificates, and encryption keys should be stored in Key Vault rather than in application configuration files, environment variables, or source code. Enable soft-delete and purge protection on all Key Vaults to prevent accidental or malicious deletion of critical secrets. Configure access policies using the principle of least privilege — each application should have access only to the specific secrets it requires, and no human user should have standing access to production secrets without a documented justification and an audit trail recording every access event.
Monitoring and Threat Detection
Security is not a one-time configuration exercise — it requires continuous monitoring and the ability to detect and respond to threats in real time. Azure provides several tools for this purpose.
Microsoft Defender for Cloud
Microsoft Defender for Cloud (formerly Azure Security Center) provides a unified security management view across your Azure resources. It continuously assesses your environment against security best practices and compliance standards, provides a Secure Score that quantifies your security posture, and generates actionable recommendations for improvement. Enable Defender for Cloud on all subscriptions and aim for a Secure Score of at least 80%.
Microsoft Sentinel
For more advanced threat detection, Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) solution that collects and analyses security data from across your entire environment — not just Azure, but also on-premises systems, Microsoft 365, and third-party services. Sentinel uses artificial intelligence and machine learning to identify threats that might be missed by traditional rule-based detection. While it adds cost, it provides the level of visibility and threat detection that regulators and cyber insurance providers increasingly expect.
Incident Response and Security Alerting
Detection without response is merely observation. Your monitoring infrastructure must be connected to a clear incident response process that defines who is notified when a security alert is raised, what severity levels warrant immediate action versus next-business-day investigation, and how incidents are escalated if they cannot be resolved quickly. Configure alert rules in Azure Monitor to notify your security team via email, SMS, or integration with your IT service management platform. For critical alerts — such as a new Global Administrator being created, a Conditional Access policy being disabled, or a large data export from a storage account — the notification should be immediate and impossible to overlook.
For businesses without a dedicated security operations centre, consider using Microsoft Defender for Cloud workflow automation to create automated responses to common security events. For example, you can configure a Logic App that automatically isolates a virtual machine from the network if Defender detects malicious activity, or that revokes a user session if an impossible-travel alert is triggered. These automated responses provide a safety net that buys your team time to investigate whilst limiting the potential damage from an active attack. Document your incident response procedures, test them through tabletop exercises at least annually, and update them as your Azure environment evolves.
UK GDPR and Data Residency Considerations
UK businesses using Azure must ensure that their cloud environment meets UK GDPR requirements. This includes understanding where your data is stored — Azure offers UK South and UK West data centre regions, and for UK GDPR compliance, you should configure your resources to use these regions wherever possible. While UK GDPR does not strictly prohibit storing data outside the UK, keeping data in UK regions simplifies your compliance position and avoids the complexities of international data transfer mechanisms.
Azure Policy can be used to enforce data residency requirements automatically. Create a policy that restricts resource deployment to the UK South and UK West regions, ensuring that no team member accidentally creates resources in a non-UK region. This is a simple but effective governance control that prevents compliance issues before they occur.
The NCSC publishes fourteen Cloud Security Principles that UK organisations should consider when evaluating and using cloud services. Azure provides detailed documentation mapping its controls to each of these principles. Key areas to focus on include: data in transit protection, asset protection and resilience, separation between customers, personnel security, secure service administration, audit and monitoring, and identity and authentication. Reviewing Microsoft's compliance documentation against these principles is an essential step for any UK business deploying workloads on Azure.
Beyond data residency, UK GDPR imposes specific obligations around data subject rights that directly affect how you architect your Azure environment. You must be able to respond to Subject Access Requests within one month, which means you need to know exactly where personal data is stored across your Azure subscriptions and be able to extract it efficiently. You must also support the right to erasure — the ability to delete an individual's personal data from all systems upon request. In complex Azure environments with data spread across multiple databases, storage accounts, and application caches, fulfilling these obligations can be technically challenging unless you have planned for them from the outset.
Conduct Data Protection Impact Assessments before deploying new Azure workloads that process personal data at scale. A DPIA systematically analyses how personal data flows through your Azure environment, identifies privacy risks, and documents the measures you have put in place to mitigate them. Azure's compliance documentation and data processing agreements support this process, but the assessment itself is your responsibility. For businesses handling special category data — such as health information, biometric data, or data relating to criminal convictions — DPIAs are not merely recommended but legally required under UK GDPR. Maintaining a register of processing activities and keeping it aligned with your actual Azure configuration is an ongoing obligation that requires regular review.
Backup and Disaster Recovery
The shared responsibility model means that while Microsoft ensures the availability of the Azure platform, you are responsible for backing up your data and planning for disaster recovery. Azure Backup provides a managed backup service for virtual machines, databases, and file shares. Azure Site Recovery provides disaster recovery orchestration, enabling you to replicate workloads to a secondary region and fail over automatically if the primary region becomes unavailable.
For UK businesses, a common approach is to use UK South as the primary region and UK West as the disaster recovery region. This keeps all data within the UK while providing geographic redundancy. Test your disaster recovery plan regularly — at least quarterly — to ensure that it works when you need it.
Need Help Securing Your Azure Environment?
Cloudswitched is a Microsoft Solutions Partner with deep expertise in Azure security. We help UK businesses configure, monitor, and maintain secure Azure environments — from initial setup through to ongoing compliance management. Protect your cloud investment with expert guidance.
GET IN TOUCH
CloudSwitched
London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.
