Microsoft Azure has become the cloud platform of choice for a growing number of UK businesses, from small professional services firms to large enterprises. Its deep integration with Microsoft 365, Active Directory, and the broader Microsoft ecosystem makes it a natural extension for organisations already invested in Microsoft technologies. But migrating to Azure — or expanding your existing Azure footprint — introduces a new set of security responsibilities that many businesses underestimate.
Azure operates on a shared responsibility model. Microsoft secures the underlying infrastructure — the physical data centres, the hypervisors, the network fabric — but you are responsible for securing everything you build on top of it. Your virtual machines, your data, your identities, your network configurations, and your application code are all your responsibility. A misconfigured Azure environment can be just as vulnerable as an unsecured on-premises server, and the consequences of a breach can be equally severe.
This guide covers the essential security best practices that every UK business running workloads on Azure should implement, with specific attention to UK GDPR compliance, the NCSC Cloud Security Principles, and the practical realities of securing cloud infrastructure without a dedicated security operations centre.
Identity and Access Management
Identity is the new perimeter in cloud security. In an Azure environment, controlling who can access what — and under what conditions — is the single most important security measure you can implement. Every resource in Azure is accessed through Microsoft Entra ID (formerly Azure Active Directory), making it the foundation of your security posture.
Enforce Multi-Factor Authentication
Multi-factor authentication (MFA) should be mandatory for every user account that accesses your Azure environment, without exception. Microsoft's own data shows that MFA blocks 99.9% of account compromise attacks. For administrative accounts, MFA should be enforced with phishing-resistant methods such as FIDO2 security keys or the Microsoft Authenticator app with number matching — SMS-based MFA, while better than nothing, is vulnerable to SIM-swapping attacks and should be treated as a minimum rather than a standard.
Implement Least Privilege Access
Every user and service account should have only the minimum permissions needed to perform their role. Azure's Role-Based Access Control (RBAC) provides granular permission management, and you should use it to assign specific roles rather than granting broad Owner or Contributor access. Review role assignments regularly and remove any that are no longer needed.
Use Conditional Access Policies
Conditional Access is one of Azure's most powerful security features. It allows you to define policies that control access based on conditions such as user location, device compliance status, application being accessed, risk level, and sign-in behaviour. For UK businesses, common Conditional Access policies include blocking access from outside the United Kingdom (or allowing it only with additional MFA), requiring compliant devices for access to sensitive applications, blocking legacy authentication protocols, and requiring MFA for all administrative actions.
Use Privileged Identity Management
Azure Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access to Azure resources and Microsoft Entra ID. Instead of permanently assigning admin roles, PIM allows users to activate elevated permissions only when they need them, for a defined period. This dramatically reduces the window of opportunity for attackers who compromise an admin account. PIM requires a Microsoft Entra ID P2 licence and is strongly recommended for any business with multiple Azure administrators.
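The two identity controls described above, a narrowly scoped RBAC assignment and PIM eligibility in place of a standing admin role, as an added Bicep example that is not part of the original article. The principal object IDs, the resource names and the 90-day eligibility window are assumptions for the example; the two role definition GUIDs are Azure's fixed built-in Reader and Contributor roles.

```bicep
// Added example (not from the original article): least-privilege RBAC plus a
// PIM-eligible (just-in-time) Contributor assignment, deployed at resource-group scope.
// Principal object IDs and names are placeholders for the example.
targetScope = 'resourceGroup'

@description('Object ID of the service principal that only needs to read this resource group')
param readerPrincipalId string

@description('Object ID of the administrator who may activate Contributor through PIM')
param adminPrincipalId string

// utcNow() is only permitted as a parameter default in Bicep.
param eligibilityStart string = utcNow('yyyy-MM-ddTHH:mm:ssZ')

// Built-in role definition IDs are the same GUIDs in every Azure tenant.
var readerRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
var contributorRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')

// 1. Permanent but narrow: Reader on this resource group only, not Contributor or Owner
//    on the whole subscription.
resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Role assignment names must be GUIDs; deriving one from scope + principal + role
  // keeps repeat deployments idempotent.
  name: guid(resourceGroup().id, readerPrincipalId, readerRoleId)
  properties: {
    principalId: readerPrincipalId
    roleDefinitionId: readerRoleId
    principalType: 'ServicePrincipal'
  }
}

// 2. PIM eligibility instead of a standing Contributor assignment (needs the Microsoft
//    Entra ID P2 licence): the admin holds no permissions until they activate the role,
//    and the eligibility itself expires after 90 days so it has to be consciously renewed.
resource contributorEligibility 'Microsoft.Authorization/roleEligibilityScheduleRequests@2020-10-01' = {
  name: guid(resourceGroup().id, adminPrincipalId, contributorRoleId, 'eligible')
  properties: {
    principalId: adminPrincipalId
    roleDefinitionId: contributorRoleId
    requestType: 'AdminAssign'
    scheduleInfo: {
      startDateTime: eligibilityStart
      expiration: {
        type: 'AfterDuration'
        duration: 'P90D'
      }
    }
    justification: 'Eligible Contributor for change windows; activation settings (MFA, approval, max duration) are governed by the PIM role settings'
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters readerPrincipalId=<id> adminPrincipalId=<id>`. Activation requirements such as MFA, approval and maximum activation time are not part of the eligibility request; they are set once per role in the PIM role settings.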
Network Security
Azure networking is flexible and powerful, but its default configurations are not always secure. Proper network segmentation and access control are essential for protecting your Azure resources.
Network Security Groups
Network Security Groups (NSGs) act as virtual firewalls for your Azure virtual machines and subnets. They filter traffic based on source and destination IP addresses, ports, and protocols. Every subnet and network interface in your Azure environment should have an NSG attached, with rules that follow the principle of least privilege — only allow traffic that is explicitly required and deny everything else.
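The least-privilege NSG described above, as an added Bicep example that is not part of the original article. It assumes an existing VNet named vnet-prod whose snet-app subnet is 10.10.1.0/24, an Application Gateway in 10.10.0.0/24 and Azure Bastion in 10.10.255.0/26; all of those names and prefixes are assumptions.

```bicep
// Added example (not from the original article): a subnet NSG that allows only the
// traffic the workload needs and denies everything else.
// Assumed names and address ranges: vnet-prod / snet-app, App Gateway and Bastion subnets.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param appSubnetPrefix string = '10.10.1.0/24'
param appGatewayPrefix string = '10.10.0.0/24'
param bastionPrefix string = '10.10.255.0/26'

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: 'vnet-prod'
}

// Rules are evaluated lowest priority number first and the first match wins. Azure's
// default rules sit at 65000+ and include AllowVnetInBound (all VNet traffic allowed),
// so without the explicit DenyAllInbound at 4096 any peer in the VNet could reach every port.
resource appNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-snet-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowHttpsFromAppGateway'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: appGatewayPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: appSubnetPrefix
          destinationPortRange: '443'
        }
      }
      {
        // Management only from Azure Bastion: no public IP on the VM and no 0.0.0.0/0 RDP/SSH rule.
        name: 'AllowSshRdpFromBastion'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: bastionPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: appSubnetPrefix
          destinationPortRanges: [
            '22'
            '3389'
          ]
        }
      }
      {
        // Keep Azure Load Balancer health probes working (service tag, not an IP range).
        name: 'AllowAzureLoadBalancerProbes'
        properties: {
          priority: 120
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        name: 'DenyAllInbound'
        properties: {
          priority: 4096
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Attach the NSG to the subnet. A subnet is redeployed whole, so restate its prefix and
// any other settings it already has (delegations, service endpoints) or they are removed.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: vnet
  name: 'snet-app'
  properties: {
    addressPrefix: appSubnetPrefix
    networkSecurityGroup: {
      id: appNsg.id
    }
  }
}
```

The ordering matters: a rule at 4096 still sits below Azure's 65000-series defaults, so it is what turns the default-allow VNet behaviour into deny-by-default, while the lower-numbered Allow rules carve out the only permitted paths.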
Azure Firewall
For larger environments, Azure Firewall provides centralised network security with advanced features including threat intelligence-based filtering, TLS inspection, and application-level rules. It is a managed service, which means Microsoft handles the availability and scaling, reducing your operational burden. For UK businesses with compliance requirements, Azure Firewall's logging capabilities integrate directly with Azure Monitor and Microsoft Sentinel, providing the audit trail that regulators expect.
Private Endpoints
Wherever possible, use Private Endpoints to access Azure PaaS services (such as Azure SQL, Storage Accounts, and Key Vault) over private IP addresses within your virtual network rather than over the public internet. This eliminates the exposure of sensitive services to the public internet and significantly reduces the attack surface.
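A Private Endpoint for a storage account's blob service, together with the Private DNS zone that makes the private IP actually get used, as an added Bicep example that is not part of the original article. It assumes an existing VNet named vnet-prod with a subnet snet-pe and an existing storage account passed in by name; those names are assumptions.

```bicep
// Added example (not from the original article): reach a storage account's blob service
// over a Private Endpoint and register its private IP in a Private DNS zone so that the
// account's public hostname resolves to the private address from inside the VNet.
// Assumed names: vnet-prod, snet-pe, and an existing storage account.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param storageAccountName string

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: 'vnet-prod'
  resource peSubnet 'subnets' existing = {
    name: 'snet-pe'
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// The endpoint: a NIC in snet-pe whose private IP maps to the 'blob' sub-resource.
resource blobPe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: {
      id: vnet::peSubnet.id
    }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [
            'blob'
          ]
        }
      }
    ]
  }
}

// DNS: without this zone, clients still resolve <account>.blob.core.windows.net to the
// public IP and the endpoint is never used. environment().suffixes.storage is
// 'core.windows.net' in public Azure.
resource blobZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource blobZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobZone
  name: 'link-vnet-prod'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: vnet.id
    }
    registrationEnabled: false
  }
}

// The zone group makes Azure create and maintain the A record for the endpoint's private IP.
resource blobZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: blobPe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: {
          privateDnsZoneId: blobZone.id
        }
      }
    ]
  }
}
```

The endpoint alone does not close the public endpoint of the account: set the storage account's `publicNetworkAccess` to `Disabled` (or restrict its network ACLs) once traffic is confirmed to flow privately, otherwise the public path remains reachable alongside the private one.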
| Security Control | Purpose | Recommended For | Azure SKU Required |
|---|---|---|---|
| Network Security Groups | Subnet and VM-level traffic filtering | All Azure deployments | Free |
| Azure Firewall | Centralised network security | Multi-subnet environments | Standard or Premium |
| Private Endpoints | Private access to PaaS services | All PaaS service access | Standard pricing |
| Azure DDoS Protection | Distributed denial of service mitigation | Internet-facing workloads | Standard tier |
| Azure Bastion | Secure RDP/SSH without public IPs | All VM management | Basic or Standard |
| Web Application Firewall | OWASP threat protection | Web applications | Application Gateway WAF v2 |
Data Protection and Encryption
Protecting data in your Azure environment is not just a security best practice — it is a legal requirement under UK GDPR. The regulation requires appropriate technical and organisational measures to protect personal data, and encryption is one of the most fundamental technical measures available.
Encryption at Rest
Azure encrypts all data at rest by default using Microsoft-managed keys. However, for sensitive data and for compliance with stricter regulatory requirements, you should consider using customer-managed keys stored in Azure Key Vault. This gives you full control over the encryption keys, including the ability to rotate, disable, or revoke them. Customer-managed keys are particularly important for businesses in regulated sectors such as financial services and healthcare.
Encryption in Transit
Ensure that all data in transit is encrypted using TLS 1.2 or later. This applies to communications between your on-premises environment and Azure (typically via VPN or ExpressRoute), between Azure services, and between your users and Azure-hosted applications. Disable older TLS versions (1.0 and 1.1) on all Azure services — these are known to be vulnerable and should not be used.
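Encryption at rest with a customer-managed key in Key Vault and TLS 1.2 enforced in transit, as an added Bicep example that is not part of the original article. The resource names are assumptions; the role definition GUID is Azure's built-in "Key Vault Crypto Service Encryption User" role.

```bicep
// Added example (not from the original article): a storage account that enforces TLS 1.2,
// refuses HTTP and anonymous blob access, and encrypts at rest with a customer-managed key
// held in Key Vault. Names are assumptions for the example.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param storageAccountName string
param keyVaultName string

// Identity the storage service uses to reach the key; user-assigned so it exists before the account.
resource storageIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-${storageAccountName}-cmk'
  location: location
}

// Soft delete + purge protection are mandatory for CMK: losing the key means losing the data.
// The firewall denies by default but lets trusted Azure services (including Storage) through.
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Deny'
    }
  }
}

// Key Vault rotates the key automatically 30 days before each one-year expiry.
resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: keyVault
  name: 'storage-cmk'
  properties: {
    kty: 'RSA'
    keySize: 3072
    rotationPolicy: {
      lifetimeActions: [
        {
          trigger: {
            timeBeforeExpiry: 'P30D'
          }
          action: {
            type: 'rotate'
          }
        }
      ]
      attributes: {
        expiryTime: 'P1Y'
      }
    }
  }
}

// Least privilege on the key: Crypto Service Encryption User can get/wrap/unwrap, nothing else.
resource cmkRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, storageIdentity.id, 'e147488a-f6f5-4113-8e2d-b22465e65bf6')
  scope: keyVault
  properties: {
    principalId: storageIdentity.properties.principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')
    principalType: 'ServicePrincipal'
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_GRS'   // UK South pairs with UK West, so replicas stay in the UK
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${storageIdentity.id}': {}
    }
  }
  properties: {
    minimumTlsVersion: 'TLS1_2'        // rejects TLS 1.0 / 1.1 clients
    supportsHttpsTrafficOnly: true     // no plaintext HTTP
    allowBlobPublicAccess: false       // no anonymous container or blob reads
    allowSharedKeyAccess: false        // Entra ID auth only; no account keys to leak
    encryption: {
      keySource: 'Microsoft.Keyvault'
      requireInfrastructureEncryption: true
      identity: {
        userAssignedIdentity: storageIdentity.id
      }
      keyvaultproperties: {
        keyname: cmk.name
        keyvaulturi: keyVault.properties.vaultUri
        // no keyversion: the account follows the newest key version after each rotation
      }
      services: {
        blob: {
          enabled: true
          keyType: 'Account'
        }
        file: {
          enabled: true
          keyType: 'Account'
        }
      }
    }
  }
  dependsOn: [
    cmkRole
  ]
}
```

The explicit `dependsOn` matters: the storage service validates that it can wrap with the key during creation, so the role assignment must already exist. RBAC propagation can lag by a minute or so; if the first deployment fails at the encryption step, re-running it is the usual fix.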
Azure Security Best Practices
- MFA enforced for all users, phishing-resistant for admins
- Conditional Access policies blocking risky sign-ins
- RBAC with least-privilege role assignments
- Private Endpoints for all PaaS service access
- Customer-managed encryption keys in Key Vault
- Microsoft Defender for Cloud enabled and monitored
- Azure Policy enforcing compliance baselines
Common Azure Security Mistakes
- Multiple Global Admin accounts without PIM
- Storage accounts with public blob access enabled
- VMs with public IP addresses and open RDP ports
- No NSGs on subnets — all traffic flows freely
- Legacy authentication protocols still enabled
- Defender for Cloud recommendations ignored
- No backup or disaster recovery configuration
Monitoring and Threat Detection
Security is not a one-time configuration exercise — it requires continuous monitoring and the ability to detect and respond to threats in real time. Azure provides several tools for this purpose.
Microsoft Defender for Cloud
Microsoft Defender for Cloud (formerly Azure Security Center) provides a unified security management view across your Azure resources. It continuously assesses your environment against security best practices and compliance standards, provides a Secure Score that quantifies your security posture, and generates actionable recommendations for improvement. Enable Defender for Cloud on all subscriptions and aim for a Secure Score of at least 80%.
Microsoft Sentinel
For more advanced threat detection, Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) solution that collects and analyses security data from across your entire environment — not just Azure, but also on-premises systems, Microsoft 365, and third-party services. Sentinel uses artificial intelligence and machine learning to identify threats that might be missed by traditional rule-based detection. While it adds cost, it provides the level of visibility and threat detection that regulators and cyber insurance providers increasingly expect.
UK GDPR and Data Residency Considerations
UK businesses using Azure must ensure that their cloud environment meets UK GDPR requirements. This includes understanding where your data is stored — Azure offers UK South and UK West data centre regions, and for UK GDPR compliance, you should configure your resources to use these regions wherever possible. While UK GDPR does not strictly prohibit storing data outside the UK, keeping data in UK regions simplifies your compliance position and avoids the complexities of international data transfer mechanisms.
Azure Policy can be used to enforce data residency requirements automatically. Create a policy that restricts resource deployment to the UK South and UK West regions, ensuring that no team member accidentally creates resources in a non-UK region. This is a simple but effective governance control that prevents compliance issues before they occur.
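The residency guard-rail described above, a subscription-scoped Azure Policy that denies deployments outside UK South and UK West, as an added Bicep example that is not part of the original article. The definition and assignment names are assumptions; the rule mirrors the shape of Azure's built-in "Allowed locations" policy so that location-less and "global" resources are not blocked.

```bicep
// Added example (not from the original article): deny any resource deployed outside the
// UK regions, enforced at subscription scope. Definition/assignment names are assumptions.
targetScope = 'subscription'

param allowedLocations array = [
  'uksouth'
  'ukwest'
]

resource ukOnlyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-non-uk-locations'
  properties: {
    policyType: 'Custom'
    // Indexed mode evaluates only resource types that carry a location, and the
    // 'global' clause below skips services such as DNS zones that have no region.
    mode: 'Indexed'
    displayName: 'Allowed locations: UK only'
    description: 'Resources must be deployed to UK South or UK West for UK GDPR data residency.'
    parameters: {
      allowedLocations: {
        type: 'Array'
        metadata: {
          displayName: 'Allowed locations'
          strongType: 'location'
        }
      }
    }
    // Strings that begin with '[' are policy-language expressions, not Bicep ones;
    // Bicep escapes them as '[[' in the emitted ARM JSON so Policy evaluates them.
    policyRule: {
      if: {
        allOf: [
          {
            field: 'location'
            notIn: '[parameters(\'allowedLocations\')]'
          }
          {
            field: 'location'
            notEquals: 'global'
          }
        ]
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

resource ukOnlyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-non-uk-locations'
  properties: {
    displayName: 'Deny resources outside UK South / UK West'
    policyDefinitionId: ukOnlyDefinition.id
    // 'DoNotEnforce' would only report non-compliance; useful for a first dry run
    // before switching to 'Default', which blocks the deployment.
    enforcementMode: 'Default'
    parameters: {
      allowedLocations: {
        value: allowedLocations
      }
    }
  }
}
```

Deploy with `az deployment sub create --location uksouth --template-file policy.bicep`. Resource groups are not evaluated in Indexed mode, so a second policy with `mode: 'All'` and a `type` equals `Microsoft.Resources/resourceGroups` condition is needed if resource-group locations must be pinned too.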
The NCSC publishes fourteen Cloud Security Principles that UK organisations should consider when evaluating and using cloud services. Azure provides detailed documentation mapping its controls to each of these principles. Key areas to focus on include: data in transit protection, asset protection and resilience, separation between customers, personnel security, secure service administration, audit and monitoring, and identity and authentication. Reviewing Microsoft's compliance documentation against these principles is an essential step for any UK business deploying workloads on Azure.
Backup and Disaster Recovery
The shared responsibility model means that while Microsoft ensures the availability of the Azure platform, you are responsible for backing up your data and planning for disaster recovery. Azure Backup provides a managed backup service for virtual machines, databases, and file shares. Azure Site Recovery provides disaster recovery orchestration, enabling you to replicate workloads to a secondary region and fail over automatically if the primary region becomes unavailable.
For UK businesses, a common approach is to use UK South as the primary region and UK West as the disaster recovery region. This keeps all data within the UK while providing geographic redundancy. Test your disaster recovery plan regularly — at least quarterly — to ensure that it works when you need it.
Need Help Securing Your Azure Environment?
Cloudswitched is a Microsoft Solutions Partner with deep expertise in Azure security. We help UK businesses configure, monitor, and maintain secure Azure environments — from initial setup through to ongoing compliance management. Protect your cloud investment with expert guidance.