
Secure your Azure environment, properly.

Microsoft Azure is a powerful platform. Securing it requires specialised knowledge that goes well beyond what generalist security consultants can provide. Cliffside's Azure security team brings deep expertise in the Microsoft security stack: Defender for Cloud, Sentinel, Entra ID, and the architecture patterns that determine whether your Azure environment is secure or exposed.

80% of Azure security incidents trace to identity misconfigurations
99.9% of account compromises blocked by properly configured MFA
5–10 business days for a typical Azure security review

End-to-end Azure security services.

Azure architecture review

Assessment of your Azure environment against Microsoft's Cloud Adoption Framework and Well-Architected Framework security pillar, identifying structural weaknesses and design debt.

Entra ID (Azure AD) hardening

Identity is the new perimeter in Azure. We assess and harden your Entra ID configuration, conditional access, MFA, privileged identity management, and guest access controls.

Defender for Cloud

Configuration and tuning of Microsoft Defender for Cloud, ensuring your workload protections, security posture management, and alert configurations are actually working for your environment.

Microsoft Sentinel

Sentinel deployment, data connector configuration, analytics rules, and incident response playbooks, building a SIEM that gives you meaningful signal, not just noise.

Misconfiguration remediation

Identification and remediation of common Azure misconfigurations: overly permissive storage accounts, exposed management ports, missing encryption, and weak identity controls.

Compliance & governance

Azure Policy, management groups, and governance controls to ensure your environment stays compliant with ISO 27001, APRA CPS 234, Essential Eight, and internal security standards.

The Azure security issues we find most often.

Every Azure environment we review has configuration issues. Most are not exotic vulnerabilities. They are predictable misconfigurations that accumulate as organisations grow their Azure footprint without dedicated security oversight. These are the patterns we see repeatedly across Australian organisations:

  • Entra ID conditional access gaps. MFA enforced for some users but not all. Legacy authentication protocols still permitted. Conditional access policies that exclude break-glass accounts or service principals, creating bypass paths that attackers actively target.
  • Over-permissioned identities. Users and service principals with Owner or Contributor roles at subscription scope when they only need access to specific resource groups. Privileged Identity Management either not enabled or configured with permanent assignments instead of just-in-time elevation.
  • Storage accounts exposed to the internet. Blob containers with public access enabled, storage accounts without private endpoints, and shared access signatures with excessive permissions or no expiry dates.
  • Defender for Cloud partially deployed. Defender enabled for some workload types but not others. Secure score recommendations acknowledged but not actioned. Alert suppression rules that hide genuine findings alongside false positives.
  • Network security gaps. Network security groups with overly broad inbound rules (0.0.0.0/0 on management ports). Missing application-layer protections on internet-facing workloads. Virtual networks without proper segmentation between production and development environments.
  • Logging blind spots. Diagnostic settings not configured for critical resources. Activity logs retained for the default 90 days instead of the 12 months required by most compliance frameworks. Sentinel deployed but missing data connectors for key Azure services.
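The exposure items in this list can be checked mechanically against an exported configuration. What follows is an added example, not Cliffside's tooling and not an Azure API: it runs the NSG, storage account and SAS checks over a constructed snapshot whose shape only loosely mirrors ARM resource properties (that shape, and every name in it, is an assumption).

```python
from urllib.parse import parse_qs

MGMT_PORTS = {"22", "3389", "5985", "5986"}     # SSH, RDP, WinRM
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}     # source prefixes meaning "anyone"

def check_nsg(nsg):
    # Inbound Allow rules reaching a management port (or all ports) from any source
    return [f"{nsg['name']}/{r['name']}: {r['sourceAddressPrefix']} -> {r['destinationPortRange']}"
            for r in nsg["securityRules"]
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["sourceAddressPrefix"] in ANY_SOURCE
            and r["destinationPortRange"] in MGMT_PORTS | {"*"}]

def check_storage(acct):
    # Anonymous blob access, or internet-reachable with no private endpoint
    p, out = acct["properties"], []
    if p.get("allowBlobPublicAccess", True):    # older accounts defaulted to True
        out.append(f"{acct['name']}: anonymous blob access allowed")
    if p.get("publicNetworkAccess", "Enabled") == "Enabled" and not p.get("privateEndpointConnections"):
        out.append(f"{acct['name']}: public network access, no private endpoint")
    return out

def check_sas(name, sas):
    # SAS query string with no expiry (se) or write-class permissions (sp)
    q, out = {k: v[0] for k, v in parse_qs(sas).items()}, []
    if "se" not in q:
        out.append(f"{name}: SAS token has no expiry")
    if set(q.get("sp", "")) & set("wdac"):      # write, delete, add, create
        out.append(f"{name}: SAS grants write-class permissions ({q['sp']})")
    return out

def audit(snap):
    # Run every check over a snapshot dict and return the combined findings
    return ([f for n in snap["nsgs"] for f in check_nsg(n)]
            + [f for a in snap["storageAccounts"] for f in check_storage(a)]
            + [f for n, s in snap["sasTokens"].items() for f in check_sas(n, s)])

# Constructed sample snapshot (not from any real tenant); the shape is an assumption
SAMPLE = {
    "nsgs": [{"name": "nsg-web", "securityRules": [
        {"name": "allow-rdp", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
        {"name": "allow-https", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}]}],
    "storageAccounts": [{"name": "stprodlogs", "properties": {
        "allowBlobPublicAccess": True, "publicNetworkAccess": "Enabled",
        "privateEndpointConnections": []}}],
    "sasTokens": {"exports-sas": "sv=2022-11-02&sp=rwdl&sr=c&sig=REDACTED"},
}
```

Running `audit(SAMPLE)` yields five findings: the RDP rule, both storage exposures, and the SAS token's missing expiry and write permissions; the HTTPS rule on 443 is correctly left alone.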

Azure secures the platform. You secure what's in it.

Microsoft's shared responsibility model is straightforward in principle but frequently misunderstood in practice. Microsoft secures the physical infrastructure, the hypervisor, and the platform services. You are responsible for everything above that: identity configuration, access controls, data classification, network rules, workload hardening, and detection and response.

This distinction matters because Microsoft holds ISO 27001 certification and IRAP PROTECTED assessment for Azure infrastructure. But those certifications cover Microsoft's controls, not yours. Your APRA CPS 234 obligations, your Essential Eight maturity targets, and your ISO 27001 ISMS scope all depend on how you configure and operate the platform, not on the platform's own certifications.

The practical consequence: when an auditor or regulator asks about your cloud security posture, "we use Azure" is not an answer. You need to demonstrate that your specific configurations meet the control requirements. That is what our Azure security review delivers.

Our Azure security review process.

Cliffside's Azure security review combines automated scanning with manual expert analysis. Automated tools catch known misconfigurations at scale. Manual review catches architectural weaknesses, identity model flaws, and compliance gaps that no scanner can assess.

01
Scoping

We map your Azure subscription structure, identify the workloads in scope, and agree on the frameworks and compliance requirements that apply to your environment.

02
Automated & manual analysis

We run automated configuration checks across Entra ID, Defender for Cloud, networking, storage, and Key Vault, then layer manual analysis to identify risks that automated tools miss.

03
Architecture review

We assess your overall Azure architecture: management group hierarchy, network design, identity model, encryption approach, and detection capability against your threat model.

04
Findings & risk rating

Every finding is documented with evidence, mapped to the relevant compliance framework, and rated by business risk. We separate critical identity and exposure issues from low-priority hygiene items.

05
Remediation roadmap & debrief

A prioritised remediation plan with effort estimates, quick wins, and dependencies. Followed by a technical debrief with your engineering team and an executive summary for leadership.

Entra ID and the identity perimeter.

In Azure, identity is the primary security boundary. Unlike traditional network-perimeter security, Azure's control plane is accessed entirely through Entra ID (formerly Azure Active Directory). If your Entra ID configuration is weak, your entire Azure environment is exposed regardless of how well you have configured everything else.

Our Entra ID assessment covers the controls that matter most:

  • Conditional access policies. Are they comprehensive? Do they cover all user types, all applications, and all access scenarios? Are legacy authentication protocols blocked?
  • Privileged Identity Management (PIM). Are privileged roles assigned permanently or through just-in-time activation? Are approval workflows and access reviews configured for Global Administrator and other high-impact roles?
  • Guest and external access. Who has been invited to your tenant? What can they access? Are B2B collaboration settings appropriately restricted?
  • Application registrations and service principals. What permissions have been granted to applications? Are there stale app registrations with credentials that have not been rotated?
  • Authentication methods. Is phishing-resistant MFA (FIDO2 keys, Windows Hello for Business, certificate-based authentication) available for privileged users, or are you relying solely on push notifications that can be bypassed through MFA fatigue attacks?
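An added example, not part of the page or of any Cliffside deliverable, that turns the conditional access questions above (and the policy gaps listed earlier under "The Azure security issues we find most often") into checks over a constructed policy set shaped loosely like Microsoft Graph conditionalAccessPolicy objects. The break-glass account names and the comparison on the authentication strength's displayName are assumptions.

```python
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}   # Graph clientAppTypes used by legacy auth
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template id
BREAK_GLASS = {"bg-admin-1@contoso.example"}       # constructed: the only exclusion allowed

def enforced(p):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies enforce nothing
    return p["state"] == "enabled"

def all_users(p):
    return "All" in p["conditions"]["users"].get("includeUsers", [])

def grants(p, control):
    return control in p.get("grantControls", {}).get("builtInControls", [])

def analyse(policies):
    # Returns a list of gap descriptions for a tenant's conditional access policy set
    gaps = [f"{p['displayName']}: report-only, enforces nothing" for p in policies
            if p["state"] == "enabledForReportingButNotEnforced"]
    mfa_all = [p for p in policies if enforced(p) and all_users(p) and grants(p, "mfa")]
    if not mfa_all:
        gaps.append("no enforced policy requires MFA for all users")
    for p in mfa_all:
        extra = set(p["conditions"]["users"].get("excludeUsers", [])) - BREAK_GLASS
        if extra:   # every exclusion that is not a break-glass account is a bypass path
            gaps.append(f"{p['displayName']}: excludes {sorted(extra)} beyond break-glass")
    if not any(enforced(p) and all_users(p) and grants(p, "block")
               and LEGACY_CLIENTS <= set(p["conditions"].get("clientAppTypes", []))
               for p in policies):
        gaps.append("legacy authentication is not blocked for all users")
    if not any(enforced(p) and GLOBAL_ADMIN in p["conditions"]["users"].get("includeRoles", [])
               and p.get("grantControls", {}).get("authenticationStrength", {})
               .get("displayName") == "Phishing-resistant MFA" for p in policies):
        gaps.append("Global Administrator is not held to phishing-resistant MFA")
    return gaps

# Constructed sample policy set (not from any real tenant); shape loosely mirrors Graph
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [
                        "bg-admin-1@contoso.example", "svc-automation@contoso.example"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]
```

On the sample set `analyse` reports four gaps: the report-only legacy-auth policy, the non-break-glass exclusion on the MFA policy, legacy authentication consequently still allowed, and no phishing-resistant requirement on Global Administrator.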

Azure controls mapped to Australian compliance frameworks.

If your organisation is implementing Essential Eight or pursuing ISO 27001 certification, your Azure environment is a significant part of the control scope. The good news is that Azure provides native capabilities that support most of the controls these frameworks require. The challenge is configuring them correctly and maintaining evidence.

Essential Eight mapping: Entra ID conditional access supports the multi-factor authentication strategy. Microsoft Defender for Endpoint and Intune support application control and user application hardening. Azure Update Manager and Defender for Cloud support patching operating systems and applications. Entra ID PIM directly supports restricting administrative privileges. Azure Backup and immutable storage support regular backups.

ISO 27001 Annex A mapping: Entra ID covers A.9 (access control). Azure Policy and management groups cover A.5 (information security policies). Azure Monitor and Sentinel cover A.12 (operations security) and A.16 (incident management). Azure Key Vault covers A.10 (cryptography). Network security groups and Azure Firewall cover A.13 (communications security).

Our Azure security review includes a compliance mapping deliverable that shows exactly where your Azure configuration meets, partially meets, or fails to meet each relevant control. This gives you audit-ready evidence and a clear remediation roadmap for the gaps.

"We engaged with Cliffside Cybersecurity to help us with security testing and assurance activities, and they've been amazing. Their team is very knowledgeable and experienced. They don't just follow a standard checklist; they really understand our business and how we work."

Head of Information Security, Australia's top 3 retail group

Frequently asked questions.

What does an Azure security review include?
A comprehensive Azure security review covers Entra ID configuration and conditional access policies, Defender for Cloud secure score and workload protections, network architecture and NSG rules, storage account exposure, Key Vault configuration, Azure Policy and governance controls, and compliance mapping against ISO 27001, APRA CPS 234, and Essential Eight. Every finding is prioritised by business risk with specific remediation guidance.
How long does an Azure security review take?
A typical Azure security review takes 5 to 10 business days depending on the size and complexity of your environment. Single-subscription environments with standard configurations are at the shorter end. Organisations with multiple subscriptions, complex Entra ID configurations, hybrid identity setups, or extensive custom Azure Policy definitions require longer. The review includes identity analysis, network assessment, security tooling evaluation, and a prioritised remediation report.
Do you support multi-subscription and hybrid environments?
Yes. We regularly assess Azure environments with multiple subscriptions, management group hierarchies, and hybrid configurations spanning on-premises Active Directory and Entra ID. Hybrid identity environments introduce specific risks around synchronisation, pass-through authentication, and conditional access policy gaps that cloud-only setups do not face. We also assess Azure Arc configurations for organisations managing non-Azure resources through Azure's control plane.
How does Azure security relate to ISO 27001 and Essential Eight?
Azure provides the platform, but compliance is your responsibility under the shared responsibility model. ISO 27001 Annex A controls and Essential Eight strategies map directly to Azure configurations: Entra ID for access control, Azure Policy for application control, Microsoft Defender for endpoint protection, and Azure Monitor for logging and detection. Microsoft holds its own certifications including ISO 27001 and IRAP PROTECTED, but these cover Microsoft's infrastructure, not your workloads or configurations.
What is the difference between an Azure security review and a penetration test?
A penetration test simulates an attacker exploiting specific vulnerabilities in your environment. An Azure security review is broader: it assesses your entire cloud architecture, identity model, data protection, governance controls, and compliance posture. We often recommend both. The architecture review fixes systemic design issues first, then a penetration test validates whether the controls hold under attack conditions.
Can you help us migrate to Azure securely?
Yes. Security architecture should be built into an Azure migration from day one. We embed security into your Azure landing zone design: management group structure, subscription topology, networking, identity federation, encryption, logging, and governance guardrails. This prevents the common pattern where organisations migrate quickly, accumulate security debt in Entra ID and networking, and then spend more remediating misconfigurations than they would have spent designing it properly.

Know where your Azure environment is exposed.

Book a free Azure security assessment conversation. We'll scope a review that gives you a clear picture of your security posture and a prioritised remediation plan.