
I’m excited to contribute this article as part of the Azure Spring Clean initiative, a community-driven event focused on sharing best practices, tips, and actionable guidance to help IT professionals enhance their Azure skills. Security in the cloud isn’t just a technical requirement; it’s a cultural commitment. In this article, I’ll guide you through building a security-first culture in your Azure environment—addressing key challenges, providing practical solutions, and highlighting easy wins that you can implement immediately to improve your security posture.
For more insightful content from the Azure community, check out Azure Spring Clean, and join us in promoting a safer, more secure Azure ecosystem!
In today’s threat landscape, no organization can afford a lax security mindset. Cyberattacks are rampant—Microsoft observes over 4,000 password attacks per second globally (Microsoft Entra expands into Security Service Edge and Azure AD becomes Microsoft Entra ID | Microsoft Security Blog)—and human error plays a role in the vast majority of incidents (studies estimate 88–95% of breaches involve some human mistake) (World Economic Forum finds that 95% of cybersecurity incidents occur due to human error | Cybernews). A security-first culture is therefore essential: every employee, developer, and IT professional must understand that security is everyone’s responsibility, not just the security team’s. This article reviews how to build a security-first culture in an Azure-centric environment, focusing on people, processes, and technology, while updating important facts and terminology for 2025.
People: Empowering and Educating for Security
At the heart of any robust security strategy are the people who implement and adhere to it. Building a security-first culture means ensuring every individual understands their role in protecting the organization. This involves overcoming legacy mindsets and knowledge gaps. For example, some may downplay threats with an “it won’t happen to us” attitude or cling to outdated practices that worked in on-premises days. Such complacency is dangerous—if 95% of security incidents trace back to human error, training and awareness are critical (World Economic Forum finds that 95% of cybersecurity incidents occur due to human error | Cybernews).
Security awareness training should be frequent and evolving, not just an annual check-the-box exercise. Staff must stay informed about current threats (like phishing techniques or cloud-focused attacks) and how to respond. Leadership should champion security initiatives from the top, emphasizing that following security policies is part of everyone’s job. Encouraging a “report anything suspicious” mindset and removing stigma from reporting mistakes helps reinforce this culture. Establish clear roles and responsibilities for security: for instance, designate security champions in each team to advocate best practices. Holding individuals accountable in a supportive way (e.g. rewarding teams with no click-through phishing test failures, providing extra coaching where needed) fosters engagement. The goal is to make secure behavior the norm—whether it’s developers considering security in code or admins double-checking configurations.
Crucially, avoid the “old school” pitfalls: no more assuming the network perimeter alone will keep attackers out, or that only the IT security staff need to care about security. Modern zero-trust philosophies explicitly assume breach and require verification of each action. Every employee should internalize that a single weak link (like a reused password or an unlocked workstation) can compromise the whole organization. By cultivating a vigilant, informed workforce, you establish the human foundation of a security-first culture.
Process: Embedding Security into Operations and Governance
Having the right mindset is important, but it must be reinforced with well-defined processes. A security-first culture is sustained by integrating security into everyday workflows and cloud governance. Here are key process-oriented steps:
- Inventory and Visibility: First, capture the full scope of your Azure environment. This means identifying all subscriptions, resource groups, and even separate tenants under management (including any test or demo environments). You can’t secure what you don’t know you have. Use Azure Management Groups and tagging to organize assets, and consider Cloud Access Security Broker (CASB) tools or Azure AD Workbooks to discover shadow IT. Providing a centralized dashboard for security status across these environments (for example, Azure Lighthouse or Microsoft Defender for Cloud’s unified dashboard) helps teams monitor everything in one place.
- Security Baselines and Policies: Define a security baseline for all Azure resources and enforce it. Microsoft’s Cloud Adoption Framework and Well-Architected Framework provide guidance on baseline security configurations. Leverage Azure Policy to automatically audit or prevent non-compliant resources (for instance, require encryption at rest, or forbid open management ports on VMs). When a new Azure subscription or resource is created, it should by default adhere to your baseline (this addresses the need to scrutinize new subscriptions and not let them become weak links). Azure offers built-in policies that can be applied to ensure every project starts with proper guardrails. Regularly review and update these baselines as new threats and best practices emerge.
- Incident Response Process: As part of embedding security, establish clear procedures for incident response and remediation. Conduct drills or table-top exercises so that if an issue arises, everyone knows the chain of communication and their role in containing the problem. A culture of “security-first” means not panicking or hiding issues, but responding in a structured way to minimize impact.
- Pilot and Scale: If you are rolling out new security measures (say, enabling multifactor authentication for all users or implementing a new endpoint protection agent), consider a pilot program. For example, start with a subset of departments or a few customer tenants (if you are a service provider) to remediate issues and gather feedback. This phased approach (as hinted by “pilot remediation with 5 customer tenants” in our scenario) allows fine-tuning of processes before a wider rollout. After a successful pilot, execute a broader project to apply changes across the board (the “bulk project start”). Throughout, maintain ongoing awareness and training: accompany each new security control with user education so that it is adopted smoothly (e.g. instruct users on how to use new authentication apps or device compliance checks).
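The baseline step above relies on Azure Policy to deny or audit resources that drift from your standard, such as an NSG rule that opens a management port to the internet. The following added example (not code from the article, and not one of Microsoft's built-in policy definitions) shows what such a definition looks like in the Azure Policy rule language and runs a small evaluator for the subset of that language it uses ("allOf", "anyOf", "not", "equals", "in") over constructed NSG security rules, so you can see which rules the baseline would reject before assigning it. The field aliases follow Azure Policy's "<resource type>.<property>" convention; the sample rules are invented for the illustration.

```python
"""Evaluate an Azure Policy-style rule against resource objects.

Added example, not code from the Azure Spring Clean article: a small
evaluator for a subset of the Azure Policy rule language and an
illustrative baseline definition that denies NSG rules exposing SSH/RDP
to the internet. The definition is hand-written for this example and is
not one of Microsoft's built-in policy definitions.
"""
from __future__ import annotations
from typing import Any

NSG_RULE = "Microsoft.Network/networkSecurityGroups/securityRules"

# Illustrative baseline: deny any inbound Allow rule that opens a management
# port (22, 3389 or "*") to an unrestricted source.
DENY_OPEN_MGMT_PORTS = {
    "if": {
        "allOf": [
            {"field": "type", "equals": NSG_RULE},
            {"field": f"{NSG_RULE}.access", "equals": "Allow"},
            {"field": f"{NSG_RULE}.direction", "equals": "Inbound"},
            {"field": f"{NSG_RULE}.sourceAddressPrefix",
             "in": ["*", "Internet", "0.0.0.0/0"]},
            {"field": f"{NSG_RULE}.destinationPortRange",
             "in": ["22", "3389", "*"]},
        ]
    },
    "then": {"effect": "deny"},
}


def _lookup(resource: dict[str, Any], field: str) -> Any:
    """Resolve a policy field: 'type' maps to the resource type, and an
    alias '<type>.<prop>' maps to resource['properties'][prop]."""
    if field == "type":
        return resource.get("type")
    rtype, _, prop = field.rpartition(".")
    if rtype != resource.get("type"):
        return None
    return resource.get("properties", {}).get(prop)


def matches(condition: dict[str, Any], resource: dict[str, Any]) -> bool:
    """Recursively evaluate the 'if' block of a policy rule."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = _lookup(resource, condition["field"])
    if "equals" in condition:
        return str(value).lower() == str(condition["equals"]).lower()
    if "in" in condition:
        return str(value).lower() in [str(v).lower() for v in condition["in"]]
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy: dict[str, Any], resource: dict[str, Any]) -> str:
    """Return the policy effect ('deny', 'audit', ...) when the 'if' block
    matches, or 'allow' when the resource is compliant (no effect applies)."""
    if matches(policy["if"], resource):
        return policy["then"]["effect"].lower()
    return "allow"


def make_rule(name, access, direction, source, port):
    """Build a resource shaped like an NSG security rule (constructed sample
    data, not exported from a real subscription)."""
    return {
        "type": NSG_RULE,
        "name": name,
        "properties": {"access": access, "direction": direction,
                       "sourceAddressPrefix": source,
                       "destinationPortRange": port},
    }


SAMPLE_RULES = [
    make_rule("allow-rdp-from-internet", "Allow", "Inbound", "Internet", "3389"),
    make_rule("allow-https-from-internet", "Allow", "Inbound", "Internet", "443"),
    make_rule("allow-ssh-from-corp", "Allow", "Inbound", "10.0.0.0/8", "22"),
    make_rule("allow-any-from-any", "Allow", "Inbound", "*", "*"),
]


def audit(policy=DENY_OPEN_MGMT_PORTS, rules=SAMPLE_RULES) -> dict[str, str]:
    """Map each rule name to the effect the policy would apply to it."""
    return {r["name"]: evaluate(policy, r) for r in rules}


if __name__ == "__main__":
    for name, effect in audit().items():
        print(f"{effect:5s}  {name}")
```

Only the two rules that expose a management port to an unrestricted source come back as "deny"; HTTPS from the internet and SSH from the corporate range pass. When you assign a definition like this in Azure, start it with the "audit" effect to see the blast radius across existing resources, then switch to "deny" once the findings are remediated.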
By integrating these processes, security becomes a natural part of operations rather than an afterthought. When security requirements are woven into project kick-offs, change management, and daily checklists, the organization consistently operates with a security-first approach.
Technology: Leveraging Modern Security Tools and Controls
While people and process form the backbone, technology provides the critical tools to enforce and scale a security-first culture in Azure. Microsoft’s cloud offers a rich ecosystem of security technologies—using them effectively is key to staying ahead of threats. Below are the core areas to focus on:
- Identity and Access Management: Identities are the new perimeter in the cloud. Microsoft Entra ID (formerly Azure Active Directory) is your primary identity platform, and it should be configured with strong protections. Multifactor Authentication (MFA) is non-negotiable for all users, and especially admins. Microsoft research shows that MFA can block over 99% of account compromise attacks (Announcing mandatory multi-factor authentication for Azure sign-in | Microsoft Azure Blog), yet too many breaches still occur because this basic control wasn’t in place. Entra ID offers security features appropriate to your licensing:
- With Entra ID Free or Microsoft 365 licenses, enable Security Defaults to enforce baseline protections (which include MFA for admins and disabling legacy authentication protocols). This one-click setting dramatically improves security for organizations without premium licenses.
- With Entra ID Premium P1/P2, create tailored Conditional Access policies. Conditional Access allows you to require MFA under certain conditions (e.g. when risk is detected, or for all users accessing the Azure portal), block access from unmanaged devices, enforce location or device compliance requirements, and more. Design policies to evaluate sign-in risk and device health, embodying Zero Trust principles (verify explicitly every access). For instance, you might have a policy: if a user sign-in is flagged as high-risk or coming from a new location, they must pass MFA and be on a compliant device. Such layered checks ensure that even if credentials are stolen, an attacker cannot easily use them (Security Should Be Your Priority: Why Partners Need to Join Mission 65 – MicroWarehouse).
- Privileged Identity Management (PIM): For highly privileged roles, use Microsoft Entra Privileged Identity Management. PIM (part of Entra ID P2) makes admin roles just-in-time and approval-based, reducing the exposure of standing administrative privileges. An admin in PIM might have to activate their role and provide MFA each time, and the role auto-expires after a short duration. This limits what attackers can do even if they compromise an admin account.
- Phishing-Resistant Authentication: Basic MFA (e.g. SMS or app push) is now the baseline, but 2025 best practice is to adopt phishing-resistant MFA for critical accounts (like Global Administrators and subscription owners). Attackers have grown adept at phishing one-time codes or using “MFA fatigue” attacks to trick users. Methods such as FIDO2 security keys, certificate-based authentication (CBA), or Windows Hello for Business are resistant to phishing because they involve cryptographic exchange and are bound to the authentic login domain. Microsoft explicitly recommends requiring phishing-resistant MFA for all administrator roles (Require phishing-resistant multifactor authentication for Microsoft Entra administrator roles – Microsoft Entra ID | Microsoft Learn). In Entra ID Conditional Access, you can enforce this by using the “Authentication Strength” feature to require phishing-resistant MFA for sensitive roles or applications (Require phishing-resistant multifactor authentication for Microsoft Entra administrator roles – Microsoft Entra ID | Microsoft Learn). By implementing these advanced methods for your top-tier accounts, you significantly lower the risk of a breach via credential phishing.
- Secure Management Access: Administrative access to cloud resources should be tightly controlled. Ensure that management endpoints (like RDP/SSH on Azure VMs or Azure management ports) are not left open to the internet. Azure provides tools like Just-in-Time VM Access (part of Microsoft Defender for Cloud) which closes inbound management ports and opens them only temporarily when an admin needs access, after they authenticate. Similarly, consider using Azure Bastion or VPN gateways for admins to access VMs securely, instead of exposing ports. Within the Azure Portal and Entra admin center, use role-based access control (RBAC) to grant the least privilege needed: audit who has Owner or Contributor rights on subscriptions and tighten those where possible, delegating read or specific role rights instead. A security-first approach means even internal team members should only have the access necessary for their job (principle of least privilege).
- Cloud Security Posture Management (CSPM): Utilize Microsoft Defender for Cloud (formerly Azure Security Center) to continuously assess your Azure resources’ security posture. Microsoft Defender for Cloud provides a Secure Score for your Azure subscriptions, listing recommendations like enabling MFA on accounts, turning on encryption, configuring diagnostic logging, etc. (Note: Azure Security Center and Azure Defender were rebranded as Microsoft Defender for Cloud in late 2021 (A new name for multi-cloud security: Microsoft Defender for Cloud | Microsoft Community Hub), so ensure any old references to those names are updated). The Secure Score is expressed as a percentage; it quantifies how many of Microsoft’s recommended security best practices you have adopted. Regularly review the recommendations and remediate them to improve your score. Not only does a higher score mean you’re safer, but if you’re a Microsoft cloud partner, it may be required to maintain your status.
- Monitoring and Alerts: Set up alerting for suspicious activities. Azure provides many options: Microsoft Defender for Cloud can alert on threats to Azure resources (like VMs communicating with known malware domains), Defender for Cloud Apps (MCAS) can detect anomalous usage of SaaS apps, and Entra ID Identity Protection (part of Entra ID P2) will flag risky sign-ins or compromised accounts. Additionally, enable Azure Monitor logs and Microsoft Sentinel for a holistic SIEM solution if resources allow. A culture of security includes promptly responding to alerts, so define processes (as above) to triage and respond to these notifications. Also configure a security notification contact in your tenant to ensure Microsoft can reach you with any critical security alerts (for example, notifications of nation-state attack activity or emergency patches).
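The identity bullets above describe several Conditional Access policies layered on top of each other: block legacy authentication, MFA for everyone, phishing-resistant MFA plus a compliant device for admin roles, and extra checks when sign-in risk is high or the Azure portal is reached from an untrusted location. The following added example (not code from the article or from Microsoft Entra) models how those policies combine for a single sign-in, using the documented rule that every policy whose conditions match applies, so all matching grant controls must be satisfied and any matching block policy wins. The policy names, the sign-in fields and the sample sign-ins are constructed for the illustration.

```python
"""Model how Conditional Access policies combine for one sign-in.

Added example, not code from the article or from Microsoft Entra. Policy
names, sign-in fields and sample sign-ins are constructed for this
illustration. It models the documented behaviour that every policy whose
conditions match a sign-in applies: all matching grant controls must be
satisfied, and a single matching "block" policy wins.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Roles the example treats as privileged (a subset of Entra admin roles).
ADMIN_ROLES = {"Global Administrator", "Privileged Role Administrator",
               "User Administrator", "Security Administrator"}


@dataclass
class SignIn:
    user: str
    roles: set[str] = field(default_factory=set)
    risk: str = "none"            # Identity Protection sign-in risk: none/low/medium/high
    device_compliant: bool = False
    legacy_auth: bool = False     # e.g. basic auth over IMAP/SMTP/POP
    trusted_location: bool = True
    app: str = "Office 365"


@dataclass
class Policy:
    name: str
    applies: Callable[[SignIn], bool]   # the policy's assignment conditions
    block: bool = False                 # "Block access" instead of grant controls
    grant: set[str] = field(default_factory=set)   # controls that must all be met


# Illustrative policy set mirroring the article's recommendations.
POLICIES = [
    Policy("Block legacy authentication", lambda s: s.legacy_auth, block=True),
    Policy("Require MFA for all users", lambda s: True, grant={"mfa"}),
    Policy("Require phishing-resistant MFA for admin roles",
           lambda s: bool(s.roles & ADMIN_ROLES),
           grant={"phishingResistantMfa", "compliantDevice"}),
    Policy("High sign-in risk: MFA + compliant device",
           lambda s: s.risk == "high",
           grant={"mfa", "compliantDevice"}),
    Policy("Azure portal from untrusted location: compliant device",
           lambda s: s.app == "Azure portal" and not s.trusted_location,
           grant={"compliantDevice"}),
]


def evaluate(signin: SignIn, policies=POLICIES) -> dict:
    """Combine every matching policy into one decision for the sign-in."""
    matched = [p for p in policies if p.applies(signin)]
    names = [p.name for p in matched]
    if any(p.block for p in matched):
        return {"decision": "block", "policies": names, "controls": set()}
    controls = set().union(*(p.grant for p in matched))
    # A phishing-resistant method (FIDO2, CBA, Windows Hello for Business)
    # also satisfies a plain "require MFA" control, so collapse the two.
    if "phishingResistantMfa" in controls:
        controls.discard("mfa")
    return {"decision": "grant", "policies": names, "controls": controls}


# Constructed sign-ins covering the article's scenarios.
SAMPLE_SIGNINS = {
    "helpdesk-imap": SignIn("helpdesk", legacy_auth=True),
    "analyst-office": SignIn("analyst"),
    "ga-portal-cafe": SignIn("ga", roles={"Global Administrator"},
                             app="Azure portal", trusted_location=False),
    "dev-risky": SignIn("dev", risk="high"),
}


def decisions(signins=SAMPLE_SIGNINS) -> dict[str, dict]:
    """Decision per sample sign-in."""
    return {key: evaluate(s) for key, s in signins.items()}


if __name__ == "__main__":
    for key, result in decisions().items():
        print(f"{key:15s} {result['decision']:5s} {sorted(result['controls'])}")
```

The point the model makes visible is that policies accumulate rather than override: the Global Administrator opening the portal from a coffee shop must satisfy phishing-resistant MFA and present a compliant device because three policies match at once, while the legacy-auth sign-in is blocked regardless of any MFA the user could perform. When you build the real policies, test them the same way with Entra's report-only mode before turning them on.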
All these technologies should be leveraged in a coordinated way. Importantly, keep software and agent tools up to date (EDR, AV, etc., on all endpoints) and manage device health via Intune or similar so that only trusted devices access Azure resources (Security Should Be Your Priority: Why Partners Need to Join Mission 65 – MicroWarehouse). By taking advantage of Azure’s native security capabilities and enforcing them consistently, you create a strong technical backbone for your security-first culture.
2025 Mandates: MFA Enforcement and Secure Score Requirements
The push for a security-first approach is not just coming from within organizations—Microsoft itself is raising the floor on security requirements for all Azure and Microsoft 365 tenants. As of 2024–2025, two major initiatives are in play that IT professionals must be aware of: mandatory MFA enforcement and the drive for improved Secure Scores.
Mandatory MFA by Microsoft: Microsoft announced that it will require multifactor authentication for all users signing into Azure services, rolling out in phases. Phase 1 starts in October 2024, when MFA becomes required to sign in to the Azure Portal, Microsoft Entra ID admin center, and Intune admin center (Plan for mandatory Microsoft Entra multifactor authentication (MFA) – Microsoft Entra ID | Microsoft Learn). This enforcement will be gradually enabled on all tenants. By early 2025 (around February), this requirement will extend to the Microsoft 365 Admin Center as well (Plan for mandatory Microsoft Entra multifactor authentication (MFA) – Microsoft Entra ID | Microsoft Learn). Phase 2, later in 2025, will enforce MFA for command-line and automation scenarios: Azure CLI, Azure PowerShell, the Azure mobile app, and infrastructure-as-code tools will all require MFA for login (Plan for mandatory Microsoft Entra multifactor authentication (MFA) – Microsoft Entra ID | Microsoft Learn). In practical terms, this means if a user (especially a privileged user) tries to access these interfaces without having MFA configured, they will be blocked. Organizations should prepare now: ensure every user has MFA set up (at least via an authenticator app or phone, if not more advanced methods). Identify any service accounts or scripts using basic authentication—those won’t be able to do interactive MFA, so Microsoft recommends migrating such scenarios to workload identities (managed identities or service principals) which are exempt from the user MFA requirement (Plan for mandatory Microsoft Entra multifactor authentication (MFA) – Microsoft Entra ID | Microsoft Learn). The mandatory MFA rollout underscores the importance of MFA (no one will be able to claim “it’s optional” anymore), and it aligns with the fact that it foils 99% of attacks on accounts (Announcing mandatory multi-factor authentication for Azure sign-in | Microsoft Azure Blog). 
Come 2025, if you haven’t enabled MFA in your Azure tenant, Microsoft will effectively flip it on for you—so it’s far better to proactively implement it on your own terms. Global administrators have the ability to postpone the enforcement for a few months (Microsoft allows deferral until Sept 30, 2025 for complex cases) (Plan for mandatory Microsoft Entra multifactor authentication (MFA) – Microsoft Entra ID | Microsoft Learn), but the direction is clear: MFA will soon be a universal prerequisite.
Secure Score and “Mission 65”: In recent years Microsoft has been heavily promoting the improvement of organizations’ Secure Score as a measure of good security hygiene. Secure Score can refer to Microsoft Secure Score (encompassing Microsoft 365 identity, device, and app security) and Azure Secure Score (focused on Azure resource configurations via Defender for Cloud). By 2025, Microsoft and its partners expect customers to attain a secure score above a certain minimum threshold. In fact, Microsoft launched an initiative often referred to as “Mission 65”, which strives for a minimum Secure Score of 65% across tenants (Microsoft Inspire: Wat zijn de nieuwste ontwikkelingen op gebied van IT-security?). In practice, a 65% score means you’ve implemented a majority of recommended improvements, indicating a solid foundational security posture. Many partners have taken this to heart; for example, one Microsoft partner program challenges organizations to commit to maintaining at least 65% Secure Score as a baseline for cybersecurity resilience (Security Should Be Your Priority: Why Partners Need to Join Mission 65 – MicroWarehouse). The impetus behind Mission 65 is that organizations with significantly lower Secure Scores are at much higher risk of breaches and may even face consequences in the partner ecosystem. Microsoft has introduced a Security requirements dashboard in Partner Center that shows partners their secure score and required actions to improve it (Security requirements dashboard for Partner Center – Partner Center | Microsoft Learn). Not meeting certain critical requirements (like MFA enforcement, role coverage, etc.) can result in point deductions and, in extreme cases, the risk of the partner being offboarded or losing incentives.
For IT professionals, the takeaway is: use the Secure Score as a continuous improvement tool. In Azure, go to Microsoft Defender for Cloud’s Secure Score overview to see where you stand. If your score is below 65%, prioritize the recommended actions provided—these could include enabling MFA for all users, turning on endpoint protection, restricting admin privileges, securing storage accounts, etc. Many recommendations can be applied with Azure Policy or via scripts in bulk. Track your progress over time; Microsoft provides APIs and Workbooks (such as the Azure Secure Score API or Graph Security API) so you can programmatically monitor your score (Track your secure score – Microsoft Defender for Cloud | Microsoft Learn). Improving your Secure Score not only reduces your breach risk but may also be necessary to comply with industry standards or Microsoft’s partner requirements. It’s a tangible way to demonstrate that your security posture is getting stronger – which is exactly the goal of a security-first culture.
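To make "track your score programmatically" concrete, here is an added example (not code from the article or from Microsoft) that parses a payload shaped like the Defender for Cloud secureScoreControls REST response, where each control carries score.max and score.current, computes the overall score as earned points over maximum points, checks it against the 65% Mission 65 target, and ranks the controls by unclaimed points so the remediation list is ordered by impact. The payload below is constructed for the illustration; the control names and counts are not from a real subscription.

```python
"""Track a Defender for Cloud Secure Score against the 65% target.

Added example, not code from the article or from Microsoft. SAMPLE_RESPONSE
is a constructed payload shaped like the Defender for Cloud
secureScoreControls REST API (each control carries score.max and
score.current); it is not data from a real subscription and the control
names are only illustrative. The 0.65 threshold is the article's
"Mission 65" figure.
"""
import json

MISSION_65 = 0.65

SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"name": "a9d", "properties": {"displayName": "Enable MFA",
            "score": {"max": 10, "current": 4.0},
            "unhealthyResourceCount": 6, "healthyResourceCount": 4}},
        {"name": "b1c", "properties": {"displayName": "Secure management ports",
            "score": {"max": 8, "current": 2.0},
            "unhealthyResourceCount": 9, "healthyResourceCount": 3}},
        {"name": "c77", "properties": {"displayName": "Enable encryption at rest",
            "score": {"max": 4, "current": 4.0},
            "unhealthyResourceCount": 0, "healthyResourceCount": 12}},
        {"name": "d02", "properties": {"displayName": "Apply system updates",
            "score": {"max": 6, "current": 5.0},
            "unhealthyResourceCount": 2, "healthyResourceCount": 10}},
    ]
})


def parse_controls(payload: str) -> list[dict]:
    """Flatten the API response into {name, max, current, gap, unhealthy}."""
    controls = []
    for item in json.loads(payload)["value"]:
        props = item["properties"]
        mx = float(props["score"]["max"])
        cur = float(props["score"]["current"])
        controls.append({
            "name": props["displayName"],
            "max": mx,
            "current": cur,
            "gap": mx - cur,                       # points still on the table
            "unhealthy": int(props.get("unhealthyResourceCount", 0)),
        })
    return controls


def secure_score(controls: list[dict]) -> float:
    """Overall score as a fraction: earned points over maximum points."""
    total_max = sum(c["max"] for c in controls)
    return sum(c["current"] for c in controls) / total_max if total_max else 0.0


def prioritize(controls: list[dict]) -> list[dict]:
    """Controls with unclaimed points, largest gap first (name breaks ties)."""
    return sorted((c for c in controls if c["gap"] > 0),
                  key=lambda c: (-c["gap"], c["name"]))


def report(payload: str = SAMPLE_RESPONSE, target: float = MISSION_65) -> dict:
    """Score, target check, shortfall in points, and the ordered to-do list."""
    controls = parse_controls(payload)
    score = secure_score(controls)
    total_max = sum(c["max"] for c in controls)
    earned = sum(c["current"] for c in controls)
    return {
        "score": round(score, 4),
        "meets_target": score >= target,
        "points_needed": max(0.0, round(target * total_max - earned, 2)),
        "priority": [c["name"] for c in prioritize(controls)],
    }


if __name__ == "__main__":
    r = report()
    print(f"Secure Score {r['score']:.1%}  target met: {r['meets_target']}")
    print(f"Points needed to reach 65%: {r['points_needed']}")
    for name in r["priority"]:
        print(" -", name)
```

On the sample data the score is roughly 53.6%, 3.2 points short of the target, and the two controls worth six points each (MFA and management ports) sit at the top of the list, which matches the article's "low-hanging fruit". In a real run you would fetch the payload from the Microsoft.Security/secureScoreControls endpoint of each subscription with an Azure access token and store the returned score with a timestamp so the trend is visible over time.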
Key Takeaways and Action Plan
Building a security-first culture in Azure is an ongoing journey combining training, process discipline, and technical enforcement. To recap the most important steps and corrections for 2025:
- MFA, MFA, MFA – Enable it everywhere: This cannot be overstated. Enforce MFA for all users (with Conditional Access or Security Defaults) and require phishing-resistant MFA for admin roles for maximum protection (Require phishing-resistant multifactor authentication for Microsoft Entra administrator roles – Microsoft Entra ID | Microsoft Learn). Given Microsoft’s upcoming mandate, this is both an immediate security win and a compliance requirement (Plan for mandatory Microsoft Entra multifactor authentication (MFA) – Microsoft Entra ID | Microsoft Learn).
- Adopt Zero Trust principles: Treat every access attempt as untrusted until verified. Use Conditional Access to check device compliance, user risk, location, etc., on top of credentials (Security Should Be Your Priority: Why Partners Need to Join Mission 65 – MicroWarehouse). Limiting access on a need-to-know basis (least privilege) and using PIM for admin roles will contain potential breaches.
- Establish clear security processes: Inventory all Azure subscriptions/tenants you manage and bring them under a governance framework. Apply a security baseline (using Azure Policy and blueprints) so new projects don’t start from scratch on security. Regularly review roles and logs. Have an incident response plan and test it. Documentation (like an internal security portal or runbook) and training ensure everyone knows what to do.
- Leverage Azure’s security tools: Turn on Microsoft Defender for Cloud to get visibility into misconfigurations and threats in your Azure environment. This tool (formerly Azure Security Center) provides recommendations that directly feed your Secure Score. Also use tools like Defender for Cloud Apps, Entra ID Protection, and Sentinel as needed for a comprehensive defense-in-depth monitoring strategy.
- Improve your Secure Score continuously: Use the Secure Score as a metric to drive improvement. Aim for the “Mission 65” target of 65% or higher Secure Score (Microsoft Inspire: Wat zijn de nieuwste ontwikkelingen op gebied van IT-security?), and then keep raising it. A high Secure Score reflects that you’re following many best practices. It can also keep you in good standing with Microsoft’s requirements for partners and customers. Low-hanging fruit like MFA, disabling legacy auth, and setting up proper alerts will boost your score significantly and reduce real-world risk.
- Stay updated and avoid deprecated terms: Ensure you use the correct, up-to-date nomenclature and understand new features. For instance, Azure AD is now Microsoft Entra ID (Microsoft Entra expands into Security Service Edge and Azure AD becomes Microsoft Entra ID | Microsoft Security Blog) – the rename doesn’t change functionality but reinforces the broader Entra identity security family. Azure Security Center/Defender is now Defender for Cloud (A new name for multi-cloud security: Microsoft Defender for Cloud | Microsoft Community Hub). Using current terminology in your documentation and discussions avoids confusion. Additionally, keep an eye on new Azure and Microsoft 365 security features (like continuous access evaluation, Security Copilot AI assistance, etc.) as they emerge, and evaluate how they can further strengthen your security posture.
With these steps, an organization can cultivate a strong security-first culture. The key is consistency and commitment: security isn’t a one-time project but a core value that guides daily operations. By educating people, refining processes, and deploying the right technologies (and keeping them updated), you create layers of defense that make cyber attacks dramatically harder. In a world of escalating threats, such a culture not only protects your Azure environment but also enables the business to innovate with confidence, knowing that security is built-in from the start.
Security is a journey, not a destination—start with the fundamentals (if you haven’t already, go enable MFA right now!), score some quick wins (close those exposed ports, rotate that one stale password), and gradually mature your capabilities. With management support and the entire organization engaged, a security-first culture in Azure is an achievable and worthwhile goal that will pay off by reducing incidents and strengthening trust with customers and partners. Your cloud footprint can be both agile and secure – and in 2025 and beyond, it must be.
#AzureSpringClean, #AzureFamily and #AZOps