You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/security/fundamentals/isolation-choices.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ author: msmbaldwin
6
6
ms.service: security
7
7
ms.subservice: security-fundamentals
8
8
ms.topic: article
9
-
ms.date: 12/03/2025
9
+
ms.date: 01/06/2026
10
10
ms.author: mbaldwin
11
11
12
12
---
@@ -73,7 +73,7 @@ The rest of the Azure roles in Azure allow management of specific Azure resource
73
73
74
74
Some other capabilities for Microsoft Entra ID include:
75
75
76
-
- Microsoft Entra ID enables SSO to SaaS applications, regardless of where they're hosted. Some applications are federated with Microsoft Entra ID, and others use password SSO. Federated applications can also support user provisioning and [password vaulting](https://www.techopedia.com/definition/31415/password-vault).
76
+
- Microsoft Entra ID enables SSO to SaaS applications, regardless of where they're hosted. Some applications are federated with Microsoft Entra ID, and others use password SSO. Federated applications can also support user provisioning and [password vaulting](/entra/identity/enterprise-apps/configure-password-single-sign-on-non-gallery-applications).
77
77
78
78
- Access to data in [Azure Storage](https://azure.microsoft.com/services/storage/) is controlled via authentication. Each storage account has a primary key ([storage account key](../../storage/common/storage-account-create.md), or SAK) and a secondary secret key (the shared access signature, or SAS).
79
79
@@ -305,10 +305,10 @@ Azure deployment has multiple layers of network isolation. The following diagram
305
305
306
306
**Traffic isolation:** A [virtual network](../../virtual-network/virtual-networks-overview.md) is the traffic isolation boundary on the Azure platform. Virtual machines (VMs) in one virtual network cannot communicate directly to VMs in a different virtual network, even if both virtual networks are created by the same customer. Isolation is a critical property that ensures customer VMs and communication remains private within a virtual network.
307
307
308
-
[Subnet](../../virtual-network/virtual-networks-overview.md) offers an additional layer of isolation with in virtual network based on IP range. IP addresses in the virtual network, you can divide a virtual network into multiple subnets for organization and security. VMs and PaaS role instances deployed to subnets (same or different) within a VNet can communicate with each other without any extra configuration. You can also configure [network security group (NSGs)](../../virtual-network/virtual-networks-overview.md) to allow or deny network traffic to a VM instance based on rules configured in access control list (ACL) of NSG. NSGs can be associated with either subnets or individual VM instances within that subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances in that subnet.
308
+
[Subnet](../../virtual-network/virtual-networks-overview.md) offers an additional layer of isolation with in virtual network based on IP range. IP addresses in the virtual network, you can divide a virtual network into multiple subnets for organization and security. VMs and PaaS role instances deployed to subnets (same or different) within a VNet can communicate with each other without any extra configuration. You can also configure [network security groups (NSGs)](../../virtual-network/network-security-groups-overview.md) to allow or deny network traffic to a VM instance based on security rules. NSGs can be associated with either subnets or individual network interfaces attached to VMs. When an NSG is associated with a subnet, the security rules apply to all the VM instances in that subnet.
309
309
310
310
## Next Steps
311
311
312
-
- Learn about [Network Isolation Options for Machines in Windows Azure Virtual Networks](https://azure.microsoft.com/blog/network-isolation-options-for-machines-in-windows-azure-virtual-networks/). This includes the classic front-end and back-end scenario where machines in a particular back-end network or subnetwork may only allow certain clients or other computers to connect to a particular endpoint based on an allowlist of IP addresses.
312
+
- Learn about [network security groups](/azure/virtual-network/network-security-groups-overview). Network security groups filter network traffic between Azure resources in a virtual network, allowing you to restrict traffic to subnets or virtual machines based on source, destination, port, and protocol using security rules.
313
313
314
314
- Learn about [virtual machine isolation in Azure](/azure/virtual-machines/isolation). Azure Compute offers virtual machine sizes that are isolated to a specific hardware type and dedicated to a single customer.
@@ -23,21 +23,36 @@ As of June 15, 2017, Microsoft no longer requires pre-approval to conduct a pene
23
23
> [!IMPORTANT]
24
24
> While notifying Microsoft of pen testing activities is no longer required customers must still comply with the [Microsoft Cloud Unified Penetration Testing Rules of Engagement](https://www.microsoft.com/msrc/pentest-rules-of-engagement).
25
25
26
+
## Permitted testing
27
+
28
+
You can perform penetration testing on your own Azure-hosted applications and services without prior approval. This includes testing:
29
+
30
+
* Your endpoints hosted on Azure Virtual Machines
31
+
* Azure App Service applications (Web Apps, API Apps, Mobile Apps)
32
+
* Azure Functions and API endpoints
33
+
* Azure Websites
34
+
* Any other Azure services where you own or have explicit authorization to test the deployed resources
35
+
26
36
Standard tests you can perform include:
27
37
28
38
* Tests on your endpoints to uncover the [Open Web Application Security Project (OWASP) top 10 vulnerabilities](https://owasp.org/www-project-top-ten/)
39
+
* Dynamic Application Security Testing (DAST) of your web applications and APIs
29
40
*[Fuzz testing](https://www.microsoft.com/research/blog/a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers/) of your endpoints
30
41
*[Port scanning](https://en.wikipedia.org/wiki/Port_scanner) of your endpoints
31
42
43
+
## Prohibited testing
44
+
32
45
One type of pen test that you can't perform is any kind of [Denial of Service (DoS)](https://en.wikipedia.org/wiki/Denial-of-service_attack) attack. This test includes initiating a DoS attack itself, or performing related tests that might determine, demonstrate, or simulate any type of DoS attack.
33
46
34
-
> [!Note]
35
-
> You may only simulate attacks using Microsoft approved testing partners:
36
-
> -[BreakingPoint Cloud](https://www.ixiacom.com/products/breakingpoint-cloud): A self-service traffic generator where your customers can generate traffic against DDoS Protection-enabled public endpoints for simulations.
37
-
> -[Red Button](https://www.red-button.net/): Work with a dedicated team of experts to simulate real-world DDoS attack scenarios in a controlled environment.
38
-
> -[RedWolf](https://www.redwolfsecurity.com/services/#cloud-ddos) a self-service or guided DDoS testing provider with real-time control.
39
-
>
40
-
> To learn more about these simulation partners, see [testing with simulation partners](../../ddos-protection/test-through-simulations.md).
47
+
## DDoS simulation testing
48
+
49
+
If you need to test your DDoS resilience, you can use Microsoft-approved simulation partners. These partners provide controlled DDoS simulation services that don't violate the penetration testing rules:
50
+
51
+
-[BreakingPoint Cloud](https://www.ixiacom.com/products/breakingpoint-cloud): A self-service traffic generator where your customers can generate traffic against DDoS Protection-enabled public endpoints for simulations.
52
+
-[Red Button](https://www.red-button.net/): Work with a dedicated team of experts to simulate real-world DDoS attack scenarios in a controlled environment.
53
+
-[RedWolf](https://www.redwolfsecurity.com/services/#cloud-ddos): A self-service or guided DDoS testing provider with real-time control.
54
+
55
+
To learn more about these simulation partners, see [testing with simulation partners](../../ddos-protection/test-through-simulations.md).
Copy file name to clipboardExpand all lines: articles/security/fundamentals/ransomware-detect-respond.md
+1-3Lines changed: 1 addition & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ ms.service: security
6
6
ms.subservice: security-fundamentals
7
7
ms.topic: article
8
8
ms.author: mbaldwin
9
-
ms.date: 04/16/2025
9
+
ms.date: 01/06/2026
10
10
11
11
---
12
12
@@ -82,8 +82,6 @@ Our Rapid Ransomware Recovery services are treated as "Confidential" for the dur
82
82
83
83
For comprehensive ransomware protection guidance across all Microsoft platforms and services, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware).
84
84
85
-
See the white paper: [Azure defenses for ransomware attack whitepaper](https://azure.microsoft.com/resources/azure-defenses-for-ransomware-attack).
86
-
87
85
Other Azure ransomware articles:
88
86
89
87
-[Ransomware protection in Azure](ransomware-protection.md)
Copy file name to clipboardExpand all lines: articles/security/fundamentals/ransomware-features-resources.md
+1-3Lines changed: 1 addition & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ ms.service: security
6
6
ms.subservice: security-fundamentals
7
7
ms.topic: article
8
8
ms.author: mbaldwin
9
-
ms.date: 04/16/2025
9
+
ms.date: 01/06/2026
10
10
---
11
11
12
12
# Azure features & resources that help you protect, detect, and respond to ransomware attacks
@@ -136,8 +136,6 @@ For detailed information on how Microsoft secures our cloud, visit the [service
136
136
137
137
For comprehensive ransomware protection guidance across all Microsoft platforms and services, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware).
138
138
139
-
See the white paper: [Azure defenses for ransomware attack whitepaper](https://azure.microsoft.com/resources/azure-defenses-for-ransomware-attack).
140
-
141
139
Other Azure ransomware articles:
142
140
143
141
-[Ransomware protection in Azure](ransomware-protection.md)
Copy file name to clipboardExpand all lines: articles/security/fundamentals/ransomware-prepare.md
+1-3Lines changed: 1 addition & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ ms.service: security
6
6
ms.subservice: security-fundamentals
7
7
ms.topic: article
8
8
ms.author: mbaldwin
9
-
ms.date: 04/23/2025
9
+
ms.date: 01/06/2026
10
10
---
11
11
12
12
# Prepare for a ransomware attack
@@ -147,8 +147,6 @@ For detailed guidance, see [Backup and restore plan to protect against ransomwar
147
147
148
148
For comprehensive ransomware protection guidance across all Microsoft platforms and services, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware).
149
149
150
-
See the white paper: [Azure defenses for ransomware attack whitepaper](https://azure.microsoft.com/resources/azure-defenses-for-ransomware-attack).
151
-
152
150
Other Azure ransomware articles:
153
151
154
152
-[Ransomware protection in Azure](ransomware-protection.md)
Copy file name to clipboardExpand all lines: articles/security/fundamentals/shared-responsibility.md
+44-6Lines changed: 44 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ author: msmbaldwin
6
6
ms.service: security
7
7
ms.subservice: security-fundamentals
8
8
ms.topic: article
9
-
ms.date: 12/03/2025
9
+
ms.date: 01/06/2026
10
10
ms.author: mbaldwin
11
11
#customer intent: As a cloud security administrator, I want to understand the shared responsibility model in Azure so that I can clearly identify which security tasks are mine and which are handled by Microsoft.
12
12
---
@@ -15,18 +15,56 @@ ms.author: mbaldwin
15
15
As you consider and evaluate public cloud services, it's critical to understand the shared responsibility model and which security tasks the cloud provider handles and which tasks you handle. The workload responsibilities vary depending on whether the workload is hosted on Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or in an on-premises datacenter.
16
16
17
17
## Division of responsibility
18
-
In an on-premises datacenter, you own the whole stack. As you move to the cloud some responsibilities transfer to Microsoft. The following diagram illustrates the areas of responsibility between you and Microsoft, according to the type of deployment of your stack.
18
+
19
+
In an on-premises datacenter, you own the whole stack. As you move to the cloud, some responsibilities transfer to Microsoft. The following diagram illustrates the areas of responsibility between you and Microsoft, according to the type of deployment of your stack.
For all cloud deployment types, you own your data and identities. You're responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control. Cloud components you control vary by service type.
23
24
25
+
### Responsibility matrix
26
+
27
+
The following table details the division of responsibility between you and Microsoft for each area of your stack:
| Operating system | Customer | Customer | Microsoft | Microsoft |
38
+
| Physical hosts | Customer | Microsoft | Microsoft | Microsoft |
39
+
| Physical network | Customer | Microsoft | Microsoft | Microsoft |
40
+
| Physical datacenter | Customer | Microsoft | Microsoft | Microsoft |
41
+
42
+
### Responsibilities you always retain
43
+
24
44
Regardless of the type of deployment, you always retain the following responsibilities:
25
45
26
-
- Data
27
-
- Endpoints
28
-
- Account
29
-
- Access management
46
+
-**Data** - You're responsible for your data, including data classification, data protection, encryption decisions, and compliance with data governance requirements.
47
+
-**Endpoints** - You're responsible for protecting client devices and endpoints that access your cloud services, including mobile devices, laptops, and desktops.
48
+
-**Accounts** - You're responsible for managing user accounts, including creating, managing, and removing user access.
49
+
-**Access management** - You're responsible for implementing and managing access controls, including role-based access control (RBAC), multifactor authentication, and conditional access policies.
50
+
51
+
### Shared responsibilities explained
52
+
53
+
Some responsibilities are shared between you and Microsoft, with the division varying by service model:
54
+
55
+
-**Applications** - In IaaS, you're fully responsible for deployed applications. In PaaS and SaaS, Microsoft manages parts of the application stack, but you're responsible for application configuration, code security, and access controls.
56
+
-**Network controls** - In IaaS, you configure all network security including firewalls and network segmentation. In PaaS, Microsoft provides baseline network security, but you configure application-level network controls. In SaaS, Microsoft manages network security.
57
+
-**Client devices** - In SaaS scenarios, Microsoft may provide some device management capabilities, but you're responsible for endpoint protection and compliance.
58
+
59
+
### Microsoft responsibilities
60
+
61
+
Microsoft is responsible for the underlying cloud infrastructure, which includes:
62
+
63
+
-**Physical security** - Securing datacenters, including facilities, physical access controls, and environmental controls.
64
+
-**Physical network** - Managing network infrastructure, including routers, switches, and cables within datacenters.
65
+
-**Physical hosts** - Managing and maintaining the physical servers that host cloud services.
66
+
-**Hypervisor** - Managing the virtualization layer that enables virtual machines in IaaS and PaaS.
67
+
-**Platform services** - In PaaS and SaaS, Microsoft manages operating systems, runtime environments, and middleware.
0 commit comments