Azure security architecture: controls, policies, and reference designs aligned to Microsoft Cloud Security Benchmark, CAF, and Zero Trust.
Built by a Cybersecurity Architect implementing Azure security at enterprise scale. This repository documents real-world security controls, not theoretical frameworks.
This repository is an Azure security reference architecture covering the key domains that matter in enterprise cloud deployments: identity security, network controls, data protection, DevSecOps pipelines, and compliance posture.
Everything here is based on real implementation decisions made in production Azure environments — including the trade-offs, constraints, and lessons learned.
What this is not: A tutorial. A copy-paste of Microsoft documentation. A feature list.
What this is: An architect's working reference for building defensible Azure environments.
Azure provides hundreds of security controls. Most organizations implement 30–40% of them. The gap is not knowledge — it is architecture decision-making:
- Which controls matter most for your threat model?
- Which Azure Policy definitions should you enforce vs. audit?
- How do you balance security with developer velocity?
- What does Zero Trust actually mean in an Azure context beyond marketing?
This repository answers those questions with concrete implementations.
```text
azure-security-framework/
├── identity/
│   ├── conditional-access-policies.md      # Zero Trust identity controls
│   ├── privileged-identity-management.md   # PIM design decisions
│   └── managed-identities-guide.md         # Eliminating credentials at scale
├── network/
│   ├── hub-spoke-architecture.md           # Reference network topology
│   ├── private-endpoints-design.md         # PaaS security without public exposure
│   └── nsg-design-principles.md            # NSG rules that scale
├── data-protection/
│   ├── encryption-at-rest.md               # Key Vault, BYOK, CMK
│   ├── data-classification.md              # Microsoft Purview integration
│   └── storage-security.md                 # Blob, ADLS, SQL security controls
├── devsecops/
│   ├── pipeline-security.md                # Azure DevOps / GitHub Actions hardening
│   ├── container-security.md               # AKS security baseline
│   └── iac-security-scanning.md            # Checkov, tfsec, Defender for DevOps
├── compliance/
│   ├── azure-policy-library.md             # Custom + built-in policy assignments
│   ├── mcsb-control-mapping.md             # Microsoft Cloud Security Benchmark
│   └── defender-for-cloud-posture.md       # CSPM configuration and remediation
└── README.md
```
| Domain | Coverage | Key Controls | Status |
|---|---|---|---|
| Identity & Access | Zero Trust Identity | Conditional Access, PIM, Managed Identities | 🗓️ In Progress |
| Network Security | Defense in Depth | Hub-Spoke, Private Endpoints, NSG | 🗓️ In Progress |
| Data Protection | Encrypt Everything | Key Vault, CMK, Microsoft Purview | 🗓️ In Progress |
| DevSecOps | Shift Left | Pipeline scanning, IaC security, container hardening | 🗓️ In Progress |
| Compliance & Posture | Continuous Compliance | Azure Policy, MCSB, Defender for Cloud | 🗓️ In Progress |

Every control in this repository is evaluated against four principles:
- Assume Breach — Design controls that limit blast radius, not just prevent initial compromise
- Verify Explicitly — Never trust location, network, or service identity alone
- Least Privilege — Just-Enough-Access, Just-In-Time access for all identities
- Defense in Depth — Multiple independent controls; no single point of failure
Service principal secrets expire, get rotated inconsistently, and end up in source code. Managed identities eliminate the credential lifecycle problem entirely. This repository documents the migration patterns and the edge cases where service principals are still required.
Service endpoints extend the VNet boundary but the service still has a public endpoint that can be accessed from other networks. Private endpoints inject the service into your VNet with a private IP. The operational overhead is worth it for any service handling sensitive data.
Enforcing policies in production without understanding the blast radius causes service disruptions. The pattern documented here: audit first (4 weeks), review non-compliant resources, create exemptions for legitimate exceptions, then enforce. Skip this and you will break production.
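As an added illustration of the audit-then-enforce rollout (this is not code from this repository; the custom definition, resource group name and exemption are hypothetical), a Bicep file in which the only thing that changes between phases is the `effect` parameter:

```bicep
targetScope = 'subscription'

// Rollout switch: 'Audit' for the discovery window, then redeploy with 'Deny' once exemptions exist.
@allowed(['Audit', 'Deny', 'Disabled'])
param effect string = 'Audit'

// Custom definition: storage accounts must have public network access disabled.
resource storagePublicAccess 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-storage-public-network-access'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: {
      effect: { type: 'String', allowedValues: ['Audit', 'Deny', 'Disabled'], defaultValue: 'Audit' }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          { field: 'Microsoft.Storage/storageAccounts/publicNetworkAccess', notEquals: 'Disabled' }
        ]
      }
      // Bicep emits "[[parameters('effect')]", so Azure Policy resolves it at evaluation time.
      then: { effect: '[parameters(\'effect\')]' }
    }
  }
}

// One assignment, redeployed per phase with a different effect value.
resource assignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'storage-public-network-access'
  properties: {
    policyDefinitionId: storagePublicAccess.id
    parameters: { effect: { value: effect } }
  }
}

// Hypothetical exception found during the audit phase: waived with an expiry so it is revisited.
resource legacyRg 'Microsoft.Resources/resourceGroups@2022-09-01' existing = {
  name: 'rg-legacy-cdn-origin' // placeholder resource group name
}

resource legacyWaiver 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
  name: 'waiver-legacy-cdn-origin'
  scope: legacyRg
  properties: {
    policyAssignmentId: assignment.id
    exemptionCategory: 'Waiver'
    expiresOn: '2026-06-30T00:00:00Z'
  }
}
```

Deploy with `az deployment sub create --location <region> --template-file main.bicep --parameters effect=Audit`, review the compliance state in Defender for Cloud or Azure Policy, then rerun with `effect=Deny`.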
- All ARM templates and Bicep files in this repository should be scanned with Checkov or tfsec before deployment
- Azure Policy definitions marked as **Enforce** have been validated in non-production environments first
- Conditional Access policies require careful baseline testing — always use Report-Only mode first
- Network changes (NSG rules, Private Endpoint creation) should be peer-reviewed before deployment
- Key Vault configurations documented here follow the principle of no public network access by default
This repository is documentation-first, not code-first. The rationale:
Most Azure security failures are not technical failures — they are architecture and decision failures. A well-documented wrong decision is more dangerous than undocumented correct code. Every section documents the why, not just the what.
Code samples (Bicep, ARM, PowerShell, KQL) will be added alongside the architectural documentation as the repository grows.
Surya | Cybersecurity Architect | CISSP
Specializing in Azure Security, Microsoft Sentinel, and Cloud Security Architecture.