Security Baseline

How to implement Microsoft Defender, encryption, threat detection, and compliance in landing zones.

Security Architecture Overview

Microsoft Defender for Cloud

Defender Plans

Plan	Coverage	Key Features
CSPM (Free)	Posture management	Secure Score, recommendations
Defender for Servers	VMs	Vulnerability scanning, EDR
Defender for Containers	AKS, ACR	Image scanning, runtime
Defender for Storage	Storage accounts	Malware scanning
Defender for SQL	SQL databases	Threat detection
Defender for App Service	Web apps	OWASP protection
Defender for Key Vault	Key Vaults	Access anomalies
Defender for ARM	Resource Manager	Suspicious operations
Defender for DNS	DNS	Domain threats

Enable Defender with Policy

targetScope = 'subscription'

resource defenderServers 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'P2'
  }
}

resource defenderContainers 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'Containers'
  properties: {
    pricingTier: 'Standard'
  }
}

resource defenderStorage 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
  }
}

resource defenderSQL 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'SqlServers'
  properties: {
    pricingTier: 'Standard'
  }
}

resource defenderKeyVault 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'KeyVaults'
  properties: {
    pricingTier: 'Standard'
  }
}

Auto-Provisioning

resource autoProvisionMDE 'Microsoft.Security/autoProvisioningSettings@2017-08-01-preview' = {
  name: 'default'
  properties: {
    autoProvision: 'On'
  }
}

resource defenderAutoProvision 'Microsoft.Security/serverVulnerabilityAssessmentsSettings@2023-05-01' = {
  name: 'default'
  properties: {
    selectedProvider: 'MdeTvm'
  }
}

Microsoft Sentinel

Architecture

Essential Data Connectors

Connector	Data	Priority
Azure Activity	Management plane operations	High
Entra ID	Sign-ins, audit logs	High
Microsoft Defender for Cloud	Security alerts	High
Azure Firewall	Network traffic	High
Microsoft 365	Email, SharePoint	High
DNS	Query logs	Medium
Azure Key Vault	Access logs	Medium

Bicep: Sentinel Deployment

resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: 'log-sentinel-prod-001'
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: 90
  }
}

resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2023-02-01' = {
  name: 'default'
  scope: logAnalytics
  properties: {}
}

resource azureActivityConnector 'Microsoft.SecurityInsights/dataConnectors@2023-02-01' = {
  name: 'azureActivity'
  scope: logAnalytics
  kind: 'AzureActivity'
  properties: {
    linkedResourceId: subscription().id
  }
}

Encryption

Encryption Strategy

CMK Configuration

resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: 'kv-cmk-prod-001'
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium' // For HSM-backed keys
    }
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
    enablePurgeProtection: true
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Deny'
    }
  }
}

resource encryptionKey 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {
  parent: keyVault
  name: 'storage-cmk'
  properties: {
    kty: 'RSA'
    keySize: 4096
    keyOps: ['encrypt', 'decrypt', 'wrapKey', 'unwrapKey']
    rotationPolicy: {
      lifetimeActions: [
        {
          trigger: {
            timeAfterCreate: 'P90D'
          }
          action: {
            type: 'Rotate'
          }
        }
      ]
      attributes: {
        expiryTime: 'P1Y'
      }
    }
  }
}

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stcmkprod001'
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedIdentity.id}': {}
    }
  }
  properties: {
    encryption: {
      keySource: 'Microsoft.Keyvault'
      keyvaultproperties: {
        keyname: encryptionKey.name
        keyvaulturi: keyVault.properties.vaultUri
      }
      identity: {
        userAssignedIdentity: managedIdentity.id
      }
      services: {
        blob: {
          enabled: true
        }
        file: {
          enabled: true
        }
      }
    }
  }
}

Security Policies

Azure Security Benchmark

The Azure Security Benchmark is Microsoft's recommended security baseline:

targetScope = 'managementGroup'

resource asbInitiative 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'azure-security-benchmark'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
    displayName: 'Azure Security Benchmark'
    enforcementMode: 'Default'
    parameters: {}
  }
}

Essential Security Policies

Policy	Effect	Purpose
Require secure transfer	Deny	HTTPS only for storage
Require TLS 1.2	Deny	Minimum TLS version
Deny public blob access	Deny	Prevent data exposure
Require private endpoints	Audit	Network isolation
Require disk encryption	Audit	Data at rest
Deploy Defender	DeployIfNotExists	Enable protection
Require diagnostics	DeployIfNotExists	Security logging
Deny public IP	Deny	Limit internet exposure

Bicep: Custom Security Policy

resource denyPublicStorage 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-public-blob-access'
  properties: {
    displayName: 'Deny public blob access on storage accounts'
    policyType: 'Custom'
    mode: 'All'
    metadata: {
      category: 'Storage'
    }
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            field: 'Microsoft.Storage/storageAccounts/allowBlobPublicAccess'
            notEquals: false
          }
        ]
      }
      then: {
        effect: 'Deny'
      }
    }
  }
}

Private Endpoints

Private Link Architecture

Bicep: Private Endpoint

resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-st-prod-001'
  location: location
  properties: {
    privateLinkServiceConnections: [
      {
        name: 'storage-connection'
        properties: {
          privateLinkServiceId: storageAccount.id
          groupIds: ['blob']
        }
      }
    ]
    subnet: {
      id: privateEndpointSubnet.id
    }
  }
}

resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'privatelink-blob'
        properties: {
          privateDnsZoneId: blobPrivateDnsZone.id
        }
      }
    ]
  }
}

DDoS Protection

DDoS Architecture

Bicep: DDoS Protection

resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-05-01' = {
  name: 'ddos-prod-001'
  location: location
  properties: {}
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-prod-001'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: ['10.0.0.0/16']
    }
    ddosProtectionPlan: {
      id: ddosPlan.id
    }
    enableDdosProtection: true
  }
}

Security Monitoring

Key Security Logs

Log	Source	Retention
Azure Activity	Subscription	2 years
Entra ID Sign-ins	Azure AD	2 years
Entra ID Audit	Azure AD	2 years
NSG Flow Logs	Network	90 days
Firewall Logs	Azure Firewall	90 days
Key Vault Logs	Key Vault	2 years
Defender Alerts	MDC	90 days

Security Alerts Configuration

resource securityAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
  name: 'security-configuration-change'
  location: 'global'
  properties: {
    enabled: true
    scopes: [
      subscription().id
    ]
    condition: {
      allOf: [
        {
          field: 'category'
          equals: 'Security'
        }
        {
          field: 'operationName'
          equals: 'Microsoft.Security/policies/write'
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: securityActionGroup.id
        }
      ]
    }
  }
}

Security Checklist

✅ Identity

MFA enforced for all users
Conditional Access policies active
PIM enabled for privileged roles
Break glass accounts configured

✅ Network

✅ Data

Encryption at rest enabled
TLS 1.2+ enforced
Customer-managed keys for sensitive data
Key rotation configured

✅ Monitoring

Microsoft Defender enabled
Sentinel deployed
Security alerts configured
Log retention set

✅ Governance

Azure Security Benchmark assigned
Security policies enforced
Compliance dashboard reviewed

Quick Reference Card

Component	Configuration
Defender	Enable all plans for landing zones
Sentinel	Centralized in Management subscription
Encryption	CMK for sensitive workloads
Private Endpoints	Required for Corp landing zones
TLS	1.2 minimum, 1.3 preferred
Key Vault	Premium SKU, RBAC authorization

Next Steps

Continue to Governance & Policy to learn about Azure Policy, compliance, and cost management.

Security Architecture Overview​

Microsoft Defender for Cloud​

Defender Plans​

Enable Defender with Policy​

Auto-Provisioning​

Microsoft Sentinel​

Architecture​

Essential Data Connectors​

Bicep: Sentinel Deployment​

Encryption​

Encryption Strategy​

CMK Configuration​

Security Policies​

Azure Security Benchmark​

Essential Security Policies​

Bicep: Custom Security Policy​

Private Endpoints​

Private Link Architecture​

Bicep: Private Endpoint​

DDoS Protection​

DDoS Architecture​

Bicep: DDoS Protection​

Security Monitoring​

Key Security Logs​

Security Alerts Configuration​

Security Checklist​

✅ Identity​

✅ Network​

✅ Data​

✅ Monitoring​

✅ Governance​

Quick Reference Card​

Next Steps​