Azure Security Checklist Reference¶
Home > Reference > Security Checklist
Comprehensive security checklists and best practices for securing Azure cloud-scale analytics environments, including Azure Synapse Analytics, Azure Data Lake, and related services.
Table of Contents¶
- Overview
- Network Security
- Identity and Access Management
- Data Protection
- Key and Secret Management
- Monitoring and Auditing
- Compliance and Governance
- Development Security
- Service-Specific Security
- Incident Response
Overview¶
Security Framework¶
This security checklist follows the Azure Well-Architected Framework Security pillar and industry best practices.
| Security Domain | Priority | Scope |
|---|---|---|
| Identity & Access | Critical | Authentication, authorization, RBAC |
| Network Security | Critical | Firewalls, private endpoints, NSGs |
| Data Protection | Critical | Encryption, masking, classification |
| Key Management | High | Azure Key Vault, rotation policies |
| Monitoring | High | Logging, alerts, threat detection |
| Compliance | High | Regulatory requirements, auditing |
| DevSecOps | Medium | Secure development, CI/CD security |
Security Maturity Levels¶
┌─────────────────────────────────────────────────────────┐
│ Security Maturity Progression │
├─────────────────────────────────────────────────────────┤
│ │
│ Level 1: Basic │
│ - Basic authentication │
│ - Standard encryption │
│ - Manual security reviews │
│ │
│ Level 2: Intermediate │
│ - MFA enabled │
│ - Private endpoints configured │
│ - Automated monitoring │
│ - Key Vault integration │
│ │
│ Level 3: Advanced │
│ - Zero trust architecture │
│ - Customer-managed keys │
│ - Advanced threat protection │
│ - Continuous compliance monitoring │
│ │
│ Level 4: Enterprise │
│ - Security automation │
│ - AI-powered threat detection │
│ - Incident response automation │
│ - Comprehensive audit trails │
│ │
└─────────────────────────────────────────────────────────┘
Network Security¶
Checklist¶
- Implement Private Endpoints
- Configure private endpoints for all Synapse workspace connections
- Set up private endpoints for Azure Data Lake Storage Gen2
- Configure private endpoints for Azure Key Vault
-
Validate private DNS zones configuration
-
Configure Managed Virtual Network
- Enable managed virtual network for Synapse workspace
- Configure managed private endpoints
- Set up data exfiltration protection
-
Review outbound traffic rules
-
Firewall Configuration
- Set up IP firewall rules to restrict access
- Configure storage account firewall rules
- Implement network security groups (NSGs)
-
Review and minimize public access
-
Service Endpoints
- Enable service endpoints for supported services
- Configure VNet service endpoint policies
-
Validate service endpoint routing
-
DNS Configuration
- Configure private DNS zones for private endpoints
- Validate DNS resolution for private endpoints
- Document custom DNS configurations
Implementation Examples¶
Azure CLI - Private Endpoint Configuration¶
# Create private endpoint for Synapse workspace
az network private-endpoint create \
--name pe-synapse-workspace \
--resource-group rg-analytics-prod \
--vnet-name vnet-analytics \
--subnet snet-synapse \
--private-connection-resource-id "/subscriptions/{sub-id}/resourceGroups/rg-analytics-prod/providers/Microsoft.Synapse/workspaces/syn-analytics-prod" \
--connection-name synapse-connection \
--group-id Sql
# Create private DNS zone
az network private-dns zone create \
--resource-group rg-analytics-prod \
--name privatelink.sql.azuresynapse.net
# Link DNS zone to VNet
az network private-dns link vnet create \
--resource-group rg-analytics-prod \
--zone-name privatelink.sql.azuresynapse.net \
--name dns-link \
--virtual-network vnet-analytics \
--registration-enabled false
# Create private endpoint for storage
az network private-endpoint create \
--name pe-storage-dfs \
--resource-group rg-analytics-prod \
--vnet-name vnet-analytics \
--subnet snet-storage \
--private-connection-resource-id "/subscriptions/{sub-id}/resourceGroups/rg-analytics-prod/providers/Microsoft.Storage/storageAccounts/stadatalake001" \
--connection-name storage-connection \
--group-id dfs
Bicep - Network Security¶
// Synapse workspace with managed VNet
resource synapseWorkspace 'Microsoft.Synapse/workspaces@2021-06-01' = {
name: 'syn-analytics-prod'
location: location
identity: {
type: 'SystemAssigned'
}
properties: {
defaultDataLakeStorage: {
accountUrl: 'https://stadatalake001.dfs.core.windows.net'
filesystem: 'data'
}
managedVirtualNetwork: 'default'
managedVirtualNetworkSettings: {
preventDataExfiltration: true
allowedAadTenantIdsForLinking: [
tenantId
]
}
publicNetworkAccess: 'Disabled'
}
}
// Network security group
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
name: 'nsg-synapse-subnet'
location: location
properties: {
securityRules: [
{
name: 'AllowSynapseStudio'
properties: {
priority: 100
direction: 'Inbound'
access: 'Allow'
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '443'
sourceAddressPrefix: 'AzureCloud'
destinationAddressPrefix: '*'
}
}
{
name: 'DenyAllInbound'
properties: {
priority: 4096
direction: 'Inbound'
access: 'Deny'
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: '*'
destinationAddressPrefix: '*'
}
}
]
}
}
Identity and Access Management¶
Checklist¶
- Microsoft Entra ID (Azure AD) Authentication
- Enable Microsoft Entra ID authentication for all services
- Disable SQL authentication where possible
- Configure conditional access policies
-
Implement Microsoft Entra ID groups for access management
-
Multi-Factor Authentication (MFA)
- Enforce MFA for all admin accounts
- Configure MFA for privileged users
- Set up security defaults or conditional access
-
Monitor MFA usage and compliance
-
Managed Identities
- Use system-assigned managed identities for Azure resources
- Configure user-assigned managed identities where needed
- Grant minimum required permissions to managed identities
-
Document all managed identity assignments
-
Role-Based Access Control (RBAC)
- Create custom RBAC roles with least privilege
- Review and audit role assignments regularly
- Use Azure AD Privileged Identity Management (PIM)
- Implement just-in-time (JIT) access for privileged operations
-
Document RBAC model and assignments
-
Service Principals
- Use service principals with limited scope for automation
- Rotate service principal credentials regularly
- Store service principal secrets in Key Vault
- Monitor service principal usage
Implementation Examples¶
Azure CLI - Identity Configuration¶
# Enable managed identity for Synapse workspace
az synapse workspace update \
--name syn-analytics-prod \
--resource-group rg-analytics-prod \
--enable-managed-identity true
# Assign RBAC role to managed identity
SYNAPSE_IDENTITY=$(az synapse workspace show \
--name syn-analytics-prod \
--resource-group rg-analytics-prod \
--query identity.principalId -o tsv)
az role assignment create \
--assignee $SYNAPSE_IDENTITY \
--role "Storage Blob Data Contributor" \
--scope "/subscriptions/{sub-id}/resourceGroups/rg-analytics-prod/providers/Microsoft.Storage/storageAccounts/stadatalake001"
# Create custom role for analytics users
az role definition create --role-definition '{
"Name": "Analytics Data Reader",
"Description": "Read access to analytics data",
"Actions": [
"Microsoft.Synapse/workspaces/read",
"Microsoft.Synapse/workspaces/sqlPools/*/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read"
],
"NotActions": [],
"DataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{sub-id}/resourceGroups/rg-analytics-prod"
]
}'
# Configure conditional access (via Azure Portal or Graph API)
PowerShell - PIM Configuration¶
# Install required modules
Install-Module -Name Az.Resources
Install-Module -Name Microsoft.Graph
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
# Create PIM eligible assignment
$params = @{
principalId = "user-principal-id"
roleDefinitionId = "role-definition-id"
directoryScopeId = "/"
scheduleInfo = @{
startDateTime = Get-Date
expiration = @{
type = "afterDuration"
duration = "PT8H"
}
}
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
Data Protection¶
Checklist¶
- Encryption at Rest
- Enable encryption for all storage accounts
- Implement customer-managed keys (CMK) where required
- Configure double encryption for sensitive data
-
Verify encryption status across all services
-
Encryption in Transit
- Enforce TLS 1.2+ for all connections
- Disable insecure protocols (TLS 1.0, 1.1)
- Configure secure transfer required for storage accounts
-
Use HTTPS for all API endpoints
-
Data Masking and Protection
- Implement dynamic data masking for PII data
- Configure column-level security
- Set up row-level security (RLS)
-
Implement data classification and labeling
-
Data Governance
- Configure Azure Purview integration
- Implement data lineage tracking
- Set up data catalog
-
Configure data retention policies
-
Data Exfiltration Protection
- Enable data exfiltration protection in managed VNet
- Configure approved managed private endpoints only
- Monitor and alert on unauthorized data transfers
- Implement DLP policies
Implementation Examples¶
Azure CLI - Data Protection¶
# Enable encryption with CMK
az storage account update \
--name stadatalake001 \
--resource-group rg-analytics-prod \
--encryption-key-source Microsoft.Keyvault \
--encryption-key-vault https://kv-analytics-prod.vault.azure.net/ \
--encryption-key-name storage-encryption-key
# Enable infrastructure encryption (double encryption)
az storage account create \
--name stadatalake001 \
--resource-group rg-analytics-prod \
--location eastus \
--sku Standard_LRS \
--kind StorageV2 \
--require-infrastructure-encryption true
# Enforce minimum TLS version
az storage account update \
--name stadatalake001 \
--resource-group rg-analytics-prod \
--min-tls-version TLS1_2
T-SQL - Dynamic Data Masking¶
-- Create table with masked columns
CREATE TABLE dbo.Customers (
CustomerId INT PRIMARY KEY,
FirstName NVARCHAR(50),
LastName NVARCHAR(50),
Email NVARCHAR(100) MASKED WITH (FUNCTION = 'email()'),
Phone NVARCHAR(20) MASKED WITH (FUNCTION = 'partial(1,"XXX-XXX-",4)'),
SSN NVARCHAR(11) MASKED WITH (FUNCTION = 'default()'),
CreditCard NVARCHAR(16) MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)'),
Salary DECIMAL(18,2) MASKED WITH (FUNCTION = 'random(10000, 100000)')
);
-- Grant unmask permission to specific users
GRANT UNMASK TO [AnalyticsAdmin];
-- Row-level security
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_SecurityPredicate(@TenantId INT)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_SecurityPredicate_result
WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS INT)
OR IS_MEMBER('db_owner') = 1;
GO
CREATE SECURITY POLICY Security.TenantFilter
ADD FILTER PREDICATE Security.fn_SecurityPredicate(TenantId) ON dbo.SalesData,
ADD BLOCK PREDICATE Security.fn_SecurityPredicate(TenantId) ON dbo.SalesData
WITH (STATE = ON);
Key and Secret Management¶
Checklist¶
- Azure Key Vault Configuration
- Store all secrets, keys, and certificates in Key Vault
- Enable soft delete and purge protection
- Implement access policies with least privilege
- Configure Key Vault firewall rules
-
Enable Key Vault diagnostics logging
-
Key Rotation
- Rotate keys and secrets on regular schedule (90 days recommended)
- Automate key rotation where possible
- Document rotation procedures
-
Test rotation without downtime
-
Access Management
- Use managed identities for Key Vault access
- Implement Azure RBAC for Key Vault (recommended over access policies)
- Separate key vaults for different environments
- Monitor and alert on Key Vault access
Implementation Examples¶
Azure CLI - Key Vault Setup¶
# Create Key Vault with security features
az keyvault create \
--name kv-analytics-prod \
--resource-group rg-analytics-prod \
--location eastus \
--enable-soft-delete true \
--enable-purge-protection true \
--enable-rbac-authorization true \
--public-network-access Disabled
# Create private endpoint for Key Vault
az network private-endpoint create \
--name pe-keyvault \
--resource-group rg-analytics-prod \
--vnet-name vnet-analytics \
--subnet snet-keyvault \
--private-connection-resource-id "/subscriptions/{sub-id}/resourceGroups/rg-analytics-prod/providers/Microsoft.KeyVault/vaults/kv-analytics-prod" \
--connection-name keyvault-connection \
--group-id vault
# Grant managed identity access to Key Vault
az role assignment create \
--assignee $SYNAPSE_IDENTITY \
--role "Key Vault Secrets User" \
--scope "/subscriptions/{sub-id}/resourceGroups/rg-analytics-prod/providers/Microsoft.KeyVault/vaults/kv-analytics-prod"
# Create encryption key
az keyvault key create \
--vault-name kv-analytics-prod \
--name storage-encryption-key \
--protection software \
--size 2048
# Store database connection string
az keyvault secret set \
--vault-name kv-analytics-prod \
--name sql-connection-string \
--value "Server=tcp:syn-analytics-prod.sql.azuresynapse.net,1433;Database=analytics_db;Authentication=Active Directory Managed Identity;"
Python - Key Vault Integration¶
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
from azure.keyvault.keys import KeyClient
import os
class SecureConfigManager:
"""Manage secrets and keys from Azure Key Vault."""
def __init__(self, vault_url: str):
self.credential = DefaultAzureCredential()
self.secret_client = SecretClient(vault_url=vault_url, credential=self.credential)
self.key_client = KeyClient(vault_url=vault_url, credential=self.credential)
def get_secret(self, secret_name: str) -> str:
"""Retrieve secret from Key Vault."""
try:
secret = self.secret_client.get_secret(secret_name)
return secret.value
except Exception as e:
print(f"Error retrieving secret {secret_name}: {e}")
raise
def set_secret(self, secret_name: str, secret_value: str) -> None:
"""Store secret in Key Vault."""
try:
self.secret_client.set_secret(secret_name, secret_value)
print(f"Secret {secret_name} stored successfully")
except Exception as e:
print(f"Error storing secret {secret_name}: {e}")
raise
def rotate_secret(self, secret_name: str, new_value: str) -> None:
"""Rotate secret with new value."""
# Store new version
self.set_secret(secret_name, new_value)
# Old versions are automatically retained
print(f"Secret {secret_name} rotated successfully")
# Usage
config_manager = SecureConfigManager(
vault_url="https://kv-analytics-prod.vault.azure.net"
)
# Retrieve secrets
db_connection = config_manager.get_secret("sql-connection-string")
api_key = config_manager.get_secret("external-api-key")
Monitoring and Auditing¶
Checklist¶
- Diagnostic Logging
- Enable diagnostic settings for all Synapse components
- Send logs to Log Analytics workspace
- Configure SQL audit logs for all SQL pools
- Enable Apache Spark application logs
-
Set appropriate log retention periods
-
Security Monitoring
- Implement Microsoft Defender for Cloud
- Enable Microsoft Defender for SQL
- Configure security alerts and notifications
- Set up Microsoft Sentinel integration
-
Monitor Key Vault access logs
-
Activity Monitoring
- Monitor Azure Activity Log
- Track resource changes
- Review access logs regularly
- Monitor for unauthorized access attempts
-
Track privilege escalation events
-
Automated Response
- Configure automated security responses
- Set up alert action groups
- Implement automated remediation where possible
- Test incident response procedures
Implementation Examples¶
Azure CLI - Monitoring Setup¶
# Create Log Analytics workspace
az monitor log-analytics workspace create \
--resource-group rg-analytics-prod \
--workspace-name law-analytics-prod \
--location eastus
# Enable diagnostic settings for Synapse
az monitor diagnostic-settings create \
--name synapse-diagnostics \
--resource "/subscriptions/{sub-id}/resourceGroups/rg-analytics-prod/providers/Microsoft.Synapse/workspaces/syn-analytics-prod" \
--logs '[
{"category":"SynapseRbacOperations","enabled":true},
{"category":"GatewayApiRequests","enabled":true},
{"category":"BuiltinSqlReqsEnded","enabled":true},
{"category":"IntegrationPipelineRuns","enabled":true},
{"category":"IntegrationActivityRuns","enabled":true}
]' \
--metrics '[{"category":"AllMetrics","enabled":true}]' \
--workspace "/subscriptions/{sub-id}/resourceGroups/rg-analytics-prod/providers/Microsoft.OperationalInsights/workspaces/law-analytics-prod"
# Enable SQL auditing
az synapse sql audit-policy update \
--resource-group rg-analytics-prod \
--workspace-name syn-analytics-prod \
--state Enabled \
--blob-storage-target-state Enabled \
--storage-account stadatalake001 \
--storage-endpoint https://stadatalake001.blob.core.windows.net
# Enable Microsoft Defender for SQL
az security pricing create \
--name SqlServerVirtualMachines \
--tier Standard
KQL - Security Monitoring Queries¶
// Monitor failed authentication attempts
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SYNAPSE"
| where Category == "SynapseRbacOperations"
| where OperationName == "RoleAssignmentDelete" or OperationName == "RoleAssignmentCreate"
| project TimeGenerated, OperationName, Identity, ResultType, _ResourceId
| order by TimeGenerated desc
// Track high-privilege operations
AzureActivity
| where ActivityStatusValue == "Success"
| where OperationNameValue in ("Microsoft.Authorization/roleAssignments/write", "Microsoft.Authorization/roleAssignments/delete")
| project TimeGenerated, Caller, OperationNameValue, ResourceGroup, _ResourceId
| order by TimeGenerated desc
// Monitor Key Vault access
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "SecretGet"
| summarize AccessCount = count() by CallerIPAddress, identity_claim_oid_g, bin(TimeGenerated, 1h)
| where AccessCount > threshold
| order by AccessCount desc
// Alert on suspicious activity
SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertSeverity in ("High", "Medium")
| project TimeGenerated, AlertName, AlertSeverity, Description, RemediationSteps
| order by TimeGenerated desc
Compliance and Governance¶
Checklist¶
- Compliance Frameworks
- Document compliance requirements (GDPR, HIPAA, SOC2, etc.)
- Configure Microsoft Purview compliance
- Implement regular compliance audits
-
Maintain compliance documentation
-
Data Residency
- Configure data residency requirements
- Document data storage locations
- Implement geo-restrictions where required
-
Validate cross-border data transfer compliance
-
Retention Policies
- Configure retention policies for all data
- Implement automated data lifecycle management
- Document retention schedules
-
Set up legal hold capabilities
-
Audit Trails
- Enable comprehensive audit logging
- Implement immutable audit logs
- Configure audit log retention
- Regular audit log reviews
Compliance Configuration¶
# Enable Azure Policy for compliance
az policy assignment create \
--name enforce-synapse-security \
--policy "/providers/Microsoft.Authorization/policySetDefinitions/Azure-Synapse-Analytics-Security" \
--scope "/subscriptions/{sub-id}/resourceGroups/rg-analytics-prod"
# Create custom policy for data residency
az policy definition create \
--name restrict-resource-locations \
--rules '{
"if": {
"not": {
"field": "location",
"in": ["eastus", "westus", "centralus"]
}
},
"then": {
"effect": "deny"
}
}'
Development Security¶
Checklist¶
- Secure Development Lifecycle
- Implement secure coding practices
- Conduct code security reviews
- Use static code analysis tools
-
Implement dependency scanning
-
CI/CD Security
- Secure CI/CD pipelines
- Implement secret scanning in repositories
- Use separate service principals for CI/CD
-
Implement approval gates for production
-
Environment Isolation
- Separate development, test, and production environments
- Use different subscriptions/resource groups
- Implement environment-specific access controls
-
No production data in non-production environments
-
Source Control Security
- No secrets in source control
- Enable branch protection policies
- Require code reviews for all changes
- Use signed commits where possible
Service-Specific Security¶
Synapse Analytics¶
- Configure managed VNet for workspace
- Enable data exfiltration protection
- Implement private endpoints for all connections
- Configure workspace firewall rules
- Enable SQL auditing and threat detection
- Implement column-level and row-level security
- Configure Spark pool security settings
Azure Data Lake Storage Gen2¶
- Enable hierarchical namespace
- Configure ACLs on folders and files
- Implement storage firewall rules
- Use private endpoints for storage access
- Enable versioning for critical data
- Configure lifecycle management policies
- Enable blob soft delete
Azure Key Vault¶
- Enable soft delete and purge protection
- Implement network restrictions
- Use Azure RBAC for access control
- Enable Key Vault diagnostics
- Configure key expiration policies
- Implement automated key rotation
Incident Response¶
Checklist¶
- Incident Response Plan
- Document incident response procedures
- Define incident severity levels
- Establish communication protocols
-
Assign incident response roles
-
Detection and Alert
- Configure security alerts
- Set up automated detection rules
- Integrate with SIEM (Microsoft Sentinel)
-
Test alerting mechanisms
-
Response Procedures
- Document containment procedures
- Establish evidence collection process
- Define escalation paths
-
Conduct regular incident response drills
-
Post-Incident
- Conduct post-incident reviews
- Document lessons learned
- Update security controls
- Update incident response plan
Best Practices Summary¶
Critical Security Controls¶
| Control | Priority | Implementation Effort |
|---|---|---|
| Enable MFA for all admin accounts | Critical | Low |
| Implement private endpoints | Critical | Medium |
| Enable encryption at rest and in transit | Critical | Low |
| Configure RBAC with least privilege | Critical | Medium |
| Enable comprehensive logging | High | Medium |
| Implement data classification | High | High |
| Configure automated backups | High | Low |
| Enable threat detection | High | Low |
| Implement secret rotation | Medium | Medium |
| Conduct regular security reviews | Medium | Ongoing |
Related Resources¶
- Azure Security Baseline for Synapse
- Azure Security Best Practices
- Microsoft Cloud Security Benchmark
- Azure Well-Architected Framework - Security
- Network Security Best Practices
- Data Governance Guide
Note: Security requirements and best practices evolve continuously. Review and update security configurations regularly to maintain compliance and protection against emerging threats.