# Role Deep Dive: Azure Security Engineer
---
## Role Overview
Azure Security Engineers design, implement, and maintain the security posture of Azure environments. They protect data, identities, applications, and infrastructure from threats. They implement zero-trust architecture, manage identity security, configure network defenses, and respond to security incidents.

**Alternative Titles:** Cloud Security Engineer, Azure Security Architect, Cloud Security Analyst, Information Security Engineer

**Typical Salary Range:** $110,000 – $180,000 (US)
---
## Core Responsibilities
### 1. Identity & Access Security (25% of role)
- Implement and manage Microsoft Entra ID security features
- Design and enforce Conditional Access policies
- Implement Privileged Identity Management (PIM)
- Configure MFA for all users (passwordless where possible)
- Manage application permissions and consent
- Implement identity protection and risk policies
**Granular Tasks:**
- **Conditional Access Policies (build in this order):**
  1. Block legacy authentication protocols (IMAP, POP, SMTP)
  2. Require MFA for all users (with exclusions for break-glass accounts)
  3. Require MFA for Azure management (all admin portals)
  4. Block access from untrusted countries
  5. Require compliant device for corporate resources
  6. Require MFA + compliant device for privileged roles
  7. Block sign-in for high-risk users (Identity Protection)
  8. Require MFA for medium-risk sign-ins (Identity Protection)
  9. Require terms of use for guest access
  10. Session controls: limited access for unmanaged devices
- **PIM Configuration:**
  - All admin roles: eligible (not permanent), require MFA on activation, require approval, max 8-hour activation
  - Owner/Contributor on subscriptions: eligible, require approval + ticket number
  - Key Vault Contributor: eligible, 1-hour max
  - Break-glass accounts: permanent Global Admin (2 accounts, 30-char passwords, stored in physical safe)
  - Configure access reviews: quarterly review of all PIM-eligible assignments
- **Identity Protection:**
  - User risk policy: High risk → block sign-in, force password reset
  - Sign-in risk policy: Medium risk → require MFA, High risk → block
  - Risky users: investigate, dismiss false positives, confirm compromised → reset password + revoke sessions
  - Configure risk detections: impossible travel, anonymous IP, malware-linked IP, unfamiliar sign-in properties
- **Application Security:**
  - Review app registrations: minimize permissions (delegated > application)
  - Admin consent workflow: users can request, admins approve
  - Restrict third-party app consent (require admin approval for new apps)
  - Credential management: certificate-based > secret-based for service principals
  - Rotate secrets every 90 days (automated via Key Vault)
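A small audit of the credential guidance above (certificates over secrets, 90-day rotation), written for this page as an added example and not taken from any Microsoft tool. It assumes app registrations exported in the shape of the Microsoft Graph `/applications` response (`passwordCredentials`, `keyCredentials`) and runs over constructed records with a fixed clock; `audit_app` and `audit_all` are names chosen here.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Microsoft Graph /applications output
# (passwordCredentials = client secrets, keyCredentials = certificates).
# Values are made up for the example; NOW is fixed so results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_SECRET_AGE = timedelta(days=90)  # the page's 90-day rotation target
APPS = [
    {"displayName": "billing-api",
     "passwordCredentials": [{"keyId": "pw-1", "startDateTime": "2023-11-15T00:00:00Z",
                              "endDateTime": "2025-11-15T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "etl-runner",
     "passwordCredentials": [],
     "keyCredentials": [{"keyId": "cert-1", "type": "AsymmetricX509Cert",
                         "startDateTime": "2024-04-01T00:00:00Z",
                         "endDateTime": "2025-04-01T00:00:00Z"}]},
    {"displayName": "legacy-sync",
     "passwordCredentials": [{"keyId": "pw-2", "startDateTime": "2024-05-10T00:00:00Z",
                              "endDateTime": "2024-05-20T00:00:00Z"}],
     "keyCredentials": []},
]


def parse_ts(value):
    """Graph returns ISO-8601 with a trailing Z; fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_app(app, now=NOW, max_age=MAX_SECRET_AGE):
    """Return a list of findings for one app registration (empty list = compliant)."""
    findings = []
    for cred in app["passwordCredentials"]:
        age = now - parse_ts(cred["startDateTime"])
        if parse_ts(cred["endDateTime"]) < now:
            findings.append(f"{cred['keyId']}: expired secret still registered; remove it")
        elif age > max_age:
            findings.append(f"{cred['keyId']}: secret is {age.days} days old; rotate (90-day policy)")
        else:
            # In date and fresh, but the page prefers certificates for service principals.
            findings.append(f"{cred['keyId']}: secret-based credential; prefer a certificate")
    for cred in app["keyCredentials"]:
        if parse_ts(cred["endDateTime"]) < now:
            findings.append(f"{cred['keyId']}: certificate expired; renew")
    return findings


def audit_all(apps, now=NOW):
    """Map app display name -> findings, keeping only apps with at least one finding."""
    return {a["displayName"]: f for a in apps if (f := audit_app(a, now))}
```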
### 2. Network Security (20% of role)
- Implement zero-trust network architecture
- Configure Azure Firewall (Standard and Premium)
- Implement WAF policies (App Gateway / Front Door)
- Configure NSGs with least-privilege rules
- Implement Private Endpoints for all PaaS services
- Configure DDoS Protection
- Implement DNS security
**Granular Tasks:**
- **Zero-Trust Network Architecture:**
  - Verify explicitly: authenticate and authorize every request (MFA, Conditional Access, RBAC)
  - Use least privilege: minimal access, just-in-time, PIM
  - Assume breach: microsegmentation, Private Endpoints, blast radius containment
  - All PaaS services: Private Endpoints (disable public access)
  - All management: Bastion (no public RDP/SSH), JIT VM access
  - All outbound: Azure Firewall (inspect, filter, log)
  - All web traffic: WAF (Prevention mode)
  - Network segmentation: separate subnets per tier, NSGs deny-all default
- **Azure Firewall Premium:**
  - TLS inspection: inspect encrypted traffic (deploy certificates, configure key vault)
  - IDPS: enable signature mode (alert + deny), tune rules (disable false positives)
  - Web categories: block gambling, malware, phishing categories
  - URL filtering: allow specific URLs within FQDNs
  - DNS proxy: enable, configure custom DNS servers, use FQDN in network rules
- **WAF Policy:**
  - OWASP 3.2 rule set
  - Prevention mode (not detection) for production
  - Custom rules: block specific IP ranges, geo-filter (allow only company countries)
  - Exclusions: exclude specific request fields from WAF inspection (e.g., large file uploads)
  - Rate limiting: limit requests per IP (e.g., 1000/minute)
- **NSG Hardening:**
  - Default: deny all inbound, allow all outbound
  - Add only specific allow rules with narrow source/dest/port
  - Use Service Tags instead of IP ranges (Storage, Sql, AppService)
  - Use ASGs for workload grouping
  - No "Allow Any" rules (no 0.0.0.0/0 inbound)
  - Review and clean up unused rules monthly
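An added example (not from the page or from Azure tooling) that checks exported NSG rules against the hardening list above: no "Allow Any" inbound, no wide-open ports, and an explicit deny-all inbound rule. The rule shape assumes the field names of `az network nsg rule list -o json`; the rules themselves are constructed.

```python
# Constructed NSG rules in the shape of `az network nsg rule list -o json`
# (field names assumed from the CLI output; values are made up for the example).
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}

SAMPLE_RULES = [
    {"name": "AllowHttpsFromFrontDoor", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "AzureFrontDoor.Backend", "destinationPortRange": "443"},
    {"name": "AllowRdpFromAnywhere", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowAppTier", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "*"},
    {"name": "AllowSqlOut", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationAddressPrefix": "Sql",
     "destinationPortRange": "1433"},
    {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _sources(rule):
    """Multi-value form takes precedence over the single-value field, as in the CLI output."""
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def _ports(rule):
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]


def audit_nsg(rules):
    """Return findings against the page's NSG hardening list (empty list = clean)."""
    findings = []
    explicit_deny_all = False
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound":
            continue  # the baseline above allows all outbound; only inbound is audited here
        src, ports = _sources(rule), _ports(rule)
        wide_source = bool(set(src) & ANY_SOURCE)
        if rule["access"] == "Deny" and wide_source and "*" in ports:
            explicit_deny_all = True  # the custom deny-all catch-all the page asks for
            continue
        if rule["access"] != "Allow":
            continue
        if wide_source:
            findings.append(f"{rule['name']}: 'Allow Any' inbound from {', '.join(src)}")
        if "*" in ports:
            findings.append(f"{rule['name']}: allows every destination port; narrow it")
    if not explicit_deny_all:
        findings.append("no explicit deny-all inbound rule (add one at priority 4096)")
    return findings
```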
### 3. Data Protection & Encryption (15% of role)
- Implement encryption at rest (AES-256, customer-managed keys)
- Implement encryption in transit (TLS 1.2+, enforce HTTPS)
- Implement encryption in use (Confidential Computing)
- Configure Azure Key Vault (secrets, keys, certificates)
- Implement data classification and protection
- Configure database security (TDE, Always Encrypted, Dynamic Data Masking)
**Granular Tasks:**
- **Key Vault Security:**
  - RBAC authorization model (not access policies)
  - Private Endpoint for all access
  - Firewall: deny public access, allow specific VNets
  - Soft delete: enabled (default), purge protection: enabled
  - Audit logging: send to Log Analytics + Storage Account
  - Key rotation: auto-rotate on creation (set rotation policy)
  - Certificate auto-renewal: integrate with DigiCert/GlobalSign
  - HSM-backed keys for cryptographic operations (Premium or Managed HSM)
- **Encryption at Rest:**
  - Platform-managed keys (PMK): default, no management overhead
  - Customer-managed keys (CMK): store in Key Vault, full control, rotation
  - Customer-managed keys with auto-rotate: set rotation policy in Key Vault
  - When to use CMK: regulatory requirements, key custody requirements, multi-tenant isolation
- **SQL Database Security:**
  - TDE (Transparent Data Encryption): enabled by default (PMK). Use CMK for compliance.
  - Always Encrypted: encrypt columns client-side. DB never sees plaintext. Use with Key Vault.
  - Dynamic Data Masking: mask SSN, credit card in results (e.g., XXX-XX-1234)
  - Row-Level Security: filter rows by user context
  - Auditing: log all database events to Storage Account + Log Analytics
  - Microsoft Defender for SQL: vulnerability assessment, threat detection
  - Firewall: deny public access, allow only from VNets/Private Endpoints
- **Data Classification:**
  - Microsoft Purview Information Protection: classify and label data
  - Sensitivity labels: Public, Internal, Confidential, Highly Confidential
  - Auto-classification: scan and label based on content (SSN, credit card patterns)
  - DLP (Data Loss Prevention): prevent sharing of sensitive data
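The Key Vault Security list above turned into a posture check, added here as an example rather than taken from Microsoft's tooling. It assumes the ARM property names returned by `az keyvault show` and the `logs` shape of `az monitor diagnostic-settings list`, and runs over constructed vault records; `audit_key_vault` is a name chosen here.

```python
# Constructed Key Vault resources in the shape of `az keyvault show -o json`, plus the
# vault's diagnostic settings (shape of `az monitor diagnostic-settings list`).
# Property names follow the ARM schema; the values are made up for the example.
HARDENED_VAULT = {
    "name": "kv-prod-secrets",
    "properties": {
        "enableRbacAuthorization": True,
        "enableSoftDelete": True,
        "enablePurgeProtection": True,
        "publicNetworkAccess": "Disabled",
        "networkAcls": {"defaultAction": "Deny"},
        "privateEndpointConnections": [{"id": "/subscriptions/<sub>/.../pe-kv-prod"}],
    },
}
HARDENED_DIAGNOSTICS = [
    {"workspaceId": "/subscriptions/<sub>/.../law-security",
     "logs": [{"category": "AuditEvent", "enabled": True}]},
]
LEGACY_VAULT = {
    "name": "kv-legacy",
    "properties": {
        "enableRbacAuthorization": False,  # still on access policies
        "enableSoftDelete": True,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow"},
        "privateEndpointConnections": [],
    },
}


def audit_key_vault(vault, diagnostics):
    """Check one vault against the Key Vault Security list; empty result = compliant."""
    p = vault["properties"]
    findings = []
    if not p.get("enableRbacAuthorization"):
        findings.append("access-policy model in use; enable RBAC authorization")
    public_open = p.get("publicNetworkAccess", "Enabled") != "Disabled"
    if public_open and p.get("networkAcls", {}).get("defaultAction") != "Deny":
        findings.append("public access allowed; disable it or set the firewall default to Deny")
    if not p.get("privateEndpointConnections"):
        findings.append("no Private Endpoint; all access should go through one")
    if not p.get("enableSoftDelete", True):
        findings.append("soft delete disabled")
    if not p.get("enablePurgeProtection"):
        findings.append("purge protection disabled")
    audit_log_on = any(log.get("category") == "AuditEvent" and log.get("enabled")
                       for setting in diagnostics for log in setting.get("logs", []))
    if not audit_log_on:
        findings.append("AuditEvent logs not exported to Log Analytics/Storage")
    return findings
```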
### 4. Threat Detection & Response (15% of role)
- Configure Microsoft Defender for Cloud
- Implement Microsoft Sentinel (SIEM + SOAR)
- Configure threat detection across all services
- Create incident response playbooks
- Conduct threat hunting
**Granular Tasks:**
- **Defender for Cloud:**
  - Enable all Defender plans (Servers, App Service, SQL, Storage, Containers, Key Vault, DNS, IoT, Databases)
  - Review Secure Score weekly, remediate critical recommendations
  - Configure email notifications for critical alerts
  - Enable JIT VM access for all internet-facing VMs
  - Export alerts to Sentinel for centralized investigation
- **Sentinel Setup:**
  - Data connectors: Entra ID, Microsoft 365, Azure Activity, Security Alerts, DNS, Firewall
  - Third-party connectors: Palo Alto, Cisco, Fortinet, Okta
  - Analytics rules:
    - Scheduled: failed logins from same IP > 10 in 5 minutes
    - Fusion: multi-stage attack detection (correlate across signals)
    - ML-based: anomaly detection on user behavior
  - Playbooks (Logic Apps):
    - Auto-block IP: alert → add IP to NSG deny rule / Firewall block list
    - Disable user: alert → disable Entra ID account → revoke sessions
    - Isolate VM: alert → add NSG rule blocking all inbound/outbound
    - Notify team: alert → Teams message → ServiceNow ticket
  - Hunting queries: proactively search for indicators of compromise
  - Watchlists: VIP users, known malicious IPs, authorized admin machines
  - Workbooks: security operations dashboard
- **Incident Response Process:**
  1. Detect: alert from Defender/Sentinel/custom analytics
  2. Triage: assess severity, scope, impact
  3. Contain: isolate affected resources (NSG rules, disable accounts)
  4. Investigate: review logs, timeline, related alerts
  5. Remediate: fix vulnerability, rotate credentials, patch systems
  6. Recover: restore services, verify clean state
  7. Post-incident: root cause analysis, update policies, update playbooks
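The scheduled analytics rule named above (failed logins from the same IP > 10 in 5 minutes) as a sliding-window detection over constructed SigninLogs-style rows. This is an added example, not a Sentinel rule export; the field names mirror the Entra ID sign-in log schema and the alert also counts distinct targeted accounts, which is what separates a brute force against one user from a spray across many.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
THRESHOLD = 10  # alert when failures from one IP exceed this inside WINDOW
T0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)


def make_sample():
    """Constructed SigninLogs-style rows (TimeGenerated, IPAddress, UserPrincipalName,
    ResultType). ResultType '0' is success; 50126 is 'invalid username or password'."""
    rows = [{"TimeGenerated": T0, "IPAddress": "203.0.113.7",
             "UserPrincipalName": "user0@contoso.example", "ResultType": "0"}]
    for i in range(12):  # 12 failures in under 3 minutes, spread over 4 accounts (spray-like)
        rows.append({"TimeGenerated": T0 + timedelta(seconds=15 * i), "IPAddress": "203.0.113.7",
                     "UserPrincipalName": f"user{i % 4}@contoso.example", "ResultType": "50126"})
    for i in range(11):  # 11 failures, one every 5 minutes: never >10 in any 5-minute window
        rows.append({"TimeGenerated": T0 + timedelta(minutes=5 * i), "IPAddress": "198.51.100.9",
                     "UserPrincipalName": "svc-backup@contoso.example", "ResultType": "50126"})
    return rows


def detect_failed_login_bursts(rows, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window form of 'failed logins from same IP > 10 in 5 minutes'.
    Returns one alert per offending IP with the burst size and distinct targeted users."""
    failures = defaultdict(list)
    for row in rows:
        if row["ResultType"] != "0":
            failures[row["IPAddress"]].append(row)
    alerts = []
    for ip, events in failures.items():
        events.sort(key=lambda r: r["TimeGenerated"])
        start = 0
        for end, event in enumerate(events):
            # drop events from the front until the oldest one is within `window` of this one
            while event["TimeGenerated"] - events[start]["TimeGenerated"] > window:
                start += 1
            if end - start + 1 > threshold:
                burst = events[start:end + 1]
                alerts.append({"IPAddress": ip, "Failures": len(burst),
                               "WindowStart": burst[0]["TimeGenerated"],
                               "DistinctUsers": len({e["UserPrincipalName"] for e in burst})})
                break  # one alert per IP; the auto-block playbook needs no duplicates
    return alerts
```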
### 5. Governance & Compliance (15% of role)
- Implement Azure Policy for security enforcement
- Configure compliance assessments (Defender for Cloud)
- Implement regulatory compliance (ISO 27001, SOC 2, HIPAA, PCI DSS, GDPR, NIST)
- Conduct security assessments and audits
- Manage security baselines
**Granular Tasks:**
- **Key Security Policies:**
  - Deny public endpoints on PaaS services (Storage, SQL, Key Vault)
  - Require encryption at rest (audit resources without encryption)
  - Require HTTPS only on App Service
  - Deny resource creation in non-approved regions
  - Require tags (DataClassification, Owner)
  - Audit diagnostic settings (ensure logging enabled)
  - Deny privileged containers in AKS
  - Require SQL TDE enabled
  - Audit NSG rules allowing unrestricted inbound access
- **Compliance Dashboard:**
  - Defender for Cloud → Regulatory Compliance
  - Map controls to Azure Policy
  - Track compliance percentage per standard
  - Export compliance report for auditors
  - Assign remediation tasks to resource owners
### 6. Application Security (10% of role)
- Secure App Service and AKS deployments
- Implement API security (APIM, OAuth2, rate limiting)
- Review application architecture for security
- Implement secure development practices
**Granular Tasks:**
- App Service: HTTPS only, min TLS 1.2, disable FTP, disable remote debugging, managed identity, private endpoint
- AKS: private cluster, network policies (Calico/Cilium), workload identity, pod security standards, secret store CSI driver, image scanning
- APIM: validate JWT, rate limit, CORS policy, IP filtering, client certificate auth
- Container security: scan images (Defender for Containers), sign images, pin digests
---
## Azure Services Used Daily
| Category | Services |
|---|---|
| Identity | Entra ID, PIM, Identity Protection, Conditional Access, Managed Identity |
| Network | Azure Firewall, WAF, NSG, Private Link, Bastion, DDoS Protection, Front Door |
| Data Protection | Key Vault, Managed HSM, TDE, Always Encrypted, Dynamic Data Masking, Purview |
| Threat Detection | Defender for Cloud, Sentinel, Defender for Endpoint, Identity Protection |
| Governance | Azure Policy, Blueprints, Management Groups, RBAC |
| Compliance | Microsoft Purview, Compliance Manager, Regulatory Compliance |
---
## Security Architecture Checklist
### Identity
- [ ] MFA enabled for all users
- [ ] Conditional Access policies enforced
- [ ] PIM for all privileged roles
- [ ] Passwordless authentication available
- [ ] Legacy authentication blocked
- [ ] Break-glass accounts configured (2 accounts, stored securely)
- [ ] Guest access reviewed quarterly
- [ ] Access reviews for all privileged roles
### Network
- [ ] Private Endpoints for all PaaS services
- [ ] Azure Firewall in hub-spoke
- [ ] WAF on all web entry points (Prevention mode)
- [ ] NSGs with least-privilege rules
- [ ] No public RDP/SSH (Bastion only)
- [ ] DDoS Protection for public-facing workloads
- [ ] Network segmentation (separate subnets per tier)
### Data
- [ ] Encryption at rest (CMK for sensitive data)
- [ ] Encryption in transit (TLS 1.2+)
- [ ] Key Vault for all secrets/keys/certificates
- [ ] Data classification implemented
- [ ] Database security (TDE, masking, auditing, RLS)
- [ ] Immutable storage for audit logs
### Monitoring
- [ ] Defender for Cloud enabled on all resources
- [ ] Sentinel for SIEM + SOAR
- [ ] Diagnostic settings on all resources
- [ ] Alert rules for critical events
- [ ] Incident response playbooks automated
### Governance
- [ ] Azure Policy enforcing security baseline
- [ ] Compliance dashboard tracked
- [ ] Security baselines applied to all resources
- [ ] Tagging strategy enforced (DataClassification, Owner)
---
## Certification Path
| Certification | Level | Focus |
|---|---|---|
| **SC-900** | Foundational | Security fundamentals |
| **AZ-500** | Associate | **Core cert** — Azure Security Engineer |
| **SC-100** | Expert | Cybersecurity Architect |
| **SC-200** | Associate | Security Operations Analyst (Sentinel focus) |
| **SC-300** | Associate | Identity & Access Administrator (Entra ID focus) |
### AZ-500 Exam Breakdown
| Domain | Weight |
|---|---|
| Manage identity and access | 20-25% |
| Secure networking | 20-25% |
| Secure compute, storage, and databases | 25-30% |
| Manage security operations | 25-30% |
---
## Interview Focus Areas
1. **How do you implement zero-trust in Azure?**
   → Verify explicitly (MFA, Conditional Access, RBAC), use least privilege (PIM, JIT), assume breach (Private Endpoints, microsegmentation, WAF, blast radius containment).
2. **Walk me through your Conditional Access strategy.**
   → Block legacy auth → MFA for all → MFA for Azure management → geo-block → compliant device → risk-based policies. Report-only mode first, then enforce.
3. **How do you secure PaaS services?**
   → Private Endpoints (no public access), Azure Firewall for outbound, WAF for web entry, Managed Identity for auth, CMK for encryption, diagnostic logging, Azure Policy to enforce.
4. **How do you detect and respond to threats?**
   → Defender for Cloud for detection, Sentinel for SIEM+SOAR, automated playbooks for response (block IP, disable user, isolate VM), incident response process (detect-triage-contain-investigate-remediate-recover).
5. **How do you manage secrets across the organization?**
   → Key Vault per environment, RBAC authorization, Private Endpoints, audit logging, auto-rotation, Managed Identity for all service auth, no credentials in code or config.
6. **How do you implement compliance (HIPAA/PCI/GDPR)?**
   → Azure Policy for compliance controls, Defender for Cloud regulatory dashboard, Private Endpoints, encryption, audit logging to immutable storage, data classification, DLP, access reviews.
7. **How do you secure AKS?**
   → Private cluster, network policies, workload identity, CSI driver for secrets, pod security standards, image scanning, RBAC with Entra ID, Azure Policy for AKS, Defender for Containers.
8. **What is PIM and why is it critical?**
   → Just-in-time privileged access. No permanent admin roles. Eligible assignments require approval + MFA + time limit. Reduces attack surface from compromised admin accounts.
9. **How do you handle a security incident?**
   → Detect (alert) → Triage (severity, scope) → Contain (isolate resources) → Investigate (logs, timeline) → Remediate (fix, rotate, patch) → Recover (restore, verify) → Post-incident (RCA, update policies).
10. **How do you implement encryption strategy?**
    → At rest: AES-256, PMK default, CMK for sensitive data (Key Vault auto-rotate). In transit: TLS 1.2+ enforced. In use: Confidential Computing (SGX/TEE) for sensitive workloads. Keys in Key Vault/Managed HSM.