7 Common Microsoft Azure Security Mistakes and How to Avoid Them

Most cloud security issues don’t come from outside attacks. Research shows that nearly 23% of cloud security incidents stem from cloud misconfigurations, leaving serious loopholes in your environment. 

From working with numerous Azure customers, we’ve identified recurring security pitfalls common across all industry verticals and company sizes. 

In this article, we’ll outline these common Azure security mistakes, explain why they matter, and show you how to mitigate the risks. 

Niels Kroeze IT Business Copywriter

Reading time 7 minutes Published: 03 October 2025

7 Common Microsoft Azure Security Mistakes 

We have compiled a list of 7 common security mistakes to avoid in Azure: 

  1. Not understanding the shared responsibility model 
  2. Unprotected public endpoints 
  3. Broken authorisation 
  4. Not encrypting data at rest 
  5. Unrestricted NSGs (Network Security Groups) 
  6. Insecure storage accounts 
  7. Lack of monitoring and logging 

1. Not understanding the Shared Responsibility Model 

A common misconception when organisations adopt the cloud is that cloud providers handle all security. In reality, providers like Microsoft Azure operate under a shared responsibility model for security, where: 

  • Microsoft is responsible for the security of the underlying infrastructure, including physical servers and networks.  
  • Customers are responsible for the security of their data and applications, as well as for configuring Azure services. 

Azure Shared Responsibility Model

Best Practices

  • Learn which responsibilities are yours as a customer and which are not.
  • Clearly document who within your organisation is responsible for which security tasks.
  • Set up identity and access management (IAM) properly.
  • Monitor and log actively.
  • Secure your data.

 

2. Unprotected public endpoints 

Unprotected public endpoints, whether websites, management ports or remote access to servers, expose you to the public internet. Essentially, every public IP address is a potential security risk. Before exposing anything, consider whether it’s really necessary.

 

Best Practices

If a public endpoint is necessary, you can do a few things to mitigate the risks:

Infrastructure as a Service (IaaS)

  • Use Access Control Lists (ACLs) and Network Security Groups (NSGs) to limit access.
  • Enable Microsoft Defender Just-in-Time (JIT) access for temporary management sessions.
  • Consider VPNs or appliances from the VM gallery for controlled access.
  • Use Azure Bastion for administrative RDP/management access.

Use a hub/spoke model with a Firewall to reduce the number of Public IPs and centralise access control.

Richard van Tetering - Azure Consultant

Platform as a Service (PaaS)

Compute Layer:  

  • Firewalls, IP address filters 
  • Service endpoints to prevent outside Azure access 
  • Private endpoints for stricter security 

Data Layer: 

  • Network access lists for storage accounts 
  • IP address ranges for allowed access 
  • Virtual Networks and VPN 
  • SAS tokens (limited time/use, optional IP filtering) for public content 

Management layer:

  • Apply Conditional Access (MFA, IP restrictions) to management portals for stronger administrative security.

 

Even though a blob or file may be publicly accessible, SAS tokens give additional granularity for access control. This is a lower-impact measure compared to enforcing Private Link across everything, but it still significantly improves security. 

 

3. Broken authorisation: Giving every Azure user the Owner role 

Another common pitfall in Azure is broken authorisation: granting overly broad access within the management plane, where every Azure user is an Owner. This happens in organisations and projects of any size, even at the subscription scope or other very broad scopes.

When onboarding new users, it’s common to copy the first user’s access, turning role-based access control (RBAC) into an “everyone has full rights” scenario.

The problem is that the Owner can manage user access, create, update, and delete assignments, and invite anyone in. Additionally, they can create, read, update, and delete any resources within their scope. At the subscription level, a single Owner can remove other users, delete newly created resources, or grant access to anyone with an email address.

Mismanaged access like this creates major security risks across your Azure environment. 

 

Best Practices

This is what you should do instead:  

  • Separate administrative duties in Azure across roles. The Contributor role can handle most resource management tasks, while the User Access Administrator role should manage role assignments. Splitting these responsibilities ensures no single person has unrestricted control over both resources and access, thus improving security. 
  • Assign roles at the resource group level rather than the subscription level. Remember that static RBAC assignments remain until removed, so evaluate them regularly when making changes. 

By managing roles carefully, splitting duties, and applying governance, you reduce the risk of accidental or malicious misuse of privileges in Azure. Use Management Groups and Azure policies to set this up.
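The review described above can be run over an export of role assignments. This is an added example, not code from the original article: it assumes the JSON shape of `az role assignment list --all -o json`, and the principals and subscription ID are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `az role assignment list --all -o json` output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "carol@example.com", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "dave@example.com", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-data"},
    {"principalName": "dave@example.com", "roleDefinitionName": "User Access Administrator",
     "scope": SUB + "/resourceGroups/rg-data"},
]
BROAD = {"management-group-or-root", "subscription"}
SPLIT_ROLES = {"Contributor", "User Access Administrator"}

def scope_level(scope):
    """Classify an ARM scope string by how broad it is."""
    s = scope.rstrip("/").lower()
    if s == "" or s.startswith("/providers/microsoft.management/managementgroups/"):
        return "management-group-or-root"
    if re.fullmatch(r"/subscriptions/[^/]+", s):
        return "subscription"
    if re.fullmatch(r"/subscriptions/[^/]+/resourcegroups/[^/]+", s):
        return "resource-group"
    return "resource"

def audit_assignments(assignments):
    """Flag Owner at broad scopes, and principals holding both split roles at one scope."""
    findings, roles_at = [], defaultdict(set)
    for a in assignments:
        level = scope_level(a["scope"])
        roles_at[(a["principalName"], a["scope"])].add(a["roleDefinitionName"])
        if a["roleDefinitionName"] == "Owner" and level in BROAD:
            findings.append((a["principalName"], f"Owner at {level} scope"))
    # Contributor plus User Access Administrator at one scope undoes the separation of duties.
    for (principal, scope), roles in roles_at.items():
        if SPLIT_ROLES <= roles:
            findings.append((principal, f"both split roles at {scope_level(scope)} scope"))
    return findings

if __name__ == "__main__":
    for principal, reason in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{principal}: {reason}")
```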


4. Not encrypting data at rest 

Data encryption is one of the most effective security measures organisations can undertake to protect their data. Even if data is stolen, encryption prevents unauthorised access. 

Best Practices

Use solutions like Azure Disk Encryption and Azure Key Vault.

 

5. Unrestricted Network Security Groups (NSGs) 

Network Security Groups (NSGs) control inbound and outbound traffic to Azure resources. While they provide a strong layer of protection, misconfigurations are common and often leave environments exposed.

Some of the biggest mistakes when it comes to NSGs include: 

  • Leaving NSGs wide open: allowing inbound access from “Any” source or outbound access without restriction. 
  • Using overly permissive rules 
  • Not segmenting traffic between subnets or workloads. 
  • Forgetting to apply NSGs consistently across all resources. 
  • Relying only on NSGs without additional layers like firewalls. 

As a consequence, malicious actors can target your VMs and services with exploit attempts, and mistakes like exposed management ports increase the likelihood of a compromised environment.

 

Best Practices

Take these actions to reduce the risk:

  • Open only the minimum required ports, allowing only necessary traffic while blocking all other traffic.  
  • Regularly review and tighten your NSG rules. 
  • Restrict access to trusted IP ranges or through a VPN. 
  • Use Just-in-Time (JIT) access for RDP/SSH instead of leaving them permanently open. 
  • Combine NSGs with Azure Firewall or Web Application Firewall (WAF) for deeper inspection. 

By following these practices and applying the principle of least privilege, while also tightening rules, you can significantly reduce your attack surface. 
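A regular NSG review can start from an export of the rules. The following is an added example, not code from the original article: it assumes the JSON shape of `az network nsg list -o json`, and the NSG and rule names are constructed.

```python
# Constructed sample shaped like `az network nsg list -o json` output.
SAMPLE_NSGS = [
    {"name": "nsg-web", "securityRules": [
        {"name": "allow-https", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "*", "destinationPortRange": "443"},
        {"name": "allow-rdp-any", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "Internet", "destinationPortRanges": ["3380-3400"]},
        {"name": "allow-ssh-office", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"}]},
    {"name": "nsg-legacy", "securityRules": [
        {"name": "allow-all", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefixes": ["0.0.0.0/0"], "destinationPortRange": "*"}]},
]
ANY_SOURCE = {"*", "any", "internet", "0.0.0.0/0"}
MGMT_PORTS = {22: "SSH", 3389: "RDP"}  # the management ports named in the article

def port_spans(rule):
    """Return (low, high) pairs for every destination port entry on a rule."""
    entries = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        entries.append(rule["destinationPortRange"])
    spans = []
    for entry in entries:
        low, _, high = ("0-65535" if entry == "*" else entry).partition("-")
        spans.append((int(low), int(high or low)))
    return spans

def audit_nsgs(nsgs):
    """Return (nsg, rule, reason) for inbound Allow rules open to any source."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules") or []:
            if (rule.get("access"), rule.get("direction")) != ("Allow", "Inbound"):
                continue
            sources = list(rule.get("sourceAddressPrefixes") or [])
            sources.append(rule.get("sourceAddressPrefix") or "")
            if not any(s.lower() in ANY_SOURCE for s in sources):
                continue  # source is restricted to specific ranges
            spans = port_spans(rule)
            if (0, 65535) in spans:
                findings.append((nsg["name"], rule["name"], "all ports open to any source"))
                continue
            for port, label in MGMT_PORTS.items():
                # A range such as 3380-3400 exposes RDP even though 3389 is never written out.
                if any(lo <= port <= hi for lo, hi in spans):
                    findings.append((nsg["name"], rule["name"], f"{label} {port} open to any source"))
    return findings

if __name__ == "__main__":
    for finding in audit_nsgs(SAMPLE_NSGS):
        print(*finding, sep=" | ")
```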

 

6. Insecure Storage Accounts 

Azure Storage provides scalable and secure cloud storage for data, apps and backups. However, it can leave your data exposed or become vulnerable to unauthorised access when misconfigured. One example is a storage account left with public access, which can lead to unauthorised access or even data breaches and data loss.

Other common mistakes include: 

  • Using shared keys instead of role-based access control (RBAC). 
  • Not restricting access to trusted networks or IP ranges. 
  • Relying on default configurations without reviewing them. 
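The mistakes listed above map to a handful of storage account properties that can be checked in bulk. This is an added example, not code from the original article: it assumes the JSON shape of `az storage account list -o json`, the account names are constructed, and treating an unset property as a finding is a choice made for this sketch.

```python
# Constructed sample shaped like `az storage account list -o json` output.
SAMPLE_ACCOUNTS = [
    {"name": "stlegacydata", "allowBlobPublicAccess": True, "allowSharedKeyAccess": None,
     "publicNetworkAccess": None, "networkRuleSet": {"defaultAction": "Allow"}},
    {"name": "stpartnershare", "allowBlobPublicAccess": False, "allowSharedKeyAccess": True,
     "publicNetworkAccess": "Enabled", "networkRuleSet": {"defaultAction": "Deny"}},
    {"name": "stprivate", "allowBlobPublicAccess": False, "allowSharedKeyAccess": False,
     "publicNetworkAccess": "Disabled", "networkRuleSet": {"defaultAction": "Deny"}},
]

def audit_storage_account(acct):
    """Return the list of weak settings on one storage account."""
    issues = []
    # None means the property was never set explicitly; flag it so the value gets pinned
    # instead of relying on a default (assumption of this sketch).
    if acct.get("allowBlobPublicAccess") is not False:
        issues.append("anonymous blob access not disabled")
    # An unset allowSharedKeyAccess behaves as enabled, so account keys still work.
    if acct.get("allowSharedKeyAccess") is not False:
        issues.append("shared key authorisation still allowed")
    # Open to every network only if the public endpoint is on AND the firewall default is Allow.
    public_endpoint = acct.get("publicNetworkAccess") != "Disabled"
    default_action = (acct.get("networkRuleSet") or {}).get("defaultAction", "Allow")
    if public_endpoint and default_action != "Deny":
        issues.append("reachable from all networks")
    return issues

def audit_storage_accounts(accounts):
    """Map account name to its issues, omitting accounts with none."""
    report = {}
    for acct in accounts:
        issues = audit_storage_account(acct)
        if issues:
            report[acct["name"]] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit_storage_accounts(SAMPLE_ACCOUNTS).items():
        print(name, "->", "; ".join(issues))
```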

 

Best Practices

Do this to secure your storage accounts: 

  • Always disable public access (unless you have a strong business case).
  • Use Azure RBAC with managed identities instead of account keys.
  • Restrict access with network rules, private endpoints and service endpoints.
  • Enable logging and monitoring.
  • Prefer customer-managed keys (CMK) for sensitive workloads.
  • Apply SAS (Shared Access Signature) tokens with expiration and IP restrictions for external sharing.
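The SAS guidance here and in the public endpoints section (limited time, optional IP filtering) can be checked on a token before it is shared. This is an added example, not code from the original article: the URLs, signature value and 24-hour limit are constructed assumptions, while `se`, `sip`, `spr`, `sp` and `sig` are the standard SAS query parameters.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs; the sig values are placeholders, not real signatures.
BASE = "https://examplestore.blob.core.windows.net/public/report.pdf?sv=2022-11-02&sr=b"
WEAK_URL = BASE + "&sp=rwd&se=2026-12-31T00:00:00Z&sig=CONSTRUCTED"
TIGHT_URL = (BASE + "&sp=r&st=2025-10-03T00:00:00Z&se=2025-10-03T08:00:00Z"
             "&sip=203.0.113.10&spr=https&sig=CONSTRUCTED")
SAMPLE_NOW = datetime(2025, 10, 3, tzinfo=timezone.utc)

def parse_sas_time(value):
    """Parse the ISO 8601 UTC timestamps used in the st/se parameters."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def review_sas_url(url, now, max_lifetime=timedelta(hours=24)):
    """Return the weaknesses found in the SAS parameters of a URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["not a SAS URL (no sig parameter)"]
    issues = []
    if "se" not in q:
        issues.append("no expiry in token (se); check the stored access policy")
    else:
        expiry = parse_sas_time(q["se"])
        if expiry <= now:
            issues.append("token already expired")
        elif expiry - now > max_lifetime:
            hours = int(max_lifetime.total_seconds() // 3600)
            issues.append(f"lifetime exceeds {hours}h")
    if "sip" not in q:
        issues.append("no IP restriction (sip)")
    # When spr is absent the service accepts both HTTPS and HTTP.
    if q.get("spr", "https,http") != "https":
        issues.append("plain HTTP allowed (spr)")
    # For sharing public content, anything beyond read/list is more than needed.
    extra = set(q.get("sp", "")) - set("rl")
    if extra:
        issues.append("grants more than read/list: " + "".join(sorted(extra)))
    return issues

if __name__ == "__main__":
    for url in (WEAK_URL, TIGHT_URL):
        print(review_sas_url(url, SAMPLE_NOW) or "no issues")
```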

7. Lack of monitoring and logging 

Last but not least, a very common pitfall in Azure projects is missing audit logging completely. This isn’t only about logs being too limited or not detailed enough – it’s about not having them at all.

Without proper monitoring and logging, you can’t detect crucial anomalous activity or investigate incidents with precision. Not all Azure services emit audit logs by default, and retention is often short (90 days for Azure Activity Logs). While you might get some metrics from Azure Monitor for services (like Azure Key Vault), you don't always get to see detailed activity within those logs.

 

Best Practices

To mitigate logging gaps you can set up automatic alerts: 

  • Enable Microsoft Defender for each service (e.g., Key Vault, Storage Account). This gives you custom or automatic alerts based on utilisation. 

Example (Storage Account): 

  • Alert if someone accesses it from an unusual location. 
  • Alert if there’s potential data exfiltration. 
  • Alert on unusual user activity. 

Even if you don’t onboard into Sentinel and don’t have a full SOC team watching, these alerts are still valuable. Consistent monitoring in Azure is a key part of strengthening your cloud security posture, giving you early visibility into potential threats so you can respond quickly.
