Ask an expert: Dig into Azure security best practices

Azure security best practices with Jussi Roine

Microsoft’s Jussi Roine offered expert advice for protecting your Azure environment during his Deploy presentation. The conversation brought up lots of Azure security questions, so we rounded them up to give you the answers.  

Ensuring that your data is protected is an integral part of any Azure governance strategy. During Deploy, ShareGate’s expert-led event on Azure governance, Microsoft’s Jussi Roine (@jussiroine) helped us better understand how to use the security tools available in Azure.

We learned a lot from Jussi, but the audience still had Azure security questions. In this blog, Jussi tackles those questions so that you can feel fully prepared to create a robust security plan for your workloads in Azure and even in on-prem and other cloud workloads as well.

ShareGate has been helping IT professionals succeed in the Microsoft cloud for over a decade. We hope this blog helps you better understand Azure security—but if you’re looking for a tool to make managing Azure even easier, check out how ShareGate Overcast can give you better visibility and control in Azure.

Keep reading to get the answers to these audience questions, and for more Azure security best practices, you can watch Jussi’s 1-hour Deploy presentation.


What’s the difference between Azure Security Center and Azure Sentinel? 

Azure Security Center (ASC) gives you visibility over and recommendations for all Azure services, VMs, and workloads. ASC gives you a centralized view on all things security by keeping data from all of the workloads you care about, your Azure security policies, and your Secure Score in one location.

A screenshot of the Azure Security Center interface on the overview page

Azure Security Center helps you keep your Azure data and services secure.

Azure Sentinel is a newer tool being offered by Microsoft that allows you to input logs and events from Azure, Microsoft 365, your on-prem environment, other cloud environments, and third-party or custom applications into Azure Log Analytics.

You get to keep all of this data from different infrastructures in one place and apply machine learning, as well as your own custom rules, to better understand what’s going on across all of your workloads. This is particularly important if you have a hybrid environment.

Once all of this data is in Azure Log Analytics, you can investigate, manually respond, or set up auto-remediation depending on what Azure Sentinel discovers about your environments.

There’s a lot of functionality in Azure Sentinel: its extensibility model lets you have runbooks carry out responses for you, and you can build those automations yourself or reuse ones that somebody else has already built.

A screenshot of the Azure Sentinel interface on the overview page

Azure Sentinel collects data from all users, devices, and infrastructures to give you better visibility over your organization's security.

So when should you use ASC vs. Azure Sentinel? If you’re just getting started with these tools, you should master ASC before moving on to Azure Sentinel, because the latter often relies on the data from the former. You need to understand ASC before really knowing what you want to push through Azure Sentinel.

This is especially true since ASC is already in your Azure tenant; you just have to enable it and configure it a bit. If you want to use Azure Sentinel, you have to use the ASC connector so that all of the data from ASC will appear in Azure Sentinel as well.

Important reminder! There are free and paid versions of Azure Sentinel that influence what types of data you can bring in, but Microsoft 365 data is always free to import! So when you enable Azure Sentinel, you should definitely connect it with your Microsoft 365 tenants.

How do you really estimate what your cost will be for Azure Sentinel? The Calculator doesn’t usually give an accurate estimation.

The challenge with Azure Sentinel is that you need to start feeding data into it before you can estimate how much you’re getting out of it and how much you’re paying for it.

There’s a free pre-paid tier that allows you to allocate a certain amount to resources. For instance, you could set it up so that you only pay $100 per month.

My advice here is to do your own estimate. Have a look at the source systems, figure out how much data those sources generate, and then add a buffer of about 20%. That should give you a fairly close estimate of what the true cost will be.
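The "measure your sources, then add about 20%" advice above, turned into a query against the workspace's own Usage table. This is an added example, not code from the original post or from ShareGate; it assumes the Az.OperationalInsights module and an existing Connect-AzAccount session, and the workspace id and per-GB price are placeholders you replace with your own values.

```powershell
# Added example (not from the original post). Assumes Az.OperationalInsights is
# installed and Connect-AzAccount has been run. WorkspaceId and PricePerGb are
# supplied by you; take the price from the Sentinel pricing page for your region.
function Get-SentinelIngestionEstimate {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [Parameter(Mandatory)] [double] $PricePerGb,
        [int]    $LookbackDays = 30,
        [double] $Buffer       = 0.20     # the ~20% headroom recommended above
    )

    # The Usage table records ingested volume per table (Quantity is in MB).
    # Summing the billable rows per DataType (SecurityEvent, Syslog, OfficeActivity, ...)
    # gives a per-source baseline measured from real data rather than a guess.
    $kql = @"
Usage
| where TimeGenerated > ago(${LookbackDays}d)
| where IsBillable == true
| summarize IngestedMB = sum(Quantity) by DataType
| order by IngestedMB desc
"@

    $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql

    $rows = foreach ($r in $response.Results) {
        # Normalize the lookback window to a 30-day month before applying the buffer.
        $gb = ([double]$r.IngestedMB / 1024) * (30 / $LookbackDays)
        [pscustomobject]@{
            DataType    = $r.DataType
            MeasuredGB  = [math]::Round($gb, 2)
            EstimatedGB = [math]::Round($gb * (1 + $Buffer), 2)
            EstCost     = [math]::Round($gb * (1 + $Buffer) * $PricePerGb, 2)
        }
    }

    $rows | Format-Table -AutoSize
    $total = ($rows | Measure-Object -Property EstCost -Sum).Sum
    "Estimated monthly ingestion cost including {0:P0} buffer: {1:N2}" -f $Buffer, $total
}

# Placeholder values: replace the GUID and use your region's actual per-GB price.
Get-SentinelIngestionEstimate -WorkspaceId "<log-analytics-workspace-guid>" -PricePerGb 2.00
```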

Does Azure’s identity secure score replace Secure Score in Microsoft 365?

No, it doesn’t. In Azure AD, you have the identity secure score, which provides a score based on how aligned your identities and practices around managing them are with Microsoft’s recommendations for security.

Secure Score in Microsoft 365 gives a 360-degree view of your tenant’s security—both for Microsoft 365 and the relevant workloads in Azure (and especially Azure AD).

At the time of writing, your Azure identity secure score is represented as a number between 1 and 223. The higher your score, the better your security, so your goal should be to get as close to 223 as you can without needlessly making your users jump through hoops.

For example, one really easy adjustment to make that will increase your score is enabling multi-factor authentication (MFA) on accounts with owner and write permissions.

A screenshot of Azure Security Center's recommendations, showing that enabling MFA is the top recommendation for improving Azure identity secure score

Through Azure Security Center, you can easily enable multi-factor authentication and increase your Azure identity secure score.

I think enabling MFA should be at the top of everyone’s security to-do list anyway; the fact that it gives you easy secure score points makes it feel like a fun gamified nudge to make those easy improvements.

Can you whitelist an IP address to a secure Azure portal for a specific subscription?

Conditional Access (as part of Azure AD) does not apply at a subscription level, but at a tenant level. As such, you can enforce strong authentication for Azure Management duties—but beyond that, you can’t dynamically specify an IP as allowed (or blocked) based on which subscription the admin needs to maintain.

There are ways around this, though: you could use separate admin accounts and enforce MFA for those, or enforce allow/block access based on IPs and then match that with admin access.
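The workaround described above, expressed as a Conditional Access policy created with Microsoft Graph PowerShell. This is an added example, not code from the original post: it scopes the policy to a dedicated group of admin accounts, targets the Microsoft Azure Management app (portal, ARM, PowerShell, CLI), and requires MFA from every location except a trusted named location; the group, named-location and break-glass object ids are placeholders you replace.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module.
# The policy is tenant-wide by design; the "per subscription" split comes from which
# admin accounts you put in the group, not from the policy itself.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$adminGroupId      = "<object-id-of-dedicated-azure-admins-group>"   # placeholder
$trustedLocationId = "<named-location-id-for-trusted-office-ips>"    # placeholder
$breakGlassId      = "<object-id-of-break-glass-account>"            # placeholder

$policy = @{
    displayName = "Azure management: require MFA outside trusted IPs"
    # Start in report-only mode; switch to "enabled" after reviewing sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Well-known first-party app id for Microsoft Azure Management. Verify in your
        # tenant: Get-MgServicePrincipal -Filter "displayName eq 'Windows Azure Service Management API'"
        applications   = @{ includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013") }
        clientAppTypes = @("all")
        users          = @{
            includeGroups = @($adminGroupId)
            excludeUsers  = @($breakGlassId)    # never lock out the emergency account
        }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($trustedLocationId)
        }
    }
    # Swap "mfa" for "block" to get the stricter "only from trusted IPs" variant.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```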

We could easily spend two hours dissecting the ways different joined devices will interact with each other. You need to take extra care to manage those devices, especially when they’re hybrid.

To manage these devices in the cloud, you would presumably be using Intune or Endpoint Manager. You would probably also have another way of managing them on-prem, either by relying on the local Active Directory Group Policy Objects or by using System Center.

So typically, if it’s a mobile device, you want to keep it simple since people already have enough trouble getting things to work on their mobile devices.

As for SSPR, Microsoft now supports pushing a password reset from Azure AD to Windows 10. And since SSPR has that capability itself, you can also have it on mobile devices (excluding laptops).

Myself, I would rely on configuring it so that people have to use a real browser. It works on tablet browsers as well, it just requires more work.

What are the limitations on using Self-Service Password Reset when you’re using Azure AD Connect to synchronize users and passwords from on-prem Active Directory?

There aren't really any limitations with Self-Service Password Reset (SSPR). You do need to enable password write-back, so that when a user resets their Azure AD password, that change can be written back to the on-prem Active Directory.

There’s a separate setting you need to enable for password write-back. If you choose not to enable it, then the user will still have the old password in the local AD, and the new password in the cloud. And then, when you keep synchronizing from on-prem to the cloud, it will overwrite again.
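The write-back check described above, as an added example that is not part of the original post: run on the Azure AD Connect server, it reads the password-reset (write-back) setting of the Azure AD connector and enables it if it is off, so a cloud-side SSPR reset reaches on-prem AD instead of being overwritten by the next sync cycle. It assumes the ADSync module that ships with Azure AD Connect and an elevated session on that server.

```powershell
# Added example (not from the original post). Run elevated on the Azure AD Connect
# server; the ADSync module is installed there with the sync engine.
Import-Module ADSync

# The Azure AD connector is named "<tenant>.onmicrosoft.com - AAD".
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like "* - AAD" } | Select-Object -First 1
if (-not $aadConnector) { throw "No Azure AD connector found on this server." }

# Read the current write-back state for that connector.
$config = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
"Password write-back on '$($aadConnector.Name)': Enabled = $($config.Enabled)"

if (-not $config.Enabled) {
    # Without this, the cloud reset lands in Azure AD only and the next sync from
    # on-prem brings the old password back (the mismatch described above).
    # The on-prem AD connector account also needs "Reset password" plus write access
    # to lockoutTime and pwdLastSet on the user OUs for the write-back to succeed.
    Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name -Enable $true
    Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
}
```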

What do you advise for secure app access of Microsoft 365 on mobile: Intune or Conditional Access?

This depends heavily on the specific needs of your organization. Conditional Access is great to get started with, as it’s easy to later combine with Intune.

When capabilities for Conditional Access are exhausted, I advise moving on to Intune—unless there are other benefits to deploying Intune before this, such as inventory reporting. See Microsoft’s guidance for additional insights.


Like other aspects of Azure governance, ensuring you have a well-thought-out strategy for how you’ll approach security is key. Making sure that the rest of your team and your users understand and comply with security guidelines is equally important.

Oftentimes, you have many pathways that can help you achieve similar results. However, deciding ahead of time exactly which methods your organization will use—what tools you'll use for certain processes or who will have what permissions—will help keep your data and environment secure and organized.
