Hardening a new Azure subscription: my first-10-settings checklist
The first ten things I configure on every new Azure subscription before any workload goes near it. Identity, policy, monitoring, and the things teams forget until it's too late.
Whenever I land in a fresh Azure subscription, the first thing I do is not deploy anything. I spend an hour locking it down. Here's the checklist I run through, in the order I run it.
1. Turn on Defender for Cloud — at least the free tier
Go to Microsoft Defender for Cloud → Environment settings → your subscription → Defender plans. Even if you're not paying for the workload protections, the free Cloud Security Posture Management tier gives you Azure Security Benchmark scoring, secure score, and recommendations. Enable it on day one.
2. Set up Activity Log alerts for high-risk operations
You want to know immediately when someone:
- Creates a new role assignment at subscription scope.
- Modifies a Key Vault access policy.
- Changes a Network Security Group's rules.
- Disables a diagnostic setting.
A handful of Activity Log alert rules wired to an action group, keyed on operations such as Microsoft.Authorization/roleAssignments/write and Microsoft.KeyVault/vaults/accessPolicies/write, is enough to catch the vast majority of "wait, who did that?" moments.
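As an added example (not from the original post), here is the step-2 alert setup as an Azure CLI script. The subscription id, resource group, action group and e-mail address are placeholders, and the NSG and diagnostic-setting operation names are ones I added to cover the other bullets above; it prints the commands by default and only runs them when DRY_RUN=0.

```shell
#!/bin/sh
# Added example: subscription-scoped Activity Log alert rules for high-risk operations.
# Assumes the Azure CLI (az) is installed and logged in when DRY_RUN=0.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-platform-monitoring}"                    # assumed name
ACTION_GROUP="${ACTION_GROUP:-ag-security-oncall}"                            # assumed name
ALERT_EMAIL="${ALERT_EMAIL:-secops@example.com}"                              # placeholder
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands, 0 = execute them

# One Activity Log operation name per line. The first two are the ones named in the
# post; the rest cover the NSG-rule and diagnostic-setting bullets.
HIGH_RISK_OPERATIONS='
Microsoft.Authorization/roleAssignments/write
Microsoft.KeyVault/vaults/accessPolicies/write
Microsoft.Network/networkSecurityGroups/securityRules/write
Microsoft.Network/networkSecurityGroups/securityRules/delete
Microsoft.Insights/diagnosticSettings/delete
'

# Derive a lowercase alert-rule name from an operation name, e.g.
#   Microsoft.Authorization/roleAssignments/write -> alert-roleassignments-write
alert_name_for() {
  printf 'alert-%s' "$(printf '%s' "${1#*/}" | tr '/' '-' | tr '[:upper:]' '[:lower:]')"
}

# Build the az command for one operation; print it (dry run) or execute it.
create_alert() {
  op="$1"
  name="$(alert_name_for "$op")"
  set -- az monitor activity-log alert create \
    --name "$name" --resource-group "$RESOURCE_GROUP" \
    --scope "/subscriptions/$SUBSCRIPTION_ID" \
    --condition "category=Administrative and operationName=$op" \
    --action-group "$ACTION_GROUP" \
    --description "High-risk operation $op at subscription scope"
  if [ "$DRY_RUN" = "1" ]; then
    for arg in "$@"; do printf "'%s' " "$arg"; done; echo
  else
    "$@"
  fi
}

# Create the shared action group once (e-mail receiver), then one rule per operation.
if [ "$DRY_RUN" != "1" ]; then
  az monitor action-group create --name "$ACTION_GROUP" --resource-group "$RESOURCE_GROUP" \
    --short-name secalert --action email oncall "$ALERT_EMAIL"
fi
for op in $HIGH_RISK_OPERATIONS; do
  create_alert "$op"
done
```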
3. Enforce Entra ID for everything — kill local admin habits
Disable subscription-level "classic administrators" if anything is still using them. Move all human access to Entra ID groups, then to roles via PIM (more on PIM in a separate post).
4. Turn on diagnostic settings to a Log Analytics workspace
Create a single workspace, name it predictably (e.g. law-platform-prod), and route the Activity Log there. Later, route resource diagnostics there too. You don't need to do anything with the data yet — just make sure it's flowing. You'll thank yourself the first time you have to investigate something.
5. Apply baseline Azure Policy assignments
At minimum:
- Allowed locations — pin to your data residency.
- Audit VMs without managed disks — flag old patterns.
- Require diagnostic settings on resources — so #4 actually catches everything.
- Inherit tags from resource group — cost-attribution sanity later.
The built-in Azure Security Benchmark initiative is a solid one to assign in audit mode at minimum.
6. Lock down NSG defaults
A new subscription doesn't have NSGs, but the moment someone deploys a VM, an NSG appears with a permissive default. Add an Azure Policy that denies inbound RDP/SSH rules whose source is * or Internet, and force that traffic through Bastion or a VPN instead.
7. Force HTTPS-only and TLS 1.2+ on App Services and Storage
Two policies:
- Storage accounts should require secure transfer
- Function apps and App Services should only be accessible over HTTPS
Both are deny-effect policies. Both should be on.
8. Set a budget and a cost alert
Cost Management → Budgets. Set one at the subscription level for whatever number you don't want to wake up to. Configure email alerts at 50% and 90%. This isn't security, but it prevents the most common Azure incident: surprise bills.
9. Configure Conditional Access (at the tenant level)
If you don't already have Conditional Access policies, get a baseline in:
- Block legacy authentication.
- Require MFA for all users (or at minimum, all admins).
- Block sign-ins from countries you don't operate in.
This is tenant-wide, not subscription-specific, but it's pointless to harden Azure if attackers can phish their way in via Entra ID.
10. Document everything in a subscription-baseline.md in your repo
I keep a markdown file in our IaC repo that lists every single setting on this list, who applied it, and the date. Future-you will need this when audit season comes around.
That's the checklist. None of these are clever — but together they raise the floor enough that the next 50 things you deploy aren't sitting on quicksand.