Azure Landing Zone Security Checklist

If you’re interested in learning how to build a complete enterprise Azure Landing Zone Framework, this is covered in detail here: Mastering Azure Landing Zone Framework Enterprise Architecture

1. Identity and Access Management

  1. Use Microsoft Entra ID as the central identity provider
  2. Enforce Multi-Factor Authentication for all users and administrators, and require phishing-resistant methods (FIDO2 security keys, passkeys, certificate-based authentication) for privileged roles
  3. Implement Role-Based Access Control with least privilege
  4. Use Privileged Identity Management for elevated roles
  5. Avoid standing Global Administrator assignments: make admin roles PIM-eligible and keep only a small set of emergency-access (break-glass) accounts permanently assigned, excluded from Conditional Access and alerted on every sign-in
  6. Implement Conditional Access policies
  7. Regularly review access assignments and remove unused identities

2. Management Groups and Subscription Design

  1. Use Management Groups for hierarchical governance
  2. Separate subscriptions by environment (Prod, Dev, Test)
  3. Apply policies at Management Group level
  4. Restrict access at root and top-level groups
  5. Use dedicated subscriptions for identity and security services
  6. Standardize subscription naming and tagging
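As an added example (not part of the original checklist), the hierarchy this section describes can be deployed declaratively. The Bicep below runs at tenant scope and creates the Cloud Adoption Framework style tree: a company root, then platform (identity, management, connectivity), landing zones (corp, online) and sandbox, and finally places the identity subscription under its dedicated group. The `mg-contoso` prefix, the display names and the subscription ID parameter are assumptions chosen for illustration.

```bicep
// Added example, not part of the original checklist: CAF-style management group
// hierarchy deployed with Bicep at tenant scope. The 'mg-contoso' prefix, display
// names and the subscription ID parameter are assumptions.
targetScope = 'tenant'

param prefix string = 'mg-contoso'
@description('Subscription that will host identity services (e.g. domain controllers).')
param identitySubscriptionId string

// Company root directly under the Tenant Root Group. Keep role assignments here and on
// the Tenant Root Group to a minimum: Owner here is effectively Owner everywhere below.
resource root 'Microsoft.Management/managementGroups@2023-04-01' = {
  name: prefix
  properties: { displayName: 'Contoso' }
}

// Second level: shared platform services, application landing zones, and sandboxes.
resource platform 'Microsoft.Management/managementGroups@2023-04-01' = {
  name: '${prefix}-platform'
  properties: { displayName: 'Platform', details: { parent: { id: root.id } } }
}

resource landingZones 'Microsoft.Management/managementGroups@2023-04-01' = {
  name: '${prefix}-landingzones'
  properties: { displayName: 'Landing zones', details: { parent: { id: root.id } } }
}

resource sandbox 'Microsoft.Management/managementGroups@2023-04-01' = {
  name: '${prefix}-sandbox'
  properties: { displayName: 'Sandbox', details: { parent: { id: root.id } } }
}

// Dedicated groups (each backed by its own subscription) for identity, management and
// connectivity, so the most sensitive platform services get their own policy scope.
var platformChildren = [ 'identity', 'management', 'connectivity' ]
resource platformMgs 'Microsoft.Management/managementGroups@2023-04-01' = [for child in platformChildren: {
  name: '${prefix}-${child}'
  properties: { displayName: child, details: { parent: { id: platform.id } } }
}]

// Corp (hybrid-connected) and online (internet-facing) application landing zones.
var lzChildren = [ 'corp', 'online' ]
resource lzMgs 'Microsoft.Management/managementGroups@2023-04-01' = [for child in lzChildren: {
  name: '${prefix}-${child}'
  properties: { displayName: child, details: { parent: { id: landingZones.id } } }
}]

// Move the identity subscription under mg-contoso-identity (index 0 of platformChildren).
// Policies assigned at that group, or at any ancestor, then apply to it automatically.
resource identitySub 'Microsoft.Management/managementGroups/subscriptions@2023-04-01' = {
  parent: platformMgs[0]
  name: identitySubscriptionId
}
```

Deploy with `az deployment tenant create --location <region> --template-file mg.bicep --parameters identitySubscriptionId=<guid>`. Creating management groups under the Tenant Root Group requires the deploying identity to hold a role at the root scope (`/`), which a Global Administrator obtains by elevating access and then granting themselves Owner there; revoke that elevation once the hierarchy exists.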

3. Network Security Architecture

  1. Implement hub-and-spoke topology
  2. Use centralized Azure Firewall in hub network
  3. Apply Network Security Groups for subnet protection
  4. Enable Azure DDoS Network Protection (formerly DDoS Protection Standard) on the hub and on any virtual network that hosts public IP addresses
  5. Use private endpoints for PaaS services
  6. Avoid exposing services directly to the internet
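The following Bicep is an added example (not part of the original checklist) that wires items 1 through 4 together at resource-group scope: a hub with Azure Firewall and a DDoS plan, a spoke whose default route sends all egress through the firewall, an NSG on the workload subnet, and peering in both directions. Names, address ranges and the region are assumptions chosen for illustration.

```bicep
// Added example, not from the original checklist: a minimal hub-and-spoke layout in Bicep
// at resource-group scope. Names, address ranges and the region are assumptions.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param hubPrefix string = '10.0.0.0/16'
param spokePrefix string = '10.1.0.0/16'

// DDoS Network Protection plan, attached to the hub, which is where public IPs terminate.
resource ddos 'Microsoft.Network/ddosProtectionPlans@2023-09-01' = {
  name: 'ddos-platform'
  location: location
}

// Hub virtual network; 'AzureFirewallSubnet' is a fixed name required by Azure Firewall.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ hubPrefix ] }
    enableDdosProtection: true
    ddosProtectionPlan: { id: ddos.id }
    subnets: [ { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.0.0/26' } } ]
  }
}
var fwSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnet.name, 'AzureFirewallSubnet')

resource fwPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-fw-hub'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Firewall policy holds the rule collections; threatIntelMode 'Deny' drops known-bad IPs/FQDNs.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-09-01' = {
  name: 'fwpol-hub'
  location: location
  properties: { sku: { tier: 'Standard' }, threatIntelMode: 'Deny' }
}

resource fw 'Microsoft.Network/azureFirewalls@2023-09-01' = {
  name: 'fw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: fwPolicy.id }
    ipConfigurations: [
      { name: 'fw-ipconfig', properties: { subnet: { id: fwSubnetId }, publicIPAddress: { id: fwPip.id } } }
    ]
  }
}

// Spoke default route goes to the firewall's private IP, so all egress is inspected centrally.
resource rtSpoke 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-spoke-egress'
  location: location
  properties: {
    routes: [
      { name: 'default-via-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: fw.properties.ipConfigurations[0].properties.privateIPAddress } }
    ]
  }
}

// Subnet NSG: allow HTTPS from the hub range only; the explicit Internet deny at priority 4000
// also overrides any broad allow rule someone later adds with a higher (weaker) priority number.
resource nsgSpoke 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-spoke-workload'
  location: location
  properties: {
    securityRules: [
      { name: 'AllowHttpsFromHub', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: hubPrefix, sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '443' } }
      { name: 'DenyInternetInbound', properties: { priority: 4000, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: 'Internet', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-spoke-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ spokePrefix ] }
    subnets: [
      { name: 'snet-workload', properties: { addressPrefix: '10.1.0.0/24', networkSecurityGroup: { id: nsgSpoke.id }, routeTable: { id: rtSpoke.id } } }
    ]
  }
}

// Peer both ways; allowForwardedTraffic lets packets the firewall forwards cross the peering.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-09-01' = {
  parent: hubVnet
  name: 'peer-hub-to-spoke-app'
  properties: { remoteVirtualNetwork: { id: spokeVnet.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true }
}

resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-09-01' = {
  parent: spokeVnet
  name: 'peer-spoke-app-to-hub'
  properties: { remoteVirtualNetwork: { id: hubVnet.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file hub-spoke.bicep`. Two things to verify after deployment: `az network nic show-effective-route-table` on a VM in the spoke should show `0.0.0.0/0` with next hop type `VirtualAppliance` and the firewall's private IP, and the firewall policy must contain at least one network or application rule collection, because with none present the firewall drops all traffic and the spoke has no Internet egress at all. Private endpoints for PaaS services (item 5) go into the spoke subnets with their DNS zones linked to the hub, so that traffic never leaves the private address space.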

4. Platform Security and Baselines

  1. Use Azure Policy to enforce security baselines
  2. Assign built-in initiatives such as the Microsoft cloud security benchmark or the CIS Microsoft Azure Foundations Benchmark, together with the Azure landing zone (CAF) policy set
  3. Deny non-compliant resource deployments
  4. Standardize configurations across subscriptions
  5. Continuously evaluate compliance

5. Resource Organization and Tagging

  1. Enforce tagging policies (owner, environment, cost center)
  2. Use naming conventions for all resources
  3. Group resources logically
  4. Apply consistent governance standards
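The tag enforcement in this section and the deny-on-deployment and management-group assignment points in sections 2 and 4 can be expressed in one Bicep file. The block below is an added example (not part of the original checklist): two custom policy definitions, an initiative that references the tag policy once per required tag, and a deny-mode assignment at management-group scope. The tag names, policy names and the target group `mg-contoso-corp` are assumptions.

```bicep
// Added example, not part of the original checklist: custom Azure Policy definitions,
// an initiative and a deny-mode assignment, deployed with Bicep at management-group
// scope. The tag names, policy names and the target group 'mg-contoso-corp' are
// assumptions.
targetScope = 'managementGroup'

param requiredTags array = [ 'owner', 'environment', 'costCenter' ]

// Policy 1: deny any taggable resource that arrives without the named tag. The field
// is an ARM expression string that Policy evaluates at assignment time; Bicep escapes
// the leading '[' for you when it compiles to JSON.
resource requireTag 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'lz-deny-missing-tag'
  properties: {
    displayName: 'Deny resources missing a required tag'
    policyType: 'Custom'
    mode: 'Indexed' // only resource types that support tags and location
    parameters: { tagName: { type: 'String', metadata: { displayName: 'Tag name' } } }
    policyRule: {
      if: { field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]', exists: 'false' }
      then: { effect: 'deny' }
    }
  }
}

// Policy 2: no public IP addresses in corp landing zones. Internet ingress belongs in
// the connectivity subscription (firewall / application gateway), which sits under a
// different management group and is therefore outside this assignment's scope.
resource denyPublicIp 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'lz-deny-public-ip'
  properties: {
    displayName: 'Deny creation of public IP addresses'
    policyType: 'Custom'
    mode: 'All'
    policyRule: {
      if: { field: 'type', equals: 'Microsoft.Network/publicIPAddresses' }
      then: { effect: 'deny' }
    }
  }
}

// Initiative: one reference to the tag policy per required tag, plus the public-IP policy.
var tagRefs = [for tag in requiredTags: {
  policyDefinitionId: requireTag.id
  policyDefinitionReferenceId: 'require-tag-${tag}'
  parameters: { tagName: { value: tag } }
}]

resource baseline 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
  name: 'lz-baseline'
  properties: {
    displayName: 'Landing zone baseline'
    policyType: 'Custom'
    policyDefinitions: concat(tagRefs, [
      { policyDefinitionId: denyPublicIp.id, policyDefinitionReferenceId: 'deny-public-ip' }
    ])
  }
}

// Assignment at the management group: every existing and future subscription beneath it
// inherits the baseline. Start with enforcementMode 'DoNotEnforce' to see what would be
// blocked in the compliance view, then switch to 'Default' to actually deny.
resource assignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'lz-baseline'
  properties: {
    displayName: 'Landing zone baseline'
    policyDefinitionId: baseline.id
    enforcementMode: 'Default'
    nonComplianceMessages: [
      { message: 'Blocked by the landing zone baseline: add the owner, environment and costCenter tags, and do not create public IPs in corp landing zones.' }
    ]
  }
}
```

Deploy with `az deployment mg create --management-group-id mg-contoso-corp --location <region> --template-file policy.bicep`. Deny effects only apply to create and update requests, so resources that already exist without the tags show up as non-compliant but are not touched; use a `modify` effect (with a managed identity on the assignment) if existing resources should be remediated, and remember that deny policies evaluated at the root of the hierarchy also block the platform team's own deployments unless an exemption is created.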

6. Logging, Monitoring, and SIEM

  1. Enable diagnostic settings on every resource that supports them, preferably through a DeployIfNotExists policy so that newly created resources are covered automatically
  2. Centralize logs in Log Analytics workspace
  3. Integrate with Microsoft Sentinel
  4. Export the subscription Activity Log (Administrative, Security, Policy and Alert categories at minimum) to the central workspace; the platform collects it by default but keeps only 90 days unless it is exported
  5. Set alerts for security and operational events
  6. Retain logs based on compliance requirements
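As an added example (not part of the original checklist), the Bicep below deploys the central workspace with a compliance-driven retention setting, an action group for the SOC, and a scheduled-query alert whose KQL fires whenever an RBAC role assignment is created or deleted in the Activity Log. Resource names, the 365-day retention figure and the mailbox address are assumptions.

```bicep
// Added example, not part of the original checklist: central Log Analytics workspace
// with compliance-driven retention, an action group, and a scheduled-query alert on
// RBAC role assignment changes. Names, the retention figure and the mailbox are
// assumptions.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
@description('Interactive retention in days; set this from your compliance requirements.')
param retentionDays int = 365

resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: 'law-platform-security'
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: retentionDays
    // Disables shared-key access: Azure Monitor Agent authenticates with managed identity,
    // so only legacy agents that still use workspace keys are affected.
    features: { disableLocalAuth: true }
  }
}

resource secOps 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'ag-secops'
  location: 'global'
  properties: {
    groupShortName: 'secops'
    enabled: true
    emailReceivers: [ { name: 'secops-mailbox', emailAddress: 'secops@example.com', useCommonAlertSchema: true } ]
  }
}

// KQL detection: successful role assignment create/delete events in the Activity Log.
// A new Owner or User Access Administrator grant is a common persistence step, so the
// caller and source IP are projected for triage.
var roleChangeQuery = '''
AzureActivity
| where CategoryValue == "Administrative"
| where OperationNameValue in~ ("Microsoft.Authorization/roleAssignments/write", "Microsoft.Authorization/roleAssignments/delete")
| where ActivityStatusValue =~ "Success"
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, _ResourceId
'''

resource roleChangeAlert 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
  name: 'alert-rbac-role-assignment-change'
  location: location
  properties: {
    displayName: 'RBAC role assignment created or deleted'
    description: 'Review the caller; unexpected Owner or User Access Administrator grants need immediate follow-up.'
    severity: 1
    enabled: true
    scopes: [ law.id ]
    evaluationFrequency: 'PT5M'
    windowSize: 'PT5M'
    criteria: {
      allOf: [
        { query: roleChangeQuery, timeAggregation: 'Count', operator: 'GreaterThan', threshold: 0 }
      ]
    }
    autoMitigate: false
    actions: { actionGroups: [ secOps.id ] }
  }
}
```

The alert only has data to query once the Activity Log of each subscription is exported to this workspace, which is a subscription-scoped diagnostic setting (`az monitor diagnostic-settings subscription create`) rather than a resource-group deployment, and is best enforced with policy so new subscriptions are not missed. Onboarding the same workspace to Microsoft Sentinel (item 3) turns the query above into an analytics rule with incident creation and entity mapping instead of an e-mail.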

7. Threat Protection and Microsoft Defender for Cloud (formerly Azure Security Center)

  1. Enable Microsoft Defender for Cloud
  2. Review Secure Score regularly
  3. Enable the Defender plans (servers, storage, Key Vault, databases, containers, App Service) in every subscription that uses those services
  4. Monitor recommendations and remediate issues
  5. Detect suspicious activities and anomalies

8. Data Protection and Encryption

  1. Enforce encryption at rest and in transit
  2. Use customer-managed keys where required
  3. Store secrets in Azure Key Vault
  4. Enable disk encryption for VMs (Azure Disk Encryption or encryption at host); storage service encryption is on by default, so for storage accounts focus on enforcing HTTPS-only, a TLS 1.2 minimum and disabled public blob access
  5. Classify and protect sensitive data
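The following Bicep is an added example (not part of the original checklist) covering items 1 through 4: a Key Vault hardened with RBAC authorization, purge protection and a default-deny firewall, a customer-managed key with an automatic rotation policy, and a storage account that encrypts with that key through a user-assigned managed identity while enforcing HTTPS, TLS 1.2 and no public or shared-key access. Resource names are assumptions; the role definition GUID is the built-in "Key Vault Crypto Service Encryption User" role.

```bicep
// Added example, not part of the original checklist: hardened Key Vault, a
// customer-managed key, and a storage account encrypted with it via a user-assigned
// identity. Names are assumptions; the role ID is the built-in
// "Key Vault Crypto Service Encryption User" role.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param vaultName string = 'kv-lz-${uniqueString(resourceGroup().id)}'
param storageName string = 'stlz${uniqueString(resourceGroup().id)}'

var cryptoServiceEncryptionUser = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true  // data-plane access via Azure RBAC instead of access policies
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true    // required for CMK; deleted keys cannot be purged early
    // Default deny with the trusted-services bypass so Storage can reach the key; human and
    // application clients should come in over a private endpoint (not shown here).
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' }
  }
}

// 3072-bit RSA key that Key Vault rotates automatically 30 days before each expiry.
resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: 'storage-cmk'
  properties: {
    kty: 'RSA'
    keySize: 3072
    rotationPolicy: {
      attributes: { expiryTime: 'P1Y' }
      lifetimeActions: [ { trigger: { timeBeforeExpiry: 'P30D' }, action: { type: 'Rotate' } } ]
    }
  }
}

resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-storage-cmk'
  location: location
}

// Least privilege: the identity may only wrap/unwrap with keys, nothing else in the vault.
resource kvRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, cryptoServiceEncryptionUser)
  scope: kv
  properties: {
    roleDefinitionId: cryptoServiceEncryptionUser
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource st 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_ZRS' }
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${uami.id}': {} } }
  dependsOn: [ kvRole ] // the identity must be able to unwrap the key before the account is created
  properties: {
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    allowSharedKeyAccess: false   // Entra ID authorization only; no account keys to leak
    publicNetworkAccess: 'Disabled'
    encryption: {
      keySource: 'Microsoft.Keyvault'
      identity: { userAssignedIdentity: uami.id }
      // No key version is pinned, so Storage picks up each rotated version automatically.
      keyvaultproperties: { keyname: cmk.name, keyvaulturi: kv.properties.vaultUri }
      services: { blob: { enabled: true }, file: { enabled: true } }
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file cmk-storage.bicep`. Because purge protection is enabled, the vault cannot be deleted and recreated quickly in a test loop; that is the intended behaviour, since losing the key means losing every byte encrypted with it, so treat vault deletion as a change-managed operation.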

9. Governance and Compliance

  1. Use Azure Policy for governance; Azure Blueprints is deprecated (retirement scheduled for July 2026), so use template specs and deployment stacks for repeatable environment deployments
  2. Implement compliance frameworks (ISO, NIST, CIS)
  3. Conduct regular audits
  4. Maintain documentation of configurations
  5. Implement change management processes

10. Connectivity and Hybrid Security

  1. Secure VPN and ExpressRoute connections
  2. Restrict hybrid network access
  3. Monitor connectivity and traffic
  4. Validate both cloud and on-prem security posture
  5. Use firewalls for traffic inspection

11. Backup and Disaster Recovery

  1. Implement Azure Backup across workloads
  2. Use Azure Site Recovery for DR
  3. Test recovery procedures regularly
  4. Maintain backup retention policies
  5. Ensure geo-redundancy where required

12. DevOps and Deployment Security

  1. Secure CI/CD pipelines (protected branches, signed commits, pinned and reviewed pipeline dependencies)
  2. Authenticate pipelines with workload identity federation (OIDC) or managed identities on self-hosted agents instead of long-lived service principal secrets
  3. Avoid storing secrets in code; pull them from Key Vault at run time and block commits with secret scanning
  4. Implement approval workflows for production deployments
  5. Scan templates and code for vulnerabilities (IaC scanners such as PSRule for Azure or Checkov, plus dependency and secret scanning)

13. Continuous Security Operations

  1. Perform regular security posture assessments
  2. Continuously monitor resource activity
  3. Audit configurations periodically
  4. Update policies based on evolving threats
  5. Validate compliance regularly
  6. Maintain documentation and runbooks

Always use best practices. Never assume trust. Always verify access. Security is not static and must be continuously monitored, reviewed, and improved.
