1. Home
  2. Training Library
  3. Microsoft Azure
  4. Courses
  5. Microsoft Azure Security Solutions

Monitoring and Auditing


Course Introduction
Course Conclusion
Start course
1h 32m

*** Please note: An updated version of this course is available here. ***


Security is a critical concern for anyone who uses the cloud. Microsoft takes this seriously and built and operates the Azure Platform with security as a key principle. Microsoft secures data centers, and management applications; and provides pay-as-you-go security services. Learn how to take advantage of these security features and services to enable strong security practices in your organization and to protect and secure your own cloud applications.

This course is for security engineers, chief security officers, solution architects, information technologists or anyone wanting to understand security options within the Azure platform.
Viewers should have a basic understanding of cyber security, authentication and authorization best practices, and encryption. Some familiarity with the Azure platform will also be helpful but is not required.

Learning Objectives


  • Understand the shared responsibility model
  • Learn how to secure Azure resources such as virtual machines and storage accounts
  • Learn how to secure your Azure-based applications
  • Learn how to monitor your Azure resources with Azure Security Center


Welcome and Introduction: A brief introduction to the course and an overview of what Bill and Maura will be covering.

Shared Responsibility: In this lesson we'll cover Cyber Security, using CIA Principle: Confidentiality – Integrity. Availability; what security professionals do to ensure the parts of CIA: Prevent – Detect – Respond.
Microsoft’s responsibilities and their own security/compliance processes. What a customer is responsible for. And finally the tools that Azure provides, including AAD, Encryption, secure networking

Protecting Accounts: In this lesson we'll cover Azure Active Directory, and Mult-Factor Authorization.

Securing the Azure Portal: In this lesson we'll cover role-based access control.

Indentity Management for Apps: In this lesson we'll cover AAD protection and integration for business Apps.

Network Security: In this lesson we'll cover Virtual Private Networks and firewalls.

Data Security: In this lesson we'll cover Encryption and Masking.

Secrets Management: In this lesson we'll cover Key Vault and Shared Access Signatures.

Monitoring and Audting: In this lesson we'll discuss the Azure Security Center.

Course Conclusion: Course Wrap-Up


In this lecture we review the Azure services for security monitoring and auditing. Recall that in our security practices, we want to prevent, detect, and respond to security threats. Monitoring and auditing are techniques for detecting. With adequate monitoring of our infrastructure, we can detect possible scenarios which could lead to security breaches such as virtual machines needing security patches. Azure provides several portal features that help us here. Let's start with Azure Security Center, then we'll mention a couple of others briefly.

Generally speaking, Azure Security Center provides two types of services, configuration analysis and a more advanced threat monitoring. With configuration analysis, Azure Security Center reviews the configuration of our existing resources, and recommends additional security measures offered by the platform. Recalling that cloud security is a shared responsibility between Azure and your organization, Azure Security Center also helps you keep up with your side of the responsibilities. You can think of Azure Security Center as a service that reminds us to use the types of Azure security features we've discussed in this course. For example, Azure Security Center might provide virtual machine recommendations such as to apply missing operating systems patches, or install anti-malware software, or enable a firewall. It may provide network recommendations, such as to add a network security group firewall.

And there may be data storage recommendations, such as turning on auditing in Azure's SQL database, or turning on transparent data encryption, or turning on at rest encryption for Azure storage, and there are many more. The recommendations can usually be acted on right there within the Azure Security Center portal. For example with a couple of mouse clicks you can install anti-malware software on a virtual machine, or enable encryption at rest for storage. You may not want to accept all of the recommendations. You can dismiss recommendations individually, or set policies governing which recommendations are interesting to your organization. Further, while the core experience and features are Microsoft first party services, they've done a nice job of integrating third party services into the experience as well. You will see first party and third party solution recommendations. While they are out of scope for this course, there are quite a few third party security offerings worth considering. The configuration analysis features are currently offered for free in the basic tier, though some of the recommendations would cost money to accept. For example if you added a third party web application firewall, that would not be free. In addition to the basic tier configuration analysis, Azure Security Center also offers more advanced threat detection with their standard tier.

Some of this is offered through VM agents. Some of the detections that you might find are alerts when a virtual machine is communicating with a suspected malware server, an alert when Azure's SQL database detects a potential SQL injection attack pattern, or an alert when malware is detected on a virtual machine.

Let's go have a look at Azure Security Center in the portal. Here we are back in Azure portal, let's go to Azure Security Center. We have not configured Azure Security Center yet, but already it's doing some work for us. First we'll take the advice here and turn on Azure Security Center standard features. To turn it on, we select our subscription, we turn on Data collection, we'll automatically create a storage account per region. We'll keep the default prevention policies. We'll turn on all email notifications. And we'll start with the Standard tier 60-day Free Trial. Save. So we just asked Azure to enable the Azure Security Center standard tier.

This will add the advanced threat detection capabilities. But it's already gone and done some static analysis, and it has some suggestions. Let's have a look at those. Let's click on the donut to see specific recommendations. The first two are marked as resolved. That's because we enabled the standard tier Azure Security Center capability. The next one suggests we Add a Next Generation Firewall. I'll skip that recommendation. Let's go on to the next one. Enable Network Security Groups on subnets. Let's check out the subnet, let's create a new network security group, go back to our list, Enable Auditing & Threat detection on SQL servers. There are three listed here, these are all Azure SQL database servers, so let's click on the first one, we'll turn on Auditing, we'll turn on Threat Detection. We'll send alerts to this email address, and hit save. Let's go to the second one, give it the same treatment, now we'll do the same one for the third. Moving right along, the next recommendation is to Apply disk encryption.

This is for our Windows server 2008 virtual machine. There's not a one-click resolution here, so we'll skip this for now. Enable encryption for our Azure Storage Account. We see that there are a number of Azure Storage Accounts one of which is already resolved because we did this exercise earlier in this course. We can go through and enable encryption on these others. We've enabled encryption on these four storage accounts, this is marked as resolved. The next recommendation is to add a vulnerability assessment solution to our Windows 2008 virtual machine, we can select it here, and we can go through the installation process to add a Qualys agent. We'll skip that for now. Go back to the next recommendation, which is to Enable Transparent Data Encryption on our three SQL Azure databases. We've already done it on a fourth and we can go ahead and do it to these other three.

I've gone ahead and started the enablement process for transparent data encryption, so we'll go to the final security recommendation, this is to provide security contact details, and this is already resolved, because I provided an email address and a telephone number. There you have it, that should give you an idea of the kinds of recommendations and the ease with which you can resolve most of them, available through Azure's Security Center. We see that we're left with three recommendations we can go back into the donut and we can choose to ignore these. You may not want to ignore them, but just to show the process I can hit dismiss. At least now you know how you can dismiss a specific recommendation.

Two more quick comments before we leave the Azure Security Center. One is this Log Integration option allows exporting data to an external SIM, a security incident in event management system. And finally you can also view the Azure Security Center data through Power BI. As you probably realize, Azure Security Center focuses on protecting Azure resources. But it's not the only service within Azure, relevant for security monitoring and analysis. For native Azure services, the first party Microsoft services offered in Azure. Azure Security Center is still typically the best resource, but in other circumstances other services may add more value. For example, OMS can incorporate signals from other data sources such as on premises systems, other clouds and third party services running within your Azure subscription such as firewalls. These signals are not available in Azure Security Center. So OMS adds unique value there. OMS also nicely supports searching through the logged events including for example some possibly security related events such as those gathered from Windows server event logs.

Azure Monitor is another service worth mentioning. The Azure monitoring blade in the portal can be useful when analyzing issues to see general health, but will unlikely be your first stop for security related analysis. Before we leave this lecture, let's point out a couple of additional resources. Here's a good overview of both Azure Security Services for Monitoring and Alerting (https://blogs.msdn.microsoft.com/cloud_solution_architect/2016/02/20/monitoring-and-alerting-in-azure/), and another good overview for Azure Monitoring and Diagnostics (https://docs.microsoft.com/en-us/azure/azure-monitor/).

About the Author

Bill Wilder is a hands-on architect currently focused on building cloud-native solutions on the Microsoft Azure cloud platform. Bill is CTO at Finomial which provides SaaS solutions to the global hedge fund industry from the cloud, co-founded Development Partners Software in 1999, and has broad industry experience with companies of all sizes – from modest startups to giant enterprises. Bill has been leading the Boston Azure group since founding it in 2009, has been recognized as a Microsoft MVP for Azure since 2010, and is author of Cloud Architecture Patterns (O’Reilly Media, 2012). He speaks frequently at community events, and occasionally at conferences, usually on topics relating to cloud, cybersecurity, and software architecture.