Securing Microsoft Azure Workloads Against Modern Threats

Azure has quietly become the default cloud for a huge slice of UK business, and attackers have noticed. Where five years ago an opportunistic intruder might have phished credentials and gone hunting for file shares, today they head straight for the Azure portal. Once they are in, the consequences spread quickly: privilege escalation through misconfigured roles, data exfiltration from storage accounts, and persistence that survives password resets, such as a credential quietly added to an existing service principal. Hardening Azure properly takes more than turning on Microsoft Defender for Cloud.

Identity Is the New Perimeter

Network boundaries matter less in the cloud. Identity does most of the heavy lifting, which means Entra ID, formerly Azure AD, is the real battleground. Conditional access policies, sensible MFA, blocked legacy protocols, and tight control over privileged accounts make a far bigger difference than any firewall rule. Yet many tenants still allow legacy authentication for a handful of forgotten apps, even though protocols such as IMAP, POP and SMTP AUTH cannot prompt for MFA and a conditional access policy can only block them outright. Global admin counts sit in double digits when Microsoft's own guidance is fewer than five, and Owner is granted where Contributor would be enough, overlooking that Owner carries the role-assignment right (Microsoft.Authorization/*/write) that lets a compromised account grant itself whatever it lacks. Each shortcut becomes someone's stepping stone.
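The three checks above (broad Owner assignments, Global Administrator headcount, and users still arriving over legacy protocols) are mechanical enough to script against exported data. The following is an added example written for this article, not code from the page or from Aardwolf Security. The RBAC records copy the field names `az role assignment list` emits, the sign-in records use the real Entra sign-in field `clientAppUsed`, and the Global Administrator list is assumed to come from a directory-role membership export; all records, names and the five-admin threshold are constructed or assumed.

```python
"""Audit a tenant's privileged assignments from exported data.

Added example for this article, not Aardwolf Security's tooling. Every
record below is constructed; the field names follow `az role assignment
list` output and the Entra sign-in log.
"""
from typing import Dict, List, Tuple

# Constructed: Azure RBAC assignments, shaped like `az role assignment list` output.
ROLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-prod"},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-prod"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/sub-prod/resourceGroups/rg-web"},
    {"principalName": "web-mi", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-dev/resourceGroups/rg-web/providers/Microsoft.Web/sites/app1"},
]

# Constructed: members of the Global Administrator directory role.
GLOBAL_ADMINS = [f"admin{i:02d}@contoso.example" for i in range(12)]

# Constructed: Entra sign-in records. `clientAppUsed` is the real field name;
# anything other than these two values is a legacy protocol that cannot do MFA.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
SIGN_INS = [
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Browser"},
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "dave@contoso.example", "clientAppUsed": "Exchange ActiveSync"},
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "IMAP4"},
]

# Roles that carry Microsoft.Authorization/*/write and so let the holder grant more.
ROLE_ASSIGNING_ROLES = {"Owner", "User Access Administrator"}
MAX_GLOBAL_ADMINS = 5  # Assumed threshold, matching Microsoft's "fewer than five" guidance.


def is_broad_scope(scope: str) -> bool:
    """True for tenant root, management-group and subscription-level scopes."""
    parts = scope.strip("/").split("/")
    if scope == "/" or parts[:2] == ["providers", "Microsoft.Management"]:
        return True
    return parts[0] == "subscriptions" and len(parts) == 2


def broad_role_assigners(assignments: List[Dict]) -> List[Tuple[str, str]]:
    """Principals able to assign roles across a whole subscription or above."""
    return sorted(
        (a["principalName"], a["scope"])
        for a in assignments
        if a["roleDefinitionName"] in ROLE_ASSIGNING_ROLES and is_broad_scope(a["scope"])
    )


def legacy_auth_users(sign_ins: List[Dict]) -> Dict[str, set]:
    """Map each user seen on a legacy protocol to the protocols they used."""
    seen: Dict[str, set] = {}
    for s in sign_ins:
        if s["clientAppUsed"] not in MODERN_CLIENTS:
            seen.setdefault(s["userPrincipalName"], set()).add(s["clientAppUsed"])
    return seen


def review(assignments: List[Dict], global_admins: List[str], sign_ins: List[Dict]) -> Dict[str, object]:
    """Collect the findings a tenant review should surface."""
    return {
        "broad_role_assigners": broad_role_assigners(assignments),
        "global_admin_count": len(global_admins),
        "too_many_global_admins": len(global_admins) > MAX_GLOBAL_ADMINS,
        "legacy_auth_users": legacy_auth_users(sign_ins),
    }


if __name__ == "__main__":
    for key, value in review(ROLE_ASSIGNMENTS, GLOBAL_ADMINS, SIGN_INS).items():
        print(f"{key}: {value}")
```

Run it against real exports by replacing the three constructed lists with the parsed JSON. The scope test deliberately treats a resource-level Owner as a lesser finding than a subscription-level one; the `web-mi` identity still deserves a look, but it cannot grant itself rights outside that one app.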

Storage Accounts Keep Leaking

Public blob containers continue to feature in breach reports despite Microsoft's best efforts. Defaults have improved (new storage accounts now disallow anonymous blob access unless it is explicitly enabled), but historical containers, third-party integrations, and developers chasing convenience still expose data they meant to keep private. Even where containers are properly locked down, shared access signatures with overly long expiry windows and excessive permissions create their own risks, and a SAS signed with the account key cannot be revoked on its own: short of rotating the key, it is valid until it expires, which is why stored access policies or user delegation SAS are preferable for anything long-lived. Strong Azure penetration testing programmes test the storage layer specifically, including the SAS URLs your applications hand out to clients.
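A tester reviewing the SAS URLs an application issues is checking a short list of query parameters. The following is an added example for this article, not code from the page or from Aardwolf Security: the parameter names (`se`, `sp`, `spr`, `sip`, `ss`, `sig`) are the real Azure Storage SAS parameters, while the two URLs, the placeholder signatures and the one-day lifetime limit are constructed or assumed.

```python
"""Assess shared access signature URLs an application hands to clients.

Added example for this article, not the page's or Aardwolf Security's code.
SAS parameter names are real; the sample URLs and the lifetime limit are
constructed or assumed.
"""
from datetime import datetime, timedelta, timezone
from typing import List
from urllib.parse import parse_qs, urlparse

MAX_LIFETIME = timedelta(days=1)  # Assumed policy: client-facing SAS should be short-lived.
READ_ONLY_PERMS = set("rl")       # r = read, l = list; any other letter adds write/delete rights.


def _parse_expiry(value: str) -> datetime:
    """Parse the `se` parameter (ISO 8601, optionally date-only) as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def assess_sas(url: str, now: datetime) -> List[str]:
    """Return findings for one SAS URL; an empty list means it passes the checks."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in params:
        return ["not a SAS URL (no sig parameter)"]
    findings = []
    if "ss" in params:
        # Account SAS spans whole services; a service or user-delegation SAS is narrower.
        findings.append(f"account SAS covering services {params['ss']!r}")
    if "se" not in params:
        findings.append("no expiry (se) set")
    else:
        lifetime = _parse_expiry(params["se"]) - now
        if lifetime > MAX_LIFETIME:
            findings.append(f"expiry {lifetime.days} days out exceeds {MAX_LIFETIME.days}-day limit")
        elif lifetime <= timedelta(0):
            findings.append("already expired")  # harmless, but suggests stale tokens are reused
    extra = set(params.get("sp", "")) - READ_ONLY_PERMS
    if extra:
        findings.append(f"permissions beyond read/list: {''.join(sorted(extra))}")
    # When spr is omitted the service accepts both HTTP and HTTPS.
    if "http" in params.get("spr", "https,http").split(","):
        findings.append("plain HTTP allowed (spr); token can be captured in transit")
    if "sip" not in params:
        findings.append("no source IP restriction (sip)")
    return findings


# Constructed sample URLs; the signatures are placeholders, not real HMACs.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
LEAKY_SAS = (
    "https://prodstore.blob.core.windows.net/invoices/2024.pdf"
    "?sv=2022-11-02&sr=b&sp=racwdl&se=2035-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER"
)
TIGHT_SAS = (
    "https://prodstore.blob.core.windows.net/invoices/2024.pdf"
    "?sv=2022-11-02&sr=b&sp=r&se=2025-01-15T13:00:00Z&spr=https"
    "&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER"
)

if __name__ == "__main__":
    for label, url in (("leaky", LEAKY_SAS), ("tight", TIGHT_SAS)):
        print(label, assess_sas(url, NOW) or "no findings")
```

The leaky URL is the pattern that turns up in real assessments: ten years of validity, read, add, create, write, delete and list on the blob, plain HTTP permitted and no source restriction. The tight one expires in an hour, is read-only, HTTPS-only and bound to a client range. Feed the function the URLs captured from your application's responses rather than hand-typed ones; the interesting findings are usually in code paths nobody remembers writing.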

Expert Commentary

Name: William Fieldhouse

Title: Director of Aardwolf Security Ltd

Comments: Almost every Azure assessment I run uncovers at least one over-permissioned managed identity or service principal. They are easy to miss because they get created during deployment scripts, granted broad rights for convenience, and never reviewed. An attacker who phishes a developer account often inherits those identities by proxy.

Network Controls Still Matter


Identity does not eliminate the need for network thinking. Private endpoints, network security groups, and proper segmentation between subscriptions stop lateral movement when an attacker does get in. Forgetting to lock down management ports (RDP on 3389, SSH on 22, WinRM on 5985 and 5986) on legacy IaaS workloads remains one of the easiest ways to lose a tenant; an NSG rule that allows them from the Internet service tag or from any source is the usual culprit, and Azure Bastion or just-in-time VM access is the usual fix. So does relying on a single shared virtual network for production and development. Treat each environment as a separate blast radius and the impact of any single mistake stays contained.
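Checking for exposed management ports is a matter of walking each NSG's inbound rules in priority order, since Azure stops at the first match. The following is an added example for this article, not code from the page or from Aardwolf Security. The rule fields mirror what `az network nsg rule list` returns (`direction`, `access`, `priority`, `protocol`, `sourceAddressPrefix`/`sourceAddressPrefixes`, `destinationPortRange`/`destinationPortRanges`); the rules themselves, including the bastion-only SSH rule shown as the corrected form, are constructed.

```python
"""Flag NSG rules that expose management ports to the Internet.

Added example for this article, not the page's or Aardwolf Security's code.
Rule field names follow `az network nsg rule list`; the rules are constructed.
"""
from typing import Dict, List, Set

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/HTTPS"}
# Source prefixes that mean "anyone": the wildcard, the Internet service tag, 0.0.0.0/0.
OPEN_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Constructed rules for one NSG. Lower priority number wins in Azure; the
# platform also adds an implicit DenyAllInBound at 65500, shown here explicitly.
NSG_RULES = [
    {"name": "allow-rdp-anywhere", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-ssh-from-bastion", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.10.0.0/26", "destinationPortRange": "22"},
    {"name": "allow-web", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "allow-mgmt-range", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "5900-6000"},
    {"name": "deny-all-inbound", "priority": 4000, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _sources(rule: Dict) -> Set[str]:
    """Collect the singular or plural source prefix field into one set."""
    return set(rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")])


def _port_ranges(rule: Dict) -> List[range]:
    """Expand destinationPortRange / destinationPortRanges into Python ranges."""
    raw = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    out = []
    for item in raw:
        if item == "*":
            out.append(range(0, 65536))
        elif "-" in item:
            lo, hi = item.split("-", 1)
            out.append(range(int(lo), int(hi) + 1))
        else:
            out.append(range(int(item), int(item) + 1))
    return out


def exposed_management_ports(rules: List[Dict]) -> List[Dict]:
    """Management ports that an Internet-sourced TCP packet would reach.

    Rules are evaluated from the lowest priority number up and the first match
    decides, so a Deny from an open source shadows any later Allow, while an
    Allow restricted to a specific source (a bastion subnet) neither exposes
    the port nor protects it from a later open Allow.
    """
    ordered = sorted(rules, key=lambda r: r["priority"])
    findings = []
    for port, service in MANAGEMENT_PORTS.items():
        for rule in ordered:
            if rule["direction"] != "Inbound" or rule["protocol"] not in ("Tcp", "*"):
                continue
            if not (_sources(rule) & OPEN_SOURCES):
                continue  # restricted source: irrelevant to Internet reachability
            if not any(port in pr for pr in _port_ranges(rule)):
                continue
            if rule["access"] == "Allow":
                findings.append({"port": port, "service": service, "rule": rule["name"]})
            break  # first open-source rule covering the port decides
    return findings


if __name__ == "__main__":
    for f in exposed_management_ports(NSG_RULES):
        print(f"{f['service']} ({f['port']}/tcp) open to the Internet via rule {f['rule']}")
```

Note the `allow-mgmt-range` rule: nobody wrote "5985" anywhere, but a wide range opened for some VNC experiment quietly covers WinRM as well. Range rules and the `*` protocol are where these findings hide, which is why the check expands ranges rather than matching port strings.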

Logging That Actually Helps

Azure produces oceans of telemetry. Most of it sits unused, and Entra ID itself keeps sign-in and audit logs for only 30 days on a P1 or P2 licence (7 days on the free tier), so anything not exported is gone by the time an incident is noticed. The teams that detect intrusions early are the ones that ingest Entra sign-in logs and audit logs, plus the Microsoft 365 unified audit log for SharePoint and Exchange activity, into a SIEM with sensible alerting. Watch for impossible travel, unusual consent grants, mass downloads from SharePoint, and changes to conditional access policies. Test those alerts regularly, ideally during your assessment, to confirm they actually fire when the conditions are met.
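The four detections named above are simple enough to express directly, and writing them out is the quickest way to see what each one needs from the logs. The following is an added example for this article, not code from the page or from Aardwolf Security. Field names follow the Entra sign-in log (`userPrincipalName`, `createdDateTime`, `status.errorCode`, `location.geoCoordinates`), the Entra audit log (`activityDisplayName`) and the Microsoft 365 unified audit log (`Operation`, `UserId`, `CreationTime`); the audit records are flattened for brevity, and every event, coordinate and threshold is constructed or assumed.

```python
"""Run the article's four detections over constructed log records.

Added example for this article, not the page's or Aardwolf Security's code.
Field names follow the Entra and Microsoft 365 logs; all events, coordinates
and thresholds are constructed or assumed.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

MAX_SPEED_KMH = 900            # Assumed: faster than an airliner means impossible travel.
MASS_DOWNLOAD_THRESHOLD = 100  # Assumed: FileDownloaded events per user per clock hour.
CA_CHANGE_ACTIVITIES = {"Add conditional access policy",
                        "Update conditional access policy",
                        "Delete conditional access policy"}
CONSENT_ACTIVITIES = {"Consent to application"}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(sign_ins: List[Dict]) -> List[Dict]:
    """Consecutive successful sign-ins per user whose implied speed is unattainable."""
    by_user = defaultdict(list)
    for s in sign_ins:
        if s["status"]["errorCode"] == 0:  # failed sign-ins do not prove presence
            by_user[s["userPrincipalName"]].append(s)
    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda e: _ts(e["createdDateTime"]))
        for prev, cur in zip(events, events[1:]):
            p, c = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = _haversine_km((p["latitude"], p["longitude"]), (c["latitude"], c["longitude"]))
            hours = (_ts(cur["createdDateTime"]) - _ts(prev["createdDateTime"])).total_seconds() / 3600
            # Ignore geo-IP jitter inside one city; flag anything needing > MAX_SPEED_KMH.
            if km > 50 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                hits.append({"user": user, "km": round(km), "hours": round(hours, 2),
                             "from": prev["location"]["countryOrRegion"],
                             "to": cur["location"]["countryOrRegion"]})
    return hits


def entra_audit_alerts(audit: List[Dict]) -> Dict[str, List[Dict]]:
    """Conditional access edits and app consent grants from the Entra audit log."""
    out: Dict[str, List[Dict]] = {"conditional_access": [], "consent": []}
    for e in audit:
        name = e["activityDisplayName"]
        bucket = ("conditional_access" if name in CA_CHANGE_ACTIVITIES
                  else "consent" if name in CONSENT_ACTIVITIES else None)
        if bucket:
            out[bucket].append({"actor": e["initiatedBy"], "activity": name, "target": e["target"]})
    return out


def mass_downloads(m365_audit: List[Dict]) -> List[Dict]:
    """Users whose FileDownloaded count in any clock hour exceeds the threshold."""
    counts: Dict[tuple, int] = defaultdict(int)
    for e in m365_audit:
        if e["Operation"] == "FileDownloaded":
            hour = _ts(e["CreationTime"]).replace(minute=0, second=0, microsecond=0)
            counts[(e["UserId"], hour)] += 1
    return [{"user": u, "hour": h.isoformat(), "count": n}
            for (u, h), n in counts.items() if n > MASS_DOWNLOAD_THRESHOLD]


# Constructed samples. Coordinates are approximate city centres.
def _signin(user, when, country, lat, lon, error=0):
    return {"userPrincipalName": user, "createdDateTime": when, "status": {"errorCode": error},
            "location": {"countryOrRegion": country,
                         "geoCoordinates": {"latitude": lat, "longitude": lon}}}

SIGN_INS = [
    _signin("carol@contoso.example", "2025-01-15T09:00:00Z", "GB", 51.5074, -0.1278),
    _signin("carol@contoso.example", "2025-01-15T09:30:00Z", "NG", 6.5244, 3.3792),
    _signin("dave@contoso.example", "2025-01-15T08:00:00Z", "GB", 53.4808, -2.2426),
    _signin("dave@contoso.example", "2025-01-15T11:00:00Z", "GB", 51.5074, -0.1278),
    _signin("dave@contoso.example", "2025-01-15T11:05:00Z", "US", 40.7128, -74.0060, error=50126),
]
ENTRA_AUDIT = [
    {"activityDisplayName": "Update conditional access policy",
     "initiatedBy": "carol@contoso.example", "target": "Require MFA for all users"},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": "dave@contoso.example", "target": "Mail Backup Helper"},
    {"activityDisplayName": "Add user", "initiatedBy": "admin01@contoso.example", "target": "new.hire"},
]
M365_AUDIT = ([{"Operation": "FileDownloaded", "UserId": "eve@contoso.example", "Workload": "SharePoint",
                "CreationTime": f"2025-01-15T14:{i % 60:02d}:{i // 60:02d}"} for i in range(150)]
              + [{"Operation": "FileDownloaded", "UserId": "frank@contoso.example",
                  "Workload": "SharePoint", "CreationTime": "2025-01-15T14:10:00"}])


def run_all() -> Dict[str, object]:
    return {"impossible_travel": impossible_travel(SIGN_INS),
            "entra_audit": entra_audit_alerts(ENTRA_AUDIT),
            "mass_downloads": mass_downloads(M365_AUDIT)}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

Two design points are worth carrying into a production rule set. The impossible-travel check only counts successful sign-ins, because a failed attempt from a distant country proves nothing about where the user is; and the mass-download check buckets by clock hour, which is cheap but can miss a burst straddling two hours, so a sliding window is better once the volume justifies it. This is also the kind of rule that should be fired deliberately during an assessment, by signing in through a VPN exit in another country, to prove the alert reaches a human.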

Putting It Into Practice

If you have not had a proper review of your Azure tenant in the past year, you almost certainly have findings waiting to be discovered. The good news is that most of the issues are configuration rather than architecture, which means a competent tester can give you a clear remediation path. Choose a penetration testing provider with genuine cloud experience rather than a generalist who scans everything with the same tool.