
Task 03: Configure Security Baselines

Runbook Azure

DOCUMENT CATEGORY: Runbook
SCOPE: Security baseline configuration
PURPOSE: Review and remediate security recommendations
MASTER REFERENCE: Microsoft Learn - Security Baselines

Status: Active


Security baselines provide a standardized set of security configurations based on Microsoft best practices. This step reviews Defender for Cloud recommendations and remediates high-priority findings before Azure Local deployment.

Proactive Security

Addressing security recommendations before deploying Arc-enabled servers and the Azure Local cluster reduces the attack surface and simplifies post-deployment hardening.

Overview

| Baseline Category | Focus Area | Priority |
|---|---|---|
| Compute | VM security, extensions, encryption | High |
| Networking | NSG rules, public access, network segmentation | High |
| Identity | RBAC, privileged accounts, MFA | High |
| Data | Encryption at rest, Key Vault configuration | Medium |
| Monitoring | Diagnostic settings, log retention | Medium |

Prerequisites

  • Defender for Cloud enabled (Step 2)
  • Azure Policy initiatives assigned (Step 3)
  • Security Administrator role or equivalent

Variables from variables.yml

| Variable | Config Path | Example |
|---|---|---|
| AZURE_SUBSCRIPTION_ID | azure.subscription.id | 00000000-0000-0000-0000-000000000000 |
| AZURE_RESOURCE_GROUP | azure.resource_group.name | rg-azurelocal-prod-eus2 |
| AZURE_KEYVAULT_NAME | azure.keyvault.name | kv-azl-dal-prod-01 |

Procedure

Review Security Recommendations

  1. Navigate to Defender for Cloud
     • In Azure Portal, go to Microsoft Defender for Cloud
     • Click Recommendations in the left menu
  2. Filter by Severity
     • Set Severity filter to High
     • Review the list of high-severity recommendations
  3. Review by Resource Type
     • Click Inventory to view resources
     • Filter by resource type (VMs, Key Vaults, Storage, etc.)
     • Click a resource to see its security findings

Remediate High-Priority Recommendations

Key Vault Recommendations

  1. Key Vault should use RBAC permission model
     • Navigate to Key Vault → Access configuration
     • Select Azure role-based access control
     • Click Save
  2. Key Vault should have soft delete enabled
     • Navigate to Key Vault → Properties
     • Verify soft delete is enabled (default in new vaults)
  3. Key Vault should have purge protection enabled
     • Navigate to Key Vault → Properties
     • Enable Purge protection
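The three Key Vault items above can be checked and remediated from PowerShell instead of the portal. The following is an added example written for this runbook, not part of the original page; it uses the Az.KeyVault cmdlets `Get-AzKeyVault` and `Update-AzKeyVault`, reads the vault and resource group names from the variables table above, and adds a `-WhatIf` style dry run (`$DryRun`) so the change can be reviewed before it is applied.

```powershell
# Added example (not from the runbook): audit and remediate Key Vault baseline settings.
# Values below correspond to AZURE_RESOURCE_GROUP and AZURE_KEYVAULT_NAME in variables.yml.
$ResourceGroup = "rg-azurelocal-prod-eus2"
$VaultName     = "kv-azl-dal-prod-01"
$DryRun        = $true   # set to $false to apply changes

$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if (-not $vault) { throw "Key Vault '$VaultName' not found in '$ResourceGroup'" }

# Report the current state of the three recommendations in this section.
[pscustomobject]@{
    Vault              = $vault.VaultName
    RbacAuthorization  = $vault.EnableRbacAuthorization
    SoftDelete         = $vault.EnableSoftDelete
    PurgeProtection    = $vault.EnablePurgeProtection
} | Format-List

# 1. RBAC permission model. Switching from access policies to RBAC disables the
#    existing access policies, so make sure the required role assignments
#    (e.g. Key Vault Secrets Officer) exist before flipping this in production.
if (-not $vault.EnableRbacAuthorization) {
    Write-Host "Enabling Azure RBAC permission model on $VaultName" -ForegroundColor Yellow
    if (-not $DryRun) {
        Update-AzKeyVault -ResourceGroupName $ResourceGroup -VaultName $VaultName -EnableRbacAuthorization $true
    }
}

# 2. Soft delete is enabled by default on new vaults and cannot be turned off;
#    an older vault without it needs to be migrated, so only report here.
if (-not $vault.EnableSoftDelete) {
    Write-Warning "$VaultName does not have soft delete enabled; review vault age and migration options."
}

# 3. Purge protection. Note this is a one-way change: once enabled it cannot be
#    disabled, and a deleted vault cannot be purged before the retention period ends.
if (-not $vault.EnablePurgeProtection) {
    Write-Host "Enabling purge protection on $VaultName" -ForegroundColor Yellow
    if (-not $DryRun) {
        Update-AzKeyVault -ResourceGroupName $ResourceGroup -VaultName $VaultName -EnablePurgeProtection
    }
}

# Re-read and show the final state so the run log documents the remediation.
Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup |
    Select-Object VaultName, EnableRbacAuthorization, EnableSoftDelete, EnablePurgeProtection
```

Run it once with `$DryRun = $true` to see which settings Defender for Cloud will flag, then re-run with `$DryRun = $false` after confirming the RBAC role assignments are in place.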

Network Recommendations

  1. Subnets should be associated with an NSG
     • Navigate to Virtual Network → Subnets
     • Verify each subnet has an NSG attached
     • Apply NSGs created in Stage 06
  2. Management ports should be protected with JIT
     • In Defender for Cloud, go to Workload protections
     • Click Just-in-time VM access
     • Enable JIT for management VMs
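Both network items can be audited in bulk before touching the portal. The script below is an added example for this runbook, not code from the original page: it walks every subnet in the resource group, reports those without an NSG and attaches a named NSG to them, then creates a Defender for Cloud JIT policy for a management VM with `Set-AzJitNetworkAccessPolicy`. The NSG name (`nsg-azurelocal-mgmt`), the VM name (`vm-mgmt-01`), the management ports (3389 and 5986) and the allowed source CIDR are assumptions to replace with the values from Stage 06 and your own environment.

```powershell
# Added example (not from the runbook): find subnets without an NSG, attach one, and enable JIT.
$ResourceGroup = "rg-azurelocal-prod-eus2"   # AZURE_RESOURCE_GROUP from variables.yml
$NsgName       = "nsg-azurelocal-mgmt"       # assumed: NSG created in Stage 06
$MgmtVmName    = "vm-mgmt-01"                # assumed: management VM to protect with JIT
$MgmtSourceCidr = "10.250.0.0/24"            # assumed: admin jump network; never use "*" here
$DryRun        = $true

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup

# --- 1. Subnets should be associated with an NSG -------------------------------
foreach ($vnet in Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup) {
    foreach ($subnet in $vnet.Subnets) {
        # GatewaySubnet must not carry an NSG, so it is reported but skipped.
        if ($subnet.Name -eq "GatewaySubnet") {
            Write-Host "Skipping $($vnet.Name)/$($subnet.Name) (gateway subnet)" -ForegroundColor DarkGray
            continue
        }
        if ($null -eq $subnet.NetworkSecurityGroup) {
            Write-Host "No NSG on $($vnet.Name)/$($subnet.Name); attaching $NsgName" -ForegroundColor Yellow
            if (-not $DryRun) {
                Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet.Name `
                    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
            }
        }
        else {
            Write-Host "OK  $($vnet.Name)/$($subnet.Name) -> $($subnet.NetworkSecurityGroup.Id.Split('/')[-1])" -ForegroundColor Green
        }
    }
    # Subnet changes are staged in memory; this call writes them to Azure.
    if (-not $DryRun) { $vnet | Set-AzVirtualNetwork | Out-Null }
}

# --- 2. Management ports should be protected with JIT --------------------------
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $MgmtVmName

# A JIT policy keeps the ports closed until an approved request opens them for
# a bounded time window from an allowed source range.
$jitPolicy = @{
    id    = $vm.Id
    ports = @(
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @($MgmtSourceCidr); maxRequestAccessDuration = "PT3H" },
        @{ number = 5986; protocol = "TCP"; allowedSourceAddressPrefix = @($MgmtSourceCidr); maxRequestAccessDuration = "PT3H" }
    )
}

Write-Host "JIT policy for $MgmtVmName: ports 3389/5986 from $MgmtSourceCidr, max PT3H" -ForegroundColor Cyan
if (-not $DryRun) {
    Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $vm.Location -Name "default" `
        -ResourceGroupName $ResourceGroup -VirtualMachine @($jitPolicy)
}
```

The JIT policy only closes the ports at the NSG level while no request is approved; the underlying NSG rules for the subnet still need to deny inbound management traffic by default so that JIT is the only path in.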

Storage Recommendations

  1. Storage accounts should use private link
     • Navigate to Storage account → Networking
     • Configure private endpoints (if required)
  2. Secure transfer to storage accounts should be enabled
     • Navigate to Storage account → Configuration
     • Verify Secure transfer required is enabled
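Where a resource group holds several storage accounts, the settings behind these two recommendations are easier to verify in one pass. This added example is not from the original page: it uses `Get-AzStorageAccount` and `Set-AzStorageAccount` from Az.Storage to report each account's secure-transfer, minimum TLS, anonymous blob access and public network access settings, and enforces the first three; disabling public network access is left as an opt-in switch because it requires the private endpoints from step 1 to already exist.

```powershell
# Added example (not from the runbook): audit and harden storage accounts in the resource group.
$ResourceGroup      = "rg-azurelocal-prod-eus2"   # AZURE_RESOURCE_GROUP from variables.yml
$DryRun             = $true
$DisablePublicAccess = $false   # set $true only once private endpoints are deployed

$report = foreach ($sa in Get-AzStorageAccount -ResourceGroupName $ResourceGroup) {
    $fixes = @()

    # "Secure transfer required": reject plain HTTP and unencrypted SMB.
    if (-not $sa.EnableHttpsTrafficOnly) { $fixes += "EnableHttpsTrafficOnly" }

    # Enforce TLS 1.2 as the floor for all client connections.
    if ($sa.MinimumTlsVersion -ne "TLS1_2") { $fixes += "MinimumTlsVersion=TLS1_2" }

    # Anonymous blob access is never needed for Azure Local artefacts.
    if ($sa.AllowBlobPublicAccess -ne $false) { $fixes += "AllowBlobPublicAccess=false" }

    # Private link: once endpoints exist, public network access can be switched off.
    if ($DisablePublicAccess -and $sa.PublicNetworkAccess -ne "Disabled") { $fixes += "PublicNetworkAccess=Disabled" }

    [pscustomobject]@{
        StorageAccount     = $sa.StorageAccountName
        HttpsOnly          = $sa.EnableHttpsTrafficOnly
        MinTls             = $sa.MinimumTlsVersion
        BlobPublicAccess   = $sa.AllowBlobPublicAccess
        PublicNetwork      = $sa.PublicNetworkAccess
        PendingFixes       = ($fixes -join ", ")
    }

    if ($fixes.Count -gt 0 -and -not $DryRun) {
        $params = @{
            ResourceGroupName      = $ResourceGroup
            Name                   = $sa.StorageAccountName
            EnableHttpsTrafficOnly = $true
            MinimumTlsVersion      = "TLS1_2"
            AllowBlobPublicAccess  = $false
        }
        if ($DisablePublicAccess) { $params.PublicNetworkAccess = "Disabled" }
        Set-AzStorageAccount @params | Out-Null
    }
}

$report | Format-Table -AutoSize
```

Keep the `Format-Table` output with the CSV export in the next section; it is the evidence that the "Secure transfer" and "restrict network access" recommendations were closed by configuration rather than by exception.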

Export Recommendations

  1. Export to CSV
     • In Recommendations view, click Download CSV
     • Save for documentation and tracking
  2. Configure Continuous Export
     • Go to Environment settings → Your subscription
     • Click Continuous export
     • Configure export to Log Analytics or Event Hub
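The portal steps in Review Security Recommendations and Export Recommendations can be scripted for repeatable tracking across runs. The following is an added example for this runbook, not code from the original page: it builds on the same `az security assessment list | ConvertFrom-Json` call the Validation section uses, keeps only Unhealthy assessments, derives the affected resource and its type from the assessment `id` (the assessment id is the resource id followed by `/providers/Microsoft.Security/assessments/<guid>`), summarises by resource type, and writes a dated CSV. The output path is an assumption.

```powershell
# Added example (not from the runbook): export unhealthy Defender for Cloud assessments to CSV.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # AZURE_SUBSCRIPTION_ID from variables.yml
$OutputPath     = ".\defender-unhealthy-$(Get-Date -Format 'yyyyMMdd').csv"   # assumed location

az account set --subscription $SubscriptionId

$assessments = az security assessment list | ConvertFrom-Json

# Statuses are Healthy, Unhealthy or NotApplicable; only Unhealthy needs action.
$unhealthy = $assessments | Where-Object { $_.status.code -eq "Unhealthy" }

$report = foreach ($a in $unhealthy) {
    # Strip the assessment suffix to recover the ARM id of the affected resource.
    $resourceId = $a.id -replace '/providers/Microsoft\.Security/assessments/.*$', ''

    # Resource type is the provider/type pair after the last "/providers/" in the resource id.
    $resourceType = if ($resourceId -match '.*/providers/([^/]+/[^/]+)') { $Matches[1] } else { 'subscription' }

    [pscustomobject]@{
        Recommendation = $a.displayName
        ResourceType   = $resourceType
        ResourceName   = $resourceId.Split('/')[-1]
        ResourceId     = $resourceId
        Cause          = $a.status.cause
        AssessmentId   = $a.id
    }
}

# Quick view of where the findings concentrate, mirroring the portal's Inventory filter.
$report | Group-Object ResourceType | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'ResourceType'; e = { $_.Name } } | Format-Table -AutoSize

# Most common recommendations, useful for prioritising the remediation plan.
$report | Group-Object Recommendation | Sort-Object Count -Descending |
    Select-Object -First 10 Count, @{ n = 'Recommendation'; e = { $_.Name } } | Format-Table -AutoSize

$report | Sort-Object ResourceType, Recommendation | Export-Csv -Path $OutputPath -NoTypeInformation
Write-Host "Exported $($report.Count) unhealthy assessments to $OutputPath" -ForegroundColor Cyan
```

Commit the CSV alongside the runbook run record; diffing two exports shows exactly which recommendations were closed between runs, which the secure score alone does not.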

Common Recommendations for Azure Local

| Recommendation | Category | Remediation |
|---|---|---|
| Enable MFA for accounts with owner permissions | Identity | Configure Conditional Access (Step 6) |
| Subnets should be associated with NSG | Network | Apply NSGs from Stage 06 |
| Key Vault should use RBAC | Data | Update Key Vault access model |
| Enable Defender for servers | Compute | Enable in Defender for Cloud (Step 2) |
| Storage accounts should restrict network access | Data | Configure private endpoints |
| Management ports should be protected | Network | Enable JIT access |

Validation

```powershell
# Get secure score
$secureScore = az security secure-score show --name ascScore | ConvertFrom-Json
Write-Host "Current Secure Score: $($secureScore.score.current) / $($secureScore.score.max)" -ForegroundColor Cyan

# Get recommendation count by status (NotApplicable assessments are not counted)
$recommendations = az security assessment list | ConvertFrom-Json
$healthy = ($recommendations | Where-Object { $_.status.code -eq "Healthy" }).Count
$unhealthy = ($recommendations | Where-Object { $_.status.code -eq "Unhealthy" }).Count

Write-Host "`nRecommendation Status:"
Write-Host " Healthy: $healthy" -ForegroundColor Green
Write-Host " Unhealthy: $unhealthy" -ForegroundColor $(if ($unhealthy -gt 0) { "Yellow" } else { "Green" })
```

Expected Output

```text
Current Secure Score: 72 / 100

Recommendation Status:
 Healthy: 45
 Unhealthy: 8
```

Secure Score Target

| Score Range | Status | Action |
|---|---|---|
| 80-100% | Excellent | Maintain current posture |
| 60-79% | Good | Address high-severity items |
| 40-59% | Fair | Prioritize remediation plan |
| 0-39% | Poor | Immediate attention required |

Note: Secure score may take up to 24 hours to reflect changes after remediation.


Troubleshooting

| Issue | Cause | Resolution |
|---|---|---|
| Secure score not updating after remediation | Assessment cycle not yet completed | Wait up to 24 hours; force refresh by navigating to Defender for Cloud > Secure score and clicking refresh |
| Remediation script fails with authentication errors | Azure context expired or wrong subscription | Re-authenticate: `Connect-AzAccount`; verify context: `Get-AzContext`; set correct subscription |
| Recommendations show resources not in scope | Policy evaluation includes resources outside intended scope | Review assignment scope; add exclusions for out-of-scope resource groups or subscriptions |

Next Steps

Proceed to Task 5: Enable Security Logging to configure security event collection.



| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0.0 | 2026-03-24 | Azure Local Cloudnology Team | Initial release |