Azure infrastructure security review process. Use when reviewing RBAC and managed identities, auditing Storage account configurations, securing Azure Functions and App Service, reviewing Bicep/ARM templates or Terraform, or configuring VNet and NSGs. Also use when service principals use secrets, Storage allows public blob access, Azure SQL uses SQL auth instead of Azure AD, or NSG rules allow 0.0.0.0/0. Essential for Key Vault integration, Microsoft Defender, private endpoints, and Azure security scanning.
Azure provides strong security controls, but they must be explicitly configured. This skill guides systematic review of Azure infrastructure for security misconfigurations.
Core principle: Use managed identities, not service principal secrets. With a managed identity the platform issues and rotates the credential, so there is no secret to store in app settings, pipelines or Key Vault, nothing to rotate, and nothing to leak; Azure AD authentication then authorizes the workload through RBAC rather than through a shared secret.
Identity is the foundation. Start here:

- Review Role Assignments
- Check Managed Identities
- Verify Azure AD Integration

Then verify network isolation:

- Network Security Groups
- Private Endpoints
- Access Restrictions

Finally, verify data security:

- Encryption
- Storage Security
```bicep
targetScope = 'subscription'

param principalId string

// ❌ CRITICAL: Owner at subscription scope
// (roleDefinitionId must be the built-in role's resource ID, not the role name;
//  8e3af657-a8ff-443c-a75c-2fe8c4bcb635 is the built-in Owner role)
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, 'Owner')
  scope: subscription()
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') // Too broad!
    principalId: principalId
  }
}

// ❌ HIGH: Contributor role (still too broad; b24988ac-6180-42a0-ab88-20f7382dd24c is built-in Contributor)
// roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
// ❌ HIGH: Service principal with secret
// (Should use managed identity)
// ❌ MEDIUM: Assignment at subscription level
// (Scope the assignment to the resource group or resource the principal actually uses)
```
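The role-assignment and managed-identity checks above can be run mechanically over the output of `az role assignment list --all -o json` and `az ad sp list --all -o json`. The script below is an added example written for this page, not part of the original skill: it applies the severity rubric from the findings above (Owner at subscription scope is CRITICAL, Contributor is HIGH, any other subscription-level assignment is MEDIUM, a service principal with password credentials is HIGH) and generalizes the "subscription level" finding to management-group and root scope. Two choices are the editor's, not the page's: Owner at a narrower scope is rated HIGH alongside Contributor, and managed identities are recognized by `servicePrincipalType == "ManagedIdentity"` in the Graph service principal object. The sample records are constructed; the role GUIDs are the well-known built-in role definition IDs.

```python
"""Audit Azure role assignments and service principals for the identity findings
in this review. Input shapes mirror `az role assignment list --all` and
`az ad sp list --all` (Microsoft Graph servicePrincipal objects).
Sample data at the bottom is constructed for this example.
"""
import re

# Built-in role definition IDs: the last path segment of an assignment's roleDefinitionId.
OWNER_ROLE = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
CONTRIBUTOR_ROLE = "b24988ac-6180-42a0-ab88-20f7382dd24c"

_SUBSCRIPTION = re.compile(r"^/subscriptions/[^/]+$", re.I)
_RESOURCE_GROUP = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)
_MANAGEMENT_GROUP = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)


def scope_level(scope: str) -> str:
    """Classify an ARM scope string: managementGroup, subscription, resourceGroup or resource."""
    if scope == "/" or _MANAGEMENT_GROUP.match(scope):
        return "managementGroup"          # root ("/") is treated as broader than any subscription
    if _SUBSCRIPTION.match(scope):
        return "subscription"
    if _RESOURCE_GROUP.match(scope):
        return "resourceGroup"
    return "resource"


def role_guid(assignment: dict) -> str:
    """Extract the role definition GUID from the full roleDefinitionId resource ID."""
    return assignment["roleDefinitionId"].rsplit("/", 1)[-1].lower()


def audit_role_assignments(assignments: list) -> list:
    """Rate each assignment: CRITICAL Owner at subscription or broader; HIGH Owner/Contributor
    elsewhere (editor's assumption for Owner below subscription); MEDIUM any other role at
    subscription level or broader. Narrow, resource-scoped roles produce no finding."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        broad = level in ("subscription", "managementGroup")
        guid = role_guid(a)
        name = a.get("roleDefinitionName", guid)
        if guid == OWNER_ROLE and broad:
            severity, why = "CRITICAL", f"Owner assigned at {level} scope"
        elif guid in (OWNER_ROLE, CONTRIBUTOR_ROLE):
            severity, why = "HIGH", f"{name} is too broad; use a resource-specific built-in role"
        elif broad:
            severity, why = "MEDIUM", f"{name} assigned at {level} level; scope to a resource group or resource"
        else:
            continue
        findings.append({"severity": severity, "principalId": a["principalId"],
                         "role": name, "scope": a["scope"], "detail": why})
    return findings


def audit_service_principals(principals: list) -> list:
    """Flag app-registration service principals that authenticate with password credentials.
    Managed identities also appear as service principals (servicePrincipalType 'ManagedIdentity')
    but never carry secrets, so they pass."""
    findings = []
    for sp in principals:
        if sp.get("servicePrincipalType") == "ManagedIdentity":
            continue
        if sp.get("passwordCredentials"):
            findings.append({"severity": "HIGH", "principalId": sp["id"], "role": None, "scope": None,
                             "detail": f"{sp['displayName']} uses {len(sp['passwordCredentials'])} "
                                       "secret(s); replace with a managed identity"})
    return findings


def audit(assignments: list, principals: list) -> list:
    """Role-assignment findings in input order, followed by service-principal findings."""
    return audit_role_assignments(assignments) + audit_service_principals(principals)


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_DEFS = f"{SUB}/providers/Microsoft.Authorization/roleDefinitions"

# Constructed sample data: no real tenants or principals.
SAMPLE_ASSIGNMENTS = [
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "roleDefinitionId": f"{ROLE_DEFS}/{OWNER_ROLE}", "scope": SUB},
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "roleDefinitionId": f"{ROLE_DEFS}/{CONTRIBUTOR_ROLE}",
     "scope": f"{SUB}/resourceGroups/rg-app"},
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "User",
     "roleDefinitionName": "Reader",
     "roleDefinitionId": f"{ROLE_DEFS}/acdd72a7-3385-48ef-bd42-f606fba81ae0", "scope": SUB},
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Reader",
     "roleDefinitionId": f"{ROLE_DEFS}/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
     "scope": f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp001"},
]
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "ci-deployer",
     "servicePrincipalType": "Application",
     "passwordCredentials": [{"keyId": "44444444-4444-4444-4444-444444444444",
                              "endDateTime": "2026-12-31T00:00:00Z"}]},
    {"id": "33333333-3333-3333-3333-333333333333", "displayName": "func-orders",
     "servicePrincipalType": "ManagedIdentity", "passwordCredentials": []},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ASSIGNMENTS, SAMPLE_SERVICE_PRINCIPALS):
        print(f"{f['severity']:8} {f['principalId']}  {f['detail']}")
```

Against the constructed sample, the Owner assignment at `SUB` is CRITICAL, the Contributor assignment in `rg-app` is HIGH, the Reader at subscription level is MEDIUM, the Storage Blob Data Reader scoped to the storage account (held by the managed identity `func-orders`) produces nothing, and `ci-deployer` is flagged HIGH for its password credential. To run it on a real tenant, replace the sample lists with `json.load` of the two `az` command outputs.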