Most engineers think…
Most candidates answer "Azure is secure by default — Microsoft handles the security" — and the interview quietly ends there.
That single sentence fails you. Azure runs on the shared-responsibility model: Microsoft secures the physical cloud and platform, but identity, data and configuration are always the customer’s job. What an interviewer actually wants to hear is Conditional Access, least-privilege RBAC, PIM, hardened Key Vault and a rising Defender for Cloud secure score. This lesson trains the framing that gets you hired.
① Identity & access — Entra ID, RBAC, PIM and Conditional Access
Azure interviews open on identity, because in the cloud identity is the perimeter. Microsoft Entra ID (formerly Azure AD) is the identity provider; Conditional Access is the policy engine that decides, per sign-in, whether to grant access and under what conditions.
The Azure security vocabulary every interview opens with
Know these four cold before anything else. Tap each card.
The identity provider (formerly Azure AD) — users, groups, SSO, MFA and Conditional Access. The control plane for who you are.
The policy engine — if a signal (user, device, location, risk) matches, enforce a control (block or require MFA / compliant device). Zero Trust in action.
Privileged Identity Management — just-in-time, time-bound, approval-gated activation of eligible roles, so no one holds standing admin rights.
CSPM + secure score — continuously assesses your config against the Microsoft Cloud Security Benchmark and tells you exactly what to fix.
Two authorisation models confuse candidates. Azure RBAC governs what you can do to resources (VMs, storage, networks) at a scope; Entra roles govern the directory itself. PIM makes privileged roles eligible rather than permanent, so admins activate just-in-time. And Managed Identity lets a VM or app call other Azure services with no secret stored anywhere — the modern answer to "where do I keep the password?".
An app team at Infosys hard-codes a Storage account key in config to let their Azure VM read blobs. What is the right Azure-native fix?
What is Entra ID Protection, and how do risk-based Conditional Access policies work?
Entra ID Protection is the engine that scores identity risk in real time and feeds those scores to Conditional Access. It produces two signals interviewers expect you to name precisely. Sign-in risk is the probability that this authentication attempt isn't the real user — triggered by anonymous/Tor IPs, atypical (impossible) travel, malware-linked IPs or unfamiliar sign-in properties. User risk is the probability that the account itself is compromised — driven by leaked credentials found on the dark web or a pattern of risky sign-ins.
A risk-based Conditional Access policy turns those scores into action. Microsoft's recommended pattern: require MFA when sign-in risk is Medium or High, and require a secure password change (risk remediation) when user risk is High. The elegant part is self-remediation — a user who passes the MFA challenge or completes the secure password reset clears their own risk, so the admin never has to investigate routine events. Risk-based policies need Entra ID P2 (standard MFA/Conditional Access only needs P1). One 2026 fact worth dropping: the legacy risk policies that lived inside ID Protection are retiring on 1 October 2026 — you now configure risk policies in Conditional Access itself, which gives report-only mode, Graph API and the ability to combine risk with other conditions like location.
How and why do you block legacy authentication in Entra?
Legacy authentication is any protocol that can't do MFA — IMAP, POP3, SMTP AUTH, older Office clients. Block it because it is the single biggest MFA bypass: per Microsoft's telemetry, more than 99% of password-spray attacks and ~97% of credential-stuffing attacks ride legacy protocols, since an attacker who hits an IMAP endpoint never gets prompted for a second factor. You block it with a Conditional Access policy: All users → All resources → Conditions ▸ Client apps = Exchange ActiveSync clients + Other clients → Grant = Block. First identify who still uses it via the Entra sign-in logs (Client App filter), roll out in Report-only to avoid breaking a mailbox, then flip it On. Always exclude your break-glass accounts and migrate any script using legacy auth to a Managed Identity.
How would you design break-glass (emergency access) accounts?
Conditional Access is powerful enough to lock everyone out — a single mis-scoped “require compliant device” policy can leave you with no way back in. Break-glass accounts are the safety valve. Design them as: two cloud-only accounts (not federated, not synced from on-prem so an AD/sync outage can't kill them), with the Global Administrator role, excluded from every Conditional Access policy so a policy mistake never locks them out. Protect them instead with extremely long unique passphrases split and stored offline in a safe, phishing-resistant FIDO2 keys, and — critically — a monitored sign-in alert so any use of a break-glass account immediately pages the SOC. They are for emergencies only; everyday admin still goes through PIM just-in-time.
Never say Microsoft handles security. Cite the shared-responsibility model: Microsoft secures the physical cloud and platform, but identity, data and configuration are always the customer's job. The interviewer wants Conditional Access + least-privilege RBAC + a rising Defender secure score — that is your half of the deal.
② Network security — NSG, Azure Firewall, Private Link and the hub-spoke
Azure network security is layered, and interviewers test whether you confuse the layers. An NSG is a free, stateful L3-4 rule set on a subnet or NIC; an ASG is a logical tag (web, app, db) you reference inside NSG rules so you stop maintaining IP lists. Azure Firewall is the paid, central L3-7 firewall in the hub VNet doing FQDN filtering, IDPS and threat-intel.
▶ Watch a sign-in get evaluated by Conditional Access
How a user reaches a cloud app only after identity, signals and grant controls are checked. Press Play for the healthy path, then Break it to see the failure.
Private Endpoint via Private Link pulls a PaaS service (Storage, SQL, Key Vault) onto a private IP inside your VNet — the public endpoint can then be disabled. Azure Bastion removes public RDP/SSH; forced tunneling (a UDR) forces all egress through the firewall instead of straight out.
A TCS app reaches its Azure Storage account over the public internet even after a Private Endpoint was created. Best explanation?
Pause & Predict
Does a Private Endpoint by itself stop all public access to a Storage account? Type your guess.
Priya at Wipro faces this
A new internal API on an Azure VM must reach Azure SQL privately, but it keeps connecting over the public endpoint.
The Private Endpoint exists, but the VNet still resolves the SQL FQDN to the public IP because the Private DNS Zone isn't linked.
From the VM, nslookup the SQL FQDN — a public IP means private DNS isn't applied; a 10.x private IP means it's correct.
VNet ▸ Private DNS Zones + Private Endpoint ▸ DNS configurationLink the privatelink.database.windows.net Private DNS Zone to the VNet (or set a conditional forwarder on-prem), then set the SQL firewall to deny public network access.
nslookup now returns the 10.x private IP; the app connects privately and the public path is closed.
③ Data & platform protection — Key Vault, encryption, Storage and Defender for Cloud
Secrets, keys and certificates live in Key Vault. A 2026 gotcha: from API version 2026-02-01 new vaults default to Key Vault RBAC instead of legacy Key Vault access policy. RBAC is preferred because it scopes least-privilege roles centrally, supports PIM and is auditable, where access policies are per-vault and coarse.
🖥️ This is the screen you'll build Zero-Trust access in — Entra ID ▸ Security ▸ Conditional Access ▸ New policy in the Azure portal. Fields ①②③ decide who is challenged and how.
① Users defines who the policy targets — scope tightly and always exclude a break-glass account. ② Target resources (Cloud apps) is what they’re reaching. ③ Grant = the control: Require MFA is the single highest-value policy an interviewer wants to hear. Start every policy in Report-only before flipping it On.
Encryption at rest is on by default; encryption in transit is enforced with HTTPS-only and TLS 1.2. For Storage, the wins are: disable public access, scope SAS tokens tightly, and front it with a Private Endpoint. Defender for Cloud then scores the whole estate.
Platform-managed vs customer-managed keys — and what infrastructure (double) encryption adds
Azure encrypts every storage account, managed disk and database at rest by default with 256-bit AES using platform-managed keys — Microsoft generates, stores and rotates them, zero configuration, no extra cost. You switch to customer-managed keys (CMK) when compliance demands that you control the key lifecycle: your RSA key lives in Key Vault or Managed HSM and, via envelope encryption, wraps the data-encryption key. The payoff: you own rotation and you can revoke the key to make the data instantly unreadable. The trade-off interviewers want to hear: more control means more responsibility — if your key is lost or revoked by accident, the service loses access too.
Don't confuse CMK with infrastructure encryption. That is the double-encryption answer: a second encryption layer beneath the service layer, with a separate key and a different algorithm so a flaw or compromise in one layer can't expose the data. The two layers use independent key hierarchies — the service layer can be PMK or CMK, but the infrastructure layer is always Microsoft-managed. It must be enabled at storage-account creation and is meant for high-assurance/regulated workloads; for most workloads single-layer SSE is already strong enough.
Pause & Predict
Why is Key Vault RBAC preferred over the legacy access-policy model? Type your guess.
Defender for Cloud secure score for an HCL subscription suddenly drops 12 points overnight. What does that most likely indicate?
Karthik at an Indian bank faces this
Auditors flag that a Storage account holding statements is reachable from the public internet with a long-lived account-key SAS.
Public network access is enabled and a non-expiring account-key SAS is in use — both violate least-privilege and are flagged by Defender for Cloud.
Check Storage ▸ Networking (public access) and the SAS type/expiry; review the Defender for Cloud Storage recommendations.
Storage ▸ Networking + Defender for Cloud ▸ RecommendationsDisable public network access, add a Private Endpoint, replace the account-key SAS with short-lived user-delegation SAS (or Managed Identity + RBAC), and enable Defender for Storage.
Defender for Cloud recommendations clear and the secure score rises; the account is only reachable privately.
Defender for Cloud — free Foundational CSPM vs the paid Defender plans
Interviewers probe whether you know what's free and what costs money. When you turn Defender for Cloud on, you get Foundational CSPM at no cost: asset inventory, security recommendations against the Microsoft Cloud Security Benchmark, multicloud coverage and the secure score — that is the “posture for free” layer. Paying unlocks two distinct things. Defender CSPM is the advanced posture plan — attack path analysis, the cloud security graph (security explorer), agentless vulnerability and secrets scanning, and risk prioritisation. Separately, the Defender workload plans (Defender for Servers, Storage, SQL, Containers, Key Vault, App Service) add real-time threat protection per resource type. The clean one-liner: Foundational CSPM tells you what's mis-configured for free; Defender CSPM prioritises the riskiest attack paths; the Defender workload plans detect active attacks — and those alerts flow into Sentinel for investigation.
Meera at Zomato faces this
Finance wants the Azure security bill cut, so a manager asks whether they can simply turn Defender for Cloud off and still “see the secure score”.
The team conflates the free Foundational CSPM tier (secure score, recommendations) with the paid Defender CSPM and workload plans — turning everything off would lose posture and threat detection.
Review Environment settings ▸ Defender plans to see which paid plans are on, and which resource types they bill for (VMs, Storage accounts, SQL).
Defender for Cloud ▸ Environment settings ▸ Defender plansKeep free Foundational CSPM on everywhere (secure score + MCSB recommendations cost nothing); scope the paid Defender for Servers/Storage/SQL plans to production and crown-jewel data only, instead of switching protection off across the estate.
The secure score and recommendations still render, threat detection stays on the workloads that matter, and the bill drops without blinding the SOC.
A classic interview gotcha: CMK and infrastructure encryption are not the same thing. CMK swaps in your key for the service-level encryption (control + revocation); infrastructure encryption adds a second, always-Microsoft-managed layer underneath for double encryption. You can run both together. And remember encryption-at-rest is on by default with platform-managed keys — choosing CMK is about control and compliance, not about “turning encryption on”.
Default encryption at rest protects against stolen disks — it does NOT stop an over-permissioned identity, a public Storage endpoint, or a leaked SAS. Real data protection is RBAC least-privilege on Key Vault, disabled public access, Private Endpoints, and a Defender for Cloud secure score you actually act on.
④ Monitoring & governance + troubleshooting — Sentinel, Policy and the shared-responsibility model
Posture and detection are different jobs. Microsoft Sentinel is the cloud-native SIEM/SOAR — it ingests logs, you hunt with KQL and automate response with playbooks. Azure Policy enforces guardrails at scale; Azure Monitor and Log Analytics are the telemetry pipeline underneath both.
Pause & Predict
Defender for Cloud or Microsoft Sentinel — when do you reach for each? Type your guess.
Sneha at Flipkart faces this
The SOC must investigate an Entra sign-in spike from impossible-travel locations and correlate it with Azure activity-log changes.
This is detection/hunting across multiple sources, not a posture gap — the right tool is the SIEM, not Defender for Cloud alone.
Connect the Entra ID and Azure Activity data connectors, then hunt in KQL across SigninLogs and AzureActivity.
Sentinel ▸ Data connectors + Hunting (KQL)Build a KQL analytics rule joining SigninLogs (risky sign-ins) with AzureActivity (role assignments), and attach a playbook to disable the account and notify the SOC.
The rule fires on the next anomaly; the playbook auto-contains the account and opens an incident.
SigninLogs
| where RiskLevelDuringSignIn == "high"
| where IPAddress !startswith "10." and IPAddress !startswith "172.16."
| project TimeGenerated, UserPrincipalName, IPAddress, Location
| join kind=inner (
AzureActivity
| where OperationNameValue == "Microsoft.Authorization/roleAssignments/write"
) on $left.UserPrincipalName == $right.CallerTimeGenerated UserPrincipalName IPAddress Location 2026-06-11T04:12:00Z rahul@infra.bank.in 203.0.113.51 Singapore 2026-06-11T04:13:20Z rahul@infra.bank.in 203.0.113.51 Singapore (2 rows) — risky sign-in immediately followed by a self role-assignment
Whose responsibility is it to configure least-privilege RBAC and disable public Storage access in Azure?
Arjun at an Indian bank faces this
A compliance rule requires that no Storage account in production is ever created with public access — but developers keep creating them.
There is no preventive guardrail; relying on people to remember is not governance.
Audit current state in Defender for Cloud, then author an Azure Policy with a 'deny' effect scoped to the production management group.
Azure Policy ▸ Definitions / Assignments (deny effect)Assign a built-in/custom Azure Policy that denies Storage accounts with public network access at the management-group scope, so non-compliant resources can't be created at all.
A developer's public-Storage deployment now fails at create time with a policy-deny error; existing ones show non-compliant for remediation.
Don't close an Azure access ticket on 'should be fine'. Entra sign-in logs prove identity + Conditional Access; the IAM blade and an 'AuthorizationFailed' 403 prove RBAC; effective security rules prove the NSG/Firewall path; nslookup proves Private Endpoint DNS. Walk the ladder — identity, authZ, network, DNS — and the symptom points to the rung.
🤖 Ask the AI Tutor
Tap any question — instant, scoped to this lesson. No login, no waiting.
Pre-curated from Microsoft Azure docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.
📝 Wrap-up assessment — six more
You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.
🧠 In your own words
Type one line: why is identity the perimeter in Azure, not the network firewall? Then compare to the expert version.
🗣 Teach a friend
Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.
📖 Glossary
- Microsoft Entra ID
- Formerly Azure AD — Microsoft's cloud identity provider: users, groups, SSO, MFA, Conditional Access.
- Conditional Access
- Entra's policy engine — IF signals (user/device/location/risk) match, THEN enforce block or require MFA / compliant device.
- Azure RBAC vs Entra roles
- Azure RBAC governs resources (subscription→RG→resource); Entra roles govern the directory (e.g. Global Admin).
- PIM
- Privileged Identity Management — just-in-time, time-bound, approval-gated activation of eligible privileged roles.
- Managed Identity
- An Entra identity Azure manages for a resource so code calls Key Vault/Storage with no stored secret.
- NSG / ASG
- NSG = free L3-4 allow/deny on subnet/NIC; ASG = a logical label (web/db) referenced inside NSG rules.
- Azure Firewall
- Managed central L3-7 firewall in the hub VNet — FQDN filtering, DNAT/SNAT, TLS inspection, IDPS, threat-intel.
- Private Endpoint / Private Link
- A private-IP NIC that projects a PaaS service into your VNet, removing public exposure (pair with Private DNS).
- Key Vault (RBAC vs access policy)
- Managed secret/key/cert store; RBAC = central least-privilege roles (default from API 2026-02-01) vs legacy per-vault access policies.
- Defender for Cloud / Sentinel
- Defender for Cloud = CSPM + secure score (posture); Sentinel = cloud SIEM/SOAR with KQL hunting (detect & respond).
📚 Sources
- Microsoft Learn — What is a private endpoint? (Azure Private Link). learn.microsoft.com/azure/private-link/private-endpoint-overview
- Microsoft Learn — Prepare for Key Vault API version 2026-02-01: Azure RBAC as default. learn.microsoft.com/azure/key-vault/general/access-control-default
- Microsoft Learn — Grant access to Key Vault using Azure RBAC. learn.microsoft.com/azure/key-vault/general/rbac-guide
- Microsoft Learn — What is Cloud Security Posture Management (CSPM) — Defender for Cloud. learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management
- Microsoft Learn — What is Microsoft Sentinel? (cloud-native SIEM) & Transition to the Defender portal. learn.microsoft.com/azure/sentinel/overview
- Microsoft Learn — Azure security baseline / Microsoft Cloud Security Benchmark (MCSB). learn.microsoft.com/security/benchmark/azure
What's next?
Cleared the Azure round? Keep going — the interview-prep library covers AWS, Zscaler, Palo Alto, Fortinet, Checkpoint and more, all in the same hands-on style.