More Irish public sector bodies are moving workloads to Microsoft Azure, often under tight budgets and tighter deadlines. The default Azure configuration is convenient, not secure. Under NIS2 and the public sector security baseline, convenient is not good enough. Here is a practical hardening checklist.
Identity Is The Perimeter
Enforce phishing resistant MFA for every administrator through Conditional Access. Use Privileged Identity Management so standing global admin access simply does not exist. Review guest accounts monthly, because forgotten external users are a recurring breach path.
Lock Down The Network
Disable public network access on storage accounts and databases by default. Use Private Endpoints and Network Security Groups. Put management ports behind Just In Time access rather than leaving RDP and SSH open to the internet.
Turn On The Telemetry
Enable Microsoft Defender for Cloud across your subscriptions and route logs into Microsoft Sentinel. Logs you never collected cannot help you during an incident. Set retention to meet your reporting obligations under NIS2.
Govern With Policy
Azure Policy can enforce encryption, block public IP addresses, and require tagging automatically across every subscription. Manual review does not scale. Codify the rules so misconfiguration is prevented, not discovered later.
Check Your Region
Keep data in EU regions such as North Europe, which is hosted in Dublin, to satisfy data residency expectations. Confirm that backups and disaster recovery copies stay in region too.
Written by Shreesh, Shamrock Security