Written by: Donovan Crowley, Fortress SRM Director of Security Strategy

Cloud environments aren’t just that “data center in the sky” anymore. They have become the backbone of modern enterprise IT. And with hybrid and multi-cloud setups becoming the norm, Microsoft Azure is often at the center, powering it all. 

But here’s the catch: with great flexibility comes great complexity… and where there’s complexity, there’s risk. 

Azure’s power lies in its configurability, but that same flexibility makes misconfigurations easy to create and hard to spot. In fact, misconfigurations remain one of the leading causes of cloud breaches today, far more common than flashy exploits or headline-grabbing vulnerabilities. 

Across our assessments and incident response cases, we see the same pattern: a small configuration slip, seemingly harmless, quietly escalates into serious exposure. And often, it happens without generating a single alert. 

Some of the most overlooked risks we see again and again include: 

• Overly permissive access rules that expose private workloads. 
• Local or legacy accounts bypassing MFA or Conditional Access. 
• Dormant identities and unused resources creating governance blind spots. 
• Misconfigured or missing logs that hinder threat detection. 
• Persistent admin privileges without PIM or just-in-time controls. 

Alone, these issues might not look like much. But in a fast-moving cloud environment, they stack up. And attackers love that hidden surface, auditors find it fast, and defenders usually spot it too late. 

In this post, we’ll break down the top five Azure misconfigurations we see in the wild, why even experienced teams miss them, and how a focused Cloud Security Posture Management (CSPM) assessment can help you fix them quickly. 

Top 5 Azure Misconfigurations Putting You At Risk

Azure makes it easy to move fast. You can deploy an entire workload in minutes, integrate it, and scale instantly. But that speed also means you can misconfigure it just as quickly. 

Cloud environments never sit still. New resources spin up, identity assignments change, and hidden dependencies. As a result, the same core misconfigurations show up in almost every assessment we run, whether the organization is a small startup or a Fortune 100 enterprise. 

Here are the top five issues you cannot afford to ignore.  

1. NSGs and RBAC Gone Wild: The Danger of Overly Permissive Permissions

Too much access + too many privileges = your biggest Azure attack surface.  

What to Watch For (Common Symptoms)

• Open inbound Network Security Group (NSG) rules that allow traffic from 0.0.0.0/0, especially for RDP (port 3389) and SSH (port 22). 
• Excessive RBAC role assignments, where users or groups are given broad roles (e.g., Owner or Contributor) where specific, granular functional roles should be used (e.g., Reader, Virtual Machine Contributor, etc.). 
• “Temporary” or convenience-driven configuration access that never gets removed.

Why It Matters

Exposed ports are top targets for brute-force and credential-stuffing attacks. Overprivileged accounts turn a minor breach into a major one. Regulatory frameworks like CIS, ISO, and NIST flag this as high-right.  

What to Check Right Now

1.) Do any NSGs allow unrestricted inbound access? 
2.) Do you have more than a handful of Owner/Contributor assignments? 
3.) Are administrative ports directly exposed to the internet? 

Recommended Fixes

NSG Hardening 

• Restrict inbound access to known IP ranges only. Use IP whitelisting for administrative protocols.
• Remove public exposure entirely where possible and use Azure Bastion for secure admin access. 
• Use Azure site-to-site or point-to-point VPN to your work site or static remote sites instead of public access for resource management. 
• Enforce network hygiene and compliance with Azure Policy, including: 
  – Deny Public Inbound Ports 
  – Deny Internet Facing NSG Rules 

RBAC Hardening 

• Adopt a least-privilege roles only model.
• Favor granular roles such as: 
  – Virtual Machine Contributor 
  – Storage Blob Data Reader 
  – Key Vault Reader 
• Audit role assignments for overprivilege regularly. Example:
  az role assignment list --all --query "[?
roleDefinitionName=='Owner'].[principalName,scope]"
• Schedule recurring RBAC and NSG reviews with resource owners and identity teams.

Pro Tip: Automate the Safety Net 

To scale risk detection and remediation: 

• Use Azure Defender for Cloud and your SIEM to alert on risky NSG or RBAC configurations. 
• Enable Just-in-Time VM Access via Defender to reduce inbound port exposure during operational windows. 

2. Local Admin Accounts That Won’t Quit: The Risk of Skipping Entra ID (Azure AD) Authentication 

Local accounts are like leftover sushi: they might look fine, but they’re a hazard.  

What to Watch For (Common Symptoms) 

• VMs or workloads accessed via local admin accounts, often shared informally among teams. 
• Applications or automation authenticate with static credentials embedded in code or stored insecurely. 
• Service accounts operating without lifecycle control, MFA, or logging. 

These shortcuts may speed things up, but they bypass every layer of modern identity security. 

Why It Matters

Attackers love static secrets, and local accounts bypass modern identity controls. Entra ID bypass = no MFA, no audit trail, and a giant gap in zero-trust.  

What to Check Right Now

1.) Are any VMs or workloads still using local admin accounts? 
2.) Do any apps or scripts rely on embedded secrets? 
3.) Are service accounts operating without logging or lifecycle management? 

Recommended Fixes

Enforce Entra ID Authentication First: 

• Enable Azure AD login for all VMs to centralize authentication and logging. 
• For Windows VMs, use Azure AD joined or Hybrid Join with AADLoginForWindows VM extension. 

Replace Secrets with Managed Identities: 

• Use System-assigned or User-assigned Managed Identities for Azure resources to access other services securely. 
• Eliminate secrets stored in code, environment variables, or key vaults. 

Secure Administrative Access  

• Disable direct local admin access wherever possible. 
• Leverage Azure Bastion or Just-in-Time (JIT) VM Access for secure admin connections. 
• Enforce session expiry, logging, and MFA via Privileged Identity Management (PIM) or conditional access. 

Audit and Cleanup Local Admin Accounts: 

• Inventory all local admin accounts across VM fleets. Use PowerShell or CLI to enumerate accounts:
  Get-LocalGroupMember -Group "Administrators"
• Regularly rotate or remove local accounts not tied to valid operational workflows. 
• Schedule recurring reviews to prevent “set-and-forget” accounts.  

Pro Tip: Continuous Detection 

• Use tools like Microsoft Defender for Cloud and Microsoft Entra ID Identity Protection for continuous detection of anomalous sign-in behavior. 
• Focus on accounts that haven’t yet been migrated to Entra ID.  

3. Stale Resources and Identity Sprawl: Why Azure Cleanup Can’t Wait

Old VMs, unused accounts, orphaned disks… clutter isn’t just messy, it’s also super risky.  

What to Watch For (Common Symptoms) 

• Dormant service principals, legacy user accounts, or invalid Entra ID credentials left active. 
• Stopped or orphaned VMs, unattached disks, and retired resource groups still incurring cost or creating risk. 
• Resource sprawl caused by ad hoc deployments without naming standards, tagging, or lifecycle policies. 

Even well-managed environments accumulate this kind of “cloud waste” and unmanaged sprawl without guardrails. Not only does this create hidden risk, but it also makes audits, costs analysis, and compliance much harder than they need to be.  

Why It Matters

Dormant assets = unmonitored attack surface. Plus, they inflate costs and complicate audits.  

What to Check Right Now

1.) Any identities or service principals not used in 90+ days? 
2.) Stopped or deallocated VMs, unattached disks, or idle load balancers? 
3.) Resources missing tags or lifecycle policies? 

Recommended Fixes 

Audit Entra ID Objects: 

• Scan Entra ID users, groups, and service principals for inactivity:
  (MSOL module deprecated in April): Get-
EntraInactiveSignInUser -LastSignInBeforeDaysAgo 90 -All
• Remove or disable any identities not used in the past 90 days. 
• Rotate shared or service account credentials regularly. 

Identify Stale Azure Resources: 

• Use Azure Advisor and Cost Management to detect unused resources. 
• Enable Azure Resource Graph Explorer to query at scale across subscriptions: 
  resources
| where type == 'microsoft.compute/virtualmachines'
| extend powerState = tostring(properties.extended.instanceView.powerState.displayStatus) 
| where powerState == 'VM deallocated' or powerState == 'VM stopped' 
| project name, resourceGroup, powerState, location 
| order by name asc 

Apply Naming, Tagging, and Lifecycle Standards: 

• Adopt consistent resource naming conventions and tagging requirements for ownership, environment, and expiration. 
• Automate tagging via deployment pipelines or Azure Policy for consistency. 

Pro Tip: Automate Cleanup 

• Build recurring workflows with Azure Automation runbooks or Logic Apps.
• Flag inactive objects and notify resources owners before automatic removal.

4. Missing Logs = Blind Security: Missing Log Configuration on Azure Resources

No logs = no visibility. Without proper logging, breaches, misconfigurations, or insider activity can fly under the radar.  

Logging is the backbone of cloud observability and security. Yet, in many Azure environments, critical resources are provisioned without proper diagnostic settings, leaving teams without visibility into performance, access, or potential compromise. 

Common Symptoms 

• Resources like Virtual Machines, Storage Accounts, Key Vaults, Databases, and App Services do not have diagnostic logs enabled. 
• Logs aren’t routed to a central Log Analytics Workspace (LAW), SIEM, or secure storage. 
• Inconsistent or absent log retention policies across teams or subscriptions.  

Without logs, security teams operate blind, and incidents may only be discovered after significant damage.  

Why It Matters 

Logs are the foundation of detection, investigation, and compliance. Without them, you’re flying blind.  

What to Check Right Now

1.) Are all critical resources logging to a central destination? 
2.) Are retention policies consistent and compliant? 
3.) Are diagnostic settings deployed at scale for all subscriptions and management groups? 

Recommended Fixes 

Enforce Diagnostic Settings at Scale 

• Use built-in Azure Policies to automatically audit and deploy diagnostics, such as: 
  – Audit Diagnostic Settings 
  – Deploy Diagnostic Settings for Key Vault 
  – Audit VMs without Monitoring Agent 
• Assign these policies at management group or subscription level for wide coverage. 

Confirm Logging Across Resource Types 

• List diagnostic settings for resource groups or resource types using the CLI:
   
  az monitor diagnostic-settings list –resource-group <resource-group-name> 
  
• Identify gaps and generate a remediation plan based on priority. 

Centralize Log Routing and Retention 

• Forward logs to: 
  – A Log Analytics Workspace (LAW) for structured queries and alerts 
  – A SIEM platform (e.g., Microsoft Sentinel, Elastic, SentinelOne Singularity) for threat detection 
  – Or secure storage with immutable retention policies for compliance 

Enable Additional Monitoring Signals 

• Activity Logs: Track control-plane activity and administrative actions. 
• VMInsights: Provide rich OS-level visibility for virtual machines. 
• Defender for Cloud logs: Monitor workload-level vulnerability and threat detection. 

Pro Tip: Continuous Coverage 

• Build a “Log Coverage Report” with Azure Monitor Workbooks or custom Resource Graph queries.  
• Use this to continuously assess and visualize log gaps across all assets in your tenant. 

5. Azure Admins Without PIM or Role Controls: A Ticking Time Bomb

Without Just-in-Time (JIT) and Privileged Identity Management (PIM), a single compromised admin can put your entire environment at risk. 

What to Watch For (Common Symptoms) 

• High-privilege roles (Global Admin, User Access Administrator, Owner) assigned permanently to user accounts or groups. 
• No guardrails in place for role assignment, expiration, or user justification. 
• Lack of auditing or monitoring on administrative role usage. 

Permanent admin assignments create a latent breach vector. Attackers are big fans of accounts that never expire. 

Why It Matters 

Violates least privilege and zero trust. Attackers actively target standing admin roles to move laterally. Compliance frameworks demand temporary, auditable, controlled privileged access.  

What to Check Right Now

1.) Which users or groups hold permanent high-privilege roles? 
2.) Are there no approval workflows or time limits in place? 
3.) Is JIT VM access enabled for administrative connections? 

Recommended Fixes 

Enable Privileged Identity Management (PIM) 

• Apply PIM to all high-impact roles including: 
  – Global Administrator 
  – Security Administrator 
  – Owner, Contributor (for resource-level RBAC) 
• Enforce:
  – Time-bound access (e.g., 4-hour windows) 
  – Justification and MFA for elevation 
  – Approval workflows for sensitive roles 

Audit and Rotate Standing Privileges 

• Review all current assignments to high-privilege roles by navigating to the Azure Portal and exporting the assignment list from PIM. 
• Remove or transition permanent assignments to eligible assignments under PIM. 
• Use Continuous Access Evaluation (CAE) in Entra ID to revoke access quickly if user risk changes or session anomalies are detected. 

Apply Just-In-Time Access 

• In addition to PIM for identity roles, configure Just-in-Time VM access via Defender for Cloud. 
• This locks down inbound RDP/SSH and only opens access upon authorized request for a limited time. 

Pro Tip: Continuous Monitoring 

• Integrate audit logs from PIM and JIT into a SIEM (e.g., Microsoft Sentinel).
• Monitor privilege elevations to detect unusual patterns and get early warnings on potential misuse.  

CSPM Assessment: Fast, Focused, Continuous

Traditional audits provide only a snapshot in time. Azure environments evolve constantly, and point-in-time reviews cannot keep up. Cloud Security Posture Management, or CSPM, changes that. It delivers automated visibility, intelligent detection, and prioritized remediation, giving your team both immediate and ongoing security improvements.

Bottom line: CSPM turns “Oops, Azure did it again” into “Got it covered.”

Why CSPM Matters

Even small misconfigurations can have major consequences:

• Ransomware exposure – open ports and stale accounts are actively exploited.
• Compliance failures – HIPAA, PCI DSS, ISO 27001, and other frameworks require proper access controls and audit trails.
• Unexpected downtime – misconfigurations can disrupt critical workloads.
• Reputational damage – customers expect reliable operations, not incident disclosures.

CSPM gives you continuous, automated insight into your environment. It identifies the misconfigurations that cause the most risk, including overly permissive access, stale identities, missing logs, credential misuse, and standing admin privileges. Every finding is tied to context, severity, business impact, and compliance requirements, so you know exactly what to fix first.

With CSPM in place, you move from reacting to incidents to preventing them. From scrambling before audits to walking in prepared. From hoping you are secure to knowing exactly where you stand.

What You Get with a CSPM Assessment

A CSPM assessment from Fortress SRM is conducted by our veteran cloud security analysts using modern tooling to deliver rapid visibility, automated detection, and actionable remediation tailored to your Azure environment.

• Rapid visibility – every user, resource, and permission across your Azure tenant.
• Automated detection – misconfigurations and security gaps with context and priority.
• Actionable remediation – clear, tailored steps for your environment.
• Continuous posture improvement – structured, ongoing cloud security management.

Next Step

Do not wait for an auditor or an attacker to uncover your risks. Fortress SRM provides hands-on support and continuous improvement to help you stay ahead of threats and ensure compliance.

Contact Fortress SRM to schedule your Azure CSPM Assessment and see exactly where your risks are and how to fix them fast.

The post Oops, Azure Did It Again: 5 Risks You Can’t Ignore appeared first on Fortress SRM.

Spoiler alert: Yes, you are.

Regardless of what your business does, what industry it operates in, or what size it is – you ARE a target for cybercrime.

Let’s look at the statistics.

• 43% of all data breaches involve small and medium-sized businesses (Verizon, 2022)
• 61% of all SMBs have reported at least one cyber-attack during the previous year (Verizon, 2022)
• 43% of SMBs have no cybersecurity defense plan in place, leaving their financial, customer and business data at risk (BullGuard, 2020)
• $2.98M is the average cost of a data breach for SMBs with fewer than 500 employees (Ponemon Institute, 2021)
• While any business with a computer system is at risk, the most targeted industries are in finance and insurance, manufacturing, professional services, and healthcare (IBM, 2021)

Summary: SMBs are absolutely at risk for cybercrime.

Let’s put the size of this problem in perspective: If cybercrime was measured as a country, it would be the world’s third-largest economy behind the US and China. (Cybersecurity Ventures, 2022)

Bringing awareness to the cybercrime issue is the first step towards solving it, because the problem is only getting worse.

• Cybersecurity Ventures predicts cybercrime will grow 15% per year, reaching $10.5 trillion annually by 2025
• It is estimated that ransomware attacks will increase in frequency, from every 11 seconds in 2021 to every 2 seconds by 2031 (Cybersecurity Ventures, 2022)
• In a recent survey of 500 CEOs, 18% said cybersecurity risk is the largest threat to their organization’s growth through 2024, up from 10% in 2020 (KPMG, 2021)

On the positive side, there is a growing awareness of cybersecurity risk.

• Global spending on security awareness training for employees will reach $10 billion by 2027 (Cybersecurity Ventures, 2022)
• Gartner predicts that 40% of company boards will have a dedicated cybersecurity committee by 2025 (Gartner, 2021) and that by 2024, 75% of CEOs will be personally liable for cybersecurity incidents (Gartner, 2020)

These statistics are probably low because cybercrime is typically undercounted; most are never reported due to organizational embarrassment, fear of brand damage, and the belief that law enforcement can’t do anything to help. Some experts estimate as few as 10% of cybercrimes are reported. (Cybersecurity Ventures, 2022)

As more and more SMBs evolve digitally, cybersecurity becomes more important. On average, 72% of any organizations’ customer interactions are digital (MuleSoft, 2022) and that means the likelihood of being a target for cybercriminals increases. It doesn’t matter if your organization has, uses, or creates data – just being a business that a cybercriminal can target is enough to put you at risk.

Another significant area of cyber risk are your third-party relationships. More and more organizations are being asked by their partners to prove cybersecurity systems are in place before filling out RFPs or RFQs or engaging in business with them. Marketing agencies, accounting and payroll firms, payment processors, and software platforms are being told to become cyber secure or risk losing business.

Cyber threats are increasing every day and organizations of all sizes and in all industries are at risk of ransomware attacks, malware infections, insider threats, and data breaches.

Your organization has 2 options: 1) be proactive and protect yourself before it happens, or, 2) be reactive and remediate the damage when it happens.

Are you confident in your current cyber risk strategy and execution?
If you’d like to have a confidential conversation with one of our cybersecurity experts to improve your security posture, we’re here to help.

About Fortress: 
Fortress Security Risk Management protects companies from the financial, operational, and emotional ravages of cybercrime by enhancing the performance of their people, processes, and technology.  

Offering a robust co-managed solution to enhance an internal IT team’s capability and capacity, Fortress features a full suite of managed security services (SOC, patching, EDR, backups) plus specialized services like Cybersecurity-as-a-Service, Incident Response including disaster recovery & remediation, M&A cyber due diligence, GRC advisory, identity & access management, threat management, vulnerability assessments, and technical testing. With headquarters in Cleveland, Fortress supports companies with both domestic and international operations. 

In Case of Emergency: 
Cyber Attack Hotline: 888-207-0123 | Report an Attack: IR911.com  

For Preventative and Emergency Resources, please visit: 
RansomwareClock.org

The post I’m Not a Target for Cybercrime. Or Am I? appeared first on Fortress SRM.

With many customers still recovering from the impact of the ongoing pandemic, MSPs have become a vital part of the success of businesses worldwide. MSPs not only empower organizations to leverage intricate technologies but also help them keep a strict focus on their core business goals without straining their budgets.

The annual MSP 500 list is divided into three sections: the MSP Pioneer 250, recognizing companies with business models weighted toward managed services and largely focused on the SMB market; the MSP Elite 150, recognizing large, data center-focused MSPs with a strong mix of on- and off-premises services; and the Managed Security 100, recognizing MSPs focused primarily on off-premises and cloud-based security services.

Fortress was selected for their approach to full-spectrum cybersecurity in combination with working with world-class tools, all while leading their clients to a more secure future.

“In addition to having to adjust their own business operations to account for the changed conditions during the pandemic, MSPs have also seen increased demand for their managed communications, collaboration and security services,” said Blaine Raddon, CEO of The Channel Company. “The solution providers on our 2022 MSP 500 list deserve credit for their innovative and game-changing approaches to managed services in these unpredictable times, as well as their ability to optimize operational efficiencies and systems without straining IT budgets.”

“Fortress is honored to be included in CRN’s MSP 500 list,” says Andy Jones, CEO of Fortress, “We have been working hard for our clients and look forward to continuing to secure more organizations in 2022.” 

The MSP 500 list can be found in the February 2022 issue of CRN and online at www.crn.com/msp500

The post Fortress Recognized in the Security 100 Category on CRN’s 2022 MSP 500 List appeared first on Fortress SRM.