Last Updated on May 15, 2026 by Arnav Sharma
In October 2023, the NSA and CISA published a joint advisory detailing the most common cybersecurity misconfigurations they observed during red team assessments and network defence operations across large organisations, including critical infrastructure. The list was not theoretical. It was drawn from real penetration tests and incident response engagements across some of the most security-conscious environments in the world.
Two years later, the same misconfigurations remain the dominant attack surface in enterprise environments. This is not a failure of awareness. It is a failure of execution, and for Azure environments specifically, it is a failure of architecture.
This article covers each misconfiguration with Azure-specific context, the Defender for Cloud control that detects it, and the remediation that actually sticks.
Why Misconfigurations Dominate the Threat Landscape
The Cloud Security Alliance has ranked misconfiguration and inadequate change control as the greatest threat to cloud environments for two consecutive years. Gartner has predicted that 99% of all cloud security failures are the customer’s fault, not the cloud provider’s.
IBM’s Cost of a Data Breach Report 2024 puts a number on it: cloud misconfiguration is responsible for 15% of all data breaches, on par with phishing, at an average breach cost of $4.88 million. CrowdStrike’s 2025 Global Threat Report found that valid account abuse is the top initial access vector, enabled in nearly every case by a misconfiguration in identity or access management rather than a vulnerability exploit.
The practical implication is that misconfiguration remediation has a higher return on security investment than almost any other control category, because it directly removes the conditions that enable the most common attack paths.
Misconfiguration 1: Default Credentials and Configurations
The NSA and CISA advisory lists default credentials as the most frequently exploited misconfiguration across enterprise networks. This covers factory-set passwords on network devices, default service accounts with unchanged credentials in Active Directory, and default configurations in cloud services that prioritise ease of use over security.
In Azure environments, this manifests most commonly as:
- Storage accounts with public blob access enabled (before November 2023, new storage accounts allowed public blob access by default)
- Azure SQL databases with SQL authentication enabled alongside Entra ID authentication, with the SQL admin password set to a predictable pattern
- Default network security group (NSG) rules that allow inbound traffic on broad port ranges
Microsoft Defender for Cloud’s foundational CSPM detects storage accounts with public access enabled and SQL instances without Entra-only authentication. The remediation is policy enforcement at the Management Group level using Azure Policy deny effects, not point-in-time fixes that drift back to default over time.
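To make the deny-effect remediation concrete, the following is an added example (not code from this article or from Microsoft) that evaluates an Azure Policy rule the way the policy engine would, against a few constructed storage account resources. The rule mirrors the shape of the built-in "Storage accounts should prevent blob public access" definition and uses the real alias Microsoft.Storage/storageAccounts/allowBlobPublicAccess; only the condition operators that rule needs are implemented, and the resource records are constructed. The point worth noticing is the account that never set the property at all: it is denied too, which is what closes the pre-November-2023 default.

```python
"""Evaluate an Azure Policy rule with a deny effect against storage account resources.

Added example; not code from the article or from Microsoft. The policy rule
mirrors the shape of the built-in "Storage accounts should prevent blob public
access" definition and uses the real alias
Microsoft.Storage/storageAccounts/allowBlobPublicAccess. Only the condition
operators this rule needs are implemented; the sample resources are constructed.
"""
from typing import Any

# Alias -> path inside the resource JSON. Only the two aliases this example needs.
ALIASES = {
    "type": ("type",),
    "Microsoft.Storage/storageAccounts/allowBlobPublicAccess": ("properties", "allowBlobPublicAccess"),
}

# Deny any storage account whose allowBlobPublicAccess is not explicitly false.
# A resource that omits the property also matches, which is exactly the
# pre-November-2023 default the article describes.
PUBLIC_BLOB_DENY = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"not": {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "equals": "false"}},
        ]
    },
    "then": {"effect": "deny"},
}

_MISSING = object()  # sentinel for "property absent from the resource"


def resolve(resource: dict, alias: str) -> Any:
    """Walk the resource JSON along the alias path; return _MISSING if any step is absent."""
    node: Any = resource
    for key in ALIASES[alias]:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def _norm(value: Any) -> str:
    # Azure Policy compares 'equals' values as case-insensitive strings, so a
    # JSON boolean false and the string "false" compare equal.
    return str(value).lower()


def evaluate(condition: dict, resource: dict) -> bool:
    """Recursively evaluate an 'if' condition (allOf / anyOf / not / field equals)."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = resolve(resource, condition["field"])
    if "equals" in condition:
        return value is not _MISSING and _norm(value) == _norm(condition["equals"])
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(policy: dict, resource: dict) -> str:
    """Effect the policy applies to the resource, or 'none' when the 'if' block does not match."""
    return policy["then"]["effect"] if evaluate(policy["if"], resource) else "none"


SAMPLE_RESOURCES = [  # constructed resources, not real accounts
    {"name": "stlegacy01", "type": "Microsoft.Storage/storageAccounts", "properties": {}},  # property never set
    {"name": "stpublic02", "type": "Microsoft.Storage/storageAccounts", "properties": {"allowBlobPublicAccess": True}},
    {"name": "stlocked03", "type": "Microsoft.Storage/storageAccounts", "properties": {"allowBlobPublicAccess": False}},
    {"name": "kv-prod", "type": "Microsoft.KeyVault/vaults", "properties": {}},  # other types are never denied
]


def denied_names(resources=SAMPLE_RESOURCES) -> list:
    """Names of resources the deny policy would reject at deployment time."""
    return [r["name"] for r in resources if effect_for(PUBLIC_BLOB_DENY, r) == "deny"]


if __name__ == "__main__":
    for r in SAMPLE_RESOURCES:
        print(f"{r['name']:<12} -> {effect_for(PUBLIC_BLOB_DENY, r)}")
```

Assigned at Management Group scope with the deny effect, a rule of this shape rejects the deployment before the account exists, so there is nothing to drift back; an audit effect on the same rule only produces the Defender for Cloud recommendation.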
Misconfiguration 2: Improper Separation of Privileges
Excessive privilege is the misconfiguration that converts a compromised account into a catastrophic incident. The NSA advisory specifically called out flat privilege structures where large numbers of accounts hold administrative rights that are not required for their function.
In Azure, this translates directly to three patterns: Global Administrator accounts used for day-to-day administration, service principals with Owner or Contributor rights at subscription scope rather than the minimum required scope, and managed identities with subscription-level RBAC assignments when resource group or resource-level assignments are sufficient.
Microsoft Entra Privileged Identity Management (PIM) addresses the human account problem through just-in-time access with approval workflows, time-limited activation, and access reviews. For service principals, the fix is a combination of periodic access reviews in Entra ID and Defender for Cloud’s recommendations for over-permissioned identities.
The metric worth tracking is the ratio of permanent privileged role assignments to PIM-eligible assignments. In a well-configured tenant, permanent Global Administrator assignments should be in the low single digits, with all other privileged access flowing through PIM.
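The following added example (not the article's or Microsoft's code) computes that metric over constructed records and, for the service principal and managed identity patterns above, classifies each RBAC assignment's ARM scope string and flags broad roles held above resource group level. In a real tenant the directory role rows would come from Entra ID role assignments and PIM eligibility schedules and the RBAC rows from Azure role assignments; the field names here are simplified.

```python
"""Review privileged access: permanent vs PIM-eligible directory roles, and
non-human identities holding broad Azure RBAC roles above the scope they need.

Added example; not the article's or Microsoft's code. Records are constructed.
In a real tenant, DirectoryRoleAssignment rows come from Entra ID role
assignments and PIM eligibility schedules, RbacAssignment rows from Azure
RBAC role assignments; the field names here are simplified.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryRoleAssignment:
    principal: str
    role: str
    kind: str  # "permanent" (active, no end date) or "eligible" (activated through PIM)


@dataclass(frozen=True)
class RbacAssignment:
    principal: str
    principal_type: str  # "User", "ServicePrincipal" or "ManagedIdentity"
    role: str
    scope: str  # ARM scope string


BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
SCOPE_ORDER = ["resource", "resourceGroup", "subscription", "managementGroup", "tenant"]


def scope_level(scope: str) -> str:
    """Classify an ARM scope string by how much of the hierarchy it covers."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "tenant"  # "/" is the root scope
    head = parts[0].lower()
    if head == "providers" and len(parts) >= 4 and parts[1].lower() == "microsoft.management":
        return "managementGroup"
    if head != "subscriptions":
        return "unknown"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def pim_ratio(assignments, role="Global Administrator") -> dict:
    """Permanent vs PIM-eligible holders of a directory role: the article's key metric."""
    counts = Counter(a.kind for a in assignments if a.role == role)
    permanent, eligible = counts["permanent"], counts["eligible"]
    return {"permanent": permanent, "eligible": eligible,
            "ratio": permanent / eligible if eligible else float("inf")}


def over_scoped(assignments, max_level="resourceGroup") -> list:
    """Service principals and managed identities with a broad role above max_level."""
    limit = SCOPE_ORDER.index(max_level)
    return sorted(
        f"{a.principal} ({a.role} @ {scope_level(a.scope)})"
        for a in assignments
        if a.principal_type != "User"
        and a.role in BROAD_ROLES
        and scope_level(a.scope) in SCOPE_ORDER
        and SCOPE_ORDER.index(scope_level(a.scope)) > limit
    )


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed subscription id
DIRECTORY_ROLES = [  # constructed
    DirectoryRoleAssignment("breakglass1@contoso.example", "Global Administrator", "permanent"),
    DirectoryRoleAssignment("breakglass2@contoso.example", "Global Administrator", "permanent"),
    DirectoryRoleAssignment("dave@contoso.example", "Global Administrator", "permanent"),
    DirectoryRoleAssignment("alice@contoso.example", "Global Administrator", "eligible"),
    DirectoryRoleAssignment("bob@contoso.example", "Global Administrator", "eligible"),
    DirectoryRoleAssignment("carol@contoso.example", "Global Administrator", "eligible"),
    DirectoryRoleAssignment("erin@contoso.example", "Security Administrator", "eligible"),
]
RBAC = [  # constructed
    RbacAssignment("sp-deploy-pipeline", "ServicePrincipal", "Contributor", SUB),
    RbacAssignment("mi-webapp-prod", "ManagedIdentity", "Contributor", SUB + "/resourceGroups/rg-web-prod"),
    RbacAssignment("sp-backup", "ServicePrincipal", "Owner", "/providers/Microsoft.Management/managementGroups/mg-root"),
    RbacAssignment("mi-func-ingest", "ManagedIdentity", "Storage Blob Data Reader",
                   SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdata01"),
    RbacAssignment("alice@contoso.example", "User", "Owner", SUB),  # human: governed by PIM, not this check
]

if __name__ == "__main__":
    print("Global Administrator:", pim_ratio(DIRECTORY_ROLES))
    for line in over_scoped(RBAC):
        print("over-scoped:", line)
```

Three permanent Global Administrators (two break-glass accounts plus one that should probably become eligible) against three eligible ones is the kind of ratio to trend weekly; the over-scoped list is the input to the service principal access review.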
Misconfiguration 3: Insufficient Internal Network Monitoring
The advisory noted that many enterprise networks lack sufficient visibility into internal east-west traffic, allowing attackers who have established initial access to move laterally without detection for extended periods.
Mandiant’s 2024 incident response data puts the global median dwell time at 11 days. That is 11 days of undetected attacker activity inside the network after initial compromise. In Azure, insufficient monitoring typically means Microsoft Sentinel is deployed but not connected to all relevant data sources, Defender for Cloud alerts are not integrated into the SIEM, or Defender for Endpoint is deployed on servers but not configured to generate process-level telemetry.
The minimum viable monitoring stack for Azure environments is Sentinel with the Microsoft Defender XDR connector, Defender for Cloud with enhanced security features enabled, and diagnostic settings pushing NSG flow logs, Azure Firewall logs, and Key Vault audit logs into a Log Analytics Workspace with sufficient retention. The detection gaps that matter most are lateral movement between Azure VMs, anomalous Key Vault access, and unexpected service principal activity outside business hours.
Misconfiguration 4: Lack of Network Segmentation
Flat network architectures where a compromise in one workload can directly reach any other workload are a persistent finding across enterprise environments. In Azure, this manifests as hub-spoke VNet architectures with missing or overly permissive peering rules, or worse, all workloads deployed in a single VNet with no subnet-level NSG controls.
The Azure Well-Architected Framework’s security pillar explicitly recommends network segmentation using Azure Firewall Premium for inter-spoke traffic inspection, combined with Application Security Groups (ASGs) to replace IP-based NSG rules with identity-based rules that follow resources even as they scale.
For organisations running Azure Virtual Network Manager, the security admin rules feature provides centralised, non-overridable NSG policies that apply across all VNets in a management group, closing the governance gap where individual teams deploy workloads without applying baseline segmentation controls.
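As an added example (not the article's or Microsoft's code), the script below audits a constructed NSG rule set for inbound rules open to the Internet on wide port ranges and resolves which rule actually decides a given flow, priority order included. The three 65000+ entries mirror the default inbound rules Azure puts in every NSG; the rest are hypothetical. Service tags are approximated ("Internet" as any non-private address, "VirtualNetwork" as any private address) and protocol is ignored, which is a simplification. The last case is the one that matters for segmentation: once the broad rules are gone, a private-to-private flow on any port is still allowed by AllowVnetInBound, which is why subnet-level NSGs or Azure Firewall between spokes are needed rather than a clean-up of Internet rules alone.

```python
"""Audit NSG inbound rules for Internet-wide exposure and resolve which rule
decides a given flow, including the default rules Azure adds to every NSG.

Added example; not the article's or Microsoft's code. The rules are constructed
in the shape of an ARM securityRules array. The three 65000+ entries mirror
Azure's default inbound rules; the rest are hypothetical. Service tags are
approximated: "Internet" means any non-private address, "VirtualNetwork" means
any private address, and protocol is ignored, which is a simplification.
"""
import ipaddress

INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # address behind the AzureLoadBalancer tag


def _sources(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def port_ranges(rule):
    """Destination ports as a list of (low, high) pairs; '*' means all ports."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ranges = []
    for spec in specs:
        if spec == "*":
            ranges.append((0, 65535))
        elif "-" in spec:
            lo, hi = spec.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(spec), int(spec)))
    return ranges


def ports_covered(rule) -> int:
    return sum(hi - lo + 1 for lo, hi in port_ranges(rule))


def port_matches(rule, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in port_ranges(rule))


def source_matches(rule, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    for prefix in _sources(rule):
        if prefix in ("*", "0.0.0.0/0"):
            return True
        if prefix == "Internet" and not ip.is_private:
            return True
        if prefix == "VirtualNetwork" and ip.is_private:
            return True
        if prefix == "AzureLoadBalancer" and ip == AZURE_LB_PROBE_IP:
            return True
        try:
            if ip in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:
            continue  # a service tag this example does not model
    return False


def broad_inbound_rules(rules, min_ports: int = 1024) -> list:
    """Inbound allow rules open to the Internet on at least min_ports destination ports."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and any(p in INTERNET_SOURCES for p in _sources(r))
            and ports_covered(r) >= min_ports]


def effective_access(rules, src_ip: str, port: int):
    """First matching inbound rule by priority decides; NSGs deny if nothing matches."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] == "Inbound" and source_matches(r, src_ip) and port_matches(r, port):
            return r["access"], r["name"]
    return "Deny", "(implicit)"


NSG_RULES = [  # constructed
    {"name": "allow-any-inbound", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "allow-ssh-bastion", "priority": 200, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.0.255.0/27", "destinationPortRange": "22"},
    {"name": "allow-web-internet", "priority": 300, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "allow-ephemeral-any", "priority": 400, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "1024-65535"},
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def hardened_rules(rules=NSG_RULES) -> list:
    """The same rule set with the broad Internet-facing allow rules removed."""
    drop = set(broad_inbound_rules(rules))
    return [r for r in rules if r["name"] not in drop]


if __name__ == "__main__":
    print("broad rules:", broad_inbound_rules(NSG_RULES))
    for ip, port in (("8.8.8.8", 3389), ("10.0.255.5", 22), ("10.0.1.5", 3389)):
        print(f"{ip}:{port} ->", effective_access(NSG_RULES, ip, port),
              "| hardened:", effective_access(hardened_rules(), ip, port))
```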
Misconfiguration 5: Poor Patch Management
Unpatched vulnerabilities are not new on any misconfiguration list, but the NSA advisory noted that poor patch management remains prevalent even in organisations with dedicated security teams, primarily because patch coverage is incomplete rather than absent.
In Azure, Defender for Cloud’s vulnerability assessment (powered by Qualys or Microsoft Defender Vulnerability Management) provides continuous assessment of Azure VMs, container images, and connected on-premises servers via Azure Arc. The Defender for Cloud secure score includes specific recommendations for critical and high-severity CVEs on compute resources.
The operational gap is not usually detection. It is the change management process that converts a vulnerability finding into a deployed patch within an acceptable window. Organisations running Azure Update Manager can enforce compliance policies that require critical patches to be applied within defined SLA windows, with non-compliant resources flagged for escalation.
Misconfiguration 6: Bypass of System Access Controls
The advisory highlighted techniques attackers use to bypass access controls, including abuse of trusted relationships, exploitation of multi-factor authentication gaps, and use of valid credentials obtained through phishing or credential theft.
In Azure, the specific control gap is Conditional Access policy coverage. Many organisations have Conditional Access policies that apply to interactive browser-based sign-ins but do not cover legacy authentication protocols, service-to-service authentication flows, or access from Entra ID-joined devices that are not compliant with Intune policies.
The audit query to run against Entra ID sign-in logs filters to legacy authentication protocols over the past 30 days. Any successful sign-ins using Basic Auth, SMTP AUTH, or IMAP represent a bypass path that Conditional Access MFA requirements do not cover.
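The following added example (not the article's or Microsoft's code) implements that audit and, for the monitoring gap described under Misconfiguration 3, the "service principal activity outside business hours" detection, both run over constructed sign-in records. The records borrow a few column names from the Entra ID SigninLogs and AADServicePrincipalSignInLogs tables; the reference time, the 30-day window, the business hours and the AEST offset are assumptions to tune per tenant.

```python
"""Two detections in the spirit of the Sentinel queries the article describes,
run over constructed sign-in records: successful legacy-protocol sign-ins in the
last 30 days (the Conditional Access bypass audit) and service principal sign-ins
outside business hours.

Added example; not the article's or Microsoft's code. The records are constructed
and borrow a few column names from the Entra ID SigninLogs and
AADServicePrincipalSignInLogs tables. The reference time, the 30-day window,
the business hours and the AEST offset are assumptions to tune per tenant.
"""
from datetime import datetime, time, timedelta, timezone

# ClientAppUsed values Entra ID reports for legacy (non-modern) authentication
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "Exchange ActiveSync", "IMAP4", "POP3", "Other clients"}
BUSINESS_TZ = timezone(timedelta(hours=10))        # assumption: tenant operates on AEST
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
NOW = datetime(2026, 5, 15, tzinfo=timezone.utc)  # assumed reference time for the 30-day window


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def legacy_auth_successes(records, now=NOW, days=30) -> list:
    """UPNs with at least one successful legacy-protocol sign-in in the window."""
    since = now - timedelta(days=days)
    return sorted({
        r["UserPrincipalName"] for r in records
        if r["ClientAppUsed"] in LEGACY_CLIENT_APPS
        and r["ResultType"] == "0"                  # 0 = success; anything else is a failure code
        and parse_ts(r["TimeGenerated"]) >= since
    })


def is_business_hours(ts: datetime) -> bool:
    local = ts.astimezone(BUSINESS_TZ)
    return local.weekday() < 5 and BUSINESS_START <= local.time() < BUSINESS_END


def sp_off_hours(records) -> list:
    """Successful service principal sign-ins outside business hours, oldest first."""
    hits = [(r["ServicePrincipalName"], r["TimeGenerated"]) for r in records
            if r["ResultType"] == "0" and not is_business_hours(parse_ts(r["TimeGenerated"]))]
    return sorted(hits, key=lambda h: h[1])


SIGNIN_LOGS = [  # constructed; shape approximates SigninLogs
    {"TimeGenerated": "2026-05-10T02:15:00Z", "UserPrincipalName": "finance-shared@contoso.example",
     "ClientAppUsed": "IMAP4", "ResultType": "0"},
    {"TimeGenerated": "2026-05-12T09:30:00Z", "UserPrincipalName": "alice@contoso.example",
     "ClientAppUsed": "Browser", "ResultType": "0"},
    {"TimeGenerated": "2026-05-13T11:00:00Z", "UserPrincipalName": "scanner@contoso.example",
     "ClientAppUsed": "Authenticated SMTP", "ResultType": "50126"},  # failed: not a bypass
    {"TimeGenerated": "2026-03-01T11:00:00Z", "UserPrincipalName": "old-app@contoso.example",
     "ClientAppUsed": "POP3", "ResultType": "0"},  # outside the 30-day window
    {"TimeGenerated": "2026-05-14T23:45:00Z", "UserPrincipalName": "svc-legacy@contoso.example",
     "ClientAppUsed": "Exchange ActiveSync", "ResultType": "0"},
]
SP_SIGNIN_LOGS = [  # constructed; shape approximates AADServicePrincipalSignInLogs
    {"TimeGenerated": "2026-05-13T03:00:00Z", "ServicePrincipalName": "sp-deploy-pipeline", "ResultType": "0"},  # 13:00 AEST Wed
    {"TimeGenerated": "2026-05-13T16:30:00Z", "ServicePrincipalName": "sp-backup", "ResultType": "0"},           # 02:30 AEST Thu
    {"TimeGenerated": "2026-05-16T04:00:00Z", "ServicePrincipalName": "sp-deploy-pipeline", "ResultType": "0"},  # 14:00 AEST Sat
]

if __name__ == "__main__":
    print("legacy auth bypass candidates:", legacy_auth_successes(SIGNIN_LOGS))
    print("service principal off-hours:", sp_off_hours(SP_SIGNIN_LOGS))
```

In Sentinel the first rule is the KQL `SigninLogs | where TimeGenerated > ago(30d) and ResultType == "0" and ClientAppUsed in ("Authenticated SMTP", "Exchange ActiveSync", "IMAP4", "POP3", "Other clients") | summarize count() by UserPrincipalName, ClientAppUsed`; the failed SMTP attempt in the sample is deliberately excluded because a blocked sign-in is evidence the control works, not of a bypass.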
Misconfiguration 7: Weak or Misconfigured MFA
MFA is not binary. The NSA advisory distinguished between organisations with no MFA and organisations with MFA implementations that are bypassable through SIM swapping, real-time phishing proxies (Evilginx-style tools), or push notification fatigue attacks.
Microsoft’s own Entra ID telemetry showed that phishing-resistant MFA (FIDO2 security keys or certificate-based authentication) reduces account compromise risk to near zero for covered accounts, while SMS-based MFA reduces risk by approximately 76% compared to password-only authentication. The 76% figure sounds strong until you consider that SMS MFA is regularly bypassed in targeted attacks.
The migration path in Azure is Entra ID’s Authentication Methods policies, which allow targeted rollout of FIDO2 or certificate-based authentication to privileged accounts before broader deployment. Conditional Access Authentication Strengths allows enforcement of phishing-resistant MFA for specific applications, starting with Azure portal, Entra ID, and any application handling sensitive data.
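To plan that targeted rollout, the added example below (not the article's or Microsoft's code) classifies constructed accounts by the strongest authentication strength their registered methods can satisfy, splits the accounts still lacking a phishing-resistant method into a privileged-first wave and a second wave, and exposes the gate that says when the Conditional Access authentication strength can be switched to enforce for privileged roles without locking an administrator out. The method identifiers follow the names Entra ID uses for registered methods but are an assumption; users and role memberships are constructed.

```python
"""Plan the phishing-resistant MFA rollout the article describes: privileged
accounts first, everyone else afterwards, and a gate that says when a
phishing-resistant authentication strength can be enforced without locking
administrators out.

Added example; not the article's or Microsoft's code. The method identifiers
follow the names Entra ID uses for registered methods (fido2SecurityKey,
microsoftAuthenticatorPush, mobilePhone, ...) but are an assumption; users and
role memberships are constructed.
"""
from collections import Counter

# Methods the built-in "Phishing-resistant MFA" authentication strength accepts
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness", "x509Certificate"}
# Methods that satisfy plain MFA but are bypassable by real-time phishing proxies,
# push fatigue or SIM swapping
WEAK_SECOND_FACTOR = {"microsoftAuthenticatorPush", "softwareOneTimePasscode", "mobilePhone"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Security Administrator"}


def strength(methods) -> str:
    """Strongest authentication strength an account can currently satisfy."""
    registered = set(methods)
    if registered & PHISHING_RESISTANT:
        return "phishing-resistant"
    if registered & WEAK_SECOND_FACTOR:
        return "mfa"
    return "password-only"


def is_privileged(user, privileged=PRIVILEGED_ROLES) -> bool:
    return bool(set(user["roles"]) & privileged)


def rollout_waves(users, privileged=PRIVILEGED_ROLES) -> dict:
    """Accounts still needing a phishing-resistant method, split into rollout waves."""
    pending = [u for u in users if strength(u["methods"]) != "phishing-resistant"]
    return {
        "wave1_privileged": sorted(u["upn"] for u in pending if is_privileged(u, privileged)),
        "wave2_everyone_else": sorted(u["upn"] for u in pending if not is_privileged(u, privileged)),
    }


def can_enforce_for_privileged(users, privileged=PRIVILEGED_ROLES) -> bool:
    """True once every privileged account has a phishing-resistant method registered,
    i.e. the Conditional Access authentication strength can be switched to enforce."""
    return not rollout_waves(users, privileged)["wave1_privileged"]


def posture(users) -> dict:
    """Count of accounts per strength, the number to trend during the rollout."""
    return dict(Counter(strength(u["methods"]) for u in users))


USERS = [  # constructed
    {"upn": "alice@contoso.example", "roles": ["Global Administrator"],
     "methods": ["microsoftAuthenticatorPush", "fido2SecurityKey"]},
    {"upn": "bob@contoso.example", "roles": ["Global Administrator"], "methods": ["mobilePhone"]},
    {"upn": "carol@contoso.example", "roles": ["Security Administrator"], "methods": ["microsoftAuthenticatorPush"]},
    {"upn": "dave@contoso.example", "roles": [], "methods": ["mobilePhone"]},
    {"upn": "erin@contoso.example", "roles": ["Billing Administrator"], "methods": []},
    {"upn": "frank@contoso.example", "roles": ["Privileged Role Administrator"], "methods": ["x509Certificate"]},
]

if __name__ == "__main__":
    print(posture(USERS))
    print(rollout_waves(USERS))
    print("enforce for privileged:", can_enforce_for_privileged(USERS))
```

Bob is the case the 76% figure hides: a Global Administrator whose only second factor is SMS passes an MFA check and still sits in the first rollout wave.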
Misconfiguration 8: Insufficient Access Control Lists on Network Shares and Services
Over-permissive access to internal file shares and services enables attackers who have established a foothold to access sensitive data without needing to escalate privileges. In Azure, this translates to Azure Files shares with permissions set at the storage account level rather than per share, Azure Blob containers with container-level public access enabled, and Key Vaults accessible from all VNets rather than specific private endpoints.
Microsoft Purview’s data map can discover and classify sensitive data across Azure Storage, SQL, and other data services, identifying where sensitive data is stored without appropriate access controls. The remediation priority order is: disable public access at the storage account level first, then apply private endpoints for storage and Key Vault, then review and tighten RBAC assignments at the resource level.
Misconfiguration 9: Poor Credential Hygiene
The advisory noted that credentials stored in plaintext, in code repositories, in configuration files accessible to overly broad audiences, and in browser-stored password caches represent one of the highest-yield targets for attackers post-initial-access.
In Azure DevOps and GitHub Actions pipelines, hardcoded secrets in pipeline YAML files, ARM templates, or Terraform configurations are a common finding. Microsoft Defender for DevOps (part of Defender for Cloud) scans Azure DevOps and GitHub repositories for exposed secrets and IaC misconfigurations before deployment. Azure Key Vault with managed identity authentication is the correct pattern: applications reference Key Vault at runtime rather than holding credentials in their own configuration.
Entra ID’s credential assessment feature within Identity Secure Score identifies accounts with passwords that have not been changed recently, accounts without password expiry policies, and service accounts with long-lived credentials that should be migrated to managed identities.
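The added example below (not the article's code and not Defender for DevOps) shows the class of check a pre-deployment secret scan performs over pipeline YAML and Terraform text, and how it lets the correct pattern through: Key Vault references, pipeline variables and Terraform Key Vault data sources are treated as references, not secrets. The patterns are heuristics (assumptions): storage keys as 88-character base64, Entra app client secrets as 37/40-character strings with a "7Q~"/"8Q~" marker after the third character, and generic password/secret assignments. The sample files and every secret-looking value in them are constructed fakes.

```python
"""Scan pipeline and IaC text for hardcoded Azure secrets while letting
Key Vault references and pipeline variables through, the pattern the article
recommends.

Added example; not the article's code and not Defender for DevOps. The patterns
are heuristics (assumptions): storage keys as 88-character base64, Entra app
client secrets as 37/40-character strings with a "7Q~"/"8Q~" marker after the
third character, and generic password/secret assignments. The sample files and
every secret-looking value in them are constructed fakes.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    kind: str


SPECIFIC_PATTERNS = {
    "azure-storage-key": re.compile(
        r"AccountKey=[A-Za-z0-9+/]{86}==|(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{86}==(?![A-Za-z0-9+/=])"),
    "entra-client-secret": re.compile(
        r"(?<![A-Za-z0-9_~.-])[A-Za-z0-9_~.]{3}[78]Q~[A-Za-z0-9_~.-]{31,34}(?![A-Za-z0-9_~.-])"),
}
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret)\s*[\"']?\s*[:=]\s*[\"']?(?P<value>[^\s\"']{8,})")
# Values that are references to a secret store, not secrets: Key Vault
# references, Azure Pipelines / GitHub Actions variables, Terraform data sources.
SAFE_REFERENCE = re.compile(r"^(\$\(|\$\{\{|\$\{|@Microsoft\.KeyVault\(|data\.azurerm_key_vault_secret\.)")


def scan_text(name: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        specific = [kind for kind, pat in SPECIFIC_PATTERNS.items() if pat.search(line)]
        for kind in specific:
            findings.append(Finding(name, lineno, kind))
        if specific:
            continue  # do not double-report the same value under the generic rule
        for m in GENERIC_ASSIGNMENT.finditer(line):
            if not SAFE_REFERENCE.match(m.group("value")):
                findings.append(Finding(name, lineno, "literal-password"))
                break
    return findings


def scan_all(files) -> list:
    return [f for name, text in files.items() for f in scan_text(name, text)]


FAKE_STORAGE_KEY = "A" * 86 + "=="         # constructed, not a real key
FAKE_CLIENT_SECRET = "abc8Q~" + "x" * 34   # constructed, not a real secret
SAMPLE_FILES = {  # constructed
    "azure-pipelines.yml": "\n".join([
        "steps:",
        "  - script: ./deploy.sh",
        "    env:",
        "      AZURE_CLIENT_ID: $(client-id)",
        "      AZURE_CLIENT_SECRET: $(client-secret)",         # pipeline variable: fine
        "      LEGACY_CLIENT_SECRET: " + FAKE_CLIENT_SECRET,   # hardcoded: finding
    ]),
    "main.tf": "\n".join([
        'resource "azurerm_mssql_server" "db" {',
        '  administrator_login          = "sqladmin"',
        '  administrator_login_password = "Winter2026!"',      # literal: finding
        "}",
        'resource "azurerm_linux_web_app" "web" {',
        "  app_settings = {",
        "    DB_PASSWORD  = data.azurerm_key_vault_secret.db.value",  # reference: fine
        '    STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=stdata01;AccountKey='
        + FAKE_STORAGE_KEY + ';EndpointSuffix=core.windows.net"',      # key in connection string: finding
        "  }",
        "}",
    ]),
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f.file}:{f.line}: {f.kind}")
```

Run as a pipeline gate, a non-empty finding list fails the build; the connection string case is the one that most often slips through reviews because the key is buried inside a longer, legitimate-looking setting.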
Misconfiguration 10: Unrestricted Code Execution
The final misconfiguration on the NSA list covers environments where code execution is unrestricted, either because application control policies are absent, because PowerShell execution policies are set to unrestricted, or because users have local administrator rights that allow arbitrary code installation.
In Azure, this translates to VM configurations that allow unrestricted PowerShell execution without script block logging, Azure App Services running without application control or WAF integration, and Azure Kubernetes Service (AKS) pods running as root without PodSecurity admission controls.
Defender for Cloud’s adaptive application controls use machine learning to build allowlists of legitimate processes running on Azure VMs and Azure Arc-connected servers, then alert on deviations. For AKS, the Azure Policy add-on for Kubernetes enforces pod security standards that prevent privileged containers, host namespace access, and other high-risk execution configurations.
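The following added example (not the article's code and not the add-on's own implementation) reimplements, as a stand-alone checker, the class of rules the Azure Policy add-on enforces for AKS: the checks behind the Kubernetes "restricted" Pod Security Standard, including the "pod running as root" case the article names. The two manifests are constructed dictionaries in the shape of parsed pod YAML, one in the privileged debug-shell pattern and one rewritten to pass.

```python
"""Check pod manifests against the checks behind the Kubernetes "restricted"
Pod Security Standard: the same class of rules the Azure Policy add-on for
Kubernetes enforces on AKS through admission control.

Added example; not the article's code and not the add-on's own implementation.
The manifests are constructed dictionaries in the shape of parsed pod YAML.
"""


def _effective(pod: dict, container: dict, key: str):
    """securityContext at container level overrides the pod-level value."""
    csc = container.get("securityContext") or {}
    psc = pod["spec"].get("securityContext") or {}
    return csc[key] if key in csc else psc.get(key)


def violations(pod: dict) -> list:
    """Human-readable list of restricted-profile violations; empty means admissible."""
    spec = pod["spec"]
    out = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            out.append(f"spec.{flag}=true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            out.append(f"volume {vol['name']} uses hostPath")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name = c["name"]
        csc = c.get("securityContext") or {}
        if csc.get("privileged"):
            out.append(f"{name}: privileged")
        if _effective(pod, c, "runAsNonRoot") is not True:
            out.append(f"{name}: runAsNonRoot must be true")
        if csc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in (csc.get("capabilities") or {}).get("drop", []):
            out.append(f"{name}: capabilities.drop must include ALL")
        seccomp = _effective(pod, c, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out


def admit(pod: dict) -> bool:
    return not violations(pod)


ROOT_DEBUG_POD = {  # constructed: the "runs as root, privileged" pattern
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox", "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {  # constructed: a workload written to the restricted profile
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "web", "image": "example.azurecr.io/web:1.0", "securityContext": {
            "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (ROOT_DEBUG_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", "admit" if admit(pod) else "reject", violations(pod))
```

Note the override rule in `_effective`: a pod-level runAsNonRoot can be undone by a single container's securityContext, so a checker (and an admission policy) has to evaluate the effective value per container rather than the pod spec alone.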
The Secure Score as a Misconfiguration Dashboard
Microsoft Defender for Cloud’s secure score is a useful operational metric precisely because it maps directly to the misconfiguration categories above. A secure score below 70% on a production Azure subscription indicates that multiple high-severity misconfigurations are present that an attacker could use to establish initial access, move laterally, or exfiltrate data.
The score is not a compliance checkbox. It is a continuously updated signal of configuration drift. Organisations that establish a baseline secure score and then track weekly changes have an early warning system for misconfigurations introduced through new deployments, infrastructure changes, or policy drift. Governance pipelines that block deployments failing Defender for Cloud security assessments are the architectural pattern that prevents the misconfiguration problem from recurring after each remediation cycle.
I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
Frequently Asked Questions
According to the joint advisory from NSA and CISA, the top 10 cybersecurity misconfigurations are: default configurations, unrestricted code execution, misconfigured service accounts, inadequate network segmentation, weak authentication mechanisms, poor patch management, insufficient logging and monitoring, improper data protection, lack of secure development practices, and insufficient incident response planning. These misconfigurations represent the most common vulnerabilities that malicious actors exploit to compromise organizational security.
Default configurations often come with disabled security features and default credentials that are widely known or easily accessible to attackers. While these settings are convenient for initial setup, they pose significant risks if not altered, as malicious actors can easily exploit them to gain unauthorized access to systems and networks.
Weak or outdated authentication mechanisms, such as not enforcing smart cards or tokens, can lead to easy breaches. Implementing strong, multi-factor authentication helps prevent unauthorized access by requiring multiple forms of verification, significantly strengthening an organization's security posture against credential-based attacks.
Failing to properly segment networks allows attackers to move laterally across the network once they gain initial access, increasing the scope of potential damage. Well-defined security boundaries are essential to contain breaches and limit an attacker's ability to spread throughout the organization.
Secure-by-design is a proactive approach where software manufacturers integrate security controls into product architecture during the development phase rather than adding them afterward. This practice reduces vulnerabilities from the outset and helps minimize the prevalence of misconfigurations, leading to more secure products for customers and a more secure cyber environment overall.