Description
Key Focus Areas:
Zero Trust Security Architecture
Identity & Privileged Access Governance
Network Segmentation & Traffic Control
SIEM & Security Operations Integration
Conditional Access Engineering
JIT & PIM Privileged Access
Executive Summary
Architected a Zero Trust enterprise security architecture on Microsoft Azure, integrating identity governance, privileged access management, centralised network control, workload protection, and security monitoring into a unified security control plane.
The architecture establishes an identity-first security model leveraging Microsoft Entra ID Conditional Access, Privileged Identity Management (PIM), Azure Firewall with hub-and-spoke network topology, NSG-based micro-segmentation, Just-in-Time VM access, and Microsoft Sentinel — reducing attack surface, eliminating standing privileged access, and strengthening enterprise-wide security governance across hybrid environments.
The design aligns with NIST SP 800-207 Zero Trust Architecture guidance and CIS Controls v8, demonstrating how identity-driven security architectures can function as centralised enterprise security control planes for modern hybrid cloud environments.
Business Drivers
Traditional perimeter-based security models treat the network boundary as the primary trust boundary — assuming that traffic inside the perimeter is implicitly trustworthy. Modern enterprise environments with cloud infrastructure, remote workforces, and SaaS platforms have rendered this model operationally obsolete and increasingly dangerous.
This architecture was designed to address the security governance requirements of organisations where legacy perimeter-based approaches result in:
Excessive standing administrative privileges creating persistent high-value attack targets for credential-based attacks
Weak identity governance controls failing to enforce consistent authentication strength and access policy across resources
Inconsistent network segmentation enabling lateral movement between workloads following initial compromise
Limited centralised monitoring visibility preventing detection of identity abuse, privilege escalation, and lateral movement
Poor auditability of privileged administrative activities creating compliance exposure and forensic gaps
Difficulty aligning operational security controls with compliance frameworks including NIST, CIS, and ISO 27001
Fragmented security operations across identity, network, and workload domains preventing correlated threat detection
Operational Constraints
The architecture was designed to operate within the following constraints typical of hybrid enterprise environments:
Administrative access workflows must preserve operational flexibility — JIT access models must not create excessive friction for legitimate administrative operations
Security controls require centralised governance without introducing architectural complexity that reduces operational manageability
Network segmentation must balance workload isolation against application connectivity requirements — over-segmentation creates operational disruption
Hybrid and distributed workloads require consistent policy enforcement regardless of workload location
Monitoring capabilities require centralised telemetry correlation across identity, network, and workload domains simultaneously
Access management processes must minimise disruption to operational teams during adoption
Security controls must support audit and compliance requirements with minimal manual reporting effort
Objectives
Enforce identity-first security across all enterprise resources — identity replaces network location as the primary trust boundary
Eliminate standing privileged administrative access through Just-in-Time elevation and time-bound role assignments
Implement centralised network traffic governance through a hub-and-spoke architecture with Azure Firewall as the inspection control plane
Enable workload micro-segmentation through NSG-based east-west traffic controls
Reduce lateral movement exposure through layered segmentation and workload isolation
Strengthen visibility across identity, network, and workload security domains through centralised SIEM integration
Align the platform with NIST SP 800-207 Zero Trust Architecture and CIS Controls v8
Deliver an audit-ready enterprise security architecture with comprehensive logging and governance traceability
Architecture Principles
Identity as the primary security perimeter — network location is not a trust signal
Least-privilege operational access enforced across all administrative and service account roles
Just-in-Time administrative elevation eliminating standing privilege exposure
Centralised traffic inspection and governance through a single firewall control plane
Layered segmentation combining macro-level network isolation and workload-level micro-segmentation
Continuous monitoring and telemetry correlation across all security domains
Defense-in-depth enforcement — no single control is relied upon exclusively
Policy-driven access control through Conditional Access and Azure Policy guardrails
Auditability and compliance by design — every privileged action and access decision is logged
Architecture Overview
The solution is structured as a four-layer Zero Trust security control plane integrating identity governance, network segmentation, workload protection, and centralised security monitoring.
1. Identity Governance Layer
The identity governance layer establishes identity as the primary enterprise security perimeter through Microsoft Entra ID Conditional Access policies and Privileged Identity Management.
Conditional Access Policy Design
Conditional Access policies enforce context-aware access decisions at every authentication event — replacing implicit network-based trust with explicit identity, device, and risk-based verification.
| Policy Name | Conditions | Grant Controls |
|---|---|---|
| Require MFA — All Users | All cloud apps, all users | Require MFA |
| Block Legacy Authentication | Legacy auth protocols | Block access |
| Require Compliant Device — Privileged Access | Azure portal, admin consoles | Require Intune-compliant device |
| Location-Based Access Restriction | Outside named trusted locations | Require MFA + require compliant device |
| High-Risk Sign-In Response | Entra ID Identity Protection risk: High | Require MFA + require password change |
| Block Unmanaged Devices — Sensitive Apps | Sensitive workload applications | Require Hybrid Azure AD joined or compliant device |
Conditional Access policies establish identity as the enforcement point for every access decision — regardless of whether the request originates from inside or outside the corporate network.
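As an added example (not part of the original design document), the following Python model shows how Entra ID combines the six policies in the table at a single sign-in: every policy whose conditions match is enforced, a Block outcome wins outright, and otherwise the grant controls of all matched policies must be satisfied together. The app names in `ADMIN_CONSOLES` and `SENSITIVE_APPS` are assumed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Assumed app inventory scoping policies 3 and 6 (placeholders, not from the page).
ADMIN_CONSOLES = {"Azure portal", "Entra admin center"}
SENSITIVE_APPS = {"HR-Payroll"}


@dataclass
class SignIn:
    """Context available to Entra ID at one authentication event."""
    app: str
    legacy_auth: bool = False        # legacy protocol that cannot satisfy MFA
    trusted_location: bool = True    # inside a named trusted location
    risk: str = "none"               # Identity Protection sign-in risk level
    compliant_device: bool = False   # Intune-compliant device
    hybrid_joined: bool = False      # Hybrid Azure AD joined device
    mfa_satisfied: bool = False      # MFA claim present in the session
    password_changed: bool = False   # user completed a secure password change


@dataclass
class Policy:
    name: str
    applies: Callable[[SignIn], bool]   # the policy's assignments/conditions
    block: bool = False                 # grant control "Block access"
    require_all: Tuple[str, ...] = ()   # controls that must all be met
    require_any: Tuple[str, ...] = ()   # controls of which one must be met


def control_met(s: SignIn, control: str) -> bool:
    return {"mfa": s.mfa_satisfied, "compliant_device": s.compliant_device,
            "password_change": s.password_changed,
            "hybrid_joined": s.hybrid_joined}[control]


# The six policies from the table above, encoded as assignment + grant control.
POLICIES: List[Policy] = [
    Policy("Require MFA - All Users", lambda s: True, require_all=("mfa",)),
    Policy("Block Legacy Authentication", lambda s: s.legacy_auth, block=True),
    Policy("Require Compliant Device - Privileged Access",
           lambda s: s.app in ADMIN_CONSOLES, require_all=("compliant_device",)),
    Policy("Location-Based Access Restriction", lambda s: not s.trusted_location,
           require_all=("mfa", "compliant_device")),
    Policy("High-Risk Sign-In Response", lambda s: s.risk == "high",
           require_all=("mfa", "password_change")),
    Policy("Block Unmanaged Devices - Sensitive Apps",
           lambda s: s.app in SENSITIVE_APPS,
           require_any=("hybrid_joined", "compliant_device")),
]


def evaluate(s: SignIn) -> Tuple[str, List[str], Set[str]]:
    """Return (outcome, matched policy names, controls still unmet).

    Entra ID does not pick one policy: every policy whose conditions match is
    enforced. A Block from any matched policy wins; otherwise the session must
    satisfy the union of all matched grant controls before a token is issued.
    """
    matched: List[str] = []
    unmet: Set[str] = set()
    blocked = False
    for p in POLICIES:
        if not p.applies(s):
            continue
        matched.append(p.name)
        blocked |= p.block
        unmet.update(c for c in p.require_all if not control_met(s, c))
        if p.require_any and not any(control_met(s, c) for c in p.require_any):
            unmet.add(" or ".join(p.require_any))
    if blocked:
        return "block", matched, set()
    return ("grant" if not unmet else "require"), matched, unmet
```

An administrator opening the Azure portal from outside a trusted location, for instance, matches three policies at once and must present both MFA and a compliant device before any token is issued.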
Privileged Identity Management (PIM)
PIM eliminates standing privileged role assignments — replacing permanent administrative access with Just-in-Time elevation workflows that activate privileges only when required and for defined durations.
Just-in-Time role activation requiring explicit request and business justification before privilege is granted
Approval workflows routing high-impact role activations through a designated approver before access is provided
Time-bound privilege assignments automatically expiring after defined activation windows (typically 1–4 hours)
Comprehensive privileged access audit trail capturing every activation request, approval decision, and role usage event
Eligible vs active role separation — administrators hold eligible assignments that require activation rather than permanent active assignments
PIM and JIT VM Access — Complementary Controls
PIM governs identity-layer privilege elevation — controlling who can activate Azure RBAC roles (e.g. Contributor, Security Admin) within the Azure management plane. JIT VM Access governs infrastructure-layer access — controlling when management ports (RDP, SSH) are exposed on specific virtual machines. Together they enforce privilege governance at both the identity and infrastructure layers: PIM ensures the right role is activated, JIT ensures the right port is opened, both for the minimum required duration.
2. Network Control Plane
The networking architecture is built on a hub-and-spoke topology with Azure Firewall as the centralised traffic inspection and governance control plane.
Hub-and-Spoke Network Topology
The hub VNet hosts centralised security services — Azure Firewall, management infrastructure, and jumpbox resources. Spoke VNets host workload subnets, connected to the hub through VNet peering with traffic routed through the central firewall.
Hub VNet — Subnet Architecture
| Subnet | Purpose | Traffic Control |
|---|---|---|
| AzureFirewallSubnet | Azure Firewall deployment | Centralised ingress/egress inspection |
| ManagementSubnet | Administrative infrastructure | Restricted inbound — management only |
| JumpboxSubnet | Secure administrative access point | Inbound from management subnet only |
Spoke VNet — Subnet Architecture
| Subnet | Purpose | Traffic Control |
|---|---|---|
| WorkloadSubnet | Application workloads | East-west restricted via NSG |
| DataSubnet | Data tier workloads | Isolated — application subnet only |
Azure Firewall
Centralised ingress and egress inspection for all hub-and-spoke traffic flows
Application rule collections enforcing FQDN-based outbound access control
Network rule collections enforcing IP and port-based traffic policies
IDPS (Intrusion Detection and Prevention System) for threat-aware traffic inspection
Centralised firewall policy management enabling consistent rule enforcement across the environment
Diagnostic logging to Log Analytics for traffic visibility and threat correlation
Network Security Groups
Subnet-level NSG rules enforcing east-west traffic restrictions between workload tiers
Deny-all default rules with explicit allow rules for required traffic flows only
JIT-compatible NSG rule model — management port rules dynamically added and removed by JIT VM Access workflows
NSG flow logs enabled for network traffic visibility and forensic investigation support
3. Workload Protection Layer
Workload protection capabilities are implemented through Microsoft Defender for Cloud and Just-in-Time VM Access controls.
Microsoft Defender for Cloud
Continuous security posture management across all Azure workloads through Secure Score monitoring
Vulnerability assessment identifying unpatched systems, misconfigured resources, and security recommendation gaps
Workload hardening guidance aligned to CIS benchmark recommendations for Azure VMs and PaaS services
Threat protection alerts for suspicious workload activity, anomalous process execution, and potential compromise indicators
Azure Policy integration enforcing security baseline configurations across workload deployments
Just-in-Time VM Access
Management ports (RDP port 3389, SSH port 22) blocked by default through NSG rules — no standing exposure of administrative access ports
JIT access requests require explicit user request, business justification, and defined access duration
Approved JIT requests dynamically open management ports for the requesting source IP only, for the approved duration only
Automatic port closure after access window expiry — no manual cleanup required
Complete JIT access audit trail capturing every request, approval, access event, and automatic closure
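As an added example (not from the original project), the following Python check audits an NSG's inbound rules against the JIT-compatible model described in the Network Security Groups and Just-in-Time VM Access sections: a custom deny-all must sit below the built-in AllowVnetInBound rule, and any Allow for ports 22 or 3389 must be a per-requester rule rather than a standing open port. The rule dictionaries, names and addresses are constructed sample data using a subset of the NSG resource fields.

```python
from ipaddress import ip_network

MGMT_PORTS = (22, 3389)                       # SSH and RDP, as in the sections above
BROAD_SOURCES = {"*", "Internet", "0.0.0.0/0", "Any"}
PLATFORM_DEFAULT_PRIORITY = 65000             # built-in rules (AllowVnetInBound...) start here


def port_matches(rule, port):
    """True if the rule's destination port range(s) include `port`."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_single_host(prefix):
    """JIT approvals add rules scoped to the requester's address, i.e. a /32."""
    try:
        return prefix not in BROAD_SOURCES and ip_network(prefix).num_addresses == 1
    except ValueError:                        # service tag or ASG name, never a JIT rule
        return False


def audit_inbound(rules):
    """Return findings for one NSG's inbound rules; an empty list matches the model.

    Only customer rules (priority < 65000) are walked; the built-in defaults are
    covered by check 1, since without a custom deny-all the AllowVnetInBound
    default lets every VNet source reach every port. Protocol is ignored here.
    """
    findings = []
    custom = sorted((r for r in rules if r["direction"] == "Inbound"
                     and r["priority"] < PLATFORM_DEFAULT_PRIORITY),
                    key=lambda r: r["priority"])
    # Check 1: an explicit deny-all must exist below the platform defaults.
    if not any(r["access"] == "Deny" and r.get("sourceAddressPrefix") == "*"
               and r.get("destinationPortRange") == "*" for r in custom):
        findings.append("no custom deny-all inbound rule: built-in AllowVnetInBound "
                        "permits east-west traffic on every port")
    # Check 2: per management port, walk rules by priority; the first rule that
    # matches a broad source is the effective rule for an arbitrary client.
    for port in MGMT_PORTS:
        for r in custom:
            if not port_matches(r, port):
                continue
            src = r.get("sourceAddressPrefix", "*")
            if r["access"] == "Allow" and src in BROAD_SOURCES:
                findings.append(f"{r['name']}: allows port {port} from {src} (standing exposure)")
            elif r["access"] == "Allow" and not is_single_host(src):
                findings.append(f"{r['name']}: allows port {port} from {src}, "
                                "a standing range rather than a per-requester JIT rule")
            if src in BROAD_SOURCES:
                break
    return findings


def rule(name, priority, access, src, port):
    """Build a constructed inbound rule using a subset of the NSG resource fields."""
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "sourceAddressPrefix": src, "destinationPortRange": port}


# Constructed sample data (not real NSGs): the platform defaults plus two rule sets.
PLATFORM_DEFAULTS = [rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
                     rule("DenyAllInBound", 65500, "Deny", "*", "*")]
STANDING_EXPOSURE = PLATFORM_DEFAULTS + [rule("AllowRDP", 100, "Allow", "*", "3389")]
JIT_MODEL = PLATFORM_DEFAULTS + [
    rule("JIT-RDP-requester", 100, "Allow", "203.0.113.7/32", "3389"),  # JIT-shaped per-IP rule
    rule("AllowAppTierHttps", 200, "Allow", "10.1.0.0/24", "443"),
    rule("DenyAllInbound", 4096, "Deny", "*", "*"),
]
```

Running `audit_inbound` over each set shows the contrast: the standing-exposure set yields two findings, while the JIT-shaped set with its explicit deny-all yields none.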
4. Monitoring & Detection Layer
Centralised monitoring and detection are implemented through Azure Monitor, Log Analytics, and Microsoft Sentinel — providing unified security visibility across identity, network, and workload domains.
Azure Monitor & Log Analytics
Centralised telemetry collection from all security-relevant sources: Entra ID sign-in and audit logs, Azure Firewall logs, NSG flow logs, Defender for Cloud alerts, VM activity logs
Log Analytics Workspace as the unified security data platform enabling cross-domain query and correlation
Azure Policy diagnostic setting enforcement ensuring all resources consistently forward logs to the central workspace
Microsoft Sentinel
SIEM platform ingesting centralised Log Analytics security telemetry for threat detection and incident correlation
Analytics rules detecting identity abuse patterns, privilege escalation, suspicious network traffic, and workload anomalies
Incident correlation connecting identity events, network alerts, and workload telemetry into unified investigation timelines
SOAR playbooks automating response actions — compromised account containment, anomalous IP blocking, SOC notification
Zero Trust coverage dashboard monitoring policy compliance, Conditional Access effectiveness, and PIM activation patterns
Azure Policy Governance
Policy assignments enforcing security baseline configurations across all deployed resources
Audit and deny policies preventing deployment of non-compliant resources outside defined security standards
Compliance dashboard providing continuous governance visibility and drift detection across the Azure environment
Architecture Diagram

Technologies Used
| Category | Technologies |
|---|---|
| Identity & Governance | Microsoft Entra ID, Conditional Access, Privileged Identity Management (PIM) |
| Network Security | Azure Firewall, Azure Virtual Networks, Network Security Groups, Hub-and-Spoke Topology |
| Workload Protection | Microsoft Defender for Cloud, Just-in-Time VM Access |
| Governance Enforcement | Azure Policy |
| Monitoring & SIEM | Azure Monitor, Log Analytics Workspace, Microsoft Sentinel |
| Automation & Administration | PowerShell, Azure CLI |
| Compliance Frameworks | NIST SP 800-207 Zero Trust Architecture, CIS Controls v8, ISO 27001 |
Key Challenges Addressed
Eliminating standing privileged administrative access — addressed through PIM Just-in-Time role activation, replacing permanent active role assignments with time-bound eligible assignments requiring explicit activation, justification, and approval.
Standardising identity governance across environments — addressed through Conditional Access policies enforcing consistent MFA, device compliance, and risk-based authentication requirements across all cloud applications and administrative consoles.
Designing centralised network controls without operational bottlenecks — addressed through hub-and-spoke topology routing all traffic through Azure Firewall with application and network rule collections that enforce policy without requiring manual per-connection intervention.
Preventing lateral movement between workloads — addressed through subnet-level NSG deny-all defaults with explicit allow rules restricting east-west traffic to required application-tier communication flows only.
Balancing segmentation with application connectivity requirements — addressed through layered rule design combining Azure Firewall application rules for outbound governance and NSG rules for east-west control, allowing legitimate application traffic while blocking unrestricted lateral movement.
Integrating security telemetry across identity, network, and workload domains — addressed through centralised Log Analytics Workspace ingesting diagnostic logs from all security-relevant Azure services, providing a unified data platform for Sentinel-based correlation.
Delivering audit-ready governance controls — addressed through comprehensive PIM audit logging, Conditional Access sign-in logs, Azure Firewall diagnostic logs, NSG flow logs, and JIT access audit trails — all centralised in Log Analytics for consistent audit evidence collection.
Design Decisions & Rationale
PIM over Static RBAC Assignments: Permanent active RBAC role assignments create standing high-value targets — a compromised administrator credential provides immediate unrestricted access to its assigned scope. PIM eliminates this by making privilege elevation an explicit, time-bound, audited action rather than a permanent state. The operational cost — activating a role before performing administrative tasks — is a deliberate friction point that significantly reduces the blast radius of credential compromise.
Hub-and-Spoke Network Topology with Centralised Firewall: Flat network architectures without centralised traffic inspection allow unrestricted lateral movement following initial compromise. Hub-and-spoke topology forces all inter-spoke and external traffic through a central Azure Firewall inspection point — providing consistent traffic governance, centralised logging, and a single policy enforcement boundary across the network estate.
Layered Segmentation — Azure Firewall and NSGs: Azure Firewall and NSGs provide complementary but distinct segmentation capabilities. Azure Firewall governs north-south traffic (internet ingress/egress) and hub-to-spoke routing with application-layer awareness. NSGs enforce east-west micro-segmentation within spoke subnets at the workload level. Neither control alone provides the same depth — the combination enforces both macro-level network governance and workload-level isolation simultaneously.
Conditional Access as Primary Access Enforcement: Network location is no longer a reliable trust signal in hybrid and cloud environments. Conditional Access policies evaluate identity, device health, location, and sign-in risk at every authentication event — enforcing access decisions based on verified context rather than assumed network trust. This positions identity as the new security perimeter, consistent with NIST SP 800-207 Zero Trust principles.
JIT VM Access for Management Port Control: Permanently open RDP and SSH ports on internet-facing or network-accessible VMs represent a persistent attack surface that automated scanners and brute-force tools continuously probe. JIT VM Access eliminates standing port exposure — management ports are closed by default and opened only on-demand for approved source IPs for defined durations. The combination with PIM ensures both the identity-layer role and the infrastructure-layer port are governed through the same JIT access model.
Centralised SIEM Integration Through Sentinel: Security controls operating without centralised telemetry correlation produce isolated alerts that cannot be connected into coherent attack narratives. Sentinel ingests identity, network, and workload telemetry into a unified analytics platform — enabling detection of multi-stage attack chains that would be invisible to individual tool monitoring and providing the SOC visibility required for effective Zero Trust security operations.
Trade-offs & Design Constraints
PIM Activation Friction for Operational Teams: Just-in-Time role activation introduces deliberate friction into administrative workflows — administrators must request, justify, and wait for approval before performing privileged tasks. For organisations with high-frequency administrative operations, this friction can create operational pressure to bypass JIT workflows or configure excessively long activation windows that reduce the security benefit. Change management, clear operational procedures, and appropriately scoped activation windows are essential for successful PIM adoption.
Azure Firewall Cost at Enterprise Scale: Azure Firewall Premium with IDPS capability carries significant hourly cost independent of traffic volume. For organisations with high east-west traffic volumes between spokes, additional data processing costs accumulate. Cost-benefit analysis must weigh centralised inspection capability against traffic-based cost — organisations with predominantly internal east-west traffic patterns should evaluate whether NSG-only micro-segmentation is sufficient for some spoke-to-spoke flows.
Conditional Access Coverage Gaps for Legacy Applications: Conditional Access policies apply to applications integrated with Entra ID through modern authentication protocols. Legacy applications using NTLM, Kerberos, or basic authentication cannot be governed through Conditional Access. Blocking legacy authentication protocols — while essential for security — may break legacy application access for organisations that have not completed modern authentication migration. Legacy application inventory and modernisation planning must precede aggressive legacy authentication blocking.
NSG Rule Complexity at Scale: As workload complexity grows, NSG rule sets expand — creating management overhead and increasing the risk of misconfiguration or rule conflicts. In large environments, NSG rule management through Infrastructure as Code (Bicep, Terraform) and Azure Policy enforcement is essential to maintain rule consistency and prevent configuration drift over time.
Hub-and-Spoke Scalability for High-Throughput Workloads: Routing all inter-spoke traffic through the hub Azure Firewall introduces a potential throughput bottleneck for high-bandwidth workloads. Azure Firewall has defined throughput limits per SKU — Standard (30 Gbps) and Premium (100 Gbps). Organisations with high-throughput workload-to-workload communication should evaluate Azure Virtual WAN with Secured Virtual Hub as an alternative to single-hub-firewall topologies for better throughput scalability.
Projected Outcomes
The architecture is designed to deliver the following operational and security outcomes in a production enterprise environment:
Elimination of standing privileged administrative access through PIM Just-in-Time role activation across all administrative roles
Measurably reduced attack surface through JIT VM Access eliminating standing management port exposure
Improved lateral movement resistance through hub-and-spoke segmentation and NSG-based east-west traffic control
Centralised network traffic governance and inspection through Azure Firewall as the single enforcement control plane
Enhanced security visibility across identity, network, and workload domains through unified Sentinel-based monitoring
Improved threat detection and incident correlation capabilities through cross-domain telemetry aggregation
Alignment with NIST SP 800-207 Zero Trust Architecture and CIS Controls v8 compliance frameworks
Audit-ready enterprise security architecture with comprehensive logging across all privileged access and network traffic events
Future Evolution
User and Entity Behaviour Analytics (UEBA) integration for advanced insider threat and compromised account detection
Automated risk-based Conditional Access policies dynamically adjusting access requirements based on real-time Entra ID Identity Protection risk scores
Azure Virtual WAN migration for improved hub-and-spoke scalability and multi-region connectivity governance
Adaptive micro-segmentation through Azure Network Manager for centralised policy-driven NSG management at scale
Infrastructure as Code governance through Bicep and Azure Policy for consistent, auditable security control deployment
AI-assisted threat detection through Microsoft Security Copilot integration for accelerated incident investigation
Cross-cloud identity federation expansion extending Zero Trust governance to AWS and GCP workloads
Automated compliance reporting and drift detection through Azure Policy compliance dashboards and Defender for Cloud regulatory compliance views
Key Takeaways
Identity governance is the foundational layer of any Zero Trust architecture — network location cannot serve as a trust signal in hybrid and cloud environments
Eliminating standing privileges through PIM Just-in-Time elevation is one of the highest-impact security improvements available for enterprise environments — credential compromise without standing privilege has dramatically reduced blast radius
Layered segmentation combining centralised firewall governance and workload-level NSG micro-segmentation provides depth that neither control achieves independently
Conditional Access engineering requires careful policy design — overly aggressive policies break legitimate workflows, while gaps in policy coverage leave attack surface unaddressed
JIT VM Access and PIM are complementary controls governing different layers of the privilege stack — identity-layer elevation and infrastructure-layer port access should both be governed through JIT models
Centralised SIEM visibility is the operational prerequisite for Zero Trust security operations — controls without telemetry correlation cannot detect multi-stage attacks that traverse identity, network, and workload boundaries
Azure Policy governance guardrails are essential for maintaining Zero Trust security posture at scale — manual configuration governance degrades over time without automated policy enforcement
