What is Azure Safeguards? (also: AzSafeguard)


Azure Safeguards is a team within Microsoft that writes software to improve the general security and protection of Azure machines. The team’s main focus lies on preventing, discovering, and minimizing the impact of cyber-attacks to and from Azure.

The team gets involved in the following scenarios:

  • An Azure machine is being attacked by an external source
  • An Azure machine shows an aggressive behaviour towards an external target/several external targets
  • An Azure machine seems to be attacked by/seems to be attacking another machine within Microsoft Azure

If your machine is either the target or the source of an attack you will receive a “red e-mail” with details on what is going on.

  • Some of the information that led to the conclusion that Azure Safeguards made will be shared
  • Azure Safeguards may give you a list of recommendations that you can implement to make your machine more secure
  • If your machine is the source of an attack, a deadline will be set by which the problem should be resolved

Is this deadline a hard deadline?

If you do not respond to Azure Safeguards and the traffic pattern does not change, they will potentially deactivate your deployment. This means that they will initiate a shutdown process. You can then always restart your deployment, once you are confident the issue is resolved.

In many cases the deployment is a production deployment and needs to stay online. You can ask for extra time to resolve the issue by responding to the e-mail.

What do I do next?

The first question to ask is “Is the behaviour shown something that could occur naturally on this machine?”. If the answer to this question is “Yes”, it may make sense to tell Azure Safeguards about this so an exception can be added in their logic. You may be required to provide a detailed subscription of what a “normal traffic pattern” for your VM looks like.

If the answer is “No”, then a security problem is very likely.

You can try to improve the general security of your VM. The recommendation – however – is to build a new – secure – VM and transfer your workload across. (Once the VM is compromised it will usually be a laborious task to find out exactly how it got compromised and how all traces of the security problem can be removed. Building a new VM with better security is usually quicker.)

Do you know about Azure Security Centre?

Especially if you are running a large number of virtual machines, then Azure Security Centre can help a great deal in monitoring the security status of your infrastructure.

The security centre feature is easy to enable. Simply search for “Security Center” (spelling does not change in localised versions of the portal) in the portal and enable the service for your subscription.

It can take several hours for the feature to become active across your whole infrastructure.

The security centre then shows you security risks across your infrastructure. This goes from missed critical updates to RDP brute force attempts.

Azure Security Center
Azure Security Center