A central hub of Azure cloud migration services and tools to discover, assess, and migrate workloads to the cloud.
- Pre-Migration (preparation & planning)
  - Discovery & Assessment Security
    - Use Azure Migrate Appliance with least-privilege accounts to collect metadata.
    - Encrypt any exported assessment data at rest and in transit.
    - Ensure the appliance has no inbound connectivity; it only communicates outbound to Azure.
  - Credentials & Access Control
    - Store migration tool credentials in Azure Key Vault, not in scripts or config files.
    - Use Just-In-Time (JIT) access and role-based access control (RBAC) for migration accounts.
    - Enforce Multi-Factor Authentication (MFA) for migration admins.
  - Baseline Security Checks
    - Patch on-prem servers before migration to reduce vulnerabilities.
    - Remove unused software/services to minimize attack surface.
    - Audit and clean up unnecessary privileged accounts.
- Migration (lift-and-shift process)
  - Network Security
    - Use encrypted VPN or ExpressRoute to connect on-premises to Azure; avoid unencrypted public endpoints.
    - Implement Network Security Groups (NSGs) to restrict traffic to migration appliances and destination VMs.
  - Data Protection
    - Enable disk encryption (BitLocker / Azure Disk Encryption) for migrated VHDs.
    - Use storage encryption (Azure Storage Service Encryption) when staging VMs in Azure.
    - Verify that replication traffic uses TLS 1.2 or higher.
  - Identity & Access Management
    - Use Managed Identities for automation tasks (where possible) instead of service accounts with stored credentials.
    - Ensure conditional access policies are in place if you're synchronizing with Entra ID.
- Post-Migration (hardening & ongoing security)
  - Post-Migration Hardening
    - Revalidate firewall and NSG rules to follow least privilege.
    - Use Azure Bastion for secure VM access instead of exposing RDP/SSH to the internet.
    - Remove any temporary migration accounts or agents not needed post-migration.
  - Monitoring & Threat Protection
    - Enable Microsoft Defender for Cloud for workload security recommendations.
    - Turn on Azure Monitor / Log Analytics to capture logs from migrated VMs.
    - Configure security alerts and integrate with SIEM (Microsoft Sentinel, Splunk, etc.).
  - Data Security
    - Re-encrypt disks with Azure-managed or customer-managed keys (CMK).
    - Store sensitive secrets in Azure Key Vault, not in migrated config files.
    - Review compliance with frameworks (CIS, NIST, ISO) as required.
  - Identity & Compliance
    - Integrate VMs with Entra ID join or hybrid join for central control.
    - Apply Conditional Access and Privileged Identity Management (PIM) for admin accounts.
    - Review audit logs to ensure no sensitive data was exposed during migration.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
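As an added example (not part of the answer above), here is a small post-migration check for the "revalidate NSG rules" and "do not expose RDP/SSH to the internet" points: it walks NSG rules in priority order and reports inbound Allow rules that open 22 or 3389 to any internet-wide source prefix unless an earlier Deny shadows them. The input is a constructed sample shaped like `az network nsg list -o json` (only the fields the check reads); the rule names and NSG names are made up.

```python
import json

MGMT_PORTS = (22, 3389)                    # SSH, RDP
INTERNET = {"*", "internet", "0.0.0.0/0"}  # source prefixes that mean "anyone"


def _ports(rule):
    return (rule.get("destinationPortRanges") or []) + [rule.get("destinationPortRange") or ""]


def _sources(rule):
    prefixes = (rule.get("sourceAddressPrefixes") or []) + [rule.get("sourceAddressPrefix") or ""]
    return {p.lower() for p in prefixes}


def covers(port_range, port):
    """True if an NSG port range ("22", "3000-4000", "*") includes the port."""
    if port_range == "*":
        return True
    if not port_range:
        return False
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def find_exposed_mgmt_rules(nsgs):
    """Return (nsg, rule, port) for each management port an inbound Allow rule
    opens to the internet. NSG rules match lowest priority number first, so an
    earlier Deny on the same port/source shadows a later Allow. Protocol is
    ignored here (approximation: a TCP-only Deny is treated as shadowing)."""
    findings = []
    for nsg in nsgs:
        rules = sorted(nsg["securityRules"], key=lambda r: r["priority"])
        for port in MGMT_PORTS:
            for rule in rules:
                if (rule["direction"] == "Inbound" and _sources(rule) & INTERNET
                        and any(covers(p, port) for p in _ports(rule))):
                    if rule["access"] == "Allow":
                        findings.append((nsg["name"], rule["name"], port))
                    break  # first matching rule decides for this port
    return findings


# Constructed sample input (shape of `az network nsg list -o json`, trimmed to the fields read above).
SAMPLE_NSGS = json.loads("""[
 {"name": "web-nsg", "securityRules": [
   {"name": "allow-rdp", "priority": 100, "direction": "Inbound", "access": "Allow",
    "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
   {"name": "allow-web", "priority": 110, "direction": "Inbound", "access": "Allow",
    "sourceAddressPrefix": "*", "destinationPortRanges": ["80", "443"]}]},
 {"name": "app-nsg", "securityRules": [
   {"name": "deny-mgmt", "priority": 100, "direction": "Inbound", "access": "Deny",
    "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3389"]},
   {"name": "allow-all", "priority": 200, "direction": "Inbound", "access": "Allow",
    "sourceAddressPrefix": "*", "destinationPortRange": "*"}]}
]""")

if __name__ == "__main__":
    for nsg, rule, port in find_exposed_mgmt_rules(SAMPLE_NSGS):
        print(f"{nsg}: rule '{rule}' allows port {port} from the internet")
```

On a real subscription, feed it the output of `az network nsg list -o json`; anything it reports is a candidate for replacing with Azure Bastion plus a Deny rule.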