Every cloud environment we audit has the same gaps. Not in the fancy services, but in the basics. Identity is too permissive. Networking is flat. Resources have no tags. Cost management is an afterthought.
Identity comes first
Before you deploy anything, get your identity right. Microsoft Entra ID (formerly Azure AD) with conditional access, privileged identity management, and RBAC scoped to the narrowest possible level. Not “Owner on the subscription.”
Networking is security
A flat network with public endpoints is not a cloud architecture. It is a risk. Hub-spoke topologies, private endpoints, network security groups, and DNS resolution all need to be designed before workloads land.
Tag everything
If a resource does not have an environment, owner, and cost-centre tag, you cannot manage it. You cannot report on cost, you cannot enforce governance, and you cannot clean up when the project ends.
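One way to turn the three mandatory tags into something the platform enforces rather than a convention people forget. This is an added example, not the author's own code: an Azure Policy definition that denies creation of any taggable resource missing an environment, owner, or cost-centre tag (the tag names are the ones named above; the display name and description are assumed).

```json
{
  "properties": {
    "displayName": "Require environment, owner and cost-centre tags",
    "description": "Denies creation of taggable resources that lack any of the three mandatory tags.",
    "mode": "Indexed",
    "parameters": {},
    "policyRule": {
      "if": {
        "anyOf": [
          { "field": "tags['environment']", "exists": "false" },
          { "field": "tags['owner']", "exists": "false" },
          { "field": "tags['cost-centre']", "exists": "false" }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assign it at management-group or subscription scope, and run it with `"effect": "audit"` first so you can see what existing deployments would be blocked before switching to deny. `Indexed` mode covers resources that support tags but skips resource groups; a second definition in `All` mode is needed if resource groups must carry the same tags.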
FinOps is not optional
Set up Azure Cost Management on day one. Create budgets, set alerts, and review spend weekly. Right-size VMs, use reserved instances for predictable workloads, and delete what you are not using.
These are not exciting topics. But they are the foundation that everything else depends on.
