
Cloud Security for Business: What You’re Responsible For and What You’re Not

Written by Jessie Barr

29/04/2026

Most UK businesses are now running at least part of their operations in the cloud, whether that’s Microsoft 365 for email and productivity, Azure for hosting, or a combination of cloud-based applications. The security benefits of well-managed cloud environments are real: enterprise-grade infrastructure, automatic updates, and built-in redundancy that most businesses couldn’t afford to replicate on-premise.

But cloud migration doesn’t transfer all security responsibility to the provider. Understanding exactly where Microsoft’s responsibility ends and yours begins is one of the most important (and most misunderstood) aspects of cloud security for business.

 

 

 

The Shared Responsibility Model

 

Every major cloud provider, including Microsoft, operates on what’s known as the shared responsibility model. The principle is straightforward: the cloud provider secures the infrastructure, and the customer secures what they put in it.

In practice, for businesses using Microsoft 365 and Azure, this means:

Microsoft is responsible for: Physical data centre security, network infrastructure, the availability of the platform, and the security of the underlying hardware and software that runs its services.

Your business is responsible for: The data you store in the cloud, who has access to it, how it’s configured, the devices used to access it, and the identities and accounts your employees use to log in.

This is where many businesses are unknowingly exposed. Assuming that because data is stored with Microsoft it is therefore secured by Microsoft leads to gaps — particularly around access controls, account security, and data governance — that attackers actively exploit.

Identity Is the New Perimeter

 

In a traditional on-premise IT environment, security was largely built around the network — if you were inside the office network, you were generally trusted. Cloud environments don’t work that way. With data accessible from anywhere, on any device, identity becomes the primary security boundary.

This makes securing user accounts and access controls the most critical aspect of cloud security for most businesses. Key measures include:

Multi-Factor Authentication (MFA) — Enforcing MFA across all Microsoft 365 and Azure accounts is the single highest-impact security measure available to most businesses. A compromised password alone is not enough to access an MFA-protected account, which blocks the vast majority of credential-based attacks.

Conditional Access — Microsoft Entra ID’s Conditional Access policies allow businesses to define rules governing when and how accounts can be accessed. Blocking logins from unexpected countries, requiring compliant devices, or enforcing additional verification for sensitive applications are all achievable through Conditional Access without impacting legitimate users significantly.

Privileged Identity Management — Admin accounts represent the highest-value targets for attackers. Limiting who holds admin privileges, requiring justification for elevated access, and using just-in-time access for administrative tasks reduces the blast radius if an account is compromised.

Regular Access Reviews — Permissions accumulate over time. Former employees, changed roles, and legacy projects can all leave access rights in place long after they’re needed. Regular reviews of who has access to what — particularly in SharePoint, Teams, and Azure — are an essential housekeeping task.

Common Cloud Security Misconfigurations

 

Misconfiguration is one of the leading causes of cloud data breaches. The flexibility that makes cloud environments powerful also means there are many settings that can be configured insecurely, often without anyone realising. Common examples in Microsoft 365 and Azure include:

Overly permissive sharing settings — SharePoint and OneDrive can be configured to allow external sharing with anyone who has a link. For many businesses, this setting is broader than intended and creates unnecessary exposure.

Unreviewed guest access — Microsoft Teams allows external guest users to be added to teams and channels. Without regular review, former suppliers, contractors, or clients may retain access to internal conversations and files long after the relationship has ended.

Default Microsoft 365 security settings — Microsoft’s default configurations are designed for broad compatibility, not maximum security. Businesses that haven’t reviewed and tightened their security settings are likely running with less protection than their Microsoft 365 licence actually provides.

Exposed Azure resources — Virtual machines, storage accounts, and databases deployed in Azure without proper network security group rules or access restrictions can be discoverable and accessible from the public internet.
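The exposed-resources check above can be automated. The following is an added example, not code from this article or from Microsoft: it scans network security group rules for inbound Allow rules that open management or database ports to any internet source. It assumes the field names that `az network nsg list -o json` emits; the sample NSGs, the port list and the function names are constructed for illustration.

```python
# Added example: flag NSG rules that expose management/data ports to the internet.
# SAMPLE_NSGS is constructed data in the shape of `az network nsg list -o json`.
SAMPLE_NSGS = [
    {"name": "nsg-web", "securityRules": [
        {"name": "allow-https", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "*", "destinationPortRange": "443"},
        {"name": "allow-rdp", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    ]},
    {"name": "nsg-db", "securityRules": [
        {"name": "allow-mgmt", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "0.0.0.0/0",
         "destinationPortRanges": ["22", "1400-1500"]},
        {"name": "office-ssh", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    ]},
]

INTERNET_SOURCES = {"*", "0.0.0.0/0", "internet"}  # spellings of "any source"
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "SQL Server", 445: "SMB"}

def port_in_spec(spec, port):
    """True if an NSG port spec ("*", "22" or "1400-1500") covers `port`."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return spec.isdigit() and int(spec) == port

def exposed_rules(nsgs):
    """Return (nsg, rule, port, service) for inbound Allow rules open to the internet."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules", []):
            if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
                continue
            sources = [rule.get("sourceAddressPrefix")] + (rule.get("sourceAddressPrefixes") or [])
            if not any(s and s.lower() in INTERNET_SOURCES for s in sources):
                continue
            specs = [rule.get("destinationPortRange")] + (rule.get("destinationPortRanges") or [])
            for port, service in SENSITIVE_PORTS.items():
                if any(s and port_in_spec(s, port) for s in specs):
                    findings.append((nsg["name"], rule["name"], port, service))
    return findings

if __name__ == "__main__":
    for finding in exposed_rules(SAMPLE_NSGS):
        print(finding)
```

The check looks at each rule in isolation and ignores rule priority, so a finding still needs confirming against any higher-priority Deny rule in the same group.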

Data Protection and UK GDPR in the Cloud

 

Migrating to the cloud doesn’t change your obligations under UK GDPR — it changes how you fulfil them. Key considerations include:

Data residency — Microsoft’s UK data centres mean that data stored in Microsoft 365 and Azure can be kept within the UK and EU, supporting compliance with data sovereignty requirements. However, this needs to be explicitly configured rather than assumed.

Data classification and governance — Knowing what sensitive data you hold, where it’s stored in your cloud environment, and who can access it is a prerequisite for both compliance and security. Microsoft Purview provides data classification and governance capabilities within Microsoft 365 that help businesses maintain this visibility.

Breach response — UK GDPR requires notification of certain breaches to the ICO within 72 hours. Having monitoring and alerting in place to detect unusual activity — such as large volumes of data being downloaded or shared externally — is essential for meeting this obligation.

Monitoring and Threat Detection

 

Cloud environments generate significant volumes of log and activity data. Without tools to analyse it, security incidents can go undetected for extended periods. Microsoft 365 Defender and Microsoft Sentinel provide threat detection and response capabilities that help businesses identify and respond to suspicious activity across their Microsoft cloud environment — from unusual sign-in patterns to potential data exfiltration.
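To make the "large volumes of data being downloaded or shared externally" signal from the breach response point and the detection described above concrete, here is an added example that is not part of the original article or any Microsoft tool: a sliding-window count per user over exported audit records. It assumes records carry the `CreationTime`, `UserId` and `Operation` fields of the Microsoft 365 unified audit log; the window, threshold, sample records and function names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations treated as "data leaving": downloads and anonymous sharing links.
WATCHED_OPS = {"FileDownloaded", "AnonymousLinkCreated"}
WINDOW = timedelta(minutes=10)  # assumed tuning value
THRESHOLD = 5                   # assumed; kept low so the sample triggers

def _rec(user, op, hhmm):
    """Build one constructed audit record (not real tenant data)."""
    return {"CreationTime": f"2026-04-29T{hhmm}:00", "UserId": user,
            "Operation": op, "Workload": "SharePoint"}

SAMPLE_RECORDS = (
    [_rec("alice@example.com", "FileDownloaded", f"09:0{m}") for m in range(6)]
    + [_rec("bob@example.com", "FileDownloaded", f"{h:02d}:30") for h in range(9, 14)]
    + [_rec("carol@example.com", "FileAccessed", f"10:1{m}") for m in range(8)]
)

def find_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (time threshold was first reached, events in window)}."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    alerts = {}
    ordered = sorted(records, key=lambda r: datetime.fromisoformat(r["CreationTime"]))
    for rec in ordered:
        if rec["Operation"] not in WATCHED_OPS:
            continue
        ts = datetime.fromisoformat(rec["CreationTime"])
        events = recent[rec["UserId"]]
        events.append(ts)
        while ts - events[0] > window:  # drop events older than the window
            events.popleft()
        if len(events) >= threshold and rec["UserId"] not in alerts:
            alerts[rec["UserId"]] = (rec["CreationTime"], len(events))
    return alerts

if __name__ == "__main__":
    for user, (when, count) in find_bursts(SAMPLE_RECORDS).items():
        print(f"{user}: {count} watched events within {WINDOW} by {when}")
```

In the sample, only the user with five downloads inside ten minutes is flagged; the same number of downloads spread across a working day, and ordinary file access, are not.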

For businesses without an in-house security team, these tools are most effective when managed by a provider with the expertise to configure them correctly and respond to alerts appropriately.

Getting Your Microsoft Cloud Security Right

 

The gap between what Microsoft 365 and Azure can provide from a security perspective and what most businesses actually have configured is significant. Closing that gap doesn’t require a large budget — it requires proper configuration, ongoing management, and an understanding of where the risks lie.

At Via Wire, we configure and manage Microsoft 365 and Azure security for businesses of all sizes, covering identity management, Conditional Access, security monitoring, and compliance configuration. Get in touch today to discuss your cloud security requirements.
