What is Microsoft's Secure Future Initiative (SFI)?

Posted: (EET/GMT+2)

 

Microsoft has expanded its Secure Future Initiative, or SFI, which they announced last November with a clear message: security should be prioritized above new features.

SFI was originally launched in November 2023 as a company-wide effort to improve how Microsoft designs, builds, tests, and operates its products and services.

In the May 2024 update, Microsoft says it is expanding the initiative based on lessons from recent security incidents, including Storm-0558 and Midnight Blizzard.

The practical point is that this is not only a security team project. Microsoft describes SFI as applying across the company, including product engineering, operations, identity, infrastructure, and leadership accountability.

For Azure and .NET developers, the interesting part is the direction this sets for the platform. We should expect more security-focused defaults and more pressure to remove older, weaker configuration patterns.

Examples that are already familiar in Azure projects include:

  • using Microsoft Entra ID instead of shared secrets where possible
  • using managed identities for Azure resources
  • requiring multi-factor authentication for administrative access
  • limiting public network access to databases and storage accounts
  • reviewing application permissions instead of granting broad access.

A typical Azure application should avoid storing long-lived secrets in configuration files when managed identity is available.

DefaultAzureCredential credential = new DefaultAzureCredential();

SecretClient client = new SecretClient(
        new Uri("https://myvault.vault.azure.net/"),
        credential);

That pattern lets the hosting environment provide the identity, instead of placing passwords or connection strings directly in the application configuration.

SFI is a good reminder to review deployment templates as well as application code. Many security issues are introduced through infrastructure defaults, not only through C# code.

For example, check whether resources are still publicly reachable:

az storage account show \
    --name mystorageaccount \
    --resource-group myresourcegroup \
    --query allowBlobPublicAccess

Or list role assignments for a resource group:

az role assignment list \
    --resource-group myresourcegroup \
    --output table

Tip: when reviewing older Azure environments, start with identity, secrets, public endpoints, and role assignments. Those usually reveal the most important cleanup work first.

For developers, the takeaway is simple: security work is becoming more visible in everyday platform decisions. Expect defaults, tooling, and documentation to keep moving toward least privilege, stronger identity, and fewer shared secrets.

Good summer reading!