Identify and mitigate risks early during planning for a seamless migration
Why security matters in migration
Migrating to the cloud is not only about speed and cost efficiency; it's also about building a secure foundation on Azure. As organizations move workloads to Azure, security often slips down the priority list, overshadowed by migration tasks and timelines. But here’s the truth: addressing security risks early in your migration strategy not only prevents costly surprises but also strengthens compliance, reduces risk exposure, and instills confidence across your business. A proactive approach ensures your cloud journey is smooth, secure, and future-ready.
That’s why we introduced Insights (preview) in Azure Migrate, to help you identify security risks before they become roadblocks during the migration journey.
What are Insights?
Security Insights in Azure Migrate provides an integrated dashboard that surfaces potential risks in your on-premises environment during migration planning. Here are the key capabilities:
- Identify Windows and Linux servers running an end-of-support operating system or end-of-support software, or with pending updates, and plan upgrades.
- Detect vulnerabilities in discovered software and take action to remediate risks.
- Identify unprotected servers without security or patch management software.
- Explore multiple security tools in the datacenter and plan to consolidate with Microsoft Defender for Cloud and Azure Update Manager.
How are Insights derived?
Azure Migrate identifies potential security risks in your datacenter using software inventory data collected through the Azure Migrate appliance discovery process. When you run a discovery of your on-premises environment, you usually provide guest credentials for your Windows and Linux servers. This allows the tool to collect information about installed software, operating system configuration, and pending updates. Azure Migrate processes this data to generate key security insights without needing additional credentials or permissions.
Azure Migrate does not install additional agents or run a deep scan of your environment. Security insights are limited to the software and operating system data discovered through the Azure Migrate appliance's quick discovery. Azure Migrate analyzes the collected software inventory and cross-references it with publicly available vulnerability and support-lifecycle databases to highlight security risks in your datacenter.
Security risks are derived through the following analyses:
- End-of-support software: Azure Migrate checks the versions of discovered software against the publicly available endoflife.date repository. If software is found to be end-of-support, it is flagged as a security risk. Identifying unsupported software early helps you plan upgrades or mitigations as part of your cloud migration.
- Vulnerabilities: Azure Migrate identifies the installed software and operating system (OS) for each server. It maps the discovered software and OS against the publicly available National Vulnerability Database (NVD), maintained by NIST, to identify vulnerabilities. Each vulnerability is categorized by risk level (Critical, High, Medium, Low) based on the CVSS score provided by NVD. You can take appropriate action to remediate risks for a secure migration.
- Pending updates for servers: Azure Migrate identifies machines that are not fully patched or updated based on Windows Update metadata for Windows servers and Linux package manager metadata for Linux servers. It also retrieves the classification of these updates (Critical, Security, Other updates) and shows them for further consideration.
- Missing security and patch management software: Azure Migrate classifies software by processing its name and publisher into predefined categories and sub-categories. It identifies unprotected servers whose software inventory contains no Security & Compliance software. For example, if the software inventory shows a server with no software in categories such as antivirus, threat detection, SIEM, IAM, or patch management, Azure Migrate flags the server as a potential security risk. By identifying fragmentation in security software across the datacenter, you can plan consolidation with Azure security services.
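The four analyses above, carried out over a constructed software inventory as an added illustration (this is not Azure Migrate's code): the lifecycle dates, vulnerability records, and category keywords are invented stand-ins for the endoflife.date and NVD data the service consults, while the severity thresholds are NVD's published CVSS v3.x rating ranges.

```python
from dataclasses import dataclass, field
from datetime import date
@dataclass
class Server:
    name: str
    software: list  # (name, publisher, version) tuples as collected by guest discovery
    pending_updates: dict = field(default_factory=dict)  # update classification -> count

# Constructed lifecycle table standing in for endoflife.date records (dates invented).
EOL_DATES = {("Contoso DB", "9"): date(2023, 6, 30), ("Contoso DB", "10"): date(2028, 6, 30)}
# Constructed vulnerability records standing in for NVD entries (ids and scores are placeholders).
NVD_RECORDS = {("Contoso DB", "9"): [("CVE-PLACEHOLDER-1", 9.8), ("CVE-PLACEHOLDER-2", 5.3)]}
# Constructed name keywords for the Security & Compliance sub-categories named in the text.
CATEGORY_KEYWORDS = {"antivirus": ("antivirus", "endpoint protection"), "threat detection": ("edr", "threat"),
                     "SIEM": ("siem",), "IAM": ("identity", "iam"), "patch management": ("patch", "update manager")}

def cvss_severity(score: float) -> str:
    """Qualitative rating per NVD's published CVSS v3.x ranges."""
    if score >= 9.0: return "Critical"
    if score >= 7.0: return "High"
    if score >= 4.0: return "Medium"
    return "Low" if score > 0.0 else "None"

def end_of_support(server: Server, today: date) -> list:
    # Flag software whose lifecycle end date has already passed.
    return [f"{n} {v}" for n, _, v in server.software
            if (n, v) in EOL_DATES and EOL_DATES[(n, v)] < today]

def vulnerabilities(server: Server) -> dict:
    counts = dict.fromkeys(("Critical", "High", "Medium", "Low", "None"), 0)
    for n, _, v in server.software:
        for _, score in NVD_RECORDS.get((n, v), []):
            counts[cvss_severity(score)] += 1
    return counts

def missing_security_categories(server: Server) -> list:
    # Categories with no installed software matching a keyword (a coarse approximation).
    names = " ".join(n.lower() for n, _, _ in server.software)
    return [c for c, kws in CATEGORY_KEYWORDS.items() if not any(k in names for k in kws)]

def analyze(server: Server, today: date) -> dict:
    pend = server.pending_updates
    return {"end_of_support": end_of_support(server, today),
            "vulnerabilities": vulnerabilities(server),
            "pending_critical_or_security": pend.get("Critical", 0) + pend.get("Security", 0),
            "missing_security_categories": missing_security_categories(server)}

# Constructed sample server: one end-of-support database and one antivirus product installed.
SAMPLE = Server("app-srv-01", [("Contoso DB", "Contoso", "9"), ("Fabrikam Antivirus", "Fabrikam", "4.2")],
                {"Critical": 2, "Security": 5, "Other updates": 11})
```

Running `analyze(SAMPLE, date(2025, 1, 1))` flags the database as end-of-support with one Critical and one Medium vulnerability, seven Critical or Security updates pending, and four security categories with no installed product.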
Note: Security insights in Azure Migrate help guide you by highlighting potential security risks in the datacenter. They are not meant to be compared with specialized security tools. We recommend adopting Azure services such as Microsoft Defender for Cloud and Azure Update Manager for comprehensive protection of your hybrid environment.
Let's get started
Use appliance-based discovery in Azure Migrate to review Insights. Ensure guest discovery features are enabled on the appliance(s). It might take up to 24 hours after discovery to generate Insights. Go to the Azure Migrate portal and create a new project or select an existing project. Visit Explore inventory > Insights (preview) to get a summary of the security risks across Servers and Software. Explore the documentation and demo video for detailed guidance and start assessing and mitigating security risks during migration planning.