Physical storage itself is encrypted and in addition to that drives due for replacement are securely utilized with methods that are NIST 800-88 compliant
Azure Services have built-in multi-level mechanisms that ensure isolation of access to client resources
- the Supervised Entity against unauthorized access by other users (including other "malicious" clients of the service). In addition, mechanisms are implemented notifying you of any attempt to access between client environments. Mechanisms are also used to safeguard the availability of resources for clients and to block excessive resource allocation.
A description of the mechanisms used is available here >>>