Good high-level overview. I do feel the Azure SQL Database service falls short for a couple of these threats.
- The SQL Server Data Tools in Visual Studio and (I think) SQL Management Studio are NOT set up to encrypt connections by default. It's too easy for someone to connect directly to an Azure-hosted database (e.g. for dev, QA, or support) and forget to encrypt. Whenever we find out about that, we immediately make them change their password, but it just shouldn't be so easy. Encryption should be turned on by default. In fact, I would also suggest the tools should throw up scary warnings if things aren't encrypted.
- Azure SQL databases should support Organizational (O365) accounts alongside local logins. It makes it tough to centralize security when you have to create separate logins with separate passwords on each logical server.
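The first point above is about connections that silently go unencrypted. As an added example (not part of the comment or any Microsoft tooling), here is a small audit that parses SqlClient-style connection strings and flags the two settings that decide whether TLS is actually enforced: `Encrypt` and `TrustServerCertificate`. The sample strings are constructed; the treatment of a missing `Encrypt` as "not enforced" matches the older client defaults the commenter describes.

```python
# Added example: audit SqlClient-style connection strings for TLS enforcement.
# Sample connection strings are constructed for illustration only.

def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key2=Value2' into a dict with lower-cased keys."""
    parts = {}
    for segment in cs.split(";"):
        if "=" not in segment:
            continue
        key, _, value = segment.partition("=")
        parts[key.strip().lower()] = value.strip().strip("'\"")
    return parts

# Values that mean "encryption on"; Mandatory/Strict are the newer SqlClient spellings.
ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}
TRUE_VALUES = {"true", "yes"}

def audit_connection_string(cs: str) -> list:
    """Return findings for a connection string; an empty list means TLS is enforced
    and the server certificate is validated."""
    p = parse_connection_string(cs)
    findings = []
    # SqlClient accepts both the short key and its long alias for each setting.
    # A missing Encrypt is treated as off, as older clients behaved.
    encrypt = p.get("encrypt", p.get("use encryption for data", "false")).lower()
    trust = p.get("trustservercertificate", p.get("trust server certificate", "false")).lower()
    if encrypt not in ENCRYPT_ON:
        findings.append("Encrypt is not set to True: traffic may be sent in cleartext")
    if trust in TRUE_VALUES:
        findings.append("TrustServerCertificate=True disables certificate validation (MITM risk)")
    return findings

if __name__ == "__main__":
    # Constructed examples: the first is the shape of a default SSDT/SSMS-style string.
    samples = [
        "Server=tcp:example.database.windows.net,1433;Database=appdb;User ID=dev;Password=placeholder;",
        "Server=tcp:example.database.windows.net,1433;Database=appdb;User ID=dev;Password=placeholder;Encrypt=True;TrustServerCertificate=False;",
        "Server=tcp:example.database.windows.net,1433;Database=appdb;Encrypt=True;TrustServerCertificate=True;",
    ]
    for s in samples:
        print(audit_connection_string(s) or ["OK"])
```

Running the same check over a repository's config files or a tooling template catches the "forgot to encrypt" case before a password has to be rotated.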