ChecklistUpdated 2026-02-15For: Azure customers, BFSI on Azure, M365-heavy organisations, Azure DevOps + GitHub Enterprise teams

Azure Cloud Security Assessment Checklist

Most Azure breaches we investigate trace back to identity, not platform — over-broad RBAC, unmanaged service principals, Conditional Access gaps. This checklist is what our auditors run through during an Azure security assessment, organised by attack-surface area and mapped to CIS Azure + Microsoft Cloud Security Benchmark (MCSB).

Talk to an expert All resources

The Checklist

Identity (Entra ID + Conditional Access)

No Global Admin without PIM (privileged identity management)
Conditional Access blocks legacy auth (modern-auth only)
Conditional Access requires MFA for all admin + risky sign-ins
App passwords disabled tenant-wide
Guest invite policy restricted (allowed domains, MFA required)
Sign-in risk policy + user risk policy configured
Token lifetime policies tuned (default = 90 days is too long for admins)
Application registrations + service principals reviewed quarterly
Workload identity federation used instead of long-lived secrets where possible

RBAC + governance

No standing Owner / Contributor at subscription level (use PIM)
Management groups + SCPs (Azure Policy) in place
Resource tagging policy enforced
Activity log diagnostic settings enabled to Log Analytics workspace
Microsoft Defender for Cloud enabled at the right plan (P2 for most workloads)

Networking

No 0.0.0.0/0 management-port access (RDP 3389, SSH 22)
Azure Firewall / NGFW deployed at hub for outbound filtering
Private Endpoints used for PaaS services (Storage, Key Vault, SQL, Cosmos)
Network Watcher enabled per region
DDoS Protection Standard for internet-facing workloads
ExpressRoute + Private Peering for cross-region traffic (where in scope)

Data + secrets

Storage accounts have public blob access disabled tenant-wide
SAS tokens reviewed and rotated; user-delegation SAS preferred
Key Vault soft-delete and purge-protection enabled
Customer-Managed Keys (CMK) used where required (BFSI, regulator)
Cosmos DB / SQL: TLS 1.2+, encryption-at-rest with CMK
Defender for Storage / SQL enabled

Compute + Kubernetes

Defender for Containers / Servers enabled
AKS: managed identity for nodes; no service-principal long-lived creds
AKS: OPA/Gatekeeper / Azure Policy add-on for admission control
AKS: pod-managed identities (workload identity)
VM extensions for endpoint protection rolled out
Just-in-Time VM access for management ports
Trusted launch / secure boot enabled on supporting VM SKUs

DevOps + CI/CD

GitHub Advanced Security / GitGuardian / TruffleHog for secret scanning
Dependabot / Snyk / Veracode SCA in pipelines
Codeowners + branch protection on default branch
Service connections in Azure DevOps use federated identity (no long-lived secrets)
Pipeline scanning (Checkov, Tfsec, Snyk IaC) for Terraform/Bicep
Container image scanning (Defender, Trivy, Snyk Container)

Detection + response

Microsoft Sentinel deployed with at least the top-20 analytics rules tuned
Defender for Cloud Apps (MCAS) for SaaS visibility
Defender for Endpoint deployed on 100% of in-scope endpoints
Sentinel automation rules for high-severity findings
Incident response playbook tested in last 12 months

Frequently asked questions

What's the difference between CIS Azure and Microsoft Cloud Security Benchmark (MCSB)?

CIS Azure is community-maintained, Microsoft-recommended; MCSB is Microsoft's own framework aligned to CIS, NIST and PCI DSS. We use both — MCSB for Microsoft-native context, CIS for industry-standard alignment.

Is Defender for Cloud enough or do we need a third-party CNAPP?

Defender for Cloud is strong if you're Azure-only or M365-heavy. Multi-cloud (AWS + Azure + GCP) typically needs a third-party CNAPP (Wiz, Prisma, Tenable Cloud Security, Lacework) for a single pane of glass.

How often should we run an Azure assessment?

Annual minimum; quarterly for regulated industries (BFSI). Plus continuous CSPM monitoring via Defender for Cloud or a third-party CNAPP.

What's the most common Azure finding?

Over-broad RBAC at the subscription level — Owner / Contributor granted to humans and service principals 'just in case'. Found in 90%+ of first-time assessments.

Does the assessment cover Microsoft 365?

Yes — M365 + Entra ID + Defender for Cloud Apps are tightly coupled to Azure. We include M365 in every Azure assessment by default.

Related services

More resources

Need help executing this?

Talk to Digital Defense — India's CERT-In Empanelled cybersecurity team.

Book a consultation

Digital Defense

Online | Typically replies instantly

Hi there! 👋 Welcome to Digital Defense. I'm here to help you with your cybersecurity needs. How can I assist you today?