
Azure CIS Benchmark Foundations v3.0 Hardening Guide


Ghulam Rasool
Founder & Compliance Engineering Lead · CISGuard

What the CIS Azure Foundations Benchmark Covers

The CIS Microsoft Azure Foundations Benchmark is the authoritative configuration baseline for Azure subscription-level controls. Like its AWS counterpart, it targets the cloud control plane rather than individual hosts, covering Microsoft Entra ID (formerly Azure AD), Defender for Cloud, storage accounts, database services, logging, networking, and virtual machine configurations.

Version 3.0 (released in 2024) contains approximately 200 controls across the Azure platform. The benchmark covers both single-subscription deployments and multi-subscription tenants, with controls that apply at the tenant level (Entra ID) and at the subscription level (storage, networking, compute).

Azure misconfiguration patterns are similar to AWS at a conceptual level (excessive permissions, unencrypted storage, exposed network surface, insufficient logging) but the implementation differs because of the underlying platform model: Entra ID instead of IAM, Resource Groups and Subscriptions instead of accounts, Defender for Cloud instead of Security Hub, Storage Accounts and Containers instead of S3 buckets.

Section 1: Identity and Access Management (Microsoft Entra ID)

The Entra ID section establishes identity discipline at the tenant level:

Restrict access to the Azure AD administration portal. Limit who can view and configure tenant settings.

Enable Security Defaults or Conditional Access. The tenant must have either Security Defaults enabled or Conditional Access policies that achieve equivalent protection. Tenants without either are exposed to credential-stuffing and MFA-bypass attacks.

Ensure MFA is enabled for all privileged users. Global administrators, privileged role administrators, security administrators, and similar high-privilege accounts must use MFA. No exceptions.

Limit the number of Global Administrators to fewer than 5. Global Administrator is the most privileged role. Fewer Global Admins reduce the attack surface and create clearer accountability.

Enable "Restrict access to Azure AD administration portal". Limit which non-admin users can browse Entra ID configuration.

Restrict user consent for applications. Default user consent permits applications to receive permissions that may exceed what is needed. Restricting consent requires admin review.

Enable Privileged Identity Management (PIM) for privileged role activations. PIM provides just-in-time privilege elevation, separation of administration time from steady-state, and audit trails for privilege use.

The Entra ID section is where most Azure-specific tenant misconfiguration accumulates. Many tenants are deployed with permissive defaults that the benchmark explicitly contradicts.

Section 2: Microsoft Defender for Cloud

Defender for Cloud (formerly Azure Security Center) provides cloud workload protection and configuration assessment. The benchmark requires its activation across the subscription:

Ensure that Microsoft Defender for Cloud is enabled at all standard plan levels including Defender for Servers, App Service, SQL, Storage, Containers, Key Vault, and ARM.

Ensure auto-provisioning of the Log Analytics agent. Defender's host-level analysis requires the agent on every monitored VM.

Ensure Defender for Cloud notifications are configured. Without notification configuration, Defender findings sit in the console without driving response.

Ensure the Microsoft Defender for Cloud Default Policy is configured at the appropriate level. The policy controls which Defender recommendations apply across the subscription.

Defender for Cloud findings complement CIS benchmark scanning: Defender focuses on workload threats (suspicious processes, anomalous logins) while CIS benchmarks focus on configuration controls.

Section 3: Storage Accounts

The storage section addresses Azure Storage account configuration:

Ensure that "Secure transfer required" is set to "Enabled". The storage account must require HTTPS for all data transfer. HTTP must be rejected.

Ensure that "Public access level" is set to "Private" for blob containers. Default public access on blob containers is a common Azure breach pattern.

Ensure that "Public network access" is disabled where possible. For storage accounts accessed only from inside Azure, disable public network access entirely.

Ensure that "Allow Azure services on the trusted services list to access this storage account" is enabled. The trusted services list permits necessary internal Azure traffic without opening broader access.

Ensure soft delete is enabled for blobs. Soft delete protects against accidental or malicious blob deletion.

Ensure soft delete is enabled for containers. Similar protection at the container level.

Ensure storage account encryption with customer-managed keys (CMK) for sensitive data. Microsoft-managed keys are appropriate for most data; CMK is appropriate where the organization needs key custody.

Ensure storage account access keys are rotated periodically. Long-lived storage account keys are a credential risk; rotation is the mitigation.

Ensure shared access signature (SAS) tokens expire within an appropriate window. Long-lived SAS tokens are equivalent to long-lived credentials.

The storage section is critical because Azure storage accounts hold much of the data in a typical Azure tenant. Misconfiguration here has the highest blast radius of any Azure misconfiguration class.
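The storage controls above map directly onto properties of the storage account resource. The following added example (not CISGuard's or the benchmark's own code) evaluates an exported account configuration offline; the key names are assumed to mirror `az storage account show` and `az storage account blob-service-properties show`, and the sample data is constructed.

```python
# Added example (not CISGuard's code): evaluate an exported storage account
# configuration offline against the storage controls listed above.
# Key names mirror `az storage account show` and
# `az storage account blob-service-properties show`; treat them as assumptions.

def storage_findings(account: dict, blob_props: dict) -> list[str]:
    """Return the storage controls the account fails; an empty list is compliant.
    Missing keys are treated as the permissive value, so gaps surface as findings."""
    failed = []
    rules = account.get("networkRuleSet", {})
    if not account.get("enableHttpsTrafficOnly", False):
        failed.append("secure-transfer-required")          # HTTP must be rejected
    if account.get("allowBlobPublicAccess", True):
        failed.append("blob-public-access")                # anonymous container reads
    # Public network access is acceptable only when disabled outright, or when the
    # firewall default action is Deny so only listed IPs and VNets are admitted.
    if account.get("publicNetworkAccess") != "Disabled" and rules.get("defaultAction") != "Deny":
        failed.append("public-network-access")
    # bypass is a comma-separated string such as "AzureServices, Logging, Metrics"
    bypass = {b.strip() for b in str(rules.get("bypass", "None")).split(",")}
    if "AzureServices" not in bypass:
        failed.append("trusted-services-bypass")
    if not blob_props.get("deleteRetentionPolicy", {}).get("enabled", False):
        failed.append("blob-soft-delete")
    if not blob_props.get("containerDeleteRetentionPolicy", {}).get("enabled", False):
        failed.append("container-soft-delete")
    return failed

# Constructed sample data: a drifted account and a hardened one.
WEAK_ACCOUNT = {"name": "stweak001", "enableHttpsTrafficOnly": False,
                "allowBlobPublicAccess": True, "publicNetworkAccess": "Enabled",
                "networkRuleSet": {"defaultAction": "Allow", "bypass": "None"}}
WEAK_BLOB = {"deleteRetentionPolicy": {"enabled": False},
             "containerDeleteRetentionPolicy": {"enabled": False}}
HARDENED_ACCOUNT = {"name": "sthard001", "enableHttpsTrafficOnly": True,
                    "allowBlobPublicAccess": False, "publicNetworkAccess": "Enabled",
                    "networkRuleSet": {"defaultAction": "Deny",
                                       "bypass": "AzureServices, Logging, Metrics"}}
HARDENED_BLOB = {"deleteRetentionPolicy": {"enabled": True, "days": 7},
                 "containerDeleteRetentionPolicy": {"enabled": True, "days": 7}}

if __name__ == "__main__":
    for acct, blob in ((WEAK_ACCOUNT, WEAK_BLOB), (HARDENED_ACCOUNT, HARDENED_BLOB)):
        print(acct["name"], storage_findings(acct, blob) or "compliant")
```

The hardened sample keeps public network access enabled but relies on a Deny default action, which the check accepts; the CMK and key-rotation controls need Key Vault and key-age data that this export does not carry.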

Section 4: Database Services

The database section addresses Azure SQL Database, Azure Database for PostgreSQL, Azure Database for MySQL, and Azure Cosmos DB:

Ensure Azure Defender is enabled for each database service in use.

Ensure SQL Server auditing is enabled with sufficient retention.

Ensure that "Connection throttling" is set to "On" for Azure SQL.

Ensure that "Threat Detection types" is set to "All" for Azure SQL.

Ensure that "Auditing" Retention is set to >= 90 days.

Ensure Azure SQL servers are configured with virtual network rules to restrict network access.

Ensure transparent data encryption (TDE) is enabled for Azure SQL databases.

Ensure database firewalls are restrictive: avoid 0.0.0.0 in the allowed IP range.

Ensure Azure Active Directory authentication is configured for Azure SQL servers.

The database controls reflect that database servers are often the highest-value target in an environment. Strong authentication, encryption at rest, network restriction, and comprehensive audit logging are all enforced.

Section 5: Logging and Monitoring

The logging section establishes the platform-level audit infrastructure:

Ensure that a "Diagnostic Setting" exists for the subscription, forwarding activity logs to a Log Analytics workspace, storage account, or event hub.

Ensure that "Activity Log Alert" exists for specific high-sensitivity events:

Create or update policy assignment

Delete policy assignment

Create or update SQL server firewall rule

Update security policy

Create or update Network Security Group

Delete Network Security Group

Create or update Network Security Group rule

Delete Network Security Group rule

Create or update Network Watcher

Delete Network Watcher

Ensure that logging for Azure Key Vault is enabled. Key Vault contains the cryptographic material protecting other resources; access to it must be audited comprehensively.

Ensure log retention is sufficient. The benchmark specifies minimum retention; regulatory frameworks may require longer.

The activity log alerts deserve particular attention. Many Azure tenants lack alerting on security-relevant configuration changes. Without alerts, changes occur silently and are detected only at the next manual review.
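To make the alert requirement checkable rather than a manual review item, the following added example (not CISGuard's or the benchmark's own code) reports which of the events listed above have no enabled Activity Log Alert scoped to the subscription. The alert-rule shape is assumed to follow `az monitor activity-log alert list`, the event-to-operationName mapping is this example's assumption, and the subscription id and alert rules are constructed.

```python
# Added example (not CISGuard's code): report which of the activity-log events listed
# above lack an enabled Activity Log Alert scoped to the subscription. Alert-rule shape
# follows `az monitor activity-log alert list`; the event-to-operationName mapping is
# this example's assumption, and the sample rules are constructed.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

REQUIRED_OPERATIONS = {  # benchmark event -> ARM operationName the alert must match
    "Create or update policy assignment": "Microsoft.Authorization/policyAssignments/write",
    "Delete policy assignment": "Microsoft.Authorization/policyAssignments/delete",
    "Create or update SQL server firewall rule": "Microsoft.Sql/servers/firewallRules/write",
    "Update security policy": "Microsoft.Security/policies/write",
    "Create or update Network Security Group": "Microsoft.Network/networkSecurityGroups/write",
    "Delete Network Security Group": "Microsoft.Network/networkSecurityGroups/delete",
    "Create or update Network Security Group rule": "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Delete Network Security Group rule": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    "Create or update Network Watcher": "Microsoft.Network/networkWatchers/write",
    "Delete Network Watcher": "Microsoft.Network/networkWatchers/delete",
}

def covered_operations(alerts: list[dict], subscription: str) -> set[str]:
    """operationNames alerted on by enabled rules whose scope is the whole subscription."""
    covered = set()
    for alert in alerts:
        if not alert.get("enabled", False):
            continue  # a disabled rule gives no coverage, even if its condition is right
        if subscription.lower() not in (s.lower() for s in alert.get("scopes", [])):
            continue  # a rule scoped to one resource group does not cover the subscription
        for cond in alert.get("condition", {}).get("allOf", []):
            if cond.get("field", "").lower() == "operationname":
                covered.add(cond.get("equals", "").lower())
    return covered

def missing_alerts(alerts: list[dict], subscription: str = SUBSCRIPTION) -> list[str]:
    covered = covered_operations(alerts, subscription)  # benchmark events with no rule
    return [event for event, op in REQUIRED_OPERATIONS.items() if op.lower() not in covered]

SAMPLE_ALERTS = [  # constructed: two live rules and one that was switched off
    {"name": "alert-policy-assignment-write", "enabled": True, "scopes": [SUBSCRIPTION],
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                             {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]}},
    {"name": "alert-nsg-write", "enabled": True, "scopes": [SUBSCRIPTION],
     "condition": {"allOf": [{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]}},
    {"name": "alert-nsg-delete", "enabled": False, "scopes": [SUBSCRIPTION],
     "condition": {"allOf": [{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]}},
]

if __name__ == "__main__":
    for event in missing_alerts(SAMPLE_ALERTS):
        print("no alert for:", event)
```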

Section 6: Networking

The networking section addresses Network Security Groups, virtual networks, and Application Gateway:

Ensure that RDP access is restricted from the internet. NSG rules permitting 0.0.0.0/0 to port 3389 are a critical finding.

Ensure that SSH access is restricted from the internet. Same principle for SSH on port 22.

Ensure that UDP services are not reachable from the internet: high-risk UDP ports should not be exposed.

Ensure that Network Security Group Flow Log retention is greater than 90 days.

Ensure that Network Watcher is enabled for the subscription in each region with resources.

Ensure that Azure Web Application Firewall is enabled for Application Gateway.

Ensure that DDoS Protection Standard is enabled: for production workloads, DDoS protection provides meaningful resilience against volumetric attacks.

The 0.0.0.0/0 controls match the AWS equivalents and are violated in roughly the same patterns: troubleshooting access not reverted, broad ranges used when narrow ranges would suffice, default NSGs that permit broad traffic.
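Whether a port is actually reachable from the internet depends on the full inbound rule set, because a lower-numbered Deny overrides a later broad Allow. The following added example (not CISGuard's or the benchmark's own code) walks an NSG's inbound rules in priority order the way the platform evaluates them; rule keys are assumed to mirror `az network nsg rule list`, the rules are constructed, and UDP 53 and 123 are used only as stand-ins for the benchmark's high-risk UDP port list.

```python
# Added example (not CISGuard's code): decide whether an NSG exposes a port to the
# internet by walking its inbound rules in priority order, as the platform does.
# Rule keys mirror `az network nsg rule list` output (assumed); rules are constructed.

# Source prefixes the benchmark treats as "the internet"
INTERNET_SOURCES = {"*", "internet", "any", "0.0.0.0", "0.0.0.0/0", "/0"}

def port_matches(spec: str, port: int) -> bool:
    """destinationPortRange is written as '*', '3389' or '1000-2000'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule: dict, port: int, proto: str) -> bool:
    """True if an inbound rule applies to this port/protocol from an internet source."""
    if rule.get("direction") != "Inbound":
        return False
    proto_ok = rule.get("protocol", "*").lower() in ("*", proto)
    ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    from_internet = any(s.lower() in INTERNET_SOURCES or s.endswith("/0") for s in sources)
    return proto_ok and from_internet and any(port_matches(p, port) for p in ports)

def exposed_from_internet(rules: list[dict], port: int, proto: str = "tcp") -> bool:
    """Lowest priority number wins; with no match the default DenyAllInBound applies."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, port, proto):
            return rule["access"] == "Allow"
    return False

def exposure_report(rules: list[dict]) -> dict[str, bool]:
    """RDP and SSH per the benchmark; UDP 53 and 123 stand in for the high-risk UDP list."""
    checks = {"rdp/3389": (3389, "tcp"), "ssh/22": (22, "tcp"),
              "dns/53": (53, "udp"), "ntp/123": (123, "udp")}
    return {name: exposed_from_internet(rules, *spec) for name, spec in checks.items()}

# Constructed rules: an explicit RDP deny outranks the broad management allow below it
SAMPLE_RULES = [
    {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-mgmt-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3389"]},
    {"name": "allow-dns-udp", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "53"},
]

if __name__ == "__main__":
    print(exposure_report(SAMPLE_RULES))
```

In the sample, RDP is not exposed because the priority-100 Deny is matched first, while SSH and UDP 53 are exposed by the later Allow rules; a Deny for a narrower source range is not treated as blocking internet traffic.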

Section 7: Virtual Machines

The VM section addresses compute-specific controls at the management plane level:

Ensure that "OS disks" are encrypted, using Azure Disk Encryption or Server-Side Encryption with customer-managed keys.

Ensure that "Data disks" are encrypted.

Ensure that "Unattached disks" are encrypted.

Ensure that only approved extensions are installed.

Ensure that endpoint protection for all virtual machines is installed.

Ensure that the latest OS patches for all virtual machines are applied.

Ensure that VHDs are encrypted.

For the operating system inside the VM, separate CIS benchmarks apply (CIS Windows Server 2022, CIS Ubuntu 24.04, CIS RHEL 9). The Azure Foundations benchmark covers the platform-level controls; OS-level controls require separate benchmark scanning of each VM.

Section 8: Other Security Considerations

Several controls do not fit neatly into the above sections:

Ensure that the expiration date is set on all secrets in Key Vault. Indefinite-lifetime secrets accumulate.

Ensure that the expiration date is set on all keys in Key Vault.

Ensure that Resource Locks are set for resource groups containing critical resources. Resource locks prevent accidental deletion.

Ensure that Azure Policy is set to enforce the security baselines that the organization requires.

The Key Vault controls address the cryptographic material the rest of the environment depends on. Key Vault misconfiguration cascades to every resource using its keys.

Multi-Subscription and Tenant-Level Operations

Most Azure deployments at any meaningful scale operate across multiple subscriptions organized into management groups. The benchmark applies at both tenant and subscription levels:

Tenant-level controls (Entra ID, Defender plans, certain policies) apply once across all subscriptions

Subscription-level controls (storage, database, network, VM controls) apply per subscription

Effective scanning operates at both levels. Tenant-level findings affect the whole organization; subscription-level findings affect a single subscription. Reporting must distinguish between the two for the right team to own remediation.

Common Azure Configuration Drift

Azure environments exhibit drift patterns parallel to AWS:

Storage accounts opened for cross-subscription access without restricting source. A storage account is opened to permit another subscription to access data, with broader-than-needed access granted.

NSGs opened during troubleshooting and not reverted. SSH or RDP exposed to the internet during a debugging session.

Diagnostic settings disabled or never enabled on new resources. Resources created without forwarding logs to the central Log Analytics workspace.

Defender plans disabled or downgraded. Cost optimization pressure leads to Defender plans being switched off, removing detection capability.

Privileged role assignments accumulating. Users granted privileged roles for specific tasks and never removed.

Key Vault access policies too permissive. Access policies granted at the resource level rather than narrowly scoped.

How Continuous Compliance Supports the Azure Benchmark

The Azure Foundations benchmark, like the AWS counterpart, is not assessable through periodic audit at any meaningful scale. With dozens of subscriptions, hundreds of resource types, and continuous change driven by both managed services and operational activity, continuous scanning is the only viable model.

Continuous compliance scanning provides:

Per-subscription compliance against the full benchmark

Real-time drift detection when controls degrade

Per-resource detail showing the specific resource and the specific control violated

Tenant-level consolidation of multi-subscription findings

Remediation tracking with owner and target date

Multi-framework mapping showing each control's coverage of NIST 800-53, ISO 27001, SOC 2, HIPAA, PCI DSS

How CISGuard Supports Azure CIS Benchmark Compliance

CISGuard's Azure scanner evaluates the full CIS Microsoft Azure Foundations Benchmark v3.0 with patterns suited to Azure environments:

Multi-subscription scanning with tenant-level rollup

Multi-region evaluation with regional gap visibility

Continuous scanning at configurable cadence

Drift detection with timestamped baseline comparisons

Multi-framework mapping showing how each Azure control satisfies NIST 800-53, ISO 27001, SOC 2, FedRAMP, CMMC, HIPAA, PCI DSS

Azure Government support for FedRAMP and CMMC environments

Immutable audit trail for assessor and continuous monitoring evidence

See Azure CIS Benchmark coverage in CISGuard or request an Azure compliance assessment.

CIS Benchmarks and CIS Controls are trademarks of the Center for Internet Security, Inc. (CIS). CISGuard is an independent product by GR IT Services and is not affiliated with, endorsed by, or certified by the Center for Internet Security. References to CIS Benchmarks are for informational purposes and describe interoperability with published security standards. NIST, ISO, SOC 2, HIPAA, GDPR, and other framework names are property of their respective owners.
