CIS Benchmarks for Azure: Infrastructure Hardening Checklist [2026]

exodata.io
Tags: Security, Cloud, Compliance, Azure

Published on: 10 March 2026

Default Azure configurations are not hardened for production use. Microsoft optimizes for ease of adoption, which means a new storage account accepts traffic from all networks, a Linux VM can be created with password authentication, and resource diagnostic logging stays off until someone turns it on. These defaults create an attack surface that grows with every deployment.

The Center for Internet Security (CIS) publishes hardening benchmarks that address exactly this problem. The CIS Microsoft Azure Foundations Benchmark provides a prescriptive, consensus-driven set of configuration recommendations for securing Azure environments. Each recommendation includes a rationale, an audit procedure, and a remediation step. The benchmark is maintained by a community of security professionals and updated regularly as Azure services evolve.

This checklist distills the CIS Azure Foundations Benchmark into an actionable format organized by domain. It is not a substitute for reading the full benchmark — the complete document includes detailed audit procedures, CLI commands, and screenshots that go beyond what a checklist can provide — but it gives you a working reference for systematically hardening an Azure environment.

If you are building a new Azure environment, apply these controls from the start within your landing zone architecture. If you are hardening an existing environment, prioritize identity and networking controls first, then work through the remaining sections.

What Are CIS Benchmarks?

CIS Benchmarks are configuration guidelines developed through a consensus process that involves cybersecurity practitioners, technology vendors, and subject matter experts from government, industry, and academia. They are vendor-agnostic in philosophy but platform-specific in implementation. There are CIS Benchmarks for operating systems, cloud platforms, databases, network devices, web servers, and desktop software.

Each benchmark recommendation falls into one of two profiles:

  • Level 1: Practical security controls that can be implemented in most environments with minimal impact on functionality or user experience. These are the baseline.
  • Level 2: Controls intended for high-security environments where the additional restriction is acceptable. Level 2 controls may reduce functionality or increase operational complexity.

CIS Benchmarks are freely available for non-commercial use. Organizations that need automated assessment tooling, reporting, and remediation workflows can use CIS-CAT Pro or integrate CIS benchmark assessments through Microsoft Defender for Cloud.

CIS Benchmarks vs. Other Frameworks

CIS Benchmarks are technical configuration standards. They tell you what settings to change and what values to set. This makes them complementary to — not a replacement for — governance and compliance frameworks.

  • NIST Cybersecurity Framework / NIST 800-53: NIST provides a risk management framework with control families (access control, audit and accountability, incident response, etc.). CIS Benchmarks provide the specific Azure configurations that implement many NIST controls. If you are working toward NIST compliance, CIS Benchmarks give you the technical implementation details.
  • SOC 2: SOC 2 compliance requires demonstrating controls across trust service criteria (security, availability, processing integrity, confidentiality, privacy). CIS Benchmark configurations directly support the security criteria and provide auditable evidence of control implementation.
  • HIPAA: For organizations handling protected health information, CIS Benchmarks help implement the technical safeguards required by the HIPAA Security Rule. Our HIPAA compliance checklist for cloud applications maps these requirements in detail.
  • Microsoft cloud security benchmark (MCSB): Microsoft’s own benchmark, the successor to the Azure Security Benchmark (ASB), is closely aligned with CIS and maps its controls to both the CIS Benchmarks and NIST 800-53. Defender for Cloud uses MCSB as its default regulatory compliance standard.

The practical takeaway: use CIS Benchmarks as your technical implementation guide, and map the results to whatever compliance framework your organization is subject to.

Identity and Access Management

Identity compromise is the most common entry point for cloud breaches. Microsoft’s own threat intelligence data consistently shows that identity-based attacks — credential stuffing, phishing, token theft — dominate the cloud threat landscape. Hardening identity controls is the highest-leverage work you can do.

These controls align with a zero trust security model where every access request is verified regardless of origin.

Multi-Factor Authentication

  • Ensure MFA is enabled for all users in Microsoft Entra ID (formerly Azure AD)
  • Ensure MFA is enforced for all administrative roles (Global Administrator, Security Administrator, Exchange Administrator, SharePoint Administrator, Helpdesk Administrator, Billing Administrator, User Administrator, Authentication Administrator)
  • Disable legacy authentication methods that bypass MFA (POP3, IMAP, SMTP AUTH, Exchange ActiveSync basic auth)
  • Configure phishing-resistant MFA methods for privileged accounts (FIDO2 security keys, Windows Hello for Business, or certificate-based authentication)
  • Enable MFA number matching and additional context to prevent MFA fatigue attacks

For a complete MFA and conditional access hardening guide, see our Microsoft 365 security hardening checklist.

Privileged Access Management

  • Ensure that no subscription has more than 3 users assigned to the Owner role
  • Ensure that no resource group has more than 3 users assigned to the Owner role
  • Ensure that no custom subscription administrator roles exist (a custom role definition that grants “*” actions at subscription or root scope is Owner in all but name); remove any that are not actively needed
  • Enable Privileged Identity Management (PIM) for just-in-time administrative access (requires Entra ID P2)
  • Configure PIM activation to require MFA, justification, and approval for Global Administrator and other high-privilege roles
  • Set maximum PIM activation duration to 8 hours or less
  • Review role assignments quarterly and remove stale or unnecessary assignments
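The Owner-count and custom-role items above are easy to check from exported role data. The following script is an added example, not code from the page or from CIS: it reads records in the shape that `az role assignment list --scope /subscriptions/<id>` and `az role definition list --custom-role-only true` return (only the fields used are kept), counts direct user Owners per subscription, reports groups holding Owner separately (a group hides any number of effective owners), and flags custom roles that grant `*` at subscription or root scope. The assignments and role definitions below are constructed sample data; the limit of three Owners is the checklist's figure.

```python
"""Audit Owner assignments and custom administrator roles (added example; constructed data)."""
from collections import defaultdict

MAX_OWNERS = 3

# Constructed sample of `az role assignment list` output, trimmed to the fields used here
ASSIGNMENTS = [
    {"principalName": "alice@contoso.com", "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/0000-prod"},
    {"principalName": "bob@contoso.com", "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/0000-prod"},
    {"principalName": "carol@contoso.com", "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/0000-prod"},
    {"principalName": "dave@contoso.com", "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/0000-prod"},
    {"principalName": "platform-admins", "principalType": "Group", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/0000-prod"},
    {"principalName": "erin@contoso.com", "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/0000-prod/resourceGroups/rg-app"},
    {"principalName": "frank@contoso.com", "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/0000-prod"},
]

# Constructed sample of `az role definition list --custom-role-only true` output
CUSTOM_ROLES = [
    {"roleName": "Break Glass Admin", "assignableScopes": ["/subscriptions/0000-prod"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Support Reader", "assignableScopes": ["/subscriptions/0000-prod"],
     "permissions": [{"actions": ["*/read", "Microsoft.Support/*"], "notActions": []}]},
    {"roleName": "Almost Owner", "assignableScopes": ["/"],
     "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Delete"]}]},
]


def subscription_of(scope):
    """Return '/subscriptions/<id>' for any scope at or below subscription level, else None."""
    parts = scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "subscriptions":
        return "/subscriptions/" + parts[1]
    return None


def count_owners(assignments):
    """Direct Owner assignments at subscription scope, split into users and groups per subscription.
    Resource-group assignments are excluded; group assignments are kept apart because the
    number of effective owners behind a group is unknown until membership is expanded."""
    users, groups = defaultdict(set), defaultdict(set)
    for a in assignments:
        if a["roleDefinitionName"] != "Owner":
            continue
        sub = subscription_of(a["scope"])
        if sub is None or a["scope"] != sub:
            continue  # not a direct subscription-scope assignment
        target = users if a["principalType"] == "User" else groups
        target[sub].add(a["principalName"])
    return users, groups


def owner_findings(assignments, max_owners=MAX_OWNERS):
    users, groups = count_owners(assignments)
    findings = []
    for sub, names in users.items():
        if len(names) > max_owners:
            findings.append(f"{sub}: {len(names)} user Owners (limit {max_owners}): {sorted(names)}")
    for sub, names in groups.items():
        findings.append(f"{sub}: Owner held by group(s) {sorted(names)}; expand membership before counting")
    return findings


def wildcard_custom_roles(roles):
    """Custom roles granting '*' actions at subscription or root scope: custom Owners in disguise."""
    flagged = []
    for r in roles:
        actions = {act for p in r["permissions"] for act in p.get("actions", [])}
        broad_scope = any(s == "/" or subscription_of(s) == s for s in r["assignableScopes"])
        if "*" in actions and broad_scope:
            flagged.append(r["roleName"])
    return flagged


if __name__ == "__main__":
    for finding in owner_findings(ASSIGNMENTS):
        print("FINDING:", finding)
    print("custom administrator roles:", wildcard_custom_roles(CUSTOM_ROLES))
```

Run it against real exports by replacing the two sample lists with the JSON from the two CLI commands. Note that `notActions` do not rescue a `*` role: "Almost Owner" is still flagged, because a role that can do everything except one delete is still an administrator role.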

Conditional Access and Guest Access

  • Ensure Conditional Access policies are configured to block legacy authentication protocols
  • Ensure Conditional Access policies require MFA for Azure management (portal, CLI, PowerShell)
  • Restrict guest user access to properties and memberships of their own directory objects
  • Ensure that only administrators can invite guest users
  • Ensure guest users are reviewed and removed quarterly
  • Disable self-service group and app access for guest accounts

Security Defaults and Password Policies

  • Enable Security Defaults if Conditional Access is not in use (Security Defaults are a free baseline that enforces MFA and blocks legacy auth)
  • Ensure that password hash synchronization is enabled for hybrid identity environments
  • Ensure that the “Notify users on password resets” setting is enabled
  • Ensure that the “Notify all admins when other admins reset their password” setting is enabled
  • Configure banned password lists to prevent use of organization-specific weak passwords

Networking

Network controls limit the blast radius of a compromise. Even if an attacker gains valid credentials, properly configured network security controls prevent lateral movement and restrict access to sensitive resources.

Network Security Groups (NSGs)

  • Ensure that no NSG allows unrestricted inbound access on port 22 (SSH) from the internet (0.0.0.0/0)
  • Ensure that no NSG allows unrestricted inbound access on port 3389 (RDP) from the internet
  • Ensure that no NSG allows unrestricted inbound access on port 1433 (SQL Server) from the internet
  • Ensure that no NSG allows unrestricted inbound access on port 5432 (PostgreSQL) from the internet
  • Ensure that no NSG allows unrestricted inbound access on UDP port 53 (DNS) from the internet
  • Review all NSG rules with a source of “Any” or “0.0.0.0/0” and replace with specific IP ranges or service tags
  • Enable flow logs for every NSG and send them to a Log Analytics workspace for analysis; for new deployments use virtual network flow logs, since Network Watcher NSG flow logs are being retired in their favour
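Auditing the NSG items above by eye misses two things: port ranges (a rule for "50-60" exposes UDP 53 without ever naming it) and rule ordering (an explicit Deny at a lower priority number shadows a broader Allow). The following script is an added example, not code from the page or from CIS. It takes an NSG in the ARM/REST shape (`az rest` output, with rules under `properties.securityRules`; `az network nsg list` flattens `properties`, so adapt the lookups if you feed it CLI output), walks rules in priority order as the platform does, and reports which of the checklist's ports an internet client can reach. The sample NSG is constructed.

```python
"""Find management ports an NSG leaves reachable from the internet (added example; constructed NSG)."""

# (protocol, port) -> service, taken from the NSG items in this checklist
RISKY_PORTS = {
    ("Tcp", 22): "SSH",
    ("Tcp", 3389): "RDP",
    ("Tcp", 1433): "SQL Server",
    ("Tcp", 5432): "PostgreSQL",
    ("Udp", 53): "DNS",
}
# Source prefixes that mean "anyone on the internet"; "Internet" is the service tag
INTERNET_SOURCES = {"*", "0.0.0.0/0", "internet", "any"}

SAMPLE_NSG = {
    "name": "nsg-web",
    "properties": {
        "securityRules": [
            {"name": "deny-rdp-internet", "properties": {
                "priority": 100, "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
                "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"}},
            {"name": "allow-mgmt", "properties": {
                "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3389"]}},
            {"name": "allow-sql-internal", "properties": {
                "priority": 120, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "1433"}},
            {"name": "allow-udp-range", "properties": {
                "priority": 130, "direction": "Inbound", "access": "Allow", "protocol": "*",
                "sourceAddressPrefixes": ["0.0.0.0/0"], "destinationPortRange": "50-60"}},
        ]
    },
}


def port_matches(spec, port):
    """spec is '*', a single port '22', or a range '50-60' (ARM destinationPortRange syntax)."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def listed(props, single_key, plural_key):
    """ARM puts one value in sourceAddressPrefix/destinationPortRange and many in the plural form."""
    values = list(props.get(plural_key) or [])
    if props.get(single_key):
        values.append(props[single_key])
    return values


def rule_matches(props, proto, port):
    """Does this rule apply to traffic from an arbitrary internet address to proto/port?"""
    if props["direction"] != "Inbound":
        return False
    if props["protocol"] != "*" and props["protocol"].lower() != proto.lower():
        return False
    if not any(port_matches(s, port) for s in listed(props, "destinationPortRange", "destinationPortRanges")):
        return False
    return any(s.lower() in INTERNET_SOURCES
               for s in listed(props, "sourceAddressPrefix", "sourceAddressPrefixes"))


def audit_nsg(nsg):
    """Return the risky ports an internet client can reach through this NSG.
    Rules are evaluated lowest priority number first, as the platform does, so the
    Deny at 100 shadows the Allow at 110 for RDP but not for SSH."""
    rules = sorted(nsg["properties"]["securityRules"], key=lambda r: r["properties"]["priority"])
    findings = []
    for (proto, port), service in RISKY_PORTS.items():
        for rule in rules:
            if rule_matches(rule["properties"], proto, port):
                if rule["properties"]["access"] == "Allow":
                    findings.append({"nsg": nsg["name"], "rule": rule["name"],
                                     "protocol": proto, "port": port, "service": service})
                break  # first matching rule decides; later rules never see this traffic
    return findings


if __name__ == "__main__":
    for f in audit_nsg(SAMPLE_NSG):
        print(f"{f['nsg']}: rule {f['rule']} exposes {f['service']} ({f['protocol']}/{f['port']}) to the internet")
```

The sample produces two findings, SSH through `allow-mgmt` and DNS through the UDP range rule, and correctly stays silent on RDP (denied first) and SQL Server (internal source only). The script only models traffic from arbitrary internet addresses; a rule scoped to one public /32 is treated as not internet-wide, which is the intent of the checklist item about replacing "Any" with specific ranges.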

Azure Firewall and Network Architecture

  • Deploy Azure Firewall or a third-party network virtual appliance (NVA) in the hub VNet for centralized traffic inspection
  • Configure user-defined routes (UDRs) on spoke subnets with a 0.0.0.0/0 route whose next hop is the hub firewall’s private IP (next hop type VirtualAppliance), so that all outbound traffic is inspected
  • Restrict outbound internet access to only the FQDNs and ports your workloads require
  • Enable Azure Firewall threat intelligence-based filtering in “Alert and Deny” mode
  • Ensure Azure DDoS Protection is enabled on virtual networks hosting internet-facing workloads

Private Endpoints and Service Access

  • Use Private Endpoints for Azure PaaS services (Storage Accounts, SQL Database, Key Vault, Cosmos DB, Event Hubs) to eliminate public internet exposure
  • Disable public network access on PaaS services after Private Endpoints are configured
  • Configure Private DNS Zones for Private Endpoint name resolution
  • Ensure that service endpoints are used where Private Endpoints are not yet supported
  • Disable public IP addresses on virtual machines unless explicitly required and documented

Network Watcher

  • Enable Network Watcher in every Azure region where you have resources deployed
  • Configure flow logs (virtual network flow logs, or NSG flow logs where they still exist) with a retention period of at least 90 days
  • Enable Traffic Analytics on NSG flow logs to identify traffic patterns and anomalies

Storage Account Hardening

Azure Storage Accounts are frequently the target of data exfiltration. They hold blobs, file shares, queues, and tables that often contain sensitive business data. The default configuration leaves several attack vectors open.

  • Ensure that “Secure transfer required” is enabled on all storage accounts (enforces HTTPS; rejects HTTP)
  • Ensure that the minimum TLS version is set to TLS 1.2
  • Ensure that “Allow Blob Public Access” is disabled on all storage accounts (prevents anonymous access to containers and blobs; this is now the default for new accounts, so the work is in verifying existing ones)
  • Ensure that default network access for storage accounts is set to “Deny” (use firewall rules and Private Endpoints to allow only the networks that need access)
  • Ensure that “Allow Azure services on the trusted services list to access this storage account” is enabled only when needed, and understand which services are included
  • Ensure that storage account access keys are rotated on a regular schedule (every 90 days)
  • Prefer Microsoft Entra ID authentication over shared access keys where possible
  • Enable soft delete for blobs and containers with a retention period of at least 7 days (protects against accidental or malicious deletion)
  • Enable versioning on blob storage to maintain a history of changes
  • Enable Azure Storage logging to record all read, write, and delete operations
  • Configure immutability policies for compliance-sensitive data that must not be altered or deleted

Virtual Machine Hardening

Virtual machines remain one of the most common Azure workload types and present a large attack surface if not properly hardened.

OS-Level Controls

  • Ensure that OS-level disk encryption is enabled using Azure Disk Encryption (ADE) or encryption at host
  • Ensure that only approved VM extensions are installed
  • Ensure that the Azure Monitor Agent (AMA) is installed on all VMs for log collection (the legacy Log Analytics agent is retired and no longer collects data)
  • Ensure that all VMs are running a supported operating system with active security updates
  • Enable automatic OS patching or use Azure Update Manager to enforce a patching schedule
  • Ensure that endpoint protection (Microsoft Defender for Endpoint or equivalent) is installed on all VMs

Access and Authentication

  • Disable password authentication for Linux VMs and require SSH key-based authentication
  • Ensure that just-in-time (JIT) VM access is enabled through Microsoft Defender for Cloud to restrict management port access
  • Do not assign public IP addresses to VMs unless explicitly required; use Azure Bastion for administrative access
  • Ensure that VMs are placed in NSG-protected subnets with least-privilege inbound rules
  • Disable serial console access unless actively needed for troubleshooting

Managed Disks and Data Protection

  • Ensure all VM disks (OS and data) use managed disks, not unmanaged disks
  • Ensure that unattached disks are encrypted
  • Managed disks are always encrypted at rest with platform-managed keys (PMK); where policy requires you to control the key, configure customer-managed keys (CMK) held in Key Vault through a disk encryption set
  • Review and delete unattached managed disks that are no longer needed

Database Security

Azure offers multiple database services — Azure SQL Database, Azure Database for PostgreSQL, Azure Database for MySQL, Cosmos DB — each with its own security configuration surface. The following controls apply broadly, with service-specific notes where relevant.

  • Ensure that Azure SQL Database Auditing is enabled and configured to write to a Log Analytics workspace or storage account
  • Ensure that Microsoft Defender for SQL (which replaced the standalone Threat Detection / Advanced Threat Protection setting) is enabled on every SQL server
  • Ensure that the Azure SQL Database firewall denies access by default and only allows specific IP ranges or virtual network rules
  • Ensure that Transparent Data Encryption (TDE) is enabled on all Azure SQL Databases (enabled by default, but verify it has not been disabled)
  • Ensure that Azure SQL Database connections enforce a minimum TLS version of 1.2
  • Ensure that Azure SQL Database connections use Private Endpoints instead of public endpoints
  • Ensure that Microsoft Entra ID authentication is configured for Azure SQL Database (in addition to or instead of SQL authentication)
  • Ensure that the Azure SQL Database “Allow Azure services and resources to access this server” setting is disabled unless explicitly required
  • For Azure Database for PostgreSQL and MySQL flexible servers, ensure that the require_secure_transport server parameter is ON so that only TLS connections are accepted (the “Enforce SSL connection” switch belonged to the retired single-server offerings)
  • For Cosmos DB, ensure that the firewall is configured and that public network access is disabled when using Private Endpoints
  • Review database-level user accounts and remove any that are unnecessary, especially accounts with db_owner or equivalent privileges

Key Vault Configuration

Azure Key Vault stores cryptographic keys, secrets, and certificates that protect your most sensitive resources. A misconfigured Key Vault can expose secrets to unauthorized principals or allow keys to be used without proper auditing.

For a deeper dive into Key Vault troubleshooting, see our guide on diagnosing and resolving access denied errors in Azure Key Vault.

  • Ensure that Key Vault is configured to use Azure RBAC for the data plane (preferred over legacy access policies for granular control and auditability)
  • Ensure that soft delete is enabled on all Key Vaults (on by default for new vaults since late 2020, and Microsoft has been enabling it on all remaining vaults since February 2025; verify older vaults rather than assuming)
  • Ensure that purge protection is enabled to prevent permanent deletion of secrets and keys during the retention period
  • Ensure that the Key Vault firewall is enabled and default action is set to “Deny”
  • Ensure that Key Vault is accessible only through Private Endpoints and trusted Microsoft services
  • Ensure that Key Vault diagnostic logging is enabled and logs are sent to a Log Analytics workspace (log categories: AuditEvent, AzurePolicyEvaluationDetails)
  • Ensure that key expiration dates are set on all cryptographic keys
  • Ensure that secret expiration dates are set on all secrets
  • Configure key rotation policies to automate key rotation on a defined schedule
  • Review Key Vault access regularly and remove principals that no longer require access
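The Key Vault items above split into control-plane settings (one `az keyvault show` per vault) and data-plane hygiene (expiry and rotation of every secret). The following script is an added example, not code from the page or from CIS. It checks a vault in the ARM/REST shape (properties under `properties`; note that `enablePurgeProtection` is simply absent when it was never turned on) and then audits secret records in the shape of `az keyvault secret list`, whose `attributes.expires` and `attributes.updated` are ISO-8601 strings. The vault, the secrets, the evaluation time and the 30-day warning / 90-day rotation thresholds are all constructed assumptions.

```python
"""Audit Key Vault settings and secret expiry/rotation (added example; constructed data)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)  # assumed evaluation time, fixed for reproducibility
WARN_DAYS = 30     # assumed policy: warn this long before a secret expires
MAX_AGE_DAYS = 90  # assumed policy: a secret must be rotated at least this often

SAMPLE_VAULT = {
    "name": "kv-app-prod",
    "properties": {
        "enableRbacAuthorization": False,
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        # enablePurgeProtection is absent: it was never enabled
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"},
    },
}

SAMPLE_SECRETS = [
    {"name": "db-password", "attributes": {"enabled": True, "expires": None,
                                            "updated": "2025-11-01T09:00:00+00:00"}},
    {"name": "api-key", "attributes": {"enabled": True, "expires": "2026-03-20T00:00:00+00:00",
                                        "updated": "2026-02-20T00:00:00+00:00"}},
    {"name": "old-token", "attributes": {"enabled": True, "expires": "2026-01-01T00:00:00+00:00",
                                          "updated": "2025-12-01T00:00:00+00:00"}},
    {"name": "retired", "attributes": {"enabled": False, "expires": None,
                                        "updated": "2024-01-01T00:00:00+00:00"}},
]


def audit_vault(vault):
    """Return short codes for the control-plane items in this checklist that the vault fails."""
    p = vault["properties"]
    findings = []
    if not p.get("enableRbacAuthorization"):
        findings.append("rbac-disabled")  # data plane still governed by legacy access policies
    if not p.get("enableSoftDelete", False):
        findings.append("soft-delete-disabled")
    if not p.get("enablePurgeProtection", False):
        findings.append("purge-protection-disabled")
    if p.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("public-network-enabled")
    if p.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny":
        findings.append("firewall-default-allow")
    return findings


def parse_ts(value):
    """ISO-8601 timestamp with an offset or trailing Z -> aware datetime; None if unset."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_secrets(secrets, now=NOW, warn_days=WARN_DAYS, max_age_days=MAX_AGE_DAYS):
    """Return (secret name, issue) pairs for enabled secrets that have no expiry, have passed
    it, are about to, or were last updated longer ago than the rotation policy allows."""
    findings = []
    for s in secrets:
        attrs = s["attributes"]
        if not attrs.get("enabled", True):
            continue  # a disabled secret cannot be read; it is a cleanup item, not an exposure
        name = s["name"]
        expires = parse_ts(attrs.get("expires"))
        if expires is None:
            findings.append((name, "no-expiry"))
        elif expires <= now:
            findings.append((name, "expired-but-enabled"))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((name, "expires-soon"))
        updated = parse_ts(attrs.get("updated"))
        if updated is not None and now - updated > timedelta(days=max_age_days):
            findings.append((name, "stale"))
    return findings


if __name__ == "__main__":
    print(SAMPLE_VAULT["name"], audit_vault(SAMPLE_VAULT))
    for name, issue in audit_secrets(SAMPLE_SECRETS):
        print(f"{name}: {issue}")
```

Feed `audit_vault` the output of `az rest` against the vault resource ID and `audit_secrets` the list from `az keyvault secret list --vault-name <name>` (which needs a data-plane role such as Key Vault Secrets User once RBAC is on; the audit itself never reads secret values). Keys carry the same `attributes` fields, so the expiry logic applies unchanged to `az keyvault key list`.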

Logging and Monitoring

Without logging, you have no visibility into what is happening in your environment. Without monitoring, logs are just data sitting in storage. The CIS Benchmark dedicates significant attention to logging and monitoring because these controls are the foundation of incident detection and response.

If you are troubleshooting missing data in your monitoring setup, our guide on diagnosing missing metrics in Azure Monitor covers common pitfalls.

Activity Log and Diagnostic Settings

The Azure Activity Log records control-plane operations — resource creation, deletion, modification, role assignments, and policy evaluations. This is your audit trail for who did what to which Azure resource.

  • Ensure that a diagnostic setting exists for the Azure Activity Log that sends logs to a Log Analytics workspace
  • Ensure that Activity Log retention is configured for at least 365 days (via the Log Analytics workspace retention setting or export to a storage account)
  • Create Activity Log alerts for the following critical operations:
    • Create, update, or delete Network Security Group
    • Create, update, or delete Network Security Group rule
    • Create, update, or delete SQL Server firewall rule
    • Create, update, or delete security policy
    • Create, update, or delete security solution
    • Create or update Azure Policy assignment
    • Delete Azure Policy assignment
    • Create, update, or delete Public IP address
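An Activity Log alert rule does not match on the friendly names in the list above but on ARM operation names, and every write covers both create and update because ARM models them as a single PUT. The following script is an added example, not code from the page or from CIS: it maps the alert list to operation names and runs the match over events in the shape that `az monitor activity-log list` and the Activity Log REST API return (nested `value` fields, one Started and one Succeeded event per operation sharing a `correlationId`). The events below are constructed; the choice to alert only on Succeeded events is the example's own.

```python
"""Match Activity Log events against the CIS alert list (added example; constructed events)."""

# Checklist alert -> ARM operation name an Activity Log alert condition matches on
ALERT_OPERATIONS = {
    "Microsoft.Network/networkSecurityGroups/write": "NSG created or updated",
    "Microsoft.Network/networkSecurityGroups/delete": "NSG deleted",
    "Microsoft.Network/networkSecurityGroups/securityRules/write": "NSG rule created or updated",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete": "NSG rule deleted",
    "Microsoft.Sql/servers/firewallRules/write": "SQL Server firewall rule created or updated",
    "Microsoft.Sql/servers/firewallRules/delete": "SQL Server firewall rule deleted",
    "Microsoft.Security/policies/write": "security policy created or updated",
    "Microsoft.Security/securitySolutions/write": "security solution created or updated",
    "Microsoft.Security/securitySolutions/delete": "security solution deleted",
    "Microsoft.Authorization/policyAssignments/write": "policy assignment created or updated",
    "Microsoft.Authorization/policyAssignments/delete": "policy assignment deleted",
    "Microsoft.Network/publicIPAddresses/write": "public IP created or updated",
    "Microsoft.Network/publicIPAddresses/delete": "public IP deleted",
}

SAMPLE_EVENTS = [
    # One PUT yields a Started and a Succeeded event with the same correlationId
    {"correlationId": "c1", "eventTimestamp": "2026-03-10T08:00:01Z", "caller": "alice@contoso.com",
     "category": {"value": "Administrative"}, "status": {"value": "Started"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "resourceId": "/subscriptions/0000/resourceGroups/rg-web/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-rdp"},
    {"correlationId": "c1", "eventTimestamp": "2026-03-10T08:00:03Z", "caller": "alice@contoso.com",
     "category": {"value": "Administrative"}, "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "resourceId": "/subscriptions/0000/resourceGroups/rg-web/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-rdp"},
    {"correlationId": "c2", "eventTimestamp": "2026-03-10T08:05:00Z", "caller": "deploy-sp",
     "category": {"value": "Administrative"}, "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "resourceId": "/subscriptions/0000/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01"},
    {"correlationId": "c3", "eventTimestamp": "2026-03-10T08:10:00Z", "caller": "bob@contoso.com",
     "category": {"value": "Administrative"}, "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Authorization/policyAssignments/delete"},
     "resourceId": "/subscriptions/0000/providers/Microsoft.Authorization/policyAssignments/cis-baseline"},
    {"correlationId": "c4", "eventTimestamp": "2026-03-10T08:12:00Z", "caller": "bob@contoso.com",
     "category": {"value": "Administrative"}, "status": {"value": "Failed"},
     "operationName": {"value": "Microsoft.Sql/servers/firewallRules/write"},
     "resourceId": "/subscriptions/0000/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql-prod/firewallRules/AllowAll"},
    # Operation names are not guaranteed to keep their casing; match case-insensitively
    {"correlationId": "c5", "eventTimestamp": "2026-03-10T08:15:00Z", "caller": "bob@contoso.com",
     "category": {"value": "Administrative"}, "status": {"value": "Succeeded"},
     "operationName": {"value": "microsoft.authorization/policyassignments/write"},
     "resourceId": "/subscriptions/0000/providers/Microsoft.Authorization/policyAssignments/cis-baseline"},
]


def triggered_alerts(events, operations=ALERT_OPERATIONS):
    """One alert per completed matching operation, deduplicated on correlationId."""
    lookup = {k.lower(): v for k, v in operations.items()}
    alerts, seen = [], set()
    for e in events:
        if e["category"]["value"] != "Administrative":
            continue
        if e["status"]["value"] != "Succeeded":
            continue  # Started precedes the outcome; Failed did not change state
        op = e["operationName"]["value"].lower()
        if op not in lookup or e["correlationId"] in seen:
            continue
        seen.add(e["correlationId"])
        alerts.append({"title": lookup[op], "caller": e["caller"],
                       "resource": e["resourceId"], "at": e["eventTimestamp"]})
    return alerts


if __name__ == "__main__":
    for a in triggered_alerts(SAMPLE_EVENTS):
        print(f"{a['at']} {a['caller']}: {a['title']} on {a['resource']}")
```

The sample yields three alerts: the NSG rule write (once, not twice), the policy assignment deletion, and the oddly cased policy assignment write. The failed SQL firewall rule write is dropped here, but a repeated Failed event from the same caller is itself worth a lower-severity signal when you build the real alert rule.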

Resource Diagnostic Settings

Beyond the Activity Log, individual Azure resources generate diagnostic logs that capture data-plane operations — who accessed a blob, what queries ran against a database, which secrets were read from Key Vault.

  • Enable diagnostic settings on all critical resources: Key Vaults, Storage Accounts, SQL Databases, App Services, Virtual Network Gateways, and Load Balancers
  • Send all diagnostic logs to a centralized Log Analytics workspace
  • Ensure that diagnostic log retention meets your compliance requirements (SOC 2, HIPAA, PCI DSS, or internal policy)
  • Configure diagnostic settings as part of your infrastructure-as-code templates so that every new resource is automatically instrumented

Microsoft Defender for Cloud

Microsoft Defender for Cloud is the primary tool for automated CIS Benchmark assessment in Azure. It continuously evaluates your resource configurations against security baselines and generates a Secure Score.

  • Enable Microsoft Defender for Cloud on all subscriptions
  • Enable the enhanced security features (Defender plans) for the workload types you use:
    • Defender for Servers (VM vulnerability assessment, adaptive application controls, JIT access)
    • Defender for Storage (malware scanning, sensitive data threat detection)
    • Defender for SQL (vulnerability assessment, Advanced Threat Protection)
    • Defender for Key Vault (anomalous access detection)
    • Defender for App Service
    • Defender for DNS (no longer sold as a separate plan; its detections are included in Defender for Servers Plan 2)
    • Defender for Resource Manager
  • Configure the Regulatory Compliance dashboard to track CIS Microsoft Azure Foundations Benchmark compliance
  • Ensure that every VM reports security data: enable agentless machine scanning and the Defender for Endpoint integration in Defender for Servers (Defender for Cloud no longer auto-provisions the retired Log Analytics agent), and deploy the Azure Monitor Agent through Azure Policy where you need guest-OS logs in Log Analytics
  • Enable continuous export of Defender for Cloud alerts and recommendations to a Log Analytics workspace or Event Hub
  • Configure email notifications for high-severity security alerts to your security operations team
  • Review and remediate Defender for Cloud recommendations weekly
  • Set a target Secure Score and track progress over time

Azure Monitor and Alerting

  • Ensure that an action group is configured with appropriate notification channels (email, SMS, webhook to your incident management system)
  • Create metric alerts for critical infrastructure: VM CPU utilization, storage account availability, SQL Database DTU consumption, Key Vault availability
  • Configure Service Health alerts to receive notifications about Azure platform incidents, planned maintenance, and health advisories affecting your subscriptions
  • Create log-based alerts for security-relevant events: failed sign-ins, privilege escalations, resource deletions, policy violations

Automated Compliance Checking

Manual checklist reviews are necessary but insufficient for maintaining compliance at scale. Azure environments change constantly — new resources are deployed, configurations are modified, team members join and leave. Automated compliance checking ensures that your environment stays hardened between manual reviews.

Microsoft Defender for Cloud Regulatory Compliance

The Regulatory Compliance dashboard in Defender for Cloud is the most straightforward way to automate CIS Benchmark assessment. It maps Defender for Cloud recommendations to CIS Benchmark controls and shows your compliance percentage across each control domain.

To configure it:

  1. Open Microsoft Defender for Cloud in the Azure portal
  2. Navigate to Regulatory compliance in the left menu
  3. Select Manage compliance policies
  4. Add the CIS Microsoft Azure Foundations Benchmark standard to each subscription
  5. Review the compliance assessment and prioritize failed controls

The dashboard updates automatically as your environment changes. Each failed control links to a detailed recommendation with remediation steps.

Azure Policy

Azure Policy enforces compliance proactively by preventing non-compliant resource configurations from being deployed and by auditing existing resources against policy definitions.

  • Assign the CIS Microsoft Azure Foundations Benchmark policy initiative to your management group or subscriptions
  • Review non-compliant resources identified by the policy initiative
  • Set critical policies to “Deny” mode to prevent non-compliant deployments (for example: deny storage accounts with public blob access, deny VMs without disk encryption)
  • Set informational policies to “Audit” mode to track compliance without blocking deployments
  • Create remediation tasks for existing non-compliant resources where auto-remediation is supported
  • Integrate policy compliance reports into your governance review process
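Azure Policy's "Deny" mode and the storage-account controls earlier in this checklist meet in the policy rule itself, so it is worth seeing how such a rule is written and why it rejects a resource. The following script is an added example, not code from the page, from CIS or from Microsoft's policy engine: it implements only the subset of the Azure Policy rule language that the rule below uses (`allOf`, `anyOf`, `not`, and `field` with `equals`, `notEquals`, `exists`, `in`, `notIn`), comparing values as case-insensitive strings so that booleans can be written as `"false"` or `false`. The field aliases are the real ones for Microsoft.Storage/storageAccounts; the three resources are constructed, and the rule mirrors four storage items from this checklist (public blob access, HTTPS only, TLS 1.2, default network action Deny).

```python
"""Minimal Azure Policy rule evaluator for a deny-insecure-storage rule (added example)."""

TYPE = "Microsoft.Storage/storageAccounts"

# The "policyRule" block of a policy definition: if the condition holds, the effect applies.
DENY_INSECURE_STORAGE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": TYPE},
            {"anyOf": [
                {"field": f"{TYPE}/allowBlobPublicAccess", "notEquals": "false"},
                {"field": f"{TYPE}/supportsHttpsTrafficOnly", "notEquals": "true"},
                {"field": f"{TYPE}/minimumTlsVersion", "notEquals": "TLS1_2"},
                {"field": f"{TYPE}/networkAcls.defaultAction", "notEquals": "Deny"},
            ]},
        ]
    },
    "then": {"effect": "deny"},
}

TOP_LEVEL_FIELDS = {"type", "name", "location", "kind", "id"}


def resolve_field(resource, field):
    """Map a policy field or alias to a value in the ARM resource body; None when absent."""
    if field in TOP_LEVEL_FIELDS:
        return resource.get(field)
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return None  # alias belongs to another resource type and never matches
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _norm(value):
    """Policy comparisons are case-insensitive; booleans become 'true'/'false'."""
    return None if value is None else str(value).lower()


def evaluate_condition(cond, resource):
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    actual = _norm(resolve_field(resource, cond["field"]))
    if "exists" in cond:
        return (actual is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return actual == _norm(cond["equals"])
    if "notEquals" in cond:
        return actual != _norm(cond["notEquals"])  # an absent field is "not equal" to anything
    if "in" in cond:
        return actual in {_norm(v) for v in cond["in"]}
    if "notIn" in cond:
        return actual not in {_norm(v) for v in cond["notIn"]}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy_rule, resource):
    """Return the effect that applies ('deny') or 'none' when the resource is compliant."""
    return policy_rule["then"]["effect"] if evaluate_condition(policy_rule["if"], resource) else "none"


def violations(policy_rule, resource):
    """Which leaf conditions of the inner anyOf fired, so a deployer can see why the deny hit."""
    leaves = policy_rule["if"]["allOf"][1]["anyOf"]
    return [c["field"].split("/")[-1] for c in leaves if evaluate_condition(c, resource)]


INSECURE = {"type": TYPE, "name": "stlegacy", "properties": {
    "allowBlobPublicAccess": True, "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_0", "networkAcls": {"defaultAction": "Allow"}}}

HARDENED = {"type": TYPE, "name": "sthardened", "properties": {
    "allowBlobPublicAccess": False, "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2", "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"}}}

# A template that never sets allowBlobPublicAccess: absent is not "false", so the deny still applies
UNSPECIFIED = {"type": TYPE, "name": "stdefault", "properties": {
    "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
    "networkAcls": {"defaultAction": "Deny"}}}

if __name__ == "__main__":
    for r in (INSECURE, HARDENED, UNSPECIFIED):
        print(r["name"], evaluate(DENY_INSECURE_STORAGE, r), violations(DENY_INSECURE_STORAGE, r))
```

The third resource is the case that matters for IaC teams: a template that omits `allowBlobPublicAccess` is denied even though the platform default would have been safe, which is deliberate; a Deny policy should force the hardened value to be stated explicitly rather than inherited from a default that Microsoft may change. The `DENY_INSECURE_STORAGE` dictionary is in the shape you would place under `policyRule` in a custom definition created with `az policy definition create --rules`.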

Infrastructure as Code

The most reliable way to maintain CIS compliance is to encode hardened configurations in your infrastructure-as-code templates. When every resource is deployed from a template that already includes the correct security settings, manual misconfiguration becomes much less likely.

  • Define hardened default configurations for storage accounts, VMs, databases, Key Vaults, and networking resources in your Terraform modules or Bicep templates
  • Validate templates before deployment with tools such as Checkov, KICS, Trivy (which absorbed tfsec) or PSRule for Azure; after deployment, run az policy state trigger-scan to force an immediate Azure Policy compliance evaluation of the deployed resources instead of waiting for the periodic scan
  • Store templates in version control with pull request reviews that include security review
  • Use CI/CD pipelines to enforce that all Azure deployments go through the approved template path

Implementation Priorities

Not every control in this checklist carries equal weight. If you are starting from a default Azure configuration, prioritize in this order:

  1. Identity: Enforce MFA for all users and administrators. Block legacy authentication. Limit Owner role assignments. This addresses the most common attack vector.
  2. Networking: Close unrestricted inbound access on management ports (SSH, RDP). Enable NSG flow logs. Deploy Private Endpoints for PaaS services.
  3. Logging: Enable Activity Log diagnostic settings and Defender for Cloud. Without logging, you cannot detect or investigate incidents.
  4. Storage and data: Disable public blob access. Enforce HTTPS. Enable soft delete.
  5. Compute: Enable disk encryption. Deploy endpoint protection. Enable JIT VM access.
  6. Database: Enable auditing and threat detection. Enforce TLS 1.2. Restrict firewall rules.
  7. Key Vault: Enable RBAC, soft delete, purge protection, and diagnostic logging.
  8. Automation: Assign CIS policy initiatives. Configure Defender for Cloud regulatory compliance tracking. Encode hardened configurations in IaC templates.

Maintaining Compliance Over Time

Hardening is not a one-time project. Azure environments drift. New resources are deployed by teams who may not be aware of the security baseline. Configurations change during troubleshooting and do not get reverted. Team members leave and their access is not removed.

Sustaining CIS Benchmark compliance requires:

  • Scheduled reviews: Review Defender for Cloud Secure Score and regulatory compliance dashboard weekly. Address regressions immediately.
  • Automated policy enforcement: Use Azure Policy in “Deny” mode for critical controls so that non-compliant configurations cannot be deployed.
  • Change management: Require infrastructure changes to go through version-controlled templates with security review.
  • Access reviews: Conduct quarterly reviews of role assignments, guest accounts, and service principal permissions.
  • Incident response integration: Ensure that Defender for Cloud alerts feed into your incident response workflow. A hardened environment that nobody monitors is only marginally better than an unhardened one.

The CIS Benchmark provides the technical standard. Microsoft Defender for Cloud provides the continuous assessment. Azure Policy provides the enforcement mechanism. Combined with disciplined change management and regular access reviews, these tools give you a defensible, auditable Azure security posture that satisfies CIS, supports your compliance obligations under SOC 2, HIPAA, and NIST, and materially reduces your risk of a cloud security incident.