CIS Benchmarks for Microsoft Azure: A Practical Security Hardening Guide
Learn how to implement CIS Benchmarks for Microsoft Azure to harden your cloud infrastructure. Covers Entra ID, Storage Accounts, NSGs, VMs, Azure SQL, Key Vault, and Azure Monitor controls with practical guidance for SOC 2 and ISO 27001 compliance.
Key Takeaways
- CIS Microsoft Azure Foundations Benchmark v3.0.0 provides 100+ security controls across identity, storage, networking, compute, databases, logging, and key management.
- Microsoft Defender for Cloud automates compliance scanning with built-in regulatory compliance dashboards for CIS benchmarks.
- Common misconfigurations include overly permissive NSGs, public storage accounts, disabled diagnostic logging, and missing MFA enforcement.
- Mapping to compliance frameworks like SOC 2 and ISO 27001 is largely mechanical, since both frameworks expect the same families of technical controls (access control, encryption, logging, network security) that the benchmark prescribes.
- Start with Entra ID and networking controls before moving to service-specific configurations, as these provide the broadest security impact.
If you're running infrastructure on Microsoft Azure, you've likely asked the question: "How do we know our Azure environment is actually secure?" The CIS Benchmarks for Azure provide a concrete answer, offering consensus-driven security guidelines that translate abstract security requirements into specific, actionable configurations.
This guide covers what the CIS Azure Benchmarks are, the key controls you need to implement, common misconfigurations we encounter during audits, and how these controls map to compliance frameworks like SOC 2 and ISO 27001.
What Are CIS Benchmarks for Azure?
The Center for Internet Security (CIS) publishes security configuration guidelines for major cloud platforms, operating systems, and applications. For Microsoft Azure, the primary document is the CIS Microsoft Azure Foundations Benchmark, currently at version 3.0.0 (released February 2025).
The benchmark provides prescriptive guidance covering:
- Identity and Access Management: Entra ID (formerly Azure AD) configuration, MFA enforcement, Conditional Access, privileged identity management
- Microsoft Defender for Cloud: Security posture configuration, threat protection settings
- Storage Accounts: Access controls, encryption, network restrictions, logging
- Database Services: Azure SQL, Cosmos DB, PostgreSQL, MySQL security configurations
- Logging and Monitoring: Azure Monitor, diagnostic settings, activity logs, alerts
- Networking: Network Security Groups, Azure Firewall, private endpoints, DDoS protection
- Virtual Machines: OS hardening, disk encryption, extension management
- Key Vault: Access policies, key rotation, secret management
- App Service: Web app security configurations
Each control includes a rationale explaining why it matters, audit procedures to check compliance, and remediation steps to fix issues.
For background on how CIS Benchmarks relate to CIS Controls, see our guide on CIS Benchmarks.
Understanding the Azure Foundations Benchmark
The CIS Azure Foundations Benchmark organizes controls into sections that align with Azure service categories. Unlike operating system benchmarks that might contain hundreds of settings, the Azure benchmark focuses on tenant-level, subscription-level, and resource-level configurations that apply broadly across your Azure environment.
Profile Levels
Like other CIS Benchmarks, Azure controls are divided into two levels:
| Level | Description | Use Case |
|---|---|---|
| Level 1 | Essential security configurations with minimal operational impact | All Azure subscriptions, regardless of workload sensitivity |
| Level 2 | Defense-in-depth controls that may require additional planning | Subscriptions hosting sensitive data or regulated workloads |
Most organizations should implement all Level 1 controls and selectively adopt Level 2 controls based on their risk profile and compliance requirements.
Key CIS Controls by Service Area
Entra ID (Identity and Access Management)
Identity misconfigurations represent the highest-risk issues in Azure environments. The CIS Benchmark dedicates significant attention to Entra ID:
Enable Security Defaults or Conditional Access policies. Security Defaults are a tenant-wide toggle that requires every user to register for MFA, enforces MFA for administrators and for risky sign-ins, and blocks legacy authentication. Security Defaults and Conditional Access cannot be used together, so tenants that need granular control (and hold Entra ID P1 or P2 licenses) disable Security Defaults and implement Conditional Access policies that require MFA based on risk signals, location, and device state.
Enforce MFA for all users, especially administrators. Every user who can access Azure resources should have MFA enabled. For privileged accounts (Global Administrators, Security Administrators, etc.), MFA should be mandatory with no exceptions. The benchmark specifically calls out requiring MFA for all administrative roles.
Block legacy authentication protocols. Basic-authentication protocols such as POP3, IMAP, SMTP AUTH, Exchange ActiveSync, and older Office clients cannot complete an MFA challenge, so a valid password alone is enough, which is why password-spray campaigns target them. Create a Conditional Access policy that blocks sign-ins whose client app is "Exchange ActiveSync clients" or "Other clients", run it in report-only mode first, and use the sign-in logs (the Client app column) to find the remaining dependents before enforcing it.
Configure Privileged Identity Management (PIM). PIM provides just-in-time privileged access, requiring administrators to activate their roles for a limited time rather than holding permanent privileges. This reduces the attack surface from compromised admin accounts.
Require phishing-resistant MFA for administrators. The benchmark recommends FIDO2 security keys or Windows Hello for Business for privileged accounts, as these methods are resistant to phishing attacks that can bypass SMS or app-based MFA.
Review guest user access regularly. External users (B2B guests) should have their access reviewed periodically. Configure access reviews in Entra ID to automatically prompt owners to validate guest access.
Enable self-service password reset with strong authentication. SSPR reduces helpdesk burden but must be configured securely. Require multiple authentication methods and avoid security questions, which can be guessed or researched.
Storage Accounts
Storage account misconfigurations remain one of the most common causes of data breaches in cloud environments:
Require secure transfer (HTTPS only). All storage accounts should have "Secure transfer required" enabled, forcing all requests to use HTTPS. This prevents data interception during transit.
Disable public blob access. Unless you explicitly need public access for static websites or public assets, disable "Allow Blob public access" at the storage account level. This prevents accidental exposure of containers and blobs.
Enable infrastructure encryption. Beyond the default service-level encryption, infrastructure encryption adds a second, independent layer of 256-bit AES encryption with a separate key at the infrastructure level, so a compromise of one key or algorithm does not expose the data. It can only be set when the account is created, so decide at provisioning time for accounts that will hold highly sensitive data.
Use private endpoints instead of public access. Configure Private Link endpoints to access storage accounts over your private network. Disable public network access entirely for storage accounts containing sensitive data.
Enable soft delete for blobs and containers. Soft delete provides a recovery window for accidentally deleted data. Configure retention periods appropriate for your recovery requirements.
Enable storage account access logging. Configure diagnostic settings to capture read, write, and delete operations. These logs are essential for incident investigation and compliance evidence.
Rotate storage account access keys. Access keys grant full data-plane access to everything in the account and carry no identity, so their use is invisible in audit trails beyond the key name. Rotate them regularly (the benchmark recommends within 90 days), prefer Entra ID authentication over shared keys, and where a token must be handed out, use a user delegation SAS with the narrowest permissions and shortest lifetime that works. Where nothing depends on the keys, set "Allow storage account key access" to Disabled so they cannot be used at all.
Set minimum TLS version to 1.2. Older TLS versions have known vulnerabilities. Configure storage accounts to reject connections using TLS 1.0 or 1.1.
Network Security Groups (NSGs)
NSGs are your primary network filtering mechanism in Azure. Proper configuration is critical:
Restrict SSH access from the internet. No NSG rule should allow inbound TCP 22 from a source of `*`, `0.0.0.0/0`, `/0`, `Internet`, or "Any", and a rule that allows a port range containing 22 counts just the same. Use Azure Bastion, Just-In-Time VM access, or VPN for administrative access.
Restrict RDP access from the internet. The same principle applies to RDP (port 3389). Internet-exposed management ports are a primary target for attackers.
Restrict UDP services from the internet. Unless specifically required, block inbound UDP from the internet. Many UDP-based services are vulnerable to amplification attacks or have known vulnerabilities.
Enable NSG Flow Logs. Flow logs record allowed and denied flow metadata for each NSG, which is what you will need to reconstruct lateral movement or confirm an exposure during an investigation. They depend on Network Watcher being enabled in every region where you have NSGs. Store flow logs in a storage account and send them to a Log Analytics workspace (Traffic Analytics) so they can be queried. Microsoft has announced the retirement of NSG flow logs in favor of virtual network flow logs, so plan new deployments on the VNet variant.
Associate NSGs with all subnets. Every subnet that supports one should have an NSG attached, even if it contains only the default rules; GatewaySubnet and AzureFirewallSubnet do not support NSGs and are the expected exceptions. This ensures no subnet is accidentally left unprotected.
Document and justify all allow rules. Each NSG rule allowing traffic should have a documented business justification. Review rules regularly and remove any that are no longer needed.
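The SSH, RDP, and UDP checks above boil down to the same test on each inbound Allow rule: is the source the whole internet, and does the destination port set include the port in question. The following is an added example written for this guide (not the CIS audit procedure or Microsoft code); it expects rules in the camelCase JSON that `az network nsg rule list -o json` emits, handles both the scalar and list forms of the source and port attributes, expands port ranges, and uses a constructed rule set as input. Like the CIS audit procedure it flags each offending Allow rule on its own and does not work out whether a higher-priority Deny rule shadows it.

```python
"""Find NSG rules that expose management ports (or any UDP) to the internet.

Added example for this guide; it is not the CIS audit script or Microsoft code.
Rules are expected in the camelCase JSON that `az network nsg rule list -o json`
emits (direction, access, protocol, sourceAddressPrefix(es),
destinationPortRange(s)). The sample rules are constructed.
"""

INTERNET_SOURCES = {"*", "0.0.0.0", "0.0.0.0/0", "/0", "internet", "any"}
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}


def _values(rule, single, plural):
    """Merge the scalar and list forms of a rule attribute into one list of strings."""
    out = list(rule.get(plural) or [])
    if rule.get(single):
        out.append(rule[single])
    return [str(v).strip() for v in out]


def _destination_ports(rule):
    """Return the set of destination ports, or None when the rule matches all ports."""
    ports = set()
    for item in _values(rule, "destinationPortRange", "destinationPortRanges"):
        if item == "*":
            return None
        low, _, high = item.partition("-")          # "22" or "3000-3400"
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def _open_to_internet(rule):
    """True if any source prefix is a wildcard, the Internet tag, or a /0 network."""
    sources = {s.lower() for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")}
    return any(s in INTERNET_SOURCES or s.endswith("/0") for s in sources)


def exposed_rules(rules):
    """Return (rule name, priority, protocol, service) for every violating rule."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if not _open_to_internet(rule):
            continue
        proto = str(rule.get("protocol", "*")).lower()   # Tcp, Udp, Icmp or *
        ports = _destination_ports(rule)
        if proto in ("tcp", "*"):
            for port, service in MANAGEMENT_PORTS.items():
                if ports is None or port in ports:
                    findings.append((rule["name"], rule["priority"], "TCP", service))
        if proto in ("udp", "*"):
            # Any inbound UDP from the internet is a finding under the UDP control.
            findings.append((rule["name"], rule["priority"], "UDP", "UDP"))
    return findings


# Constructed sample rule set covering the common shapes seen in audits.
SAMPLE_RULES = [
    {"name": "allow-ssh-any", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-rdp-range", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["3000-3400"]},
    {"name": "allow-https", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-ssh-corp", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["203.0.113.0/24"], "destinationPortRange": "22"},
    {"name": "allow-all-test", "priority": 140, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*"},
    {"name": "deny-udp", "priority": 150, "direction": "Inbound", "access": "Deny",
     "protocol": "Udp", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for name, prio, proto, service in exposed_rules(SAMPLE_RULES):
        print(f"{name} (priority {prio}): {proto} {service} open to the internet")
```

Note the `allow-rdp-range` rule: a range of 3000-3400 does not mention 3389 anywhere in the portal, which is why a grep for "3389" misses it and why the port set has to be expanded. The "for testing" rule `allow-all-test` produces three findings on its own.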
Virtual Machines
VM security settings protect your compute workloads from various attack vectors:
Enable encryption for VM disks. All OS and data disks should be encrypted beyond the platform default: Azure Disk Encryption (BitLocker on Windows, dm-crypt on Linux) encrypts inside the guest with keys held in Key Vault, while encryption at host or server-side encryption with customer-managed keys encrypts at the storage layer. Pick one approach per VM, because Azure Disk Encryption and encryption at host cannot be combined on the same VM.
Install and configure endpoint protection. Microsoft Defender for Endpoint or an equivalent antimalware solution should be deployed on all VMs. Ensure real-time protection is enabled and definitions are updated.
Enable Just-In-Time VM access. JIT access (a Microsoft Defender for Servers feature) keeps management ports closed by default and opens them temporarily, for an approved requester's source address only, when administrators need access. This dramatically reduces exposure to brute-force attacks.
Use managed identities instead of stored credentials. When VMs need to access other Azure resources, use a managed identity rather than a service principal whose client secret or certificate sits on the VM. A managed identity is still a service principal underneath, but its credentials are issued and rotated by the platform and never appear on disk or in configuration.
Keep VMs updated. Enable Azure Update Manager to ensure VMs receive security patches promptly. The benchmark recommends system updates be applied within 30 days of release.
Disable unnecessary VM extensions. Each installed extension increases attack surface. Remove extensions that aren't actively used.
Enable boot diagnostics to a secure storage account. Boot diagnostics help troubleshoot startup issues but must be stored securely. Use a storage account with appropriate access controls.
Azure SQL Database
Database security requires attention to network access, encryption, and auditing:
Enable transparent data encryption (TDE). TDE encrypts data, log, and backup files at rest and is on by default for new Azure SQL databases, so the audit is confirming that it has not been turned off. For separation of duties, use customer-managed keys in Key Vault rather than service-managed keys, and make sure that vault has soft delete and purge protection enabled first: losing the key makes the database unreadable.
Enable auditing for Azure SQL databases. Configure auditing to capture database events and store them in a storage account or Log Analytics workspace. Audit logs are essential for compliance and incident investigation.
Configure threat protection. Microsoft Defender for SQL (the successor to Advanced Threat Protection) detects anomalous database activities, SQL injection attempts, and access from unusual locations or applications. Enable it for all production servers.
Restrict public network access. Disable "Allow Azure services and resources to access this server" unless specifically required. Use private endpoints and firewall rules to limit access to known IP ranges.
Enforce a minimum TLS version of 1.2. Configure Azure SQL to reject connections using older TLS versions.
Configure short-term and long-term backup retention. The benchmark recommends backup retention periods appropriate for your recovery requirements and compliance obligations.
Enable Entra ID authentication. Prefer Entra ID authentication over SQL authentication: it gives centralized identity management, MFA and Conditional Access support, and better audit trails. Where no application still depends on SQL logins, turn on Microsoft Entra-only authentication so that password-based SQL logins are refused entirely.
Key Vault
Proper key and secret management is fundamental to cloud security:
Enable soft delete and purge protection. Soft delete (now enabled on every new vault) keeps deleted vaults, keys, secrets, and certificates recoverable for a retention period of 7 to 90 days. Purge protection prevents anyone, including owners, from permanently purging a soft-deleted object before that period ends, which is what stops a single compromised account from destroying your keys irreversibly. Purge protection cannot be turned off once enabled.
Enable logging for Key Vault. Configure diagnostic settings to capture all operations on the vault. These logs show who accessed what secrets and when.
Use private endpoints for Key Vault access. Access Key Vault over your private network using Private Link. Disable public network access for vaults containing production secrets.
Enable automatic key rotation. Key Vault can rotate keys on a schedule through a key rotation policy; the benchmark recommends rotation within 90 days for most use cases. Built-in rotation applies to keys only: secrets have no native rotation, so subscribe to the Key Vault near-expiry event through Event Grid and rotate them with a function or automation runbook.
Set expiration dates on secrets and keys. All secrets and keys should have expiration dates. This ensures credentials don't remain valid indefinitely if rotation processes fail.
Use RBAC instead of access policies. The Azure RBAC permission model for Key Vault scopes permissions down to an individual key, secret, or certificate, supports PIM just-in-time activation, and shows up in the same access reviews as the rest of your Azure roles. Migrate from legacy access policies to RBAC by switching the vault's permission model; assign the roles before you switch, because access policies are ignored once RBAC is in effect.
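The expiration and rotation controls above are the ones most often failed by vaults that were set up correctly and then quietly accumulated secrets. The following is an added example written for this guide (not CIS or Microsoft code) that audits both: it expects objects in the JSON that `az keyvault secret list` and `az keyvault key list` return (`name`, `attributes.enabled`, `attributes.expires` as ISO-8601 or null) and rotation policies in the shape of `az keyvault key rotation-policy show` (`lifetimeActions[].action.type` and `trigger.timeAfterCreate` as an ISO-8601 duration). The sample secrets and policies are constructed.

```python
"""Audit Key Vault objects for missing or near expiry, and key rotation policy.

Added example for this guide; it is not CIS or Microsoft code. Inputs follow
the JSON shapes of `az keyvault secret list` / `az keyvault key list` and
`az keyvault key rotation-policy show`. All samples are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

MAX_ROTATION_DAYS = 90   # rotation window cited in the text
WARN_DAYS = 30           # flag objects that expire within this window

# ISO-8601 date durations as Key Vault writes them: P90D, P6M, P1Y, P1Y6M.
_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")


def _parse_time(value):
    """Return an aware datetime for an ISO-8601 string, or None for null."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def duration_days(iso):
    """Approximate an ISO-8601 date duration in days (months as 30, years as 365)."""
    match = _DURATION.match(iso or "")
    if not match:
        raise ValueError(f"unsupported duration: {iso!r}")
    years, months, days = (int(g or 0) for g in match.groups())
    return years * 365 + months * 30 + days


def audit_expiry(items, now, warn_days=WARN_DAYS):
    """Return (name, status) for enabled objects that lack, passed, or approach expiry."""
    findings = []
    for item in items:
        attrs = item.get("attributes") or {}
        if not attrs.get("enabled", True):
            continue                         # disabled objects cannot be retrieved
        expires = _parse_time(attrs.get("expires"))
        if expires is None:
            findings.append((item["name"], "no_expiry"))
        elif expires <= now:
            findings.append((item["name"], "expired"))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((item["name"], "expiring_soon"))
    return findings


def rotation_policy_ok(policy, max_days=MAX_ROTATION_DAYS):
    """True if the policy contains a Rotate action that fires within max_days of creation."""
    for action in (policy or {}).get("lifetimeActions") or []:
        if (action.get("action") or {}).get("type", "").lower() != "rotate":
            continue                         # Notify actions do not rotate anything
        after = (action.get("trigger") or {}).get("timeAfterCreate")
        if after and duration_days(after) <= max_days:
            return True
    return False


# Constructed samples.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"name": "db-password", "attributes": {"enabled": True, "expires": None}},
    {"name": "api-token", "attributes": {"enabled": True, "expires": "2025-03-01T00:00:00+00:00"}},
    {"name": "tls-cert-pw", "attributes": {"enabled": True, "expires": "2025-06-20T00:00:00+00:00"}},
    {"name": "legacy-key", "attributes": {"enabled": False, "expires": None}},
    {"name": "signing-seed", "attributes": {"enabled": True, "expires": "2026-01-01T00:00:00+00:00"}},
]
GOOD_POLICY = {"lifetimeActions": [{"action": {"type": "Rotate"}, "trigger": {"timeAfterCreate": "P60D"}}]}
NOTIFY_ONLY = {"lifetimeActions": [{"action": {"type": "Notify"}, "trigger": {"timeBeforeExpiry": "P30D"}}]}
SLOW_POLICY = {"lifetimeActions": [{"action": {"type": "Rotate"}, "trigger": {"timeAfterCreate": "P1Y"}}]}

if __name__ == "__main__":
    for name, status in audit_expiry(SAMPLE_SECRETS, NOW):
        print(f"{name}: {status}")
    for label, policy in (("good", GOOD_POLICY), ("notify-only", NOTIFY_ONLY), ("slow", SLOW_POLICY)):
        print(f"rotation policy {label}: {'ok' if rotation_policy_ok(policy) else 'FAIL'}")
```

Run `audit_expiry` over the output of both `secret list` and `key list`; the attribute shape is the same. A policy with only a Notify action is a common false sense of security: it emails someone before expiry but rotates nothing, which is why `rotation_policy_ok` insists on a Rotate action with a creation-relative trigger.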
Azure Monitor and Logging
Comprehensive logging is essential for security monitoring and incident response:
Enable Activity Log alerts for critical operations. Configure alerts for high-impact operations including:
- Policy assignment changes
- Network Security Group changes
- Security solution modifications
- SQL Server firewall rule changes
- Security policy changes
- Custom role creation or modification
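Whether an alert "exists" for one of these operations is harder to eyeball than it sounds: the rule has to be enabled, scoped to the subscription rather than a single resource group, and carry a condition on the right operation name. The following is an added example written for this guide (not CIS or Microsoft code) that evaluates exactly that. It expects alert rules in the JSON that `az monitor activity-log alert list -o json` returns (`enabled`, `scopes`, and `condition.allOf[]` leaves with `field` plus `equals` or `containsAny`, optionally nested under `anyOf`). The operation names are the Azure resource-provider operation strings for the changes listed above; confirm the exact set against the benchmark version you are auditing. The sample rules are constructed.

```python
"""Check which required Activity Log alerts exist for a subscription.

Added example for this guide; it is not CIS or Microsoft code. Alert rules are
expected in the JSON `az monitor activity-log alert list -o json` returns.
The operation names are the Azure resource-provider operations for the
changes listed in the text; check them against your benchmark version.
Sample rules are constructed.
"""

REQUIRED_OPERATIONS = {
    "Microsoft.Authorization/policyAssignments/write": "Create policy assignment",
    "Microsoft.Authorization/policyAssignments/delete": "Delete policy assignment",
    "Microsoft.Network/networkSecurityGroups/write": "Create or update NSG",
    "Microsoft.Network/networkSecurityGroups/delete": "Delete NSG",
    "Microsoft.Security/securitySolutions/write": "Create or update security solution",
    "Microsoft.Security/securitySolutions/delete": "Delete security solution",
    "Microsoft.Sql/servers/firewallRules/write": "Create or update SQL Server firewall rule",
    "Microsoft.Sql/servers/firewallRules/delete": "Delete SQL Server firewall rule",
    "Microsoft.Security/policies/write": "Update security policy",
    "Microsoft.Authorization/roleDefinitions/write": "Create or update custom role",
}


def _collect_leaves(condition, out):
    """Flatten allOf/anyOf leaves into {field_lower: set(values)}."""
    for leaf in condition.get("allOf") or []:
        if leaf.get("field"):
            values = out.setdefault(leaf["field"].lower(), set())
            if leaf.get("equals") is not None:
                values.add(leaf["equals"])
            values.update(leaf.get("containsAny") or [])
        if leaf.get("anyOf"):                       # one level of OR nesting
            _collect_leaves({"allOf": leaf["anyOf"]}, out)
    return out


def operations_alerted(rule, subscription_id):
    """Operations an enabled, subscription-scoped Administrative alert fires on."""
    if not rule.get("enabled", False):
        return set()
    wanted = f"/subscriptions/{subscription_id}".lower()
    if wanted not in {s.lower() for s in rule.get("scopes") or []}:
        return set()                                # resource-group scope misses other RGs
    fields = _collect_leaves(rule.get("condition") or {}, {})
    if "category" in fields and "Administrative" not in fields["category"]:
        return set()
    return set(fields.get("operationname", set()))


def alert_coverage(rules, subscription_id):
    """Return (covered, missing) sets of required operation names."""
    covered = set()
    for rule in rules:
        covered |= operations_alerted(rule, subscription_id) & set(REQUIRED_OPERATIONS)
    return covered, set(REQUIRED_OPERATIONS) - covered


# Constructed sample: one good rule, one combined rule, one disabled, one mis-scoped.
SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_RULES = [
    {"name": "nsg-write", "enabled": True, "scopes": [f"/subscriptions/{SUB}"],
     "condition": {"allOf": [
         {"field": "category", "equals": "Administrative"},
         {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]}},
    {"name": "policy-and-nsg-delete", "enabled": True, "scopes": [f"/subscriptions/{SUB}"],
     "condition": {"allOf": [
         {"field": "category", "equals": "Administrative"},
         {"anyOf": [
             {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"},
             {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]}]}},
    {"name": "sql-fw-disabled", "enabled": False, "scopes": [f"/subscriptions/{SUB}"],
     "condition": {"allOf": [
         {"field": "category", "equals": "Administrative"},
         {"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]}},
    {"name": "role-rg-only", "enabled": True, "scopes": [f"/subscriptions/{SUB}/resourceGroups/rg-app"],
     "condition": {"allOf": [
         {"field": "category", "equals": "Administrative"},
         {"field": "operationName", "equals": "Microsoft.Authorization/roleDefinitions/write"}]}},
]

if __name__ == "__main__":
    covered, missing = alert_coverage(SAMPLE_RULES, SUB)
    for op in sorted(missing):
        print(f"MISSING alert: {REQUIRED_OPERATIONS[op]} ({op})")
```

The disabled rule and the resource-group-scoped rule are the two shapes that make a dashboard look greener than it is: both appear in the alert list, and neither fires for a firewall rule or custom role created elsewhere in the subscription. An alert also needs an action group attached to be useful; that is a separate check on `actions.actionGroups`.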
Configure diagnostic settings for all resources. Azure collects platform metrics automatically, but resource logs are not collected anywhere until a diagnostic setting exists. Configure diagnostic settings to send platform logs and metrics for all critical resources to a Log Analytics workspace, and use Azure Policy deployIfNotExists assignments so new resources get them automatically.
Set appropriate log retention periods. Configure Log Analytics workspace retention appropriate for your compliance requirements. The benchmark recommends a minimum of 90 days for security logs.
Create a centralized Log Analytics workspace. Aggregate logs from across subscriptions into a central workspace for unified security monitoring and analysis.
Enable Microsoft Defender for Cloud recommendations. Defender for Cloud continuously assesses your environment and provides security recommendations. Configure it to cover all subscriptions and resource types.
Common Azure Misconfigurations We Find During Audits
Based on our compliance and security work with Azure customers, these issues appear repeatedly:
MFA Not Enforced for All Users
We frequently find Azure tenants where MFA is enabled for administrators but not enforced for regular users. Since any compromised account can potentially access Azure resources, MFA should be mandatory for everyone.
The fix: implement Conditional Access policies requiring MFA for all users when accessing Azure management endpoints. Use Security Defaults if you don't need granular Conditional Access.
Public Storage Accounts
Storage accounts with public blob access enabled, combined with containers set to "Blob" or "Container" access level, expose data to anyone who discovers the URL. We find this configuration regularly, often created for temporary file sharing and never locked down.
The fix: disable "Allow Blob public access" at the storage account level. For legitimate public sharing, issue user delegation SAS tokens with short expiration times and the minimum permissions, or serve the content from a static website or CDN endpoint that is explicitly meant to be public.
Overly Permissive NSG Rules
NSG rules allowing SSH or RDP from 0.0.0.0/0 created during initial deployment often remain in place. Similarly, we find rules allowing all inbound traffic for "testing" that become permanent.
The fix: audit all NSG rules allowing traffic from the internet. Implement Azure Bastion or JIT VM access for administrative access. Remove or restrict any rules without documented business justification.
Diagnostic Logging Not Configured
Azure resources don't send diagnostic logs anywhere by default. Many environments have critical resources with no logging configured, leaving security teams blind to potential incidents.
The fix: create a standard diagnostic setting policy that applies to all resources. Use Azure Policy to enforce diagnostic settings at scale.
Missing Activity Log Alerts
The Activity Log captures subscription-level operations, but without alerts, nobody monitors it in real-time. We often find environments where the Activity Log exists but no alerts notify administrators of critical changes.
The fix: configure Activity Log alerts for the operations specified in the CIS Benchmark. Send alerts to a monitored mailbox or integrate with your SIEM.
Legacy Authentication Not Blocked
Many Azure tenants still allow legacy authentication protocols that bypass MFA. Attackers specifically target these protocols because they only require username and password.
The fix: create Conditional Access policies blocking legacy authentication for all users. Monitor sign-in logs for any remaining legacy authentication attempts.
Using Microsoft Defender for Cloud for CIS Compliance
Microsoft Defender for Cloud provides automated compliance scanning against CIS Benchmarks. The Regulatory Compliance dashboard shows your compliance posture against various standards, including the CIS Microsoft Azure Foundations Benchmark.
Key capabilities include:
Continuous compliance assessment: Defender for Cloud continuously evaluates your Azure resources against benchmark controls and generates recommendations when configurations don't meet requirements.
Compliance dashboard: View your compliance percentage across all controls, broken down by control domain and severity.
Secure Score integration: Many CIS controls contribute to your overall Secure Score, providing a single metric for security posture.
Multi-subscription visibility: Aggregate compliance data across all subscriptions in your organization.
Remediation guidance: Each recommendation includes step-by-step remediation instructions and often a "Quick Fix" option for automated remediation.
Export capabilities: Export compliance data for reporting and integrate with Azure Logic Apps for automated workflows.
Enabling CIS Benchmark Assessment
To enable CIS compliance scanning in Defender for Cloud:
- Navigate to Microsoft Defender for Cloud in the Azure Portal
- Go to Regulatory compliance
- Click "Manage compliance policies"
- Select your subscription
- Enable the CIS Microsoft Azure Foundations Benchmark standard
Defender for Cloud will begin assessing resources against the benchmark and populate compliance data within a few hours.
Mapping CIS Benchmarks to SOC 2 and ISO 27001
If you're pursuing SOC 2 Type 2 or ISO 27001 certification, CIS Benchmark compliance provides strong coverage of the technical controls these frameworks require.
SOC 2 Alignment
The SOC 2 Trust Services Criteria map directly to CIS controls:
| SOC 2 Criteria | CIS Azure Benchmark Coverage |
|---|---|
| CC6.1 (Logical access, including encryption of data at rest) | Entra ID controls, MFA, Conditional Access, PIM, Key Vault, storage encryption, Azure Disk Encryption, TDE |
| CC6.6 (Threats from outside system boundaries) | NSG restrictions, private endpoints, Azure Firewall, Defender for Cloud |
| CC6.7 (Data in transmission) | TLS requirements, secure transfer enforcement |
| CC6.8 (Unauthorized or malicious software) | Endpoint protection on VMs, Defender threat protection, VM extension management |
| CC7.2 (Monitoring) | Azure Monitor alerts, Activity Log, diagnostic settings |
| CC8.1 (Change management) | Activity Log auditing, change detection alerts |
ISO 27001 Alignment
ISO 27001 Annex A controls also align with CIS recommendations. The table below references ISO 27001:2022 control categories:
| ISO 27001:2022 Control | CIS Azure Benchmark Coverage |
|---|---|
| A.5.15-5.18 (Access control) | Entra ID, MFA, PIM, Conditional Access |
| A.8.24 (Use of cryptography) | Storage encryption, Key Vault, TDE, TLS |
| A.8.15-8.16 (Logging and monitoring) | Azure Monitor, Activity Log, diagnostic settings |
| A.8.20-8.22 (Network security) | NSGs, private endpoints, Azure Firewall |
| A.8.9 (Configuration management) | Benchmark-based hardening baselines for every service area, enforced with Azure Policy |
Implementing CIS Benchmarks doesn't automatically make you compliant with either framework, but it addresses the majority of technical controls auditors will examine.
Azure Security Hardening Checklist
Use this checklist to assess your current CIS Benchmark compliance:
Identity (Entra ID)
- Security Defaults enabled or equivalent Conditional Access policies in place
- MFA enforced for all users
- MFA enforced for all administrators
- Legacy authentication blocked
- Privileged Identity Management configured for admin roles
- Guest access reviewed regularly
- Self-service password reset configured securely
Storage Accounts
- Secure transfer required enabled
- Public blob access disabled
- Private endpoints configured
- Soft delete enabled
- Diagnostic logging configured
- Access keys rotated regularly
- Minimum TLS version set to 1.2
Networking
- No NSG rules allow SSH from 0.0.0.0/0
- No NSG rules allow RDP from 0.0.0.0/0
- NSG Flow Logs enabled
- NSGs associated with all subnets
- Network Watcher enabled in all regions
- All allow rules documented and justified
Virtual Machines
- Azure Disk Encryption enabled
- Endpoint protection deployed
- Just-In-Time access configured
- Managed identities used instead of service principals
- VMs kept updated
- Boot diagnostics enabled securely
Databases
- TDE enabled on all Azure SQL databases
- Auditing configured
- Advanced Threat Protection enabled
- Public network access restricted
- Minimum TLS version set to 1.2
- Entra ID authentication preferred
Key Vault
- Soft delete and purge protection enabled
- Diagnostic logging configured
- Private endpoints used
- Key rotation configured
- Expiration dates set on secrets and keys
- RBAC used instead of access policies
Monitoring
- Activity Log alerts configured for critical operations
- Diagnostic settings configured for all resources
- Log retention periods appropriate for compliance
- Centralized Log Analytics workspace configured
- Defender for Cloud enabled and configured
Frequently Asked Questions
What version of the CIS Azure Benchmark is current?
The CIS Microsoft Azure Foundations Benchmark is currently at version 3.0.0, released in February 2025. Microsoft Defender for Cloud supports the benchmark as a regulatory compliance standard.
How many controls does the CIS Azure Foundations Benchmark include?
The CIS Azure Foundations Benchmark v3.0.0 includes over 100 controls across nine sections: Identity and Access Management, Microsoft Defender for Cloud, Storage Accounts, Database Services, Logging and Monitoring, Networking, Virtual Machines, Key Vault, and App Service.
Does Microsoft Defender for Cloud support CIS Benchmarks?
Yes. Microsoft Defender for Cloud includes the CIS Microsoft Azure Foundations Benchmark as a regulatory compliance standard. When enabled, it continuously assesses your Azure subscriptions for compliance with CIS controls.
Is CIS compliance required for SOC 2?
CIS compliance isn't explicitly required for SOC 2, but the technical controls in CIS Benchmarks address many SOC 2 Trust Services Criteria. Auditors will examine your cloud configuration, and environments that meet the benchmark rarely produce technical findings.
How often should we scan for CIS compliance?
Microsoft Defender for Cloud runs continuous compliance assessments when enabled. For organizations not using Defender for Cloud, monthly scans are typical, with additional scans after significant infrastructure changes.
What is the difference between CIS Controls and CIS Benchmarks?
CIS Controls are a prioritized set of 18 security actions applicable to any organization. CIS Benchmarks are platform-specific configuration guides. The Azure Foundations Benchmark implements many CIS Controls in the Azure context, particularly Control 4 (Secure Configuration of Enterprise Assets and Software).
How long does implementing the CIS Azure Benchmark take?
Implementation time varies significantly based on your current state. Organizations starting fresh can build CIS-compliant infrastructure in days using Azure Resource Manager templates or Terraform. Remediating an existing environment with multiple violations typically takes 2-4 weeks, depending on the number of subscriptions and the severity of gaps.
Can CIS controls be automated?
Many CIS controls can be automated using Azure Policy. Azure provides built-in policy definitions aligned with CIS controls, and you can create custom policies for additional requirements. Defender for Cloud also offers automated remediation for certain recommendations.
Should we use Security Defaults or Conditional Access?
Security Defaults is a simple toggle that enables baseline security settings, including MFA registration for all users and MFA enforcement for administrators. Conditional Access provides granular policy control, allowing you to require MFA based on risk signals, location, device compliance, and other conditions. Organizations with Entra ID P1 or P2 licenses should use Conditional Access for more sophisticated scenarios; the two cannot be enabled at the same time.
How does Azure Bastion help with CIS compliance?
Azure Bastion provides secure RDP and SSH access to VMs without exposing management ports to the internet. This helps satisfy CIS controls that prohibit SSH and RDP access from 0.0.0.0/0. Bastion connections are browser-based, encrypted, and logged.
Bastion helps companies achieve SOC 2, ISO 27001, and other compliance certifications while ensuring their cloud infrastructure is genuinely secure. If you're working on Azure security hardening or preparing for a compliance audit, reach out to us.