Implementing Microsoft Azure Security

Azure Security Implementation Services

Protect Your Cloud & Business

Microsoft Azure delivers industry-leading cloud infrastructure and services — but without a strong security foundation, your organization is exposed to data breaches, ransomware, identity compromise, and costly regulatory violations (HIPAA, PCI-DSS, NIST, CCPA).

✅ Identity-First Security (Zero Trust)
✅ Secure Network Architecture
✅ Advanced Threat Detection & Response
✅ Data Protection & Encryption
✅ Incident Response & Threat Mitigation
✅ Vulnerability Assessment & Risk Analysis

At OC Security Audit, we combine over 25 years of security experience with best-practice cloud hardening frameworks to secure Azure workloads, protect data, and strengthen compliance posture.

Microsoft Azure Security Services

Microsoft Azure Security Services in Orange County, CA

OC Security Audit provides Microsoft Azure security services throughout Orange County, helping organizations secure cloud infrastructure, identities, data, workloads, and virtual networks.

Serving businesses in Irvine, Anaheim, Santa Ana, Costa Mesa, Newport Beach, Huntington Beach, Fullerton, Orange, Garden Grove, Mission Viejo, and other cities throughout Orange County, California.

  • Secure Azure cloud infrastructure and workloads
  • Protect identities, data, and virtual networks
  • Improve cloud security posture and compliance

Why Azure Security Matters

  • Publicly exposed storage and databases
  • Identity and access compromise
  • Lateral movement attacks
  • Ransomware and malware infiltration
  • Compliance violations

Azure Security Implementation Services

  • Identity & Access Management Hardening
  • Zero Trust Network Architecture
  • Data Protection & Encryption
  • Threat Detection & Response
  • Workload & App Security
  • Compliance & Audit Readiness
  • Backup, DR & Resilience Architecture

Strengthen your Azure security posture. Protect cloud assets, reduce risk, and prepare for compliance requirements.

Request Free Assessment
Azure Security Services

Azure Security Services We Implement

OC Security Audit helps businesses implement Microsoft Azure security controls across cloud infrastructure, identity, network, server, application, data protection, and monitoring layers.

  • Identity: MFA, Conditional Access, RBAC, and privileged access controls.
  • Network: Virtual networks, NSGs, Azure Firewall, VPN, and private endpoints.
  • Servers: VM hardening, EDR, patching, encryption, and secure remote access.
  • SIEM: Azure Monitor, Log Analytics, Microsoft Sentinel, and alerting.

Azure Identity Security

We secure Microsoft Entra ID by implementing MFA, Conditional Access, RBAC, privileged access controls, admin account separation, and identity monitoring.

Azure Network Security

We design and implement secure virtual networks, subnet segmentation, NSGs, routing controls, Azure Firewall, VPN connectivity, private endpoints, and traffic inspection.

Azure VM Security

We harden Windows and Linux VMs by securing remote access, enabling EDR, applying patching controls, configuring host firewalls, enabling disk encryption, and sending logs to monitoring systems.

Azure Firewall and WAF Implementation

We configure Azure Firewall, firewall policies, application rules, network rules, threat intelligence filtering, and Web Application Firewall protections for internet-facing applications.

Azure Remote Access Security

We secure administrator access using Azure Bastion, VPN, just-in-time VM access, MFA, Conditional Access, privileged access controls, and logging.

Azure Monitoring and SIEM Integration

We configure Azure Monitor, Log Analytics, Defender for Cloud alerts, Microsoft Sentinel, log retention, incident rules, and security alerting.

Azure Data Protection

We secure storage accounts, databases, Key Vault, encryption settings, private endpoints, backup policies, and access controls.

Azure Security Operations

We help organizations monitor alerts, review Secure Score, respond to incidents, maintain firewall rules, review access, and keep Azure workloads protected over time.

Implement Azure Security Controls with OC Security Audit

From Microsoft Entra ID and Azure Firewall to virtual machine hardening, data protection, Microsoft Sentinel, and long-term security operations, OC Security Audit helps businesses strengthen Azure security across the full cloud environment.

Request Azure Security Implementation Help →

What Components of Microsoft Azure Need to Be Secured?

Microsoft Azure security requires layered protection across identity, governance, networking, virtual machines, remote access, endpoint protection, data services, cloud posture management, and continuous monitoring.

Azure Security Hardening

A secure Microsoft Azure environment requires more than enabling one security tool. Each layer of the cloud environment must be reviewed, configured, monitored, and maintained to reduce identity risk, network exposure, insecure administration, data leakage, and cloud misconfiguration.

  • 10 Azure security areas that should be hardened and monitored.
  • 24/7 logging, alerting, and SIEM visibility for cloud threats.
  • MFA identity protection for users, administrators, and privileged roles.
  • Zero unnecessary public exposure for RDP, SSH, storage, and databases.

Microsoft Entra ID and Identity Access

Secure Azure identity controls with MFA, Conditional Access, role-based access control, privileged access management, identity protection, and access reviews.

Security controls

  • Enable multi-factor authentication for administrators and users.
  • Use Conditional Access policies.
  • Apply role-based access control using least privilege.
  • Use Privileged Identity Management for just-in-time admin access.
  • Disable legacy authentication and monitor risky sign-ins.

Azure Subscriptions and Management Groups

Azure subscriptions should be organized with governance, policy enforcement, security baselines, centralized logging, and role separation.

Security controls

  • Separate production, development, testing, and security subscriptions.
  • Use management groups for centralized governance.
  • Apply Azure Policy initiatives.
  • Configure resource locks for critical systems.
  • Enable Microsoft Defender for Cloud across subscriptions.

Azure Virtual Networks

Azure virtual networks must be segmented, filtered, monitored, and protected against unauthorized inbound and outbound traffic.

Security controls

  • Segment workloads by subnet.
  • Separate application, database, management, and security zones.
  • Apply Network Security Groups to subnets and interfaces.
  • Use private endpoints for Azure PaaS services.
  • Monitor network traffic with Network Watcher and flow logs.

Azure Firewall, NSGs, and WAF

Azure network security should include layered filtering with NSGs, Azure Firewall, and Web Application Firewall protection.

Security controls

  • Deploy Azure Firewall or an approved third-party NGFW.
  • Use route tables to force traffic through inspection points.
  • Configure deny-by-default firewall rules.
  • Restrict RDP, SSH, SMB, SQL, and management ports.
  • Send firewall logs to Log Analytics or Microsoft Sentinel.

Azure Virtual Machines

Azure VMs need operating system hardening, patching, endpoint protection, disk encryption, secure remote access, and monitoring.

Security controls

  • Remove public IPs unless absolutely required.
  • Use Azure Bastion or VPN instead of direct RDP/SSH exposure.
  • Enable just-in-time VM access.
  • Apply OS security baselines and encrypt managed disks.
  • Send security logs to Log Analytics or SIEM.

Remote Access to Azure Servers

Remote access is one of the highest-risk areas in Azure. RDP and SSH should not be exposed directly to the internet.

Security controls

  • Remove public RDP and SSH access.
  • Use Azure Bastion for administrative access.
  • Require MFA for administrators.
  • Enable just-in-time VM access through Defender for Cloud.
  • Monitor failed login attempts and brute-force activity.

Antivirus, EDR, and Malware Protection

Azure workloads should have endpoint protection and EDR installed, monitored, and integrated into the security response process.

Security controls

  • Deploy Microsoft Defender for Endpoint or approved EDR.
  • Enable Defender for Servers where appropriate.
  • Monitor malware alerts and suspicious process activity.
  • Configure attack surface reduction rules.
  • Centralize EDR alerts into Microsoft Defender portal or SIEM.

Azure Storage, Databases, and Data Protection

Azure storage accounts, databases, and data services must be protected against public exposure, weak access controls, insecure keys, and data leakage.

Security controls

  • Disable anonymous public access unless explicitly required.
  • Use private endpoints for storage and database services.
  • Rotate storage account keys.
  • Encrypt data at rest and in transit.
  • Enable database auditing and threat detection.

Microsoft Defender for Cloud

Microsoft Defender for Cloud should be enabled for posture management, recommendations, threat detection, and workload protection.

Security controls

  • Enable Defender for Cloud on Azure subscriptions.
  • Review Secure Score regularly.
  • Prioritize high-risk recommendations.
  • Enable workload plans for servers, storage, databases, and containers.
  • Integrate Defender alerts with Microsoft Sentinel or another SIEM.

Azure Logging, Monitoring, and SIEM

Azure security is incomplete without logging and monitoring. Security logs and Defender alerts should feed a SIEM for detection and response.

Security controls

  • Enable Azure Activity Logs and Microsoft Entra ID logs.
  • Enable diagnostic logs for critical Azure services.
  • Enable NSG flow logs, Azure Firewall logs, and WAF logs.
  • Send logs to Microsoft Sentinel or an existing SIEM.
  • Monitor failed logins, privilege changes, public IP creation, and risky sign-ins.

Azure Security Requires Full-Stack Cloud Protection

Securing Microsoft Azure means protecting identity, governance, networking, virtual machines, remote access, endpoint protection, data services, cloud posture management, and security monitoring. Each Azure component should be hardened, logged, reviewed, and continuously monitored.

Request an Azure Security Review →
Azure Security Implementation Roadmap

How to Implement Microsoft Azure Security

Use this step-by-step Azure security guide to review your cloud environment, secure identity, harden subscriptions, protect networks and virtual machines, configure logging, enable Microsoft Defender for Cloud, and build ongoing security operations.

  • 13 implementation phases for Microsoft Azure security.
  • IAM: Identity-first security using MFA, RBAC, and Conditional Access.
  • SIEM: Centralized logging with Log Analytics and Microsoft Sentinel.
  • Ops: Ongoing monitoring, patching, alert review, and improvement.

Review the Azure Environment

Begin by identifying Azure subscriptions, management groups, resource groups, users, administrators, virtual networks, virtual machines, storage accounts, databases, applications, firewalls, and public-facing services.

Implementation tasks

  • Inventory Azure subscriptions and resource groups.
  • Identify internet-facing resources.
  • Review all public IP addresses.
  • Identify administrative users and privileged roles.
  • Review network architecture.
  • Review remote access methods.
  • Identify unprotected VMs.
  • Review logging and monitoring coverage.
  • Document security gaps and risk areas.

Secure Microsoft Entra ID

Identity is the control plane for Azure. If identities are compromised, attackers can create resources, access data, change firewall rules, disable logging, and move laterally.

Implementation tasks

  • Enforce MFA for all administrators.
  • Configure Conditional Access policies.
  • Block legacy authentication.
  • Implement least-privilege RBAC.
  • Enable Privileged Identity Management.
  • Review Global Administrator accounts.
  • Configure access reviews.
  • Monitor risky users and risky sign-ins.
  • Separate admin accounts from regular user accounts.
  • Secure service principals and application registrations.

Harden Azure Subscriptions and Governance

Azure subscriptions should be governed with policies, role separation, resource controls, and centralized security visibility.

Implementation tasks

  • Organize subscriptions under management groups.
  • Apply Azure Policy security baselines.
  • Restrict creation of public IPs where possible.
  • Enforce allowed regions.
  • Require tags for ownership and data classification.
  • Configure resource locks for critical workloads.
  • Enable Defender for Cloud.
  • Enable activity logging.
  • Review subscription-level role assignments.
  • Remove unused or excessive permissions.
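The role-assignment review in this step (and the Global Administrator and service principal review under "Secure Microsoft Entra ID") can be run offline against an RBAC export. The script below is an added example, not OC Security Audit tooling: it flags Owner, Contributor and User Access Administrator assignments at subscription or management group scope, orphaned assignments, and custom roles that grant wildcard or role-assignment actions. Field names follow the JSON emitted by `az role assignment list --all` and `az role definition list --custom-role-only`; the sample export, subscription id and principal names are constructed, and detecting orphaned assignments by an empty principalName or an Unknown principalType is an assumption of the example.

```python
"""Review an exported Azure RBAC assignment list and custom role definitions.

Added example, not OC Security Audit tooling. Field names follow the JSON from
`az role assignment list --all` (principalName, principalType, roleDefinitionName,
scope) and `az role definition list --custom-role-only` (roleName,
permissions[].actions / notActions). All sample data below is constructed.
"""

# Roles that are dangerous when granted above resource-group scope.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_LEVELS = {"root", "managementGroup", "subscription"}

# Constructed sample export; the subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    # Deleted principal still holding a role (assumed shape: empty name, Unknown type).
    {"principalName": "", "principalType": "Unknown",
     "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-app"},
    {"principalName": "sp-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-app"},
    {"principalName": "sp-automation", "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm01"},
]
SAMPLE_CUSTOM_ROLES = [
    {"roleName": "App Operator",
     "permissions": [{"actions": ["Microsoft.Web/sites/*"], "notActions": []}]},
    {"roleName": "Ops Everything",
     "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "Role Granter",
     "permissions": [{"actions": ["Microsoft.Authorization/roleAssignments/write"],
                      "notActions": []}]},
]


def scope_level(scope):
    """Classify an ARM scope: root, managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[0].lower() == "providers" and len(parts) >= 3 \
            and parts[1].lower() == "microsoft.management":
        return "managementGroup"
    if parts[0].lower() == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resourceGroup"
    return "resource"


def review_assignments(assignments):
    """Return (finding, assignment) pairs: orphaned principals and broad-scope privileged roles."""
    findings = []
    for a in assignments:
        if a.get("principalType") == "Unknown" or not a.get("principalName"):
            findings.append(("orphaned", a))
        if a["roleDefinitionName"] in BROAD_ROLES and scope_level(a["scope"]) in BROAD_LEVELS:
            findings.append(("broad-scope", a))
    return findings


def review_custom_roles(roles):
    """Map role name -> actions that grant everything or the right to assign roles."""
    flagged = {}
    for role in roles:
        risky = [action for perm in role["permissions"]
                 for action in perm.get("actions", [])
                 if action == "*" or action.startswith("Microsoft.Authorization/")]
        if risky:
            flagged[role["roleName"]] = risky
    return flagged


if __name__ == "__main__":
    for kind, a in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{kind:12} {a['roleDefinitionName']:28} {a['principalName'] or '<missing>':20} {a['scope']}")
    for name, actions in review_custom_roles(SAMPLE_CUSTOM_ROLES).items():
        print(f"custom role  {name}: {actions}")
```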

Design Secure Azure Network Architecture

Azure networks should be segmented and controlled. Do not place all workloads in one flat virtual network.

Implementation tasks

  • Create separate subnets for web, application, database, management, and security services.
  • Apply NSGs to each subnet.
  • Restrict inbound traffic by source, destination, and port.
  • Route outbound traffic through Azure Firewall or approved NGFW.
  • Use private endpoints for PaaS services.
  • Use VPN or ExpressRoute for private connectivity.
  • Enable DDoS protection for public-facing critical systems.
  • Use Network Watcher for troubleshooting and visibility.
  • Enable flow logs for network traffic analysis.

Implement Azure Firewall and Traffic Inspection

Firewall policies should control both inbound and outbound traffic. Many Azure breaches occur because resources are exposed directly to the internet or outbound traffic is unrestricted.

Implementation tasks

  • Deploy Azure Firewall or approved NGFW.
  • Create application and network rule collections.
  • Deny unnecessary outbound traffic.
  • Block high-risk ports.
  • Restrict administrative traffic.
  • Enable threat intelligence filtering.
  • Configure DNS and FQDN filtering.
  • Send firewall logs to Log Analytics or Sentinel.
  • Review and document firewall changes.
  • Test traffic flow after rule implementation.

Secure Remote Access to Azure VMs

Remote access should be controlled, logged, and protected by MFA. Avoid exposing RDP and SSH to the internet.

Implementation tasks

  • Remove public IP addresses from VMs where possible.
  • Disable direct internet RDP and SSH.
  • Deploy Azure Bastion.
  • Enable just-in-time VM access.
  • Require MFA for administrators.
  • Use Conditional Access for portal access.
  • Restrict access to approved admin groups.
  • Monitor failed login attempts.
  • Use session recording where required.
  • Document emergency access procedures.

Harden Azure Virtual Machines

Each VM should be secured like a production server, even if it is hosted in Azure.

Implementation tasks

  • Apply Windows or Linux security baselines.
  • Enable disk encryption.
  • Install EDR or Microsoft Defender for Endpoint.
  • Enable vulnerability assessment.
  • Patch operating systems and applications.
  • Disable unused services.
  • Restrict local administrator accounts.
  • Configure host firewalls.
  • Enable backup.
  • Send Windows Event Logs or Linux syslogs to Log Analytics.
  • Monitor suspicious process execution.
  • Review exposed ports and services.

Secure Azure Applications and Web Services

Applications hosted in Azure should be protected at the identity, network, application, and logging layers.

Implementation tasks

  • Place public web apps behind WAF.
  • Use Azure Application Gateway WAF or Azure Front Door WAF.
  • Enable HTTPS only.
  • Use managed certificates where possible.
  • Enforce secure TLS settings.
  • Use managed identities for backend access.
  • Store secrets in Key Vault.
  • Restrict app service access with private endpoints or access restrictions.
  • Enable application logging.
  • Monitor authentication failures and suspicious requests.

Protect Storage, Databases, and Sensitive Data

Data services are common targets because misconfigured storage accounts and databases can expose sensitive information.

Implementation tasks

  • Disable public anonymous storage access.
  • Use private endpoints.
  • Restrict access by identity and network.
  • Enable encryption.
  • Rotate access keys.
  • Use Key Vault for secrets.
  • Enable database auditing.
  • Enable threat detection for databases.
  • Review shared access signatures.
  • Monitor unusual downloads or access attempts.
  • Back up critical data.
  • Test restore procedures.

Enable Defender for Cloud and Workload Protection

Defender for Cloud helps identify misconfigurations, prioritize risk, and detect threats across Azure workloads.

Implementation tasks

  • Enable Defender for Cloud.
  • Review Secure Score.
  • Enable Defender plans for relevant workloads.
  • Turn on Defender for Servers.
  • Turn on Defender for Storage.
  • Turn on Defender for Databases.
  • Turn on Defender for Containers if AKS is used.
  • Configure security contacts.
  • Review recommendations weekly.
  • Assign remediation tasks.
  • Connect alerts to SIEM or ticketing systems.

Configure Azure Logging and Microsoft Sentinel

Security teams need centralized logs to detect attacks and investigate incidents.

Implementation tasks

  • Create or configure a Log Analytics workspace.
  • Enable Azure Activity Logs.
  • Enable Microsoft Entra ID logs.
  • Enable Defender for Cloud alerts.
  • Enable VM security logs.
  • Enable firewall and WAF logs.
  • Enable NSG flow logs.
  • Enable Key Vault logs.
  • Enable storage and database logs.
  • Connect logs to Microsoft Sentinel.
  • Create analytic rules.
  • Configure incident notifications.
  • Build automated response playbooks.
  • Define log retention requirements.

Implement Backup, Recovery, and Resilience

Azure security should include recovery planning. Ransomware, accidental deletion, misconfiguration, and account compromise can all affect cloud workloads.

Implementation tasks

  • Enable Azure Backup for critical VMs.
  • Protect databases with backup policies.
  • Enable soft delete where supported.
  • Use immutable backup options where appropriate.
  • Test restores regularly.
  • Document recovery time objectives.
  • Document recovery point objectives.
  • Separate backup administration from production administration.
  • Monitor backup failures.
  • Protect backup vaults with MFA and RBAC.

Create Ongoing Security Operations

Azure security is not a one-time configuration. It requires continuous monitoring, patching, alert review, access review, and improvement.

Implementation tasks

  • Review Defender for Cloud recommendations.
  • Monitor Sentinel incidents.
  • Review privileged access.
  • Review firewall and NSG rules.
  • Review public IP exposure.
  • Patch VMs and applications.
  • Test incident response procedures.
  • Review backup success.
  • Validate logging coverage.
  • Update policies as the environment changes.

Microsoft Azure Security Checklist

A dedicated Azure security assessment worksheet for reviewing identity, privileged access, RBAC, Conditional Access, network architecture, storage, Key Vault, workloads, Microsoft Defender for Cloud, Sentinel, backup, compliance, governance, and continuous security optimization.


Each checklist row records the security area and control type, the control itself, its Azure services and scope, implementation guidance, verification questions, evidence to review, risk level and assessment, impact if not controlled, recommended review frequency, suggested owner, priority score, and compliance mapping. The per-organization tracking columns (Last Date Checked, Status, Remediation / Action Required, Due Date, Residual Risk / Exception Notes) hold only default placeholder values in this version of the checklist.

1. Identity (Technical): Enforce MFA for all users with priority protection for administrators and high-risk roles.
   Scope: Microsoft Entra ID, admin accounts, standard users, privileged roles
   Guidance: Require MFA for all users. Use stronger authentication methods for administrators and sensitive applications. Document and approve all MFA exclusions.
   Verification: Is MFA required for all users? Are administrators protected? Are exclusions documented and approved?
   Evidence: MFA registration report, Conditional Access policies, exception list, admin role inventory
   Risk level: Critical. MFA reduces credential-based attacks and account takeover risk across Azure and Microsoft 365.
   Impact if not controlled: Compromised passwords may lead to tenant takeover, data exposure, and privileged misuse.
   Frequency: Monthly. Owner: Identity Owner. Priority score: 115. Compliance mapping: NIST AC-2, IA-2; CIS Azure

2. Identity (Technical): Configure Conditional Access policies for location, device, risk, and application sensitivity.
   Scope: Conditional Access, Entra ID, compliant devices, sensitive applications
   Guidance: Create baseline and privileged-access policies. Require MFA, compliant devices, trusted locations, or session controls based on risk.
   Verification: Are risky locations blocked? Are managed devices required? Are sensitive apps protected with stronger controls?
   Evidence: Conditional Access policy export, report-only results, sign-in logs, device compliance reports
   Risk level: Critical. Reduces unauthorized access through context-aware authentication controls.
   Impact if not controlled: Risky sign-ins may reach Azure, SaaS, or Microsoft 365 resources.
   Frequency: Monthly. Owner: Security Owner. Priority score: 115. Compliance mapping: NIST AC-3, IA-2; CIS Azure

3. Identity (Technical): Block legacy authentication protocols.
   Scope: Entra ID, Exchange Online, Microsoft 365, legacy protocols
   Guidance: Block protocols that cannot enforce MFA, such as POP, IMAP, SMTP AUTH where not required, and other legacy methods.
   Verification: Are legacy protocols disabled? Are legacy sign-ins monitored? Are exceptions removed or approved?
   Evidence: Legacy authentication sign-in report, Conditional Access policies, service exception records
   Risk level: High. Blocks insecure authentication methods that bypass modern protections.
   Impact if not controlled: Attackers may bypass MFA and compromise accounts through outdated protocols.
   Frequency: Monthly. Owner: Identity Owner. Priority score: 90. Compliance mapping: CIS Azure; NIST IA-2

4. Identity (Technical): Enable Identity Protection policies for risky users and risky sign-ins.
   Scope: Microsoft Entra ID Protection, user risk, sign-in risk
   Guidance: Configure risk-based policies to require password reset, MFA, or block access based on user and sign-in risk severity.
   Verification: Are user-risk policies enabled? Are sign-in risk policies enforced? Are risky accounts reviewed?
   Evidence: Identity Protection settings, risky users report, sign-in risk logs, remediation records
   Risk level: High. Automates response to suspected credential compromise and abnormal sign-ins.
   Impact if not controlled: Compromised accounts may remain active and continue accessing sensitive resources.
   Frequency: Weekly. Owner: Identity Owner. Priority score: 90. Compliance mapping: NIST AU-6, IA-5

5. Identity (Administrative): Review and lifecycle-manage guest and external users.
   Scope: Entra B2B, guest users, external collaboration settings
   Guidance: Restrict guest invitations, enforce access reviews, remove inactive guests, and limit external sharing based on business need.
   Verification: Are guests reviewed regularly? Are inactive guests removed? Are external sharing settings restricted?
   Evidence: Guest user inventory, access review reports, collaboration settings, removal records
   Risk level: Medium. Limits external access to approved users and business needs.
   Impact if not controlled: Former vendors or unmanaged guests may retain access to sensitive resources.
   Frequency: Quarterly. Owner: Identity Governance Owner. Priority score: 65. Compliance mapping: NIST AC-2; ISO 27001

6. Privileged Access (Technical): Enable Privileged Identity Management for Azure and Entra administrator roles.
   Scope: Microsoft Entra PIM, Azure roles, Entra roles, privileged groups
   Guidance: Convert standing admin roles to eligible roles. Require MFA, approval, justification, and time-bound activation.
   Verification: Are admin roles eligible instead of permanent? Are activation durations limited? Is justification required?
   Evidence: PIM role settings, activation logs, eligible assignment report, approval workflow settings
   Risk level: Critical. Limits standing administrative privilege and reduces impact of compromised admin accounts.
   Impact if not controlled: Permanent admin access can enable full tenant or subscription compromise.
   Frequency: Monthly. Owner: PIM Owner. Priority score: 115. Compliance mapping: NIST AC-5, AC-6; CIS Azure

7. Privileged Access (Administrative): Review excessive, permanent, stale, or unnecessary admin role assignments.
   Scope: Global Administrator, Privileged Role Administrator, Owner, Contributor, security roles
   Guidance: Review privileged assignments and remove unnecessary access. Require approval records for permanent access.
   Verification: Who has admin access? Are permanent assignments justified? Are stale assignments removed?
   Evidence: Admin role assignment report, access review evidence, remediation tickets, approval records
   Risk level: Critical. Ensures privileges remain appropriate, justified, and auditable.
   Impact if not controlled: Excessive privilege increases blast radius of account compromise and insider misuse.
   Frequency: Monthly. Owner: Security Owner. Priority score: 115. Compliance mapping: NIST AC-2, AC-6

8. RBAC (Technical): Apply RBAC using least privilege at the minimum required scope.
   Scope: Management groups, subscriptions, resource groups, resources, managed identities
   Guidance: Assign roles at resource or resource group scope where possible. Avoid broad subscription Owner or Contributor assignments.
   Verification: Are roles assigned at minimum scope? Are broad subscription assignments justified?
   Evidence: RBAC export, role assignment report, scope review, access review records
   Risk level: High. Limits permissions to the smallest practical scope.
   Impact if not controlled: Over-scoped access may allow users or services to modify unrelated resources.
   Frequency: Quarterly. Owner: Azure Owner. Priority score: 90. Compliance mapping: NIST AC-6; CIS Azure

9. RBAC (Technical): Review custom roles, orphaned assignments, service principals, and automation identities.
   Scope: Custom RBAC roles, service principals, managed identities, automation accounts
   Guidance: Audit non-human identities and custom role definitions. Remove stale identities and overbroad permissions.
   Verification: Do custom roles grant broad actions? Are unused assignments removed? Are service identities least-privileged?
   Evidence: Custom role definitions, service principal permission review, orphaned assignment report
   Risk level: High. Prevents hidden privilege paths through custom roles and application identities.
   Impact if not controlled: Automation or application identities may be abused to modify resources or exfiltrate data.
   Frequency: Quarterly. Owner: Cloud Identity Owner. Priority score: 90. Compliance mapping: NIST AC-6, IA-5

10. Privileged Access (Technical): Secure and monitor break-glass emergency accounts.
   Scope: Emergency access accounts, Entra ID, alerting, audit logs
   Guidance: Use cloud-only emergency accounts, protect credentials, monitor all sign-ins, and test access periodically.
   Verification: Are emergency accounts cloud-only? Are they monitored? Are credentials protected and tested?
   Evidence: Break-glass account inventory, sign-in alerts, access test records, credential handling procedure
   Risk level: High. Maintains emergency access while preventing misuse or unnoticed sign-ins.
   Impact if not controlled: Emergency accounts may be abused or unavailable during tenant lockout events.
   Frequency: Quarterly. Owner: Identity Owner. Priority score: 90. Compliance mapping: NIST CP-2, AC-2

11. Governance (Administrative): Organize Azure subscriptions under management groups.
   Scope: Management groups, subscriptions, landing zones
   Guidance: Use management groups to separate production, non-production, shared services, security, and sandbox environments.
   Verification: Are subscriptions logically grouped? Are policies and RBAC inherited from the right scope?
   Evidence: Management group hierarchy, subscription inventory, access model, landing zone design
   Risk level: Medium. Provides consistent governance and access control across Azure.
   Impact if not controlled: Unstructured subscriptions lead to inconsistent controls and unclear ownership.
   Frequency: Semiannually. Owner: Cloud Governance Owner. Priority score: 65. Compliance mapping: NIST PM-5; ISO 27001

12. Governance (Technical): Apply Azure Policy initiatives for baseline security.
   Scope: Azure Policy, initiatives, management groups, subscriptions
   Guidance: Assign policies for diagnostics, encryption, allowed locations, public IP restrictions, tagging, Defender coverage, and private endpoints.
   Verification: Are security baselines enforced? Are non-compliant resources remediated? Are exemptions approved?
   Evidence: Policy assignments, compliance dashboard, remediation tasks, exemptions
   Risk level: High. Enforces consistent security standards and reduces configuration drift.
   Impact if not controlled: Uncontrolled resources may violate security and compliance requirements.
   Frequency: Monthly. Owner: Governance Owner. Priority score: 90. Compliance mapping: CIS Azure; NIST CM-6

13. Governance (Administrative): Separate production, development, testing, and security subscriptions.
   Scope: Subscriptions, resource groups, RBAC, networks
   Guidance: Segment environments using subscriptions, resource groups, RBAC, VNets, and policies to prevent accidental access and lateral movement.
   Verification: Are production resources isolated? Are developers restricted from production?
   Evidence: Subscription map, RBAC assignments, network diagram, deployment process
   Risk level: High. Reduces operational mistakes and cross-environment compromise.
   Impact if not controlled: Dev/test compromise may impact production systems and data.
   Frequency: Semiannually. Owner: Cloud Platform Owner. Priority score: 90. Compliance mapping: NIST AC-4, SC-7

14. Governance (Administrative): Require resource tags for owner, application, environment, and data classification.
   Scope: Azure resources, tags, cost management, asset inventory
   Guidance: Enforce mandatory tags and use them for reporting, ownership, incident response, and cost/security optimization.
   Verification: Are resources tagged? Are unowned resources investigated?
   Evidence: Tag compliance report, asset inventory, cost report, owner register
   Risk level: Medium. Improves accountability, asset management, and incident response.
   Impact if not controlled: Unowned resources may remain unpatched, exposed, or unmanaged.
   Frequency: Monthly. Owner: Cloud Operations Owner. Priority score: 65. Compliance mapping: NIST CM-8

15. Network Security (Technical): Segment VNets and subnets to isolate workloads and reduce lateral movement.
   Scope: VNets, subnets, route tables, peering
   Guidance: Separate web, application, database, management, security, and shared services subnets.
   Verification: Are sensitive workloads isolated? Are routes documented? Are unnecessary peerings removed?
   Evidence: VNet diagrams, subnet list, route tables, peering inventory
   Risk level: High. Segmentation reduces lateral movement and limits compromise impact.
   Impact if not controlled: Flat networks can allow compromised workloads to reach sensitive systems.
   Frequency: Quarterly. Owner: Network Owner. Priority score: 90. Compliance mapping: NIST SC-7; CIS Azure

16. Network Security (Technical): Use hub-and-spoke architecture for centralized security controls where appropriate.
   Scope: Hub VNet, spoke VNets, Azure Firewall, DNS, VPN, ExpressRoute
   Guidance: Route spoke traffic through a central hub for inspection, shared services, DNS, and secure hybrid connectivity.
   Verification: Is traffic inspected through central controls? Are shared services protected? Are routes validated?
   Evidence: Network architecture diagram, route tables, firewall routing evidence, hub-and-spoke design
   Risk level: Medium. Supports consistent inspection, routing, and policy enforcement.
   Impact if not controlled: Inconsistent network controls may create unmanaged paths and security gaps.
   Frequency: Semiannually. Owner: Cloud Network Owner. Priority score: 65. Compliance mapping: NIST SC-7

17. Network Security (Technical): Use Private Endpoints for critical Azure PaaS services.
   Scope: Storage, SQL, Key Vault, App Services, private DNS zones, Private Link
   Guidance: Deploy private endpoints and disable public network access for sensitive services where possible.
   Verification: Which services still allow public access? Are private DNS zones configured correctly?
   Evidence: Private Endpoint inventory, public network access settings, private DNS configuration
   Risk level: Critical. Restricts access to sensitive services through private connectivity.
   Impact if not controlled: Critical services may be reachable from the internet and targeted for attack.
   Frequency: Monthly. Owner: Network Owner. Priority score: 115. Compliance mapping: NIST SC-7; CIS Azure

18. Network Security (Technical): Review NSG inbound and outbound rules for least access and conflicts.
   Scope: NSGs, Application Security Groups, flow logs, Traffic Analytics
   Guidance: Remove broad rules, restrict management ports, define outbound controls, and resolve rule conflicts.
   Verification: Are broad inbound ports restricted? Are outbound controls defined? Are rule conflicts resolved?
   Evidence: NSG rule export, flow logs, Traffic Analytics reports, unused rule review
   Risk level: Critical. Controls network access and supports forensic visibility.
   Impact if not controlled: Exposed services, data exfiltration, rule bypass, and unauthorized network access.
   Frequency: Monthly. Owner: Network Owner. Priority score: 115. Compliance mapping: NIST SC-7
19 Network Security Technical Review and reduce public exposure. Public IPs, VMs, databases, App Services, APIs, load balancers Identify and remove exposed RDP/SSH, databases, APIs, public storage, and unmanaged internet-facing resources. Are management ports exposed? Are databases public? Are undocumented resources identified? Public IP inventory, Defender exposure findings, NSG review, asset inventory Critical Reduces attack surface by finding and removing unnecessary internet exposure. Brute-force attacks, service exploitation, data exposure, and unmanaged attack paths. Monthly Locked field Not Started Cloud Security Owner Locked remediation notes Locked field Locked exception notes 115 CIS Azure; NIST SC-7
20 Firewall / WAF Technical Deploy Azure Firewall or approved NGFW for centralized traffic inspection. Azure Firewall, Firewall Policy, route tables, NGFW Inspect ingress, egress, and east-west traffic. Use route tables to force traffic through approved security controls. Is traffic routed through inspection? Are firewall logs enabled? Are rules documented? Firewall policy export, route tables, diagnostic logs, network diagram Critical Provides centralized traffic control, inspection, and logging. Uninspected traffic may enable malware communication, exfiltration, or lateral movement. Monthly Locked field Not Started Security Owner Locked remediation notes Locked field Locked exception notes 115 NIST SC-7
21 Firewall / WAF Technical Review firewall policies for permissive rules and threat intelligence settings. Azure Firewall, firewall policies, threat intelligence Use deny-by-default policy, restrict broad rules, enable threat intelligence filtering, and assign owners to exceptions. Are firewall rules overly broad? Are temporary rules expired? Are threat intelligence controls enabled? Firewall policy export, rule owner list, exception records, change tickets Critical Protects Azure network workloads from malicious traffic and unmanaged access. Overly broad rules can expose services and allow threat communication. Monthly Locked field Not Started Security Owner Locked remediation notes Locked field Locked exception notes 115 NIST SC-7, CM-3
22 Firewall / WAF Technical Use WAF for public-facing web applications. Application Gateway WAF, Front Door WAF, OWASP rules Enable managed OWASP rules, review exclusions, and monitor blocked requests for public web apps. Are public apps behind WAF? Are WAF exclusions justified? Are blocked requests reviewed? WAF policy settings, blocked request logs, application inventory, exclusion list Critical Protects web apps from common application-layer attacks. Web attacks may exploit vulnerable applications or expose data. Monthly Locked field Not Started Application Security Owner Locked remediation notes Locked field Locked exception notes 115 OWASP ASVS; PCI DSS
23 Remote Access Technical Remove direct internet exposure of RDP and SSH. Azure VMs, public IPs, NSGs, management ports Block direct inbound RDP and SSH from the internet. Remove public IPs from VMs where possible. Are any VMs exposing RDP or SSH? Are exceptions approved? Are brute-force attempts monitored? Public IP inventory, NSG rules, Defender findings, failed login logs Critical Reduces brute-force, credential stuffing, and remote exploitation risk. Exposed management ports may lead to server compromise and ransomware. Monthly Locked field Not Started Server Owner Locked remediation notes Locked field Locked exception notes 115 CIS Azure; NIST SC-7
24 Remote Access Technical Use Azure Bastion, VPN, or ExpressRoute for administrative access. Azure Bastion, VPN Gateway, ExpressRoute, admin networks Require private administrative access through Bastion, VPN, or ExpressRoute. Limit access to approved administrators. Is Bastion deployed? Are admins required to use private access? Are access logs reviewed? Bastion configuration, VPN settings, route tables, access logs High Provides secure remote administration without exposing VM management ports. Admins may connect insecurely from unmanaged networks or expose management services. Quarterly Locked field Not Started Network Owner Locked remediation notes Locked field Locked exception notes 90 NIST AC-17
25 Remote Access Technical Enable just-in-time VM access. Defender for Cloud JIT, Azure VMs, NSGs Open management ports only when approved, for limited time, and from approved source IPs. Is JIT enabled? Are source IPs restricted? Are requests logged? JIT policy settings, Defender recommendations, request logs High Reduces management port exposure windows. Persistent management access increases attack surface and brute-force risk. Monthly Locked field Not Started Cloud Security Owner Locked remediation notes Locked field Locked exception notes 90 NIST AC-17
26 Virtual Machines Technical Apply Windows and Linux security baselines to Azure VMs. Azure VMs, Windows, Linux, configuration management Harden OS settings, disable unused services, restrict local admins, enable host firewall, and remove unnecessary software. Are OS baselines applied? Are local admins restricted? Are unused services disabled? Baseline reports, configuration records, local admin review, VM inventory High Reduces compromise risk for compute workloads. Weak server configuration may enable malware, lateral movement, or privilege escalation. Quarterly Locked field Not Started Workload Owner Locked remediation notes Locked field Locked exception notes 90 CIS Benchmarks; NIST CM-6
27 Virtual Machines Technical Patch operating systems and third-party applications regularly. Azure Update Manager, VMs, applications Use Azure Update Manager or approved patching process. Prioritize critical and internet-facing systems. Are critical patches installed? Are failed updates remediated? Are exceptions documented? Patch reports, update compliance dashboard, vulnerability scan results Critical Reduces exploit risk for known vulnerabilities. Unpatched systems may be exploited, encrypted by ransomware, or used for lateral movement. Weekly Locked field Not Started Workload Owner Locked remediation notes Locked field Locked exception notes 115 NIST SI-2
28 Virtual Machines Technical Encrypt VM managed disks and use customer-managed keys where required. Managed disks, Disk Encryption Sets, Key Vault, CMK Enable encryption for managed disks. Use CMK for regulated or high-sensitivity workloads. Are disks encrypted? Are CMKs required? Are key permissions controlled? Disk encryption settings, Key Vault integration, CMK inventory High Protects data confidentiality for VM disks. Disk data may be exposed through theft, misconfiguration, or compliance failure. Quarterly Locked field Not Started Data Protection Owner Locked remediation notes Locked field Locked exception notes 90 NIST SC-28
29 Virtual Machines Technical Collect VM security logs centrally. Windows Event Logs, Linux syslog, Azure Monitor Agent, Log Analytics Install Azure Monitor Agent and collect security, system, application, and syslog events as required. Are VM logs collected? Are agents healthy? Are logs retained? Log Analytics coverage report, agent health, data collection rules High Supports threat detection, troubleshooting, and forensic investigations. Compromise evidence may be unavailable during incident response. Monthly Locked field Not Started Monitoring Owner Locked remediation notes Locked field Locked exception notes 90 NIST AU-2, AU-6
30 Endpoint Security Technical Deploy EDR or Microsoft Defender for Endpoint to Azure VMs. Microsoft Defender for Endpoint, Defender for Servers, Azure VMs Deploy and monitor endpoint protection on Windows and Linux VMs. Confirm all agents are healthy. Are all VMs covered? Are agents healthy? Are detections reviewed? EDR coverage report, device inventory, alert records, agent health report Critical Detects malware, suspicious behavior, credential theft, and lateral movement. Compromised endpoints may remain undetected and spread ransomware. Weekly Locked field Not Started Endpoint Security Owner Locked remediation notes Locked field Locked exception notes 115 NIST SI-3, SI-4
31 Endpoint Security Technical Enable malware protection, tamper protection, and attack surface reduction controls. Defender for Endpoint, antivirus, ASR rules Enable real-time protection, ransomware protection, tamper protection, and attack surface reduction rules. Is antivirus active? Are signatures current? Are ASR rules enforced? AV status report, EDR policy, ASR settings, malware alert history High Reduces malware execution and endpoint compromise. Malware or attacker tools may run without prevention or detection. Monthly Locked field Not Started Endpoint Security Owner Locked remediation notes Locked field Locked exception notes 90 NIST SI-3
32 Storage & Data Technical Disable public blob access unless explicitly approved. Azure Storage, Blob containers, file shares Block anonymous public access for storage accounts and containers unless documented and approved. Is public blob access disabled? Are public containers approved and reviewed? Storage configuration, public access report, container inventory, exception records Critical Prevents accidental or malicious exposure of cloud-stored data. Sensitive files may be publicly accessible or reachable from untrusted networks. Monthly Locked field Not Started Storage Owner Locked remediation notes Locked field Locked exception notes 115 CIS Azure; NIST AC-3
33 Storage & Data Technical Restrict storage access through private endpoints or approved networks. Storage accounts, firewalls, private endpoints, Entra ID Use storage firewall, private endpoints, Microsoft Entra authentication, and least-privilege IAM. Are storage accounts restricted to trusted networks? Are private endpoints configured? Storage firewall settings, private endpoint inventory, IAM assignments, access logs Critical Restricts data access to trusted identities and networks. Attackers may access storage data over public endpoints or weak credentials. Monthly Locked field Not Started Storage Owner Locked remediation notes Locked field Locked exception notes 115 NIST SC-7, AC-3
34 Storage & Data Technical Control and rotate storage keys and SAS tokens. Storage account keys, SAS tokens, managed identities Use short-lived SAS tokens, rotate keys, monitor key usage, and replace stored secrets with managed identities. Are access keys rotated? Are SAS tokens short-lived? Are shared secrets minimized? Key rotation records, SAS review, access logs, key usage report High Reduces unauthorized data access from leaked or long-lived storage credentials. Leaked tokens or keys may provide broad access to storage data. Monthly Locked field Not Started Storage Owner Locked remediation notes Locked field Locked exception notes 90 NIST IA-5
35 Storage & Data Technical Enable storage logging and monitor unusual access. Storage logs, diagnostic settings, Log Analytics, Sentinel Log storage access and alert on unusual downloads, anonymous access, key usage, or access from risky locations. Are storage logs enabled? Are unusual downloads alerted? Diagnostic settings, storage access logs, Sentinel alerts, incident records High Improves visibility into data access and possible exfiltration. Data theft may not be detected or investigated effectively. Monthly Locked field Not Started SOC Owner Locked remediation notes Locked field Locked exception notes 90 NIST AU-6
36 Key Management Technical Store secrets, keys, and certificates in Azure Key Vault. Azure Key Vault, secrets, certificates, applications Remove secrets from code, app settings, scripts, and documents. Use Key Vault references and managed identities. Are secrets stored in Key Vault? Are secrets removed from code? Are managed identities used? Key Vault inventory, app configuration review, code review findings Critical Protects credentials and cryptographic material from exposure. Secret leakage can lead to application compromise and data theft. Monthly Locked field Not Started Key Vault Owner Locked remediation notes Locked field Locked exception notes 115 NIST IA-5, SC-12
37 Key Management Technical Restrict Key Vault access, enable soft delete, purge protection, and private endpoints. Key Vault, RBAC, private endpoints, purge protection Limit access by role, restrict network access, enable soft delete and purge protection, and alert on high-risk operations. Who can access secrets? Is purge protection enabled? Are secret reads monitored? Key Vault access review, RBAC assignments, soft delete settings, diagnostic logs Critical Protects secrets, certificates, and encryption keys from unauthorized use or deletion. Secret theft, key deletion, application compromise, and irreversible data access issues. Monthly Locked field Not Started Key Vault Owner Locked remediation notes Locked field Locked exception notes 115 NIST SC-12, SC-28
38 Databases Technical Disable public network access for Azure databases where possible. Azure SQL, MySQL, PostgreSQL, Cosmos DB, private endpoints Use private endpoints and restrict firewall rules. Require documented approval for public database exposure. Are databases publicly accessible? Are private endpoints configured? Are firewall rules restricted? Database networking settings, firewall rules, private endpoint inventory Critical Reduces exposure of sensitive data services to internet-based attacks. Public databases may be brute-forced, exploited, or accessed by unauthorized users. Monthly Locked field Not Started Database Owner Locked remediation notes Locked field Locked exception notes 115 NIST SC-7; CIS Azure
39 Databases Technical Enable database auditing, threat detection, and vulnerability assessment. Azure SQL, Defender for SQL, database logs Enable audit logs, failed login monitoring, vulnerability assessment, and Defender alerts for database services. Is auditing enabled? Are failed logins reviewed? Are database alerts escalated? Audit settings, database logs, Defender for SQL alerts, assessment reports High Provides visibility into database misuse, attacks, and weak configuration. Database attacks may go undetected and evidence may be missing. Monthly Locked field Not Started Database Owner Locked remediation notes Locked field Locked exception notes 90 NIST AU-2, SI-4
40 Databases Technical Back up databases and test restore procedures. Azure SQL, PostgreSQL, MySQL, Cosmos DB, backups Confirm backup retention, geo-redundancy if needed, and periodic restore testing for critical databases. Are backups configured? Are restores tested? Are RPO/RTO requirements met? Backup settings, restore test records, recovery plan, retention policy Critical Supports recovery from deletion, corruption, ransomware, or outage. Data loss, extended downtime, and failed disaster recovery. Quarterly Locked field Not Started Database Owner Locked remediation notes Locked field Locked exception notes 115 NIST CP-9, CP-10
41 Applications Technical Secure Azure App Services and Function Apps. App Services, Function Apps, managed identities, TLS, Key Vault Enforce HTTPS, modern TLS, managed identities, Key Vault references, access restrictions, and diagnostic logs. Are secrets removed from app settings? Is HTTPS enforced? Are logs enabled? App configuration review, managed identity assignments, Key Vault references, TLS settings High Protects hosted applications from weak configuration and credential exposure. Hard-coded secrets, insecure traffic, unauthorized access, and weak incident investigation. Monthly Locked field Not Started Application Owner Locked remediation notes Locked field Locked exception notes 90 OWASP ASVS; NIST SC-8
42 Applications Technical Protect APIs with authentication, authorization, and abuse controls. API Management, App Gateway, WAF, Entra ID, rate limiting Require authentication, authorization, rate limiting, logging, and validation for APIs. Use WAF or API gateway controls where appropriate. Are APIs authenticated? Are rate limits configured? Are unauthorized requests monitored? API Management policies, authentication settings, access logs, WAF logs Critical Prevents unauthorized API access and abuse. Unauthenticated APIs may expose data, business logic, or administrative functions. Monthly Locked field Not Started Application Security Owner Locked remediation notes Locked field Locked exception notes 115 OWASP API Security
43 Containers / AKS Technical Restrict AKS cluster access and enforce Kubernetes RBAC. AKS, Microsoft Entra ID, Kubernetes RBAC, API server Integrate AKS with Entra ID, restrict API server access, use least-privilege Kubernetes RBAC, and avoid local admin accounts. Is AKS admin access restricted? Is API server exposed? Are Kubernetes roles reviewed? AKS access settings, Kubernetes RBAC, API server settings, audit logs High Reduces cluster takeover and privilege escalation risk. Exposed or over-permissioned clusters may enable container compromise and lateral movement. Monthly Locked field Not Started Container Owner Locked remediation notes Locked field Locked exception notes 90 NIST AC-6; CIS Kubernetes
44 Containers / AKS Technical Scan container images and protect registries. Azure Container Registry, container images, Defender for Containers Scan images, remove vulnerable images, restrict registry permissions, and monitor image pulls and pushes. Are images scanned? Are vulnerable images blocked? Is ACR access controlled? Image scan reports, ACR permissions, registry logs, deployment records High Reduces supply-chain and vulnerable image risk. Vulnerable images or unauthorized registry access may compromise workloads. Monthly Locked field Not Started Container Owner Locked remediation notes Locked field Locked exception notes 90 NIST SI-2; SLSA
45 Containers / AKS Technical Apply AKS network policies and runtime monitoring. AKS, network policies, Defender for Containers, Log Analytics Enforce pod-to-pod network controls, monitor runtime activity, and forward container logs to SIEM. Are network policies enforced? Are runtime alerts reviewed? Are logs centralized? Network policies, cluster logs, Defender alerts, Log Analytics records High Reduces container lateral movement and improves detection. Container compromise may spread or remain undetected. Monthly Locked field Not Started Container Owner Locked remediation notes Locked field Locked exception notes 90 CIS Kubernetes; NIST SI-4
46 Defender & Monitoring Technical Enable Microsoft Defender for Cloud across all subscriptions. Defender for Cloud, Defender plans, subscriptions Enable Defender CSPM and relevant workload plans for servers, storage, SQL, containers, APIs, and key services. Are Defender plans enabled for all needed services? Are critical workloads covered? Defender plan coverage, subscription settings, Secure Score report Critical Provides posture management and workload threat protection. Security gaps may persist and active threats may not be detected quickly. Monthly Locked field Not Started Cloud Security Owner Locked remediation notes Locked field Locked exception notes 115 NIST RA-5, SI-4
47 Defender & Monitoring Technical Review Secure Score, attack paths, recommendations, and threat alerts. Defender for Cloud, Secure Score, recommendations, alerts Prioritize critical recommendations, assign owners, remediate findings, and track exceptions. Are critical recommendations prioritized? Are alerts investigated? Secure Score report, recommendation backlog, threat alert records, remediation tracker High Improves Azure security posture and remediation accountability. Misconfigurations and active threats may remain unresolved. Weekly Locked field Not Started Cloud Security Owner Locked remediation notes Locked field Locked exception notes 90 NIST RA-5, CA-7
48 Logging & Monitoring Technical Enable Azure Activity Logs and Microsoft Entra logs. Azure Activity Logs, Entra sign-in logs, audit logs, risk logs Collect and retain control-plane, identity, sign-in, audit, and risk events. Are subscription and identity logs collected? Are logs retained and protected? Diagnostic settings, Log Analytics workspace, Entra logs, retention configuration Critical Provides visibility into administrative and identity activity. Unauthorized changes or account compromise may not be investigated. Monthly Locked field Not Started Monitoring Owner Locked remediation notes Locked field Locked exception notes 115 NIST AU-2, AU-6
49 Logging & Monitoring Technical Enable diagnostic logs for critical Azure resources. Azure Monitor, diagnostic settings, Log Analytics Enable logs for firewall, NSGs, WAF, Key Vault, Storage, SQL, VMs, App Services, AKS, and backup services. Are diagnostic settings enabled everywhere? Are logs sent to the correct workspace? Diagnostic settings export, workspace coverage report, data collection rules High Creates visibility for security detection, audit, and forensics. Security events may be missed or unavailable during investigation. Monthly Locked field Not Started Monitoring Owner Locked remediation notes Locked field Locked exception notes 90 NIST AU-12
50 Logging & Monitoring Technical Configure log retention and protect logging workspaces. Log Analytics workspaces, retention, RBAC, resource locks Set retention based on compliance and forensic needs. Restrict access and deletion of logs and workspaces. Does retention meet requirements? Are logs protected from deletion? Workspace retention settings, RBAC assignments, resource locks, policy settings High Preserves evidence for investigations and compliance. Logs may be unavailable or deleted during an incident. Quarterly Locked field Not Started SOC Owner Locked remediation notes Locked field Locked exception notes 90 NIST AU-11
51 Sentinel & Response Technical Connect Microsoft Sentinel to required Azure and Microsoft security data sources. Microsoft Sentinel, data connectors, Log Analytics Connect Entra ID, Azure Activity, Defender for Cloud, Defender for Endpoint, firewall, WAF, VM, Key Vault, Storage, and database logs. Are all required data sources connected? Are logs flowing? Are connector failures monitored? Sentinel connector list, data ingestion report, connector health, workspace logs Critical Improves detection, correlation, and incident response. Delayed detection, poor correlation, and incomplete forensic evidence. Monthly Locked field Not Started SOC Owner Locked remediation notes Locked field Locked exception notes 115 NIST SI-4, IR-5
52 Sentinel & Response Technical Configure Sentinel analytics rules, incidents, watchlists, and automation playbooks. Microsoft Sentinel, analytics rules, playbooks, incidents Create and tune analytics rules, build watchlists for critical assets and privileged users, and test SOAR playbooks. Are analytics rules tuned? Are playbooks tested? Are incidents assigned and tracked? Analytics rule review, playbook test records, incident queue, watchlists High Improves threat detection and response automation. Manual response delays and missed correlations may increase breach impact. Monthly Locked field Not Started SOC Owner Locked remediation notes Locked field Locked exception notes 90 NIST IR-4, IR-5
53 Backup & Recovery Technical Enable Azure Backup for critical VMs and workloads. Azure Backup, Recovery Services Vault, Backup Vault Enable backup for critical workloads, configure retention, and monitor backup success and failures daily. Are backups enabled? Are backup jobs successful? Are failures escalated? Backup reports, vault settings, retention policy, failure alerts Critical Ensures recoverability after deletion, ransomware, corruption, or outage. Data loss, downtime, failed recovery, and ransomware payment pressure. Daily Locked field Not Started Backup Owner Locked remediation notes Locked field Locked exception notes 115 NIST CP-9
54 Backup & Recovery Technical Protect backup vaults and test restores. Recovery Services Vault, soft delete, immutability, restore testing Enable soft delete, immutability where appropriate, restricted administration, and quarterly restore testing. Are restores tested? Are vaults protected? Are immutable protections configured? Vault security settings, restore test records, ransomware protection settings Critical Validates recovery and reduces ransomware impact. Backups may be deleted, corrupted, or unusable when needed. Quarterly Locked field Not Started Backup Owner Locked remediation notes Locked field Locked exception notes 115 NIST CP-10
55 Compliance Administrative Map Azure controls to applicable compliance requirements. Azure Policy, Defender compliance dashboard, evidence repository Map controls to HIPAA, PCI DSS, NIST, CIS, ISO 27001, SOC 2, or internal policies as applicable. Are standards mapped? Are gaps assigned? Is evidence maintained? Compliance mapping, regulatory dashboard, evidence repository, remediation tracker High Supports compliance readiness and governance. Audit gaps, unmanaged regulatory risk, and inconsistent controls. Quarterly Locked field Not Started Compliance Owner Locked remediation notes Locked field Locked exception notes 90 HIPAA, PCI, NIST, CIS, ISO
56 Compliance Administrative Document exceptions, residual risk, and compensating controls. Risk register, exception register, approvals Ensure exceptions have owner, approval, business justification, expiration date, and compensating controls. Are exceptions documented and time-bound? Are compensating controls validated? Exception register, risk acceptance approvals, review records High Prevents permanent undocumented security gaps. Untracked exceptions may become long-term unmanaged risk. Monthly Locked field Not Started Risk Owner Locked remediation notes Locked field Locked exception notes 90 NIST RA-3, POA&M
57 Cost & Optimization Administrative Review unused and orphaned Azure resources. Subscriptions, public IPs, disks, NICs, storage, snapshots Identify and remove unused public IPs, VMs, disks, NICs, load balancers, snapshots, and unowned resources. Are unused resources removed? Are orphaned resources investigated? Are resources tagged? Cost reports, unused resource inventory, tag compliance report, asset inventory Medium Reduces attack surface and unnecessary cloud spend. Unused resources may remain exposed, unpatched, and costly. Monthly Locked field Not Started Cloud Operations Owner Locked remediation notes Locked field Locked exception notes 65 NIST CM-8
58 Cost & Optimization Administrative Review Defender licensing and security-versus-cost decisions. Defender plans, licensing, cost management Confirm security plans are enabled for critical workloads and cost reductions do not disable required protections. Is Defender coverage cost-effective? Are critical workloads protected? Defender licensing review, cost report, workload criticality list Medium Balances security coverage and cloud cost management. Critical workloads may lose security visibility due to cost-cutting. Quarterly Locked field Not Started Cloud Security Owner Locked remediation notes Locked field Locked exception notes 65 FinOps; NIST PM-3
59 Operations Administrative Maintain an Azure security remediation roadmap. Risk register, remediation backlog, executive reporting Prioritize improvements by risk, business impact, exposure, and compliance requirements. Assign owners and target dates. Are improvements prioritized by risk? Are owners assigned? Is progress reported? Security roadmap, executive risk reports, remediation tracker Medium Creates long-term improvement plan for sustainable Azure security maturity. Security gaps may remain unresolved without ownership or sequencing. Quarterly Locked field Not Started Security Leadership Locked remediation notes Locked field Locked exception notes 65 NIST CA-5
60 Operations Administrative Perform continuous Azure security operations reviews. Defender, Sentinel, Azure Policy, RBAC, network, backups Review posture, alerts, incidents, access, firewall rules, vulnerabilities, backups, and exceptions on a recurring schedule. Are security reviews recurring? Are metrics reported? Are stale risks closed? Monthly review minutes, KPI dashboard, incident metrics, remediation progress Medium Ensures Azure security remains effective as the environment changes. Configuration drift and unresolved risks may grow over time. Monthly Locked field Not Started Security Operations Owner Locked remediation notes Locked field Locked exception notes 65 NIST CA-7
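As an added example (not code from the page or from OC Security Audit), the following Python reviews an NSG rule export for what items 18, 19 and 23 ask about: management ports or every port allowed inbound from the internet, with an earlier Deny honoured as shadowing a later Allow. It assumes the rule dictionaries use the field names of `az network nsg rule list` output; the sample rules and the 64-port "broad" threshold are constructed for this example.

```python
"""Review an exported NSG rule list for internet-exposed management ports and
broad inbound allow rules (checklist items 18, 19 and 23).

Rule dictionaries use the field names of `az network nsg rule list` output;
the sample rules at the bottom are constructed for this example.
"""

INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}
BROAD_PORT_THRESHOLD = 64  # assumed policy: more ports than this is "broad"


def expand_ports(spec):
    """Turn "22", "5000-5010" or "*" into a set of ints; None means every port."""
    spec = spec.strip()
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def rule_ports(rule):
    """Union of destinationPortRange and destinationPortRanges; None means any."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    ports = set()
    for spec in specs:
        expanded = expand_ports(spec)
        if expanded is None:
            return None
        ports |= expanded
    return ports


def from_internet(rule):
    """True if any source prefix admits traffic from the internet."""
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    return any(s.lower() in INTERNET_SOURCES for s in sources)


def review_nsg_rules(rules):
    """Return (rule name, severity, message) findings for risky inbound allows.

    Azure evaluates rules by ascending priority and stops at the first match,
    so an internet-sourced Deny with a lower number shadows a later Allow for
    the same protocol and ports; that shadowing is honoured here. Source
    ranges narrower than "internet" are treated as trusted and not modelled.
    """
    findings = []
    denied = []  # (protocol, ports-or-None) from earlier internet-sourced denies
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction") != "Inbound" or not from_internet(rule):
            continue
        proto = rule.get("protocol", "*")
        ports = rule_ports(rule)
        if rule.get("access") == "Deny":
            denied.append((proto, ports))
            continue
        for dproto, dports in denied:  # subtract what an earlier Deny blocks
            if dproto not in ("*", proto):
                continue
            if dports is None:
                ports = set()
                break
            if ports is not None:
                ports -= dports
        if ports is None:
            findings.append((rule["name"], "critical", "allows every port from the internet"))
            continue
        exposed = sorted(p for p in ports if p in MANAGEMENT_PORTS)
        if exposed:
            detail = ", ".join(f"{MANAGEMENT_PORTS[p]}/{p}" for p in exposed)
            findings.append((rule["name"], "critical", f"exposes {detail} to the internet"))
        elif len(ports) > BROAD_PORT_THRESHOLD:
            findings.append((rule["name"], "high", f"allows {len(ports)} ports from the internet"))
    return findings


SAMPLE_RULES = [  # constructed sample, not a real export
    {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-rdp-legacy", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-ssh-any", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "8080"]},
    {"name": "allow-web", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "allow-ssh-bastion", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26", "destinationPortRange": "22"},
    {"name": "allow-all-any", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for name, severity, message in review_nsg_rules(SAMPLE_RULES):
        print(f"[{severity}] {name}: {message}")
```

On the sample, the legacy RDP allow is reported as shadowed by the deny above it, the Bastion-subnet SSH allow is skipped, and only the internet SSH allow and the allow-all rule are flagged.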
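A second added example (again not the page's own code) covers items 32 to 34: it checks a storage account record for anonymous blob access, an open network default action and shared-key authentication, and reviews a SAS token for lifetime, protocol and permissions. Field names follow `az storage account show` output; the 24-hour maximum SAS lifetime, the account record and the SAS URL with its placeholder signature are assumptions constructed for this example.

```python
"""Review storage account settings and SAS tokens (checklist items 32-34):
anonymous blob access, network default action, shared-key auth, and SAS
lifetime, protocol and permissions.

Settings use the camelCase field names of `az storage account show`; the
account record and SAS strings below are constructed for this example and
carry placeholder signatures.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_SAS_LIFETIME = timedelta(hours=24)  # assumed policy value for this example
WRITE_PERMS = set("wdlacu")             # write, delete, list, add, create, update


def review_storage_account(acct):
    """Return (setting, message) findings for one storage account record."""
    findings = []
    if acct.get("allowBlobPublicAccess", True):
        findings.append(("allowBlobPublicAccess", "anonymous blob access is permitted"))
    network_open = acct.get("networkRuleSet", {}).get("defaultAction", "Allow") == "Allow"
    if acct.get("publicNetworkAccess", "Enabled") == "Enabled" and network_open:
        findings.append(("networkRuleSet.defaultAction", "reachable from any network"))
    if acct.get("allowSharedKeyAccess", True):
        findings.append(("allowSharedKeyAccess", "account keys and SAS accepted; prefer Entra ID"))
    if acct.get("minimumTlsVersion") != "TLS1_2":
        findings.append(("minimumTlsVersion", "TLS below 1.2 accepted"))
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append(("enableHttpsTrafficOnly", "plain HTTP accepted"))
    return findings


def _parse_time(value):
    """SAS times are UTC ISO 8601, with or without the time part."""
    fmt = "%Y-%m-%dT%H:%M:%SZ" if "T" in value else "%Y-%m-%d"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def review_sas(sas_url, now, max_lifetime=MAX_SAS_LIFETIME):
    """Return (parameter, message) findings for one SAS URL or query string."""
    query = urlsplit(sas_url).query or sas_url.lstrip("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if "se" not in params:
        return [("se", "no expiry set")]
    findings = []
    expiry = _parse_time(params["se"])
    start = _parse_time(params["st"]) if "st" in params else now
    if expiry <= now:
        findings.append(("se", "already expired"))
    elif expiry - start > max_lifetime:
        findings.append(("se", f"lifetime {expiry - start} exceeds {max_lifetime}"))
    # Without spr the service accepts both HTTPS and HTTP.
    if params.get("spr", "https,http") != "https":
        findings.append(("spr", "HTTP allowed; require spr=https"))
    modifying = set(params.get("sp", "")) & WRITE_PERMS
    if modifying:
        findings.append(("sp", f"grants modifying permissions {''.join(sorted(modifying))}"))
    return findings


SAMPLE_ACCOUNT = {  # constructed record
    "name": "stexample01",
    "allowBlobPublicAccess": True,
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow"},
    "allowSharedKeyAccess": True,
    "minimumTlsVersion": "TLS1_2",
    "enableHttpsTrafficOnly": True,
}
SAMPLE_SAS = (  # constructed account SAS, placeholder signature
    "https://stexample01.blob.core.windows.net/reports?sv=2022-11-02&ss=b&srt=sco"
    "&sp=rwdl&st=2025-01-01T00:00:00Z&se=2025-12-31T23:59:59Z&spr=https,http"
    "&sig=PLACEHOLDER"
)
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed review time for the sample

if __name__ == "__main__":
    for setting, message in review_storage_account(SAMPLE_ACCOUNT):
        print(f"[{SAMPLE_ACCOUNT['name']}] {setting}: {message}")
    for param, message in review_sas(SAMPLE_SAS, NOW):
        print(f"[sas] {param}: {message}")
```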