Identity & Access Review
Assess Entra ID, MFA, Conditional Access, guest users, administrators, and access controls to reduce identity-related risk.
Independent Azure security assessments for identity, access, workloads, Microsoft Defender for Cloud, Secure Score, network exposure, logging, backup resilience, and compliance readiness.
An audit gives you objective findings and practical guidance. Implementation turns those findings into action. We provide the clarity you need so you can make confident, prioritized decisions.
Azure environments grow quickly. Subscriptions, identities, virtual machines, storage accounts, vendors, applications, and policies can change over time. A structured audit identifies misconfigurations, excessive access, exposed workloads, missing monitoring, and compliance readiness gaps before they become business problems.
Evaluate Azure network architecture, NSGs, firewalls, public IPs, virtual machines, and workload configurations.
Review Defender for Cloud recommendations, Secure Score, alerts, workload protection, and posture management data.
Map controls to HIPAA, PCI-DSS, SOC 2, NIST, ISO/IEC 27000, CMMC 2.0, and cyber insurance expectations.
Our Azure Cloud Security Audit focuses on the areas most likely to create risk: identity, privileged access, exposed workloads, storage, encryption, cloud posture management, logging, backup resilience, and third-party access.
Review identity policies, MFA enforcement, Conditional Access rules, sign-in protections, and risky authentication paths.
Assess role assignments, least privilege, PIM usage, owners, administrators, service principals, and break-glass accounts.
Evaluate Defender plans, security recommendations, alerts, regulatory views, and Secure Score improvement opportunities.
Review virtual networks, routing, NSG rules, public IPs, firewall posture, private endpoints, and internet-facing systems.
Assess storage account settings, blob exposure, SAS tokens, encryption at rest/in transit, Key Vault access, and access keys.
Review diagnostic settings, Azure Monitor, Log Analytics, Microsoft Sentinel, backup policies, retention, and restore readiness.
The audit is designed to be structured, evidence-driven, and practical for both leadership and technical teams.
Identify tenants, subscriptions, workloads, compliance needs, vendors, and business priorities.
Collect relevant configuration data, policies, logs, screenshots, and settings through agreed methods.
Analyze identity, network, workloads, data protection, logging, backup, and governance controls.
Rate findings by severity, likelihood, business impact, and compliance readiness relevance.
Deliver executive and technical reporting with a prioritized remediation roadmap.
OC Security Audit can map Azure findings to common security and compliance readiness expectations. This helps leadership understand which Azure risks may affect customer reviews, cyber insurance, vendor due diligence, internal governance, and formal audit preparation.
Our support is focused on readiness, gap analysis, advisory services, documentation support, control review, and preparation. It is not legal advice, formal certification, attestation, or regulatory determination.
Every Azure environment is different, but many organizations face recurring cloud security gaps that are difficult to see without a structured review.
OC Security Audit provides Azure Cloud Security Audit services for businesses in Irvine, Orange County, Los Angeles, and Southern California. We help local businesses evaluate Azure security posture, document cloud risks, prepare for compliance reviews, and prioritize remediation work.
The purpose of the audit is to help your organization make better decisions. We explain technical risk in business language, prioritize remediation, and provide the evidence leadership needs to act.
Azure security connects to network security, Microsoft 365, risk management, compliance readiness, and vCISO leadership.
Get clarity on misconfigurations, access risks, compliance gaps, and the next steps to strengthen your cloud environment.
This checklist is for Azure security audits. It is intended for IT administrators, CISOs, and cybersecurity engineers, and can be used to review Microsoft Azure identity security, privileged access, network exposure, workload protection, Microsoft Defender for Cloud, Secure Score, logging, backup resilience, vendor access, and compliance readiness.
Use this checklist as a structured worksheet to document audit status, evidence, findings, remediation actions, and control alignment for Microsoft Azure cloud security reviews.
| ID | Domain | Control Area | Audit Task / Procedure | Evidence / Artifacts | Azure Portal / Tools | Severity | Priority | Status | Recommended Remediation / Notes |
|---|---|---|---|---|---|---|---|---|---|
| AZ-IA-01 | Identity & Access | Tenant identity baseline | Review Microsoft Entra ID tenant security baseline and identity protection posture. | Tenant settings export, security defaults/Conditional Access policy list, Identity Protection reports | Microsoft Entra admin center; Azure Portal; Defender for Cloud | Critical | High | Not Started | Document baseline identity controls, disable legacy exposure, and assign ownership for all identity policies. |
| AZ-IA-02 | Identity & Access | MFA coverage | Verify MFA enforcement for all users, administrators, privileged accounts, and external access scenarios. | Conditional Access policies, MFA registration report, break-glass exception list | Entra ID authentication methods; Conditional Access; Sign-in logs | Critical | High | Not Started | Enforce phishing-resistant MFA for administrators where possible and document break-glass controls. |
| AZ-IA-03 | Identity & Access | Conditional Access | Review Conditional Access policies for admin portals, risky sign-ins, locations, device compliance, and workload access. | Policy export, exclusions, named locations, report-only policy results | Entra ID Conditional Access | Critical | High | Not Started | Consolidate, test, and enforce Conditional Access policies with documented exception handling. |
| AZ-IA-04 | Identity & Access | Privileged roles | Review Global Administrator, Privileged Role Administrator, Owner, Contributor, User Access Administrator, and Security Administrator assignments. | Role assignment export, privileged role list, approval records | Entra ID roles; Azure RBAC; Management Groups; Subscriptions | Critical | High | Not Started | Remove unnecessary permanent roles and move privileged roles into PIM approval workflows. |
| AZ-IA-05 | Identity & Access | PIM deployment | Assess Microsoft Entra Privileged Identity Management use for Entra roles and Azure resource roles. | PIM role settings, activation history, approval workflows, eligible assignments | Entra ID Governance; Privileged Identity Management | Critical | High | Not Started | Enable PIM for key Azure and Entra roles, require justification, MFA, approval, and time-bound activation. |
| AZ-IA-06 | Identity & Access | Access reviews | Verify recurring access reviews for privileged roles, guest users, groups, and application access. | Access review schedules, review results, removals, exception approvals | Entra ID Governance; Access Reviews | High | High | Not Started | Create recurring access reviews for privileged users, guests, vendors, and sensitive application access. |
| AZ-IA-07 | Identity & Access | Guest users | Review external identities, B2B collaboration settings, guest users, sponsors, and inactive guests. | Guest user export, collaboration settings, inactive guest report, sponsorship records | Entra ID Users; External Identities; Access Reviews | High | Medium | Not Started | Restrict guest permissions, assign sponsors, remove stale guests, and require periodic guest access review. |
| AZ-IA-08 | Identity & Access | Service principals and app registrations | Audit app registrations, enterprise applications, secrets, certificates, API permissions, and consent grants. | App registration export, permission list, credential expiration list, consent records | Entra ID App registrations; Enterprise applications | Critical | High | Not Started | Remove excessive API permissions, rotate expiring secrets, use certificates or managed identities where possible, and monitor app consent. |
| AZ-IA-09 | Identity & Access | Break-glass accounts | Review emergency access accounts, controls, monitoring, and exclusion documentation. | Emergency account list, monitoring alerts, exclusion documentation, test records | Entra ID Users; Conditional Access; Azure Monitor | Critical | High | Not Started | Maintain two emergency access accounts, monitor sign-ins, document exclusions, and test access periodically. |
| AZ-IA-10 | Identity & Access | Legacy authentication | Check whether legacy protocols or weak authentication methods are allowed. | Sign-in logs, authentication methods policy, Conditional Access blocking policy | Entra ID Sign-in logs; Authentication methods; Conditional Access | Critical | High | Not Started | Block legacy authentication and remove weak authentication methods where possible. |
| AZ-GOV-01 | Governance & Subscription | Tenant and subscription inventory | Create an inventory of tenants, management groups, subscriptions, resource groups, and owners. | Tenant list, subscription list, resource group export, owner mapping | Azure Portal; Management Groups; Subscriptions; Resource Graph | High | High | Not Started | Create a complete inventory and assign ownership for subscriptions, resource groups, and critical resources. |
| AZ-GOV-02 | Governance & Subscription | Management groups | Assess management group hierarchy and whether policies are applied consistently. | Management group hierarchy, policy assignment export, inheritance review | Azure Management Groups; Azure Policy | Medium | Medium | Not Started | Design management groups to support policy inheritance, separation of duties, and environment segmentation. |
| AZ-GOV-03 | Governance & Subscription | Azure Policy | Review Azure Policy initiatives, assignments, exemptions, and compliance state. | Policy assignments, compliance reports, exemptions, non-compliant resource list | Azure Policy; Defender for Cloud regulatory compliance | High | High | Not Started | Implement baseline Azure Policy initiatives and document exemption approval workflows. |
| AZ-GOV-04 | Governance & Subscription | Resource tagging | Review tags for owner, environment, business unit, data classification, cost center, and criticality. | Resource export with tags, tagging policy, exception list | Azure Resource Graph; Azure Policy; Azure Portal | Medium | Medium | Not Started | Create required tag policies and remediate untagged resources. |
| AZ-GOV-05 | Governance & Subscription | Change control | Assess Azure change management for high-risk resources and privileged configuration changes. | Change tickets, deployment records, activity logs, approval evidence | Azure Activity Log; DevOps pipelines; ITSM/ticketing system | High | Medium | Not Started | Define change approval requirements for high-risk Azure changes and connect activity logs to tickets. |
| AZ-DEF-01 | Defender for Cloud & Secure Score | Defender coverage | Review Defender for Cloud enablement, plans, subscriptions, and workload coverage. | Defender plan status, coverage report, subscription settings | Microsoft Defender for Cloud | High | High | Not Started | Enable appropriate Defender plans for critical workloads and document ownership for recommendations. |
| AZ-DEF-02 | Defender for Cloud & Secure Score | Secure Score review | Capture Secure Score, score history, risk level, and high-impact recommendations. | Secure Score screenshot/export, recommendation list, score trend | Defender for Cloud Secure Score | High | High | Not Started | Prioritize high-risk Secure Score recommendations and assign remediation owners. |
| AZ-DEF-03 | Defender for Cloud & Secure Score | Security recommendations | Review Defender recommendations by risk level, affected resources, attack paths, and governance ownership. | Recommendation export, affected resources, risk level, owner mapping | Defender for Cloud Recommendations | High | High | Not Started | Review recommendations weekly and track remediation in the risk register or ticketing system. |
| AZ-DEF-04 | Defender for Cloud & Secure Score | Regulatory compliance view | Review regulatory compliance dashboards and MCSB/CIS/NIST/PCI/HIPAA policy mapping where applicable. | Compliance dashboard export, failed controls, exemption list | Defender for Cloud Regulatory Compliance | Medium | Medium | Not Started | Use compliance views for readiness tracking and document control gaps without representing them as certification. |
| AZ-DEF-05 | Defender for Cloud & Secure Score | Security alerts | Review alert severity, routing, ownership, closure reasons, and incident response integration. | Alert history, closed alert samples, incident tickets, notification rules | Defender for Cloud Alerts; Microsoft Sentinel; Azure Monitor | Critical | High | Not Started | Route critical alerts to responsible teams and document triage and escalation procedures. |
| AZ-NET-01 | Network Security & Exposure | Public IP inventory | Identify all public IPs and internet-facing resources. | Public IP export, resource inventory, DNS records, exposure report | Azure Resource Graph; Public IP Addresses; Defender for Cloud | Critical | High | Not Started | Remove unnecessary public IPs, document business justification, and monitor exposed resources. |
| AZ-NET-02 | Network Security & Exposure | NSG rules | Review Network Security Group inbound and outbound rules for overly permissive access. | NSG rule export, effective security rules, flow logs where available | Network Security Groups; Network Watcher | Critical | High | Not Started | Restrict broad inbound rules, remove unused access, and document approved exposure. |
| AZ-NET-03 | Network Security & Exposure | Management ports | Check exposure of RDP, SSH, WinRM, SQL, SMB, and administrative interfaces. | Port exposure scan, NSG rules, Defender recommendations, public endpoint list | Defender for Cloud; Network Watcher; NSGs; Azure Bastion | Critical | High | Not Started | Close direct management ports and use VPN, private access, Just-in-Time access, or Azure Bastion. |
| AZ-NET-04 | Network Security & Exposure | Azure Firewall/WAF | Review Azure Firewall, WAF, routing, policies, logging, and threat intelligence configuration. | Firewall policy export, WAF policy, route tables, logs, threat intelligence setting | Azure Firewall; Application Gateway WAF; Front Door WAF; Log Analytics | High | High | Not Started | Enable logging, tune policies, validate routing, and monitor denied traffic and WAF events. |
| AZ-NET-05 | Network Security & Exposure | Private endpoints | Review use of private endpoints for storage, databases, Key Vault, and sensitive PaaS services. | Private endpoint list, public network access settings, DNS configuration | Private Link; Storage; SQL; Key Vault; Azure DNS | High | Medium | Not Started | Move sensitive PaaS services to private endpoints and disable public access where possible. |
| AZ-NET-06 | Network Security & Exposure | Network segmentation | Assess segmentation between production, development, management, and sensitive workloads. | Network diagrams, route tables, NSGs, firewall rules, subnet inventory | Virtual Networks; Subnets; NSGs; Azure Firewall | High | Medium | Not Started | Implement segmentation using VNets, subnets, NSGs, firewall policy, and private access patterns. |
| AZ-DATA-01 | Data Protection & Storage | Storage account inventory | Inventory storage accounts, owners, data classification, and business purpose. | Storage account export, owner map, data classification notes, tag review | Storage Accounts; Azure Resource Graph | High | Medium | Not Started | Assign ownership and classification to each storage account and remove unused accounts. |
| AZ-DATA-02 | Data Protection & Storage | Blob exposure | Review blob containers for public access, anonymous access, and risky sharing. | Container list, public access settings, Defender findings, access policy list | Storage Accounts; Defender for Cloud; Azure Policy | Critical | High | Not Started | Disable anonymous access unless formally approved, documented, and monitored. |
| AZ-DATA-03 | Data Protection & Storage | SAS tokens and access keys | Review shared access signatures, storage account keys, rotation practices, and key-based access. | SAS policy review, key rotation records, access key usage, logs | Storage Accounts; Storage Explorer; Activity Logs | Critical | High | Not Started | Limit SAS duration, rotate keys, use Entra ID authorization where possible, and monitor key usage. |
| AZ-DATA-04 | Data Protection & Storage | Encryption | Verify encryption at rest and in transit for storage, databases, disks, and key services. | Encryption settings, TLS settings, disk encryption status, database encryption status | Storage; SQL; Disks; Key Vault; Defender for Cloud | High | High | Not Started | Enforce encryption requirements and disable weak TLS or unencrypted access paths. |
| AZ-DATA-05 | Data Protection & Storage | Key Vault | Audit Key Vault access policies/RBAC, public access, soft delete, purge protection, logging, and key rotation. | Key Vault configuration, access list, diagnostic settings, key rotation records | Azure Key Vault; Entra ID; Azure Monitor | Critical | High | Not Started | Restrict Key Vault access, enable purge protection and logging, and rotate keys and secrets. |
| AZ-DATA-06 | Data Protection & Storage | Database security | Review Azure SQL, Cosmos DB, PostgreSQL/MySQL, and other database security settings. | Database firewall settings, encryption settings, auditing configuration, vulnerability findings | Azure SQL; Cosmos DB; PostgreSQL/MySQL; Defender for Cloud | High | High | Not Started | Restrict database network access, enable auditing, apply encryption, and remediate database security findings. |
| AZ-WL-01 | Virtual Machines & Workloads | VM inventory and ownership | Inventory VMs, operating systems, owners, criticality, tags, and environment. | VM export, owner list, OS inventory, tag report, criticality mapping | Virtual Machines; Azure Resource Graph; Defender for Cloud | High | Medium | Not Started | Maintain VM inventory with owner, environment, criticality, and patch responsibility. |
| AZ-WL-02 | Virtual Machines & Workloads | Patch status | Review OS patching, missing updates, maintenance windows, and update management coverage. | Patch reports, update assessment, maintenance configuration, exception list | Update Manager; Defender for Cloud; Log Analytics | Critical | High | Not Started | Implement patch management for all workloads and track exceptions or unsupported systems. |
| AZ-WL-03 | Virtual Machines & Workloads | Endpoint protection | Verify endpoint protection/EDR status for servers and workload protection coverage. | EDR inventory, Defender plan status, agent health, unprotected asset list | Microsoft Defender for Endpoint; Defender for Cloud; Azure Arc | Critical | High | Not Started | Deploy endpoint protection to all servers and monitor agent health and coverage gaps. |
| AZ-WL-04 | Virtual Machines & Workloads | Disk encryption | Verify managed disk encryption, OS disk/data disk controls, and sensitive workload encryption requirements. | Disk encryption status, VM disk list, key management settings | Managed Disks; Key Vault; Defender for Cloud | High | Medium | Not Started | Apply encryption requirements for sensitive workloads and document key ownership. |
| AZ-WL-05 | Virtual Machines & Workloads | Local administrator controls | Review local admin accounts, password management, SSH keys, and administrative access paths. | Local admin review, SSH key inventory, password rotation evidence, access logs | VM settings; Azure Bastion; Entra login; Key Vault | High | Medium | Not Started | Reduce local admin usage, rotate credentials, and move administration to controlled access paths. |
| AZ-WL-06 | Virtual Machines & Workloads | Container and AKS security | Review AKS clusters, container registries, image scanning, RBAC, secrets, network policy, and workload identity. | AKS cluster settings, ACR settings, image scan reports, network policy, secrets review | AKS; Azure Container Registry; Defender for Containers | High | Medium | Not Started | Enable image scanning, restrict cluster access, use workload identity, and protect secrets. |
| AZ-LOG-01 | Logging & Monitoring | Activity logs | Review Azure Activity Log collection, retention, export, and alerting for critical administrative activity. | Activity Log settings, diagnostic settings, alert rules, retention configuration | Azure Activity Log; Monitor; Log Analytics | Critical | High | Not Started | Export Activity Logs to Log Analytics or SIEM and alert on privileged and policy changes. |
| AZ-LOG-02 | Logging & Monitoring | Diagnostic settings | Review diagnostic settings for critical Azure resources and destinations. | Diagnostic settings export, resource coverage report, destination validation | Azure Monitor; Log Analytics; Event Hub; Storage | High | High | Not Started | Enable diagnostic settings for critical resources and centralize logs for investigation. |
| AZ-LOG-03 | Logging & Monitoring | Log Analytics | Review Log Analytics workspaces, retention, access, data collection, and workspace design. | Workspace list, retention settings, access assignments, data collection rules | Log Analytics Workspaces; Azure Monitor; Data Collection Rules | High | Medium | Not Started | Define log workspace strategy, retention, RBAC, and data collection ownership. |
| AZ-LOG-04 | Logging & Monitoring | Microsoft Sentinel | Review Sentinel enablement, data connectors, analytics rules, incidents, workbooks, automation, and coverage. | Connector list, analytics rule list, incident examples, automation playbooks | Microsoft Sentinel; Log Analytics | High | Medium | Not Started | Enable relevant connectors, create analytics rules, tune incidents, and define triage ownership. |
| AZ-LOG-05 | Logging & Monitoring | Alert routing and escalation | Assess alert notifications, ticketing, escalation paths, and response SLAs. | Alert rules, action groups, tickets, escalation matrix, SLA documentation | Azure Monitor Alerts; Action Groups; Defender for Cloud; Sentinel | Critical | High | Not Started | Create action groups, routing logic, escalation procedures, and ticket integration. |
| AZ-BCDR-01 | Backup & Resilience | Backup coverage | Review backup coverage for VMs, databases, storage, and critical workloads. | Backup policy list, protected item report, coverage matrix, workload inventory | Azure Backup Center; Recovery Services vaults; SQL backups | Critical | High | Not Started | Define critical workload backup requirements and remediate unprotected assets. |
| AZ-BCDR-02 | Backup & Resilience | Backup retention | Review retention settings, long-term retention, immutability, soft delete, and delete protection. | Vault settings, policy retention, soft delete, immutability settings, delete events | Backup Center; Recovery Services vaults; Storage backup settings | High | High | Not Started | Enable soft delete and immutability where applicable and align retention with recovery requirements. |
| AZ-BCDR-03 | Backup & Resilience | Restore testing | Verify restore tests, recovery procedures, and documented recovery time results. | Restore test records, screenshots, lessons learned, recovery runbooks | Backup Center; Recovery Services vaults; DR documentation | High | High | Not Started | Schedule recurring restore tests for critical workloads and document results. |
| AZ-BCDR-04 | Backup & Resilience | DR architecture | Assess disaster recovery architecture for critical Azure applications and dependencies. | Architecture diagrams, ASR settings, dependency map, DR plan, RTO/RPO documentation | Azure Site Recovery; Backup Center; Architecture diagrams | High | Medium | Not Started | Create or update DR architecture, dependency mapping, and recovery runbooks. |
| AZ-DEV-01 | DevOps & Deployment Security | IaC governance | Review Infrastructure as Code repositories, approval workflow, secrets handling, and policy checks. | Repository list, pull request history, pipeline approvals, policy scan results | Azure DevOps; GitHub; Terraform/Bicep; Azure Policy | Medium | Medium | Not Started | Implement PR review, policy-as-code checks, secret scanning, and deployment approvals. |
| AZ-DEV-02 | DevOps & Deployment Security | Pipeline access | Review service connections, pipeline identities, secrets, permissions, and environment approvals. | Service connection list, pipeline permissions, secret variables, approvals | Azure DevOps; GitHub Actions; Entra app registrations | High | Medium | Not Started | Restrict deployment identities, require approvals, and rotate or remove pipeline secrets. |
| AZ-DEV-03 | DevOps & Deployment Security | Secret scanning | Review whether code repositories and pipelines are scanned for secrets and credentials. | Secret scan reports, repository settings, incident records, rotation evidence | GitHub Advanced Security; Azure DevOps; Defender for DevOps | High | High | Not Started | Enable secret scanning, remove exposed secrets, and rotate affected credentials. |
| AZ-TP-01 | Third-Party & Vendor Access | Vendor inventory | Identify MSPs, vendors, contractors, external administrators, and delegated access. | Vendor list, account list, contracts/SOWs, access approvals | Entra ID users/guests; RBAC; PIM; Enterprise applications | High | High | Not Started | Maintain vendor access inventory and require periodic access recertification. |
| AZ-TP-02 | Third-Party & Vendor Access | Delegated administration | Review delegated admin relationships, partner access, and external management arrangements. | Partner relationships, delegated access evidence, admin roles, sign-in logs | Partner Center; Entra ID; Azure RBAC; Sign-in logs | High | Medium | Not Started | Limit partner roles, require MFA/PIM where possible, and monitor delegated admin activity. |
| AZ-TP-03 | Third-Party & Vendor Access | Offboarding | Test vendor and employee offboarding for Azure, Entra, app registrations, groups, and secrets. | Offboarding tickets, disabled accounts, group removals, secret rotation records | Entra ID; RBAC; Access Reviews; App registrations; Key Vault | High | High | Not Started | Create offboarding checklist covering users, groups, RBAC, apps, secrets, and vendor portals. |
| AZ-COMP-01 | Compliance & Reporting | Control mapping | Map audit findings to MCSB, NIST CSF, CIS Controls, HIPAA, PCI-DSS, SOC 2, ISO/IEC 27000, and CMMC readiness where applicable. | Framework mapping worksheet, control matrix, finding-to-framework mapping | Azure Policy; Defender regulatory compliance; audit report | Medium | Medium | Not Started | Map each finding to relevant frameworks and distinguish readiness support from certification. |
| AZ-COMP-02 | Compliance & Reporting | Executive reporting | Prepare executive summary with business risk themes, high-impact gaps, and remediation priorities. | Executive summary, risk register, heat map, remediation roadmap | Audit report; dashboard; risk register | Medium | High | Not Started | Create executive report with business risk, top priorities, timeline, and ownership. |
| AZ-COMP-03 | Compliance & Reporting | Evidence package | Organize screenshots, exports, reports, and supporting evidence for each finding. | Evidence index, screenshots, exports, timestamps, reviewer notes | Evidence repository; audit checklist; risk register | Medium | Medium | Not Started | Maintain an evidence log with owner, date, source, and related checklist ID. |
| AZ-COMP-04 | Compliance & Reporting | Remediation governance | Create remediation plan with owners, dates, dependencies, quick wins, and long-term projects. | Remediation roadmap, owner list, due dates, status updates, risk acceptance records | Risk register; project plan; ticketing system | High | High | Not Started | Create a remediation roadmap with owners, deadlines, validation, and executive reporting. |
| AZ-COMP-05 | Compliance & Reporting | Risk acceptance | Review whether accepted Azure risks are documented, approved, time-bound, and reviewed. | Risk acceptance forms, approvals, expiration dates, compensating controls | Risk register; governance records; ticketing system | Medium | Medium | Not Started | Implement formal risk acceptance with expiration dates and compensating controls. |
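Checklist rows AZ-NET-02 (NSG rules) and AZ-NET-03 (management ports) ask for a review of overly permissive inbound rules. The script below is an added example, not the page's or OC Security Audit's own tooling, that runs that check over an exported NSG rule list; it assumes the field names emitted by `az network nsg rule list -o json` (`access`, `direction`, `priority`, `protocol`, `sourceAddressPrefix(es)`, `destinationPortRange(s)`), and the sample rules it ships with are constructed for illustration.

```python
"""Flag inbound NSG rules that open management ports to any internet source.

Added example for checklist items AZ-NET-02 and AZ-NET-03; it assumes the
rule export has the shape of `az network nsg rule list -o json` (assumption).
Usage: python nsg_check.py [rules.json]   (no argument: runs the built-in sample)
"""
import json
import sys

# Administrative interfaces the checklist calls out in AZ-NET-03.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS",
                    1433: "SQL", 445: "SMB"}

# Source prefixes that mean "anywhere on the internet".
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "Internet"}

# Constructed sample rule set mirroring an NSG export (not from a real tenant).
SAMPLE_RULES = [
    {"name": "AllowHTTPS", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "AllowRDPFromAnywhere", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "AllowSSHFromOffice", "priority": 210, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "DenySMB", "priority": 300, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "445"},
    {"name": "AllowWideRange", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0",
     "destinationPortRanges": ["440-450", "5985-5986"]},
    {"name": "AllowOutboundAll", "priority": 500, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _port_set(rule):
    """Expand destinationPortRange/destinationPortRanges into a set of ints; None means all ports."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports = set()
    for r in ranges:
        r = str(r)
        if r == "*":
            return None
        if "-" in r:
            lo, hi = (int(x) for x in r.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(r))
    return ports


def _sources(rule):
    """Collect both the singular and plural source prefix fields."""
    srcs = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.append(rule["sourceAddressPrefix"])
    return set(srcs)


def find_exposed_management_ports(rules):
    """Return findings for Allow rules exposing management ports to any source.

    Rules are walked in priority order (lowest number wins in Azure), so a Deny
    from any source that covers a port shadows later Allow rules on that port.
    Rules scoped to specific source prefixes are not treated as internet exposure.
    """
    findings, denied = [], set()
    for rule in sorted(rules, key=lambda r: int(r["priority"])):
        if rule.get("direction") != "Inbound" or not (_sources(rule) & ANY_SOURCE):
            continue
        if rule.get("protocol", "*") in ("Udp", "Icmp", "Esp", "Ah"):
            continue  # cannot carry the TCP management services listed above
        ports = _port_set(rule)
        hit = set(MANAGEMENT_PORTS) if ports is None else ports & set(MANAGEMENT_PORTS)
        if rule.get("access") == "Deny":
            denied |= hit
            continue
        for port in sorted(hit - denied):
            findings.append({"rule": rule["name"], "priority": int(rule["priority"]),
                             "port": port, "service": MANAGEMENT_PORTS[port]})
    return findings


if __name__ == "__main__":
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULES
    for f in find_exposed_management_ports(rules):
        print(f"[AZ-NET-03] rule {f['rule']} (priority {f['priority']}) exposes "
              f"{f['service']} port {f['port']} to any source")
```

The sample reports RDP from `AllowRDPFromAnywhere` and WinRM from `AllowWideRange`, while SMB is skipped because the earlier `DenySMB` rule shadows it and SSH is skipped because it is scoped to one office prefix.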