// Level 3 · Controls

Azure

CIS Microsoft Azure Foundations Benchmark

1.1.1 · High

Ensure Security Defaults is enabled on Microsoft Entra ID

Enable Microsoft Entra Security Defaults to enforce baseline identity protections including MFA for admins.

1.1.3 · Medium

Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'

Prevent shadow tenants by restricting tenant creation to administrators.

1.1.4 · Medium

Ensure 'Restrict access to Microsoft Entra ID administration portal' is set to 'Yes'

Block standard users from accessing the Entra admin portal.

1.2.1 · High

Ensure Security Defaults is enabled on Microsoft Entra ID

Provides baseline security across all users and apps.

2.1.1 · Critical

Ensure that Microsoft Defender for Servers is set to 'On'

Enable Microsoft Defender for Cloud to protect VMs against threats.

2.1.2 · High

Ensure that Microsoft Defender for App Service is set to 'On'

Detect web app attacks against App Services.

2.1.3 · High

Ensure that Microsoft Defender for Databases is set to 'On'

Identify anomalous database activities.

2.1.4 · High

Ensure that Microsoft Defender for Storage is set to 'On'

Detect anomalous and potentially harmful Storage account activity.

3.1 · High

Ensure that 'Secure transfer required' is set to 'Enabled'

Require HTTPS for all data transfers to Azure Storage.

3.6 · Critical

Ensure that 'Public access level' is set to Private for blob containers

Prevent anonymous access to blob storage.

4.1.1 · High

Ensure that 'Auditing' is set to 'On' for SQL servers

Track database events for forensics and compliance.

4.4.1 · High

Ensure 'Transparent Data Encryption' is enabled on SQL Database

Encrypt data at rest in SQL DB.

5.1.2 · Medium

Ensure Diagnostic Setting captures appropriate categories

Forward control-plane logs to Log Analytics or storage.

5.5 · High

Ensure that logging for Azure Key Vault is 'Enabled'

Track all access and changes to Key Vault.

6.1 · Critical

Ensure that RDP (3389) and SSH (22) are restricted from the Internet

Block direct internet exposure on management ports.

6.5 · Medium

Ensure that Network Watcher is 'Enabled'

Required for diagnostics, flow logs, and topology visibility.

8.1 · Medium

Ensure that the expiration date is set for all Keys in Key Vault

Force key rotation by enforcing expirations.

8.2 · Medium

Ensure that the expiration date is set for all Secrets in Key Vault

Force secret rotation.

9.1 · High

Ensure App Service Authentication is set on Azure App Service

Require auth for App Service apps.

9.2 · High

Ensure web app redirects all HTTP traffic to HTTPS

Enforce TLS for web traffic.