Overview
#Statement
CIS Microsoft Azure Foundations Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. The scope of this benchmark is to establish the foundation level of security for anyone adopting Microsoft Azure Cloud. The benchmark is, however, not an exhaustive list of all possible security configurations and architecture. The benchmark should be understood as a starting point. Site-specific tailoring will almost certainly be required. The CIS Azure Foundations Benchmark provides recommendations for the following Azure Services:
- App Service
- Application Gateway
- Azure Active Directory
- Azure Advisor
- Azure Cosmos DB
- Azure Disk Storage
- Azure Files
- Azure Monitor
- Azure Policy
- Azure Private Link
- Azure Resource Manager
- Azure Service Health
- Azure SQL
- Azure SQL Database
- Key Vault
- Microsoft Azure portal
- Microsoft Defender for Cloud
- Static Web Apps
- Storage Accounts
- Virtual Machines
- Virtual Network
#Intended Audience
This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Microsoft Azure.
#Recommendations
Procedures and mapped controls
Identity and Access Management
This section covers security recommendations to set identity and access management policies on an Azure Subscription.
Mapped controls
Ensure Security Defaults is enabled on Microsoft Entra ID
Ensure 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
Ensure 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
Ensure 'Allow users to remember multi-factor authentication on devices they trust' is Disabled (Manual)
Ensure Trusted Locations Are Defined
Ensure an exclusionary Geographic Access Policy is considered
Ensure an exclusionary Device code flow policy is considered
Ensure A Multi-factor Authentication Policy Exists for Administrative Groups
Ensure A Multi-factor Authentication Policy Exists for All Users
Ensure Multi-factor Authentication is Required for Risky Sign-ins
Ensure Multifactor Authentication is Required for Windows Azure Service Management API
Ensure Multifactor Authentication is Required to access Microsoft Admin Portals
Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
Ensure Guest Users Are Reviewed on a Regular Basis (Manual)
Ensure 'Number of methods required to reset' is set to '2' (Manual)
Ensure account 'Lockout Threshold' is less than or equal to '10'
Ensure account 'Lockout duration in seconds' is greater than or equal to '60'
Ensure a Custom Bad Password List is set to 'Enforce' for your Organization
Ensure 'Number of days before users are asked to reconfirm their authentication information' is not set to '0'
Ensure 'Notify users on password resets?' is set to 'Yes'
Ensure 'Notify all admins when other admins reset their password?' is set to 'Yes'
Ensure 'User consent for applications' is set to 'Do not allow user consent'
Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
Ensure 'Users Can Register Applications' Is Set to 'No'
Ensure 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
Ensure 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
Ensure 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
Ensure 'Restrict user ability to access groups features in My Groups' is Set to 'Yes'
Ensure 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
Ensure 'Owners can manage group membership requests in My Groups' is set to 'No'
Ensure 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
Ensure 'Require Multi-Factor Authentication to register or join devices with Microsoft Entra ID' is set to 'Yes'
Ensure No Custom Subscription Administrator Roles Exist
Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
Ensure 'Subscription leaving Microsoft Entra ID directory' and 'Subscription entering Microsoft Entra ID directory' Is Set To 'Permit No One'
Ensure Fewer Than 5 Users Have Global Administrator Assignment
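As an added example, not part of the benchmark text or of the stored checks later on this page, the following Python evaluates a tenant's Conditional Access policies against the MFA and device-code-flow controls listed above. Policy objects follow the Microsoft Graph conditionalAccessPolicy shape (conditions.users, conditions.applications, conditions.clientAppTypes, conditions.authenticationFlows.transferMethods, grantControls.builtInControls); the sample policies are constructed for illustration and do not come from a real tenant. Two design choices matter: only policies whose state is "enabled" count, because report-only and disabled policies enforce nothing, and a policy scoped to all cloud apps is accepted as covering a specific app such as the Windows Azure Service Management API.

```python
"""Evaluate Conditional Access policies against the MFA controls listed above.

Added example; policy dicts follow the Microsoft Graph conditionalAccessPolicy
shape. SAMPLE_POLICIES is constructed for illustration, not real tenant data.
"""

# App IDs/aliases used in includeApplications (values as used by the controls above).
AZURE_MGMT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API
ADMIN_PORTALS = "MicrosoftAdminPortals"


def _enforced(policy: dict) -> bool:
    # Report-only ("enabledForReportingButNotEnforced") and "disabled" policies
    # enforce nothing, so a check must look at state before anything else.
    return policy.get("state") == "enabled"


def _no_exclusions(policy: dict) -> bool:
    users = policy["conditions"]["users"]
    return not (users.get("excludeUsers") or users.get("excludeGroups") or users.get("excludeRoles"))


def _all_users(policy: dict) -> bool:
    return policy["conditions"]["users"].get("includeUsers") == ["All"] and _no_exclusions(policy)


def _targets_app(policy: dict, app: str) -> bool:
    # A policy scoped to all cloud apps also covers the specific app asked for.
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    return app in apps or "All" in apps


def _all_client_apps(policy: dict) -> bool:
    return policy["conditions"].get("clientAppTypes") == ["all"]


def _grant(policy: dict, control: str) -> bool:
    return control in (policy.get("grantControls") or {}).get("builtInControls", [])


def mfa_for_all_users(policies: list, app: str = "All") -> bool:
    """True if an enforced, exclusion-free, all-user MFA policy covers `app`."""
    return any(_enforced(p) and _all_users(p) and _targets_app(p, app)
               and _all_client_apps(p) and _grant(p, "mfa") for p in policies)


def mfa_for_admin_roles(policies: list) -> bool:
    """True if some enforced policy targets directory roles, excludes nobody and requires MFA."""
    return any(_enforced(p) and p["conditions"]["users"].get("includeRoles")
               and _no_exclusions(p) and _targets_app(p, "All")
               and _all_client_apps(p) and _grant(p, "mfa") for p in policies)


def device_code_flow_blocked(policies: list) -> bool:
    """True if an enforced all-user policy blocks the device code flow."""
    for p in policies:
        # Graph serialises transferMethods as a comma-separated flags string.
        methods = (p["conditions"].get("authenticationFlows") or {}).get("transferMethods") or ""
        if isinstance(methods, str):
            methods = [m.strip() for m in methods.split(",")]
        if (_enforced(p) and _all_users(p) and _targets_app(p, "All")
                and "deviceCodeFlow" in methods and _grant(p, "block")):
            return True
    return False


def evaluate(policies: list) -> dict:
    """Map each control to True (satisfied) or False (finding)."""
    return {
        "mfa_all_users": mfa_for_all_users(policies),
        "mfa_admin_roles": mfa_for_admin_roles(policies),
        "mfa_azure_management": mfa_for_all_users(policies, AZURE_MGMT_APP_ID),
        "mfa_admin_portals": mfa_for_all_users(policies, ADMIN_PORTALS),
        "device_code_flow_blocked": device_code_flow_blocked(policies),
    }


def _policy(name, state, apps, grant, **extra):
    # Builds a constructed sample policy in Graph shape (all users, no exclusions, all client apps).
    cond = {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
            "applications": {"includeApplications": apps}, "clientAppTypes": ["all"], **extra}
    return {"displayName": name, "state": state, "conditions": cond, "grantControls": {"builtInControls": [grant]}}


SAMPLE_POLICIES = [  # constructed sample tenant
    _policy("MFA for all users", "enabledForReportingButNotEnforced", ["All"], "mfa"),  # report-only: does not count
    _policy("MFA for Azure management", "enabled", [AZURE_MGMT_APP_ID], "mfa"),
    _policy("Block device code flow", "enabled", ["All"], "block",
            authenticationFlows={"transferMethods": "deviceCodeFlow"}),
]

if __name__ == "__main__":
    for control, ok in evaluate(SAMPLE_POLICIES).items():
        print(f"{control:26} {'PASS' if ok else 'FAIL'}")
```

Run against the constructed tenant, the all-user MFA control fails even though a matching policy exists, because that policy is report-only; flipping its state to "enabled" makes both the all-user and the admin-portal controls pass. A break-glass exclusion on the all-user policy fails the control as written here, which is intentional: exclusions should be reviewed and justified rather than silently accepted.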
Security
This section covers security best practice recommendations for products in the Azure Security services category.
Mapped controls
[Deprecated] Ensure Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
Ensure Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is selected
Ensure Microsoft Defender for Servers is set to 'On'
Ensure 'Vulnerability assessment for machines' component status is set to 'On'
Ensure 'Endpoint protection' component status is set to 'On'
Ensure Microsoft Defender for Containers is set to 'On'
Ensure Microsoft Defender for Storage is set to 'On'
Ensure Microsoft Defender for App Services is set to 'On'
Ensure Microsoft Defender for Azure Cosmos DB is set to 'On'
Ensure Microsoft Defender for Open-Source Relational Databases is set to 'On'
Ensure Microsoft Defender for Azure SQL databases is set to 'On'
Ensure Microsoft Defender for SQL Servers on machines is set to 'On'
Ensure Microsoft Defender for Key Vault is set to 'On'
Ensure Microsoft Defender for Resource Manager is set to 'On'
Ensure security alert emails for subscription owners are enabled
Ensure 'Additional email addresses' is configured with a security contact email
Ensure that 'Notify about alerts with the following severity' is set to 'High'
[LEGACY] Ensure Microsoft Defender for DNS Is Set To 'On'
Ensure the Expiration Date is set for Key Vaults Keys
Ensure the Expiration Date is set for Key Vault Secrets
Ensure Key Vaults are Recoverable
Enable Role Based Access Control for Azure Key Vaults
Ensure Private Endpoints are Used for Azure Key Vault
Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
Storage Accounts
This section covers security recommendations to follow to set storage account policies on an Azure Subscription.
Mapped controls
Ensure 'Secure transfer required' is set to 'Enabled'
Ensure 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
Ensure 'Enable key rotation reminders' is enabled for each Storage Account
Ensure Storage Account Access Keys are Periodically Regenerated
Ensure Shared Access Signature Tokens Expire Within One Hour
Ensure 'Public Network Access' is 'Disabled' for storage accounts
Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
Ensure Private Endpoints are used to access Storage Accounts
Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Ensure Storage for Critical Data Is Encrypted with Customer Managed Keys
Ensure Storage logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
Ensure 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
Ensure 'Cross Tenant Replication' is not enabled
Ensure 'Allow Blob Anonymous Access' is set to 'Disabled'
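As an added example, not taken from the benchmark or from the stored checks on this page, the following Python evaluates a single storage account against the account-level controls above. The account dict follows the Microsoft.Storage/storageAccounts REST representation (properties.supportsHttpsTrafficOnly, minimumTlsVersion, networkAcls, sasPolicy, keyPolicy, encryption, and so on); SAMPLE_ACCOUNT is constructed for illustration. Soft delete and diagnostic logging live on the blobServices and queueServices child resources and are not covered here. The SAS expiration period is parsed as a duration rather than compared as a string, so "0.00:30:00" and "0.01:00:00" both pass the one-hour control while "1.00:00:00" fails it.

```python
"""Evaluate a storage account's ARM properties against the storage controls listed above.

Added example; the account dict follows the Microsoft.Storage/storageAccounts REST
representation (properties.*). SAMPLE_ACCOUNT is constructed for illustration.
"""
import re
from datetime import timedelta

# sasExpirationPeriod is a "D.HH:MM:SS" string, e.g. "0.01:00:00" for one hour.
_SAS_PERIOD = re.compile(r"^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})$")


def parse_sas_period(value: str):
    """Return the SAS expiration period as a timedelta, or None when unset/unparseable."""
    m = _SAS_PERIOD.match(value or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def evaluate_storage_account(account: dict) -> dict:
    """Map each control to True (compliant) or False (finding)."""
    p = account.get("properties") or {}
    acls = p.get("networkAcls") or {}
    # bypass is a comma-separated string such as "AzureServices, Logging, Metrics"
    bypass = {b.strip() for b in (acls.get("bypass") or "").split(",") if b.strip()}
    sas = p.get("sasPolicy") or {}
    period = parse_sas_period(sas.get("sasExpirationPeriod", ""))
    enc = p.get("encryption") or {}
    key_days = (p.get("keyPolicy") or {}).get("keyExpirationPeriodInDays") or 0
    return {
        "secure_transfer_required": p.get("supportsHttpsTrafficOnly") is True,
        "infrastructure_encryption": enc.get("requireInfrastructureEncryption") is True,
        "key_rotation_reminder": key_days > 0,
        # No SAS policy at all, or a period longer than one hour, fails the one-hour control.
        "sas_expires_within_1h": period is not None and period <= timedelta(hours=1),
        "public_network_access_disabled": p.get("publicNetworkAccess") == "Disabled",
        "default_network_action_deny": acls.get("defaultAction") == "Deny",
        "trusted_azure_services_bypass": "AzureServices" in bypass,
        "customer_managed_key": enc.get("keySource") == "Microsoft.Keyvault",
        # An account with minimumTlsVersion unset is served as TLS 1.0 by the service, so None fails too.
        "min_tls_1_2": p.get("minimumTlsVersion") not in (None, "TLS1_0", "TLS1_1"),
        "cross_tenant_replication_disabled": p.get("allowCrossTenantReplication") is False,
        "blob_anonymous_access_disabled": p.get("allowBlobPublicAccess") is False,
    }


def failing_controls(account: dict) -> list:
    """Sorted names of the controls the account fails."""
    return sorted(name for name, ok in evaluate_storage_account(account).items() if not ok)


SAMPLE_ACCOUNT = {  # constructed sample resource, not from a real subscription
    "name": "stexample001",
    "type": "Microsoft.Storage/storageAccounts",
    "properties": {
        "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": True,            # finding
        "allowCrossTenantReplication": False,
        "publicNetworkAccess": "Enabled",         # finding
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices, Logging, Metrics"},
        "sasPolicy": {"sasExpirationPeriod": "1.00:00:00", "expirationAction": "Log"},  # finding: one day
        "keyPolicy": {"keyExpirationPeriodInDays": 90},
        "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": False},  # two findings
    },
}

if __name__ == "__main__":
    for control in failing_controls(SAMPLE_ACCOUNT):
        print(f"FAIL {SAMPLE_ACCOUNT['name']}: {control}")
```

Feed it the JSON of each account in a subscription and the output is a per-account list of failing control names; an account that sets every property as the controls require produces an empty list.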
Database Services
This section covers security recommendations to follow to set general database services policies on an Azure Subscription.
Mapped controls
Ensure 'Auditing' is set to 'On' for SQL Servers
Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure SQL server's TDE protector is encrypted with Customer Managed Keys (CMK)
Ensure Microsoft Entra authentication is Configured for SQL Servers
Ensure 'Data encryption' is set to 'On' on SQL Databases
Ensure 'Auditing' Retention is greater than 90 days for SQL Servers
Ensure Public Network Access is Disabled for SQL Servers
Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible servers
Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible servers
Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible servers
Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible servers
Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
[LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
[LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible servers
Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible servers
Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server
Ensure 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks for Cosmos DB
Ensure Private Endpoints Are Used To Access Cosmos DB Accounts
Use Entra ID Client Authentication and Azure RBAC for Cosmos DB
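As an added example, not part of the benchmark or of the stored checks on this page, the following Python evaluates an Azure SQL server and a PostgreSQL flexible server against the database controls above. The server dicts are a flattened view (firewallRules, configurations, publicNetworkAccess, administrators) of the ARM resources and are constructed for illustration. Firewall rules are compared as IP addresses rather than by substring, because "0.0.0.0" is also a substring of a legitimate start address such as "100.0.0.0"; the 0.0.0.0 to 0.0.0.0 rule is the "Allow Azure services" sentinel and is reported separately from a genuine any-IP range. Server parameter values are strings in Azure, so the on/off comparison is case-insensitive and the retention value is compared as an integer.

```python
"""Evaluate Azure SQL and PostgreSQL flexible server settings against the database controls above.

Added example; server dicts are a flattened view (firewallRules, configurations,
publicNetworkAccess, administrators) of the ARM resources. Samples are constructed.
"""
import ipaddress

ANY_IP_START = ipaddress.ip_address("0.0.0.0")
ANY_IP_END = ipaddress.ip_address("255.255.255.255")


def classify_firewall_rule(rule: dict) -> str:
    """'azure-services' for the 0.0.0.0-0.0.0.0 sentinel, 'any-ip' for 0.0.0.0-255.255.255.255, else 'range'."""
    start = ipaddress.ip_address(rule["startIpAddress"])
    end = ipaddress.ip_address(rule["endIpAddress"])
    if start == ANY_IP_START and end == ANY_IP_START:
        return "azure-services"
    if start == ANY_IP_START and end == ANY_IP_END:
        return "any-ip"
    return "range"


def firewall_findings(rules: list) -> list:
    out = []
    for rule in rules:
        kind = classify_firewall_rule(rule)
        if kind == "any-ip":
            out.append(f"firewall rule '{rule['name']}' allows ingress from any IP")
        elif kind == "azure-services":
            out.append(f"firewall rule '{rule['name']}' allows all Azure services")
    return out


def _param(configurations: list, name: str) -> str:
    return next((c.get("value") or "" for c in configurations if c.get("name") == name), "")


def param_is_on(configurations: list, name: str) -> bool:
    # Server parameters are strings; Azure shows "ON"/"on" depending on the engine.
    return _param(configurations, name).strip().lower() == "on"


def param_int(configurations: list, name: str, default: int = 0) -> int:
    try:
        return int(_param(configurations, name))
    except ValueError:
        return default


def sql_server_findings(server: dict) -> list:
    out = firewall_findings(server.get("firewallRules", []))
    if server.get("publicNetworkAccess") != "Disabled":
        out.append("public network access is enabled")
    if (server.get("administrators") or {}).get("administratorType") != "ActiveDirectory":
        out.append("no Microsoft Entra administrator configured")
    return out


def postgres_flex_findings(server: dict) -> list:
    cfg = server.get("configurations", [])
    out = firewall_findings(server.get("firewallRules", []))
    for name in ("require_secure_transport", "log_checkpoints", "connection_throttle.enable"):
        if not param_is_on(cfg, name):
            out.append(f"server parameter '{name}' is not ON")
    # Compare as an integer rather than pattern-matching the string value.
    if param_int(cfg, "logfiles.retention_days") <= 3:
        out.append("server parameter 'logfiles.retention_days' is not greater than 3")
    return out


SAMPLE_SQL_SERVER = {  # constructed
    "name": "sql-example",
    "publicNetworkAccess": "Enabled",
    "administrators": {"administratorType": "ActiveDirectory", "login": "dba-group"},
    "firewallRules": [
        {"name": "office", "startIpAddress": "100.0.0.0", "endIpAddress": "100.0.0.255"},  # a real range, not a finding
        {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
        {"name": "everyone", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    ],
}

SAMPLE_PG_FLEX = {  # constructed
    "name": "pg-example",
    "firewallRules": [{"name": "AllowAllAzureServicesAndResourcesWithinAzureIps",
                       "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}],
    "configurations": [
        {"name": "require_secure_transport", "value": "ON"},
        {"name": "log_checkpoints", "value": "off"},
        {"name": "connection_throttle.enable", "value": "on"},
        {"name": "logfiles.retention_days", "value": "30"},
    ],
}

if __name__ == "__main__":
    for server, findings in ((SAMPLE_SQL_SERVER, sql_server_findings(SAMPLE_SQL_SERVER)),
                             (SAMPLE_PG_FLEX, postgres_flex_findings(SAMPLE_PG_FLEX))):
        for f in findings:
            print(f"FAIL {server['name']}: {f}")
```

On the constructed SQL server the "office" rule is correctly left alone while the any-IP and Allow-Azure-services rules and the enabled public endpoint are reported; on the PostgreSQL server only the Azure-services rule and log_checkpoints are findings, since a retention value of "30" is read as the number 30.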
Logging and Monitoring
This section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.
Mapped controls
Ensure a 'Diagnostic Setting' exists for Subscription Activity Logs
Ensure Diagnostic Setting captures appropriate categories
Ensure the storage account storing activity logs is encrypted with Customer Managed Key (CMK)
Ensure logging for Azure Key Vault is 'Enabled'
Ensure Network Security Group Flow logs are captured and sent to Log Analytics
Ensure logging for Azure AppService 'HTTP logs' is enabled
Ensure that Activity Log Alert exists for Create Policy Assignment
Ensure that Activity Log Alert exists for Delete Policy Assignment
Ensure that Activity Log Alert exists for Create or Update Network Security Group
Ensure that Activity Log Alert exists for Delete Network Security Group
Ensure that Activity Log Alert exists for Create or Update Security Solution
Ensure that Activity Log Alert exists for Delete Security Solution
Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
Ensure that Activity Log Alert exists for Delete Public IP Address rule
Ensure Application Insights are Configured
Networking
This section covers security recommendations to follow in order to set networking policies on an Azure subscription.
Mapped controls
Ensure management ports are restricted from the internet
Ensure UDP access from the Internet is evaluated and restricted
Ensure HTTP(S) access from the Internet is evaluated and restricted
Ensure Network Security Group Flow Log retention period is 'greater than 90 days'
Ensure Network Watchers are 'Enabled' for in-use Azure regions
Ensure Public IP addresses are Evaluated on a Periodic Basis (Manual)
Virtual Machines
This section covers security recommendations to follow for the configuration of Virtual Machines on an Azure subscription.
Mapped controls
Ensure an Azure Bastion Host Exists
Ensure Virtual Machines are utilizing Managed Disks
Ensure that 'OS and Data' disks are encrypted with Customer Managed Keys (CMK)
Ensure that 'Unattached disks' are encrypted with Customer Managed Keys (CMK)
Ensure 'Disk Network Access' is NOT set to 'Enable public access from all networks'
Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
Ensure Only Approved Extensions Are Installed (Manual)
Ensure that Endpoint Protection for all Virtual Machines is installed
[Legacy] Ensure that VHDs are Encrypted
Ensure only MFA enabled identities can access privileged Virtual Machine
Ensure Trusted Launch is enabled on Virtual Machines
AppService
This section covers security recommendations for Azure AppService.
Mapped controls
Ensure 'HTTPS Only' is set to 'On' for App Service
Ensure App Service Authentication is set up for apps in Azure App Service
Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
Ensure Web App is using the latest version of TLS encryption
Ensure Managed Identities Are Used for App Service
Ensure Basic SCM/FTP Authentication is 'Disabled' for App Service
Ensure that 'PHP version' is currently supported (if in use)
Ensure that 'Python version' is currently supported (if in use)
Ensure that 'Java version' is currently supported (if in use)
Ensure Web App Uses HTTP 2.0
Ensure Azure Key Vaults are used to store secrets
Ensure 'Remote debugging' is set to 'Off' for App Service
Miscellaneous
This section covers miscellaneous security recommendations that do not belong to any of the sections above.
Query logic
These are the stored checks tied to this framework.
Entra connectors with security defaults disabled
Expected check: eq []
{
connectors(where: { cloudProvider: "entra", securityDefaultsEnabled: false }) {
...AssetFragment
}
}
Entra users without MFA with privileged Azure assignments
Expected check: eq []
{
users(
where: {
mfaActive: false
OR: [
{
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
{
groups_SOME: {
iamRoleAssignments_SOME: {
OR: [
{ internalName_IN: ["Owner", "Contributor"] }
{ isClassicAdministratorAssignment: true }
]
}
}
}
]
}
) {
...AssetFragment
}
}
Entra Users Without MFA With Access to Azure
Expected check: eq []
{
users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
...AssetFragment
}
}
All Entra tenants
Expected check: eq []
{
connectors(where: {cloudProvider: "entra"}) {
...AssetFragment
}
}
Entra tenants without trusted IP Named Locations
Expected check: eq []
{
connectors(
where: { namedLocations_NONE: { type: "ipNamedLocation", isTrusted: true } }
) {
...AssetFragment
}
}
Entra Exclusionary Geographic Access Policy
Expected check: eq []
{
connectors(
where: {
conditionalAccessPolicies_NONE: {
conditions: {
includeUsers: ["All"]
includeApplications: ["All"]
clientAppTypes: ["all"]
NOT: { includeLocations: [] }
}
grantControls: { builtInControls: ["block"] }
}
}
) {
...AssetFragment
}
}
Entra Connectors Without Device Code Flow Exclusion Policy
Expected check: eq []
{
connectors(
where: {
conditionalAccessPolicies_NONE: {
conditions: {
includeUsers: ["All"]
includeApplications: ["All"]
clientAppTypes: ["all"]
authenticationFlowsTransferMethods_INCLUDES: "deviceCodeFlow"
}
grantControls: { builtInControls: ["block"] }
}
}
) {
...AssetFragment
}
}
Entra Conditional Access Policies - Admin MFA
Expected check: eq []
{
connectors(
where: {
cloudProvider: "entra"
conditionalAccessPolicies_NONE: {
conditions: {
NOT: {
excludeUsers: []
OR: { includeUsers: [], includeGroups: [], includeRoles: [] }
}
includeApplications: ["All"]
clientAppTypes: ["all"]
}
grantControls: { builtInControls: ["mfa"] }
}
}
) {
...AssetFragment
}
}
Entra Conditional Access Policies - MFA For All Users
Expected check: eq []
{
connectors(
where: {
conditionalAccessPolicies_NONE: {
conditions: {
includeUsers: ["All"]
NOT: { excludeUsers: [] }
includeApplications: ["All"]
clientAppTypes: ["all"]
}
grantControls: { builtInControls: ["mfa"] }
}
}
) {
...AssetFragment
}
}
Entra Conditional Access - MFA for Risky Sign-Ins
Expected check: eq []
{
connectors(
where: {
conditionalAccessPolicies_NONE: {
conditions: {
includeUsers: ["All"]
NOT: { excludeUsers: [] }
includeApplications: ["All"]
clientAppTypes: ["all"]
signInRiskLevels_INCLUDES: "high"
}
grantControls: { builtInControls: ["mfa"] }
sessionControls: {
signInFrequencyIsEnabled: true
signInFrequencyInterval: "everytime"
}
}
}
) {
...AssetFragment
}
}
Entra Conditional Access - MFA for Windows Azure Service Management API
Expected check: eq []
{
connectors(
where: {
conditionalAccessPolicies_NONE: {
conditions: {
includeUsers: ["All"]
NOT: { OR: { excludeUsers: [], excludeGroups: [], excludeRoles: [] } }
includeApplications: ["797f4846-ba00-4fd7-ba43-dac1f8f63013"]
clientAppTypes: ["all"]
}
grantControls: { builtInControls: ["mfa"] }
}
}
) {
...AssetFragment
}
}
Entra Conditional Access - MFA for Microsoft Admin Portals
Expected check: eq []
{
connectors(
where: {
conditionalAccessPolicies_NONE: {
conditions: {
includeUsers: ["All"]
NOT: { OR: { excludeUsers: [], excludeGroups: [], excludeRoles: [] } }
includeApplications: ["MicrosoftAdminPortals"]
clientAppTypes: ["all"]
}
grantControls: { builtInControls: ["mfa"] }
}
}
) {
...AssetFragment
}
}
Entra Non-Admin Users Can Create Tenants
Expected check: eq []
{
connectors(
where: { authorizationPolicy: { defaultUserAllowedToCreateTenants: true } }
) {
...AssetFragment
}
}
Entra Guest Users
Expected check: eq []
{
users(where: { userType: "Guest" }) {
...AssetFragment
}
}
Entra tenants allowing too many login attempts
Expected check: eq []
{
connectors(where: { passwordRuleSettings: { lockoutThreshold_GT: 10 } }) {
...AssetFragment
}
}
Entra tenants with low lockout duration
Expected check: eq []
{
connectors(where: { passwordRuleSettings: { lockoutDurationInSeconds_LT: 60 } }) {
...AssetFragment
}
}
Entra Tenants without custom password policies
Expected check: eq []
{
connectors(
where: { passwordRuleSettings: { enableBannedPasswordCheck: false } }
) {
...AssetFragment
}
}
Entra tenants that do not block user consent
Expected check: eq []
{
connectors(
where: {
authorizationPolicy: {
OR: [
{
defaultUserPermissionGrantPoliciesAssigned_INCLUDES: "ManagePermissionGrantsForSelf.microsoft-user-default-low"
}
{
defaultUserPermissionGrantPoliciesAssigned_INCLUDES: "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
}
]
}
}
) {
...AssetFragment
}
}
Entra tenants without consent allowed for verified publishers
Expected check: eq []
{
connectors(
where: {
authorizationPolicy: {
NOT: {
defaultUserPermissionGrantPoliciesAssigned_INCLUDES: "ManagePermissionGrantsForSelf.microsoft-user-default-low"
}
}
}
) {
...AssetFragment
}
}
Entra Tenants allowing users to register apps
Expected check: eq []
{
connectors(where: { directoryProperties: { usersCanRegisterApps: true } }) {
...AssetFragment
}
}
Entra tenants with permissive guest user restrictions
Expected check: eq []
{
connectors(
where: {
authorizationPolicy: {
NOT: { guestUserRoleId: "2af84b1e-32c8-42b7-82bc-daa82404023b" }
}
}
) {
...AssetFragment
}
}
Entra tenants with permissive guest invite restrictions
Expected check: eq []
{
connectors(
where: {
authorizationPolicy: {
NOT: { allowInvitesFrom: "adminsAndGuestInviters" }
}
}
) {
...AssetFragment
}
}
Entra tenants allowing users to create security groups
Expected check: eq []
{
connectors(
where: {
authorizationPolicy: { defaultUserAllowedToCreateSecurityGroups: true }
}
) {
...AssetFragment
}
}
Entra Tenants allowing Microsoft 365 group creation
Expected check: eq []
{
connectors(where: { groupUnifiedSettings: { enableGroupCreation: true } }) {
...AssetFragment
}
}
Entra tenants allowing device registration/join without MFA
Expected check: eq []
{
connectors(
where: {
deviceRegistrationPolicy: {
NOT: { multiFactorAuthConfiguration: "required" }
}
}
) {
...AssetFragment
}
}
Azure Custom Subscription Administrator Roles
Expected check: eq []
query ($subscriptionResourceId: String!) {
iamRoles(
where: {
type: "CustomRole"
permissions_INCLUDES: "*"
assignableScopes_INCLUDES: $subscriptionResourceId
}
) {
...AssetFragment
}
}
Azure IAM Custom roles with lock permission
Expected check: eq []
{
AzureConnectorsWithoutCustomLockRoles{
...AssetFragment
}
}
Azure connectors letting subscription into/out of the tenant
Expected check: eq []
{
connectors(
where: {
OR: [
{ blockSubscriptionsIntoTenant: false }
{ blockSubscriptionsLeavingTenant: false }
]
}
) {
...AssetFragment
}
}
Entra Tenants with too many global administrators
Expected check: eq []
{
EntraMultipleGlobalAdministrators {
...AssetFragment
}
}
Azure subscriptions with MCAS disabled
Expected check: eq []
{
connectors(
where: { dataExportSettings_SOME: { name: "MCAS", enabled: false } }
) {
...AssetFragment
}
}
Azure subscriptions without Microsoft Defender for Servers
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "VirtualMachines", pricingTier: "Free" } }
) {
...AssetFragment
}
}
Azure Connectors without server vulnerability providers
Expected check: eq []
{
connectors(where: { azureServersSettings_SOME: null }) {
...AssetFragment
}
}
Azure subscriptions with WDATP (endpoint protection) disabled
Expected check: eq []
{
connectors(
where: { dataExportSettings_SOME: { name: "WDATP", enabled: false } }
) {
...AssetFragment
}
}
Azure subscriptions without Microsoft Defender for Containers
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Containers", pricingTier: "Free" } }
) {
...AssetFragment
}
}
Azure Subscriptions without Microsoft Defender for Storage
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "StorageAccounts", pricingTier: "Free" } }
) {
...AssetFragment
}
}
Azure Subscriptions without Microsoft Defender for App Services
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "AppServices", pricingTier: "Free" } }
) {
...AssetFragment
}
}
Azure Subscriptions without Microsoft Defender for Cosmos DB
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "CosmosDbs", pricingTier: "Free" } }
) {
...AssetFragment
}
}
Azure Subscriptions without Microsoft Defender for Open-Source Relational Databases
Expected check: eq []
{
connectors(
where: {
pricing_SOME: {
name: "OpenSourceRelationalDatabases"
pricingTier: "Free"
}
}
) {
...AssetFragment
}
}
Azure Subscriptions without Microsoft Defender for Azure SQL
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "SqlServers", pricingTier: "Free" } }
) {
...AssetFragment
}
}
Azure Subscriptions without Microsoft Defender for SQL Servers on Machines
Expected check: eq []
{
connectors(
where: {
pricing_SOME: { name: "SqlServerVirtualMachines", pricingTier: "Free" }
}
) {
...AssetFragment
}
}
Azure Subscriptions without Microsoft Defender for Key Vault
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "KeyVaults", pricingTier: "Free" } }
) {
...AssetFragment
}
}
Azure Subscriptions without Microsoft Defender for Resource Manager
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Arm", pricingTier: "Free" } }
) {
...AssetFragment
}
}
Azure connectors without subscription owner notifications
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { notificationByRoleState: "Off" } }
{
NOT: {
securityContacts_SOME: { notificationRoles_INCLUDES: "Owner" }
}
}
]
}
) {
...AssetFragment
}
}
Azure connectors without security contact additional email addresses
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { email: null } }
{ securityContacts_SOME: { email: "" } }
]
}
) {
...AssetFragment
}
}
Azure connectors without notifications for high alerts
Expected check: eq []
{
connectors(
where: {
OR: [
{ securityContacts_SOME: null }
{ securityContacts_SOME: { alertNotifications: false } }
]
}
) {
...AssetFragment
}
}
Azure Subscriptions without Microsoft Defender for DNS
Expected check: eq []
{
connectors(
where: { pricing_SOME: { name: "Dns", pricingTier: "Free" } }
) {
...AssetFragment
}
}
Azure Key Vault Keys without expiration date
Expected check: eq []
{
kmsKeys(where: { expiration: "0000-01-01T00:00:00.000Z" }) {
...AssetFragment
}
}
Azure Key Vault secrets without expiration date
Expected check: eq []
{
kmsSecrets(where: { expires: "0000-01-01T00:00:00.000Z" }) {
...AssetFragment
}
}
The key vault is recoverable
Expected check: eq []
{
kmsVaults(
where: {
OR: [
{ enableSoftDelete_NOT: true }
{ enablePurgeProtection_NOT: true }
]
}
) {
...AssetFragment
}
}
Azure key vaults not using RBAC
Expected check: eq []
{
kmsVaults(where: { enableRbacAuthorization: false }) {
...AssetFragment
}
}
Azure key vaults without private endpoints
Expected check: eq []
{
kmsVaults(where: { privateEndpoints_SOME: null }) {
...AssetFragment
}
}
Azure Key Vault keys without automatic rotation
Expected check: eq []
{
kmsKeys(where: { automaticRotationEnabled: false }) {
...AssetFragment
}
}
Azure storage accounts not enforcing HTTPS
Expected check: eq []
{
storageAccounts(where: { NOT: { supportsHttpsTrafficOnly: true } }) {
...AssetFragment
}
}
Azure Storage Accounts Without Infrastructure Encryption
Expected check: eq []
{
storageAccounts(where: { requireInfrastructureEncryption: false }) {
...AssetFragment
}
}
Azure Storage Accounts Without Key Rotation Reminders
Expected check: eq []
{
storageAccounts(where: { keyExpirationPeriodInDays: 0 }) {
...AssetFragment
}
}
Storage account access keys are periodically regenerated
Expected check: eq []
{
StorageAccountsWithOldKeys {
...AssetFragment
}
}
Azure Storage Accounts Without SAS Expiration Policy
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ sasPolicyExpirationAction: "" }
{
AND: [
{ NOT: { sasPolicySasExpirationPeriod_STARTS_WITH: "0.00" } }
{ NOT: { sasPolicySasExpirationPeriod: "0.01:00:00" } }
]
}
]
}
) {
...AssetFragment
}
}
Azure Storage Accounts Allowing Public Network Access
Expected check: eq []
{
storageAccounts(where: { NOT: { publicNetworkAccess: "Disabled" } }) {
...AssetFragment
}
}
Storage accounts with the default action not set to Deny
Expected check: eq []
{
storageAccounts(where: { NOT: { networkRuleSetDefaultAction: "Deny" } }) {
...AssetFragment
}
}
Storage accounts not allowing access from trusted Azure Services
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ AND: [{ networkRuleSetDefaultAction_CONTAINS: "Allow" }] }
{
AND: [
{ networkRuleSetDefaultAction_CONTAINS: "Deny" }
{ NOT: { networkRuleSetBypass_CONTAINS: "AzureServices" } }
]
}
]
}
) {
...AssetFragment
}
}
Azure Storage Accounts Without Private Endpoints
Expected check: eq []
{
storageAccounts(
where: {
privateEndpoints_NONE: {
type: "Microsoft.Storage/storageAccounts/privateEndpointConnections"
}
}
) {
...AssetFragment
}
}
Azure Storage Accounts Without Soft Delete
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ blobServiceDeletePolicyEnabled: false }
{ blobServiceDeletePolicyDays: 0 }
{ containerDeleteRetentionPolicyEnabled: false }
{ containerDeleteRetentionPolicyDays: 0 }
]
}
) {
...AssetFragment
}
}
Storage for critical data is encrypted with Customer Managed Key
Expected check: eq []
{
storageAccounts(where: { byokEncrypted_NOT: true }) {
...AssetFragment
}
}
Azure storage accounts without queue service diagnostic settings logging
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isQueueServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/queueServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/queueServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}
Storage Accounts without Blob Diagnostic Settings
Expected check: eq []
{
storageAccounts(
where: {
OR: [
{ isBlobServicesDiagnosticsSettingsEnabled: false }
{
AND: [
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
AND: [
{ logs_SINGLE: { enabled: true, category: "StorageRead" } }
{ logs_SINGLE: { enabled: true, category: "StorageWrite" } }
{ logs_SINGLE: { enabled: true, category: "StorageDelete" } }
]
}
}
{
diagnosticSettings_NONE: {
resourceType: "Microsoft.Storage/storageAccounts/blobServices"
logs_SOME: {
enabled: true
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
]
}
) {
...AssetFragment
}
}
Azure Storage Accounts Without Minimum TLS 1.2
Expected check: eq []
{
storageAccounts(where: { minimumTlsVersion_IN: ["TLS1_0", "TLS1_1"] }) {
...AssetFragment
}
}
Azure Storage Accounts Allowing Cross Tenant Replication
Expected check: eq []
{
storageAccounts(where: { allowCrossTenantReplication: true }) {
...AssetFragment
}
}
Azure Storage Accounts Allowing Blob Public Access
Expected check: eq []
{
storageAccounts(where: { allowBlobPublicAccess: true }) {
...AssetFragment
}
}
Azure SQL Servers without auditing
Expected check: eq []
{
sqlServers(where: { blobAuditingPolicies_NONE: { state: "Enabled" } }) {
...AssetFragment
}
}
No Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Expected check: eq []
{
sqlServers(where: { firewallRules_SOME: { startIpAddress_CONTAINS: "0.0.0.0" } }) {
...AssetFragment
}
}
Azure SQL Servers without TDE protector key encrypted with CMK
Expected check: eq []
{
sqlServers(
where: {
OR: [
{ encryptionProtector: null }
{ encryptionProtector: { serverKeyType: "ServiceManaged" } }
]
}
) {
...AssetFragment
}
}
Azure SQL Servers without Entra admin
Expected check: eq []
{
sqlServers(
where: {
NOT: { entraAdministrator: { administratorType: "ActiveDirectory" } }
}
) {
...AssetFragment
}
}
'Data encryption' is set to 'On' on a SQL Database
Expected check: eq []
{
sqlDatabases(where: { encrypted: false }) {
...AssetFragment
}
}
Azure SQL Servers with audit retention less than 90 days
Expected check: eq []
{
sqlServers(
where: {
blobAuditingPolicies_NONE: {
state: "Enabled"
OR: [{ retentionDays: 0 }, { retentionDays_GT: 90 }]
}
}
) {
...AssetFragment
}
}
Azure SQL Servers allowing public access
Expected check: eq []
{
sqlServers(where: { publicNetworkAccess: "Enabled" }) {
...AssetFragment
}
}
Azure PostgreSQL Flex Servers Without Secure Transport
Expected check: eq []
{
postgreSqlFlexibleServers(
where: {
configurations_SOME: {
name: "require_secure_transport"
value_MATCHES: "(?i)off"
}
}
) {
...AssetFragment
}
}
Azure PostgreSQL Flex Servers Without Log Checkpoints
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers(
where: {
configurations_SOME: {
name: "log_checkpoints"
value_MATCHES: "(?i)off"
}
}
) {
...AssetFragment
}
}
Azure PostgreSQL Flex Servers Without Connection Throttling
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers(
where: {
configurations_SOME: {
name: "connection_throttle.enable"
value_MATCHES: "(?i)off"
}
}
) {
...AssetFragment
}
}
Azure PostgreSQL Flex Servers with low logfiles retention days
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers(
where: {
configurations_SOME: {
name: "logfiles.retention_days"
value_MATCHES: "[0-3]"
}
}
) {
...AssetFragment
}
}
'Allow access to Azure services' for PostgreSQL Database Server is disabled
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
firewallRules_SOME: {
OR: [
{ name_MATCHES: "(?i)allowallwindowsazureips" }
{ name_MATCHES: "(?i)allowallazureips" }
{ AND: [{ startIPAddress: "0.0.0.0" }, { endIPAddress: "0.0.0.0" }] }
]
}
}
) {
...AssetFragment
}
}
Ensure 'Allow access to Azure services' for PostgreSQL Database Flexible Server is disabled
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers(
where: {
firewallRules_SOME: {
OR: [
{ name_MATCHES: "(?i)allowallwindowsazureips" }
{ name_MATCHES: "(?i)allowallazureips" }
{ AND: [{ startIPAddress: "0.0.0.0" }, { endIPAddress: "0.0.0.0" }] }
]
}
}
) {
...AssetFragment
}
}
Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
configurations_SOME: { name: "log_connections", value_MATCHES: "(?i)off" }
}
) {
...AssetFragment
}
}
Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
configurations_SOME: {
name: "log_disconnections"
value_MATCHES: "(?i)off"
}
}
) {
...AssetFragment
}
}
Azure MySQL Flex Servers Without Secure Transport
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers(
where: {
configurations_SOME: {
name: "require_secure_transport"
value_MATCHES: "(?i)off"
}
}
) {
...AssetFragment
}
}
Azure MySQL Flexible Servers allowing old TLS versions
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers(
where: {
configurations_SOME: {
name: "tls_version"
OR: [{ value_CONTAINS: "TLSv1.0" }, { value_CONTAINS: "TLSv1.1" }]
}
}
) {
...AssetFragment
}
}
Azure MySQL Flex Servers without audit log
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers(
where: {
configurations_SOME: {
name: "audit_log_enabled"
value_MATCHES: "(?i)off"
}
}
) {
...AssetFragment
}
}
Azure MySQL Flex Servers not logging connections
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers(
where: {
configurations_SOME: {
name: "audit_log_events"
NOT: { value_CONTAINS: "CONNECTION" }
}
}
) {
...AssetFragment
}
}
Azure Cosmos DB Accounts Allowing All Networks
Connectors
Covered asset types
Expected check: eq []
{
cosmosDbAccounts(where: { isVirtualNetworkFilterEnabled: false }) {
...AssetFragment
}
}
Azure Cosmos DB accounts without private endpoints
Connectors
Covered asset types
Expected check: eq []
{
cosmosDbAccounts(where: { privateEndpoints_SOME: null }) {
...AssetFragment
}
}
Azure Cosmos DB Accounts allowing local auth
Connectors
Covered asset types
Expected check: eq []
{
cosmosDbAccounts(where: { disableLocalAuth: false }) {
...AssetFragment
}
}
Azure subscriptions without diagnostic settings
Connectors
Covered asset types
Expected check: eq []
{
subscriptionDiagnosticSettings(
where: {
OR: [
{ logSettings_SOME: null }
{
logSettings_SOME: {
category_IN: ["Administrative", "Alert", "Policy", "Security"]
enabled: false
}
}
]
}
) {
...AssetFragment
}
}
Diagnostic Setting captures appropriate categories
Connectors
Covered asset types
Expected check: eq []
{
subscriptionDiagnosticSettings(
where: {
logSettings_SOME: {
category_IN: ["Administrative", "Alert", "Policy", "Security"]
enabled: false
}
}
) {
...AssetFragment
}
}
Azure Subscription Diagnostic Settings Without CMK
Connectors
Covered asset types
Expected check: eq []
{
storageAccounts(
where: {
NOT: { destinationForSubscriptionDiagnosticSettings_SOME: null }
byokEncrypted: false
}
) {
...AssetFragment
}
}
Key Vaults without Diagnostic Settings
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where: {
OR: [
{ loggingEnabled: false }
{
diagnosticSettings_SOME: {
resourceType: "Microsoft.KeyVault/vaults"
logs_SOME: {
enabled: false
categoryGroup_IN: ["audit", "allLogs"]
}
}
}
]
}
) {
...AssetFragment
}
}
Azure Flow Logs for NSGs without Log Analytics
Connectors
Covered asset types
Expected check: eq []
{
flowLogs(
where: {
targetResourceID_CONTAINS: "networkSecurityGroups"
trafficAnalyticsEnabled: false
}
) {
...AssetFragment
}
}
Azure App Services (Sites) without HTTP logging
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: {
diagnosticSettings_SOME: {
logs_SOME: { enabled: false, category: "AppServiceHTTPLogs" }
}
}
) {
...AssetFragment
}
}
Activity Log Alert exists for Create Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.authorization/policyassignments/write"
) {
...AssetFragment
}
}
Activity Log Alert exists for Delete Policy Assignment
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.authorization/policyassignments/delete"
) {
...AssetFragment
}
}
Activity Log Alert exists for Create or Update Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.network/networksecuritygroups/write"
) {
...AssetFragment
}
}
Activity Log Alert exists for Delete Network Security Group
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.network/networksecuritygroups/delete"
) {
...AssetFragment
}
}
Activity Log Alert exists for Create or Update Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.security/securitysolutions/write"
) {
...AssetFragment
}
}
Activity Log Alert exists for Delete Security Solution
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.security/securitysolutions/delete"
) {
...AssetFragment
}
}
Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.sql/servers/firewallrules/write"
) {
...AssetFragment
}
}
Activity Log Alert exists for Delete SQL Server Firewall Rule
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.sql/servers/firewallrules/delete"
) {
...AssetFragment
}
}
Activity Log Alert exists for Create or Update Public IP Address
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.network/publicIPAddresses/write") {
...AssetFragment
}
}
Activity Log Alert exists for Delete Public IP Address
Connectors
Covered asset types
Expected check: eq []
query ($subscriptionResourceId: String!) {
AzureActivityLogAlertsForAction(
subscriptionResourceId: $subscriptionResourceId
equals: "microsoft.network/publicIPAddresses/delete") {
...AssetFragment
}
}
Azure Connectors without Application Insights
Connectors
Covered asset types
Expected check: eq []
{
connectors(where: { cloudProvider: "azure", applicationInsights_SOME: null }) {
...AssetFragment
}
}
Security Groups with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
Firewalls with management ports not restricted from the internet
Connectors
Covered asset types
Expected check: eq []
{
firewalls(
where: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
) {
...AssetFragment
}
}
Azure NSGs allowing UDP traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
protocol: "UDP"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 53, destToPort_GTE: 53 }
{ destFromPort_LTE: 123, destToPort_GTE: 123 }
{ destFromPort_LTE: 161, destToPort_GTE: 161 }
{ destFromPort_LTE: 389, destToPort_GTE: 389 }
{ destFromPort_LTE: 1900, destToPort_GTE: 1900 }
]
}
]
}
}
) {
...AssetFragment
}
}
Azure NSGs allowing HTTP(S) traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
protocol: "TCP"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 80, destToPort_GTE: 80 }
{ destFromPort_LTE: 443, destToPort_GTE: 443 }
]
}
]
}
}
) {
...AssetFragment
}
}
Azure NSG Flow Logs with retention shorter than 90 days
Connectors
Covered asset types
Expected check: eq []
{
flowLogs(
where: {
targetResourceID_CONTAINS: "networkSecurityGroups"
retentionPolicyDays_LT: 90
}
) {
...AssetFragment
}
}
Azure Connectors without network watchers in all used regions
Connectors
Covered asset types
Expected check: eq []
{
AzureRegionsWithoutNetworkWatcher {
...AssetFragment
}
}
Azure Public IP addresses
Connectors
Covered asset types
Expected check: eq []
{
staticIps {
...AssetFragment
}
}
Azure connectors without Bastion Hosts
Connectors
Covered asset types
Expected check: eq []
{
connectors(where: { cloudProvider: "azure", bastionHosts_SOME: null }) {
...AssetFragment
}
}
Azure VMs with unmanaged disks
Connectors
Covered asset types
Expected check: eq []
{
vms(where: { diskAttachments_SOME: { NOT: { vhdURI: "" } } }) {
...AssetFragment
}
}
'OS and Data' disks are encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{
vms(where: { diskAttachments_SOME: { disk: { encryptionKey: null } } }) {
...AssetFragment
}
}
'Unattached disks' are encrypted with CMK
Connectors
Covered asset types
Expected check: eq []
{
disks(where: { diskState_MATCHES: "(?i)unattached", encryptionKey: null }) {
...AssetFragment
}
}
Azure Disks allowing public access from all networks
Connectors
Covered asset types
Expected check: eq []
{
disks(where: { networkAccessPolicy: "AllowAll" }) {
...AssetFragment
}
}
Azure disks without data access authentication mode
Connectors
Covered asset types
Expected check: eq []
{
disks(where: { dataAccessAuthMode: "None" }) {
...AssetFragment
}
}
Azure VMs with extensions
Connectors
Covered asset types
Expected check: eq []
{
vms(where: { NOT: { extensions_SOME: null } }) {
...AssetFragment
}
}
Azure unmanaged disks
Connectors
Covered asset types
Expected check: eq []
{
disks(where: { diskAttachments: { NOT: { vhdURI: "" } } }) {
...AssetFragment
}
}
Azure Privileged VMs accessible by users without MFA
Connectors
Covered asset types
Expected check: eq []
{
PrivilegedVMsAccessibleByUsersWithoutMFA {
...AssetFragment
}
}
Azure VMs without boot security settings
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
OR: [
{ securityProfileUefiSettingsSecureBootEnabled: false }
{ securityProfileUefiSettingsVTpmEnabled: false }
]
}
) {
...AssetFragment
}
}
Azure app services allowing plain HTTP
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { httpsOnly: false }) {
...AssetFragment
}
}
Azure App Services without authentication
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { authSettings: { enabled: true } }) {
...AssetFragment
}
}
Azure App Services allowing plain FTP deployments
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { ftpsState: "AllAllowed" } }) {
...AssetFragment
}
}
Azure app services allowing old TLS
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { NOT: { minTlsVersion_IN: ["1.2", "1.3"] } } }) {
...AssetFragment
}
}
Azure App Service apps without managed identity
Connectors
Covered asset types
Expected check: eq true
{
sites(where: { managedIdentities_SOME: null }) {
...AssetFragment
}
}
Azure App Service sites allowing basic publishing auth
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: {
basicPublishingCredentials_SOME: {
OR: [{ name: "ftp", allowed: true }, { name: "scm", allowed: true }]
}
}
) {
...AssetFragment
}
}
Azure app services running unsupported PHP versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { phpVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}
Azure app services running unsupported Python versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { pythonVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}
Azure app services running unsupported Java versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { javaVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}
Azure App Service apps without HTTP 2.0
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { http20Enabled: false } }) {
...AssetFragment
}
}
FunctionApps with secrets that are not keyvault references
Connectors
Covered asset types
Expected check: eq []
{
functionApps(
where: {
applicationConfig: {
settings_SOME: {
type: "AppService"
key_MATCHES: "(.*)(_*?)(key|pass|secret|salt|connectionstring|connection_string)(.*)"
}
}
}
) {
...AssetFragment
}
}
Sites with secrets that are not keyvault references
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: {
applicationConfig: {
settings_SOME: {
type: "AppService"
key_MATCHES: "(.*)(_*?)(key|pass|secret|salt|connectionstring|connection_string)(.*)"
}
}
}
) {
...AssetFragment
}
}
Azure App Services with remote debugging enabled
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { siteConfig: { remoteDebuggingEnabled: true } }) {
...AssetFragment
}
}