CIS Azure Foundations Benchmark, continuously evidenced.
The CIS Microsoft Azure Foundations Benchmark v5.0.0 defines 155 security controls covering Azure subscription configuration: Identity and Access Management, Microsoft Defender for Cloud, Storage Accounts, Database services, Logging and Monitoring, Networking, Virtual Machines, and Key Vault. CISGuard scans Azure subscriptions agentlessly via the Azure Resource Manager API, with per-subscription posture reporting and cross-subscription rollup.
Azure Foundations benchmark at a glance.
- Benchmark version: v5.0.0
- Total controls: 155
- Scan type: Agentless
- Available tier: Pro and above
- Category: Cloud
- Drift detection: Yes, between every scheduled scan
What this benchmark actually covers.
- Identity + Access Management (Entra ID)
- Microsoft Defender for Cloud configuration
- Storage Accounts (encryption, access, network)
- Database services (Azure SQL, Cosmos DB, etc.)
- Logging + Monitoring (Activity Log, Diagnostic Settings)
- Networking (NSG, Firewall, DDoS Protection)
- Virtual Machines + Azure Disk Encryption
- Key Vault configuration
Azure Foundations questions, answered directly.
How does CISGuard scan Azure agentlessly?
CISGuard uses a service principal with read-only permissions across the Azure subscriptions in scope. It queries the Azure Resource Manager API for configuration evidence; no agents are deployed to Azure resources. Scans typically complete in 5-15 minutes per subscription, depending on resource count.
Can CISGuard scan multiple Azure subscriptions and tenants?
Yes. CISGuard supports management group hierarchies with multiple Azure subscriptions. Cross-subscription rollup aggregates posture for enterprise-wide reporting. Multi-tenant Azure environments (common after acquisitions) can be configured with per-tenant service principals.
Does CISGuard support Azure Government and Azure Sovereign Cloud?
Yes. CISGuard supports Azure Commercial, Azure Government (USGov), Azure China, and Azure UAE North as sovereign deployments. The benchmark applies uniformly across clouds; endpoints differ. Azure Government and sovereign-cloud customers get the same Framework Coverage Reports as commercial customers.
Want an Azure Foundations scan of your environment?
Our compliance engineers will scope your environment and quote within one business day of an initial briefing.