Using Active Directory Smart Queries
AD Smart Queries ship as part of the Active Directory Assessment License. The AD Smart
Read MoreAlmost all CIS tests are automated with SmartProfiler for Azure CIS Assessment.
Detailed reporting includes information about each CIS Test and Step-By-Step Recommendations to fix the issues.
Other than CIS, SmartProfiler for Azure Entra ID/Azure-Infra and CIS includes other tests. We offer 236 tests that cover every facet of Microsoft Azure.
SmartProfiler for Microsoft Azure includes assessment tests for Azure-Infra and Azure Entra ID to ensure all aspects of Azure is covered and tested.
SmartProfiler for Microsoft Azure CIS Assessment is an automated Risk & Compliance assessment solution to help you significantly improve your Microsoft Azure security posture. SmartProfiler for Microsoft Azure CIS Assessment follows CIS-Workbench controls (Version 2.1.0) and other tests designed by our Microsoft Azure Experts. The Azure CIS Assessment tool also covers tests designed for Microsoft Entra ID, Azure Infrastructure and Syncronization.
The Center for Internet Security is a nonprofit entity whose mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’ It draws on the expertise of cybersecurity and IT professionals from government, business, and academia from around the world. To develop standards and best practices, including CIS benchmarks, controls, and hardened images, they follow a consensus decision-making model. SmartProfiler is designed to support CIS Standards designed for Microsoft 365 and Azure Assessments.
SmartProfiler for Microsoft Azure CIS requires a Service Principal Account with necessary read-only permissions to execute all tests.
SmartProfiler needs to use an Azure Service Principal in order to read information from Azure Tenant and be able to provide results to each test in the Assessment Dashboard. The SPN can be pre-configured. However, all required permissions need to be assigned to SPN.
PowerShell modules are already included in the product, so installing them is not necessary before running the assessment. Before beginning the assessment, the product automatically imports PowerShell modules.
SmartProfiler is a read-only product, and no write operation is ever made to the target while it is being assessed.
SmartProfiler for Microsoft 365 CIS Assessment is simple to use and execute in four-steps.
It depends on the number of resources in the Microsoft Azure Tenant. It typically takes 1-2 hours to perform CIS Assessment for a Tenant having 800 resources.
SmartProfiler for Azure CIS Assessment is a read-only product.
Since SmartProfiler generates reports in Microsoft Word format, you can re-brand reports.
SmartProfiler is designed to support multiple Microsoft Azure Tenants. You can add unlimited Azure Tenants in the tool. However, each Azure Tenant requires a license before the assessment can be done.
Here is the list of tests included with SmartProfiler for Microsoft Azure CIS Assessment. SmartProfiler offers additional tests which are not included in CIS V2.1.0 list.
| Category | CISWB | Test |
| Identity and Access Management-Security Defaults | CIS v2.1.0 | Ensure Security Defaults is enabled on Microsoft Entra ID |
| Identity and Access Management-Security Defaults | CIS v2.1.0 | Ensure that Multi-Factor Auth Status is Enabled for all Privileged Users |
| Identity and Access Management-Security Defaults | CIS v2.1.0 | Ensure that Multi-Factor Auth Status is Enabled for all Non-Privileged Users |
| Identity and Access Management-Security Defaults | CIS v2.1.0 | Ensure that Allow users to remember multi-factor authentication on devices they trust is Disabled |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure Trusted Locations Are Defined |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that an exclusionary Geographic Access Policy is considered |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that A Multi-factor Authentication Policy Exists for All Users |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure Multi-factor Authentication is Required for Risky Sign-ins |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure Multifactor Authentication is Required for Windows Azure Service Management API |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure Multifactor Authentication is Required to access Microsoft Admin Portals |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that Restrict non-admin users from creating tenants is set to Yes |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure Guest Users Are Reviewed on a Regular Basis |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure That Number of methods required to reset is set to 2 |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that a Custom Bad Password List is set to Enforce for your Organization |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that Number of days before users are asked to reconfirm their authentication information is not set to 0 |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that Notify users on password resets is set to Yes |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure That Notify all admins when other admins reset their password is set to Yes |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure User consent for applications is set to Do not allow user consent |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure User consent for applications Is Set To Allow for Verified Publishers |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that Users can add gallery apps to My Apps is set to No |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure That Users Can Register Applications Is Set to No |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure That Guest users access restrictions is set to Guest user access is restricted to properties and memberships of their own directory objects |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that Guest invite restrictions is set to Only users assigned to specific admin roles can invite guest users |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure That Restrict access to Microsoft Entra admin center is Set to Yes |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that Restrict user ability to access groups features in the Access Pane is Set to Yes |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that Users can create security groups in Azure portals API or PowerShell is set to No |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that Owners can manage group membership requests in the Access Panel is set to No |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that Users can create Microsoft 365 groups in Azure portals API or PowerShell is set to No |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure that Require Multi-Factor Authentication to register or join devices with Microsoft Entra ID is set to Yes |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure That No Custom Subscription Administrator Roles Exist |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure That Subscription leaving Microsoft Entra ID directory and Subscription entering Microsoft Entra ID directory Is Set To Permit No One |
| Identity and Access Management-Conditional Access | CIS v2.1.0 | Ensure fewer than 5 users have global administrator assignment |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That Microsoft Defender for Servers Is Set to On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That Microsoft Defender for App Services Is Set To On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That Microsoft Defender for -Managed Instance- Azure SQL Databases Is Set To On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That Microsoft Defender for Azure Cosmos DB Is Set To On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That Microsoft Defender for Storage Is Set To On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That Microsoft Defender for Containers Is Set To On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That Microsoft Defender for Key Vault Is Set To On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That Microsoft Defender for DNS Is Set To On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That Microsoft Defender for Resource Manager Is Set To On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure that Microsoft Defender Recommendation for Apply system updates status is Completed |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure that Microsoft Cloud Security Benchmark policies are not set to Disabled |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure that Auto provisioning of Log Analytics agent for Azure VMs is Set to On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure that Auto provisioning of Vulnerability assessment for machines is Set to On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure that Auto provisioning of Microsoft Defender for Containers components is Set to On |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That All users with the following roles is set to Owner |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure Additional email addresses is Configured with a Security Contact Email |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure That Notify about alerts with the following severity is Set to High |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected |
| Microsoft Defender -Microsoft Defender for Cloud | CIS v2.1.0 | Ensure that Microsoft Defender External Attack Surface Monitoring -EASM- is enabled |
| Microsoft Defender -Microsoft Defender for IoT | CIS v2.1.0 | Ensure That Microsoft Defender for IoT Hub Is Set To On |
| Storage Accounts | CIS v2.1.0 | Ensure that Secure transfer required is set to Enabled |
| Storage Accounts | CIS v2.1.0 | Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled |
| Storage Accounts | CIS v2.1.0 | Ensure that Enable key rotation reminders is enabled for each Storage Account |
| Storage Accounts | CIS v2.1.0 | Ensure that Storage Account Access Keys are Periodically Regenerated |
| Storage Accounts | CIS v2.1.0 | Ensure Storage Logging is Enabled for Queue Service for Read Write and Delete requests |
| Storage Accounts | CIS v2.1.0 | Ensure that Shared Access Signature Tokens Expire Within an Hour |
| Storage Accounts | CIS v2.1.0 | Ensure that Public Network Access is Disabled for storage accounts |
| Storage Accounts | CIS v2.1.0 | Ensure Default Network Access Rule for Storage Accounts is Set to Deny |
| Storage Accounts | CIS v2.1.0 | Ensure Allow Azure services on the trusted services list to access this storage account is Enabled for Storage Account Access |
| Storage Accounts | CIS v2.1.0 | Ensure Private Endpoints are used to access Storage Accounts |
| Storage Accounts | CIS v2.1.0 | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage |
| Storage Accounts | CIS v2.1.0 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys -CMK- |
| Storage Accounts | CIS v2.1.0 | Ensure Storage logging is Enabled for Blob Service for Read Write and Delete requests |
| Storage Accounts | CIS v2.1.0 | Ensure Storage Logging is Enabled for Table Service for Read Write and Delete Requests |
| Storage Accounts | CIS v2.1.0 | Ensure the Minimum TLS version for storage accounts is set to Version 1.2 |
| Storage Accounts | CIS v2.1.0 | Ensure Cross Tenant Replication is not enabled |
| Storage Accounts | CIS v2.1.0 | Ensure that Allow Blob Anonymous Access is set to Disabled |
| Database Services-SQL Server – Auditing | CIS v2.1.0 | Ensure that Auditing is set to On |
| Database Services-SQL Server – Auditing | CIS v2.1.0 | Ensure no Azure SQL Databases allow ingress from 0.0.0.0_0 -ANY IP- |
| Database Services-SQL Server – Auditing | CIS v2.1.0 | Ensure SQL servers Transparent Data Encryption -TDE- protector is encrypted with Customer-managed key |
| Database Services-SQL Server – Auditing | CIS v2.1.0 | Ensure that Microsoft Entra authentication is Configured for SQL Servers |
| Database Services-SQL Server – Auditing | CIS v2.1.0 | Ensure that Data encryption is set to On on a SQL Database |
| Database Services-SQL Server – Auditing | CIS v2.1.0 | Ensure that Auditing Retention is greater than 90 days |
| Database Services-SQL Server – PostgreSQL Database Server | CIS v2.1.0 | Ensure Enforce SSL connection is set to ENABLED for PostgreSQL Database Server |
| Database Services-SQL Server – PostgreSQL Database Server | CIS v2.1.0 | Ensure Server Parameter log_checkpoints is set to ON for PostgreSQL Database Server |
| Database Services-SQL Server – PostgreSQL Database Server | CIS v2.1.0 | Ensure server parameter log_connections is set to ON for PostgreSQL Database Server |
| Database Services-SQL Server – PostgreSQL Database Server | CIS v2.1.0 | Ensure server parameter log_disconnections is set to ON for PostgreSQL Database Server |
| Database Services-SQL Server – PostgreSQL Database Server | CIS v2.1.0 | Ensure server parameter connection_throttling is set to ON for PostgreSQL Database Server |
| Database Services-SQL Server – PostgreSQL Database Server | CIS v2.1.0 | Ensure Server Parameter log_retention_days is greater than 3 days for PostgreSQL Database Server |
| Database Services-SQL Server – PostgreSQL Database Server | CIS v2.1.0 | Ensure Allow access to Azure services for PostgreSQL Database Server is disabled |
| Database Services-SQL Server – PostgreSQL Database Server | CIS v2.1.0 | Ensure Infrastructure double encryption for PostgreSQL Database Server is Enabled |
| Database Services-SQL Server – MySQL Database | CIS v2.1.0 | Ensure Enforce SSL connection is set to Enabled for Standard MySQL Database Server |
| Database Services-SQL Server – MySQL Database | CIS v2.1.0 | Ensure TLS Version is set to TLSV1.2 -or higher- for MySQL flexible Database Server |
| Database Services-SQL Server – MySQL Database | CIS v2.1.0 | Ensure server parameter audit_log_enabled is set to ON for MySQL Database Server |
| Database Services-SQL Server – MySQL Database | CIS v2.1.0 | Ensure server parameter audit_log_events has CONNECTION set for MySQL Database Server |
| Database Services-SQL Server – Cosmos DB | CIS v2.1.0 | Ensure That Firewalls-Networks Is Limited to Use Selected Networks Instead of All Networks |
| Database Services-SQL Server – Cosmos DB | CIS v2.1.0 | Ensure That Private Endpoints Are Used Where Possible |
| Database Services-SQL Server – Cosmos DB | CIS v2.1.0 | Use Entra ID Client Authentication and Azure RBAC where possible |
| Logging and Monitoring-Configuring Diagnostic Settings | CIS v2.1.0 | Ensure that a Diagnostic Setting exists for Subscription Activity Logs |
| Logging and Monitoring-Configuring Diagnostic Settings | CIS v2.1.0 | Ensure Diagnostic Setting captures appropriate categories |
| Logging and Monitoring-Configuring Diagnostic Settings | CIS v2.1.0 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key -CMK- |
| Logging and Monitoring-Configuring Diagnostic Settings | CIS v2.1.0 | Ensure that logging for Azure Key Vault is Enabled |
| Logging and Monitoring-Configuring Diagnostic Settings | CIS v2.1.0 | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics |
| Logging and Monitoring-Configuring Diagnostic Settings | CIS v2.1.0 | Ensure that logging for Azure AppService HTTP logs is enabled |
| Logging and Monitoring-Monitoring using Activity Log Alerts | CIS v2.1.0 | Ensure that Activity Log Alert exists for Create Policy Assignment |
| Logging and Monitoring-Monitoring using Activity Log Alerts | CIS v2.1.0 | Ensure that Activity Log Alert exists for Delete Policy Assignment |
| Logging and Monitoring-Monitoring using Activity Log Alerts | CIS v2.1.0 | Ensure that Activity Log Alert exists for Create or Update Network Security Group |
| Logging and Monitoring-Monitoring using Activity Log Alerts | CIS v2.1.0 | Ensure that Activity Log Alert exists for Delete Network Security Group |
| Logging and Monitoring-Monitoring using Activity Log Alerts | CIS v2.1.0 | Ensure that Activity Log Alert exists for Create or Update Security Solution |
| Logging and Monitoring-Monitoring using Activity Log Alerts | CIS v2.1.0 | Ensure that Activity Log Alert exists for Delete Security Solution |
| Logging and Monitoring-Monitoring using Activity Log Alerts | CIS v2.1.0 | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule |
| Logging and Monitoring-Monitoring using Activity Log Alerts | CIS v2.1.0 | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule |
| Logging and Monitoring-Monitoring using Activity Log Alerts | CIS v2.1.0 | Ensure that Activity Log Alert exists for Create or Update Public IP Address rule |
| Logging and Monitoring-Monitoring using Activity Log Alerts | CIS v2.1.0 | Ensure that Activity Log Alert exists for Delete Public IP Address rule |
| Logging and Monitoring-Configuring Application Insights | CIS v2.1.0 | Ensure Application Insights are Configured |
| Logging and Monitoring-Configuring Application Insights | CIS v2.1.0 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it |
| Logging and Monitoring-Configuring Application Insights | CIS v2.1.0 | Ensure that SKU Basic_Consumption is not used on artifacts that need to be monitored -Particularly for Production Workloads- |
| Networking | CIS v2.1.0 | Ensure that RDP access from the Internet is evaluated and restricted |
| Networking | CIS v2.1.0 | Ensure that SSH access from the Internet is evaluated and restricted |
| Networking | CIS v2.1.0 | Ensure that UDP access from the Internet is evaluated and restricted |
| Networking | CIS v2.1.0 | Ensure that HTTP-S- access from the Internet is evaluated and restricted |
| Networking | CIS v2.1.0 | Ensure that Network Security Group Flow Log retention period is greater than 90 days |
| Networking | CIS v2.1.0 | Ensure that Network Watcher is Enabled |
| Networking | CIS v2.1.0 | Ensure that Public IP addresses are Evaluated on a Periodic Basis |
| Virtual Machines | CIS v2.1.0 | Ensure an Azure Bastion Host Exists |
| Virtual Machines | CIS v2.1.0 | Ensure Virtual Machines are utilizing Managed Disks |
| Virtual Machines | CIS v2.1.0 | Ensure that OS and Data disks are encrypted with Customer Managed Key -CMK- |
| Virtual Machines | CIS v2.1.0 | Ensure that Unattached disks are encrypted with Customer Managed Key -CMK- |
| Virtual Machines | CIS v2.1.0 | Ensure that Only Approved Extensions Are Installed |
| Virtual Machines | CIS v2.1.0 | Ensure that Endpoint Protection for all Virtual Machines is installed |
| Virtual Machines | CIS v2.1.0 | [Legacy] Ensure that VHDs are Encrypted |
| Virtual Machines | CIS v2.1.0 | Ensure only MFA enabled identities can access privileged Virtual Machine |
| Virtual Machines | CIS v2.1.0 | Ensure Trusted Launch is enabled on Virtual Machines |
| Key Vault | CIS v2.1.0 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults |
| Key Vault | CIS v2.1.0 | Ensure that the Expiration Date is set for all Keys in NonRBAC Key Vaults |
| Key Vault | CIS v2.1.0 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults |
| Key Vault | CIS v2.1.0 | Ensure that the Expiration Date is set for all Secrets in NonRBAC Key Vaults |
| Key Vault | CIS v2.1.0 | Ensure the Key Vault is Recoverable |
| Key Vault | CIS v2.1.0 | Enable Role Based Access Control for Azure Key Vault |
| Key Vault | CIS v2.1.0 | Ensure that Private Endpoints are Used for Azure Key Vault |
| Key Vault | CIS v2.1.0 | Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services |
| AppService | CIS v2.1.0 | Ensure App Service Authentication is set up for apps in Azure App Service |
| AppService | CIS v2.1.0 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service |
| AppService | CIS v2.1.0 | Ensure Web App is using the latest version of TLS encryption |
| AppService | CIS v2.1.0 | Ensure that Register with Entra ID is enabled on App Service |
| AppService | CIS v2.1.0 | Ensure That PHP version is the Latest If Used to Run the Web App |
| AppService | CIS v2.1.0 | Ensure that Python version is the Latest Stable Version if Used to Run the Web App |
| AppService | CIS v2.1.0 | Ensure that Java version is the latest if used to run the Web App |
| AppService | CIS v2.1.0 | Ensure that HTTP Version is the Latest if Used to Run the Web App |
| AppService | CIS v2.1.0 | Ensure FTP deployments are Disabled |
| AppService | CIS v2.1.0 | Ensure Azure Key Vaults are Used to Store Secrets |
| Miscellaneous | CIS v2.1.0 | Ensure that Resource Locks are set for Mission-Critical Azure Resources |
Below tests, as recommended by Microsoft Azure globally, are not included in the Azure CIS Version 2.1.0 tests list. We recommend executing below tests as part of Microsoft Azure security & Compliance Assessment.
| Azure-Infra | SP v1.0 | Ensure On-Prem AD Users are not Privileged Users in Azure Entra ID |
| Azure-Infra | SP v1.0 | Ensure Azure Administrative Units are used |
| Azure-Infra | SP v1.0 | Ensure Azure Guests cannot invite other Guests |
| Azure-Infra | SP v1.0 | Ensure privileged accounts have MFA Configured |
| Azure-Infra | SP v1.0 | Ensure non-Admins cannot register custom applications |
| Azure-Infra | SP v1.0 | Ensure no Guest Accounts in Azure Privileged groups |
| Azure-Infra | SP v1.0 | Ensure Security Defaults is enabled |
| Azure-Infra | SP v1.0 | Ensure Normal Azure Users do not have Permissions to provide unrestricted user Consent |
| Azure-Infra | SP v1.0 | Ensure Conditional Access Policy with signin user-risk location as Factor |
| Azure-Infra | SP v1.0 | Ensure no Guest accounts that are inactive for more than 45 days |
| Azure-Infra | SP v1.0 | Conditional Access policy with Continuous Access Evaluation disabled |
| Azure-Infra | SP v1.0 | AAD Connect sync account password reset |
| Azure-Infra | SP v1.0 | Ensure Guest users are restricted |
| Azure-Infra | SP v1.0 | Ensure user are configured with MFA |
| Azure-Infra | SP v1.0 | Conditional Access Policy that disables admin token persistence |
| Azure-Infra | SP v1.0 | Conditional Access Policy that does not require a password change from high risk users |
| Azure-Infra | SP v1.0 | Conditional Access Policy that does not require MFA when sign-in risk has been identified |
| Azure-Infra | SP v1.0 | Ensure Guest invites not accepted in last 30 days are identified |
| Azure-Infra | SP v1.0 | Ensure Synced AAD Users not privileged Users in Azure |
| Azure-Infra | SP v1.0 | Ensure No Private IP Addresses in Conditional Access policies |
| Azure-Infra | SP v1.0 | Ensure Number Matching enabled in MFA |
| Azure-Infra | SP v1.0 | Ensure AD privileged users are not synced to AAD |
| Azure-Infra | SP v1.0 | Ensure no more than 5 Global Administrators |
| Azure-Infra | SP v1.0 | Ensure SSO computer account with latest password |
| Azure-Infra | SP v1.0 | Ensure RBCD is not applied to AZUREADSSOACC account |
| Azure Entra ID | SP v1.0 | Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra |
| Azure Entra ID | SP v1.0 | Ensure Phishing-resistant MFA strength is required for Administrators |
| Azure Entra ID | SP v1.0 | Ensure custom banned passwords lists are used |
| Azure Entra ID | SP v1.0 | Ensure Restrict non-admin users from creating tenants is set to Yes |
| Azure Entra ID | SP v1.0 | Ensure a dynamic group for guest users is created |
| Azure Entra ID | SP v1.0 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue |
| Azure Entra ID | SP v1.0 | Ensure that password hash sync is enabled for hybrid deployments |
| Azure Entra ID | SP v1.0 | Ensure Privileged Identity Management is used to manage roles |
| Azure Entra ID | SP v1.0 | Ensure Security Defaults is disabled on Azure Active Directory |
| Azure Entra ID | SP v1.0 | Enable Azure AD Identity Protection user risk policies |
| Azure Entra ID | SP v1.0 | Ensure the admin consent workflow is enabled |
| Azure Entra ID | SP v1.0 | Ensure Microsoft Azure Management is limited to administrative roles |
| Azure Entra ID | SP v1.0 | Ensure LinkedIn account connections is disabled |
| Azure Entra ID | SP v1.0 | Ensure password protection is enabled for on-prem Active Directory |
| Azure Entra ID | SP v1.0 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users |
| Azure Entra ID | SP v1.0 | Ensure third party integrated applications are not allowed |
| Azure Entra ID | SP v1.0 | Ensure user consent to apps accessing company data on their behalf is not allowed |
| Azure Entra ID | SP v1.0 | Enable Conditional Access policies to block legacy authentication |
| Azure Entra ID | SP v1.0 | Ensure Self service password reset enabled is set to All |
| Azure Entra ID | SP v1.0 | Enable Azure AD Identity Protection sign-in risk policies |
| Azure Entra ID | SP v1.0 | Ensure multifactor authentication is enabled for all users in administrative roles |
| Azure Entra ID | SP v1.0 | Ensure multifactor authentication is enabled for all users |
| Database Services-SQL Server – MySQL Database | SP v1.0 | Ensure to Enable In-Transit Encryption for MySQL Servers |
| Virtual Machines | SP v1.0 | Approved Azure Machine Image in Use |
| Virtual Machines | SP v1.0 | Azure Disk Encryption for Boot Disk Volumes |
| Virtual Machines | SP v1.0 | Azure Disk Encryption for Non-Boot Disk Volumes |
| Virtual Machines | SP v1.0 | Ensure Associated Load Balancers are configured |
| Virtual Machines | SP v1.0 | Ensure Desired VM SKU Size are configured |
| Virtual Machines | SP v1.0 | Ensure Virtual Machine Scale Sets are not empty |
| Virtual Machines | SP v1.0 | Ensure Virtual Machines are configured with SSH Authentication Type |
| Virtual Machines | SP v1.0 | Ensure Sufficient Daily Backup Retention Period is configured for Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure Sufficient Instant Restore Retention Period is configured for Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure No Unused Load Balancers are identified to reduce cost |
| Virtual Machines | SP v1.0 | Ensure No Zone-Redundant Virtual Machine Scale Sets are present |
| Virtual Machines | SP v1.0 | Ensure Premium SSD are disabled to reduce cost |
| Virtual Machines | SP v1.0 | Ensure Accelerated Networking for Virtual Machines is enabled |
| Virtual Machines | SP v1.0 | Ensure Auto-Shutdown of Virtual Machine is enabled to reduce cost |
| Virtual Machines | SP v1.0 | Ensure Automatic Instance Repairs is enabled for Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure Automatic OS Upgrades is enabled for Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure Autoscale Notifications are configured for Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure Backups for Azure Virtual Machines are configured |
| Virtual Machines | SP v1.0 | Ensure Encryption for App-Tier Disk Volumes are configured |
| Virtual Machines | SP v1.0 | Ensure Encryption for Web-Tier Disk Volumes are configured |
| Virtual Machines | SP v1.0 | Ensure Guest-Level Diagnostics for Virtual Machines is enabled |
| Virtual Machines | SP v1.0 | Ensure Instance Termination Notifications for Virtual Machine Scale Sets is configured |
| Virtual Machines | SP v1.0 | Ensure Just-In-Time Access for Virtual Machines is enabled |
| Virtual Machines | SP v1.0 | Ensure Performance Diagnostics for Azure Virtual Machines is enabled |
| Virtual Machines | SP v1.0 | Ensure System-Assigned Managed Identities are enabled |
| Virtual Machines | SP v1.0 | Ensure Virtual Machine Boot Diagnostics is enabled |
| Virtual Machines | SP v1.0 | Ensure Health Monitoring is configured for Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure Old Virtual Machine Disk Snapshots are removed |
| Virtual Machines | SP v1.0 | Ensure Unattached Virtual Machine Disk Volumes are removed from Virtual Machines |
| Virtual Machines | SP v1.0 | Ensure BYOK for Disk Volumes Encryption is used |
| Virtual Machines | SP v1.0 | Enable Virtual Machine Access using Microsoft Entra ID Authentication |
| Azure Subscription | SP v1.0 | Ensure Basic and Consumption SKU Should are not Used in Production |
| Azure Subscription | SP v1.0 | Ensure Azure Cloud Budget Alerts are configured |
| Azure Subscription | SP v1.0 | Ensure more than one Subscription Owners are assigned |
| Azure Subscription | SP v1.0 | Ensure Not Allowed Resource Types Policy Assignment is in Use |
| Azure Subscription | SP v1.0 | Ensure Tags are configured on the Resources |
| Azure Subscription | SP v1.0 | Ensure to remove Custom Owner Roles from Subscriptions |
| Azure Subscription | SP v1.0 | Ensure Resource Locking Administrator Role is configured |
| Azure Subscription | SP v1.0 | Ensure no Subscription Administrator Custom Role are not configured |
Instead of manually gathering data, which could take a significant amount of time, SmartProfiler for Azure CIS Assessment has automated all the tests to ensure that the assessment is completed in a matter of hours.
If you’re really looking for an Active Directory security assessment tool, download SmartProfiler and perform an assessment. This will assist you in identifying security, health, and configuration problems.
The health and misconfiguration assessment feature of SmartProfiler can be very useful in demonstrating that your environment does not use Microsoft’s suggested settings.
The best feature of SmartProfiler is that it can perform the assessment without a Global Admin account and without needing the registration of an Azure AD application. Because it only required a Global Reader Account, we were able to use the tool effectively for our clients and clients could allow us to conduct the assessment!
SmartProfiler's advanced assessment parameters really gives you insights about your Active Directory environment and make sure every risk is mitigated.
AD Smart Queries ship as part of the Active Directory Assessment License. The AD Smart
Read MoreBefore you can start performing Active Directory security assessment you are required to perform an
Read MoreMicrosoft Azure Virtual Desktop has been deployed in production by businesses. However, many AVD environments
Read More