CIS Microsoft Azure Foundations v3.0.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: CIS Microsoft Azure Foundations v3.0.0 L1

Updated: 6/24/2025

Authority: CIS

Plugin: microsoft_azure

Revision: 1.1

Estimated Item Count: 91

File Details

Filename: CIS_Microsoft_Azure_Foundations_v3.0.0_L1.audit

Size: 227 kB

MD5: 891b44e35160da0642b0998844c62851
SHA256: 75f4060022d0be5e3bf776def751cdf2853ae6ccdeb6b17bbc701b293d1d9982

Audit Items

Description | Categories
2.1.1 Ensure Security Defaults is enabled on Microsoft Entra ID
2.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
2.1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
2.3 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
2.4 Ensure Guest Users Are Reviewed on a Regular Basis
2.5 Ensure That 'Number of methods required to reset' is set to '2'
2.6 Ensure that account 'Lockout Threshold' is less than or equal to '10'
2.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
2.8 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
2.9 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
2.10 Ensure that 'Notify users on password resets?' is set to 'Yes'
2.11 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
2.12 Ensure 'User consent for applications' is set to 'Do not allow user consent'
2.14 Ensure That 'Users Can Register Applications' Is Set to 'No'
2.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
2.17 Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
2.22 Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
2.23 Ensure That No Custom Subscription Administrator Roles Exist
2.26 Ensure fewer than 5 users have global administrator assignment
3.1.1.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
3.1.10 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
3.1.11 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
3.1.12 Ensure That 'All users with the following roles' is set to 'Owner'
3.1.13 Ensure 'Additional email addresses' is Configured with a Security Contact Email
3.1.14 Ensure That 'Notify about alerts with the following severity' is Set to 'High'
3.3.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
3.3.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
3.3.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
3.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
3.3.5 Ensure the Key Vault is Recoverable
4.1 Ensure that 'Secure transfer required' is set to 'Enabled'
4.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
4.4 Ensure that Storage Account Access Keys are Periodically Regenerated
4.5 Ensure that Shared Access Signature Tokens Expire Within an Hour
4.6 Ensure that 'Public Network Access' is 'Disabled' for storage accounts
4.7 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
4.16 Ensure 'Cross Tenant Replication' is not enabled
4.17 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
5.1.1 Ensure that 'Auditing' is set to 'On'
5.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
5.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers
5.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
5.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
5.1.7 Ensure Public Network Access is Disabled
5.2.1 Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
5.2.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
5.2.3 Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
5.2.4 Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
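The items above are pass/fail checks against resource properties, which is exactly what the .audit file encodes in Tenable's own check language. The block below is an added example, written for this page and not taken from the .audit file or from CIS, that shows how a practitioner would evaluate a subset of those items offline in Python: storage account items 4.1, 4.6, 4.7, 4.15, 4.16 and 4.17, Key Vault expiry items 3.3.1 through 3.3.4, and SQL firewall item 5.1.2. It assumes the input dicts have the camelCase shape that `az storage account show`, `az keyvault key list` / `az keyvault secret list` and `az sql server firewall-rule list` emit with `-o json`; every `SAMPLE_*` value is constructed for the example, and the "expired object" finding in `check_keyvault_objects` goes beyond what the benchmark items require.

```python
"""Offline evaluator for a subset of the CIS Azure Foundations v3.0.0 L1 items.

Added example: not Tenable's .audit logic and not CIS reference code.
Assumption: inputs have the camelCase shape of `az ... -o json` output.
All SAMPLE_* data below is constructed for this example.
"""
from datetime import datetime, timezone


def _tls_tuple(value):
    """'TLS1_2' -> (1, 2); absent or unparseable -> (0, 0) so it fails the >= 1.2 test."""
    try:
        major, minor = value.removeprefix("TLS").split("_")
        return int(major), int(minor)
    except (AttributeError, ValueError):
        return (0, 0)


def check_storage_account(acct):
    """Return a list of (item, message) findings; an empty list means compliant."""
    findings = []
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append(("4.1", "Secure transfer required is not Enabled"))
    if acct.get("publicNetworkAccess") != "Disabled":
        findings.append(("4.6", "Public Network Access is not Disabled"))
    if (acct.get("networkRuleSet") or {}).get("defaultAction") != "Deny":
        findings.append(("4.7", "default network access rule is not Deny"))
    if _tls_tuple(acct.get("minimumTlsVersion")) < (1, 2):
        findings.append(("4.15", "minimum TLS version is below 1.2"))
    # An absent property is treated as the insecure setting (fail closed).
    if acct.get("allowCrossTenantReplication", True):
        findings.append(("4.16", "Cross Tenant Replication is enabled"))
    if acct.get("allowBlobPublicAccess", True):
        findings.append(("4.17", "Allow Blob Anonymous Access is not Disabled"))
    return findings


def check_keyvault_objects(objects, kind, now):
    """kind is 'key' or 'secret'. Flags objects with no expiry (the CIS item) and,
    as an extra the benchmark does not require, objects whose expiry has passed."""
    item = {"key": "3.3.1/3.3.2", "secret": "3.3.3/3.3.4"}[kind]
    findings = []
    for obj in objects:
        expires = (obj.get("attributes") or {}).get("expires")
        if expires is None:
            findings.append((item, f"{kind} {obj['name']} has no expiration date"))
        elif datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
            findings.append((item, f"{kind} {obj['name']} expired at {expires}"))
    return findings


def check_sql_firewall(rules):
    """Item 5.1.2: a 0.0.0.0-255.255.255.255 rule admits every IPv4 address.
    The 0.0.0.0-0.0.0.0 'Allow Azure services' rule is a separate setting and is not flagged here."""
    return [("5.1.2", f"rule {r['name']} allows ingress from any IP")
            for r in rules
            if r.get("startIpAddress") == "0.0.0.0"
            and r.get("endIpAddress") == "255.255.255.255"]


# --- constructed sample inventory (hypothetical resource names) -------------
NOW = datetime(2025, 6, 24, tzinfo=timezone.utc)

SAMPLE_STORAGE = {
    "stweak": {"enableHttpsTrafficOnly": False, "publicNetworkAccess": "Enabled",
               "networkRuleSet": {"defaultAction": "Allow"}, "minimumTlsVersion": "TLS1_0",
               "allowCrossTenantReplication": True, "allowBlobPublicAccess": True},
    "sthardened": {"enableHttpsTrafficOnly": True, "publicNetworkAccess": "Disabled",
                   "networkRuleSet": {"defaultAction": "Deny"}, "minimumTlsVersion": "TLS1_2",
                   "allowCrossTenantReplication": False, "allowBlobPublicAccess": False},
}
SAMPLE_KEYS = [
    {"name": "signing-key", "attributes": {"enabled": True, "expires": None}},
    {"name": "wrap-key", "attributes": {"enabled": True, "expires": "2026-01-01T00:00:00+00:00"}},
]
SAMPLE_SECRETS = [
    {"name": "db-password", "attributes": {"enabled": True, "expires": "2024-12-31T00:00:00+00:00"}},
]
SAMPLE_SQL_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "temp-open", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
]


def audit(storage, keys, secrets, sql_rules, now=NOW):
    """Map resource name -> findings, omitting resources with no findings."""
    report = {name: check_storage_account(a) for name, a in storage.items()}
    report["keyvault"] = (check_keyvault_objects(keys, "key", now)
                          + check_keyvault_objects(secrets, "secret", now))
    report["sqlserver"] = check_sql_firewall(sql_rules)
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for resource, findings in audit(SAMPLE_STORAGE, SAMPLE_KEYS, SAMPLE_SECRETS, SAMPLE_SQL_RULES).items():
        for item, msg in findings:
            print(f"{resource}: [{item}] {msg}")
```

To run it against a real subscription, replace the `SAMPLE_*` values with the parsed output of the corresponding `az` commands; the evaluators deliberately treat a missing property as a failure so that a truncated or older API response cannot silently pass.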