Detections
Analytics

CIS Microsoft Azure Foundations v3.0.0 L2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Microsoft Azure Foundations v3.0.0 L2

Updated: 6/24/2025

Authority: CIS

Plugin: microsoft_azure

Revision: 1.1

Estimated Item Count: 68

Audit Items

DescriptionCategories
2.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
2.2.1 Ensure Trusted Locations Are Defined
2.2.2 Ensure that an exclusionary Geographic Access Policy is considered
2.2.3 Ensure that an exclusionary Device code flow policy is considered
2.2.4 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
2.2.5 Ensure that A Multi-factor Authentication Policy Exists for All Users
2.2.6 Ensure Multi-factor Authentication is Required for Risky Sign-ins
2.2.7 Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
2.2.8 Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
2.13 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
2.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
2.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
2.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
2.20 Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
2.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
2.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
2.25 Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
3.1.1.2 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
3.1.3.1 Ensure That Microsoft Defender for Servers Is Set to 'On'
3.1.3.2 Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
3.1.3.3 Ensure that 'Endpoint protection' component status is set to 'On'
3.1.3.4 Ensure that 'Agentless scanning for machines' component status is set to 'On'
3.1.3.5 Ensure that 'File Integrity Monitoring' component status is set to 'On'
3.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On'
3.1.4.2 Ensure that 'Agentless discovery for Kubernetes' component status 'On'
3.1.4.3 Ensure that 'Agentless container vulnerability assessment' component status is 'On'
3.1.5.1 Ensure That Microsoft Defender for Storage Is Set To 'On'
3.1.6.1 Ensure That Microsoft Defender for App Services Is Set To 'On'
3.1.7.1 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
3.1.7.2 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
3.1.7.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
3.1.7.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
3.1.8.1 Ensure That Microsoft Defender for Key Vault Is Set To 'On'
3.1.9.1 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
3.1.15 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
3.1.16 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
3.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
3.3.6 Enable Role Based Access Control for Azure Key Vault
3.3.7 Ensure that Private Endpoints are Used for Azure Key Vault
3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
4.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
4.8 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
4.9 Ensure Private Endpoints are used to access Storage Accounts
4.11 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
4.12 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
4.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
4.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
5.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
5.3.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
5.3.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server