Security controls for Azure Resource Manager

This article documents the security controls built into Azure Resource Manager.

A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, "N/A" for a control that is not applicable to the service. We might also provide a note or links to more information about an attribute.

Data protection

Security control Yes/No Notes
Server-side encryption at rest: Microsoft-managed keys Yes
Encryption in transit (such as ExpressRoute encryption, in VNet encryption, and VNet-VNet encryption) Yes HTTPS/TLS.
Server-side encryption at rest: customer-managed keys (BYOK) N/A Azure Resource Manager stores no customer content, only control data.
Column level encryption (Azure Data Services) Yes
API calls encrypted Yes

Network

Security control Yes/No Notes
Service endpoint support No
VNet injection support Yes
Network isolation and firewalling support No
Forced tunneling support No

Monitoring & logging

Security control Yes/No Notes
Azure monitoring support (Log analytics, App insights, etc.) No
Control and management plane logging and audit Yes Activity logs expose all write operations (PUT, POST, DELETE) performed on your resources; see View activity logs to audit actions on resources.
Data plane logging and audit N/A

Identity

Security control Yes/No Notes
Authentication Yes Azure Active Directory based.
Authorization Yes

Configuration management

Security control Yes/No Notes
Configuration management support (versioning of configuration, etc.) Yes

Next steps