Tutorial: Improve your regulatory compliance
Microsoft Defender for Cloud helps streamline the process for meeting regulatory compliance requirements, using the regulatory compliance dashboard. Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in the standards that you've applied to your subscriptions. The dashboard reflects the status of your compliance with these standards.
When you enable Defender for Cloud on an Azure subscription, the Azure Security Benchmark is automatically assigned to that subscription. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security.
The regulatory compliance dashboard shows the status of all the assessments within your environment for your chosen standards and regulations. As you act on the recommendations and reduce risk factors in your environment, your compliance posture improves.
In this tutorial you'll learn how to:
- Evaluate your regulatory compliance using the regulatory compliance dashboard
- Improve your compliance posture by taking action on recommendations
- Download PDF/CSV reports as well as certification reports of your compliance status
- Setup alerts on changes to your compliance status
- Export your compliance data as a continuous stream and as weekly snapshots
If you don’t have an Azure subscription, create a free account before you begin.
To step through the features covered in this tutorial:
- Enable enhanced security features. You can enable these for free for 30 days.
- You must be signed in with an account that has reader access to the policy compliance data. The Global reader for the subscription has access to the policy compliance data, but the Security Reader role does not. At a minimum, you'll need to have Resource Policy Contributor and Security Admin roles assigned.
Assess your regulatory compliance
The regulatory compliance dashboard shows your selected compliance standards with all their requirements, where supported requirements are mapped to applicable security assessments. The status of these assessments reflects your compliance with the standard.
Use the regulatory compliance dashboard to help focus your attention on the gaps in compliance with your chosen standards and regulations. This focused view also enables you to continuously monitor your compliance over time within dynamic cloud and hybrid environments.
From Defender for Cloud's menu, select Regulatory compliance.
At the top of the screen, is a dashboard with an overview of your compliance status and the set of supported compliance regulations. You'll see your overall compliance score, and the number of passing vs. failing assessments associated with each standard.
Select a tab for a compliance standard that is relevant to you (1). You'll see which subscriptions the standard is applied on (2), and the list of all controls for that standard (3). For the applicable controls, you can view the details of passing and failing assessments associated with that control (4), and the number of affected resources (5). Some controls are grayed out. These controls don't have any Defender for Cloud assessments associated with them. Check their requirements and assess them in your environment. Some of these might be process-related and not technical.
Improve your compliance posture
Using the information in the regulatory compliance dashboard, improve your compliance posture by resolving recommendations directly within the dashboard.
Select any of the failing assessments that appear in the dashboard to view the details for that recommendation. Each recommendation includes a set of remediation steps to resolve the issue.
Select a particular resource to view more details and resolve the recommendation for that resource.
For example, in the Azure CIS 1.1.0 standard, select the recommendation Disk encryption should be applied on virtual machines.
In this example, when you select Take action from the recommendation details page, you arrive in the Azure Virtual Machine pages of the Azure portal, where you can enable encryption from the Security tab:
For more information about how to apply recommendations, see Implementing security recommendations in Microsoft Defender for Cloud.
After you take action to resolve recommendations, you'll see the result in the compliance dashboard report because your compliance score improves.
Assessments run approximately every 12 hours, so you will see the impact on your compliance data only after the next run of the relevant assessment.
Generate compliance status reports and certificates
To generate a PDF report with a summary of your current compliance status for a particular standard, select Download report.
The report provides a high-level summary of your compliance status for the selected standard based on Defender for Cloud assessments data. The report's organized according to the controls of that particular standard. The report can be shared with relevant stakeholders, and might provide evidence to internal and external auditors.
To download Azure and Dynamics certification reports for the standards applied to your subscriptions, use the Audit reports option.
Select the tab for the relevant reports types (PCI, SOC, ISO, and others) and use filters to find the specific reports you need:
For example, from the PCI tab you can download a ZIP file containing a digitally signed certificate demonstrating Microsoft Azure, Dynamics 365, and Other Online Services' compliance with ISO22301 framework, together with the necessary collateral to interpret and present the certificate.
When you download one of these certification reports, you'll be shown the following privacy notice:
By downloading this file, you are giving consent to Microsoft to store the current user and the selected subscriptions at the time of download. This data is used in order to notify you in case of changes or updates to the downloaded audit report. This data is used by Microsoft and the audit firms that produce the certification/reports only when notification is required.
Configure frequent exports of your compliance status data
If you want to track your compliance status with other monitoring tools in your environment, Defender for Cloud includes an export mechanism to make this straightforward. Configure continuous export to send select data to an Azure Event Hub or a Log Analytics workspace. Learn more in continuously export Defender for Cloud data.
Use continuous export data to an Azure Event Hub or a Log Analytics workspace:
Export all regulatory compliance data in a continuous stream:
Export weekly snapshots of your regulatory compliance data:
You can also manually export reports about a single point in time directly from the regulatory compliance dashboard. Generate these PDF/CSV reports or Azure and Dynamics certification reports using the Download report or Audit reports toolbar options. See Assess your regulatory compliance
Run workflow automations when there are changes to your compliance
Defender for Cloud's workflow automation feature can trigger Logic Apps whenever one of your regulatory compliance assessments change state.
For example, you might want Defender for Cloud to email a specific user when a compliance assessment fails. You'll need to create the logic app first (using Azure Logic Apps) and then set up the trigger in a new workflow automation as explained in Automate responses to Defender for Cloud triggers.
FAQ - Regulatory compliance dashboard
- Tutorial: Improve your regulatory compliance
- Assess your regulatory compliance
- Improve your compliance posture
- Generate compliance status reports and certificates
- Configure frequent exports of your compliance status data
- Run workflow automations when there are changes to your compliance
- FAQ - Regulatory compliance dashboard
- What standards are supported in the compliance dashboard?
- Why do some controls appear grayed out?
- How can I remove a built-in standard, like PCI-DSS, ISO 27001, or SOC2 TSP from the dashboard?
- I made the suggested changes based on the recommendation, but it isn't being reflected in the dashboard?
- What permissions do I need to access the compliance dashboard?
- The regulatory compliance dashboard isn't loading for me
- How can I view a report of passing and failing controls per standard in my dashboard?
- How can I download a report with compliance data in a format other than PDF?
- How can I create exceptions for some of the policies in the regulatory compliance dashboard?
- What Microsoft Defender plans or licenses do I need to use the regulatory compliance dashboard?
- How do I know which benchmark or standard to use?
- Next steps
What standards are supported in the compliance dashboard?
By default, the regulatory compliance dashboard shows you the Azure Security Benchmark. The Azure Security Benchmark is the Microsoft-authored, Azure-specific guidelines for security, and compliance best practices based on common compliance frameworks. Learn more in the Azure Security Benchmark introduction.
To track your compliance with any other standard, you'll need to explicitly add them to your dashboard.
You can add other standards such as Azure CIS 1.3.0, NIST SP 800-53, NIST SP 800-171, SWIFT CSP CSCF-v2020, UK Official and UK NHS, HIPAA, Canada Federal PBMM, ISO 27001, SOC2-TSP, and PCI-DSS 3.2.1.
More standards will be added to the dashboard and included in the information on Customize the set of standards in your regulatory compliance dashboard.
Why do some controls appear grayed out?
For each compliance standard in the dashboard, there's a list of the standard's controls. For the applicable controls, you can view the details of passing and failing assessments.
Some controls are grayed out. These controls don't have any Defender for Cloud assessments associated with them. Some may be procedure or process-related, and so can't be verified by Defender for Cloud. Some don't have any automated policies or assessments implemented yet, but will have in the future. And some controls may be the platform's responsibility as explained in Shared responsibility in the cloud.
How can I remove a built-in standard, like PCI-DSS, ISO 27001, or SOC2 TSP from the dashboard?
To customize the regulatory compliance dashboard, and focus only on the standards that are applicable to you, you can remove any of the displayed regulatory standards that aren't relevant to your organization. To remove a standard, follow the instructions in Remove a standard from your dashboard.
After you take action to resolve recommendations, wait 12 hours to see the changes to your compliance data. Assessments are run approximately every 12 hours, so you'll see the effect on your compliance data only after the assessments run.
What permissions do I need to access the compliance dashboard?
To view compliance data, you need to have at least Reader access to the policy compliance data as well; so Security Reader alone won’t suffice. If you're a global reader on the subscription, that will be enough too.
The minimum set of roles for accessing the dashboard and managing standards is Resource Policy Contributor and Security Admin.
The regulatory compliance dashboard isn't loading for me
To use the regulatory compliance dashboard, Defender for Cloud must be enabled at the subscription level. If the dashboard isn't loading correctly, try the following steps:
- Clear your browser's cache.
- Try a different browser.
- Try opening the dashboard from different network location.
How can I view a report of passing and failing controls per standard in my dashboard?
On the main dashboard, you can see a report of passing and failing controls for (1) the 'top 4' lowest compliance standards in the dashboard. To see all the passing/failing controls status, select (2) Show all x (where x is the number of standards you're tracking). A context plane displays the compliance status for every one of your tracked standards.
How can I download a report with compliance data in a format other than PDF?
When you select Download report, select the standard and the format (PDF or CSV). The resulting report will reflect the current set of subscriptions you've selected in the portal's filter.
- The PDF report shows a summary status for the standard you selected
- The CSV report provides detailed results per resource, as it relates to policies associated with each control
Currently, there's no support for downloading a report for a custom policy; only for the supplied regulatory standards.
How can I create exceptions for some of the policies in the regulatory compliance dashboard?
For policies that are built into Defender for Cloud and included in the secure score, you can create exemptions for one or more resources directly in the portal as explained in Exempting resources and recommendations from your secure score.
For other policies, you can create an exemption directly in the policy itself, by following the instructions in Azure Policy exemption structure.
What Microsoft Defender plans or licenses do I need to use the regulatory compliance dashboard?
If you've got any of the Microsoft Defender plan enabled on any of your Azure resources, you can access Defender for Cloud's regulatory compliance dashboard and all of its data.
How do I know which benchmark or standard to use?
Azure Security Benchmark (ASB) is the canonical set of security recommendations and best practices defined by Microsoft, aligned with common compliance control frameworks including CIS Microsoft Azure Foundations Benchmark and NIST SP 800-53. ASB is a comprehensive benchmark, and is designed to recommend the most up-to-date security capabilities of a wide range of Azure services. We recommend ASB to customers who want to maximize their security posture and align their compliance status with industry standards.
The CIS Benchmark is authored by an independent entity – Center for Internet Security (CIS) – and contains recommendations on a subset of core Azure services. We work with CIS to try to ensure that their recommendations are up to date with the latest enhancements in Azure, but they do sometimes fall behind and become outdated. Nonetheless, some customers like to use this objective, third-party assessment from CIS as their initial and primary security baseline.
Since we’ve released the Azure Security Benchmark, many customers have chosen to migrate to it as a replacement for CIS benchmarks.
In this tutorial, you learned about using Defender for Cloud’s regulatory compliance dashboard to:
- View and monitor your compliance posture regarding the standards and regulations that are important to you.
- Improve your compliance status by resolving relevant recommendations and watching the compliance score improve.
The regulatory compliance dashboard can greatly simplify the compliance process, and significantly cut the time required for gathering compliance evidence for your Azure, hybrid, and multicloud environment.
To learn more, see these related pages:
- Customize the set of standards in your regulatory compliance dashboard - Learn how to select which standards appear in your regulatory compliance dashboard.
- Managing security recommendations in Defender for Cloud - Learn how to use recommendations in Defender for Cloud to help protect your Azure resources.
Submit and view feedback for