Security baselines for Azure

Security baselines for Azure help you strengthen security through improved tooling, tracking, and security features. They also provide you a consistent experience when securing your environment.

Security baselines for Azure focus on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS). Our baselines provide guidance for the control areas listed in the Azure Security Benchmark.

Each recommendation includes the following information:

  • Azure ID: The Azure Security Benchmark ID that corresponds to the recommendation.
  • Recommendation: Following directly after the Azure ID, the recommendation provides a high-level description of the control.
  • Guidance: The rationale for the recommendation and links to guidance on how to implement it. If the recommendation is supported by Microsoft Defender for Cloud, that information will also be listed.
  • Responsibility: Who is responsible for implementing the control. Possible scenarios are customer responsibility, Microsoft responsibility, or shared responsibility.
  • Microsoft Defender for Cloud monitoring: Whether the control is monitored by Microsoft Defender for Cloud, with link to reference.

All recommendations, including recommendations that are not applicable to this specific service, are included in the baseline to provide you a complete picture of how the Azure Security Benchmark relates to each service. There may occasionally be controls that are not applicable for various reasons—for example, IaaS/compute-centric controls (such as controls specific to OS configuration management) may not be applicable to PaaS services.

We welcome your feedback on the security baselines for Azure services. We encourage you to provide comments in the feedback area below. Or, if you prefer to share your input more privately with the Azure Security Benchmark team, you are welcome to fill out the form at