Security baselines for Azure

Security baselines are standardized documents for Azure product offerings, describing the available security capabilities and the optimal security configurations to help you strengthen security through improved tooling, tracking, and security features.

Security baselines for Azure focus on cloud-centric control areas. These controls are consistent with well-known industry standards such as the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST). Our baselines provide guidance for the control areas listed in the Azure Security Benchmark version 3.0.

Each baseline consists of the following components:

  • How does a service behave?
  • Which security features are available?
  • What configurations are recommended to secure the service?

What's new in the version 3.0 baselines?

The v3 baselines will follow the latest Azure Security Benchmark v3 control requirements, which also map to newer industry frameworks such as NIST and PCI.

The new v3 baselines will be security-feature driven, which makes them more intuitive and easier to use than previous baseline versions.

Each Security Benchmark control includes the following information, except where noted:

  • Control ID: The Azure Security Benchmark ID that corresponds to the control.
  • Feature: Security feature(s) that can help you meet that control requirement.
  • Feature Description: A high-level description of the feature and how it fits into the product offering.
  • Supported: A true/false value indicating if this feature is supported to secure this product offering.
  • Enabled by Default: A true/false value indicating if this feature is enabled in a default deployment by Microsoft.
  • Configuration Responsibility: Who is responsible for implementing the configuration guidance (where possible scenarios are Customer responsibility, Microsoft responsibility, or Shared responsibility).
  • Configuration Guidance: Actionable guidance to implement the configurations.
  • Microsoft Defender for Cloud monitoring Note: Microsoft Defender for Cloud policy / monitoring information. (Note: If a feature is not monitored by Microsoft Defender for Cloud for the service, this section is omitted.)
  • Reference: A reference link to dive deeper into how to implement the configuration guidance.

Anatomy of a v3 feature listing

Feature Legend:

  Supported
    • True: This feature is supported to secure this product offering.
    • False: This feature is not supported to secure this product offering.
    • Not Applicable: This feature has no use cases in this product offering.

  Enabled by Default
    • True: This feature's security configuration is enabled or deployed by default. (Note: some default configurations can be changed or managed by customers.)
    • False: This feature's security configurations are not enabled or deployed by default. The customer is responsible for implementing configuration guidance.
    • Not Applicable: This feature is either not supported or not applicable to secure the product, so the feature's 'Enabled by Default' value is also marked as 'Not Applicable'.

To access a list of all Security Benchmark controls, including controls that are not applicable to this specific service, see the full security baseline mapping file. There may occasionally be controls that are not applicable for various reasons—for example, IaaS/compute-centric controls (such as controls specific to OS configuration management) may not be applicable to PaaS services.
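The component list and the feature legend above together define a small schema with consistency rules (for example, an unsupported or not-applicable feature must also carry 'Not Applicable' for Enabled by Default). The following Python is an added example, not Microsoft's code or any tooling that ships with the baselines: it models one feature listing as a record, flags entries that break the legend rules, and extracts the entries where the customer still has work to do (supported, off by default, customer or shared responsibility). The sample entries, their feature names and their control IDs are constructed for illustration in the benchmark's ID style and are not taken from any published baseline.

```python
"""Consistency checks over Azure security baseline feature entries.

Added example, not Microsoft's code. The record fields mirror the
component list in the baseline documentation; the sample entries are
constructed and do not come from a real baseline.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

NA = "Not Applicable"
TriState = Union[bool, str]          # True, False or NA
RESPONSIBILITIES = ("Customer", "Microsoft", "Shared")


@dataclass(frozen=True)
class FeatureEntry:
    control_id: str                  # Azure Security Benchmark control ID
    feature: str                     # security feature that helps meet the control
    supported: TriState              # True / False / Not Applicable
    enabled_by_default: TriState     # True / False / Not Applicable
    responsibility: Optional[str]    # Customer, Microsoft, Shared, or None when N/A


def legend_violations(entry: FeatureEntry) -> List[str]:
    """Return the legend rules an entry breaks; an empty list means consistent."""
    problems = []
    # Legend: unsupported or N/A feature => Enabled by Default is also N/A.
    if entry.supported in (False, NA) and entry.enabled_by_default != NA:
        problems.append("Enabled by Default must be 'Not Applicable' when the "
                        "feature is not supported or not applicable")
    # A supported feature must say whether it is on by default.
    if entry.supported is True and entry.enabled_by_default == NA:
        problems.append("a supported feature needs a True/False "
                        "'Enabled by Default' value")
    # A supported feature must name who configures it.
    if entry.supported is True and entry.responsibility not in RESPONSIBILITIES:
        problems.append("a supported feature needs a Configuration Responsibility")
    return problems


def inconsistent_entries(entries: List[FeatureEntry]) -> dict:
    """Map control ID -> list of violations for every entry that breaks the legend."""
    return {e.control_id: legend_violations(e)
            for e in entries if legend_violations(e)}


def customer_action_items(entries: List[FeatureEntry]) -> List[str]:
    """Control IDs where a supported feature is off by default and the customer
    (alone or shared) must act: the practical to-do list a baseline yields."""
    return [e.control_id for e in entries
            if e.supported is True
            and e.enabled_by_default is False
            and e.responsibility in ("Customer", "Shared")]


# Constructed sample listing (IDs and features are illustrative only).
SAMPLE = [
    FeatureEntry("NS-2", "Private endpoints", True, False, "Customer"),
    FeatureEntry("DP-3", "Encryption in transit", True, True, "Microsoft"),
    FeatureEntry("NS-1", "Virtual network injection", NA, NA, None),
    # Inconsistent: supported but Enabled by Default left as N/A.
    FeatureEntry("IM-1", "Managed identity sign-in", True, NA, "Customer"),
    # Inconsistent: unsupported feature still carries a False default.
    FeatureEntry("DP-5", "Customer-managed keys", False, False, "Customer"),
]

if __name__ == "__main__":
    for cid, probs in inconsistent_entries(SAMPLE).items():
        print(f"{cid}: {'; '.join(probs)}")
    print("customer action items:", customer_action_items(SAMPLE))
```

Running the script against a real baseline means loading the mapping file into `FeatureEntry` records first; the checks themselves only depend on the three legend fields, so the loader is the only part that changes per source format.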

We welcome your feedback on the security baselines for Azure services. We encourage you to provide comments in the feedback area below. Or, if you prefer to share your input more privately with the Azure Security Benchmark team, you are welcome to fill out the form at https://aka.ms/AzSecBenchmark.

Next steps