Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
A security baseline policy assignment enables continuous compliance tracking, with results surfaced in the Azure portal to validate that your custom configurations are correctly applied across all target Windows and Linux machines. Policy assignments apply to Azure and non-Azure virtual machines (that are Azure Arc-enabled servers), extending security and compliance management across hybrid, multicloud, and edge environments. The following Policy definitions support customization:
Linux machines should meet requirements for the Azure compute security baseline
Windows machines should meet requirements for the Azure compute security baseline
[Preview] Official CIS Security Benchmarks for Linux Workloads
Assignment of a security baseline policy is managed through Machine Configuration, which enforces compliance by auditing machine settings against your chosen security baseline.
You can assign baselines via the Azure portal, Azure CLI, or automate the process in CI/CD pipelines for consistent rollout.
Important
Before assigning any security baseline policy, make sure you deploy the Machine Configuration prerequisite initiative. This initiative installs the extension on virtual machines and enables secure communication with a managed identity.
Deploy via the Azure portal
The portal provides the most direct path to create or test a baseline assignment.
Step 1—Open Machine Configuration Policies
Go to Azure portal > Policy > Machine Configuration.
Under Definitions, choose your desired baseline—for example:
[Preview] Official CIS Security Benchmarks for Linux Workloads
Azure Security Baseline for Windows
Azure Security Baseline for Linux
Step 2—Select and Customize
Choose Modify settings to tailor which benchmarks and versions you want to include.
Review and optionally edit parameters for individual rules.
When satisfied, click Review + download to generate your customized settings JSON.
Press Download All Baselines to save the file.
Each JSON file encapsulates all selected parameters and metadata.
Use this file later when creating the assignment.
Step 3—Create the Assignment
Select Create audit Policy Assignment.
In the page, define:
Scope (subscription or management group)
Assignment name and optional description
Under the Parameters tab, locate Baseline Settings. You may need to uncheck "Only show parameters that need input or review"
Click Browse → Upload the JSON file you downloaded earlier.
Confirm Effect = AuditIfNotExists for compliance tracking.
Review and create.
This upload step passes your custom configuration to the BaselineSettings parameter within the relevant built-in policies.
For full assignment options (scope, remediation, noncompliance messages, managed identities), refer to Assign a policy definition in the Azure portal.
Deploy via Azure CLI or CI/CD Pipeline
For automated policy deployment, you can create the same assignment programmatically using the Policy-as-code SDK.
Step 1—Prepare your JSON file
Ensure you download the baseline settings JSON generated from the portal. Example path:
baselineFile="./CustomizedBaselineSettings.json"
Step 2—Assign the Policy
Use the Azure CLI to deploy the assignment:
az policy assignment create \
--name "CIS-Linux-Baseline-Custom" \
--display-name "CIS Linux Baseline (Customized)" \
--policy "/providers/Microsoft.Authorization/policyDefinitions/cis-linux-baseline" \
--params @"$baselineFile" \
--scope "/subscriptions/<subscription-id>" \
--identity
You can find other examples in Assign policy with Azure CLI.
View Existing Security Baseline Assignments
After deploying your customized baseline, you can verify its status and scope in the Assignments tab under Policy → Machine Configuration in the Azure portal.
This view lists all baseline policy assignments, including their policy definition, management group or subscription, and resource group. You can use filters (for example, by policy name, subscription, or scope) to quickly locate your assignment. Selecting a specific assignment opens its details, where you can review parameter input (such as your imported JSON file), scope, and compliance status once evaluations complete.
Note
The compliance results in this view correspond to the same audit configuration surfaced in Azure Policy Compliance, ARG, and Guest Assignments—helping you validate that your custom baselines are applied correctly across all target machines.