Penetration testing

One of the benefits of using Azure for application testing and deployment is that you can quickly get environments created. You don't have to worry about requisitioning, acquiring, and "racking and stacking" your own on-premises hardware.

Quickly creating environments is great but you still need to make sure you perform your normal security due diligence. One of the things you likely want to do is penetration test the applications you deploy in Azure. We don't perform penetration testing of your application for you, but we do understand that you want and need to perform testing on your own applications. That's a good thing, because when you enhance the security of your applications you help make the entire Azure ecosystem more secure.

As of June 15, 2017, Microsoft no longer requires pre-approval to conduct a penetration test against Azure resources. This process is only related to Microsoft Azure, and not applicable to any other Microsoft Cloud Service.


While notifying Microsoft of pen testing activities is no longer required customers must still comply with the Microsoft Cloud Unified Penetration Testing Rules of Engagement.

Standard tests you can perform include:

One type of pen test that you can't perform is any kind of Denial of Service (DoS) attack. This test includes initiating a DoS attack itself, or performing related tests that might determine, demonstrate, or simulate any type of DoS attack.


You may only simulate attacks using Microsoft approved testing partners:

  • BreakingPoint Cloud: A self-service traffic generator where your customers can generate traffic against DDoS Protection-enabled public endpoints for simulations.
  • Red Button: Work with a dedicated team of experts to simulate real-world DDoS attack scenarios in a controlled environment.
  • RedWolf a self-service or guided DDoS testing provider with real-time control.

To learn more about these simulation partners, see testing with simulation partners.

Next steps