Azure Security Benchmark introduction

New services and features are released daily in Azure, developers are rapidly publishing new cloud applications built on these services, and attackers are always seeking new ways to exploit misconfigured resources. The cloud moves fast, developers move fast, and attackers are always on the move. How do you keep up and make sure that your cloud deployments are secure? How are security practices for cloud systems different from on-premises systems? How do you monitor for consistency across many independent development teams?

Microsoft has found that using security benchmarks can help you quickly secure cloud deployments. Benchmark recommendations from your cloud service provider give you a starting point for selecting specific security configuration settings in your environment and allow you to quickly reduce risk to your organization.

The Azure Security Benchmark includes a collection of high-impact security recommendations you can use to help secure the services you use in Azure:

  • Security controls: These recommendations are generally applicable across your Azure tenant and Azure services. Each recommendation identifies a list of stakeholders that are typically involved in planning, approval, or implementation of the benchmark.
  • Service baselines: These apply the controls to individual Azure services to provide recommendations on that service‚Äôs security configuration.

Implement the Azure Security Benchmark

Common Use Cases

Azure Security Benchmark is frequently used to address these common challenges for customers or service partners who are:

  • New to Azure and are looking for security best practices to ensure a secure deployment of Azure services and your own application workload.
  • Looking to improve security posture of existing Azure deployments to prioritize top risks and mitigations.
  • Evaluating the security features/capabilities of Azure services before onboarding/approving an Azure service(s) into the cloud service catalog.
  • Having the need to meet compliance requirements in highly regulated industries like government, finance and healthcare. These customers need to ensure their service configurations of Azure meet the security specification defined in framework such as CIS, NIST, or PCI. Azure Security Benchmark provides an efficient approach with the controls already pre-mapped to these industry benchmarks.


The terms "control" and "baseline" are used often in the Azure Security Benchmark documentation and it's important to understand how Azure Security Benchmark uses those terms.

Term Description Example
Control A control is a high-level description of a feature or activity that needs to be addressed and is not specific to a technology or implementation. Data Protection is one of the security control families. Data Protection contains specific actions that must be addressed to help ensure data is protected.
Baseline A baseline is the implementation of the control on the individual Azure service. Each organization decides benchmark recommendation and corresponding configurations are needed in the Azure implementation scope. The Contoso company looks to enabling Azure SQL security features by following the configuration recommended in Azure SQL security baseline.

We welcome your feedback on the Azure Security Benchmark! We encourage you to provide comments in the feedback area below. If you prefer to share your input more privately with the Azure Security Benchmark team, you are welcome to fill out the form at