About this program
Tenant-wide hardening for Azure subscriptions — identity, networking, logging and Defender for Cloud baseline.
Risks addressed
- Critical: Permanent Global Administrator role abused
- Critical: Storage accounts left publicly accessible
- High: No central monitoring across subscriptions
Controls (6)
- Critical: Privileged Identity Management for admin roles
How to test + evidence
Testing procedure: No permanent active assignments to Global Administrator or Privileged Role Administrator; admins hold eligible assignments only and activate them just-in-time through PIM, with approval required on activation.
Evidence to collect: PIM role settings export (activation duration, approval requirement, approvers) and the activation history for the last 90 days.
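Added example for the PIM test above (not part of the program page): a check that flags active Global Administrator / Privileged Role Administrator assignments that did not come from a PIM activation. It assumes an export shaped like the Microsoft Graph `roleManagementDirectory/roleAssignmentScheduleInstances` collection (`assignmentType`, `endDateTime`, `roleDefinitionId`, `principalId`); the sample export, the principal IDs, and the out-of-scope role ID are constructed. Emergency-access (break-glass) accounts are passed in as an explicit allowlist so they are excluded deliberately rather than silently.

```python
"""Flag active admin role assignments that did not come through PIM activation."""
import json
from datetime import datetime, timedelta, timezone

# Built-in Entra ID role template IDs for the two roles the control names.
# Assumption: verify them against your tenant's roleDefinitions export.
PRIVILEGED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
}

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample export: one permanent GA, one 30-day active PRA, one PIM
# activation, one unrelated role, one documented break-glass account.
SAMPLE_EXPORT = json.dumps({"value": [
    {"principalId": "u-alice", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "u-bob", "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814",
     "assignmentType": "Assigned", "endDateTime": _iso(NOW + timedelta(days=30))},
    {"principalId": "u-carol", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
     "assignmentType": "Activated", "endDateTime": _iso(NOW + timedelta(hours=4))},
    # constructed role ID for a role outside this control's scope
    {"principalId": "u-dave", "roleDefinitionId": "11111111-2222-3333-4444-555555555555",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "u-breakglass", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
     "assignmentType": "Assigned", "endDateTime": None},
]})


def find_non_jit_admin_assignments(export_json, break_glass=frozenset()):
    """Return active GA/PRA assignments that are not PIM activations.

    break_glass: principalIds of documented emergency-access accounts. They are
    skipped here but must still be listed separately in the evidence.
    """
    findings = []
    for inst in json.loads(export_json).get("value", []):
        role = PRIVILEGED_ROLES.get(inst.get("roleDefinitionId"))
        if role is None:
            continue
        if inst.get("assignmentType") == "Activated":
            continue  # JIT activation via PIM; expires at endDateTime
        principal = inst.get("principalId")
        if principal in break_glass:
            continue
        end = inst.get("endDateTime")
        # A time-bound active assignment is still not JIT: it was granted without
        # an activation request, so it is reported as a finding too.
        reason = ("permanent active assignment" if end is None
                  else f"time-bound active assignment until {end} (not JIT)")
        findings.append({"principalId": principal, "role": role, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_non_jit_admin_assignments(SAMPLE_EXPORT, break_glass={"u-breakglass"}):
        print(f"{f['role']:30} {f['principalId']:15} {f['reason']}")
```

Eligible assignments live in a separate collection (`roleEligibilityScheduleInstances`) and are not findings; this check only looks at what is active right now.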
- High: Conditional Access baseline policies
How to test + evidence
Testing procedure: One policy requires MFA for all users on all cloud apps and one blocks legacy authentication clients; both are in the enabled state (report-only does not count), with any user or group exclusions documented.
Evidence to collect: Conditional Access policy export (all policies, including state and exclusions).
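Added example for the Conditional Access test above (not part of the program page): a check over an exported policy list that looks for the two baseline policies and reports report-only policies and MFA exclusions separately. It assumes the Microsoft Graph `conditionalAccessPolicies` shape (`state`, `conditions.users`, `conditions.applications`, `conditions.clientAppTypes`, `grantControls`); the sample policies and principal IDs are constructed.

```python
"""Check a Conditional Access export for the MFA-for-all and block-legacy-auth baseline."""
import json

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}
MODERN_CLIENTS = {"browser", "mobileAppsAndDesktopClients"}

# Constructed sample export. The legacy-auth block is still in report-only mode,
# which is the usual reason this control fails an audit.
SAMPLE_POLICIES = json.dumps({"value": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u-breakglass"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]})


def _covers_all(policy):
    cond = policy.get("conditions", {})
    return ("All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))


def _client_types(policy):
    return set(policy.get("conditions", {}).get("clientAppTypes", []))


def _grants(policy):
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if grant.get("authenticationStrength"):
        controls.add("mfa")  # an authentication-strength grant is an MFA requirement too
    return controls


def evaluate_ca_baseline(export_json):
    """Return which policy satisfies each baseline requirement, plus the caveats."""
    result = {"mfa_all_users": None, "block_legacy_auth": None,
              "report_only": [], "mfa_exclusions": []}
    for policy in json.loads(export_json).get("value", []):
        name = policy.get("displayName")
        if policy.get("state") == "enabledForReportingButNotEnforced":
            result["report_only"].append(name)  # enforces nothing
            continue
        if policy.get("state") != "enabled" or not _covers_all(policy):
            continue
        types, grants = _client_types(policy), _grants(policy)
        if "mfa" in grants and (types == {"all"} or MODERN_CLIENTS <= types):
            result["mfa_all_users"] = name
            users = policy["conditions"]["users"]
            result["mfa_exclusions"] = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        if "block" in grants and types == LEGACY_CLIENTS:
            result["block_legacy_auth"] = name
    return result


if __name__ == "__main__":
    print(json.dumps(evaluate_ca_baseline(SAMPLE_POLICIES), indent=2))
```

Every ID in `mfa_exclusions` should map to a documented exception (typically the break-glass accounts); anything else is a gap in the MFA requirement.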
- High: Defender for Cloud enabled (Standard)
How to test + evidence
Testing procedure: Defender for Cloud runs on the Standard tier (Defender plans enabled, not the Free tier) in every subscription hosting critical workloads.
Evidence to collect: Defender pricing tier export or screenshot per subscription.
- Critical: Storage accounts: public access disabled
How to test + evidence
Testing procedure: An Azure Policy assignment at tenant / management-group scope denies storage accounts with "Allow Blob public access" enabled (Deny effect, enforcement on), and a scan of existing accounts shows none with the setting enabled.
Evidence to collect: Azure Policy assignment export and the storage account scan results.
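Added example for the storage test above (not part of the program page): the two halves of the check, a scan of exported storage accounts and a look at whether the policy assignment actually enforces. It assumes the field names of `az storage account list -o json` (`allowBlobPublicAccess`, `publicNetworkAccess`, `networkRuleSet.defaultAction`) and `az policy assignment list -o json` (`policyDefinitionId`, `scope`, `enforcementMode`); the account names, the policy definition ID and both exports are constructed.

```python
"""Scan storage accounts for public access and confirm the deny policy is enforced."""
import json

# Constructed sample of `az storage account list -o json`, trimmed to the fields used.
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "stprodlogs01", "resourceGroup": "rg-prod", "allowBlobPublicAccess": False,
     "publicNetworkAccess": "Disabled", "networkRuleSet": {"defaultAction": "Deny"}},
    {"name": "stwebassets", "resourceGroup": "rg-prod", "allowBlobPublicAccess": True,
     "publicNetworkAccess": "Enabled", "networkRuleSet": {"defaultAction": "Allow"}},
    {"name": "stlegacy2019", "resourceGroup": "rg-legacy", "allowBlobPublicAccess": None,
     "publicNetworkAccess": None, "networkRuleSet": {"defaultAction": "Allow"}},
])

# Hypothetical policy definition ID; substitute the built-in or custom definition you assign.
POLICY_DEF = "/providers/Microsoft.Authorization/policyDefinitions/deny-blob-public-access"

# Constructed sample of `az policy assignment list -o json`, trimmed.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"name": "deny-blob-public", "scope": "/providers/Microsoft.Management/managementGroups/corp",
     "policyDefinitionId": POLICY_DEF, "enforcementMode": "DoNotEnforce"},
])


def check_storage_accounts(accounts_json):
    """Return (account, severity, detail) for every account that fails the control."""
    findings = []
    for acct in json.loads(accounts_json):
        blob_public = acct.get("allowBlobPublicAccess")
        if blob_public is True:
            findings.append((acct["name"], "critical",
                             "allowBlobPublicAccess=true: containers can be set to anonymous"))
        elif blob_public is None:
            # Property never set on the account: treat as non-compliant until the
            # effective value is confirmed (conservative assumption of this check).
            findings.append((acct["name"], "review",
                             "allowBlobPublicAccess unset: confirm effective value"))
        default_action = (acct.get("networkRuleSet") or {}).get("defaultAction")
        if acct.get("publicNetworkAccess") != "Disabled" and default_action == "Allow":
            findings.append((acct["name"], "high",
                             "reachable from all networks (no firewall default Deny)"))
    return findings


def policy_assignment_status(assignments_json, definition_id):
    """Split assignments of the definition into enforced and audit-only scopes.

    enforcementMode "DoNotEnforce" only evaluates compliance: a Deny-effect policy
    in that mode blocks nothing, so it does not satisfy "denies by default".
    """
    status = {"enforced_scopes": [], "audit_only_scopes": []}
    for a in json.loads(assignments_json):
        if (a.get("policyDefinitionId") or "").lower() != definition_id.lower():
            continue
        key = ("audit_only_scopes" if a.get("enforcementMode", "Default") == "DoNotEnforce"
               else "enforced_scopes")
        status[key].append(a.get("scope"))
    return status


if __name__ == "__main__":
    for name, severity, detail in check_storage_accounts(SAMPLE_ACCOUNTS):
        print(f"{severity:8} {name:15} {detail}")
    print(policy_assignment_status(SAMPLE_ASSIGNMENTS, POLICY_DEF))
```

The assignment's `effect` parameter must also resolve to Deny; an Audit-effect assignment with enforcement on still creates no block.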
- High: Activity log streamed to Log Analytics
How to test + evidence
Testing procedure: Subscription-level diagnostic settings send the Activity Log to the central Log Analytics workspace / SIEM in every subscription, and resource-level diagnostic settings do the same for key services.
Evidence to collect: Diagnostic settings export (subscription and key resources).
- Medium: Resource locks on production resources
How to test + evidence
Testing procedure: Every critical production resource is covered by a CanNotDelete lock, applied to the resource itself or inherited from its resource group or subscription.
Evidence to collect: Lock list export alongside the production resource inventory it is checked against.
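Added example for the lock test above (not part of the program page): a check that maps each production resource ID to the lock covering it, taking lock inheritance from resource-group and subscription scope into account, and lists what is left unprotected. It assumes the `az lock list -o json` fields (`id`, `name`, `level`) and that a lock's scope is its `id` with the trailing `/providers/Microsoft.Authorization/locks/<name>` segment removed; the subscription ID, lock names and resource IDs are constructed.

```python
"""Find production resources not covered by a delete-blocking lock, honouring inheritance."""
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed
LOCK_SEGMENT = "/providers/Microsoft.Authorization/locks/"
DELETE_BLOCKING = {"CanNotDelete", "ReadOnly"}  # ReadOnly also blocks delete (and writes)

# Constructed sample of `az lock list -o json`, trimmed to the fields used:
# one resource-group lock, one resource-level lock.
SAMPLE_LOCKS = json.dumps([
    {"name": "prod-no-delete", "level": "CanNotDelete",
     "id": f"{SUB}/resourceGroups/rg-prod{LOCK_SEGMENT}prod-no-delete"},
    {"name": "kv-readonly", "level": "ReadOnly",
     "id": f"{SUB}/resourceGroups/rg-shared/providers/Microsoft.KeyVault/vaults/kv-prod"
           f"{LOCK_SEGMENT}kv-readonly"},
])

# Constructed production inventory, e.g. from `az resource list --tag env=prod --query [].id`.
# rg-production shares a prefix with rg-prod on purpose: a naive startswith() would
# wrongly count its VM as locked.
PROD_RESOURCES = [
    f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql-prod",
    f"{SUB}/resourceGroups/rg-shared/providers/Microsoft.KeyVault/vaults/kv-prod",
    f"{SUB}/resourceGroups/rg-shared/providers/Microsoft.Storage/storageAccounts/stprodlogs01",
    f"{SUB}/resourceGroups/rg-production/providers/Microsoft.Compute/virtualMachines/vm-app01",
]


def lock_scope(lock_id):
    """Strip the lock's own path segment to get the scope the lock applies to."""
    return lock_id.split(LOCK_SEGMENT, 1)[0]


def _within(resource_id, scope):
    """Case-insensitive scope match on a path boundary (Azure resource IDs are not case-sensitive)."""
    r, s = resource_id.lower(), scope.lower()
    return r == s or r.startswith(s + "/")


def lock_coverage(locks_json, resource_ids):
    """Map each resource ID to the (lock name, level) protecting it, or None."""
    scopes = [(lock_scope(lock["id"]), lock["name"], lock["level"])
              for lock in json.loads(locks_json) if lock.get("level") in DELETE_BLOCKING]
    coverage = {}
    for rid in resource_ids:
        coverage[rid] = next(((name, level) for scope, name, level in scopes
                              if _within(rid, scope)), None)
    return coverage


def unlocked(locks_json, resource_ids):
    return [rid for rid, lock in lock_coverage(locks_json, resource_ids).items() if lock is None]


if __name__ == "__main__":
    for rid, lock in lock_coverage(SAMPLE_LOCKS, PROD_RESOURCES).items():
        print(f"{'OK ' if lock else 'GAP'} {rid.split('/')[-1]:15} {lock}")
```

A ReadOnly lock satisfies the delete check but also blocks every write operation on the resource, so the report keeps the level visible rather than collapsing both to "locked".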