Azure Security Baselines

Security design patterns based on the Microsoft Cloud Security Benchmark (MCSB). Use these baselines as reusable patterns when designing Azure architectures — each service baseline maps security features to 12 control domains with configuration guidance, Terraform examples, and framework cross-mappings to NIST, CIS, PCI-DSS, and ISO 27001.

Design Patterns, Not Compliance Checklists

These baselines are reframed from Microsoft's official security baselines as architecture decision aids. For each Azure service, you get: what security controls are available, which are on by default, who is responsible for enabling them, and how to configure them in your design. Use them during architecture reviews, threat modeling sessions, and design documentation.

How to Use Baselines in Design

Baseline-Driven Architecture Review

```mermaid
graph LR
    A[Select Azure Service] --> B[Identify Applicable\nControl Domains]
    B --> C{Check Feature\nSupport}
    C -->|Supported| D[Review Default\nConfiguration]
    C -->|Not Supported| E[Document Gap\n& Compensating Control]
    D --> F{Enabled by\nDefault?}
    F -->|Yes| G[Verify & Document]
    F -->|No| H[Define Responsibility\n& Configuration]
    H --> I[Add to Design Doc\nwith Terraform/Bicep]
    G --> I
    E --> I
    I --> J[Architecture Review\nChecklist Complete]
    style A stroke:#22d3ee,stroke-width:2px
    style B stroke:#22d3ee,stroke-width:2px
    style C stroke:#a855f7,stroke-width:2px
    style D stroke:#22d3ee,stroke-width:2px
    style E stroke:#ec4899,stroke-width:2px
    style F stroke:#a855f7,stroke-width:2px
    style G stroke:#4ade80,stroke-width:2px
    style H stroke:#22d3ee,stroke-width:2px
    style I stroke:#4ade80,stroke-width:2px
    style J stroke:#4ade80,stroke-width:2px
```

1. Pick Your Services

Start with the Azure services in your architecture. Each has a security baseline mapping features to the 12 MCSB control domains.

2. Walk the Controls

For each domain (Network, Identity, Data Protection…) check what's supported, what's on by default, and what needs explicit configuration.

3. Document Decisions

Capture each decision in your design doc — enabled controls, gaps with compensating controls, and IaC code to enforce in deployment.

12 MCSB Control Domains

Every Azure service baseline is organized around these 12 security control domains from the Microsoft Cloud Security Benchmark. Each domain represents a category of security controls that applies across services.

Service Categories

Baselines are organized by Azure service category. Each page covers all services in that category with full control-by-control security guidance reframed as design patterns.

Compute

App Service • Virtual Machines • Azure Functions • Container Apps • Virtual Desktop

Security baselines for web apps, VMs, serverless functions, container microservices, and virtual desktop infrastructure — covering network isolation, identity, encryption, and runtime protection.

Networking

Front Door • Azure Firewall • VPN Gateway • Application Gateway • Bastion • ExpressRoute

Network edge and connectivity patterns for WAF, DDoS protection, traffic inspection, VPN encryption, private access, and hybrid connectivity.

Data & Storage

SQL Database • Cosmos DB • Storage Account • Key Vault • Redis Cache • PostgreSQL • Data Factory

Data protection patterns for encryption at rest and in transit, private endpoints, threat detection, classification, backup, and data integration pipelines.

Messaging & Events

Service Bus • Event Hubs

Secure messaging and event streaming patterns — private endpoints, Entra ID authentication, CMK encryption, and operational logging.

Identity & Security

Entra ID • Defender for Cloud • Sentinel

Foundational security services for identity governance, CSPM, and SIEM/SOAR operations.

Containers

AKS • Container Registry

Container platform baselines for private clusters, workload identity, image trust, runtime detection, and supply chain security.

Integration

API Management

API gateway and integration service baselines — internal VNet deployment, mTLS, JWT validation, rate limiting, and backend protection.

Management

Log Analytics Workspace

Operational management baselines for centralized logging, AMPLS private link, resource-context RBAC, CMK encryption, and retention policies.

Baseline Explorer

Interactive Baseline Explorer

Search and compare security baselines across Azure services. Select a service, filter by control domain, compare side-by-side, and export to PDF for your design documentation.

Framework Alignment

MCSB control domains map directly to industry frameworks. Use these cross-mappings when your design needs to demonstrate compliance coverage.

| MCSB Domain | NIST 800-53 | CIS v8 | PCI-DSS v4 | ISO 27001 | NIST CSF 2.0 |
|---|---|---|---|---|---|
| NS – Network Security | SC-7, SC-8, AC-4 | 9.2, 9.3, 12.1 | 1.2, 1.3, 1.4 | A.8.20, A.8.21 | PR.DS-2, PR.IR-1 |
| IM – Identity Management | AC-2, AC-3, IA-2, IA-5 | 5.1, 5.2, 6.1 | 7.1, 7.2, 8.1 | A.5.15, A.8.2 | PR.AA-1, PR.AA-3 |
| PA – Privileged Access | AC-2(7), AC-6, AC-6(5) | 5.4, 6.5, 6.8 | 7.2, 8.2, 8.6 | A.5.15, A.8.18 | PR.AA-5 |
| DP – Data Protection | SC-12, SC-13, SC-28 | 3.1, 3.5, 3.6 | 3.1, 3.5, 4.1 | A.8.24, A.8.25 | PR.DS-1, PR.DS-2 |
| AM – Asset Management | CM-8, CM-7, PM-5 | 1.1, 2.1, 2.5 | 2.1, 6.3, 12.5 | A.5.9, A.8.1 | ID.AM-1, ID.AM-2 |
| LT – Logging & Detection | AU-3, AU-6, SI-4 | 8.2, 8.5, 13.1 | 10.1, 10.2, 10.7 | A.8.15, A.8.16 | DE.CM-1, DE.AE-2 |
| IR – Incident Response | IR-1, IR-4, IR-5 | 17.1, 17.2, 17.4 | 12.10 | A.5.24, A.5.25 | RS.MA-1, RS.AN-3 |
| PV – Posture & Vuln Mgmt | CA-2, RA-5, SI-2 | 4.1, 7.1, 7.5 | 6.1, 6.3, 11.3 | A.8.8, A.8.9 | ID.RA-1, PR.PS-1 |
| ES – Endpoint Security | SI-3, SI-4 | 10.1, 10.2 | 5.1, 5.2 | A.8.7 | DE.CM-4 |
| BR – Backup & Recovery | CP-9, CP-10 | 11.1, 11.2, 11.4 | 9.4, 12.10 | A.8.13, A.8.14 | RC.RP-1 |
| DS – DevOps Security | SA-11, SA-15 | 16.1, 16.4 | 6.2, 6.3, 6.5 | A.8.25, A.8.28 | PR.DS-8 |
| GS – Governance & Strategy | PM-1, PM-2, PL-1 | 1.1, 15.1 | 12.1, 12.4 | A.5.1, A.5.2 | GV.OC-1, GV.RM-1 |

What Each Baseline Tells You

Per Control Domain

  • Feature Name — Which security feature maps to the control
  • Supported — Whether the feature is available for the service
  • Enabled by Default — Whether it's on out of the box
  • Responsibility — Customer, Microsoft, or Shared
  • Configuration Guidance — How to implement as a design pattern
  • Terraform / Bicep Example — IaC to enforce the configuration

Per Service

  • Security Profile — Category, host access level, VNet support, data at rest
  • Network Security — VNet, Private Link, WAF, DDoS patterns
  • Identity & Access — Entra ID, managed identity, conditional access
  • Data Protection — Encryption at rest (PMK/CMK) and in transit
  • Threat Detection — Defender plans, logging, monitoring
  • Backup & Recovery — Backup support, immutability options