Control Domains

MCSB Control Domains

The Microsoft Cloud Security Benchmark organizes security controls into 12 domains. Each domain represents a security design pattern applicable across all Azure services. Use these as your architecture review checklist — walk through each domain for every service in your design.

Pattern-Oriented Approach

Each domain below is presented as a security design pattern — not just what controls exist, but how to apply them in your architecture. Each includes the security principle, key controls, an architecture pattern with Terraform example, and cross-framework mappings.

MCSB Domain Map

```mermaid
graph LR
  Foundation["Foundation<br/>NS · IM · PA"]
  Data["Data & Assets<br/>DP · AM"]
  Ops["Operations<br/>LT · IR · PV · ES"]
  Resilience["Resilience<br/>BR · DS · GS"]
  Foundation --> Data --> Ops --> Resilience
  Resilience -.->|GS governs all| Foundation
  style Foundation stroke:#4ade80,stroke-width:2px
  style Data stroke:#22d3ee,stroke-width:2px
  style Ops stroke:#a855f7,stroke-width:2px
  style Resilience stroke:#ec4899,stroke-width:2px
```

NS Network Security

Security Principle: Isolate workloads on private networks, control traffic flows at every boundary, and ensure no service endpoint is unnecessarily exposed to the public internet. Think of the network as your first physical wall — everything inside should be segmented, inspected, and encrypted.

| ID | Control | Design Pattern |
|---|---|---|
| NS-1 | Network Segmentation | Deploy into VNets, apply NSGs per subnet, use ASGs for role-based grouping |
| NS-2 | Secure Cloud Services | Private Link for PaaS, disable public access, IP ACLs as backup |
| NS-3 | Edge Firewall | Azure Firewall Premium at hub VNet for north-south inspection |
| NS-4 | IDS/IPS | Azure Firewall Premium IDPS in Alert+Deny mode |
| NS-5 | DDoS Protection | DDoS Protection Standard on VNets with public endpoints |
| NS-6 | WAF | Front Door or App Gateway WAF in Prevention mode with OWASP 3.2 ruleset |
| NS-7 | Simplify Config | Azure Firewall Manager for centralized policy across hub/spoke |
| NS-8 | Disable Insecure Protocols | Disable TLS 1.0/1.1, SMBv1, unencrypted HTTP at service level |
| NS-9 | Private Connectivity | ExpressRoute or VPN Gateway with IPsec for on-prem links |
| NS-10 | DNS Security | Azure DNS Private Zones, DNS forwarding rules, DNSSEC |

Architecture Pattern: Hub-Spoke Network Isolation

```hcl
# Terraform — Hub VNet with Firewall + Spoke with Private Endpoints
resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub-prod"
  address_space       = ["10.0.0.0/16"]
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
}

resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet"    # Required name
  virtual_network_name = azurerm_virtual_network.hub.name
  resource_group_name  = azurerm_resource_group.hub.name
  address_prefixes     = ["10.0.1.0/26"]
}

# A Standard-SKU static public IP is required for the firewall's ip_configuration
resource "azurerm_public_ip" "fw" {
  name                = "pip-fw-hub-prod"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

# Premium policy carries the IDPS (NS-4) and threat-intel settings for the firewall
resource "azurerm_firewall_policy" "hub" {
  name                     = "fwpol-hub-prod"
  resource_group_name      = azurerm_resource_group.hub.name
  location                 = azurerm_resource_group.hub.location
  sku                      = "Premium"
  threat_intelligence_mode = "Deny"

  intrusion_detection {
    mode = "Deny"    # Alert+Deny: log signature hits and block the flow
  }
}

resource "azurerm_firewall" "hub" {
  name                = "fw-hub-prod"
  sku_name            = "AZFW_VNet"
  sku_tier            = "Premium"                 # Required for IDPS
  firewall_policy_id  = azurerm_firewall_policy.hub.id
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name

  ip_configuration {
    name                 = "fw-ipconfig"
    subnet_id            = azurerm_subnet.firewall.id
    public_ip_address_id = azurerm_public_ip.fw.id
  }
}

# Spoke VNet with NSG-protected private endpoint subnet.
# NSG rules only apply to private endpoints when network policies are enabled
# on their subnet (private_endpoint_network_policies_enabled = true).
resource "azurerm_network_security_group" "pe_subnet" {
  name                = "nsg-pe-subnet"
  location            = azurerm_resource_group.spoke.location
  resource_group_name = azurerm_resource_group.spoke.name

  security_rule {
    name                       = "DenyInternetOutbound"
    priority                   = 100
    direction                  = "Outbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "Internet"
  }
}
```

Framework mapping: NIST SP 800-53 SC-7, SC-8, AC-4 • CIS v8 9.2, 9.3, 12.1 • PCI-DSS v4 1.2–1.4 • ISO 27001 A.8.20–A.8.22

IM Identity Management

Security Principle: Every access decision must be identity-driven. Centralize on Entra ID, eliminate local authentication methods, use managed identities for all service-to-service communication, and enforce MFA with phishing-resistant methods. Identity is your new perimeter.

| ID | Control | Design Pattern |
|---|---|---|
| IM-1 | Centralized Identity | Entra ID as sole auth provider; disable SQL auth, SAS keys, local accounts |
| IM-2 | Protect Identity Systems | Harden Entra ID Connect, monitor identity logs, protect sync accounts |
| IM-3 | Managed Identities | System-assigned MI for single-resource, user-assigned MI for shared identity patterns |
| IM-6 | Strong Authentication | Enforce phishing-resistant MFA (FIDO2, Windows Hello, certificate-based) |
| IM-7 | Conditional Access | Block access from untrusted locations, require compliant devices, risk-based policies |
| IM-8 | Credential Protection | Key Vault for all secrets; scan repos with CredScan; auto-rotate keys |

Architecture Pattern: Managed Identity Chain

```hcl
# Terraform — App Service with Managed Identity accessing Key Vault & SQL
resource "azurerm_linux_web_app" "api" {
  name                = "app-api-prod"
  resource_group_name = azurerm_resource_group.app.name
  location            = azurerm_resource_group.app.location
  service_plan_id     = azurerm_service_plan.main.id
  https_only          = true         # No plaintext HTTP listener (NS-8, DP-3)

  identity {
    type = "SystemAssigned"    # MI for downstream access
  }

  site_config {
    minimum_tls_version = "1.2"
  }

  app_settings = {
    # Key Vault references — no secrets in config
    "ConnectionStrings__DefaultConnection" = "@Microsoft.KeyVault(VaultName=kv-prod;SecretName=sql-conn)"
  }
}

# Grant MI access to Key Vault via RBAC (not access policy)
resource "azurerm_role_assignment" "app_kv_secrets" {
  scope                = azurerm_key_vault.main.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_linux_web_app.api.identity[0].principal_id
}

# Management-plane role on the database, using the narrowest built-in role (PA-7).
# Azure RBAC never grants data access to SQL: the identity also needs a contained
# database user, created in T-SQL as
#   CREATE USER [app-api-prod] FROM EXTERNAL PROVIDER;
#   ALTER ROLE db_datareader ADD MEMBER [app-api-prod];
resource "azurerm_role_assignment" "app_sql" {
  scope                = azurerm_mssql_database.main.id
  role_definition_name = "SQL DB Contributor"
  principal_id         = azurerm_linux_web_app.api.identity[0].principal_id
}
```

Framework mapping: NIST SP 800-53 AC-2, AC-3, IA-2, IA-5 • CIS v8 5.1–5.3, 6.1 • PCI-DSS v4 7.1–8.3 • ISO 27001 A.5.15, A.8.2

PA Privileged Access

Security Principle: No standing privileged access. Use just-in-time elevation via PIM, separate admin accounts from daily-use accounts, enforce PAW for sensitive operations, and audit every privileged action. Assume breach — limit the blast radius an attacker gets from any single compromised identity.

| ID | Control | Design Pattern |
|---|---|---|
| PA-1 | Separate Privileged Users | Dedicated admin accounts; no Global Admin for daily work |
| PA-2 | No Standing Access | PIM for JIT elevation; max 4-hour activation windows |
| PA-5 | Emergency Access | 2+ break-glass accounts excluded from CA policies; monitored with alerts |
| PA-7 | Least Privilege | Azure RBAC with built-in roles; custom roles only when built-in insufficient |
| PA-8 | Cloud Provider Support | Customer Lockbox for all Microsoft data access requests |

Framework mapping: NIST SP 800-53 AC-2(7), AC-6, AC-6(5) • CIS v8 5.4, 6.5, 6.8 • PCI-DSS v4 7.2, 8.2, 8.6 • ISO 27001 A.5.15, A.8.18

DP Data Protection

Security Principle: Encrypt everything at rest and in transit. Know where your sensitive data lives, classify it, and protect it proportionally. Use platform-managed keys by default, customer-managed keys for regulated workloads, and Key Vault for all key lifecycle management.

| ID | Control | Design Pattern |
|---|---|---|
| DP-1 | Data Discovery & Classification | Microsoft Purview for cross-service sensitive data discovery and labeling |
| DP-2 | Threat Monitoring for Data | Defender for SQL/Storage/CosmosDB for anomalous data access detection |
| DP-3 | Encrypt Data in Transit | TLS 1.2+ mandatory; HTTPS-only mode; disable insecure ciphers |
| DP-4 | Encryption at Rest (PMK) | Platform-managed keys — on by default for most Azure services |
| DP-5 | Encryption at Rest (CMK) | Customer-managed keys via Key Vault for regulated workloads; auto-rotate |
| DP-6 | Key Management | Key Vault Premium (HSM-backed); rotation policies; separate DEK/KEK |
| DP-7 | Certificate Management | Key Vault certificates with auto-renewal; monitor expiry alerts |
| DP-8 | Secure Key/Cert Repository | Soft delete + purge protection; RBAC; private endpoint for Key Vault |

Architecture Pattern: CMK Encryption with Key Vault

```hcl
# Terraform — Key Vault with CMK for SQL Database and Storage

# Tenant context for the vault
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "main" {
  name                       = "kv-prod-001"
  resource_group_name        = azurerm_resource_group.security.name
  location                   = azurerm_resource_group.security.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"          # HSM-backed
  soft_delete_retention_days = 90
  purge_protection_enabled   = true               # Required for CMK
  enable_rbac_authorization  = true               # RBAC over access policies

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

resource "azurerm_key_vault_key" "sql_cmk" {
  name         = "sql-tde-cmk"
  key_vault_id = azurerm_key_vault.main.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["unwrapKey", "wrapKey"]

  rotation_policy {
    automatic {
      time_before_expiry = "P30D"
    }
    expire_after = "P365D"
  }
}

# Bind the key to SQL TDE. Assumes azurerm_mssql_server.main exists with a
# system-assigned identity; the server must be allowed to wrap/unwrap with the key.
resource "azurerm_role_assignment" "sql_kv_crypto" {
  scope                = azurerm_key_vault.main.id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_mssql_server.main.identity[0].principal_id
}

resource "azurerm_mssql_server_transparent_data_encryption" "main" {
  server_id             = azurerm_mssql_server.main.id
  key_vault_key_id      = azurerm_key_vault_key.sql_cmk.id
  auto_rotation_enabled = true    # follow new key versions produced by the rotation policy

  depends_on = [azurerm_role_assignment.sql_kv_crypto]
}
```
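
DP-8 and NS-2 ask for the vault to be reachable only over Private Link, which the CMK pattern above does not yet show. The following is an added example, not code from the benchmark or from the page's own pattern; it reuses `azurerm_key_vault.main` and the `security`/`spoke` resource groups from above and assumes a spoke VNet `azurerm_virtual_network.spoke` and a private-endpoint subnet `azurerm_subnet.pe` (both hypothetical names).

```hcl
# Added example: Private Link for the Key Vault defined above (DP-8, NS-2).
# Assumed (not from the page): azurerm_virtual_network.spoke and azurerm_subnet.pe.

# Private DNS zone using the well-known Key Vault Private Link zone name
resource "azurerm_private_dns_zone" "kv" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = azurerm_resource_group.security.name
}

# Link the zone to the VNet hosting the clients so the vault FQDN resolves to the private IP
resource "azurerm_private_dns_zone_virtual_network_link" "kv_spoke" {
  name                  = "pdns-link-kv-spoke"
  resource_group_name   = azurerm_resource_group.security.name
  private_dns_zone_name = azurerm_private_dns_zone.kv.name
  virtual_network_id    = azurerm_virtual_network.spoke.id
  registration_enabled  = false
}

resource "azurerm_private_endpoint" "kv" {
  name                = "pe-kv-prod-001"
  location            = azurerm_resource_group.spoke.location
  resource_group_name = azurerm_resource_group.spoke.name
  subnet_id           = azurerm_subnet.pe.id

  private_service_connection {
    name                           = "psc-kv-prod-001"
    private_connection_resource_id = azurerm_key_vault.main.id
    subresource_names              = ["vault"]    # Key Vault data-plane group
    is_manual_connection           = false
  }

  # Have Azure manage the A record for the endpoint in the private zone
  private_dns_zone_group {
    name                 = "pdzg-kv"
    private_dns_zone_ids = [azurerm_private_dns_zone.kv.id]
  }
}
```

Once the endpoint resolves correctly, set `public_network_access_enabled = false` on `azurerm_key_vault.main`: the `network_acls` deny rule already rejects public callers, but the explicit flag removes the public listener entirely.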

AM Asset Management

Security Principle: You can't protect what you don't know about. Maintain a current inventory of all Azure resources, restrict what can be deployed via Azure Policy, tag everything for governance, and ensure security teams have visibility into all assets.

| ID | Control | Design Pattern |
|---|---|---|
| AM-1 | Track Asset Inventory | Azure Resource Graph queries; enforce tagging via Policy |
| AM-2 | Approved Services Only | Azure Policy deny rules for unapproved resource types and regions |
| AM-3 | Secure Asset Lifecycle | Security policies enforced at creation; secure decommissioning procedures |
| AM-4 | Limit Management Access | Separate subscriptions for sensitive workloads; management group hierarchy |
| AM-5 | Approved VM Applications | Adaptive Application Controls or AppLocker for VM application whitelisting |
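
AM-1 and AM-2 both come down to Azure Policy deny rules. The block below is an added example (not part of the page's own patterns) that defines and assigns two custom policies at subscription scope; the tag name `owner` and the region list are illustrative values, and it assumes an azurerm provider already configured against the target subscription.

```hcl
# Added example: Azure Policy guardrails for AM-1 (tag enforcement) and AM-2
# (approved regions). Tag name and regions are constructed sample values.

data "azurerm_subscription" "current" {}

# AM-1: refuse to create or update resources that carry no "owner" tag
resource "azurerm_policy_definition" "require_owner_tag" {
  name         = "mcsb-am1-require-owner-tag"
  policy_type  = "Custom"
  mode         = "Indexed"    # only resource types that support tags and location
  display_name = "Require an owner tag on all resources"

  policy_rule = jsonencode({
    if = {
      field  = "tags['owner']"
      exists = "false"
    }
    then = { effect = "deny" }
  })
}

# AM-2: refuse deployments outside the approved regions
resource "azurerm_policy_definition" "allowed_locations" {
  name         = "mcsb-am2-allowed-locations"
  policy_type  = "Custom"
  mode         = "Indexed"
  display_name = "Allowed locations for resources"

  parameters = jsonencode({
    allowedLocations = {
      type     = "Array"
      metadata = { displayName = "Allowed locations", strongType = "location" }
    }
  })

  policy_rule = jsonencode({
    if = {
      allOf = [
        { field = "location", notIn = "[parameters('allowedLocations')]" },
        { field = "location", notEquals = "global" }    # region-less services are exempt
      ]
    }
    then = { effect = "deny" }
  })
}

resource "azurerm_subscription_policy_assignment" "require_owner_tag" {
  name                 = "mcsb-am1-require-owner-tag"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.require_owner_tag.id
}

resource "azurerm_subscription_policy_assignment" "allowed_locations" {
  name                 = "mcsb-am2-allowed-locations"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.allowed_locations.id

  parameters = jsonencode({
    allowedLocations = { value = ["westeurope", "northeurope"] }
  })
}
```

A deny effect only blocks new and changed resources; pre-existing drift shows up in the compliance view (PV-2) and has to be remediated separately.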

LT Logging and Threat Detection

Security Principle: Enable threat detection on every service that offers it, collect all logs centrally, and ensure your SIEM has enough retention and correlation capabilities. The question isn't if you'll be attacked — it's whether you'll detect and respond fast enough.

| ID | Control | Design Pattern |
|---|---|---|
| LT-1 | Threat Detection | Enable all Defender plans; Defender for Cloud CSPM for security posture |
| LT-2 | Identity Threat Detection | Entra ID Protection risk policies; sign-in risk + user risk triggers |
| LT-3 | Resource Logging | DiagnosticSettings on every resource → Log Analytics workspace |
| LT-4 | Network Logging | NSG flow logs v2, VNet flow logs, Traffic Analytics |
| LT-5 | Centralize Logs | Microsoft Sentinel as SIEM; DCR-based data collection |
| LT-6 | Log Retention | 90-day interactive, 2-year archive; cold tier for compliance |
| LT-7 | Time Sync | All Azure resources use Microsoft NTP; verify custom VMs |
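
The central-logging pieces of LT-1, LT-3 and LT-6 (and the Defender for Servers plan behind ES-1) fit in one Terraform fragment. This is an added example rather than one of the page's own patterns; it reuses `azurerm_resource_group.security` and `azurerm_key_vault.main` from the Data Protection pattern and introduces a workspace named `law-sec-prod`, a constructed name.

```hcl
# Added example: central log collection and retention (LT-1, LT-3, LT-6, ES-1).
# Reuses azurerm_resource_group.security and azurerm_key_vault.main from the page.

# Workspace with 90 days of interactive retention (LT-6)
resource "azurerm_log_analytics_workspace" "sec" {
  name                = "law-sec-prod"
  location            = azurerm_resource_group.security.location
  resource_group_name = azurerm_resource_group.security.name
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

# Keep the diagnostics table for 2 years in total; days beyond the
# interactive window live in the cheaper archive tier (LT-6)
resource "azurerm_log_analytics_workspace_table" "diag" {
  workspace_id            = azurerm_log_analytics_workspace.sec.id
  name                    = "AzureDiagnostics"
  retention_in_days       = 90
  total_retention_in_days = 730
}

# LT-3: ship every log category and metric of the vault to the workspace.
# Repeat this resource (or wrap it in a module) for each resource in the design.
resource "azurerm_monitor_diagnostic_setting" "kv" {
  name                       = "diag-kv-to-law"
  target_resource_id         = azurerm_key_vault.main.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.sec.id

  enabled_log {
    category_group = "allLogs"    # includes AuditEvent for Key Vault
  }

  metric {
    category = "AllMetrics"
  }
}

# LT-1 / ES-1: Defender plans at subscription scope. Extend the set as the
# design grows; some plans additionally require a subplan argument.
locals {
  defender_plans = toset(["VirtualMachines", "SqlServers", "KeyVaults", "Containers", "CloudPosture"])
}

resource "azurerm_security_center_subscription_pricing" "defender" {
  for_each      = local.defender_plans
  tier          = "Standard"
  resource_type = each.value
}
```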

IR Incident Response

Security Principle: Prepare before incidents happen. Have playbooks, automation, and contact chains ready. When an incident occurs, leverage Sentinel's investigation graph, automated containment playbooks, and systematic post-incident review to continuously improve.

| ID | Control | Design Pattern |
|---|---|---|
| IR-1 | Update IR Plan | Cloud-specific playbooks for each service in the architecture |
| IR-2 | Notification Setup | Security contacts in Defender for Cloud; automated alert routing |
| IR-3 | High-Quality Incidents | Sentinel analytics rules with proper entity mapping and severity |
| IR-4 | Investigation | Sentinel investigation graph, UEBA, threat hunting workbooks |
| IR-5 | Automated Response | SOAR playbooks: isolate VM, revoke token, block IP, notify SOC |
| IR-6 | Lessons Learned | Post-incident reviews, updated runbooks, detection coverage verification |
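
IR-3 is concrete enough to show in Terraform: a Sentinel scheduled rule whose query ends in columns that are mapped to entities, so the resulting incident carries an IP the investigation graph can pivot on. This is an added example, not from the page or from Microsoft; it assumes a workspace `azurerm_log_analytics_workspace.sec` (hypothetical name) that already receives Key Vault `AuditEvent` logs through diagnostic settings (LT-3).

```hcl
# Added example: Sentinel analytics rule with entity mapping and severity (IR-3).
# Assumed (not from the page): azurerm_log_analytics_workspace.sec receives
# Key Vault AuditEvent records into the AzureDiagnostics table.

resource "azurerm_sentinel_log_analytics_workspace_onboarding" "sec" {
  workspace_id = azurerm_log_analytics_workspace.sec.id
}

# Raise one incident when a single caller IP accumulates many denied secret reads
# in a 10-minute window; isolated denials are normal noise and stay out of the queue.
resource "azurerm_sentinel_alert_rule_scheduled" "kv_denied_reads" {
  name                       = "kv-repeated-denied-secret-reads"
  log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.sec.workspace_id
  display_name               = "Key Vault: repeated denied secret reads from one IP"
  description                = "More than 20 non-success SecretGet/SecretList calls from one IP within 10 minutes."
  severity                   = "Medium"
  enabled                    = true
  tactics                    = ["CredentialAccess"]

  query_frequency   = "PT1H"           # evaluate hourly
  query_period      = "PT1H"           # over the last hour of data
  trigger_operator  = "GreaterThan"
  trigger_threshold = 0                # any returned row raises an alert

  query = <<-KQL
    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
    | where OperationName in ("SecretGet", "SecretList")
    | where ResultType != "Success"
    | summarize Denied = count(), Vaults = dcount(Resource)
        by CallerIPAddress, bin(TimeGenerated, 10m)
    | where Denied > 20
  KQL

  # Map the IP column onto a Sentinel entity so incidents link to the same address
  entity_mapping {
    entity_type = "IP"
    field_mapping {
      identifier  = "Address"
      column_name = "CallerIPAddress"
    }
  }
}
```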

PV Posture and Vulnerability Management

Security Principle: Know your security posture at all times. Define baselines, enforce them with policy, scan continuously for vulnerabilities, and remediate rapidly. Combine CSPM, vulnerability assessment, and regular red team testing for comprehensive coverage.

| ID | Control | Design Pattern |
|---|---|---|
| PV-1 | Secure Configurations | Azure Policy initiative aligned to MCSB; Defender for Cloud secure score |
| PV-2 | Audit & Enforce | Azure Policy compliance dashboard; auto-remediation for critical findings |
| PV-5 | Vulnerability Assessment | Defender for Cloud VA; Qualys integration; container image scanning |
| PV-6 | Auto-Remediate | Defender workflow automation; Azure Update Manager for patching |
| PV-7 | Red Team Operations | Regular pentesting per Microsoft rules of engagement; test cloud attack paths |

ES Endpoint Security

Security Principle: Every VM and server in your cloud environment needs EDR and anti-malware. Deploy MDE via auto-provisioning, keep signatures current, and monitor endpoint health centrally.

| ID | Control | Design Pattern |
|---|---|---|
| ES-1 | EDR | Defender for Endpoint on all servers; auto-provisioned via Defender for Cloud |
| ES-2 | Anti-Malware | Microsoft Antimalware or MDE real-time protection on all Windows/Linux VMs |
| ES-3 | Signature Updates | Automated signature and platform updates; Defender for Cloud health monitoring |

BR Backup and Recovery

Security Principle: Backups are your last line of defense against ransomware and data destruction. Automate backups, protect them with immutability, test restores regularly, and ensure recovery meets your RPO/RTO commitments.

| ID | Control | Design Pattern |
|---|---|---|
| BR-1 | Automated Backups | Azure Backup or native backup with defined retention and schedules |
| BR-2 | Protect Backup Data | Immutable vaults, soft delete, RBAC on backup stores, MUA |
| BR-3 | Monitor Backups | Backup Center dashboard; Azure Monitor alerts for backup failures |
| BR-4 | Test Recovery | Quarterly restore drills; validate RTO/RPO; document results |
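
BR-1 and BR-2 map onto a Recovery Services vault with soft delete and immutability plus a retention-bearing policy. The block below is an added example, not one of the page's patterns; it assumes a resource group `azurerm_resource_group.backup` and a VM `azurerm_linux_virtual_machine.app` (both hypothetical names), and leaves multi-user authorization and the BR-4 restore drills to operational procedure.

```hcl
# Added example: hardened Recovery Services vault and daily VM backup (BR-1, BR-2).
# Assumed (not from the page): azurerm_resource_group.backup, azurerm_linux_virtual_machine.app.

resource "azurerm_recovery_services_vault" "main" {
  name                = "rsv-prod-001"
  location            = azurerm_resource_group.backup.location
  resource_group_name = azurerm_resource_group.backup.name
  sku                 = "Standard"
  storage_mode_type   = "GeoRedundant"    # backups survive a regional outage

  soft_delete_enabled = true              # deleted recovery points are retained for 14 days
  # Start Unlocked so the setting can be validated; switch to "Locked" once the
  # retention design is final, since Locked cannot be reverted.
  immutability        = "Unlocked"

  identity {
    type = "SystemAssigned"               # lets the vault use a CMK later if required
  }
}

# BR-1: daily backup with 30 days / 12 weeks / 12 months of restore points
resource "azurerm_backup_policy_vm" "daily" {
  name                = "bkpol-vm-daily"
  resource_group_name = azurerm_resource_group.backup.name
  recovery_vault_name = azurerm_recovery_services_vault.main.name
  timezone            = "UTC"

  backup {
    frequency = "Daily"
    time      = "23:00"
  }

  retention_daily {
    count = 30
  }

  retention_weekly {
    count    = 12
    weekdays = ["Sunday"]
  }

  retention_monthly {
    count    = 12
    weekdays = ["Sunday"]
    weeks    = ["First"]
  }
}

# Enrol the workload VM under the policy
resource "azurerm_backup_protected_vm" "app" {
  resource_group_name = azurerm_resource_group.backup.name
  recovery_vault_name = azurerm_recovery_services_vault.main.name
  source_vm_id        = azurerm_linux_virtual_machine.app.id
  backup_policy_id    = azurerm_backup_policy_vm.daily.id
}
```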

DS DevOps Security

Security Principle: Security at the speed of DevOps. Embed threat modeling, SAST, DAST, dependency scanning, and secrets detection into your pipelines. Harden build infrastructure. Sign artifacts and verify the supply chain.

| ID | Control | Design Pattern |
|---|---|---|
| DS-1 | Threat Modeling | STRIDE per sprint; Threagile in CI/CD; architecture review gates |
| DS-2 | Supply Chain Security | Dependabot/Renovate; pin versions; verify signatures; SBOM generation |
| DS-3 | Secure Infrastructure | Ephemeral build agents; limited service connections; environment separation |
| DS-4 | SAST in Pipeline | Semgrep/CodeQL on every PR; quality gates block merges on Critical/High |
| DS-5 | DAST in Pipeline | ZAP/Burp scans against staging in release pipeline |
| DS-6 | Workload Security | Signed commits; branch protection; approval gates; deploy from trusted pipelines only |
| DS-7 | Pipeline Monitoring | Audit pipeline runs; track secret access; alert on anomalous deployments |

GS Governance and Strategy

Security Principle: Security doesn't happen by accident. Define roles, document strategy, set policies, and align the organization. Governance is the glue that makes all other domains work together consistently across teams and time.

| ID | Control | Design Pattern |
|---|---|---|
| GS-1 | Roles & Responsibilities | RACI matrix for cloud security functions; all roles staffed and accountable |
| GS-2 | Segmentation Strategy | Management group hierarchy; subscription vending; separation of duties |
| GS-3 | Data Protection Strategy | Classification taxonomy, encryption standards, data handling procedures |
| GS-4 | Network Security Strategy | Hub-spoke model, connectivity policies, firewall rules baseline |
| GS-5 | Posture Management Strategy | Defender for Cloud CSPM, remediation SLAs per severity, secure score targets |
| GS-6 | Identity Strategy | Identity governance, authentication standards, PAM policies |
| GS-7 | Logging & IR Strategy | SIEM architecture, retention requirements, detection coverage targets |
| GS-8 | Backup Strategy | RPO/RTO targets, frequency, immutability, restore testing schedule |

Architecture Review Checklist

Use This in Design Reviews

Walk through this checklist for every Azure service in your architecture. For each control, document: Is it supported? Is it on by default? Who's responsible? What's the Terraform config?

Foundation

  • ☐ VNet integration or private endpoints configured
  • ☐ Public access disabled or restricted to known IPs
  • ☐ NSGs applied to all subnets with deny-all default
  • ☐ WAF in front of all web-facing services
  • ☐ Entra ID as sole authentication provider
  • ☐ Local auth / SAS keys disabled where possible
  • ☐ Managed identities for all service-to-service comms
  • ☐ MFA enforced for all human identities
  • ☐ PIM configured for all privileged roles
  • ☐ Customer Lockbox enabled

Data & Assets

  • ☐ Data classification applied to all data stores
  • ☐ TLS 1.2+ enforced on all connections
  • ☐ Encryption at rest verified (PMK minimum)
  • ☐ CMK configured for regulated workloads
  • ☐ Key Vault with purge protection for all secrets
  • ☐ Certificates in Key Vault with auto-rotation
  • ☐ Resource tagging policy enforced
  • ☐ Allowed service types restricted via Azure Policy

Operations

  • ☐ Defender enabled for all applicable services
  • ☐ Diagnostic settings enabled → Log Analytics
  • ☐ Sentinel connected with analytics rules active
  • ☐ IR playbooks created for each service
  • ☐ Automated containment playbooks deployed
  • ☐ Vulnerability assessment scans scheduled
  • ☐ Azure Policy compliance reviewed weekly
  • ☐ EDR deployed on all VMs and servers

Resilience & DevOps

  • ☐ Azure Backup configured with defined retention
  • ☐ Immutable backup vaults enabled
  • ☐ Restore drills scheduled quarterly
  • ☐ SAST integrated in CI/CD pipelines
  • ☐ Dependency scanning active (Dependabot/Renovate)
  • ☐ Signed commits and branch protection enforced
  • ☐ Security roles and RACI documented
  • ☐ Posture management SLAs defined