Auditing in Microsoft Azure
With Microsoft’s rebranding, we enter a complex phase of understanding cloud services, focusing on Microsoft Entra, formerly Azure Active Directory. This section will look into Entra’s architectural elements and some of the other Microsoft Azure tools, which are essential tools for auditors to assess the security measures within a Microsoft cloud environment.
Auditing tools in Microsoft Azure
Microsoft recently updated some of their product names and combined some tools. The recent name change of Azure Active Directory to Microsoft Entra ID is a great example of why auditors must always stay updated on any changes to major IT providers. Let’s take a look at some of the tools available to the auditor in Microsoft Azure:
- Azure Policy: This tool allows auditors to create, assign, and manage policies that enforce rules and effects for resources. It helps ensure resources stay compliant with corporate standards and SLAs.
- Microsoft Defender for Cloud: This provides unified security management and advanced threat protection across hybrid cloud workloads. Auditors can use this tool to get a centralized view of the security state of all Azure resources.
- Azure Monitor: This collects, analyzes, and acts on telemetry data from Azure and on-premises environments. It helps auditors track the performance and health of resources through a comprehensive view.
- Azure Resource Graph: This enables the exploration of Azure resources across subscriptions for effective inventory management. This is essential for auditors to query and discover all Azure resources.
- Azure Log Analytics: Part of Azure Monitor, it helps auditors collect and analyze data generated by resources in Azure. This tool can query logs and create custom dashboards for auditing purposes.
- Azure Blueprints: This provides templates for setting up governed subscriptions, allowing auditors to track and manage policies and security requirements effectively. (Note that Microsoft has planned to deprecate this tool in 2026.)
Now that we have explored the different auditing tools available in Microsoft Azure, it’s important to consider how the overarching security architecture supports these tools. In the next section, we will begin building up our understanding of how this architecture is vital for shaping robust audit strategies, ensuring that our assessments are thorough and well aligned with the security mechanisms Azure employs.
Security architecture’s impact on auditing
While names change, the concept of a defense-in-depth strategy does not. Auditors should still focus on the following:
- Network security groups (NSGs) and application security groups (ASGs): Their usage in micro-segmentation and network traffic protection needs careful examination
- Identity and access management (IAM): It is necessary to enforce the least privilege across Microsoft Entra’s services
- Data protection: Encryption practices, both at rest and in transit, and key management must be rigorously audited to ensure compliance with security standards
Microsoft Entra’s architecture is engineered for robust security, with various components and services to prevent, detect, and respond to threats. For security auditors, adopting the updated terminology and understanding any new features or changes in service offerings is a fine example of why auditing remains dynamic. By keeping up with tool changes and updates, auditors can ensure they effectively evaluate the security architecture’s strengths and weaknesses within the modernized Microsoft cloud.
Azure security tools and features
Microsoft Azure provides a suite of built-in tools and features designed to enhance the security posture of your cloud environment. As an auditor, you must be familiar with these tools and proficient in leveraging them to conduct thorough and effective security audits.
Microsoft Defender for Cloud
Microsoft Defender for Cloud offers a unified security management system that strengthens the security posture of your data centers and provides advanced threat protection across your Azure and hybrid workloads. As an auditor, you should do the following:
- Assess security scores: Review the secure score to identify the current security situation and track improvements
- Analyze recommendations: Scrutinize the security recommendations for mitigating potential vulnerabilities
- Audit policy compliance: Evaluate compliance against industry standards and regulations facilitated by Azure’s Policy Compliance feature
In 2021, Microsoft rebranded Azure Defender and combined the solutions into Microsoft Defender for Cloud, which includes the ability to do the following:
- Threat protection: Monitor resources for suspicious activities across Azure, hybrid, and on-premises environments
- Security alerts: Utilize the alerts to investigate threats using integrated analysis and understand the action needed
- Vulnerability scans: To identify potential weaknesses, execute vulnerability scans on your virtual machines, SQL databases, and container images
Microsoft Sentinel
Microsoft Sentinel is a scalable, cloud-native SIEM and SOAR solution. For auditing purposes, it is essential to do the following:
- Analyze logs: Collect data at scale from all users, devices, applications, and infrastructure, both from Azure and on-premises networks
- Detect threats: Utilize built-in analytics to detect unusual behaviors and potential threats
- Investigate incidents: Dig into incidents with powerful search and query tools to determine the scope and impact
Azure Key Vault
Handling cryptographic keys and other sensitive information is critical, and Azure Key Vault enables the following:
- Secrets management: Audit the use of secrets, keys, and certificates
- Access policies: Verify that access policies enforce least privilege access to secrets and keys
- Logging and monitoring: Review logs for unauthorized access attempts or other anomalies
Azure Policy and Blueprints
Maintaining governance and compliance is a top priority, and with Azure Policy and Blueprints, auditors can do the following:
- Assess assignments: Confirm that Azure policies are correctly assigned and enforced across resources
- Review compliance data: Regularly review the compliance data provided by Azure Policy for non-compliant resources
- Audit Blueprints: Ensure Azure Blueprints are properly applied to maintain consistency and compliance in resource setups
Azure Monitor
Azure Monitor is a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments, which aids in the following:
- Activity logging: Examine activity logs for a timeline of changes or attempted changes in Azure resources
- Performance metrics: Monitor performance metrics to ensure that resources operate within the expected thresholds and identify any anomalies that could indicate security issues
- Alert Management: Configure alerts to notify you of critical conditions that could imply security breaches or configuration issues
Note
The alerts provided by Azure Network Watcher are different from the alerts managed by Alert Management.
Azure Network Watcher
Network security is essential in Azure, and Azure Network Watcher provides tools to monitor, diagnose, and gain insights into network performance and health. Auditors should make it a point to review the following items:
- Flow logs: Review NSG flow logs to understand the traffic flow to and from Azure virtual networks
- Topology: The topology feature’s ability to visualize network resources and their interconnections is crucial for identifying potential security gaps
- Connection monitor: Check the monitor for network performance and connectivity issues affecting security
Microsoft Entra ID (formerly Azure Active Directory)
Microsoft Entra ID tools remain a major component in managing user identities and access. As an auditor, you need to do the following:
- Sign-in logs: Inspect sign-in logs to audit successful and failed authentication attempts, which can help identify potential breach attempts
- Conditional access policies: Examine conditional access policies to ensure they are correctly configured to secure resources based on user, location, device, and application
- Identity secure score: Use the identity secure score to assess the organization’s identity configuration’s effectiveness against a baseline established by Microsoft
Now that we have the foundation of some of the items we would check during an Azure-based audit, we can see what a “day in the life” would look like for an auditor.
Case Study – auditing in an Azure environment
Let’s learn the background of the case study. LittleCricket Inc. has recently migrated its infrastructure to Microsoft Azure. The company wants to ensure that its cloud environment is secure and compliant with industry standards. As part of its audit process, LittleCricket Inc. needs to review its Azure governance, compliance, and security controls.
Audit objective
The primary objective is to assess the effectiveness of LittleCricket Inc.’s governance, compliance, and security controls in its Azure environment. The audit will focus on verifying role assignments, compliance with ISO/IEC 27017:2015, and the implementation of security controls such as NSGs, firewalls, and data encryption.
Audit steps
To ensure a comprehensive assessment, the audit steps are divided into governance and compliance.
Governance
Governance involves reviewing role assignments and ensuring that policies are in place to minimize excessive privileges and maintain security:
- Review role assignments in Microsoft Entra ID: Use the Get-AzureADDirectoryRole command to list roles and verify their appropriateness. This involves using specific actions and criteria to ensure roles are properly assigned and managed.
- Action: Use the following commands to list roles and verify their appropriateness:
  - Gather a list of all directory roles with template IDs:
    Get-MgRoleManagementDirectoryRoleDefinition
  - Gather a specific directory role by ID and keep it in a variable for the next query:
    $role = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId d8e7e233-3e74-41b7-8f55-421ad6cce15a
  - Find membership by role:
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
- Verify: Ensure roles are appropriately assigned and scoped to minimize excessive privileges.
- Example output (role and description added for clarity):
  PrincipalID                           Role                   Description
  d8e7e233-3e74-41b7-8f55-421ad6cce15a  Company Administrator  Full access to manage the company
  7f54e8ec-b8d1-4c0f-b731-67275a6e3c29  User Administrator     Manage user accounts and groups
  3c04c5c7-2e6f-4d65-8e3a-87b7ad9e5dbf  Security Reader        View security-related information
  5d6f5678-9e7d-44c5-8d3c-4a5dbe8e9d0a  Billing Administrator  Manage billing and subscription invoices
Table 5.1 – Example Output - Management Directory Role Assignment Filter
- Appropriateness criteria: The appropriateness criteria involve several specific checks to ensure roles are properly assigned and managed:
- Role purpose: Each role should have a clear and necessary purpose aligned with job responsibilities
- Scope: Ensure that the roles do not have broader permissions than necessary
- Least privilege: Verify that roles adhere to the principle of least privilege, meaning users have the minimum level of access necessary to perform their job functions
- Documentation: Ensure that each role is documented with a description of its purpose and the responsibilities of its members
- Documentation: Document findings and ensure that role assignments adhere to the principle of least privilege.
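The role-assignment review above can be turned into a repeatable evidence-collection script. The following is an added example, not the chapter’s own code; it uses the same Microsoft Graph PowerShell SDK cmdlets as the commands above, and the list of roles treated as highly privileged, the read-only Graph scopes, and the output file name are assumptions to adjust to the audit scope.

```powershell
# Added example: report every Entra ID directory role assignment, resolve the
# principal behind it, and flag highly privileged roles for least-privilege review.
# Assumes the Microsoft.Graph SDK is installed and the auditor holds read-only
# RoleManagement.Read.Directory and Directory.Read.All permissions.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Roles this audit treats as highly privileged (assumption: tune to the engagement).
$privilegedRoles = @(
    'Global Administrator',          # shown as "Company Administrator" in older tooling
    'Privileged Role Administrator',
    'User Administrator',
    'Security Administrator'
)

# Index role definitions by ID so each assignment can be resolved to a role name.
$roleById = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleById[$_.Id] = $_ }

$report = foreach ($assignment in Get-MgRoleManagementDirectoryRoleAssignment -All) {
    $role = $roleById[$assignment.RoleDefinitionId]
    # The principal may be a user, group or service principal; resolve name and type.
    $principal = Get-MgDirectoryObject -DirectoryObjectId $assignment.PrincipalId
    [pscustomobject]@{
        PrincipalId   = $assignment.PrincipalId
        PrincipalName = $principal.AdditionalProperties['displayName']
        PrincipalType = $principal.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        Role          = $role.DisplayName
        # '/' is tenant-wide scope; anything else is an administrative unit or app scope.
        Scope         = $assignment.DirectoryScopeId
        Privileged    = $privilegedRoles -contains $role.DisplayName
    }
}

# Findings for the appropriateness criteria: privileged roles, with scope and principal
# type shown so the reviewer can judge purpose, scope and least privilege per assignment.
$findings = $report | Where-Object { $_.Privileged }
$report   | Sort-Object Role, PrincipalName | Format-Table -AutoSize
$findings | Export-Csv -Path '.\entra-privileged-role-findings.csv' -NoTypeInformation
"{0} assignments reviewed, {1} privileged assignments flagged for follow-up" -f $report.Count, $findings.Count
```

Group and service-principal rows in the privileged set deserve particular attention, since group membership changes silently widen who holds the role.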
Compliance
Compliance with standards such as ISO/IEC 27017:2015 ensures that cloud-specific security controls are in place and effective:
- ISO/IEC 27017:2015 compliance: Use Azure Compliance Manager to assess adherence to ISO/IEC 27017:2015 by following these specific steps:
- Action: Navigate through Azure Compliance Manager to assess adherence to ISO/IEC 27017:2015 using the following steps:
  - Log in to the Azure portal and go to Azure Compliance Manager.
  - Select the ISO/IEC 27017:2015 compliance framework from the list of available frameworks.
  - Review the control assessments provided by Azure Compliance Manager for ISO/IEC 27017:2015.
  - Conduct a gap analysis by comparing your current cloud security practices against the compliance requirements outlined in the framework.
  - Document any deficiencies or gaps identified during the assessment and create a remediation plan to address these issues.
- Key controls: Ensuring compliance involves focusing on several key controls to meet ISO/IEC 27017:2015 standards:
  - Shared responsibilities: Ensure responsibilities between the cloud provider and LittleCricket Inc. are clearly defined.
    Example: Confirm that both Microsoft Azure and LittleCricket Inc. understand their roles in data protection and incident response.
  - Asset management: Confirm that all assets are identified and managed according to their risk profile.
    Example: Use Azure Resource Graph to query and discover all Azure resources across subscriptions and management groups. Utilize Azure Policy to enforce organizational standards and assess compliance at scale.
  - Access control: Verify that strict access controls are in place to prevent unauthorized access.
    Example: Check that multi-factor authentication (MFA) is enabled for all administrative accounts within LittleCricket Inc.’s Azure environment.
  - Data protection: Ensure data is encrypted at rest and in transit.
    Example: Verify that encryption settings are enabled for Azure Storage and Azure SQL databases used by LittleCricket Inc.
  - Monitoring and logging: Maintain comprehensive logs of all activities and regularly review them for suspicious activity.
    Example: Use Azure Monitor and Azure Log Analytics to review logs for any unusual login attempts or access patterns within LittleCricket Inc.’s cloud infrastructure.
- Documentation: Record compliance status and any gaps identified during the assessment for LittleCricket Inc.
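The data-protection control above (encryption settings on Azure Storage and Azure SQL) can be evidenced with the Az PowerShell module. This is an added example, not part of the chapter; it assumes Reader access to the subscription, uses a placeholder subscription ID, and treats the customer-managed-key check as an observation to report only where LittleCricket Inc.’s policy requires CMK.

```powershell
# Added example: collect evidence for the "data protection" key control by checking
# the encryption-related settings an operator can weaken on Storage and SQL.
# Assumes the Az module is installed and the auditor has Reader on the subscription.
Connect-AzAccount | Out-Null
Set-AzContext -Subscription '<subscription-id>' | Out-Null     # placeholder, not a real ID

$findings = [System.Collections.Generic.List[object]]::new()

# Storage at rest is always service-encrypted; the audit checks transport security,
# the minimum TLS version, and whether keys are platform- or customer-managed.
foreach ($sa in Get-AzStorageAccount) {
    $issues = @()
    if (-not $sa.EnableHttpsTrafficOnly)                     { $issues += 'HTTPS-only traffic disabled' }
    if ($sa.MinimumTlsVersion -notin @('TLS1_2', 'TLS1_3'))   { $issues += "Minimum TLS is '$($sa.MinimumTlsVersion)'" }
    if ($sa.Encryption.KeySource -ne 'Microsoft.Keyvault')   { $issues += 'Platform-managed keys (observation if policy requires CMK)' }
    if ($issues) {
        $findings.Add([pscustomobject]@{
            Resource = $sa.StorageAccountName; Type = 'Storage'; Issue = ($issues -join '; ')
        })
    }
}

# SQL: Transparent Data Encryption (TDE) must be enabled on every user database.
foreach ($server in Get-AzSqlServer) {
    $dbs = Get-AzSqlDatabase -ResourceGroupName $server.ResourceGroupName -ServerName $server.ServerName |
        Where-Object DatabaseName -ne 'master'
    foreach ($db in $dbs) {
        $tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $server.ResourceGroupName `
            -ServerName $server.ServerName -DatabaseName $db.DatabaseName
        if ($tde.State -ne 'Enabled') {
            $findings.Add([pscustomobject]@{
                Resource = "$($server.ServerName)/$($db.DatabaseName)"; Type = 'SQL'; Issue = 'TDE disabled'
            })
        }
    }
}

# Review on screen and keep a CSV as audit evidence for the documentation step.
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path '.\data-protection-findings.csv' -NoTypeInformation
```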
Auditors can conduct a thorough and effective audit of Microsoft Azure environments, ensuring they meet organizational and regulatory requirements, by following an approach similar to the one we just reviewed with LittleCricket Inc. This approach balances high-level understanding with actionable audit steps and integrates detailed compliance checks against a framework such as ISO/IEC 27017:2015.
You can find a full list of regulations available in the Microsoft Azure Compliance Manager here: https://learn.microsoft.com/en-us/purview/compliance-manager-regulations-list.