Microsoft Azure
      Back to home
      1. Knowledge Base
      2. Cloud Scanning (CSPM)
      3. Microsoft Azure

      What cloud services are supported for Azure?

      Holm Security Cloud Scanner can verify security best practices and security misconfigurations that contribute to the most common causes of security breaches within a vast list of Azure services.

      There is also a set of plugins highlighting unused or misused services that could help save monthly Azure costs. Read more about these plugins in this article:

      https://support.holmsecurity.com/hc/en-us/articles/7478410504476

      Supported services

      Here's the list of services that we currently support:

      • Active Directory
      • Advisor
      • App Service
      • Application Gateway
      • Azure Policy
      • Bastion
      • Blob Service
      • CDN Profiles
      • Container Registry
      • Cosmos DB
      • Defender
      • Event Grid
      • Event Hubs
      • File Service
      • Front Door
      • Key Vaults
      • Key vaults
      • Kubernetes Service
      • Load Balancer
      • Log Alerts
      • Monitor
      • MySQL Server
      • Network Security Groups
      • Network Watcher
      • PostgreSQL Server
      • Queue Service
      • Recovery Service Vault
      • Redis Cache
      • Resource Group
      • Resources
      • SQL Databases
      • SQL Server
      • Security Center
      • Storage Accounts
      • Subscription
      • Table Service
      • Virtual Machines
      • Virtual Networks

      Supported policies

      Across the services, the following policies are scanned for: 

      • Active Directory - Allow Only Administrators to Create Security Groups
      • Active Directory - Azure AD App Organisational Directory Access
      • Active Directory - Enable Multi-Factor Authentication for Non-Privileged Users
      • Active Directory - Enable Multi-Factor Authentication for Privileged Users
      • Active Directory - Enforce multi-factor authentication for B2B guest users
      • Active Directory - Ensure No Guest User
      • Active Directory - Ensure that legacy authentication methods policies are not supported
      • Active Directory - Ensure trust location based on IP Policies are used
      • Active Directory - Follow AD Recommendations
      • Active Directory - Limit Guest User Permissions
      • Active Directory - MFA Enabled for all users
      • Active Directory - Minimum Password Length
      • Active Directory - No Custom Owner Roles
      • Active Directory - Password Requires Lowercase
      • Active Directory - Password Requires Numbers
      • Active Directory - Password Requires Symbols
      • Active Directory - Password Requires Uppercase
      • Active Directory - Restrict Application Registration for Non-Privileged Users
      • Active Directory - Restrict Guest User Invitations
      • Active Directory - Restrict Invitations to Administrators Only
      • Active Directory - Restrict Office 365 Group Creation to Administrators Only
      • Advisor - Active Advisor Recommendations
      • App Service - .NET Framework Version
      • App Service - App Service Access Restriction
      • App Service - App Service Certificates Expiry
      • App Service - App Service SCM Site Access Restriction
      • App Service - Authentication Enabled
      • App Service - Azure Keyvault is used to store secretes
      • App Service - Client Certificates Enabled
      • App Service - Disable FTP Deployments
      • App Service - FTPS Only Access Enabled
      • App Service - HTTP 2.0 Enabled
      • App Service - HTTPS Only Enabled
      • App Service - Identity Enabled
      • App Service - Java Version
      • App Service - PHP Version
      • App Service - Python Version
      • App Service - TLS Version Check
      • App Service - Web Apps Active Directory Enabled
      • App Service - Web Apps Always On Enabled
      • App Service - Web Apps Backup Enabled
      • App Service - Web Apps Backup Retention Period
      • App Service - Web Apps Insights Enabled
      • App Service - Web Apps Remote Debugging Disabled
      • Application Gateway - Application Gateway WAF Enabled
      • Application Gateway - Application Gateway WAF Prevention Mode Enabled
      • Application Gateway - WAF Policy Has Tags
      • Azure Policy - Resource Location Matches Resource Group
      • Azure Policy - Resources Allowed Locations
      • Bastion - Azure Bastion Host Exists
      • Blob Service - Blob Container Private Access
      • Blob Service - Blob Service Immutable
      • CDN Profiles - Detect Insecure Custom Origin
      • CDN Profiles - Endpoint Logging Enabled
      • Container Registry - ACR Admin User
      • Container Registry - ACR Anonymous Pull Access Enabled
      • Container Registry - ACR CMK Encryption
      • Container Registry - ACR Has Tags
      • Container Registry - ACR Log Analytics Enabled
      • Container Registry - ACR Public Access
      • Cosmos DB - Advanced Threat Protection Enabled
      • Cosmos DB - Automatic Failover Enabled
      • Cosmos DB - Cosmos DB Has Tags
      • Cosmos DB - Cosmos DB Public Access Disabled
      • Defender - Admin Security Alerts Enabled
      • Defender - All Parameters for Microsoft Defender for Cloud Default Policy Enabled
      • Defender - Application Whitelisting Enabled
      • Defender - Auto Provisioning Enabled
      • Defender - Enable Defender Endpoint Integration
      • Defender - Enable Defender For Containers
      • Defender - Enable Defender For DNS
      • Defender - Enable Defender For Key Vaults
      • Defender - Enable Defender For SQL Servers
      • Defender - Enable Defender For Storage
      • Defender - Enable Defender for App Services
      • Defender - Enable Defender for SQL Server Virtual Machines
      • Defender - High Severity Alerts Enabled
      • Defender - Monitor Adaptive Application Safe listing
      • Defender - Monitor Blob Encryption
      • Defender - Monitor Disk Encryption
      • Defender - Monitor Endpoint Protection
      • Defender - Monitor External Accounts with Write Permissions
      • Defender - Monitor IP Forwarding
      • Defender - Monitor JIT Network Access
      • Defender - Monitor NSG Enabled
      • Defender - Monitor Next Generation Firewall
      • Defender - Monitor SQL Auditing
      • Defender - Monitor SQL Encryption
      • Defender - Monitor System Updates
      • Defender - Monitor Total Number of Subscription Owners
      • Defender - Monitor VM Vulnerability
      • Defender - Security Configuration Monitoring
      • Defender - Security Contacts Enabled
      • Defender - Standard Pricing Enabled
      • Defender - Web Application Firewall Monitoring Enabled
      • Event Grid - Event Grid Domain Public Access
      • Event Hubs - Event Hubs Minimum TLS Version
      • File Service - File Service All Access ACL
      • Front Door - Front Door Access Logs Enabled
      • Front Door - Front Door Minimum TLS Version
      • Key Vaults - Allowed Certificates Key Types
      • Key Vaults - App Tier CMK In Use
      • Key Vaults - Database Tier CMK In Use
      • Key Vaults - Enable Certificate Transparency
      • Key Vaults - Key Expiration Enabled
      • Key Vaults - Key Vault Has Tags
      • Key Vaults - Key Vault In Use
      • Key Vaults - Key Vault Key Expiry
      • Key Vaults - Key Vault Recovery Enabled
      • Key Vaults - Key Vault Restrict Default Network Access
      • Key Vaults - Key Vault Secret Expiry
      • Key Vaults - KeyVault Trusted Services Enabled
      • Key Vaults - Manage Key Access and Permissions
      • Key Vaults - RSA Certificate Allowed Key Size
      • Key Vaults - SSL Certificate Auto Renewal
      • Key Vaults - Secret Expiration Enabled
      • Key vaults - Enable Audit Event Logging for Azure Key Vaults
      • Kubernetes Service - AKS Cluster Has Tags
      • Kubernetes Service - AKS Cluster Private
      • Kubernetes Service - AKS Encryption At Rest with BYOK
      • Kubernetes Service - Kubernetes Latest Version
      • Kubernetes Service - Kubernetes RBAC Enabled
      • Kubernetes Service - Kubernetes Version For Agent Pools
      • Load Balancer - Application Gateway Has Tags
      • Load Balancer - LB HTTPS Only
      • Load Balancer - LB No Instances
      • Load Balancer - Load Balancer Has Tags
      • Log Alerts - Key Vault Logging Enabled
      • Log Alerts - Load Balancers Logging Enabled
      • Log Alerts - Network Security Groups Logging Enabled
      • Log Alerts - Network Security Groups Rule Logging Enabled
      • Log Alerts - Policy Assignment Alerts Enabled
      • Log Alerts - PostgreSQL Server Database Logging Enabled
      • Log Alerts - Public Ip Address Logging Enabled
      • Log Alerts - SQL Server Database Logging Enabled
      • Log Alerts - SQL Server Database Rename Alert Enabled
      • Log Alerts - SQL Server Firewall Rule Alerts Monitor
      • Log Alerts - Security Policy Alerts Enabled
      • Log Alerts - Security Solution Logging
      • Log Alerts - Storage Account Logging Enabled
      • Log Alerts - Virtual Machine Deallocate Alert Enabled
      • Log Alerts - Virtual Machine Logging Enabled
      • Log Alerts - Virtual Machine Power Off Alert Enabled
      • Log Alerts - Virtual Network Alerts Monitor
      • Monitor - Azure Monitor Logs Enabled
      • Monitor - Diagnostics Captured Categories
      • Monitor - Diagnostics Settings Enabled
      • Monitor - Key Vault Log Analytics Enabled
      • Monitor - Load Balancer Log Analytics Enabled
      • Monitor - Log Profile Archive Data
      • Monitor - Log Profile Retention Policy
      • Monitor - NSG Log Analytics Enabled
      • MySQL Server - Enforce MySQL SSL Connection
      • MySQL Server - MySQL Flexible Server Minimum TLS Version
      • MySQL Server - MySQL Server Has Tags
      • Network Security Groups - Check for Unrestricted ICMP Access
      • Network Security Groups - Default Security Group
      • Network Security Groups - Excessive Security Groups
      • Network Security Groups - Network Watcher Enabled
      • Network Security Groups - Open All Ports
      • Network Security Groups - Open CIFS
      • Network Security Groups - Open Cassandra Client
      • Network Security Groups - Open Cassandra Internode
      • Network Security Groups - Open Cassandra Monitoring
      • Network Security Groups - Open Cassandra Thrift
      • Network Security Groups - Open DNS
      • Network Security Groups - Open Docker
      • Network Security Groups - Open Elasticsearch
      • Network Security Groups - Open FTP
      • Network Security Groups - Open HTTP
      • Network Security Groups - Open HTTPS
      • Network Security Groups - Open Hadoop HDFS NameNode Metadata Service
      • Network Security Groups - Open Hadoop HDFS NameNode WebUI
      • Network Security Groups - Open Internal Web
      • Network Security Groups - Open Kibana
      • Network Security Groups - Open LDAP
      • Network Security Groups - Open LDAPS
      • Network Security Groups - Open Memcached
      • Network Security Groups - Open MongoDB
      • Network Security Groups - Open MySQL
      • Network Security Groups - Open NetBIOS
      • Network Security Groups - Open Oracle
      • Network Security Groups - Open Oracle Auto Data Warehouse
      • Network Security Groups - Open PostgreSQL
      • Network Security Groups - Open RDP
      • Network Security Groups - Open RPC
      • Network Security Groups - Open Redis
      • Network Security Groups - Open SMBoTCP
      • Network Security Groups - Open SMTP
      • Network Security Groups - Open SNMP
      • Network Security Groups - Open SQLServer
      • Network Security Groups - Open SSH
      • Network Security Groups - Open Salt
      • Network Security Groups - Open Telnet
      • Network Security Groups - Open UDP Ports
      • Network Security Groups - Open VNC Client
      • Network Security Groups - Open VNC Server
      • Network Security Groups - Review Network Interfaces with IP Forwarding Enabled
      • Network Watcher - NSG Flow Logs Retention Period
      • PostgreSQL Server - Azure Active Directory Admin Configured
      • PostgreSQL Server - Connection Throttling Enabled
      • PostgreSQL Server - Enable Geo-Redundant Backups
      • PostgreSQL Server - Enforce PostgreSQL SSL Connection
      • PostgreSQL Server - Log Checkpoints Enabled
      • PostgreSQL Server - Log Connections Enabled
      • PostgreSQL Server - Log Disconnections Enabled
      • PostgreSQL Server - Log Duration Enabled
      • PostgreSQL Server - Log Retention Period
      • PostgreSQL Server - PostgreSQL Infrastructure Double Encryption
      • PostgreSQL Server - PostgreSQL Server Has Tags
      • PostgreSQL Server - PostgreSQL Server Services Access Disabled
      • PostgreSQL Server - Storage Auto-Growth Enabled
      • Queue Service - Queue Service All Access ACL
      • Recovery Service Vault - Recovery Services Vault BYOK Encrypted
      • Redis Cache - Minimum TLS Version
      • Redis Cache - Redis Cache Has Tags
      • Redis Cache - SSL Access Only Enabled
      • Resource Group - Resource Group Has Tags
      • Resources - Management Lock Enabled
      • Resources - Monitor Resource SKU
      • Resources - Resources Usage Limits
      • SQL Databases - DB Restorable
      • SQL Databases - Database Auditing Enabled
      • SQL Databases - Point in Time Restore Backup Retention
      • SQL Databases - SQL DB Multiple AZ
      • SQL Server - Advanced Data Security Enabled
      • SQL Server - Audit Action Groups Enabled
      • SQL Server - Audit Retention Policy
      • SQL Server - Auto-Failover Groups Enabled
      • SQL Server - Azure Active Directory Admin Enabled
      • SQL Server - Email Account Admins Enabled
      • SQL Server - SQL Server Advanced Threat Protection Enabled
      • SQL Server - SQL Server Automatic Tuning Enabled
      • SQL Server - SQL Server Has Tags
      • SQL Server - SQL Server Minimum TLS Version
      • SQL Server - SQL Server Private Endpoints Configured
      • SQL Server - SQL Server Public Access
      • SQL Server - SQL Server Recurring Scans Enabled
      • SQL Server - SQL Server Send Scan Reports
      • SQL Server - Send Alerts Enabled
      • SQL Server - Server Auditing Enabled
      • SQL Server - Server Send Email to Admin and Owners
      • SQL Server - TDE Protector Encrypted
      • Security Center - Security Contact Additional Email
      • Security Center - Security Contact Enabled for Subscription Owner
      • Storage Accounts - Blob Service Encryption
      • Storage Accounts - Blob Storage Lifecycle Management Enabled
      • Storage Accounts - Blobs Soft Deletion Enabled
      • Storage Accounts - Disable Shared Key authorization
      • Storage Accounts - Enable Secure Transfer in Storage Accounts
      • Storage Accounts - Ensure that Logging for Azure Storage Queue Service is Enabled
      • Storage Accounts - Expire Shared Access Signature Tokens
      • Storage Accounts - File Service Encryption
      • Storage Accounts - Infrastructure Encryption Enabled
      • Storage Accounts - Limit Storage Account Access by IP Address
      • Storage Accounts - Log Container Public Access
      • Storage Accounts - Log Storage Encryption
      • Storage Accounts - Logging for Azure Storage Blob Service Enabled
      • Storage Accounts - Logging for Azure Storage Table Service Enabled
      • Storage Accounts - Network Access Default Action
      • Storage Accounts - Publicly Accessible Web Containers
      • Storage Accounts - Regenerate Storage Account Access Keys Periodically
      • Storage Accounts - Storage Account Blob Service Logging Enabled
      • Storage Accounts - Storage Account Has Tags
      • Storage Accounts - Storage Account Private Endpoints
      • Storage Accounts - Storage Account Queue Service Logging Enabled
      • Storage Accounts - Storage Account Table Service Logging Enabled
      • Storage Accounts - Storage Accounts AAD Enabled
      • Storage Accounts - Storage Accounts Encryption
      • Storage Accounts - Storage Accounts HTTPS
      • Storage Accounts - Storage Accounts Minimum TLS Version
      • Storage Accounts - Storage Accounts with Static Website Configuration
      • Storage Accounts - Sufficient Soft Deleted Data Retention Period
      • Storage Accounts - Trusted MS Access Enabled
      • Subscription - Azure Subscription Has Tags
      • Table Service - Table Service All Access ACL
      • Virtual Machines - Accelerated Networking Enabled
      • Virtual Machines - Associated Load Balancers
      • Virtual Machines - Automatic Instance Repairs Enabled
      • Virtual Machines - Automatic OS Upgrades Enabled
      • Virtual Machines - Classic Instances
      • Virtual Machines - Disk Volumes BYOK Encryption Enabled
      • Virtual Machines - Guest Level Diagnostics Enabled
      • Virtual Machines - Managed VM Machine Image
      • Virtual Machines - No Empty Scale Sets
      • Virtual Machines - No Unattached Disk Volumes
      • Virtual Machines - Old VM Disk Snapshots
      • Virtual Machines - Password Authentication Disabled
      • Virtual Machines - Premium SSD Disabled
      • Virtual Machines - Scale Set Multi Az
      • Virtual Machines - Scale Sets Autoscale Enabled
      • Virtual Machines - Scale Sets Autoscale Notifications Enabled
      • Virtual Machines - Scale Sets Health Monitoring Enabled
      • Virtual Machines - Server-Side Encryption for Non-Boot Disk using CMK
      • Virtual Machines - Server-Side Encryption for VM Boot Disk using CMK
      • Virtual Machines - Server-Side Encryption for unattached disk is using CMK
      • Virtual Machines - Snapshot Has Tags
      • Virtual Machines - Unattached Disk Volumes with Default Encryption
      • Virtual Machines - VM Active Directory (AD) Authentication Enabled
      • Virtual Machines - VM Agent Enabled
      • Virtual Machines - VM Approved Extensions
      • Virtual Machines - VM Auto Update Enabled
      • Virtual Machines - VM Auto-Shutdown Enabled
      • Virtual Machines - VM Availability Set Enabled
      • Virtual Machines - VM Availability Set Limit
      • Virtual Machines - VM Backups Enabled
      • Virtual Machines - VM Daily Backup Retention Period
      • Virtual Machines - VM Data Disk Encryption
      • Virtual Machines - VM Desired SKU Size
      • Virtual Machines - VM Disk Has Tags
      • Virtual Machines - VM Disk Snapshot BYOK Encryption Enabled
      • Virtual Machines - VM Disk Snapshot Public Access Disabled
      • Virtual Machines - VM Endpoint Protection
      • Virtual Machines - VM Image Has Tags
      • Virtual Machines - VM Instance Limit
      • Virtual Machines - VM Instance Termination Notifications for Virtual Machine Scale Sets Enabled
      • Virtual Machines - VM Instant Restore Backup Retention Period
      • Virtual Machines - VM Just-In-Time Access for Virtual Machines Enabled
      • Virtual Machines - VM Managed Disks Enabled
      • Virtual Machines - VM OS Disk Encryption
      • Virtual Machines - VM Scale Set Has Tags
      • Virtual Machines - VM System Managed Identity Enabled
      • Virtual Machines - VM System-Assigned Identity Enabled
      • Virtual Machines - Virtual Machine Boot Diagnostics Enabled
      • Virtual Machines - Virtual Machine Has Tags
      • Virtual Machines - Virtual Machine Performance Diagnostics Enabled
      • Virtual Networks - DDoS Standard Protection Enabled
      • Virtual Networks - Managed NAT Gateway In Use
      • Virtual Networks - Multiple Subnets
      • Virtual Networks - No Network Gateways Connections
      • Virtual Networks - No Network Gateways In Use
      • Virtual Networks - Route Table Has Tags
      • Virtual Networks - Virtual Network Has Tags
      • Virtual Networks - Virtual Network Peering