Azure Compliance Monitoring

Continuous Azure compliance across tenants, subscriptions and resources

Continuously assess identity, governance, networking, compute, database, storage and data protection configurations across your Microsoft Azure environment.

Microsoft Azure
Tenant · subscription · resource
245
API-auditable controls
4
CIS benchmark families
23
Azure SDK and ARM collector families
3
Assessment levels: tenant, subscription, resource

Benchmark coverage

Automated coverage across four Azure benchmark families

Foundations

89 API-auditable controls

Microsoft Entra ID, RBAC, governance, monitoring, networking, Defender and Key Vault.

Compute Services

77 API-auditable controls

App Service, Function Apps, Batch, virtual machines, managed disks and compute networking.

Database Services

32 API-auditable controls

Azure SQL, PostgreSQL, MySQL, Cosmos DB, Redis and database audit configuration.

Storage Services

47 API-auditable controls

Backup Vaults, Recovery Services, Storage Accounts, Azure Files, NetApp Files and storage encryption.

What we assess

What we assess in Azure

One Azure assessment across identity, control plane and resource configuration

Results stay tied to subscription, resource group and resource ID — not vague tenant summaries.

Microsoft Entra ID

MFA, privileged roles, identity configuration and access controls

Azure RBAC

Role assignments, custom roles and excessive privileges

Governance

Azure Policy, resource locks, subscriptions and management configuration

Logging & Monitoring

Activity Logs, diagnostic settings, alerts and retention

Network Security

NSGs, VNets, public access, private endpoints, WAF and DDoS

Compute Security

App Service, Functions, VMs, managed disks and encryption

Database Security

Authentication, auditing, TLS, private access and encryption

Storage & Backup

Public access, soft delete, immutability, CMK and recovery

Secrets & Keys

Key Vault access, private endpoints, rotation and expiry

Defender & Security

Defender plans, security contacts and security configuration

Automation coverage

What we can collect — and what we refuse to guess

Azure coverage is presented by benchmark family. Trusteed reports 245 API-auditable controls — not a padded total that mixes uncollected manual process checks.

89
Foundation checks

Identity, governance, monitoring, network and security services.

77
Compute checks

Applications, functions, virtual machines and disks.

32
Database checks

Authentication, public exposure, audit logging and encryption.

47
Storage checks

Backup, recovery, private access, retention and encryption.

Trusteed combines Azure Resource Graph, typed ARM service clients, Microsoft Graph, Azure Policy and data-plane metadata to produce resource-level assessment evidence.

Example findings

What assessments actually surface

Public Storage Exposure

7 storage accounts allow public network access.

Key Vault Network Protection Gap

5 Key Vaults do not have an approved private endpoint connection.

Subscription Logging Gap

3 subscriptions do not send all required Activity Log categories to the approved destination.

Database Public Access

11 Azure database resources allow public network connectivity.

Virtual Machine Encryption Gap

9 virtual machines do not have encryption at host enabled.

App Service Authentication Risk

6 App Service applications allow basic publishing credentials.

Example findings shown for demonstration purposes.

How it works

Connect, discover, collect, remediate

01

Connect your Azure tenant

Use a read-only service principal or managed identity with least-privilege roles.

Read-only by default
02

Discover subscriptions and resources

Azure Resource Graph creates a tenant-wide inventory across subscriptions and resource groups.

Multi-subscription inventory
03

Collect authoritative evidence

Trusteed uses Microsoft Graph, ARM APIs, Azure Policy and service-specific SDK clients.

23 collector families
04

Generate resource-level results

Every result includes subscription, resource group, resource ID, observed configuration and expected state.

PASS · FAIL · N/A · UNKNOWN

Secure by design

Least privilege. Read-only. No guessed Pass.

Read-only by default
No Microsoft passwords stored
Multi-subscription inventory
Microsoft Graph and ARM permissions separated
Azure request IDs retained
SDK and ARM API versions recorded
403, exhausted retries and incomplete responses become Unknown
Missing resources are not automatically treated as Not Applicable
0 incomplete API responses converted into a Pass

Azure collector decisions explicitly separate PASS, FAIL, NOT_APPLICABLE and UNKNOWN — permission gaps are never interpreted as PASS.

Benchmark reference

Version and coverage details

BenchmarkVersionControls
CIS Microsoft Azure Foundations Benchmarkv6.0.089
CIS Microsoft Azure Compute Services Benchmarkv2.0.077
CIS Microsoft Azure Database Services Benchmarkv2.0.032
CIS Microsoft Azure Storage Services Benchmarkv2.0.047

Source benchmark families: Azure Foundations v6.0.0, Compute Services v2.0.0, Database Services v2.0.0 and Storage Services v2.0.0.

Turn complex Azure configuration into clear, evidence-backed compliance results.

Connect your tenant and continuously assess security controls across subscriptions, services and individual resources.