Foundations
Microsoft Entra ID, RBAC, governance, monitoring, networking, Defender and Key Vault.
Azure Compliance Monitoring
Continuously assess identity, governance, networking, compute, database, storage and data protection configurations across your Microsoft Azure environment.

Benchmark coverage
Automated coverage across four Azure benchmark families
Microsoft Entra ID, RBAC, governance, monitoring, networking, Defender and Key Vault.
App Service, Function Apps, Batch, virtual machines, managed disks and compute networking.
Azure SQL, PostgreSQL, MySQL, Cosmos DB, Redis and database audit configuration.
Backup Vaults, Recovery Services, Storage Accounts, Azure Files, NetApp Files and storage encryption.
What we assess
One Azure assessment across identity, control plane and resource configuration
Results stay tied to subscription, resource group and resource ID — not vague tenant summaries.
MFA, privileged roles, identity configuration and access controls
Role assignments, custom roles and excessive privileges
Azure Policy, resource locks, subscriptions and management configuration
Activity Logs, diagnostic settings, alerts and retention
NSGs, VNets, public access, private endpoints, WAF and DDoS
App Service, Functions, VMs, managed disks and encryption
Authentication, auditing, TLS, private access and encryption
Public access, soft delete, immutability, CMK and recovery
Key Vault access, private endpoints, rotation and expiry
Defender plans, security contacts and security configuration
Automation coverage
Azure coverage is presented by benchmark family. Trusteed reports 245 API-auditable controls — not a padded total that mixes uncollected manual process checks.
Identity, governance, monitoring, network and security services.
Applications, functions, virtual machines and disks.
Authentication, public exposure, audit logging and encryption.
Backup, recovery, private access, retention and encryption.
Trusteed combines Azure Resource Graph, typed ARM service clients, Microsoft Graph, Azure Policy and data-plane metadata to produce resource-level assessment evidence.
Example findings
7 storage accounts allow public network access.
5 Key Vaults do not have an approved private endpoint connection.
3 subscriptions do not send all required Activity Log categories to the approved destination.
11 Azure database resources allow public network connectivity.
9 virtual machines do not have encryption at host enabled.
6 App Service applications allow basic publishing credentials.
Example findings shown for demonstration purposes.
How it works
Use a read-only service principal or managed identity with least-privilege roles.
Azure Resource Graph creates a tenant-wide inventory across subscriptions and resource groups.
Trusteed uses Microsoft Graph, ARM APIs, Azure Policy and service-specific SDK clients.
Every result includes subscription, resource group, resource ID, observed configuration and expected state.
Secure by design
Azure collector decisions explicitly separate PASS, FAIL, NOT_APPLICABLE and UNKNOWN — permission gaps are never interpreted as PASS.
Benchmark reference
Source benchmark families: Azure Foundations v6.0.0, Compute Services v2.0.0, Database Services v2.0.0 and Storage Services v2.0.0.
Connect your tenant and continuously assess security controls across subscriptions, services and individual resources.