Help Center
Go back to application
Help Center
Go back to application
Platform Terms GlossaryContacting Support and Reporting Bugs
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainingsGuidance
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureEnabling Auto Checks by Reconfiguring the Azure IntegrationEnabling Auto Checks by Reconfiguring the GCP IntegrationEnabling Auto Checks by Reconfiguring the AWS Integration
AWS Auto Checks Detailed Explanations
Azure Auto Checks Detailed Explanations

Auto Checks: Azure

Auto Checks is a feature that verifies technical configurations in your cloud environment against ISO 27001 requirements. These checks are run automatically and linked to your implementation steps within Kertos.

Auto Checks for Azure enable automated detection of misconfigurations across key Microsoft Azure services — mapped directly to ISO 27001:2022 controls. Built in close collaboration with auditors and aligned with the CIS Microsoft Azure Foundations Benchmark, these checks help your organization continuously monitor and improve your security and compliance posture.

How It Works

How to activate Auto Checks for Azure in Kertos? 
First, you need to enable Auto Checks on the Integration Setup Page of Azure. 

If you haven’t set up the Azure integration yet, you must complete this first — Auto Checks won’t work without it.
If you’ve already connected Azure before Auto Checks were released, you’ll need to reconfigure the integration, as additional permissions are required beyond those used for the initial discovery setup.

⚠️ Admin rights in your Azure Cloud environment are mandatory.
Without them, you won’t be able to assign the necessary roles, enable required APIs, or create service accounts.

First-Time Setup Instructions

To set up Auto Checks for Azure:

  • Go to the Integration page 
  • Click on Setup in Azure Integration Card
  • Click Start Setup (for first-time setup)
  • Choose your preferred setup method:
    • Quick Setup – Complete setup in just a few clicks
    • Self Setup – Step-by-step guided configuration by following the setup guide here: 
      → Full Setup Guide
  • Toggle Enable Auto Checks to ON
  • Click Save
  • Click Start Sync to run Auto Checks on your cloud environment

Reconfiguring the Integration

To set up Auto Checks for Azure:

  • Go to the Integrations page in Kertos
  • Click on Setup in Azure Integration Card
  • Toggle Enable Auto Checks to ON
  • Grant the permissions in your Azure Environment following these Instructions
  • Click Save
  • Click Start Sync to run Auto Checks on your cloud environment

What Are the Azure Auto Checks Based On?

Azure Auto Checks are based on the CIS Microsoft Azure Foundations Benchmark v4.0.0 - 03-23-2025. This an industry-standard security framework developed by the Center for Internet Security, which outlines best-practice configurations to reduce risk across core Azure services.

In collaboration with auditors, Kertos curated a selection of the most relevant checks for ISO 27001:2022, ensuring that each Auto Check contributes to audit readiness with actionable remediation guidance.

What Azure services are currently supported?

We currently support Auto Checks for the following Azure services:

  • PostgreSQL
  • Monitor (Azure Monitor & Log Analytics)
  • App Service
  • Key Vault
  • Virtual Network
  • Storage Accounts
  • Cosmos DB
  • MySQL
  • SQL Server
  • Application Insights
  • Microsoft Entra ID (Azure AD)
  • Microsoft Defender for Cloud

Which Auto Checks are available for Azure, and how are they mapped to ISO 27001:2022 controls?

Each Auto Check is mapped to a specific ISO 27001:2022 control, helping to demonstrate technical implementation of key requirements. Below is the full list of our supported Azure Auto Checks and their control mappings:

ISO Control IDISO Control TitleAuto Check Title
A.5.15Access controlEnable Role Based Access Control for Azure Key Vault
A.5.15Access controlVerify that 'Restrict non-admin users from creating tenants' is set to 'Yes'
A.5.15Access controlVerify that That 'Users Can Register Applications' Is Set to 'No'
A.5.15Access controlVerify that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
A.5.15Access controlVerify that That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
A.5.24Information security incident management planning and preparationVerify that 'Additional email addresses' is Configured with a Security Contact Email
A.5.24Information security incident management planning and preparationVerify that That 'All users with the following roles' is set to 'Owner'.
A.5.25Assessment and decision on information security eventsVerify that That 'Notify about alerts with the following severity' is Set to 'High'
A.5.33Protection of recordsVerify that 'Auditing' Retention is 'greater than 90 days'
A.5.33Protection of recordsVerify that Network Security Group Flow Log retention period is 'greater than 90 days'
A.8.13Information backupVerify that the Key Vault is Recoverable
A.8.15LoggingVerify that Activity Log Alert exists for Delete Network Security Group
A.8.15LoggingVerify that logging for Azure Key Vault is 'Enabled'
A.8.15LoggingVerify that a 'Diagnostic Setting' exists for Subscription Activity Logs 
A.8.15LoggingVerify that logging for Azure AppService 'HTTP logs' is enabled
A.8.15LoggingVerify that Activity Log Alert exists for Delete Security Solution
A.8.15LoggingVerify that Diagnostic Setting captures appropriate categories
A.8.15LoggingVerify that server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
A.8.15LoggingVerify that server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
A.8.15LoggingVerify that Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
A.8.15LoggingVerify that Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
A.8.16Monitoring activitiesVerify that Activity Log Alert exists for Delete SQL Server Firewall Rule
A.8.16Monitoring activitiesVerify that Activity Log Alert exists for Create Policy Assignment
A.8.16Monitoring activitiesVerify that Activity Log Alert exists for Create or Update Security Solution
A.8.16Monitoring activitiesVerify that Activity Log Alert exists for Create or Update Network Security Group
A.8.16Monitoring activitiesVerify that That Microsoft Defender for Containers Is Set To 'On' 
A.8.16Monitoring activitiesVerify that That Microsoft Defender for SQL Servers on Machines Is Set To 'On' 
A.8.16Monitoring activitiesVerify that Activity Log Alert exists for Create or Update Public IP Address rule
A.8.16Monitoring activitiesVerify that Activity Log Alert exists for Delete Policy Assignment
A.8.16Monitoring activitiesVerify that That Microsoft Defender for Storage Is Set To 'On' 
A.8.16Monitoring activitiesVerify that That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' 
A.8.16Monitoring activitiesVerify that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
A.8.16Monitoring activitiesVerify that That Microsoft Defender for IoT Hub Is Set To 'On'
A.8.16Monitoring activitiesVerify that Application Insights are Configured.
A.8.16Monitoring activitiesVerify that That Microsoft Defender for App Services Is Set To 'On' 
A.8.20Networks securityVerify that Network Watcher is 'Enabled' for all locations in the Azure subscription
A.8.20Networks securityVerify that That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
A.8.20Networks securityVerify that Private Endpoints are Used for Azure Key Vault
A.8.20Networks securityVerify that server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
A.8.20Networks securityVerify that Activity Log Alert exists for Delete Public IP Address rule
A.8.20Networks securityVerify that SSH access from the Internet is evaluated and restricted
A.8.23Web filteringVerify that no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
A.8.23Web filteringVerify that HTTP(S) access from the Internet is evaluated and restricted
A.8.23Web filteringVerify that RDP access from the Internet is evaluated and restricted
A.8.23Web filteringVerify that 'Allow access to Azure services' for PostgreSQL Database Server is disabled
A.8.23Web filteringVerify that That Private Endpoints Are Used Where Possible
A.8.24Use of cryptographyVerify that 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
A.8.24Use of cryptographyVerify that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys
A.8.24Use of cryptographyVerify that 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
A.8.24Use of cryptographyVerify that the Expiration Date is set for all Secrets in RBAC Key Vaults
A.8.24Use of cryptographyVerify that the Expiration Date is set for all Keys in RBAC Key Vaults
A.8.24Use of cryptographyVerify that the storage account containing the container with activity logs is encrypted with Customer Managed Key
A.8.24Use of cryptographyVerify that 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
A.8.24Use of cryptographyVerify that SQL server's Transparent Data Encryption (TDE) protector is encrypted

FAQs

Do I need to modify anything in Azure to activate Auto Checks?
No additional configuration is required if your Azure integration is set up correctly. Just toggle on Auto Checks in Kertos.

What Azure services are currently supported?
We currently support Auto Checks for the following Azure services:

  • IAM 
  • Cloud Storage
  • API Keys
  • BigQuery
  • Compute Engine
  • VPC Networking
  • Cloud SQL
  • Cloud Logging

Can I disable Auto Checks for Azure?
Yes. Go to the Azure integration in Kertos, click Reconfigure, and toggle Auto Checks off.

Do I need to update permissions if I already set up the Azure integration in the past?
Yes. If you're reconfiguring an existing Azure integration to enable Auto Checks, it's essential that the required permissions are correctly granted in your Azure environment.
Even if you previously connected Azure to Kertos, Auto Checks require specific additional scopes and roles.

See the full list of required permissions here:
https://docs.kertos.io/en/article/auto-checks-integration-guide-for-azure 

Was this article helpful?

Powered by Product Fruits