Auto Checks: Azure
Auto Checks for Azure enable automated detection of misconfigurations across key Microsoft Azure services — mapped directly to ISO 27001:2022 controls. Built in close collaboration with auditors and aligned with the CIS Microsoft Azure Foundations Benchmark, these checks help your organization continuously monitor and improve your security and compliance posture.
How It Works
How to activate Auto Checks for Azure in Kertos?
You must have admin rights in your Azure environment to complete the setup.
Without sufficient permissions, you won't be able to assign the necessary roles or create the service principal (the Azure equivalent of a service account) that the integration uses.
If you have admin rights proceed as follows:
- Go to the Integrations page
- Click Start Setup (for first-time setup) or Reconfigure (if Azure is already connected)
- Choose one of the setup methods:
- Quick Setup – Fast setup via a few clicks in Kertos, but you need to manually grant the required permissions in your Azure environment
- Self Setup – A guided setup flow that includes steps to adjust Azure permissions directly
Granting the correct permissions in Azure is required in all cases — both for Quick Setup and for Reconfigure.
You can find the detailed permission instructions here:
https://docs.kertos.io/en/article/auto-checks-integration-guide-for-azure
- Toggle Enable Auto Checks to ON
- Click Save
- Click Start Sync to begin a discovery run
What Are the Azure Auto Checks Based On?
Azure Auto Checks are based on the CIS Microsoft Azure Foundations Benchmark v4.0.0 (03-23-2025). This is an industry-standard security framework developed by the Center for Internet Security, which outlines best-practice configurations to reduce risk across core Azure services.
In collaboration with auditors, Kertos curated a selection of the most relevant checks for ISO 27001:2022, ensuring that each Auto Check contributes to audit readiness with actionable remediation guidance.
What Azure services are currently supported?
We currently support Auto Checks for the following Azure services:
- PostgreSQL
- Monitor (Azure Monitor & Log Analytics)
- App Service
- Key Vault
- Virtual Network
- Storage Accounts
- Cosmos DB
- MySQL
- SQL Server
- Application Insights
- Microsoft Entra ID (Azure AD)
- Microsoft Defender for Cloud
Which Auto Checks are available for Azure, and how are they mapped to ISO 27001:2022 controls?
Each Auto Check is mapped to a specific ISO 27001:2022 control, helping to demonstrate technical implementation of key requirements. Below is the full list of our supported Azure Auto Checks and their control mappings:
ISO Control ID | ISO Control Title | Auto Check Title |
---|---|---|
A.5.15 | Access control | Enable Role Based Access Control for Azure Key Vault |
A.5.15 | Access control | Verify that 'Restrict non-admin users from creating tenants' is set to 'Yes' |
A.5.15 | Access control | Verify that 'Users Can Register Applications' is set to 'No' |
A.5.15 | Access control | Verify that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' |
A.5.15 | Access control | Verify that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' |
A.5.24 | Information security incident management planning and preparation | Verify that 'Additional email addresses' is configured with a security contact email |
A.5.24 | Information security incident management planning and preparation | Verify that 'All users with the following roles' is set to 'Owner' |
A.5.25 | Assessment and decision on information security events | Verify that 'Notify about alerts with the following severity' is set to 'High' |
A.5.33 | Protection of records | Verify that 'Auditing' retention is 'greater than 90 days' |
A.5.33 | Protection of records | Verify that Network Security Group Flow Log retention period is 'greater than 90 days' |
A.8.13 | Information backup | Verify that the Key Vault is recoverable |
A.8.15 | Logging | Verify that Activity Log Alert exists for Delete Network Security Group |
A.8.15 | Logging | Verify that logging for Azure Key Vault is 'Enabled' |
A.8.15 | Logging | Verify that a 'Diagnostic Setting' exists for Subscription Activity Logs |
A.8.15 | Logging | Verify that logging for Azure App Service 'HTTP logs' is enabled |
A.8.15 | Logging | Verify that Activity Log Alert exists for Delete Security Solution |
A.8.15 | Logging | Verify that Diagnostic Setting captures appropriate categories |
A.8.15 | Logging | Verify that server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server |
A.8.15 | Logging | Verify that server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server |
A.8.15 | Logging | Verify that server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server |
A.8.15 | Logging | Verify that server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Delete SQL Server Firewall Rule |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Create Policy Assignment |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Create or Update Security Solution |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Create or Update Network Security Group |
A.8.16 | Monitoring activities | Verify that Microsoft Defender for Containers is set to 'On' |
A.8.16 | Monitoring activities | Verify that Microsoft Defender for SQL Servers on Machines is set to 'On' |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Create or Update Public IP Address rule |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Delete Policy Assignment |
A.8.16 | Monitoring activities | Verify that Microsoft Defender for Storage is set to 'On' |
A.8.16 | Monitoring activities | Verify that Microsoft Defender for Open-Source Relational Databases is set to 'On' |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Create or Update SQL Server Firewall Rule |
A.8.16 | Monitoring activities | Verify that Microsoft Defender for IoT Hub is set to 'On' |
A.8.16 | Monitoring activities | Verify that Application Insights is configured |
A.8.16 | Monitoring activities | Verify that Microsoft Defender for App Services is set to 'On' |
A.8.20 | Networks security | Verify that Network Watcher is 'Enabled' for all locations in the Azure subscription |
A.8.20 | Networks security | Verify that 'Firewalls & Networks' is limited to use selected networks instead of all networks |
A.8.20 | Networks security | Verify that Private Endpoints are used for Azure Key Vault |
A.8.20 | Networks security | Verify that server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server |
A.8.20 | Networks security | Verify that Activity Log Alert exists for Delete Public IP Address rule |
A.8.20 | Networks security | Verify that SSH access from the Internet is evaluated and restricted |
A.8.23 | Web filtering | Verify that no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
A.8.23 | Web filtering | Verify that HTTP(S) access from the Internet is evaluated and restricted |
A.8.23 | Web filtering | Verify that RDP access from the Internet is evaluated and restricted |
A.8.23 | Web filtering | Verify that 'Allow access to Azure services' for PostgreSQL Database Server is disabled |
A.8.23 | Web filtering | Verify that Private Endpoints are used where possible |
A.8.24 | Use of cryptography | Verify that 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
A.8.24 | Use of cryptography | Verify that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys |
A.8.24 | Use of cryptography | Verify that 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server |
A.8.24 | Use of cryptography | Verify that the expiration date is set for all Secrets in RBAC Key Vaults |
A.8.24 | Use of cryptography | Verify that the expiration date is set for all Keys in RBAC Key Vaults |
A.8.24 | Use of cryptography | Verify that the storage account containing the container with activity logs is encrypted with a Customer Managed Key |
A.8.24 | Use of cryptography | Verify that 'TLS Version' is set to 'TLSV1.2' for MySQL Flexible Database Server |
A.8.24 | Use of cryptography | Verify that the SQL server's Transparent Data Encryption (TDE) protector is encrypted |
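If you want to pre-check some of the conditions above yourself before a sync run, the script below encodes a handful of them (Key Vault RBAC, recoverability and network restriction; SSH/RDP/HTTP(S) reachable from the Internet through an NSG; the PostgreSQL logging and throttling parameters) as plain functions over resource JSON. It is an added example and not Kertos code, and it does not claim to be how Kertos evaluates the checks. The sample resources are constructed by hand in the shape returned by `az keyvault show`, `az network nsg show` and `az postgres server configuration list`; the property names follow the ARM resource schemas, but every resource name and value is made up.

```python
"""Offline re-implementation of a few of the Azure Auto Checks listed above.
Added example only: not Kertos code. Sample data is constructed by hand in
the shape of `az keyvault show`, `az network nsg show` and
`az postgres server configuration list` output (ARM property names, made-up
resource names and values)."""
import ipaddress

# ---- Key Vault (A.5.15, A.8.13, A.8.20) ----------------------------------
def keyvault_uses_rbac(vault):
    """RBAC authorization instead of vault access policies."""
    return vault["properties"].get("enableRbacAuthorization") is True

def keyvault_is_recoverable(vault):
    """Soft delete AND purge protection; soft delete alone still allows a purge."""
    p = vault["properties"]
    return p.get("enableSoftDelete") is True and p.get("enablePurgeProtection") is True

def keyvault_restricts_networks(vault):
    """Public network access disabled, or firewall default action set to Deny."""
    p = vault["properties"]
    if str(p.get("publicNetworkAccess", "Enabled")).lower() == "disabled":
        return True
    return p.get("networkAcls", {}).get("defaultAction") == "Deny"

# ---- NSG: SSH / RDP / HTTP(S) reachable from the Internet (A.8.20, A.8.23) --
INTERNET_PREFIXES = {"*", "internet", "0.0.0.0/0", "0.0.0.0", "any"}

def prefix_is_internet(prefix):
    """True for wildcard sources and /0 networks. Service tags such as
    VirtualNetwork are not IP networks and count as not-Internet."""
    p = prefix.strip().lower()
    if p in INTERNET_PREFIXES:
        return True
    try:
        return ipaddress.ip_network(p, strict=False).prefixlen == 0
    except ValueError:
        return False

def range_covers(port_range, port):
    """Does an NSG port spec ('*', '22' or '20-30') include `port`?"""
    r = port_range.strip()
    if not r:
        return False
    if r == "*":
        return True
    lo, _, hi = r.partition("-")
    return int(lo) <= port <= int(hi or lo)

def internet_exposed_rule(nsg, port, protocol="Tcp"):
    """Name of the inbound Allow rule that lets Internet sources reach `port`,
    or None. NSGs apply the lowest priority number that matches, so the first
    match in priority order decides and a matching Deny shadows later Allows."""
    rules = sorted(nsg["properties"].get("securityRules", []),
                   key=lambda r: r["properties"]["priority"])
    for rule in rules:
        rp = rule["properties"]
        if rp["direction"] != "Inbound" or rp["protocol"].lower() not in ("*", protocol.lower()):
            continue
        sources = rp.get("sourceAddressPrefixes") or [rp.get("sourceAddressPrefix", "")]
        if not any(prefix_is_internet(s) for s in sources):
            continue
        ports = rp.get("destinationPortRanges") or [rp.get("destinationPortRange", "")]
        if not any(range_covers(p, port) for p in ports):
            continue
        return rule["name"] if rp["access"] == "Allow" else None
    return None

# ---- PostgreSQL server parameters (A.8.15, A.8.20) -------------------------
REQUIRED_PG_PARAMS = {"log_connections": "on", "log_disconnections": "on",
                      "log_checkpoints": "on", "connection_throttling": "on"}

def postgres_param_findings(configs):
    """(name, actual, expected) for every parameter not at its required value,
    plus log_retention_days unless it is greater than 3."""
    values = {c["name"].lower(): str(c["value"]).lower() for c in configs}
    findings = [(n, values.get(n), want) for n, want in REQUIRED_PG_PARAMS.items()
                if values.get(n) != want]
    days = values.get("log_retention_days", "")
    if not days.isdigit() or int(days) <= 3:
        findings.append(("log_retention_days", days or None, "> 3"))
    return findings

# ---- constructed sample data (not real resources) --------------------------
SAMPLE_VAULT = {"name": "kv-example", "properties": {
    "enableRbacAuthorization": False, "enableSoftDelete": True,
    "enablePurgeProtection": False, "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Allow"}}}

def make_rule(name, prio, access, src, ports, proto="Tcp"):
    return {"name": name, "properties": {"priority": prio, "access": access,
            "direction": "Inbound", "protocol": proto, "sourceAddressPrefix": src,
            "destinationPortRanges": ports}}

SAMPLE_NSG = {"name": "nsg-example", "properties": {"securityRules": [
    make_rule("allow-ssh-anywhere", 100, "Allow", "Internet", ["22"]),
    make_rule("deny-rdp", 110, "Deny", "*", ["3389"]),
    make_rule("allow-web", 120, "Allow", "*", ["80", "443"]),
    make_rule("allow-rdp-corp", 130, "Allow", "10.0.0.0/8", ["3389"])]}}

SAMPLE_PG_CONFIG = [{"name": "log_connections", "value": "on"},
                    {"name": "log_disconnections", "value": "off"},
                    {"name": "log_checkpoints", "value": "on"},
                    {"name": "connection_throttling", "value": "on"},
                    {"name": "log_retention_days", "value": "3"}]

if __name__ == "__main__":
    print("rbac:", keyvault_uses_rbac(SAMPLE_VAULT),
          "recoverable:", keyvault_is_recoverable(SAMPLE_VAULT))
    for port in (22, 3389, 443):
        print(f"port {port} exposed by:", internet_exposed_rule(SAMPLE_NSG, port))
    print("postgres findings:", postgres_param_findings(SAMPLE_PG_CONFIG))
```

Against the constructed sample, the vault fails all three Key Vault checks, port 22 and 443 are exposed by `allow-ssh-anywhere` and `allow-web` while RDP is blocked by the higher-priority Deny (the corporate-only RDP rule is not an exposure), and PostgreSQL reports `log_disconnections` and a retention of exactly 3 days. The NSG evaluation deliberately stops at the first matching rule in priority order, because that is how Azure applies NSG rules; a naive "any Allow from *" scan would produce false positives whenever a lower-numbered Deny already blocks the traffic.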
FAQs
Do I need to modify anything in Azure to activate Auto Checks?
Apart from granting the permissions described in the integration guide (https://docs.kertos.io/en/article/auto-checks-integration-guide-for-azure), no further configuration is required in Azure. Once the integration is set up correctly, just toggle on Auto Checks in Kertos.
What Azure services are currently supported?
We currently support Auto Checks for PostgreSQL, MySQL, SQL Server, Cosmos DB, Storage Accounts, Key Vault, App Service, Application Insights, Virtual Network, Monitor (Azure Monitor & Log Analytics), Microsoft Entra ID (Azure AD) and Microsoft Defender for Cloud (see the full list above).
Can I disable Auto Checks for Azure?
Yes. Go to the Azure integration in Kertos, click Reconfigure, and toggle Auto Checks off.
Do I need to update permissions if I already set up the Azure integration in the past?
Yes. If you're reconfiguring an existing Azure integration to enable Auto Checks, it's essential that the required permissions are correctly granted in your Azure environment.
Even if you previously connected Azure to Kertos, Auto Checks require specific additional scopes and roles.
See the full list of required permissions here:
https://docs.kertos.io/en/article/auto-checks-integration-guide-for-azure