Auto Checks: Azure
Auto Checks for Azure enable automated detection of misconfigurations across key Microsoft Azure services — mapped directly to ISO 27001:2022 controls. Built in close collaboration with auditors and aligned with the CIS Microsoft Azure Foundations Benchmark, these checks help your organization continuously monitor and improve your security and compliance posture.
How It Works
How to activate Auto Checks for Azure in Kertos?
First, you need to enable Auto Checks on the setup page of the Azure integration in Kertos.
If you haven’t set up the Azure integration yet, you must complete this first — Auto Checks won’t work without it.
If you’ve already connected Azure before Auto Checks were released, you’ll need to reconfigure the integration, as additional permissions are required beyond those used for the initial discovery setup.
⚠️ Admin rights in your Azure Cloud environment are mandatory.
Without them, you won’t be able to assign the necessary roles, enable required APIs, or create service accounts.
First-Time Setup Instructions
To set up Auto Checks for Azure:
- Go to the Integration page
- Click on Setup in Azure Integration Card
- Click Start Setup (for first-time setup)
- Choose your preferred setup method:
  - Quick Setup – Complete setup in just a few clicks
  - Self Setup – Step-by-step guided configuration by following the setup guide here: → Full Setup Guide
- Toggle Enable Auto Checks to ON
- Click Save
- Click Start Sync to run Auto Checks on your cloud environment
Reconfiguring the Integration
To enable Auto Checks on an existing Azure integration:
- Go to the Integrations page in Kertos
- Click on Setup in Azure Integration Card
- Toggle Enable Auto Checks to ON
- Grant the permissions in your Azure Environment following these Instructions
- Click Save
- Click Start Sync to run Auto Checks on your cloud environment
What Are the Azure Auto Checks Based On?
Azure Auto Checks are based on the CIS Microsoft Azure Foundations Benchmark v4.0.0 - 03-23-2025. This is an industry-standard security framework developed by the Center for Internet Security, which outlines best-practice configurations to reduce risk across core Azure services.
In collaboration with auditors, Kertos curated a selection of the most relevant checks for ISO 27001:2022, ensuring that each Auto Check contributes to audit readiness with actionable remediation guidance.
What Azure services are currently supported?
We currently support Auto Checks for the following Azure services:
- PostgreSQL
- Monitor (Azure Monitor & Log Analytics)
- App Service
- Key Vault
- Virtual Network
- Storage Accounts
- Cosmos DB
- MySQL
- SQL Server
- Application Insights
- Microsoft Entra ID (Azure AD)
- Microsoft Defender for Cloud
Which Auto Checks are available for Azure, and how are they mapped to ISO 27001:2022 controls?
Each Auto Check is mapped to a specific ISO 27001:2022 control, helping to demonstrate technical implementation of key requirements. Below is the full list of our supported Azure Auto Checks and their control mappings:
ISO Control ID | ISO Control Title | Auto Check Title |
---|---|---|
A.5.15 | Access control | Enable Role Based Access Control for Azure Key Vault |
A.5.15 | Access control | Verify that 'Restrict non-admin users from creating tenants' is set to 'Yes' |
A.5.15 | Access control | Verify that 'Users Can Register Applications' Is Set to 'No' |
A.5.15 | Access control | Verify that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' |
A.5.15 | Access control | Verify that 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' |
A.5.24 | Information security incident management planning and preparation | Verify that 'Additional email addresses' is Configured with a Security Contact Email |
A.5.24 | Information security incident management planning and preparation | Verify that 'All users with the following roles' is set to 'Owner' |
A.5.25 | Assessment and decision on information security events | Verify that 'Notify about alerts with the following severity' is Set to 'High' |
A.5.33 | Protection of records | Verify that 'Auditing' Retention is 'greater than 90 days' |
A.5.33 | Protection of records | Verify that Network Security Group Flow Log retention period is 'greater than 90 days' |
A.8.13 | Information backup | Verify that the Key Vault is Recoverable |
A.8.15 | Logging | Verify that Activity Log Alert exists for Delete Network Security Group |
A.8.15 | Logging | Verify that logging for Azure Key Vault is 'Enabled' |
A.8.15 | Logging | Verify that a 'Diagnostic Setting' exists for Subscription Activity Logs |
A.8.15 | Logging | Verify that logging for Azure AppService 'HTTP logs' is enabled |
A.8.15 | Logging | Verify that Activity Log Alert exists for Delete Security Solution |
A.8.15 | Logging | Verify that Diagnostic Setting captures appropriate categories |
A.8.15 | Logging | Verify that server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server |
A.8.15 | Logging | Verify that server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server |
A.8.15 | Logging | Verify that Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server |
A.8.15 | Logging | Verify that Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Delete SQL Server Firewall Rule |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Create Policy Assignment |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Create or Update Security Solution |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Create or Update Network Security Group |
A.8.16 | Monitoring activities | Verify that Microsoft Defender for Containers Is Set To 'On' |
A.8.16 | Monitoring activities | Verify that Microsoft Defender for SQL Servers on Machines Is Set To 'On' |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Create or Update Public IP Address rule |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Delete Policy Assignment |
A.8.16 | Monitoring activities | Verify that Microsoft Defender for Storage Is Set To 'On' |
A.8.16 | Monitoring activities | Verify that Microsoft Defender for Open-Source Relational Databases Is Set To 'On' |
A.8.16 | Monitoring activities | Verify that Activity Log Alert exists for Create or Update SQL Server Firewall Rule |
A.8.16 | Monitoring activities | Verify that Microsoft Defender for IoT Hub Is Set To 'On' |
A.8.16 | Monitoring activities | Verify that Application Insights are Configured |
A.8.16 | Monitoring activities | Verify that Microsoft Defender for App Services Is Set To 'On' |
A.8.20 | Networks security | Verify that Network Watcher is 'Enabled' for all locations in the Azure subscription |
A.8.20 | Networks security | Verify that 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks |
A.8.20 | Networks security | Verify that Private Endpoints are Used for Azure Key Vault |
A.8.20 | Networks security | Verify that server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server |
A.8.20 | Networks security | Verify that Activity Log Alert exists for Delete Public IP Address rule |
A.8.20 | Networks security | Verify that SSH access from the Internet is evaluated and restricted |
A.8.23 | Web filtering | Verify that no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
A.8.23 | Web filtering | Verify that HTTP(S) access from the Internet is evaluated and restricted |
A.8.23 | Web filtering | Verify that RDP access from the Internet is evaluated and restricted |
A.8.23 | Web filtering | Verify that 'Allow access to Azure services' for PostgreSQL Database Server is disabled |
A.8.23 | Web filtering | Verify that Private Endpoints Are Used Where Possible |
A.8.24 | Use of cryptography | Verify that 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
A.8.24 | Use of cryptography | Verify that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys |
A.8.24 | Use of cryptography | Verify that 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server |
A.8.24 | Use of cryptography | Verify that the Expiration Date is set for all Secrets in RBAC Key Vaults |
A.8.24 | Use of cryptography | Verify that the Expiration Date is set for all Keys in RBAC Key Vaults |
A.8.24 | Use of cryptography | Verify that the storage account containing the container with activity logs is encrypted with Customer Managed Key |
A.8.24 | Use of cryptography | Verify that 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server |
A.8.24 | Use of cryptography | Verify that SQL server's Transparent Data Encryption (TDE) protector is encrypted |
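The PostgreSQL server-parameter checks in the table above (A.8.15 logging parameters and the A.8.20 connection_throttling check) can be reproduced against a parameter dump. This is an added example, not Kertos code: it assumes a list of `{"name": ..., "value": ...}` objects, the shape `az postgres server configuration list` returns, and uses a constructed sample rather than real output.

```python
# Added example (not Kertos code): evaluate the PostgreSQL server-parameter
# Auto Checks from the table against a parameter dump.

# Parameters that the checks require to be 'ON', with the ISO control they map to.
EXPECTED_ON = {
    "log_connections": "A.8.15",
    "log_disconnections": "A.8.15",
    "log_checkpoints": "A.8.15",
    "connection_throttling": "A.8.20",
}


def evaluate_postgres_params(params):
    """Return {parameter: (passed, iso_control, observed_value)}.

    A parameter missing from the dump is reported as a failure rather than
    silently skipped, so an incomplete export cannot look compliant.
    """
    observed = {p["name"].lower(): str(p["value"]).strip().lower() for p in params}
    results = {}
    for name, control in EXPECTED_ON.items():
        value = observed.get(name, "<missing>")
        results[name] = (value == "on", control, value)
    # log_retention_days must be greater than 3 days (A.8.15).
    raw = observed.get("log_retention_days", "<missing>")
    try:
        retention_ok = int(raw) > 3
    except ValueError:
        retention_ok = False
    results["log_retention_days"] = (retention_ok, "A.8.15", raw)
    return results


def failing_checks(results):
    """Sorted list of parameter names whose check did not pass."""
    return sorted(name for name, (ok, _, _) in results.items() if not ok)


# Constructed sample dump (assumed az CLI output shape, not real data).
SAMPLE_PARAMS = [
    {"name": "log_connections", "value": "on"},
    {"name": "log_disconnections", "value": "off"},
    {"name": "log_checkpoints", "value": "ON"},
    {"name": "connection_throttling", "value": "on"},
    {"name": "log_retention_days", "value": "3"},
]

if __name__ == "__main__":
    for name, (ok, control, value) in sorted(evaluate_postgres_params(SAMPLE_PARAMS).items()):
        print(f"{'PASS' if ok else 'FAIL'} {control} {name}={value}")
```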
FAQs
Do I need to modify anything in Azure to activate Auto Checks?
No additional configuration is required if your Azure integration is set up correctly. Just toggle on Auto Checks in Kertos.
What Azure services are currently supported?
We currently support Auto Checks for the following Azure services:
- PostgreSQL
- Monitor (Azure Monitor & Log Analytics)
- App Service
- Key Vault
- Virtual Network
- Storage Accounts
- Cosmos DB
- MySQL
- SQL Server
- Application Insights
- Microsoft Entra ID (Azure AD)
- Microsoft Defender for Cloud
Can I disable Auto Checks for Azure?
Yes. Go to the Azure integration in Kertos, click Reconfigure, and toggle Auto Checks off.
Do I need to update permissions if I already set up the Azure integration in the past?
Yes. If you're reconfiguring an existing Azure integration to enable Auto Checks, it's essential that the required permissions are correctly granted in your Azure environment.
Even if you previously connected Azure to Kertos, Auto Checks require specific additional scopes and roles.
See the full list of required permissions here:
https://docs.kertos.io/en/article/auto-checks-integration-guide-for-azure