Azure Security Assessment: Audit Your Azure Environment

The Challenge: Azure Identity and Sprawl Are Hard to See Into

Azure spreads security across two planes that most teams struggle to hold in their head at once: the resource plane (subscriptions, Storage, Key Vault, VMs, SQL) and the identity plane (Microsoft Entra ID, formerly Azure AD). A single weak spot in either, an overprivileged Entra role, a Storage account with public blob access, a network security group open to the internet, or a Key Vault without soft delete, is enough to turn into an incident.

Azure is also where a large and growing share of workloads live. In Prowler's State of Cloud Security 2026 report, a survey of 633 security professionals, 28% named Azure as their primary cloud provider, second only to AWS. That same report found security teams handle an average of 71 incidents per week, over 3,600 a year, and most of that time goes to manual triage rather than fixing root causes.

Visibility is the core problem. Only 31% of teams rate their cloud visibility as better than "average," and identity is the hardest part. Entra ID role assignments, group memberships, conditional access policies, and subscription RBAC layer on top of each other, so working out who can actually do what takes real time. Most environments have hundreds of identities and dozens of subscriptions. You cannot assess that by hand.

What Is an Azure Security Assessment?

An Azure security assessment is a systematic review of your Azure environment against security best practices and compliance requirements. It inventories your resources and identities and checks each one for misconfigurations, excessive permissions, missing encryption, disabled logging, and exposure to the public internet.

A thorough Azure assessment covers these areas:

• Identity and access (Microsoft Entra ID) Overprivileged directory roles, missing MFA on privileged accounts, guest user sprawl, stale credentials, and weak conditional access policies.
• Storage exposure Storage accounts allowing public blob or container access, missing encryption, insecure transfer disabled, and shared key access left on.
• Secrets and key management Key Vaults without soft delete or purge protection, missing access policies, and secrets without expiration.
• Network configuration Network security groups allowing 0.0.0.0/0 on sensitive ports like SSH (22) and RDP (3389), unrestricted inbound rules, and public IPs on sensitive resources.
• Data services SQL Server and database firewalls open to all, auditing disabled, transparent data encryption off, and Cosmos DB or MySQL without restricted access.
• Logging, monitoring, and Defender Activity and diagnostic logs disabled, Microsoft Defender for Cloud plans turned off, and missing alerting, leaving you blind to activity.
• Compliance posture Whether your environment meets the controls required by the CIS Azure Foundations Benchmark, SOC 2, ISO 27001, PCI DSS, HIPAA, and other frameworks.

How to Run an Azure Security Assessment with Prowler Cloud

Here is the full process, start to finish. Prowler Cloud uses a read-only service principal, so it can assess your environment but never change anything. You can get your first results in minutes.

1. Create a free Prowler Cloud account Sign up at cloud.prowler.com. Prowler Cloud is free to try and needs no credit card.
2. Get your Azure Subscription ID In the Azure Portal, search for "Subscriptions," then locate and copy the Subscription ID you want to assess. Prowler scans within the subscription scope, so this is what defines the boundary of the assessment.
3. Create a Prowler service principal in Microsoft Entra ID In Microsoft Entra ID, open "App registrations," choose "New registration," name it (for example "ProwlerApp"), and click "Register." Then go to "Certificates & secrets," add a "New client secret," and copy its value. You now have the three credentials Prowler needs: Client ID, Tenant ID, and Client Secret.
4. Grant read-only Microsoft Graph permissions for Entra ID checks On the app registration, open "API permissions," add "Microsoft Graph" application permissions AuditLog.Read.All, Directory.Read.All, and Policy.Read.All, then grant admin consent. These are read-only and let Prowler run the Entra ID identity checks.
5. Assign Reader and ProwlerRole at the subscription level In your subscription's "Access control (IAM)," assign the built-in Reader role to the service principal. Then create and assign the custom ProwlerRole, a minimal read-only role that adds a couple of permissions the Reader role does not include for specific checks. Both are read-only, so Prowler can read your configuration but cannot modify, create, or delete resources.
6. Add the subscription and credentials to Prowler Cloud In Prowler Cloud, choose "Add Provider," select "Microsoft Azure," enter the Subscription ID and an optional alias, then paste the Tenant ID, Client ID, and Client Secret from your service principal.
7. Launch your first scan Click "Launch Scan." Prowler runs hundreds of Azure security checks across Entra ID, Storage, Key Vault, networking, VMs, SQL, Defender for Cloud, AKS, and more. There are no agents to install and no impact on your workloads. First results appear in minutes.
8. Review and prioritize the findings Open the findings dashboard, sort by severity, and filter by framework such as the CIS Microsoft Azure Foundations Benchmark, SOC 2, ISO 27001, or PCI DSS. Use attack paths to see how an exposed Storage account plus an over-privileged Entra role becomes a real route to your data, so you spend your time on the handful of issues that actually matter rather than the full backlog.
9. Remediate the findings For each issue, Prowler Cloud shows the affected resource and the fix. Use Lighthouse AI to generate remediation as an Infrastructure as Code change (Bicep or Terraform), an Azure CLI command, a cloud-native control, or guided manual steps, so you go from "here is the problem" to "here is the fix." To automate it end to end, the Prowler plugin for Claude Code finds the misconfigurations, prioritizes them by blast radius from the attack-path graph, opens the pull requests that fix them, and re-scans to confirm each one cleared.
10. Rescan and prove it Re-run the scan to confirm each issue is closed, capture before and after posture, and export audit-ready evidence mapped to the CIS Microsoft Azure Foundations Benchmark, SOC 2, ISO 27001, and PCI DSS. The Prowler plugin for Claude Code keeps a versioned audit trail of every fix under .prowler/ in your repo, so every change is reproducible when your auditor asks.
11. Track ownership and schedule recurring scans Assign owners and SLAs to findings, set exceptions for accepted risks, and turn on daily scheduled scans that route findings to Slack, Jira, email, or your SIEM. Accountability stays clear and drift gets caught within hours across all your subscriptions.

Automate Your Azure SecOps Workflow with Claude Code

Detection is solved. What eats your team's time is the glue work between a finding and a verified fix. The Prowler plugin for Claude Code automates the entire DART-P loop: it pulls findings across your connected Azure subscriptions, prioritizes them by severity, framework relevance, and blast radius from the attack-path graph, proposes fixes with exact Terraform, Azure CLI, or console steps and their reversibility, opens pull requests, tracks progress in versioned markdown reports under .prowler/, and re-scans to confirm each check cleared.

Install it from the Claude Code plugin marketplace:

/plugin marketplace add prowler-cloud/prowler
/plugin install prowler@prowler-plugins

It needs a Prowler Cloud account and an API key from cloud.prowler.com/profile. Then drive it with a high-level goal like "Make my Azure subscription compliant with CIS Azure." Because it grounds recommendations in Prowler's open-source check logic and Prowler Hub remediation, every fix is auditable and reproducible. You can run it Claude-assisted to review each fix, or autonomous for one consolidated plan grouped by root cause.

Compliance Frameworks for Azure

Most teams run an Azure security assessment because an auditor is asking for evidence. Prowler maps your Azure findings to dozens of frameworks automatically, so you can prove your posture instead of assembling spreadsheets the night before.

The CIS Microsoft Azure Foundations Benchmark is the most common starting point, and Prowler supports multiple versions through v5.0. Need to go deeper on a single framework? See the guide to automated SOC 2 cloud compliance or browse the full list of frameworks in the Prowler documentation.

Frequently Asked Questions