Managing Security Posture with Azure Security Benchmark
06/14/2025
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in using the Azure Security Benchmark (ASB) to manage and improve the security posture of their Azure environments. In an ever-evolving cloud landscape, ensuring resources are configured securely and in compliance with best practices is an ongoing challenge. ASB, in conjunction with Microsoft Defender for Cloud, provides a comprehensive framework to assess, monitor, and improve the security of your cloud workloads [1].
Introduction
Cloud security is a shared responsibility between the cloud provider (Microsoft) and the customer. Although Microsoft protects the underlying infrastructure, the security of data, applications, and network configurations within your environment is your responsibility. The complexity of cloud services and the speed of change can make it difficult to maintain a robust and consistent security posture. Misconfigurations, unpatched vulnerabilities, and lack of visibility are common attack vectors that can lead to security breaches [2].
The Azure Security Benchmark (ASB) is a set of security guidelines specific to Azure, developed by Microsoft, that incorporates security best practices and compliance recommendations from industry-leading frameworks such as CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology). It provides a foundation for protecting your cloud resources, covering areas such as network security, identity management, data protection, logging, vulnerability management, and more. Microsoft Defender for Cloud (formerly Azure Security Center) is the primary tool for assessing and monitoring ASB compliance [3]. Microsoft has since renamed the benchmark the Microsoft cloud security benchmark (MCSB); current portal builds list the standard under that name, and the procedures below apply unchanged.
This practical guide covers prerequisites, ASB concepts, using Microsoft Defender for Cloud to assess ASB compliance, interpreting security recommendations, remediating failures, configuring exemptions, and monitoring the secure score. Step-by-step instructions, practical examples, and concise explanations are provided so that the reader can implement, test, and validate these features. Security tips, compliance checks, and best practices are also discussed so that your Azure security posture improves continuously and reliably.
Why is the Azure Security Benchmark crucial to your security posture?
- Comprehensive Guidelines: Provides a detailed set of security recommendations for Azure services, covering the main domains of cloud security (network, identity, data protection, logging, vulnerability management, and more).
- Alignment with Industry Standards: Based on globally recognized security frameworks, ensuring that your security practices are aligned with best practices.
- Continuous Assessment: Integrated with Microsoft Defender for Cloud, offers continuous assessment of ASB compliance and identifies deviations.
- Actionable Recommendations: Provides clear recommendations and remediation steps to resolve security issues and improve posture.
- Secure Score Monitoring: Helps visualize and track progress in improving security through a quantifiable metric (Secure Score).
- Regulatory Compliance: Facilitates compliance with various compliance requirements by mapping ASB controls to regulatory standards.
Prerequisites
To manage your security posture with Azure Security Benchmark, you'll need the following items:
- Active Azure Subscription: An Azure subscription with deployed resources.
- Administrative Access: An account with the Owner, Contributor, or Security Admin role on the subscription or resource group. Viewing recommendations needs only Security Reader; remediating them and creating exemptions needs write access to the affected resources.
- Microsoft Defender for Cloud Enabled: Defender for Cloud must be enabled in your subscription to provide security assessments and recommendations. The free plan already evaluates ASB [4].
Step by Step: Managing Security Posture with Azure Security Benchmark
Let's enable Defender for Cloud, assess ASB compliance, and remediate recommendations.
1. Enabling Microsoft Defender for Cloud and Azure Security Benchmark
ASB is evaluated automatically as part of Defender for Cloud. If you already have Defender for Cloud enabled, ASB is already being assessed.
- Open your browser and navigate to the Azure portal: https://portal.azure.com.
- Log in with an account that has the necessary permissions.
- In the top search field, type Microsoft Defender for Cloud and select it from the results.
- On the Defender for Cloud Overview page, verify that your subscription is covered. If not, follow the on-screen instructions to onboard your subscription.
- In the left navigation pane, select Environment Settings.
- Select the subscription you want to protect.
- On the Defender plans page, make sure the Foundational CSPM plan (the free tier, which includes ASB assessment) is On.
- Explanation: The Foundational CSPM plan provides security posture assessment, including Azure Security Benchmark recommendations, at no charge. Paid plans (such as Defender for Servers and Defender for Storage) add workload protection (CWPP).
2. Assessing Compliance with the Azure Security Benchmark
Defender for Cloud displays ASB compliance through the Regulatory Compliance dashboard.
- In the Defender for Cloud left navigation pane, select Regulatory Compliance.
- On the dashboard, you will see Azure Security Benchmark listed as one of the compliance standards (it is assigned to every subscription by default).
- Click Azure Security Benchmark to view your compliance details.
- Explanation: This dashboard shows an overview of your ASB compliance, including how many controls passed, how many failed, and how many require manual assessment. You can drill down into each control to see the specific recommendations and the resources behind them.
3. Interpreting and Remediating Security Recommendations
Recommendations are the foundation for improving your security posture.
- In the Defender for Cloud left navigation pane, select Recommendations.
- Recommendations are grouped by Security Control. You can filter by Standard = Azure Security Benchmark.
- Find a recommendation with Status = Unhealthy (e.g. Management ports should be restricted to trusted IP ranges).
- Click on the recommendation to see details:
- Description: Explains the security issue.
- Remediation Steps: Provides step-by-step instructions to correct the issue. Many recommendations offer a single-click Fix option or an automation script.
- Affected Resources: Lists all resources (VMs, storage accounts, networks, etc.) that are not in compliance.
- Compliance Standards: Shows which ASB controls (and other standards) this recommendation addresses.
- Remediating a recommendation (example: Restrict management ports):
- For the recommendation Management ports should be restricted to trusted IP ranges, open the list of affected resources.
- For each resource, you can click Fix or follow the manual instructions to configure a Network Security Group (NSG) rule that allows RDP (3389) and SSH (22) only from specific, trusted source IP ranges.
- Example Azure CLI commands to update the NSG rule and verify the result:
```bash
# --source-address-prefixes replaces the rule's existing source list,
# so pass every trusted range at once (space-separated CIDRs or IPs).
az network nsg rule update \
  --resource-group <resource_group_name> \
  --nsg-name <nsg_name> \
  --name <rdp_ssh_rule_name> \
  --source-address-prefixes <trusted_ip_ranges> \
  --destination-port-ranges 3389   # or 22 for SSH

# Verify: list inbound Allow rules whose source is still unrestricted
az network nsg rule list -g <resource_group_name> --nsg-name <nsg_name> \
  --query "[?direction=='Inbound' && access=='Allow' && sourceAddressPrefix=='*']" -o table
```
- Explanation: After remediation, Defender for Cloud reevaluates the resource. If the fix is successful, the resource's status changes to Healthy and your secure score is updated.
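To make the recommendation concrete, here is an added example (not code from the article or from Microsoft) of the check behind "Management ports should be restricted to trusted IP ranges", run against a constructed set of NSG rules, followed by the same rule change that the `az network nsg rule update --source-address-prefixes` command makes. The rule dictionaries use the field names that `az network nsg show --query securityRules` returns; the NSG, rule names and addresses are made up for this example.

```python
"""Added example: evaluate NSG rules for internet-exposed management ports
(the logic behind the ASB recommendation), then apply the remediation.
Sample data below is constructed, not from a real subscription."""

import copy

MANAGEMENT_PORTS = (22, 3389)   # SSH, RDP
# Source values that mean "anyone on the internet" for an inbound rule.
ANY_SOURCE = {"*", "internet", "any", "0.0.0.0", "0.0.0.0/0", "::/0"}

# Constructed sample NSG: one well-scoped SSH rule, one RDP rule open to the
# world, a public web rule, and the platform default DenyAllInBound rule.
SAMPLE_RULES = [
    {"name": "AllowSSHFromOffice", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "AllowRDPAny", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowWeb", "priority": 120, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _port_specs(rule):
    specs = [rule["destinationPortRange"]] if rule.get("destinationPortRange") else []
    return specs + list(rule.get("destinationPortRanges") or [])


def _covers_port(spec, port):
    """True if an NSG port spec ('*', '22' or '3000-4000') includes `port`."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _from_any_source(rule):
    srcs = [rule["sourceAddressPrefix"]] if rule.get("sourceAddressPrefix") else []
    srcs += list(rule.get("sourceAddressPrefixes") or [])
    return any(s.lower() in ANY_SOURCE for s in srcs)


def exposed_management_ports(rules):
    """Return {port: rule name} for each management port an arbitrary internet
    source can reach. NSG rules are matched lowest priority number first and the
    first match wins, so a Deny at 100 beats an Allow at 200. Rules scoped to a
    specific prefix are skipped: an arbitrary source address does not match them."""
    exposed = {}
    for port in MANAGEMENT_PORTS:
        for rule in sorted(rules, key=lambda r: r["priority"]):
            if rule["direction"] != "Inbound" or rule["protocol"].lower() not in ("tcp", "*"):
                continue
            if not any(_covers_port(s, port) for s in _port_specs(rule)):
                continue
            if not _from_any_source(rule):
                continue
            if rule["access"] == "Allow":
                exposed[port] = rule["name"]
            break   # first matching rule decides, whether Allow or Deny
    return exposed


def assessment_status(rules):
    """The status Defender for Cloud would show for resources behind this NSG."""
    return "Unhealthy" if exposed_management_ports(rules) else "Healthy"


def restrict_rule_sources(rules, rule_name, trusted_prefixes):
    """Same effect as `az network nsg rule update --name <rule_name>
    --source-address-prefixes <trusted_prefixes>`: the rule's source list is
    replaced, not extended. Returns a modified copy of the rule set."""
    fixed = copy.deepcopy(rules)
    for rule in fixed:
        if rule["name"] == rule_name:
            rule.pop("sourceAddressPrefix", None)
            rule["sourceAddressPrefixes"] = list(trusted_prefixes)
    return fixed


if __name__ == "__main__":
    print(assessment_status(SAMPLE_RULES), exposed_management_ports(SAMPLE_RULES))
    fixed = restrict_rule_sources(SAMPLE_RULES, "AllowRDPAny", ["203.0.113.0/24"])
    print(assessment_status(fixed), exposed_management_ports(fixed))
```

The priority walk is the part worth internalizing: a rule that opens 3389 to `*` is only a finding if no lower-numbered Deny already covers it, and a rule scoped to a trusted prefix never matches traffic from an arbitrary address, which is exactly why narrowing the source list is the fix rather than deleting the rule.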
4. Configuring Exemptions for Recommendations
In some cases, a recommendation may not apply to a specific resource, or there may be a business justification for not remediating it immediately. Defender for Cloud lets you exempt the resource (or the whole recommendation) so that it stops counting against your secure score.
- On the recommendation's details page, select the affected resource(s) and click Exempt.
- In the Exempt pane, configure:
- Scope: Whether the exemption applies to the entire subscription, a management group, or only the selected resources.
- Exemption category: Mitigated (the risk is addressed by another control, for example a third-party product) or Waiver (the risk is accepted).
- Expiration date: When the exemption ends and the resource is assessed again.
- Description: A justification detailed enough for an auditor to understand the decision.
- Click Create.
- Explanation: Exemptions should be used sparingly and documented. They remove the resource from the secure score calculation, but the underlying risk still exists; review active exemptions regularly and let them expire rather than renewing them by default. Exemptions are implemented as Azure Policy exemptions and are visible in the Azure Policy blade as well.
5. Monitoring the Secure Score
The secure score is a quantifiable measure of your security posture.
- In the Defender for Cloud left navigation pane, select Overview. Secure Score is prominently displayed, showing your current score and potential for improvement.
- Click Secure Score to view details, including the recommendations that would contribute most to score improvement.
- Explanation: The secure score is computed per security control. Each control carries a maximum number of points, and you earn the fraction of those points equal to the share of the control's assessed resources that are healthy. The overall score is the sum of points earned divided by the sum of maximum points [5]. Prioritize recommendations that yield the most points per resource fixed and that address the most critical risks for your environment.
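The following added example (not from the article or from Microsoft) works the secure score formula through on constructed control data: it ranks which fixes are worth the most points, shows the score after a remediation, and shows why an exemption (section 4) raises the score without reducing risk. The control names, maximum points and resource counts are made up for illustration; the per-control formula is the one Microsoft documents for the secure score model.

```python
"""Added example: derive the secure score from per-control results.
    current points = max points * healthy / (healthy + unhealthy)
    secure score % = sum(current points) / sum(max points) * 100
Exempted or not-applicable resources are excluded from both counts.
All figures below are constructed, not from a real tenant."""

import copy

# Constructed sample: one row per security control as shown on the Secure Score page.
CONTROLS = [
    {"name": "Enable MFA",                "max": 10, "healthy": 3, "unhealthy": 2,  "exempt": 0},
    {"name": "Secure management ports",   "max": 8,  "healthy": 6, "unhealthy": 2,  "exempt": 2},
    {"name": "Remediate vulnerabilities", "max": 6,  "healthy": 0, "unhealthy": 10, "exempt": 0},
    {"name": "Encrypt data in transit",   "max": 4,  "healthy": 4, "unhealthy": 0,  "exempt": 0},
]


def control_points(c):
    """Points currently earned by one control."""
    assessed = c["healthy"] + c["unhealthy"]
    if assessed == 0:
        # Assumption for this example: a control with nothing to assess
        # contributes no points (the portal simply does not list it).
        return 0.0
    return c["max"] * c["healthy"] / assessed


def secure_score(controls):
    """Overall secure score as a percentage, rounded to one decimal."""
    earned = sum(control_points(c) for c in controls)
    available = sum(c["max"] for c in controls)
    return round(100 * earned / available, 1)


def points_per_fix(c):
    """Points gained by remediating a single unhealthy resource in a control.
    This is the number to sort by when prioritizing remediation work."""
    assessed = c["healthy"] + c["unhealthy"]
    return c["max"] / assessed if assessed else 0.0


def prioritized(controls):
    """Controls that still have unhealthy resources, most points per fix first."""
    pending = [c for c in controls if c["unhealthy"]]
    return [c["name"] for c in sorted(pending, key=points_per_fix, reverse=True)]


def _find(controls, name):
    return next(c for c in controls if c["name"] == name)


def remediate(controls, name, count=1):
    """Return a new control list after fixing `count` unhealthy resources."""
    new = copy.deepcopy(controls)
    c = _find(new, name)
    moved = min(count, c["unhealthy"])
    c["unhealthy"] -= moved
    c["healthy"] += moved
    return new


def exempt(controls, name, count=1):
    """Return a new control list after exempting `count` unhealthy resources.
    They leave the calculation entirely, so the score rises although nothing
    was fixed; this is the trade-off section 4 warns about."""
    new = copy.deepcopy(controls)
    c = _find(new, name)
    moved = min(count, c["unhealthy"])
    c["unhealthy"] -= moved
    c["exempt"] += moved
    return new


if __name__ == "__main__":
    print("baseline:", secure_score(CONTROLS), "%")
    print("fix first:", prioritized(CONTROLS))
    print("after fixing both MFA resources:",
          secure_score(remediate(CONTROLS, "Enable MFA", 2)), "%")
    print("after exempting one management-port resource:",
          secure_score(exempt(CONTROLS, "Secure management ports")), "%")
```

Note the ordering this produces: two unhealthy MFA resources are worth 2 points each, while each of the ten vulnerable machines is worth 0.6, even though the vulnerability control has more open findings. That is the behaviour behind the "prioritize by impact" advice in the tips section.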
Validation and Testing
It's crucial to validate that remediation actions are working and that your security posture is improving.
1. Verifying Recommendation Remediation
- Scenario: After applying a remediation for a recommendation (e.g. restricting management ports), wait for Defender for Cloud to re-evaluate the resource; most assessments refresh within minutes, though some types run on a longer cycle.
- Expected Action: The resource status for that recommendation should change from Unhealthy to Healthy.
- Verification:
- Navigate to Microsoft Defender for Cloud > Recommendations.
- Filter by the recommendation you remediated and check the status of affected resources.
2. Monitoring the Evolution of the Secure Score
- Scenario: After remediating several recommendations, observe how your secure score evolves over time.
- Expected Action: Your secure score should increase, reflecting the improvement in your security posture.
- Verification:
- Navigate to Microsoft Defender for Cloud > Overview and look at the Secure Score trend graph.
Security Tips and Best Practices
- Prioritize Critical Recommendations: Focus first on the recommendations that have the greatest impact on your secure score and that address the most critical risks for your environment.
- Automate Remediation: Use one-click Fix options or automation scripts (Azure Policy, Azure Automation) to remediate recommendations at scale.
- Integrate with Azure Policy: Use Azure Policy to enforce ASB compliance. Deny effects block non-compliant deployments before they happen, and DeployIfNotExists effects bring existing resources back into line, so new resources are deployed already compliant and existing ones do not drift.
- Regular Review: Regularly review security recommendations, exceptions, and secure scoring to maintain a proactive security posture.
- Team Awareness: Ensure development and operations teams are aware of ASB recommendations and how their actions affect security posture.
- Defend the Cloud with Paid Plans: Although ASB is free, consider enabling paid Defender for Cloud plans (e.g. Defender for Servers, Defender for Storage, Defender for SQL) to get workload protection (CWPP) and advanced threat detection.
Common Troubleshooting
- Recommendations are not updated after remediation:
- It may take some time for Defender for Cloud to re-evaluate the resources and update the status. Wait a few minutes and refresh the page.
- Verify that the remediation was applied correctly. Some remediation instructions have specific details that must be followed precisely.
- Check the Azure Activity Log to confirm that the change was actually applied to the resource.
- Secure score does not increase:
- The secure score is computed per control from the share of healthy resources, so remediating a few resources in a low-weight control changes it very little.
- Make sure there are no new Unhealthy recommendations that are offsetting your remediations.
- Resources do not appear in recommendations:
- Verify that Defender for Cloud is enabled for the subscription where the resources are located.
- Make sure the resource types are supported by Defender for Cloud and covered by ASB.
- There may be a delay before newly created resources are discovered by Defender for Cloud.
- Questions about a specific recommendation:
- See the official Azure Security Benchmark documentation on Microsoft Learn for additional details about each control and recommendation.
- Use the Feedback option in the Azure portal to send questions or comments to Microsoft.
Conclusion
The Azure Security Benchmark, in conjunction with Microsoft Defender for Cloud, is an indispensable tool for any organization looking to maintain a robust and compliant security posture in Azure. By providing a clear framework of best practices and a platform for continuous assessment and remediation, it enables security teams to identify and fix weaknesses before they are exploited. Adopting and actively maintaining ASB is critical to protecting your cloud assets against cyber threats and ensuring the integrity of your operations. With this practical guide, security professionals and IT administrators should be well equipped to configure, validate, and manage the security posture of their Azure environments independently and reliably.
References:
[1] Microsoft Learn. Overview of Azure Security Benchmark v3. Available at: https://learn.microsoft.com/pt-br/security/benchmark/azure/overview-v3
[2] Microsoft Learn. Security Control v3: Posture and vulnerability management. Available at: https://learn.microsoft.com/pt-br/security/benchmark/azure/security-controls-v3-posture-vulnerability-management
[3] Microsoft Learn. What is Microsoft Defender for Cloud? Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/defender-for-cloud-introduction
[4] Microsoft Learn. Improve regulatory compliance - Azure. Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/regulatory-compliance-dashboard
[5] Microsoft Learn. Defender for Cloud security score. Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/secure-score-security-controls
[6] Microsoft Learn. Remediate recommendations - Microsoft Defender for Cloud. Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/implement-security-recommendations
[7] Microsoft Learn. Review security recommendations - Azure. Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/review-security-recommendations