Skip to main content

Assess Azure Security with cnspec

cnspec assesses your full Microsoft Azure environment for misconfigurations that put your organization at risk. You can scan your Azure tenant for compliance with security policies created by Mondoo or the community, or create your own policies. You also can write individual tests to run on the fly or include in automated tasks.

cnspec can test any aspect of your Azure configuration. For a list of Azure resources you can test, read Mondoo Azure Resource Pack Reference and Mondoo Core Resource Pack Reference.

Connect cnspec with your Azure environment


To test your Azure environment with cnspec, you must have:

Log into Azure

Using the Azure CLI, log into your subscription:

az login

Verify with a quick Azure check

To quickly confirm that cnspec has access to your Azure environment, run this check from your terminal:

cnspec run azure -c 'azure.subscription.resources  { id!="foo" }'

It asserts that none of your Azure resources have the ID foo.

cnspec lists your resources and indicates that the check is true, none of them has foo as its ID:

azure.subscription.resources: [
0: {
id != "foo": true
1: {
id != "foo": true
2: {
id != "foo": true
3: {
id != "foo": true
4: {
id != "foo": true

You've successfully used cnspec to run your first check on your Azure environment. Now you're ready to explore. The method you choose depends on your goals:

  • For widescale assessment of your Azure infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your Azure security posture.

  • To run ad hoc checks against your Azure environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.

Assess Azure security with policy-based scanning

The Azure Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental Azure security best practices. It checks for misconfigurations across your entire Azure infrastructure.

To scan using the Azure Security by Mondoo policy, run:

cnspec scan azure

This scans all the subscriptions available under your account when you're logged in using az login. You can also scan a specific subscription. For ID, substitute your subscription ID:

cnspec scan azure --subscription YOUR-SUBSCRIPTION-ID

cnspec follows these steps to load policies on which it bases the scan:

  • cnspec tries to read a config file, mondoo.yml, which includes the certificate and private key for authenticating with Mondoo Platform. If it finds the config, it loads the policies enabled for the Azure integration in the Mondoo space this Azure environment belongs to. You can enter cnspec status to see if the config file exists and cnspec is registered.
  1. If there is no config file (you have not registered cnspec or you've removed the mondoo.yml file), then cnspec loads Mondoo's open source policies and scans based on those.

If cnspec is registered but you want to use the open source policies (and not share results with Mondoo Platform), you can scan in incognito mode:

cnspec scan azure --incognito

You can also specify a particular policy bundle. cnspec uses only the bundle you specify:

cnspec scan azure --policy-bundle mondoo-azure-security.mql.yaml

You can download open source policy bundles from the GitHub repo.

It is also possible to scan the Azure environment through an Azure registered app and fully control what resources the cnspec has permission to scan. To learn how to register and configure the app, read Continuously Scan with an Azure Integration.

After you register the app, you can use either of these commands to scan, depending on how you configured the app to authenticate with the Azure portal:

cnspec scan azure --subscription YOUR-SUBSCRIPTION-ID --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID  --certificate-path certificate.combo.pem --policy-bundle mondoo-azure-security.mql.yaml


cnspec scan azure --subscription YOUR-SUBSCRIPTION-ID --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID  --client-secret YOUR-CLIENT-SECRET-VALUE  --policy-bundle mondoo-azure-security.mql.yaml

Assess the security of Azure VM instances, snapshots, and disks

Use cnspec to evaluate the security of your Azure virtual machines. You can scan managed disks, instances, and snapshots.

To scan an Azure VM instance, run this command, substituting the instance name, client ID, tenant ID, and client secret:

cnspec scan azure compute instance NAME --client-id YOUR-CLIENT-ID --tenant-id YOUR-TENANT-ID --client-secret YOUR-CLIENT-SECRET-VALUE

To scan an Azure compute snapshot, run this command, substituting the snapshot name, client ID, tenant ID, and client secret:

cnspec scan azure compute snapshot NAME --client-id YOUR-CLIENT-ID --tenant-id YOUR-TENANT-ID --client-secret YOUR-CLIENT-SECRET-VALUE

To scan an Azure compute disk, run this command, substituting the snapshot name, client ID, tenant ID, and client secret:

cnspec scan azure compute disk NAME --client-id YOUR-CLIENT-ID --tenant-id YOUR-TENANT-ID --client-secret YOUR-CLIENT-SECRET-VALUE

Test Azure with the cnspec shell

The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.

To launch a shell into your Azure environment, enter:

cnspec shell azure

Discover capabilities with the help command

Once inside the shell, use the help command to learn what Azure resources you can test. This command lists all the Azure resources:

help azure

From the resulting list, you can drill down further. For example, enter this command to list all the Azure Compute resources you can test:

help azure.subscription.compute

From the resulting list, you can drill down even further. You can also learn about available Azure resources in the Mondoo Azure Resource Pack Reference.

Run tests in the cnspec shell

Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.

Assess SQL server auditing

This test assures that auditing is turned on for your SQL servers:

azure.subscription.sql.servers { auditingPolicy['state'] == "Enabled" }

If the test passes (all SQL servers have auditing enabled) then cnspec returns ok:

[ok] value: true

If the test fails, (one or more Cloud Storage buckets don't use uniform bucket-level access) then cnspec provides details about the failure.

Assess public access to storage

This test asserts that no storage accounts allow public access: { containers { properties['publicAccess'] == "None" } }

If one or more storage accounts allow public access, cnspec lists them. Otherwise, cnspec indicates that the test passed.

Exit the cnspec shell

To exit the cnspec shell, either press Ctrl + D or type exit.

Learn more about querying Azure