
Secure an Azure Subscription

Scan a Microsoft Azure subscription against security and compliance best practices with cnspec.

Scan your Microsoft Azure subscription to find security risks before they become incidents. cnspec evaluates subscription-level settings such as storage account encryption, SQL Database auditing policies, network security group rules, Key Vault access controls, and AKS cluster configurations. All you need is your existing Azure CLI credentials.

Prerequisites

To scan Azure with cnspec, you must have:

- cnspec installed on the machine you scan from
- the Azure CLI installed and signed in to the tenant you want to scan (run az login; cnspec reuses those credentials and needs at least read access to the subscriptions you scan)

Verify with a quick Azure check

Confirm that cnspec can reach your Azure environment:

cnspec run azure -c 'azure.subscription.name != empty'

If cnspec connects, it returns the subscription name and confirms the check passed:

[ok] value: "my-subscription"

If the command fails, verify that you are logged in with az login.

Scan Azure

Scan every subscription available to your logged-in account:

cnspec scan azure

To scan a single subscription:

cnspec scan azure --subscription YOUR-SUBSCRIPTION-ID

Add the -o full flag to see results in detail:

cnspec scan azure -o full

Scan with the Mondoo Azure Security policy

Mondoo maintains an out-of-the-box Azure Security policy that checks storage account encryption, SQL Database auditing, network security group rules, Key Vault access controls, AKS cluster configurations, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "Azure", and add the policy. All future scans of your Azure subscriptions automatically evaluate against it. To learn more, read Manage Policies.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan azure \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-azure-security.mql.yaml

Scan using a registered app

You can also scan through an Azure registered app to control which resources cnspec has permission to access. To learn how to register and configure the app, read Continuously Scan with an Azure Integration.

After you register the app, authenticate with a certificate:

cnspec scan azure --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --certificate-path certificate.combo.pem

Or authenticate with a client secret:

cnspec scan azure --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --client-secret YOUR-CLIENT-SECRET

A secret passed on the command line is written to your shell history and is visible in the process list while cnspec runs, so prefer the certificate method for anything beyond a one-off test and rotate any secret that has been typed into a terminal.

Explore and test checks interactively

Open a cnspec shell to discover resources and try out checks:

cnspec shell azure

List storage accounts

cnspec> azure.subscription.storage.accounts { id type properties }

Filter storage accounts by kind

cnspec> azure.subscription.storage.accounts.where(kind == "BlobStorage") { id name type }

Get full details for any resource

cnspec> azure.subscription.storage.accounts { * }

Example security checks

Ensure SQL Database auditing is enabled

cnspec> azure.subscription.sql.servers { auditingPolicy['state'] == "Enabled" }
azure.subscription.sql.servers: [
  0: {
    auditingPolicy.state == "Enabled": true
  }
]

Ensure no storage containers allow anonymous public access

cnspec> azure.subscription.storage.accounts { containers { properties['publicAccess'] == "None" } }
azure.subscription.storage.accounts: [
  0: {
    containers: [
      0: {
        properties.publicAccess == "None": true
      }
    ]
  }
]

This inspects the per-container setting. Azure also has an account-level allowBlobPublicAccess property that decides whether any container on the account may be made public at all; a complete check covers both.

Ensure network security groups don't allow inbound SSH from the internet

cnspec> azure.subscription.network.securityGroups.all(securityRules.none(destinationPortRange == "22" && access == "Allow" && direction == "Inbound" && sourceAddressPrefix == "*"))
[ok] value: true

As written, this only matches a literal * source. Azure also treats Internet, 0.0.0.0/0 and /0 as the whole internet, and a rule whose destination port range is * or spans port 22 (for example 20-25) exposes SSH just as much, so widen the predicate before relying on a passing result.
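Once the checks behave the way you want in the shell, you can freeze them into a policy bundle and run it with --policy-bundle, exactly as the Mondoo Azure Security policy is run above. The bundle below is an added example, not code from the original page or from Mondoo's published bundle. The policy and query uids, the policy name and the asset.platform == "azure" filter are illustrative assumptions; the SSH check extends the page's version to the other source prefixes Azure treats as the whole internet, and every check is wrapped in .all() / .none() so it evaluates to a single boolean as a policy check must.

```yaml
# custom-azure.mql.yaml
# Added example: a cnspec policy bundle built from the three interactive
# checks on this page. uids, names and the platform filter are assumptions.
policies:
  - uid: custom-azure-baseline
    name: Custom Azure baseline
    version: 1.0.0
    authors:
      - name: Security Engineering
    groups:
      - title: Azure subscription hardening
        # Only evaluate these checks against Azure subscription assets.
        filters: asset.platform == "azure"
        checks:
          - uid: sql-server-auditing-enabled
          - uid: storage-containers-not-public
          - uid: nsg-no-inbound-ssh-from-internet

queries:
  - uid: sql-server-auditing-enabled
    title: Ensure SQL Database auditing is enabled
    impact: 80
    mql: |
      azure.subscription.sql.servers.all(
        auditingPolicy['state'] == "Enabled"
      )

  - uid: storage-containers-not-public
    title: Ensure no storage containers allow anonymous public access
    impact: 90
    mql: |
      azure.subscription.storage.accounts.all(
        containers.all(properties['publicAccess'] == "None")
      )

  - uid: nsg-no-inbound-ssh-from-internet
    title: Ensure NSGs do not allow inbound SSH from the internet
    impact: 90
    # Azure resolves "*", "Internet", "0.0.0.0/0" and "/0" to any source,
    # so a rule using any of them opens the port to the whole internet.
    mql: |
      azure.subscription.network.securityGroups.all(
        securityRules.none(
          direction == "Inbound" &&
          access == "Allow" &&
          destinationPortRange == "22" &&
          ["*", "Internet", "0.0.0.0/0", "/0"].contains(sourceAddressPrefix)
        )
      )
```

Save the file as custom-azure.mql.yaml, validate it with cnspec bundle lint custom-azure.mql.yaml, then run cnspec scan azure --policy-bundle custom-azure.mql.yaml. Add -o full to see which resources caused a check to fail.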

Learn more
