AZ-305 | Chapter 84 of 103 | Objective 1.2

Azure Security Benchmark in Architecture Reviews

This chapter covers the Azure Security Benchmark (ASB) and its critical role in architecture reviews for the AZ-305 exam. Understanding ASB is essential for designing secure workloads that meet Microsoft's best practices and compliance requirements. Approximately 15-20% of AZ-305 questions touch on security governance and compliance, with the Azure Security Benchmark being a key reference. You will learn how to apply ASB controls during architecture reviews, identify gaps, and recommend remediations to align with the benchmark's security principles.

25 min read
Intermediate
Updated May 31, 2026

The Building Inspector Analogy for Azure Security Benchmark

Imagine a large office building with multiple tenants. The city publishes a building code (the Azure Security Benchmark) that specifies safety requirements: fire doors must close automatically, emergency exits must be clearly marked, and sprinkler systems must be tested monthly. When an architect designs a new floor plan, they must review it against the building code. They check each requirement: Are there enough exits? Are the fire doors installed correctly? Are the sprinklers covering the right areas? This review is not a one-time event; the building is inspected annually to ensure compliance. If a tenant installs a new partition wall, the architect must recheck that the fire rating is maintained. Similarly, in Azure, the Azure Security Benchmark provides a set of security controls and best practices. An architect reviews the workload architecture against these controls, ensuring that configurations like network security groups, encryption, and identity management align with the benchmark. Regular reviews are needed as the environment changes. Just as a building inspector uses a checklist, the architect uses the benchmark's control framework to identify gaps and recommend remediations. The analogy is mechanistic: the building code is the benchmark, the architect is the solution architect, the inspection is the architecture review, and the checklist is the control framework.

How It Actually Works

What is the Azure Security Benchmark?

The Azure Security Benchmark (ASB) is a collection of security best practices and recommendations provided by Microsoft to help you secure your Azure workloads. It is based on common compliance frameworks like NIST SP 800-53 and CIS Controls, and it provides a consistent set of security controls that can be applied across Azure services. The ASB is not a compliance certification itself but a prescriptive framework that helps you meet the security requirements of various standards.

Why Does the ASB Exist?

The ASB exists to address the challenge of securing complex cloud environments. Without a standardized set of security controls, architects would rely on ad-hoc decisions, leading to inconsistent security postures. The ASB provides a common language and a structured approach to security, enabling organizations to measure their security posture against industry best practices. It also helps in demonstrating compliance with regulatory requirements by mapping to frameworks like SOC 2, ISO 27001, and FedRAMP.

How Does the ASB Work Internally?

The ASB is organized into security domains, each containing a set of controls. Each control has a unique identifier (e.g., NS-1, IM-1) and includes:

Control title

Description

Guidance (how to implement)

Azure Policy definitions that can enforce the control

Links to relevant documentation

The ASB is versioned (currently v3.0 at the time of writing). Microsoft updates it periodically to reflect new threats and capabilities. The benchmark is available as a downloadable Excel file and as an integrated experience in Azure Security Center (now Microsoft Defender for Cloud) and Azure Policy.

When you perform an architecture review, you map your workload's design decisions against each relevant control. For example, if your workload uses Azure SQL Database, you check if you have enabled Transparent Data Encryption (TDE) and are using Azure Active Directory authentication, as recommended by the ASB.

Key Components, Values, Defaults, and Timers

Security Domains: The ASB is divided into 6 domains: Network Security (NS), Identity Management (IM), Privileged Access (PA), Data Protection (DP), Asset Management (AM), and Logging and Threat Detection (LT). Each domain contains multiple controls.

Controls: There are over 100 controls in the latest version. Each control has a unique ID like NS-1 (implement network segmentation), IM-2 (manage application identities), etc.

Azure Policy Initiatives: Microsoft provides built-in Policy initiatives that map to ASB controls. For example, the "Azure Security Benchmark" initiative includes policies that enforce ASB recommendations. When you assign this initiative to a scope, Azure Policy evaluates resources for compliance.

Compliance Score: In Microsoft Defender for Cloud, you can see a compliance score based on the ASB. The score is calculated as the percentage of controls that are satisfied. Each control can have a weight (e.g., critical controls have higher weight).

Default Values: There are no default values per se, but the ASB guidance often specifies default configurations. For example, NS-1 recommends using Azure Firewall or Network Security Groups (NSGs) to segment networks. The default for a new VNet is to allow all outbound traffic, which is not compliant with NS-1. You must explicitly configure NSGs.

Configuration and Verification Commands

To assess your workload against the ASB, you can use Azure Policy and Microsoft Defender for Cloud.

Assign the ASB Initiative via Azure CLI:

az policy assignment create --name "ASB-Assignment" --scope "/subscriptions/{subscriptionId}" --policy-set-definition "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"

The policy set definition ID corresponds to the built-in "Azure Security Benchmark" initiative.

View Compliance in Defender for Cloud:

az security regulatory-compliance-standards list

Regulatory compliance standards are reported at subscription scope, so the command takes no resource group; it lists the standards (including the Azure Security Benchmark) and their pass/fail state for the current subscription.

Or in the portal, navigate to Microsoft Defender for Cloud > Regulatory compliance > Azure Security Benchmark.

Check Specific Control Compliance: You can use Azure Policy's compliance view to see which resources are non-compliant for a given control.

How the ASB Interacts with Related Technologies

Microsoft Defender for Cloud: Provides continuous assessment of your environment against the ASB. It shows a compliance score and recommendations mapped to controls.

Azure Policy: Enforces ASB controls by evaluating resources against policy definitions. You can automate remediation of non-compliant resources.

Azure Blueprints: Can include ASB policy assignments and RBAC roles to create compliant environments.

Azure Advisor: Offers security recommendations that align with ASB best practices.

Azure Security Documentation: The ASB is the foundation for many security guides and reference architectures.

How to Use the ASB in Architecture Reviews

During an architecture review, you should:

1. Identify the applicable security domains based on the workload's components.

2. For each control in those domains, evaluate whether the design meets the control's guidance.

3. Document any gaps and propose remediations.

4. Use Azure Policy to enforce controls where possible.

5. Continuously monitor compliance via Defender for Cloud.

For example, if your workload includes a web application with a public endpoint, you should check:

NS-1: Is the web application behind a WAF (Azure Application Gateway WAF or Azure Front Door WAF)?

NS-2: Are NSGs configured to restrict inbound traffic to only necessary ports?

IM-1: Is Azure AD used for authentication? Are MFA policies applied?

DP-1: Is data encrypted at rest using customer-managed keys?

LT-1: Are diagnostic logs enabled and sent to a Log Analytics workspace?

Common Pitfalls in Architecture Reviews

Assuming compliance is automatic: Just because a resource is deployed doesn't mean it's compliant. You must explicitly configure security settings.

Ignoring control dependencies: Some controls depend on others. For example, IM-1 (use Azure AD) is a prerequisite for IM-2 (manage application identities).

Overlooking network segmentation: Many architects focus on identity and data but neglect network security controls like NS-1.

Not using Azure Policy: Manual reviews are error-prone. Azure Policy can automatically assess and enforce compliance.

Deep Dive into a Specific Control: NS-1 (Implement Network Segmentation)

NS-1 states: "Implement network segmentation by using virtual network (VNet) peering, network security groups (NSGs), application security groups (ASGs), Azure Firewall, and Azure Virtual Network NAT."

Mechanism:

Use VNets to isolate workloads. Each VNet is a boundary. Peering allows connectivity but does not merge security boundaries.

NSGs act as stateful firewalls at the subnet or NIC level. They contain rules that allow or deny traffic based on source/destination IP, port, and protocol.

ASGs enable grouping of VMs by application role, and NSG rules can reference ASGs as sources or destinations.

Azure Firewall provides centralized network and application-level filtering.

Virtual Network NAT allows outbound connectivity without exposing inbound ports.

Default Values:

A new NSG has no inbound rules (except deny all by default) and one outbound rule allowing all traffic.

By default, all traffic within a VNet is allowed. To segment, you must create NSGs and apply them.

Verification:

Use Azure Network Watcher's IP flow verify to test if traffic is allowed.

Review NSG effective rules.

Common Misconfigurations:

Allowing 0.0.0.0/0 for SSH or RDP.

Not using ASGs, leading to complex NSG rule management.

Not planning for Azure Firewall when many VNets are involved.
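As an added example (not code from the chapter or from Microsoft), the following Python model shows how the NSG mechanism described above is evaluated: rules are matched in priority order, the first match decides, and the platform's DenyAllInbound default catches everything else. The same evaluator answers the "is this flow allowed?" question that Network Watcher's IP flow verify answers, and it is reused to flag the misconfiguration listed above (SSH or RDP allowed from 0.0.0.0/0) and to apply the remediation of restricting those rules to a management subnet. Rule names, priorities, addresses and the probe address are constructed sample data; service tags and the other platform default rules are not modelled.

```python
"""Added example (not code from the chapter or from Microsoft): a toy model of
NSG rule evaluation used to answer "is this flow allowed?" the way Network
Watcher's IP flow verify does, and to flag the NS-1 misconfiguration the chapter
names (SSH/RDP allowed from 0.0.0.0/0). Rule names, priorities and addresses are
constructed sample data; only DenyAllInbound of the platform default rules is
modelled."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

MANAGEMENT_PORTS = (22, 3389)  # SSH and RDP


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int     # lower value is evaluated first; 65000+ are platform defaults
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # IPv4 CIDR or "*" (service tags are not modelled here)
    dest_port: str    # "443", "1000-2000" or "*"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def _source_matches(spec: str, src_ip: str) -> bool:
    # 0.0.0.0/0 is a valid network that contains every IPv4 address
    return spec == "*" or ip_address(src_ip) in ip_network(spec, strict=False)


def evaluate_flow(rules, direction, protocol, src_ip, dest_port):
    """Return (access, rule_name) for the first rule that matches in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", protocol):
            continue
        if _port_matches(rule.dest_port, dest_port) and _source_matches(rule.source, src_ip):
            return rule.access, rule.name
    return "Deny", "implicit-deny"  # only reached if the default DenyAll rule is absent


def exposed_management_ports(rules, probe_ip="203.0.113.10"):
    """Management ports reachable from an arbitrary internet address (TEST-NET-3 probe)."""
    return [p for p in MANAGEMENT_PORTS
            if evaluate_flow(rules, "Inbound", "Tcp", probe_ip, p)[0] == "Allow"]


def restrict_management_sources(rules, mgmt_cidr):
    """Remediation: point any-source Allow rules for a single management port at the
    management subnet (for example, the Azure Bastion subnet). Broader rules such as
    port "*" are left untouched for manual review."""
    fixed = []
    for r in rules:
        single_mgmt_port = r.dest_port.isdigit() and int(r.dest_port) in MANAGEMENT_PORTS
        if (r.direction == "Inbound" and r.access == "Allow"
                and r.source in ("*", "0.0.0.0/0") and single_mgmt_port):
            fixed.append(replace(r, source=mgmt_cidr))
        else:
            fixed.append(r)
    return fixed


# Constructed sample NSG: HTTPS open to the internet (expected for a web tier), SSH open
# to everyone (the NS-1 finding), RDP restricted to a /27 management subnet.
SAMPLE_RULES = [
    NsgRule("AllowHttpsInbound", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    NsgRule("AllowSshInbound", 110, "Inbound", "Allow", "Tcp", "0.0.0.0/0", "22"),
    NsgRule("AllowRdpFromMgmt", 120, "Inbound", "Allow", "Tcp", "10.0.255.0/27", "3389"),
    NsgRule("DenyAllInbound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

if __name__ == "__main__":
    print("exposed management ports:", exposed_management_ports(SAMPLE_RULES))
    fixed = restrict_management_sources(SAMPLE_RULES, "10.0.255.0/27")
    print("after remediation:", exposed_management_ports(fixed))
```

Running the block reports port 22 as exposed for the sample NSG and nothing after the remediation. The probe-based check is deliberately used instead of a textual search for "0.0.0.0/0", so that a higher-priority Deny rule is respected and a source written as "*" is caught as well.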

Conclusion

Mastering the Azure Security Benchmark is crucial for the AZ-305 exam and real-world architecture. You must be able to map controls to specific design decisions, use Azure Policy to enforce them, and continuously monitor compliance. The exam will test your ability to identify which controls apply to a given scenario and what remediation steps are needed.

Walk-Through

1

Identify applicable security domains

Begin by reviewing the workload architecture diagram and listing all Azure services used. Map each service to the relevant ASB security domains. For example, a virtual machine falls under Network Security (NS), Identity Management (IM), Data Protection (DP), and Logging (LT). Use the ASB control matrix to identify which controls are applicable. This step is critical because missing a domain can leave security gaps. In the exam, you might be given a scenario with specific services and asked which controls are most relevant.

2

Evaluate each control against design

For each applicable control, examine the current design decisions. For instance, if the control is DP-1 (data at rest encryption), check if all storage accounts, SQL databases, and disks have encryption enabled. If encryption is enabled, verify the key type (platform-managed vs. customer-managed). Document any deviations from the control's guidance. In the exam, you may be asked to identify whether a design meets a specific control requirement.

3

Document gaps and propose remediations

For each deviation, create a finding that describes the gap and a remediation plan. For example, if a storage account does not have encryption enabled, the remediation is to enable encryption. Prioritize based on control severity. Critical controls (e.g., IM-1: use Azure AD for authentication) should be addressed immediately. In the exam, you might be asked to recommend a remediation for a non-compliant resource.

4

Assign Azure Policy to enforce controls

To automate compliance, assign the built-in Azure Security Benchmark policy initiative to the subscription or management group. This initiative includes policies that evaluate resources against ASB controls. You can configure remediation tasks to automatically fix non-compliant resources. For example, a policy can automatically enable encryption on storage accounts. In the exam, you may be asked how to enforce ASB controls at scale.

5

Monitor compliance continuously

Use Microsoft Defender for Cloud's regulatory compliance dashboard to track the workload's compliance score against the ASB. Set up alerts for when the score drops below a threshold. Regularly review recommendations and address new non-compliant resources. In the exam, you might be asked how to monitor ASB compliance or what tool provides the compliance score.
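The five review steps above, the checklist in "How to Use the ASB in Architecture Reviews" and the compliance-score definition in "Key Components" describe one procedure; the following Python block is an added example (not code from the chapter or from Microsoft) that carries that procedure through on a constructed design: it derives the applicable controls from the resource types present, evaluates each control, records findings with remediations, and computes the score as the weighted percentage of satisfied controls. The domain mapping, the check logic for NS-1, NS-2, IM-1, DP-1 and LT-1, the control weights and the sample design are all assumptions made for the example, not the benchmark's own definitions.

```python
"""Added example (not from the chapter or from Microsoft): a runnable model of
the architecture review procedure (identify domains, evaluate controls, document
gaps, compute the compliance score). Domain mapping, checks, weights and the
sample design are constructed assumptions."""
from dataclasses import dataclass

# Step 1 input: which ASB domains a resource type brings into scope (assumed mapping).
DOMAINS_BY_TYPE = {
    "web_app": {"NS", "IM", "LT"},
    "sql_database": {"DP", "IM", "LT"},
    "storage_account": {"DP", "LT"},
    "subnet": {"NS"},
}


@dataclass(frozen=True)
class Finding:
    control: str
    resource: str
    gap: str
    remediation: str


# Step 2 checks: each returns (gap, remediation) when the resource deviates, else None.
def check_ns1(r):
    if r.get("public_endpoint") and not r.get("waf"):
        return ("public endpoint without WAF", "front with Application Gateway WAF or Front Door WAF")
    return None


def check_ns2(r):
    if r["type"] == "subnet" and not r.get("nsg_attached"):
        return ("subnet has no NSG", "attach an NSG restricting inbound traffic to required ports")
    return None


def check_im1(r):
    if "identity" in r:
        if r["identity"] != "AzureAD":
            return ("not using Azure AD authentication", "switch authentication to Azure AD")
        if not r.get("mfa"):
            return ("MFA not enforced", "apply a Conditional Access policy requiring MFA")
    return None


def check_dp1(r):
    if r["type"] in ("sql_database", "storage_account"):
        if not r.get("encrypted"):
            return ("not encrypted at rest", "enable encryption at rest")
        if r.get("key_type") != "customer-managed":
            return ("platform-managed keys", "use customer-managed keys in Azure Key Vault")
    return None


def check_lt1(r):
    if r["type"] != "subnet" and not r.get("diagnostics_workspace"):
        return ("diagnostic logs not collected", "enable diagnostic settings to a Log Analytics workspace")
    return None


# Control catalogue: id -> (domain, weight, check). Weights are assumed; the chapter
# only says that critical controls carry more weight.
CONTROLS = {
    "NS-1": ("NS", 3, check_ns1),
    "NS-2": ("NS", 2, check_ns2),
    "IM-1": ("IM", 3, check_im1),
    "DP-1": ("DP", 2, check_dp1),
    "LT-1": ("LT", 1, check_lt1),
}


def applicable_controls(design):
    """Step 1: controls whose domain is brought into scope by the resource types present."""
    domains = set()
    for r in design:
        domains |= DOMAINS_BY_TYPE[r["type"]]
    return sorted(c for c, (domain, _, _) in CONTROLS.items() if domain in domains)


def review(design):
    """Steps 2 and 3: evaluate every applicable control against every resource, collect
    findings, and score the design as the weighted share of controls with no findings."""
    applicable = applicable_controls(design)
    findings = []
    for control in applicable:
        _, _, check = CONTROLS[control]
        for r in design:
            result = check(r)
            if result is not None:
                findings.append(Finding(control, r["name"], *result))
    failed = {f.control for f in findings}
    total = sum(CONTROLS[c][1] for c in applicable)
    satisfied = sum(CONTROLS[c][1] for c in applicable if c not in failed)
    score = round(100 * satisfied / total, 1) if total else 100.0
    return findings, score


# Constructed sample design loosely following the bank scenario: WAF in place, NSG attached,
# but MFA missing on the web tier, platform-managed TDE keys and no SQL diagnostics.
SAMPLE_DESIGN = [
    {"name": "web-frontend", "type": "web_app", "public_endpoint": True, "waf": True,
     "identity": "AzureAD", "mfa": False, "diagnostics_workspace": "law-prod"},
    {"name": "app-subnet", "type": "subnet", "nsg_attached": True},
    {"name": "orders-db", "type": "sql_database", "encrypted": True, "key_type": "platform-managed",
     "identity": "AzureAD", "mfa": True, "diagnostics_workspace": None},
    {"name": "docs-storage", "type": "storage_account", "encrypted": True,
     "key_type": "customer-managed", "diagnostics_workspace": "law-prod"},
]

if __name__ == "__main__":
    findings, score = review(SAMPLE_DESIGN)
    for f in findings:
        print(f"{f.control} {f.resource}: {f.gap} -> {f.remediation}")
    print(f"compliance score: {score}%")
```

For the sample design the review yields three findings (DP-1 and LT-1 on the database, IM-1 on the web tier) and a score of 45.5%, because only the two network controls (weight 5 of 11) are satisfied; applying the three remediations and re-running the review brings the score to 100%. Note that a control counts as failed if any one resource deviates, which mirrors how a single non-compliant resource pulls down the control in Defender for Cloud.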

What This Looks Like on the Job

Enterprise Scenario 1: Financial Services Workload

A large bank deploys a multi-tier application on Azure, including web servers, application servers, and a SQL database. The compliance team requires alignment with the Azure Security Benchmark to meet regulatory obligations. The architect reviews the design: the web servers are in a public subnet with an NSG allowing HTTPS from the internet. However, the NSG also allows SSH from a wide IP range (0.0.0.0/0) for management. This violates NS-1 (network segmentation) and IM-1 (identity management). The architect recommends using Azure Bastion for management (IM-1) and restricting NSG rules to only necessary IPs (NS-1). The database uses TDE but with platform-managed keys; DP-1 recommends customer-managed keys for sensitive data. The architect proposes using Azure Key Vault and customer-managed keys. After implementing these changes, the workload achieves an ASB compliance score of 95%. The remaining 5% is due to a known limitation in a legacy component. Continuous monitoring via Defender for Cloud alerts the team if the score drops.

Enterprise Scenario 2: Healthcare Application with HIPAA

A healthcare provider deploys an API service that processes patient data. They must comply with HIPAA, and the ASB provides a mapping to HIPAA controls. During the architecture review, the architect checks: are all storage accounts encrypted? Yes. Is Azure AD used for authentication? Yes, but MFA is not enforced for all users. This violates IM-1. The architect recommends conditional access policies to enforce MFA. Also, diagnostic logs are not enabled for the API Management service, violating LT-1. The architect enables diagnostic settings and streams logs to a Log Analytics workspace. The architect also assigns the ASB policy initiative and sets up automatic remediation for encryption. After remediation, the workload passes internal audit.

Common Misconfigurations in Production

Overuse of NSGs: Some architects create too many NSGs without using ASGs, leading to rule explosion. Best practice is to use ASGs to group VMs by role and reference them in NSG rules.

Ignoring Azure Policy: Many organizations rely on manual reviews, which are inconsistent. Azure Policy can enforce ASB controls automatically.

Not updating the ASB version: The ASB is updated; using an outdated version may miss new controls. Always use the latest version.

Not mapping to compliance frameworks: The ASB maps to many frameworks. Architects should leverage these mappings to satisfy multiple requirements simultaneously.

How AZ-305 Actually Tests This

What AZ-305 Tests on the Azure Security Benchmark

AZ-305 objective 1.2 (Design Identity Governance) includes evaluating security posture using the Azure Security Benchmark. Specifically, you must be able to:

Identify the components of the Azure Security Benchmark.

Map security controls to architecture decisions.

Recommend Azure Policy and Defender for Cloud to enforce compliance.

Interpret compliance scores and remediation recommendations.

Common Wrong Answers and Why Candidates Choose Them

1.

Choosing Azure Policy as a security framework instead of a tool: Candidates often think Azure Policy is the benchmark itself. Wrong: Azure Policy is the enforcement engine; the ASB is the framework.

2.

Thinking ASB is a compliance certification: Some believe achieving ASB compliance means the workload is certified (e.g., SOC 2). Wrong: ASB is a set of best practices, not a certification.

3.

Ignoring network controls: Many exam questions focus on identity and data, but network controls like NS-1 are equally important. Candidates may overlook them.

4.

Assuming all controls are mandatory: The ASB provides guidance; some controls may not apply based on the workload. Candidates often mark all controls as required.

Specific Numbers and Terms on the Exam

The ASB has 6 domains and over 100 controls.

The built-in policy initiative ID for ASB is 1f3afdf9-d0c9-4c3d-847f-89da613e70a8.

Compliance score is a percentage.

Controls have unique IDs like NS-1, IM-1, etc.

The ASB is updated periodically; v3.0 is current.

Edge Cases and Exceptions

Hybrid workloads: ASB applies to Azure resources, but for on-premises components, you must use other frameworks.

Third-party services: If a workload uses a third-party service (e.g., a SaaS application), the ASB may not cover it. You must rely on the vendor's compliance.

Unsupported resources: Some Azure resources are not yet covered by ASB controls. In that case, use general security best practices.

How to Eliminate Wrong Answers

If a question asks for a tool to enforce ASB, the answer is Azure Policy (or Defender for Cloud for monitoring).

If a question asks for a framework to guide security, the answer is Azure Security Benchmark.

If a question mentions compliance score, the answer is Defender for Cloud.

Eliminate answers that suggest manual processes when automation exists.

Key Takeaways

The Azure Security Benchmark (ASB) is a set of security best practices organized into 6 domains: Network Security, Identity Management, Privileged Access, Data Protection, Asset Management, and Logging & Threat Detection.

ASB controls have unique IDs like NS-1, IM-1, etc. You must be able to map these to specific architectural decisions.

Azure Policy and Microsoft Defender for Cloud are the primary tools to enforce and monitor ASB compliance.

The built-in Azure Security Benchmark policy initiative ID is 1f3afdf9-d0c9-4c3d-847f-89da613e70a8.

ASB compliance score is a percentage shown in Defender for Cloud. A high score does not guarantee absolute security.

During architecture reviews, evaluate each applicable control and document gaps with remediation plans.

The ASB is versioned; always use the latest version for reviews.

Common exam traps include confusing ASB with Azure Policy or thinking it's a certification.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure Security Benchmark

Focuses on Azure-specific controls

Organized into 6 domains

Includes over 100 controls

Maps to compliance frameworks like NIST, CIS

Used for architecture reviews and compliance

Microsoft Cloud Security Benchmark (MCSB)

Broader: covers Microsoft 365, Dynamics 365, and Azure

Organized into security principles and capabilities

Includes controls for multi-cloud and hybrid environments

Maps to the same frameworks but more comprehensive

Used for overall Microsoft cloud security posture

Watch Out for These

Mistake

The Azure Security Benchmark is the same as Azure Policy

Correct

The Azure Security Benchmark is a framework of security controls. Azure Policy is a service that can enforce those controls through built-in initiatives. They are not the same.

Mistake

Achieving 100% ASB compliance means the workload is fully secure

Correct

ASB compliance indicates adherence to best practices, but no framework covers all threats. A workload can be compliant yet still vulnerable to zero-day attacks or misconfigurations not covered by the benchmark.

Mistake

ASB controls are mandatory for all Azure workloads

Correct

ASB controls are recommendations. Some controls may not apply to a workload (e.g., if the workload does not use a particular service). You should apply only relevant controls.

Mistake

The ASB is only for security teams, not architects

Correct

Architects must integrate ASB controls into the design phase. Waiting until after deployment leads to costly rework. The exam tests architects on applying ASB during design.

Mistake

ASB compliance can only be checked manually

Correct

Microsoft Defender for Cloud and Azure Policy automate compliance assessment and enforcement. Manual checks are not scalable.


Frequently Asked Questions

What is the difference between Azure Security Benchmark and Azure Policy?

The Azure Security Benchmark (ASB) is a framework of security controls and best practices. Azure Policy is a service that enforces rules on Azure resources. Microsoft provides a built-in policy initiative that maps to ASB controls, allowing you to automatically assess and enforce compliance. In short, ASB defines what to do; Azure Policy helps you do it.

How do I use Azure Security Benchmark in an architecture review?

First, identify which ASB domains apply to your workload (e.g., Network Security for VMs, Data Protection for storage). Then, for each control in those domains, evaluate whether your design meets the control's guidance. Document gaps and propose remediations. Use Azure Policy to enforce controls and Defender for Cloud to monitor compliance. The exam expects you to know this process.

Can I achieve 100% compliance with Azure Security Benchmark?

It is possible but may not be practical for all workloads. Some controls may not apply, and some legacy services may not support certain controls. Additionally, compliance is a point-in-time assessment; new resources or changes can reduce the score. Aim for high compliance but prioritize critical controls.

Does Azure Security Benchmark guarantee my workload is secure?

No. ASB covers many best practices but cannot protect against all threats, such as zero-day exploits or insider threats. It is a baseline; you should supplement with additional security measures like threat detection, incident response, and regular penetration testing.

How often is the Azure Security Benchmark updated?

Microsoft updates the ASB periodically to reflect new threats, services, and best practices. Major versions are released approximately yearly. Always check for the latest version when performing architecture reviews.

What is the difference between ASB and Microsoft Cloud Security Benchmark (MCSB)?

ASB is Azure-specific, while MCSB covers the entire Microsoft cloud (Azure, Microsoft 365, Dynamics 365). MCSB is broader and includes controls for multi-cloud and hybrid scenarios. For AZ-305, focus on ASB as it is Azure-specific.

How does Azure Security Benchmark map to other compliance frameworks?

Microsoft provides mapping documents that show how ASB controls correspond to controls in frameworks like NIST SP 800-53, CIS Controls, ISO 27001, and FedRAMP. This helps organizations satisfy multiple compliance requirements with a single set of controls.

