This chapter covers the Microsoft Cloud Security Benchmark (MCSB), the foundational framework for securing Azure environments and a core topic in AZ-500 Security Operations. MCSB is the successor to the Azure Security Benchmark and is directly referenced in exam objectives under Security Operations (4.3). Approximately 10-15% of AZ-500 questions involve applying MCSB controls, interpreting compliance reports, or integrating with Azure Policy and Defender for Cloud. Mastery of MCSB is essential for understanding how Azure security baselines are defined, monitored, and enforced.
The Microsoft Cloud Security Benchmark (MCSB) is like a comprehensive building code for constructing and operating a secure skyscraper. Just as a building code specifies minimum requirements for fire exits, load-bearing walls, and electrical wiring to ensure safety, MCSB provides a set of security controls and best practices across domains like identity, network, and data protection. An architect (security architect) uses the code to design the building (cloud environment), while inspectors (auditors) verify compliance. The code is not a blueprint but a set of rules that must be interpreted and applied to each unique building. Similarly, MCSB is not a specific configuration but a framework of controls that you implement using Azure Policy, Defender for Cloud, and other services. The code is updated periodically to address new threats, just as MCSB evolves with the threat landscape. A building that meets code is not invulnerable—it is designed to withstand expected stresses and provide safe egress. Likewise, an environment that follows MCSB is not unhackable but achieves a known baseline of security hygiene. The analogy is mechanistic because, like building codes, MCSB defines specific requirements (e.g., 'enable MFA for all users') that are measured and enforced through automated tools (e.g., Azure Policy), and failure to comply can be flagged and remediated. Understanding this helps you see MCSB as a prescriptive, actionable set of controls rather than abstract guidance.
What is the Microsoft Cloud Security Benchmark?
The Microsoft Cloud Security Benchmark (MCSB) is a set of security best practices and controls that Microsoft publishes as a framework for securing cloud workloads on Azure, Microsoft 365, and other Microsoft cloud services. It replaces the Azure Security Benchmark (ASB) and provides a unified, comprehensive set of security recommendations. MCSB is aligned with industry standards such as NIST SP 800-53, CIS Controls, and PCI DSS, but it is tailored to the Microsoft cloud environment. The benchmark is organized into security domains (e.g., Identity Management, Network Security, Data Protection) and includes specific control IDs, descriptions, and implementation guidance.
Why MCSB Exists
MCSB exists to provide a consistent, authoritative baseline for cloud security. Before MCSB, organizations had to piece together guidance from multiple sources. MCSB simplifies compliance by offering a single source of truth that maps to multiple regulatory frameworks. For example, an organization subject to both NIST and PCI DSS can use MCSB to meet both requirements simultaneously because Microsoft has mapped each MCSB control to the relevant controls in those frameworks. This reduces duplication of effort and ensures a comprehensive security posture.
How MCSB Works Internally
MCSB is not a tool but a document (JSON/PDF) that defines controls. However, it is operationalized through Azure services:
Azure Policy: MCSB controls are encoded as Azure Policy definitions (built-in initiatives). The built-in initiative "Microsoft Cloud Security Benchmark" includes over 200 policy definitions that enforce or audit specific configurations. For example, the control "Enable MFA" maps to a policy that audits whether MFA is enabled for all users with owner permissions.
Microsoft Defender for Cloud: Defender for Cloud uses MCSB as its compliance dashboard. When you enable Defender for Cloud, it automatically assesses your environment against MCSB controls and provides a compliance score. Each control is tested, and results are shown as passed/failed resources.
Regulatory Compliance Dashboard: In Defender for Cloud, you can select MCSB as a compliance standard. The dashboard shows the percentage of controls satisfied and provides remediation steps for failed controls.
Key Components, Values, Defaults, and Timers
Control Domains: MCSB covers 6 domains: Network Security (NS), Identity Management (IM), Privileged Access (PA), Data Protection (DP), Asset Management (AM), and Logging and Threat Detection (LT). Each domain contains multiple controls.
Control ID Format: Each control has a unique ID like "NS-1" (Network Security control 1). The exam expects you to recognize these IDs and their domain.
Built-in Initiative: The Azure Policy initiative for MCSB has a specific ID: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8. You can assign it at any scope (management group, subscription, resource group).
Assessment Frequency: Defender for Cloud scans resources continuously but refreshes compliance state every 24 hours by default. You can trigger an on-demand assessment with an Azure Policy compliance scan (az policy state trigger-scan) rather than waiting for the next refresh.
Default Score: When you first enable Defender for Cloud, your initial compliance score is typically low because many controls are not met. The score is calculated as (passed controls / total applicable controls) * 100.
Configuration and Verification Commands
To assign the MCSB initiative via Azure CLI:
az policy assignment create --name "MCSB-Assignment" --policy-set-definition "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8" --scope /subscriptions/{subscriptionId}
To view the compliance state of a single resource, filtered to the MCSB initiative:
az policy state list --resource "/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vmName}" --query "[?policySetDefinitionName=='1f3afdf9-d0c9-4c3d-847f-89da613e70a8']"
In Defender for Cloud, navigate to the Regulatory compliance blade, select Microsoft Cloud Security Benchmark, and review the compliance score and control details.
How MCSB Interacts with Related Technologies
Azure Policy: MCSB controls are implemented as policy definitions. Assigning the MCSB initiative enables automatic auditing of resources.
Microsoft Defender for Cloud: Provides the compliance dashboard, security alerts, and recommendations based on MCSB.
Azure Blueprints: Can include the MCSB initiative as part of a blueprint to enforce compliance at deployment time.
Microsoft Sentinel: Can ingest compliance data from Defender for Cloud to create custom workbooks and alerts.
Microsoft 365 Defender: MCSB also covers Microsoft 365 services; controls for Exchange Online, SharePoint, etc., are assessed via Microsoft Secure Score.
Detailed Control Example: NS-1 (Implement Security for Internal Traffic)
Control NS-1 requires restricting network access to resources based on business need. The associated policy checks for:
Network Security Groups (NSGs) with rules that allow 'Any' source or destination.
Azure Firewall policies that permit unrestricted egress.
Virtual network peering that is not encrypted.
If a resource fails, Defender for Cloud provides a recommendation like "All network ports should be restricted on network security groups." Remediation involves modifying NSG rules to be more restrictive.
Exam-Relevant Details
MCSB is the only benchmark that Microsoft recommends as the Azure security baseline. It supersedes ASB.
The exam may ask which service is used to monitor compliance with MCSB: answer is Defender for Cloud (formerly Azure Security Center).
The built-in policy initiative name is exactly "Microsoft Cloud Security Benchmark" (not "Azure Security Benchmark").
MCSB supports multiple regulatory frameworks: CIS, NIST, PCI DSS, etc. It provides a unified view.
Controls are categorized by domain; you may need to identify which domain a control belongs to (e.g., IM-1 is Identity Management).
Common Misconfigurations
Assigning the MCSB initiative at resource group level instead of subscription: Policies should be assigned at a higher scope for comprehensive coverage.
Not enabling Defender for Cloud: Without Defender for Cloud, you cannot view the compliance score or get recommendations.
Ignoring failed controls: The exam emphasizes that you should remediate failed controls to improve security posture.
Confusing MCSB with Azure Policy: MCSB is the benchmark; Azure Policy is the enforcement mechanism.
Summary of Mechanism
Microsoft publishes MCSB as a set of controls.
Azure Policy defines built-in policies that map to each control.
Defender for Cloud evaluates resources against these policies and provides a compliance score.
Administrators review the dashboard, identify failed controls, and implement remediation.
Compliance is continuously monitored and updated every 24 hours.
This cycle ensures that Azure environments remain aligned with Microsoft's security best practices.
Access the MCSB Dashboard
Navigate to Microsoft Defender for Cloud in the Azure portal. Under the 'Regulatory compliance' section, select 'Microsoft Cloud Security Benchmark' from the list of available standards. This dashboard shows the overall compliance score, broken down by control domain. The score is calculated as the percentage of passed controls out of total applicable controls. For example, if 150 controls apply to your environment and 120 are compliant, the score is 80%. The dashboard also lists each control with its status (Passed/Failed) and the number of affected resources.
Review Failed Controls and Resources
Click on a failed control to see which specific resources are non-compliant. For instance, control 'NS-1: Implement security for internal traffic' might show that a particular NSG allows inbound traffic from 'Any' on port 3389. The dashboard provides a list of resources with the failing policy evaluation. Each resource is linked to its Azure resource page for further investigation. The compliance state is updated every 24 hours, but you can trigger an on-demand scan using Azure Policy's 'Trigger evaluation' action.
Identify Remediation Steps
For each failed control, Defender for Cloud offers a 'Remediation steps' link. This opens a detailed guide specific to the control. For example, for NS-1, the remediation might be to modify the NSG rule to restrict source IP addresses to a specific range or use Azure Firewall. The steps include Azure CLI commands, PowerShell scripts, or manual portal instructions. The exam expects you to know that remediation is guided but not automated unless you use 'Quick Fix' or Azure Policy's 'DeployIfNotExists' effect.
Implement Remediation
Apply the recommended changes to the non-compliant resources. This could involve editing NSG rules, enabling encryption, or configuring diagnostic settings. For example, to fix a failed 'DP-1: Data at rest encryption' control, you might need to enable Azure Disk Encryption on a virtual machine. After making changes, the compliance state will update on the next scan (up to 24 hours). You can expedite by running 'az policy state trigger-scan' for the subscription.
Verify Compliance Improvement
After remediation, return to the MCSB dashboard and verify that the control status changes to 'Passed'. The overall compliance score should increase. If the control remains failed, check if the policy evaluation has been refreshed (use 'az policy state list' to check current state). Also ensure that the remediation was applied correctly—for example, if you changed an NSG rule but the resource is still showing as non-compliant, the policy might be checking a different property. Use the 'View policy definition' link to understand the exact condition.
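The score formula from "Key Components" and the review, remediate, verify loop above, as an added example that is not code from the chapter or from any Microsoft tool. It models how a compliance score is derived from per-resource evaluations: a control is Passed only when every applicable resource passes, NotApplicable controls are excluded, and a remediated resource raises the score on the next scan. The evaluation records, their field names and the Passed/Failed/NotApplicable vocabulary are constructed for illustration and are not the real az policy state list schema.

```python
from collections import defaultdict

# Domain prefixes as listed in the chapter's "Control ID Format" entry.
DOMAINS = {
    "NS": "Network Security", "IM": "Identity Management",
    "PA": "Privileged Access", "DP": "Data Protection",
    "AM": "Asset Management", "LT": "Logging and Threat Detection",
}

# Constructed per-resource evaluations (assumption: illustrative field names
# and status values, not the real `az policy state list` output).
EVALUATIONS = [
    {"control": "NS-1", "resource": "nsg-web-01", "status": "Failed"},        # inbound Any on 3389
    {"control": "NS-1", "resource": "nsg-app-01", "status": "Passed"},
    {"control": "NS-2", "resource": "vnet-prod",  "status": "Passed"},
    {"control": "IM-1", "resource": "tenant",     "status": "Passed"},
    {"control": "PA-1", "resource": "tenant",     "status": "Failed"},        # owner without MFA
    {"control": "DP-1", "resource": "vm-db-01",   "status": "Passed"},
    {"control": "DP-3", "resource": "sub-prod",   "status": "NotApplicable"}, # no SQL databases
    {"control": "AM-1", "resource": "sub-prod",   "status": "Passed"},
    {"control": "LT-6", "resource": "sub-prod",   "status": "Passed"},
]

def domain_of(control_id):
    """Map 'NS-1' -> 'Network Security'; reject IDs outside the six domains."""
    prefix, _, number = control_id.partition("-")
    if prefix not in DOMAINS or not number.isdigit():
        raise ValueError(f"unrecognised MCSB control ID: {control_id}")
    return DOMAINS[prefix]

def control_status(evals):
    """A control passes only if every applicable resource passes; with no
    applicable resources it is NotApplicable and is excluded from the score."""
    applicable = [e for e in evals if e["status"] != "NotApplicable"]
    if not applicable:
        return "NotApplicable"
    return "Passed" if all(e["status"] == "Passed" for e in applicable) else "Failed"

def compliance_report(evals):
    """Score = passed / applicable controls * 100, plus a per-domain split and
    the failing resources to investigate for each failed control."""
    by_control = defaultdict(list)
    for e in evals:
        by_control[e["control"]].append(e)
    status = {c: control_status(v) for c, v in by_control.items()}
    applicable = {c: s for c, s in status.items() if s != "NotApplicable"}
    passed = sum(s == "Passed" for s in applicable.values())
    by_domain = defaultdict(lambda: [0, 0])  # domain -> [passed, applicable]
    for c, s in applicable.items():
        by_domain[domain_of(c)][1] += 1
        by_domain[domain_of(c)][0] += s == "Passed"
    failing = {c: sorted(e["resource"] for e in by_control[c] if e["status"] == "Failed")
               for c, s in status.items() if s == "Failed"}
    score = round(100 * passed / len(applicable)) if applicable else 0
    return {"score": score, "passed": passed, "applicable": len(applicable),
            "status": status, "by_domain": {d: tuple(v) for d, v in by_domain.items()},
            "failing_resources": failing}

def mark_remediated(evals, control, resource):
    """Return the evaluations as the next scan would see them once the named
    resource has been fixed for the given control."""
    return [dict(e, status="Passed") if e["control"] == control and e["resource"] == resource
            else e for e in evals]

if __name__ == "__main__":
    before = compliance_report(EVALUATIONS)
    print(f"score {before['score']}% ({before['passed']}/{before['applicable']}), "
          f"failing: {before['failing_resources']}")
    after = compliance_report(mark_remediated(EVALUATIONS, "NS-1", "nsg-web-01"))
    print(f"after NS-1 remediation: {after['score']}%")
```

With the constructed data the score starts at 71% (5 of 7 applicable controls; DP-3 is excluded) and rises to 86% once the single failing NSG under NS-1 is fixed, which is the kind of change you verify on the dashboard after the next scan.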
Scenario 1: Financial Services Compliance
A large bank migrating to Azure must comply with PCI DSS and NIST SP 800-53. They use MCSB as a single baseline that maps to both frameworks. The security team assigns the MCSB Azure Policy initiative at the management group level to cover all subscriptions. In Defender for Cloud, they enable the regulatory compliance dashboard and select MCSB. Initially, they have a 45% compliance score. The biggest gaps are in network security (NS-1, NS-2) and identity controls (IM-1, IM-2). The team prioritizes remediation: they implement Azure Firewall to restrict egress traffic, enable MFA for all privileged users, and configure NSGs with least-privilege access. After two months, the score rises to 92%. The bank's auditor accepts MCSB compliance reports as evidence for PCI DSS, reducing audit effort by 60%. The key lesson: MCSB provides a single source of truth that satisfies multiple regulatory requirements, but it requires continuous monitoring and remediation.
Scenario 2: SaaS Provider with Multi-Tenant Environment
A SaaS company runs hundreds of customer environments in separate Azure subscriptions. They need to enforce a consistent security baseline across all tenants. They use Azure Policy with the MCSB initiative assigned at the management group level, with exclusions for specific subscriptions that require custom controls. They also use Azure Blueprints to deploy new subscriptions with the MCSB initiative pre-assigned. Defender for Cloud alerts them when a new subscription has a low compliance score. They have automated remediation using Azure Policy's 'DeployIfNotExists' effect for common controls like enabling diagnostic logs. However, they discovered that not all controls can be auto-remediated—for example, enabling MFA requires user interaction. They built a custom workflow using Logic Apps to notify subscription owners when MFA is missing. Performance considerations: with over 500 subscriptions, the compliance dashboard can be slow to load; they use Azure Resource Graph to query compliance data efficiently.
Scenario 3: Healthcare Organization with Hybrid Environment
A hospital uses Azure for patient data storage and must comply with HIPAA. They adopt MCSB but find that some controls (e.g., LT-6: Enable logging for Azure resources) require additional configuration like enabling Azure Activity Log diagnostics. They also have on-premises servers that are not covered by MCSB. To bridge the gap, they use Azure Arc to project on-premises resources into Azure and apply Azure Policy with MCSB controls to those resources as well. This gives a unified compliance view. A common mistake: they initially assigned the MCSB initiative only to the subscription containing the SQL databases, but forgot to include the subscription hosting the VMs. This led to a false sense of security. After reassigning at the management group level, they achieved full coverage. The lesson: always assign at the highest scope necessary.
What AZ-500 Tests on MCSB
The AZ-500 exam objective 4.3 (Security Operations) explicitly includes: 'Interpret Microsoft Cloud Security Benchmark recommendations.' Expect questions that test your ability to:
Identify which Azure service provides MCSB compliance monitoring (Defender for Cloud).
Recognize the name of the built-in policy initiative ('Microsoft Cloud Security Benchmark').
Understand that MCSB replaces the Azure Security Benchmark.
Map a given control to its domain (e.g., 'NS-1' belongs to Network Security).
Know the remediation steps for common failed controls (e.g., enabling MFA, restricting network access).
Differentiate between MCSB and other compliance standards (CIS, NIST, PCI DSS).
Common Wrong Answers and Why
1. Wrong Answer: 'Azure Policy is used to monitor compliance with MCSB.' Why Chosen: Candidates know Azure Policy enforces rules, but they miss that Defender for Cloud provides the compliance dashboard and monitoring. The correct answer is 'Microsoft Defender for Cloud.' Azure Policy is the enforcement mechanism, not the monitoring tool.
2. Wrong Answer: 'The Azure Security Benchmark (ASB) is the current benchmark.' Why Chosen: ASB was the previous name. Microsoft rebranded to MCSB in 2022. The exam uses the new name. If you see 'ASB' in an answer, it is likely a distractor.
3. Wrong Answer: 'MCSB controls are automatically remediated.' Why Chosen: Some controls have 'DeployIfNotExists' policies that auto-remediate, but not all. The exam tests that remediation is often manual or requires custom automation.
4. Wrong Answer: 'MCSB only applies to Azure workloads.' Why Chosen: MCSB also covers Microsoft 365 and other Microsoft cloud services. The exam may include a question about MCSB for Office 365.
Specific Numbers and Terms
Initiative ID: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Domains: NS, IM, PA, DP, AM, LT (the initials in that order, NIP-DAL, make a handy mnemonic).
Compliance score refresh: 24 hours (default).
Number of built-in policies in MCSB initiative: over 200.
Supported frameworks: NIST SP 800-53, CIS Controls, PCI DSS, ISO 27001, etc.
Edge Cases and Exceptions
MCSB controls are not all applicable to every resource type. For example, a control about SQL auditing only applies to SQL databases. The exam may ask which resources are affected by a specific control.
If you assign the MCSB initiative at a scope, resources at that scope and below are evaluated. Resources in a different subscription are not affected unless the initiative is assigned there.
The compliance score can be misleading if some controls are not applicable. Defender for Cloud automatically filters out non-applicable controls.
How to Eliminate Wrong Answers
Use the underlying mechanism: MCSB is a framework of controls; Azure Policy enforces them; Defender for Cloud monitors compliance. If a question asks about 'monitoring,' the answer must involve Defender for Cloud. If it asks about 'enforcement,' think Azure Policy. Also, remember that MCSB is not a tool—it is a document/standard. So answers that say 'MCSB is a tool' are incorrect.
MCSB is the official Microsoft security baseline framework, replacing Azure Security Benchmark (ASB).
Defender for Cloud provides the compliance dashboard for MCSB; Azure Policy enforces the controls.
The built-in Azure Policy initiative is named 'Microsoft Cloud Security Benchmark' with ID 1f3afdf9-d0c9-4c3d-847f-89da613e70a8.
MCSB covers 6 domains: Network Security (NS), Identity Management (IM), Privileged Access (PA), Data Protection (DP), Asset Management (AM), and Logging and Threat Detection (LT).
Compliance score is updated every 24 hours by default; on-demand scans are possible.
MCSB maps to multiple regulatory standards (NIST, CIS, PCI DSS, ISO 27001), providing a unified compliance view.
Remediation is not automatic; you must manually apply changes or use Azure Policy 'DeployIfNotExists' effects.
On the exam, remember that MCSB is a framework, not a tool; monitoring is done via Defender for Cloud.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Cloud Security Benchmark (MCSB)
Published by Microsoft, aligned with multiple regulatory frameworks (NIST, PCI, etc.).
Includes over 200 controls organized into 6 domains.
Integrated natively into Defender for Cloud and Azure Policy.
Covers Azure, Microsoft 365, and other Microsoft cloud services.
Recommended by Microsoft as the primary security baseline.
CIS Microsoft Azure Foundations Benchmark
Published by the Center for Internet Security (CIS), a third-party organization.
Contains fewer controls (around 150) focused specifically on Azure.
Available as a separate Azure Policy initiative but also in Defender for Cloud.
Only covers Azure, not Microsoft 365.
Often used for specific compliance requirements (e.g., CIS controls).
Mistake
MCSB is the same as the Azure Security Benchmark (ASB).
Correct
MCSB supersedes ASB. While similar, MCSB includes additional controls and covers Microsoft 365 and other cloud services. The exam uses the term 'Microsoft Cloud Security Benchmark' exclusively.
Mistake
MCSB automatically fixes non-compliant resources.
Correct
MCSB itself does not fix anything. It is a set of recommendations. Remediation must be performed manually or via Azure Policy with 'DeployIfNotExists' or 'Modify' effects, but these are not automatic for all controls.
Mistake
MCSB compliance score is updated in real-time.
Correct
The compliance score is refreshed every 24 hours by default. You can trigger an on-demand scan using Azure Policy's evaluation trigger, but continuous real-time updates are not available.
Mistake
MCSB only applies to Azure IaaS resources.
Correct
MCSB covers PaaS, SaaS, and Microsoft 365 services as well. For example, controls exist for Azure SQL Database, Storage Accounts, and Exchange Online.
Mistake
You need to purchase a separate license to use MCSB.
Correct
MCSB is free and built into Microsoft Defender for Cloud. However, some advanced features of Defender for Cloud (like continuous export) require a paid tier (Defender for Cloud Plan 1 or 2).
MCSB is the successor to the Azure Security Benchmark (ASB). Microsoft rebranded ASB to MCSB in 2022 to reflect that it covers not only Azure but also Microsoft 365 and other Microsoft cloud services. The controls are largely similar, but MCSB includes additional controls for Microsoft 365 and aligns with more regulatory frameworks. On the AZ-500 exam, always refer to 'Microsoft Cloud Security Benchmark' as the current framework.
Enable Microsoft Defender for Cloud (formerly Azure Security Center) at the subscription level. Then navigate to the 'Regulatory compliance' blade, click 'Manage compliance standards,' and add 'Microsoft Cloud Security Benchmark.' Defender for Cloud will automatically start assessing your resources against the MCSB controls. You can also assign the built-in Azure Policy initiative 'Microsoft Cloud Security Benchmark' to enforce the controls.
Yes, MCSB covers Microsoft 365 services. Controls for identity, data protection, and logging apply to Microsoft 365. However, the compliance assessment for Microsoft 365 is done via Microsoft Secure Score, not Defender for Cloud. The MCSB document includes separate guidance for Microsoft 365 workloads.
MCSB itself is a fixed set of controls published by Microsoft. However, you can create custom Azure Policy initiatives that extend or modify the controls. For example, you can duplicate the built-in MCSB initiative and add additional policies. But the official MCSB compliance score in Defender for Cloud only reflects the built-in controls. Custom initiatives are tracked separately.
The compliance score is the percentage of passed controls out of the total applicable controls. For example, if 200 controls apply to your environment and 150 are compliant, the score is 75%. Controls that are not applicable (e.g., SQL-related controls when no SQL databases exist) are excluded from the calculation. The score is updated every 24 hours.
In Defender for Cloud, click on the failed control to see the list of affected resources. Each resource has a 'Remediation steps' link that provides specific instructions. For example, for control 'NS-1: Implement security for internal traffic,' you might need to modify an NSG rule. You can also use Azure Policy's 'DeployIfNotExists' effect to automatically remediate some controls, but not all are auto-remediable.
The built-in initiative ID is `/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8`. You can use this ID when assigning the initiative via CLI, PowerShell, or ARM templates.