This chapter covers the implementation and assessment of NIST, CIS, and PCI-DSS compliance frameworks within Microsoft Azure. Understanding how to map Azure controls to these frameworks is critical for the AZ-500 exam, as approximately 10-15% of Security Operations questions involve compliance assessment and enforcement using Azure Policy, Defender for Cloud, and Blueprints. You will learn the specific controls, assessment tools, and remediation techniques required to demonstrate compliance for each framework, along with common pitfalls and exam-specific patterns.
Think of NIST, CIS, and PCI-DSS as different building codes for a skyscraper. NIST is like the International Building Code (IBC): a comprehensive, risk-based framework that specifies structural requirements based on the building's use, height, and location. It doesn't prescribe exactly how to build every wall, but it requires that the building withstands certain loads and provides fire safety. CIS is like a set of best-practice checklists for electricians and plumbers: specific, actionable controls like 'install GFCI outlets in bathrooms' or 'use 12-gauge wire for 20-amp circuits.' PCI-DSS is like the fire code for a casino that handles cash: it mandates surveillance cameras, secure vaults, and dual-control access because the business involves high-value assets. In Azure, NIST maps to the built-in NIST SP 800-53 policy initiatives, CIS maps to the built-in CIS Microsoft Azure Foundations Benchmark initiatives (the Microsoft cloud security benchmark, formerly Azure Security Benchmark, is Microsoft's own baseline and is not the CIS benchmark), and PCI-DSS maps to the built-in PCI v3.2.1 initiative. Just as a building inspector checks compliance against these codes, Azure Policy and Defender for Cloud continuously assess your resources against the chosen framework. You can apply multiple codes simultaneously, but each has a different scope and level of prescription: NIST is broad, CIS is prescriptive, and PCI-DSS is narrow but strict.
Overview of Compliance Frameworks in Azure
Compliance frameworks provide standardized sets of controls that organizations must implement to meet regulatory, security, or industry requirements. In Azure, three frameworks are frequently tested on the AZ-500 exam: NIST SP 800-53 (National Institute of Standards and Technology), CIS (Center for Internet Security) Benchmarks, and PCI-DSS (Payment Card Industry Data Security Standard). Each framework has a different purpose and scope:
NIST SP 800-53: A comprehensive catalog of security and privacy controls, written for US federal information systems but widely adopted elsewhere. It is risk-based and organized into control families (18 in Rev. 4, such as Access Control and Audit and Accountability; Rev. 5 adds PII Processing and Transparency and Supply Chain Risk Management, for 20). Azure provides built-in policy initiatives for NIST SP 800-53 Rev. 4 and Rev. 5.
CIS Benchmarks: Prescriptive, consensus-based best practices for securing operating systems, cloud services, and applications. Azure offers built-in policy initiatives for several versions of the CIS Microsoft Azure Foundations Benchmark. This chapter uses v1.3.0 in its examples; newer versions (v1.4.0, v2.0.0) also have built-in initiatives, and control numbering and wording shift between versions.
PCI-DSS: A set of 12 requirements for organizations that store, process, or transmit cardholder data. Azure provides a built-in initiative for PCI-DSS v3.2.1 (the version this chapter uses and, as of 2025, the one referenced on AZ-500). Note that the PCI Council retired v3.2.1 on 31 March 2024 in favor of v4.0, and Azure also ships a built-in PCI DSS v4 initiative; confirm which version your assessor expects before you assign one.
How Azure Implements Compliance Assessment
Azure uses three primary mechanisms to assess and enforce compliance:
Azure Policy: Evaluates resource configurations against policy rules. Compliance is reported per policy assignment. For frameworks, Microsoft publishes built-in initiatives (groups of policies) that map to specific controls.
Microsoft Defender for Cloud (formerly Security Center): Provides regulatory compliance dashboards that show the compliance score against selected frameworks. It continuously assesses your environment and highlights non-compliant resources.
Azure Blueprints: (Legacy but still tested) Can be used to deploy a compliant environment by assigning policies and RBAC roles together. However, for exam purposes, Azure Policy is the primary tool.
Step-by-Step: Mapping NIST to Azure
NIST SP 800-53 controls are mapped to Azure Policy definitions. For example, control AC-2 (Account Management) is mapped to policies on account lifecycle, such as removing deprecated or guest accounts that hold owner permissions, while the MFA checks for privileged accounts sit under IA-2 (Identification and Authentication). The built-in initiative 'NIST SP 800-53 Rev. 5' includes hundreds of policies. To assess compliance:
Assign the initiative to a management group, subscription, or resource group.
Azure Policy evaluates resources and reports compliance status.
Defender for Cloud aggregates the results in the Regulatory Compliance dashboard.
Key exam point: NIST is risk-based; the organization chooses which controls to implement based on its risk assessment. The Azure built-in initiative, however, includes policies for all controls, and you cannot remove individual policies from a built-in initiative assignment. To tailor it, set a policy's effect parameter to 'Disabled' where the initiative exposes one, or create an exemption scoped to specific policyDefinitionReferenceIds.
Step-by-Step: Mapping CIS to Azure
The CIS Microsoft Azure Foundations Benchmark provides specific configuration recommendations. For example:
CIS Control 1.1: Ensure that multi-factor authentication is enabled for all privileged users.
CIS Control 2.1: Ensure that the standard pricing tier is selected for Azure Defender (now the paid Microsoft Defender for Cloud plans). Control numbers and wording move between benchmark versions, so check the version you assign.
Azure Policy includes a built-in initiative 'CIS Microsoft Azure Foundations Benchmark v1.3.0' that contains policies for each control. The exam expects you to know that CIS is prescriptive — it defines exact configuration values (e.g., 'Audit Log Retention should be at least 365 days').
Step-by-Step: Mapping PCI-DSS to Azure
PCI-DSS v3.2.1 has 12 requirements, each with sub-requirements. Azure provides a built-in initiative 'PCI v3.2.1:2018' that maps to Azure Policy. For example:
Requirement 1: Install and maintain a firewall configuration. This maps to policies that enforce Network Security Group (NSG) rules.
Requirement 7: Restrict access to cardholder data by business need-to-know. This maps to RBAC policies.
Key exam point: PCI-DSS is narrowly scoped to the systems that store, process, or transmit cardholder data (the cardholder data environment, CDE). In Azure, scope the policy assignment to only those resources (e.g., a specific subscription or resource group). Assigning PCI policies to everything produces noise: findings on resources that were never in PCI scope, each of which then has to be excluded or exempted.
Common Tools and Commands
- Azure Policy CLI (assign a built-in initiative to a subscription):

```bash
az policy assignment create --name 'nist-sp80053' --policy-set-definition '/providers/Microsoft.Authorization/policySetDefinitions/...' --scope '/subscriptions/...'
```

- Defender for Cloud CLI (list the regulatory standards enabled on the current subscription; the command group is plural):

```bash
az security regulatory-compliance-standards list
```

- PowerShell (list assignments of a given initiative; `-PolicyDefinitionId` accepts an initiative ID as well as a single definition ID):

```powershell
Get-AzPolicyAssignment -PolicyDefinitionId '/providers/Microsoft.Authorization/policySetDefinitions/...'
```

Interaction with Related Technologies
Azure Blueprints: Can be used to assign NIST/CIS/PCI initiatives as part of an environment deployment. However, Blueprints are deprecated (Microsoft has announced retirement on 11 July 2026) in favor of template specs and deployment stacks; the exam may still ask about Blueprints.
Azure Security Benchmark (ASB), now renamed the Microsoft cloud security benchmark (MCSB): Microsoft's own security baseline and the default standard in Defender for Cloud. It is the foundation for many built-in policies and maps its controls to NIST, CIS, and PCI-DSS. The exam often asks you to differentiate between ASB/MCSB (Microsoft's baseline) and the CIS benchmark (an external, consensus-developed benchmark).
Exam Trap: Scope and Exemptions
A common exam scenario: You assign a PCI-DSS policy initiative to an entire subscription. Resources that are not in scope for PCI (e.g., a development environment) will show as non-compliant. The correct approach is to exclude those resources from the policy assignment using the --not-scopes parameter, or to create an exemption at the resource, resource group, or subscription level. Exemptions have two categories: 'Waiver' (the non-compliance is accepted, i.e., the risk is waived) and 'Mitigated' (the policy's intent is met by another control or process). Either category can carry an expiresOn date, so 'temporary' is a property you set on the exemption, not a meaning of the category.
Exam Trap: Default Values
CIS requires 365 days of log retention for Azure Activity Logs.
NIST IA-2 (Identification and Authentication), not AC-2, carries the MFA-for-privileged-accounts policies; AC-2 (Account Management) covers account lifecycle such as removing deprecated and guest accounts.
PCI-DSS Requirement 10.2.1 requires audit trails for all access to cardholder data.
Summary of Key Controls
| Framework | Key Control Example | Azure Policy Effect |
|-----------|--------------------|-------------------|
| NIST IA-2 | MFA for privileged users (AC-2 covers account lifecycle) | auditIfNotExists |
| CIS 1.1 | MFA for privileged users | auditIfNotExists |
| CIS 2.1 | Standard tier for Defender | auditIfNotExists |
| PCI-DSS Req. 1 | NSG with deny-all inbound | audit or deny |
| PCI-DSS Req. 7 | RBAC least privilege | audit |
Advanced: Custom Initiatives
If the built-in initiatives do not exactly match your organization's compliance requirements, you can create a custom initiative by grouping existing or custom policy definitions. The exam may test the ability to create a custom initiative for a specific framework version not yet supported by Microsoft.
Compliance Score Calculation
Defender for Cloud reports a compliance percentage per standard, derived from how many of the standard's controls pass their assessments; controls with no automated assessment are shown as skipped rather than failed. The exam expects you to understand that a score of 100% means every assessed control is satisfied, but this does not guarantee actual security: it only means the policies in the initiative are satisfied, and anything the initiative does not check is invisible to the score.
Remediation
When a resource is non-compliant, you can either:
Manual remediation: Change the resource configuration directly.
Auto-remediation: Use the deployIfNotExists (or modify) policy effect to fix the resource through a remediation task (e.g., deploy a missing diagnostic setting or enable SQL auditing). The remediation task runs under the assignment's managed identity, which must hold the roles the policy lists in roleDefinitionIds. Not every control can be remediated this way; identity settings such as MFA are audited (auditIfNotExists) and must be fixed by hand.
Exam Focus: Specific Objective Codes
AZ-500 objective 4.3: 'Configure and manage security compliance' includes:
Implement compliance frameworks (NIST, CIS, PCI-DSS)
Use Azure Policy to enforce compliance
Manage compliance scores in Defender for Cloud
Create custom policy initiatives
Common wrong answers:
Wrong: 'Assign a single Azure Policy definition to cover the entire framework.' Reality: Frameworks are represented as initiatives (set of policies), not single definitions.
Wrong: 'CIS and NIST are interchangeable.' Reality: NIST is risk-based and broad; the CIS Azure Foundations Benchmark is prescriptive and specific to Azure configuration.
Wrong: 'PCI-DSS applies to all resources in a subscription.' Reality: Only resources that process, store, or transmit cardholder data are in scope.
Edge Cases
Multiple frameworks: You can assign multiple initiatives to the same scope. Defender for Cloud will show separate compliance scores.
Policy conflicts: Assignments are evaluated independently. A resource is compliant only if every applicable assignment passes, so a requirement in one assignment is not cancelled by its absence in another, and a deny in any assignment blocks the request even if the others only audit.
Initiative versioning: Built-in initiatives are updated by Microsoft. You can track changes via the 'version' property.
Identify applicable compliance framework
Determine which compliance framework(s) your organization must adhere to. For AZ-500, this is typically NIST SP 800-53, CIS Microsoft Azure Foundations Benchmark, or PCI-DSS v3.2.1. Each framework has a specific scope: NIST is broad for federal systems, CIS is best-practice for Azure, and PCI-DSS is for cardholder data environments. In the exam, you may be given a scenario (e.g., 'a company that processes credit card payments') and must select the correct framework. Note that multiple frameworks can apply simultaneously; you will assign multiple initiatives.
Assign built-in policy initiative
In Azure Policy, navigate to 'Assignments' and select 'Assign Initiative'. Choose the built-in initiative corresponding to your framework (e.g., 'NIST SP 800-53 Rev. 5', 'CIS Microsoft Azure Foundations Benchmark v1.3.0', or 'PCI v3.2.1:2018'). Set the scope to the management group, subscription, or resource group that contains the resources in scope. For PCI-DSS, scope is critical: only assign to subscriptions/resource groups that contain cardholder data. Use the Azure CLI: `az policy assignment create --policy-set-definition '<initiative-id>' --scope '<scope>'`.
Configure parameters and exclusions
Some initiatives have parameters (e.g., a list of allowed locations for NIST). Adjust these to match your environment. Use the `--not-scopes` parameter to exclude specific child scopes that are out of scope for the framework (e.g., a development resource group or subscription for PCI-DSS). Alternatively, create **exemptions** for resources that cannot comply for business reasons. Exemptions are 'Waiver' (non-compliance accepted) or 'Mitigated' (intent met by another control), and either can be given an expiry date. In the Azure portal, go to Policy > Compliance > select resource > Create Exemption, or use `az policy exemption create` with `--policy-assignment`, `--exemption-category`, and optionally `--expires-on`.
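The scope mechanics described in this step and in the 'Scope and Exemptions' exam trap above (assignment scope, `--not-scopes`, and exemptions that expire) can be checked before you touch a subscription. The following is an added example written for this chapter, not code from the page or from Microsoft: the subscription GUID, resource IDs and initiative ID are constructed placeholders, ARM scope nesting is modelled as a resource-ID prefix test, and the 24/64-character assignment-name limits are Azure Policy's documented limits.

```python
"""Scope, notScopes and exemptions: which resources an initiative assignment
actually evaluates.

Added example for this chapter, not code from the page or from Microsoft.
The subscription GUID, resource IDs and the initiative ID are constructed
placeholders.  Two things are modelled from documented behaviour: ARM scopes
nest by resource-ID prefix, and a policy assignment name is limited to 24
characters at management-group scope and 64 characters elsewhere.
"""
import re
from datetime import datetime, timezone

MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)


def is_within(child: str, parent: str) -> bool:
    """True if `child` is `parent` itself or sits beneath it (prefix on the ID path)."""
    c, p = child.lower().rstrip("/"), parent.lower().rstrip("/")
    return c == p or c.startswith(p + "/")


def build_assignment(name, initiative_id, scope, not_scopes=(), parameters=None):
    """Return the assignment body, rejecting the two mistakes that yield a
    silently useless assignment: a notScope outside the assignment scope and
    a name over the platform limit."""
    at_mg = bool(MG_RE.match(scope))
    limit = 24 if at_mg else 64
    if len(name) > limit:
        raise ValueError(f"assignment name '{name}' exceeds {limit} characters for this scope")
    # Management-group membership is not visible in a subscription's ID, so the
    # containment check is only possible for subscription-or-below scopes.
    if not at_mg:
        for ns in not_scopes:
            if not is_within(ns, scope):
                raise ValueError(f"notScope {ns} is not inside assignment scope {scope}")
    return {
        "name": name,
        "id": f"{scope}/providers/Microsoft.Authorization/policyAssignments/{name}",
        "properties": {
            "policyDefinitionId": initiative_id,
            "scope": scope,
            "notScopes": list(not_scopes),
            "parameters": {k: {"value": v} for k, v in (parameters or {}).items()},
        },
    }


def classify(assignment, exemptions, resource_ids, now):
    """Map each resource under the assignment to 'evaluated', 'excluded'
    (covered by a notScope) or 'exempt:<category>'.  An exemption counts only
    if it targets this assignment, covers the resource, and has not expired."""
    props = assignment["properties"]
    out = {}
    for rid in resource_ids:
        if not is_within(rid, props["scope"]):
            continue  # outside the assignment entirely; it is never evaluated
        if any(is_within(rid, ns) for ns in props["notScopes"]):
            out[rid] = "excluded"
            continue
        out[rid] = "evaluated"
        for ex in exemptions:
            expired = ex["expiresOn"] is not None and ex["expiresOn"] <= now
            if (ex["policyAssignmentId"].lower() == assignment["id"].lower()
                    and is_within(rid, ex["scope"]) and not expired):
                out[rid] = f"exempt:{ex['exemptionCategory']}"
                break
    return out


# Constructed sample: a PCI initiative on one subscription, the dev resource
# group carved out with notScopes, and two exemptions on production resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
PCI_INITIATIVE = "/providers/Microsoft.Authorization/policySetDefinitions/<pci-initiative-guid>"
JUMPBOX = f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/jumpbox"
PAY_SQL = f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/pay-sql"
NSG_WEB = f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-web"
DEVBOX = f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/devbox"
OTHER = "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-x/providers/Microsoft.Compute/virtualMachines/vm1"


def demo(now=datetime(2025, 6, 1, tzinfo=timezone.utc)):
    assignment = build_assignment("pci-dss-prod", PCI_INITIATIVE, SUB,
                                  not_scopes=[f"{SUB}/resourceGroups/rg-dev"])
    exemptions = [
        # Waiver for the RDP jumpbox that lapsed in January: it is evaluated again.
        {"policyAssignmentId": assignment["id"], "scope": JUMPBOX, "exemptionCategory": "Waiver",
         "expiresOn": datetime(2025, 1, 31, tzinfo=timezone.utc)},
        # Mitigated, open-ended: the auditing intent is met by a compensating control.
        {"policyAssignmentId": assignment["id"], "scope": PAY_SQL, "exemptionCategory": "Mitigated",
         "expiresOn": None},
    ]
    return classify(assignment, exemptions, [JUMPBOX, PAY_SQL, NSG_WEB, DEVBOX, OTHER], now)


if __name__ == "__main__":
    for rid, state in demo().items():
        print(f"{state:18} {rid}")
```

The expired waiver is the case worth noticing: once `expiresOn` passes, the jumpbox silently returns to the evaluated set and shows up as non-compliant again, which is the behaviour you want from a temporary exemption but also the reason to track expiry dates outside the portal.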
Assess compliance in Defender for Cloud
After assigning the initiative, open Microsoft Defender for Cloud's Regulatory Compliance dashboard. It aggregates the assessment results that Azure Policy produces for the initiative (the same built-in standards can also be added from Defender for Cloud's security policies page, which creates the Azure Policy assignment for you). The dashboard shows a compliance percentage per framework, broken down by control. For example, under NIST, you see each control family (AC, AU, etc.) and which controls pass or fail. The percentage is derived from how many controls pass; controls without an automated assessment are shown as skipped, not failed. Each failing control lists its non-compliant resources with a recommendation to remediate.
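The percentages the dashboard shows (here and in the 'Compliance Score Calculation' section above) come from per-resource policy states, and the same states decide how a resource is reported when two initiatives share a scope. The following is an added example written for this chapter, not code from the page or from Microsoft: the records are constructed to mimic the fields `az policy state list` returns, the group names stand in for framework control IDs, and two modelling choices are assumptions rather than documented behaviour: exempt states are left out of the denominator, and a resource's folded state across several assignments is NonCompliant if any assignment says so.

```python
"""Per-control and overall compliance percentages from raw policy states,
plus the resource-level fold when several initiatives share a scope.

Added example for this chapter, not code from the page or from Microsoft.
The records are constructed to mimic the fields `az policy state list`
returns (policyAssignmentId, policyDefinitionReferenceId,
policyDefinitionGroupNames, resourceId, complianceState); the group names
stand in for framework control IDs.  Assumptions: Exempt states are left out
of the denominator, and the folded per-resource state is NonCompliant if any
assignment reports it so.
"""
from collections import defaultdict

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed
PCI = f"{SUB}/providers/Microsoft.Authorization/policyAssignments/pci-dss-prod"
CIS = f"{SUB}/providers/Microsoft.Authorization/policyAssignments/cis-foundations"

STATES = [  # constructed sample
    {"assignment": PCI, "ref": "nsg-no-rdp-internet", "groups": ["PCI_Req_1"], "resource": "nsg-web", "state": "Compliant"},
    {"assignment": PCI, "ref": "nsg-no-rdp-internet", "groups": ["PCI_Req_1"], "resource": "nsg-jump", "state": "NonCompliant"},
    {"assignment": PCI, "ref": "sql-auditing", "groups": ["PCI_Req_10"], "resource": "pay-sql", "state": "NonCompliant"},
    {"assignment": PCI, "ref": "sql-auditing", "groups": ["PCI_Req_10"], "resource": "rpt-sql", "state": "Exempt"},
    {"assignment": CIS, "ref": "mfa-owners", "groups": ["CIS_1.1"], "resource": SUB, "state": "Compliant"},
    {"assignment": CIS, "ref": "defender-servers", "groups": ["CIS_2.1"], "resource": SUB, "state": "NonCompliant"},
    {"assignment": CIS, "ref": "nsg-no-rdp-internet", "groups": ["CIS_6.1"], "resource": "nsg-web", "state": "Compliant"},
]


def control_scores(states, assignment):
    """Percent of counted (non-exempt) states that are Compliant, per control group."""
    tally = defaultdict(lambda: [0, 0])  # group -> [compliant, counted]
    for s in states:
        if s["assignment"] != assignment or s["state"] == "Exempt":
            continue
        for g in s["groups"]:
            tally[g][0] += s["state"] == "Compliant"
            tally[g][1] += 1
    return {g: round(100 * c / n) for g, (c, n) in tally.items()}


def overall_score(states, assignment):
    """Whole-initiative percentage; None if nothing was assessed."""
    counted = [s for s in states if s["assignment"] == assignment and s["state"] != "Exempt"]
    if not counted:
        return None
    return round(100 * sum(s["state"] == "Compliant" for s in counted) / len(counted))


def resource_state(states):
    """Fold every assignment's verdict per resource: NonCompliant beats Compliant beats Exempt."""
    rank = {"NonCompliant": 2, "Compliant": 1, "Exempt": 0}
    folded = {}
    for s in states:
        if s["resource"] not in folded or rank[s["state"]] > rank[folded[s["resource"]]]:
            folded[s["resource"]] = s["state"]
    return folded


def failing_resources(states, assignment, control):
    """Drill-down behind a failing control: the remediate-or-exempt list."""
    return sorted({s["resource"] for s in states
                   if s["assignment"] == assignment and control in s["groups"]
                   and s["state"] == "NonCompliant"})


if __name__ == "__main__":
    for name, a in (("PCI", PCI), ("CIS", CIS)):
        print(name, overall_score(STATES, a), control_scores(STATES, a))
    print(resource_state(STATES))
```

Note what the numbers do not say: the PCI assignment scores 33% with only three counted states, and `nsg-web` is Compliant under both initiatives because the same RDP rule is referenced by each, so a single fix moves two scores at once. None of this measures anything the initiatives do not check.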
Remediate non-compliant resources
For each non-compliant resource, you can either manually change the configuration (e.g., enable MFA in Azure AD) or use auto-remediation via the **deployIfNotExists** policy effect. Many built-in policies include a remediation task that can be triggered from the dashboard. In the Azure portal, go to Policy > Compliance > select non-compliant resource > 'Create Remediation Task'. The exam may ask about the difference between 'audit' (only logs non-compliance) and 'deny' (blocks creation of non-compliant resources). Note: Some policies, like those requiring specific NSG rules, cannot auto-remediate and require manual action.
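The deployIfNotExists mechanics this step and the 'Remediation' section above rely on are worth seeing end to end: the existence condition is what marks the resource non-compliant, and the remediation task fails unless the assignment's managed identity holds the roles the policy names in roleDefinitionIds. The following is an added example written for this chapter, not code from the page or from Microsoft: the rule mirrors the shape of a real DINE definition but is simplified, the alias table is a stand-in for Azure Policy aliases, the role-definition GUID is a placeholder, and the vaults and diagnostic settings are constructed.

```python
"""deployIfNotExists in practice: how the existence condition flips a
resource to non-compliant and what a remediation task needs before it can
deploy anything.

Added example for this chapter, not code from the page or from Microsoft.
The rule below mirrors the shape of a real DINE definition (if / then.details
with type, existenceCondition and roleDefinitionIds) but is simplified: the
alias table is a stand-in for Azure Policy aliases, the role-definition GUID
is a placeholder, and the vaults and diagnostic settings are constructed.
"""

DINE_RULE = {  # hypothetical rule: every Key Vault needs a diagnostic setting with logs enabled
    "if": {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
    "then": {
        "effect": "DeployIfNotExists",
        "details": {
            "type": "Microsoft.Insights/diagnosticSettings",
            "existenceCondition": {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
                "equals": "true",
            },
            # The managed identity on the assignment must hold this role at the
            # assignment scope; placeholder GUID here.
            "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/<monitoring-contributor-guid>"
            ],
        },
    },
}

# Stand-in alias table: alias -> path through the resource JSON; '[*]' means any element.
ALIASES = {
    "type": ("type",),
    "Microsoft.Insights/diagnosticSettings/logs[*].enabled": ("properties", "logs", "[*]", "enabled"),
}


def field_values(resource, alias):
    """All values the alias resolves to on `resource` (empty if the path is absent)."""
    values = [resource]
    for step in ALIASES[alias]:
        nxt = []
        for v in values:
            if step == "[*]":
                nxt.extend(v if isinstance(v, list) else [])
            elif isinstance(v, dict) and step in v:
                nxt.append(v[step])
        values = nxt
    return values


def matches(condition, resource):
    """'equals' is a case-insensitive string comparison, as in Azure Policy."""
    want = str(condition["equals"]).lower()
    return any(str(v).lower() == want for v in field_values(resource, condition["field"]))


def evaluate(rule, resource, children):
    """'NotApplicable', 'Compliant' or 'NonCompliant' for one resource.  The
    existence condition is met if ANY child of details.type satisfies it."""
    if not matches(rule["if"], resource):
        return "NotApplicable"
    details = rule["then"]["details"]
    related = [c for c in children if c["type"].lower() == details["type"].lower()]
    ok = any(matches(details["existenceCondition"], c) for c in related)
    return "Compliant" if ok else "NonCompliant"


def plan_remediation(rule, assignment, resources, identity_role_ids):
    """IDs a remediation task would deploy to, after the two checks that most
    often make a task fail: the assignment has a managed identity, and that
    identity holds every role in roleDefinitionIds."""
    if not assignment.get("identity"):
        raise ValueError("assignment has no managed identity; DINE cannot deploy")
    missing = [r for r in rule["then"]["details"]["roleDefinitionIds"] if r not in identity_role_ids]
    if missing:
        raise ValueError(f"identity lacks roles required by the policy: {missing}")
    return [res["id"] for res, kids in resources if evaluate(rule, res, kids) == "NonCompliant"]


VAULTS = [  # constructed: (resource, its child resources)
    ({"id": "kv-pay", "type": "Microsoft.KeyVault/vaults"},
     [{"type": "Microsoft.Insights/diagnosticSettings",
       "properties": {"logs": [{"category": "AuditEvent", "enabled": True}]}}]),
    ({"id": "kv-legacy", "type": "Microsoft.KeyVault/vaults"},
     [{"type": "Microsoft.Insights/diagnosticSettings",
       "properties": {"logs": [{"category": "AuditEvent", "enabled": False}]}}]),
    ({"id": "kv-new", "type": "Microsoft.KeyVault/vaults"}, []),
    ({"id": "st-logs", "type": "Microsoft.Storage/storageAccounts"}, []),
]
ROLE = DINE_RULE["then"]["details"]["roleDefinitionIds"][0]

if __name__ == "__main__":
    for res, kids in VAULTS:
        print(res["id"], evaluate(DINE_RULE, res, kids))
    print("remediate:", plan_remediation(DINE_RULE, {"identity": {"type": "SystemAssigned"}}, VAULTS, {ROLE}))
```

`kv-legacy` is the instructive case: it has a diagnostic setting, but with logging disabled, so the existence condition is not met and it is treated exactly like `kv-new`, which has none. When you assign a DINE policy from the CLI, `az policy assignment create --mi-system-assigned --location <region>` (or `--mi-user-assigned`) is what gives the assignment the identity, and `az policy assignment identity assign` with `--role` is what grants the role; the remediation task only works once both are in place.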
Monitor and report continuously
Compliance is not a one-time activity. Defender for Cloud continuously evaluates resources against the assigned initiatives. Use Defender for Cloud's continuous export to send compliance data to a Log Analytics workspace or an Event Hub for custom reporting, or connect it to Microsoft Sentinel (formerly Azure Sentinel) for alerting; the regulatory compliance report can also be downloaded as PDF or CSV from the dashboard. Be aware that created, changed, or deleted resources are re-evaluated automatically, and the compliance score refreshes every few hours. For continuous monitoring, ensure that the policy assignment is not accidentally deleted; assigning at management group scope keeps it out of reach of subscription-level owners.
Enterprise Scenario 1: Financial Institution Implementing NIST SP 800-53
A large bank must comply with NIST SP 800-53 for its Azure-based customer portal. The bank assigns the built-in NIST initiative to the production subscription. The initiative includes policies requiring encryption at rest for storage accounts; the bank's legacy storage accounts use Azure Storage Service Encryption (SSE) with Microsoft-managed keys, which satisfies those. But the Rev. 5 initiative also carries a policy, under the SC (System and Communications Protection) family, that expects customer-managed keys (CMK) for storage, which the bank applies to its high-impact systems. The bank must either move those storage accounts to CMK or create an exemption if the risk is accepted. Operational impact: CMK adds a dependency on Key Vault availability and a key-rotation process the bank must own, rather than per-request latency. The bank uses Defender for Cloud's compliance dashboard to track progress and exports reports weekly for auditors. Misconfiguration: If the policy is assigned to the entire management group instead of just the production subscription, development environments become non-compliant, causing false alarms.
Enterprise Scenario 2: SaaS Company Using CIS Benchmark
A SaaS startup uses Azure and wants to follow CIS Microsoft Azure Foundations Benchmark. They assign the CIS initiative to their subscription. The initiative includes a policy that requires 'Audit Log Retention' to be at least 365 days. The startup had set retention to 90 days to save costs. The policy flags this as non-compliant. The startup must either increase retention to 365 days (increasing storage costs) or create an exemption if they accept the risk. Another policy requires 'Standard tier' for Azure Defender, which costs more than Free tier. The startup must budget for this. Common issue: The CIS initiative is updated periodically (e.g., v1.3.0 to v1.4.0). The startup must reassign the new initiative to stay current. The exam may test that CIS is prescriptive and does not allow custom deviations without exemptions.
Enterprise Scenario 3: E-commerce Company Meeting PCI-DSS
An e-commerce company processes credit card payments in Azure. They assign the PCI-DSS v3.2.1 initiative to the subscription hosting the payment application. The initiative includes a policy that requires 'no inbound RDP from Internet' on NSGs. The company has a jumpbox VM with RDP enabled for admin access. They must either restrict the source IP to a specific range (e.g., corporate VPN) or create an exemption explaining the business need. Another policy requires 'audit logs for all access to cardholder data'. They use Azure SQL Database auditing. The policy checks if auditing is enabled. If not, it flags non-compliance. Remediation: Enable auditing via deployIfNotExists. The company also uses Defender for Cloud's adaptive network hardening to tighten NSG rules. Misconfiguration: If the PCI initiative is assigned to the entire subscription including a non-production environment, the non-prod resources will show as non-compliant, wasting time. The correct approach is to scope the assignment to only the production resource group.
Exactly What AZ-500 Tests on This Topic
AZ-500 objective 4.3 (Configure and manage security compliance) specifically tests your ability to:
Select the appropriate compliance framework for a given scenario (e.g., federal agency -> NIST, general Azure best practice -> CIS, credit card processing -> PCI-DSS).
Assign built-in policy initiatives for these frameworks using Azure portal, CLI, or PowerShell.
Interpret compliance scores in Defender for Cloud and understand the difference between 'compliant' and 'non-compliant'.
Remediate non-compliant resources using auto-remediation or manual changes.
Create custom initiatives when built-in ones don't match the exact framework version.
Common Wrong Answers and Why Candidates Choose Them
'Assign a single Azure Policy definition to comply with NIST.' Candidates confuse policy definitions (individual rules) with initiatives (groups of rules). The exam tests that frameworks require initiatives.
'CIS and NIST are the same framework.' Candidates think both are just 'security baselines.' In reality, NIST is risk-based and broad; the CIS Azure Foundations Benchmark is prescriptive and Azure-specific.
'PCI-DSS compliance must be applied to all Azure resources.' Candidates forget that PCI-DSS scope is limited to cardholder data environments. Assigning it broadly causes false positives.
'Compliance score of 100% means the environment is secure.' Candidates equate compliance with security. The exam emphasizes that compliance only checks policy adherence, not overall security posture.
Specific Numbers, Values, and Terms That Appear Verbatim
CIS Control 1.1: MFA for privileged users.
CIS Control 2.1: Standard pricing tier for Azure Defender.
CIS Control 5.1.4: Ensure that 'Audit Log Retention' is set to at least 365 days.
PCI-DSS Requirement 1.1: Install and maintain firewall configuration.
PCI-DSS Requirement 10.2.1: Audit trails for all access to cardholder data.
NIST AC-2: Account management.
NIST AU-3: Content of audit records.
Default retention for Activity Logs: 90 days (CIS requires 365).
Initiative naming: 'CIS Microsoft Azure Foundations Benchmark v1.3.0', 'NIST SP 800-53 Rev. 5', 'PCI v3.2.1:2018'.
Edge Cases and Exceptions
Multiple assignments: You can assign both CIS and NIST initiatives to the same scope. Defender for Cloud shows separate compliance scores.
Policy effects: 'deny' blocks non-compliant resource creation; 'audit' only logs; 'deployIfNotExists' auto-remediates. The exam may ask which effect to use for a control that requires automatic fixing.
Exemptions: Categories are 'Waiver' (non-compliance accepted) and 'Mitigated' (intent satisfied by another control); either can carry an expiry date, e.g., a waiver set to expire at the next patch window.
Initiative versioning: Built-in initiatives are updated by Microsoft. The exam may ask you to reassign to a newer version.
How to Eliminate Wrong Answers Using the Underlying Mechanism
When faced with a question about compliance, ask:
What is the scope? If the scenario involves credit card data, PCI-DSS is likely. If it's a federal agency, NIST. If it's general Azure best practice, CIS.
Is it a single policy or a set? If the question says 'comply with NIST', you need an initiative, not a single policy definition.
What is the compliance score? A score below 100% means some resources are non-compliant. The remedy is to either fix resources or create exemptions.
Can the resource be auto-remediated? If the policy has 'deployIfNotExists' effect, you can use remediation tasks.
NIST SP 800-53 is a risk-based framework; CIS is prescriptive; PCI-DSS is for cardholder data.
Use built-in policy initiatives (not single definitions) to assess compliance with these frameworks.
CIS requires 365 days of Activity Log retention; PCI-DSS requires firewall and access controls.
Scope policy assignments correctly: PCI-DSS only to cardholder data environments.
Compliance score in Defender for Cloud is the percentage of passing controls; 100% does not equal security.
Exemptions can be 'Waiver' (risk accepted) or 'Mitigated' (met another way) for non-compliant resources; add an expiry date when the exemption is meant to be temporary.
Auto-remediation uses deployIfNotExists effect; manual remediation may be needed for some controls.
These come up on the exam all the time. Here's how to tell them apart.
NIST SP 800-53
Risk-based framework with 18 control families in Rev. 4 (20 in Rev. 5)
Broad scope, applicable to any information system
Controls are high-level (e.g., 'Access Control')
Built-in initiative: 'NIST SP 800-53 Rev. 5'
Used primarily by US federal agencies
CIS Microsoft Azure Foundations Benchmark
Prescriptive benchmark with specific configuration checks
Narrow scope, specific to Azure
Controls are detailed (e.g., 'Ensure MFA is enabled for privileged users')
Built-in initiative: 'CIS Microsoft Azure Foundations Benchmark v1.3.0'
Used by organizations following industry best practices
Mistake
Compliance score of 100% means the environment is fully secure.
Correct
Compliance score only reflects adherence to the specific policies in the initiative. It does not cover all security threats (e.g., zero-day exploits). Security is broader than compliance.
Mistake
CIS and NIST are interchangeable frameworks.
Correct
NIST is a broad, risk-based framework written for federal systems. CIS is a prescriptive benchmark, and the CIS Azure Foundations Benchmark is specific to Azure configurations. They are not interchangeable; organizations often use both.
Mistake
PCI-DSS compliance applies to all resources in a subscription.
Correct
PCI-DSS scope is limited to systems that process, store, or transmit cardholder data. Assigning the initiative to an entire subscription may flag non-production resources as non-compliant incorrectly.
Mistake
You can comply with a framework by assigning a single Azure Policy definition.
Correct
Frameworks consist of multiple controls, each mapped to multiple policies. You must assign the built-in initiative (a group of policies) to cover all controls.
Mistake
Once assigned, compliance is static and does not need monitoring.
Correct
Azure Policy and Defender for Cloud continuously evaluate resources. New resources may be non-compliant, and policy updates may change requirements. Continuous monitoring is essential.
Go to Azure Policy > Assignments > Assign Initiative. Search for the framework name (e.g., 'NIST SP 800-53 Rev. 5'), select it, set the scope (management group, subscription, or resource group), and configure parameters if needed. Click 'Review + create'. You can also use CLI: `az policy assignment create --policy-set-definition '<initiative-id>' --scope '<scope>'`. The initiative ID is in the format `/providers/Microsoft.Authorization/policySetDefinitions/...`.
NIST is a broad, risk-based framework for federal systems. CIS is a prescriptive benchmark specific to Azure. On the exam, if a scenario involves a US federal agency, choose NIST. If it involves following best practices for Azure, choose CIS. Both can be used together. The exam expects you to know that CIS has specific numeric controls (e.g., 1.1, 2.1) while NIST uses alphanumeric control IDs (e.g., AC-2, AU-3).
When assigning the initiative, use the 'Exclusions' tab to specify child scopes (e.g., a resource group) that should not be evaluated. Alternatively, after assignment, you can create an **exemption** for a specific resource. Exemptions are 'Waiver' (non-compliance accepted) or 'Mitigated' (intent met by another control), and either can be given an expiry date. In the Azure portal, go to Policy > Compliance > select the resource > 'Create Exemption'. This is important for PCI-DSS to keep non-production resources out of the assessment.
It means that 85% of the controls in the assigned standard pass across all assessed resources. Controls with no automated assessment are skipped and do not count either way. A score below 100% indicates failing controls. You can drill down to see which controls are failing and which resources are affected. The goal is to remediate or exempt every non-compliant resource to reach 100%, bearing in mind that 100% only means the initiative's policies are satisfied.
Yes. In Azure Policy, go to 'Definitions' > 'Initiative' > '+ Initiative Definition'. You can add existing policy definitions (built-in or custom) and set parameters. For example, if you need to comply with a newer version of PCI-DSS not yet available as built-in, you can create a custom initiative by selecting the relevant policies. The exam may test that custom initiatives are possible.
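The custom initiative described in this answer and in the 'Advanced: Custom Initiatives' section above is a policy set definition whose policies are grouped under control IDs, and most of the mistakes that make `az policy set-definition create` reject it are structural. The following is an added example written for this chapter, not code from the page or from Microsoft: the policy-definition IDs carry placeholder GUIDs, the control group names are hypothetical, the checks encode the structural rules of a policy set definition (unique reference IDs, declared groups, declared parameters), and flagging controls with no policy mapped is this example's stricter rule since Azure itself accepts empty groups.

```python
"""Build and validate a custom policy initiative (policy set definition)
whose policies are grouped under framework control IDs, the way the
built-in regulatory initiatives are.

Added example for this chapter, not code from the page or from Microsoft.
The policy-definition IDs carry placeholder GUIDs, the control group names
are hypothetical, and the checks encode the structural rules of a policy
set definition: every policyDefinitionReferenceId is unique, every
groupName is declared in policyDefinitionGroups, and every
[parameters('x')] reference names a parameter of the initiative itself.
Flagging controls with no policy mapped is this example's stricter rule;
Azure accepts empty groups.
"""
import json
import re

PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")
POLICY_ID_MARK = "/providers/Microsoft.Authorization/policyDefinitions/"


def build_initiative(name, display_name, groups, policies, parameters=None):
    """Return the body for PUT .../policySetDefinitions/{name}, validated."""
    body = {
        "name": name,
        "properties": {
            "displayName": display_name,
            "policyType": "Custom",
            "metadata": {"category": "Regulatory Compliance"},
            "parameters": parameters or {},
            "policyDefinitionGroups": [{"name": g, "displayName": t} for g, t in groups.items()],
            "policyDefinitions": [
                {
                    "policyDefinitionReferenceId": p["ref"],
                    "policyDefinitionId": p["id"],
                    "parameters": {k: {"value": v} for k, v in p.get("parameters", {}).items()},
                    "groupNames": list(p["groups"]),
                }
                for p in policies
            ],
        },
    }
    validate_initiative(body)
    return body


def validate_initiative(body):
    """Raise ValueError listing every problem found; otherwise return the
    group -> number-of-policies coverage map."""
    props = body["properties"]
    problems = []
    groups = {g["name"] for g in props["policyDefinitionGroups"]}
    params = set(props["parameters"])
    coverage = {g: 0 for g in groups}
    seen = set()
    for p in props["policyDefinitions"]:
        ref = p["policyDefinitionReferenceId"]
        if ref in seen:
            problems.append(f"duplicate policyDefinitionReferenceId '{ref}'")
        seen.add(ref)
        if POLICY_ID_MARK not in p["policyDefinitionId"]:
            problems.append(f"{ref}: '{p['policyDefinitionId']}' is not a policy definition ID")
        for g in p["groupNames"]:
            if g in coverage:
                coverage[g] += 1
            else:
                problems.append(f"{ref}: undeclared group '{g}'")
        for v in p["parameters"].values():
            for pname in PARAM_REF.findall(str(v["value"])):
                if pname not in params:
                    problems.append(f"{ref}: undeclared initiative parameter '{pname}'")
    unmapped = sorted(g for g, n in coverage.items() if n == 0)
    if unmapped:
        problems.append(f"controls with no policy mapped: {unmapped}")
    if problems:
        raise ValueError("; ".join(problems))
    return coverage


def example():
    """Two hypothetical PCI controls, each backed by one (placeholder) built-in policy."""
    groups = {"PCI_Req_1.2": "Req 1.2: network security controls",
              "PCI_Req_10.2": "Req 10.2: audit logs for access to cardholder data"}
    policies = [
        {"ref": "nsg-no-rdp-from-internet", "groups": ["PCI_Req_1.2"],
         "id": POLICY_ID_MARK + "<builtin-guid-1>"},
        {"ref": "sql-auditing-enabled", "groups": ["PCI_Req_10.2"],
         "id": POLICY_ID_MARK + "<builtin-guid-2>",
         "parameters": {"effect": "[parameters('auditEffect')]"}},
    ]
    params = {"auditEffect": {"type": "String", "defaultValue": "AuditIfNotExists",
                              "allowedValues": ["AuditIfNotExists", "Disabled"]}}
    return build_initiative("pci-custom-mapping", "PCI DSS (custom control mapping)", groups, policies, params)


if __name__ == "__main__":
    print(json.dumps(example(), indent=2))
```

To create it from the CLI, split the body into files and run `az policy set-definition create --name pci-custom-mapping --display-name "PCI DSS (custom control mapping)" --definitions @definitions.json --definition-groups @groups.json --params @params.json`, where each file holds the corresponding `policyDefinitions`, `policyDefinitionGroups` and `parameters` value. The group names are what Defender for Cloud and the compliance views use to roll policies up into controls, so keep them stable across versions of your mapping.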
Azure Blueprints (being deprecated) allow you to deploy a complete environment with pre-configured policies, RBAC roles, and resource templates. For compliance, you can include a policy initiative within a blueprint. This ensures that any subscription created from the blueprint is compliant from the start. However, for exam purposes, Azure Policy is the primary tool. Blueprints may appear in legacy questions.
Azure Policy evaluates resources on several triggers: a resource create, update, or delete is re-evaluated within about 15 minutes, a new or changed assignment is evaluated within about 30 minutes, and a full evaluation cycle runs every 24 hours. Defender for Cloud refreshes the compliance dashboard from those results every few hours. You can also trigger an on-demand evaluation from the Policy compliance blade or via CLI: `az policy state trigger-scan --resource-group <rg>` (omit the resource group to scan the whole subscription).