Beyond the tenant

Azure security assessment and configuration review

Most businesses running Microsoft 365 also run something in Azure: a few VMs, a line-of-business app, storage nobody remembers creating. The Azure security assessment reviews that estate's configuration against the CIS Azure Foundations Benchmark, with the same fixed pricing and the same expert-led method as the tenant assessment.

Assessment scope

What the Azure security review covers

Six areas of your Azure estate, from the identity layer it shares with Microsoft 365 down to workload configuration.

Entra ID and identity

The identity layer your subscriptions share with Microsoft 365: privileged roles, PIM usage, service principals, app registrations and the consent settings attackers abuse.

Subscription governance

Management groups, RBAC assignments, owner sprawl and the orphaned resources that accumulate around every real Azure estate.

Network configuration

NSGs, public endpoints, exposed storage accounts and management ports open to the internet, reviewed against CIS Azure Foundations.

Workload configuration

Key Vault access, storage encryption and access tiers, database firewall rules and the diagnostic settings that decide whether anything is logged at all.

Defender for Cloud

Plans, coverage gaps and your Azure secure score, interpreted rather than recited: which recommendations genuinely reduce risk versus inflate licensing.

Logging and response

Activity log retention, diagnostic routing and alerting, so an incident in the estate is something you detect rather than get told about.

One identity layer

Why Azure and Microsoft 365 assess best together

Your Azure subscriptions and your Microsoft 365 tenant hang off the same Entra ID directory. The account that administers your mailboxes can often reach your infrastructure, and the app registration granted in one place works in the other. Assessing them separately means assessing the join twice, or worse, not at all.

The combined engagement reviews the shared identity layer once and each estate's own configuration on top, which is faster and cheaper than two disconnected exercises. The pricing page shows the Azure scope as a published addition to any tenant band.

Quick answers

Azure assessment questions, answered

Is this a cloud penetration test?

No. This is a configuration review: the expert examination of how your Azure estate is set up, benchmarked against CIS Azure Foundations. Configuration review finds most real-world cloud weaknesses without offensive testing. Where a pentest is genuinely warranted, CyPro's testing team quotes it separately.

Can the Azure review run alongside the Microsoft 365 assessment?

Yes, and it usually should: the two share the Entra ID identity layer, so the combined review avoids assessing the join twice. The pricing page shows the Azure scope as an addition to any Microsoft 365 band.

See combined pricing

What is an Azure secure score, and is ours good?

Defender for Cloud's percentage rating of your estate against Microsoft's recommendations. Like its Microsoft 365 sibling it needs interpretation: some points genuinely matter, some are licensing prompts. Our Secure Score guide explains both scores and what good looks like.

Secure Score, explained

We only have a small Azure footprint. Is a review worth it?

Small footprints carry outsized risk precisely because nobody owns them: one storage account of client data with a public endpoint is a breach regardless of how little else you run. The review scales to the estate; a small one is quick and priced accordingly.

3D illustration of a rocket launching, representing a Microsoft 365 security assessment getting started

The estate behind the tenant

Scope your Azure security assessment

A free 45 minute call maps what you run in Azure, confirms the published price and books the review, with or without the tenant assessment alongside.