Skip to content

The 64 Azure security checks Black Cat runs

Black Cat SSPM evaluates 64 security policies against your Azure configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

mediumOwner Count Exceeded

Reduce the number of subscription Owners to three or fewer

mediumCustom Admin Roles

Replace custom admin roles with built-in RBAC roles scoped to least privilege

mediumClassic Administrators

Remove classic Co-Administrator and Service Administrator role assignments

highGuest Privileged Role

Remove privileged role assignments from guest (external) user accounts

highKey Vault RBAC Not Enabled

Switch the Key Vault permission model to Azure RBAC for centralized access control

highSQL AD Admin Not Configured

Configure a Microsoft Entra ID administrator for the Azure SQL Server

highApp Service Managed Identity Disabled

Enable a system-assigned or user-assigned managed identity on the App Service

highApp Service Auth Disabled

Enable App Service Authentication to require identity provider login for the application

audit

highNSG Flow Logs Disabled

Enable NSG flow logs to capture network traffic metadata for security analysis

mediumKey Vault Diagnostic Logging Disabled

Enable diagnostic settings on the Key Vault to capture audit and request logs

highSQL Auditing Disabled

Enable auditing on the Azure SQL Server to log all database events

mediumSQL Audit Retention Short

Extend the SQL Server audit log retention period to at least 90 days

highApp Service Logging Disabled

Enable application and HTTP logging on the App Service

mediumDiagnostic Retention Short

Set the diagnostic setting log retention period to at least 365 days

mediumAlert Policy Assignment Missing

Create an activity log alert for Azure Policy assignment create and update operations

mediumAlert NSG Create Missing

Create an activity log alert for NSG create and update operations

mediumAlert NSG Delete Missing

Create an activity log alert for NSG delete operations

mediumAlert Security Solution Create Missing

Create an activity log alert for security solution create and update operations

mediumAlert Security Solution Delete Missing

Create an activity log alert for security solution delete operations

mediumAlert SQL Firewall Missing

Create an activity log alert for SQL Server firewall rule create, update, and delete operations

mediumAlert Disabled

Enable the disabled activity log alert rule so it fires on matching events

configuration

criticalNSG Unrestricted SSH

Restrict inbound SSH (port 22) in the NSG to specific trusted IP ranges

criticalNSG Unrestricted RDP

Restrict inbound RDP (port 3389) in the NSG to specific trusted IP ranges

criticalNSG All Ports Open

Remove or restrict NSG inbound rules that allow all ports from any source

highNSG UDP Open

Restrict or remove NSG inbound rules that allow UDP traffic from internet sources

highNSG Permissive Outbound

Restrict overly permissive outbound NSG rules to only necessary destinations and ports

mediumNetwork Watcher Disabled

Enable Azure Network Watcher in all regions where virtual networks are deployed

highStorage HTTPS Not Required

Enable Secure transfer required on the storage account to enforce HTTPS-only access

highStorage Network Default Allow

Restrict storage account network access to selected virtual networks or disable public access

highStorage Minimum TLS

Set the minimum TLS version to 1.2 on the storage account

highStorage Infrastructure Encryption Disabled

Create a new storage account with infrastructure encryption enabled (cannot be enabled post-creation)

highStorage Shared Key Enabled

Disable shared key (storage account key) access and require Azure AD authentication

highStorage Blob Soft Delete Disabled

Enable soft delete for blobs to allow recovery of accidentally deleted or overwritten data

highStorage Container Soft Delete Disabled

Enable soft delete for containers to allow recovery of accidentally deleted containers

highKey Vault Soft Delete Disabled

Enable soft delete on the Key Vault to allow recovery of deleted secrets, keys, and certificates

highKey Vault Purge Protection Disabled

Enable purge protection on the Key Vault to prevent permanent deletion during the soft-delete retention period

highKey Vault Network ACLs Allow

Set the Key Vault network default action to Deny and allow only specific networks

mediumKey Vault No Private Endpoint

Add a private endpoint to the Key Vault to restrict access to within the virtual network

highDefender Servers Disabled

Enable Microsoft Defender for Servers on the subscription

highDefender App Service Disabled

Enable Microsoft Defender for App Service on the subscription

highDefender SQL Disabled

Enable Microsoft Defender for SQL on the subscription

highDefender Storage Disabled

Enable Microsoft Defender for Storage on the subscription

highDefender Containers Disabled

Enable Microsoft Defender for Containers on the subscription

highDefender Key Vault Disabled

Enable Microsoft Defender for Key Vault on the subscription

highDefender Resource Manager Disabled

Enable Microsoft Defender for Resource Manager on the subscription

highSecurity Contact Email Missing

Configure a security contact email address in Microsoft Defender for Cloud

lowSecurity Contact Phone Missing

Configure a security contact phone number in Microsoft Defender for Cloud

highSecurity Alert Notifications Disabled

Enable email alert notifications for security contacts in Defender for Cloud

mediumSecurity Auto-Provisioning Disabled

Enable automatic provisioning of the Log Analytics agent for Azure VMs

highSQL Threat Detection Disabled

Enable Microsoft Defender for SQL to activate Advanced Threat Protection on the SQL Server

highSQL TDE Disabled

Enable Transparent Data Encryption (TDE) on the Azure SQL Database

mediumSQL Firewall Allow Azure Services

Remove the firewall rule that allows all Azure services to connect to the SQL Server

criticalSQL Firewall Unrestricted

Remove or restrict the SQL Server firewall rule that allows all IP addresses

highSQL Minimum TLS

Set the minimum TLS version to 1.2 on the Azure SQL Server

highSQL Vulnerability Assessment Disabled

Enable SQL Vulnerability Assessment on the Azure SQL Server

highApp Service HTTPS Disabled

Enable HTTPS Only on the App Service to redirect all HTTP traffic to HTTPS

highApp Service Minimum TLS

Set the minimum TLS version to 1.2 on the App Service

highApp Service FTP Enabled

Disable plain FTP or restrict to FTPS only on the App Service

highApp Service Remote Debugging Enabled

Disable remote debugging on the App Service to remove the open debug port

lowApp Service HTTP/2 Disabled

Enable HTTP/2 on the App Service for improved performance and security

data exposure

highStorage Public Blob Access

Disable public blob access on the storage account to prevent anonymous data exposure

key management

highStorage Key Not Rotated

Rotate storage account access keys that are older than 90 days

highKey Vault Key No Expiry

Set an expiration date on all Key Vault keys to enforce key rotation

highKey Vault Secret No Expiry

Set an expiration date on all Key Vault secrets to enforce secret rotation

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial