====== Azure Security ======

  * [[https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/|Cloud Adoption Framework]]
  * [[https://docs.microsoft.com/en-us/azure/architecture/framework/|Microsoft Azure Well-Architected Framework]]
  * [[https://docs.microsoft.com/en-us/azure/security/|Azure security documentation]]
  * [[https://docs.microsoft.com/en-us/security/benchmark/azure/introduction|Azure Security Benchmark]]
  * [[https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction|Microsoft Defender for Cloud]]
  * Secure Score (reported by Defender for Cloud)

====== Assessments ======

  * The minimum ARM roles/permissions needed to do an Azure security assessment are //Reader// and //Security Reader// on every subscription or management group in scope. The //Global Reader// role is needed in Azure AD (Microsoft Entra ID); it is a directory role and is assigned separately from ARM RBAC.
  * In addition, a custom role with the following permission is needed for certain storage account checks. Append the target management group ID to the entry in ''AssignableScopes'' before creating the role.
  * Caveat: ''listkeys'' returns the storage account access keys, which grant full data-plane access to every blob, file share, queue and table in the accounts in scope. Treat the assignment as privileged: grant it for the duration of the assessment only, record who held it, and remove both the assignment and the role definition when the assessment ends.

<code json>
{
  "Name": "Azure Assessor",
  "Description": "A role temporarily used to assess the security posture of an Azure tenant.",
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/"
  ],
  "Actions": [
    "Microsoft.Storage/storageAccounts/listkeys/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": []
}
</code>

====== General Checks ======

  * Are endpoints hybrid Azure AD joined (joined to on-premises AD and registered in Azure AD)?

====== Getting Inventory ======

Get a list of all resources in the current subscription. ''Get-AzResource'' only returns resources from the subscription selected with ''Set-AzContext'', so repeat this per subscription for a tenant-wide inventory. ''-NoTypeInformation'' keeps Windows PowerShell 5.1 from writing a ''#TYPE'' header line into the CSV.

<code powershell>
Get-AzResource | Select-Object Name,Type,ResourceGroupName,SubscriptionId | Export-Csv resources.csv -NoTypeInformation
</code>

====== Tools ======

  * [[https://github.com/turbot/steampipe-mod-azure-compliance|steampipe-mod-azure-compliance]] (Steampipe benchmark controls, e.g. CIS, for Azure)
  * [[https://github.com/AzureAD/AzureADAssessment|AzureADAssessment]] (PowerShell module for assessing an Azure AD tenant's configuration)

====== Best Practices ======

  * Automated/programmatic deployment and configuration is recommended over manual changes in the portal: it is repeatable, reviewable and leaves an audit trail.

====== Training ======

  * [[https://parveensingh.com/az-500-study-guide/]]
  * [[https://charbelnemnom.com/passed-exam-az-500-microsoft-certified-azure-security-engineer/]]
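The following is an added example, not code from the original page: it grants the assessment roles described in the Assessments section above at management-group scope (Reader, Security Reader and the custom Azure Assessor role through ARM RBAC, Global Reader through Microsoft Graph), and revokes all of them afterwards so the ''listkeys'' permission does not outlive the assessment. The management group ID and the assessor's object ID are placeholders you must replace; the Az.Resources and Microsoft.Graph.Identity.Governance modules are assumed to be installed.

```powershell
# Added example (not from the original page). Assumed values, replace with your own:
$ManagementGroupId = 'contoso-root'                           # assumption
$AssessorObjectId  = '00000000-0000-0000-0000-000000000000'   # assumption: user or service principal object ID
$Scope             = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"
$CustomRoleName    = 'Azure Assessor'
$BuiltInRoles      = @('Reader', 'Security Reader')

function Grant-AssessorAccess {
    # Build the custom role from the page's definition with AssignableScopes filled in.
    # New-AzRoleDefinition reads the definition from a JSON file.
    $roleJson = @{
        Name             = $CustomRoleName
        Description      = 'A role temporarily used to assess the security posture of an Azure tenant.'
        IsCustom         = $true
        AssignableScopes = @($Scope)
        Actions          = @('Microsoft.Storage/storageAccounts/listkeys/action')
        NotActions       = @()
        DataActions      = @()
        NotDataActions   = @()
    } | ConvertTo-Json
    $file = New-TemporaryFile
    Set-Content -Path $file.FullName -Value $roleJson
    New-AzRoleDefinition -InputFile $file.FullName | Out-Null
    Remove-Item $file.FullName

    # ARM role assignments. A newly created custom role can take a moment to become
    # assignable, so retry a few times instead of failing on the first attempt.
    foreach ($role in $BuiltInRoles + $CustomRoleName) {
        $attempt = 0
        do {
            try {
                New-AzRoleAssignment -ObjectId $AssessorObjectId -RoleDefinitionName $role `
                    -Scope $Scope -ErrorAction Stop | Out-Null
                break
            } catch {
                $attempt++
                if ($attempt -ge 6) { throw }
                Start-Sleep -Seconds 10
            }
        } while ($true)
    }

    # Global Reader is an Azure AD directory role, assigned via Microsoft Graph, not ARM.
    # Look it up by display name rather than hardcoding the role template ID.
    $globalReader = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $AssessorObjectId `
        -RoleDefinitionId $globalReader.Id -DirectoryScopeId '/' | Out-Null
}

function Revoke-AssessorAccess {
    # Remove assignments before the definition: a role with live assignments cannot be deleted.
    foreach ($role in $BuiltInRoles + $CustomRoleName) {
        Remove-AzRoleAssignment -ObjectId $AssessorObjectId -RoleDefinitionName $role `
            -Scope $Scope -ErrorAction SilentlyContinue
    }
    Remove-AzRoleDefinition -Name $CustomRoleName -Scope $Scope -Force

    $globalReader = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"
    Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$AssessorObjectId' and roleDefinitionId eq '$($globalReader.Id)'" |
        ForEach-Object { Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id }
}

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory' | Out-Null
Grant-AssessorAccess
# ... run the assessment ...
Revoke-AssessorAccess
```

Running ''Grant-AssessorAccess'' and ''Revoke-AssessorAccess'' from the same script keeps the privileged ''listkeys'' grant bounded to the engagement; if the assessor exported any storage account keys during the assessment, rotate those keys after revocation as well.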
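The one-liner in the Getting Inventory section above only covers the subscription in the current context. As an added example (not from the original page), the following Az PowerShell script walks every enabled subscription the signed-in identity can see, collects the same fields plus the subscription name and location, writes one CSV, and prints a count per resource type, which is a quick way to decide which checks are relevant to the estate. No values other than the output filename are assumed.

```powershell
# Added example (not from the original page): tenant-wide resource inventory.
Connect-AzAccount | Out-Null   # sign in once; all subscriptions below share this session

function Get-TenantInventory {
    foreach ($sub in Get-AzSubscription) {
        # Set-AzContext fails on disabled or warned subscriptions, so skip them explicitly.
        if ($sub.State -ne 'Enabled') { continue }
        Set-AzContext -SubscriptionId $sub.Id | Out-Null

        # Get-AzResource is scoped to the current context, hence the loop.
        Get-AzResource |
            Select-Object Name, Type, ResourceGroupName, Location,
                @{ Name = 'SubscriptionName'; Expression = { $sub.Name } },
                @{ Name = 'SubscriptionId';   Expression = { $sub.Id } }
    }
}

$inventory = Get-TenantInventory

# One CSV for the whole tenant; -NoTypeInformation avoids the #TYPE header on Windows PowerShell 5.1.
$inventory | Export-Csv -Path resources.csv -NoTypeInformation

# Resource types by frequency: shows at a glance where the assessment effort should go.
$inventory | Group-Object Type | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

For large tenants, Azure Resource Graph (''Search-AzGraph'' from the Az.ResourceGraph module) returns the same inventory across all subscriptions in a single query without switching contexts, but it pages results and needs ''-First'' and a skip token to retrieve more than the default batch.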