
Azure Security

Assessments

  • The minimum Azure RBAC (ARM) roles needed for an Azure security assessment are Reader and Security Reader, assigned at the scope being assessed (the tenant root management group if the whole tenant is in scope, so that every subscription inherits the assignment). On the Azure AD side, the Global Reader directory role is needed.

In addition, a custom role with the following permission is needed for certain storage account checks. Note that listkeys/action returns the storage account access keys themselves, which give full data-plane access to every blob, file, queue and table in the account, so assign this role only for the duration of the assessment and remove it (and the role definition) afterwards.

{
    "Name": "Azure Assessor",
    "Description": "A role temporarily used to assess the security posture of an Azure tenant.",
    "AssignableScopes": [
        "/providers/Microsoft.Management/managementGroups/<tenant id>"
    ],
    "Actions": [
        "Microsoft.Storage/storageAccounts/listkeys/action"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": []
}
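The following Az PowerShell walks through granting the access described above at the tenant root management group (Reader, Security Reader, and the custom listKeys role created from the JSON definition) and removing it again when the assessment is finished. This is an added example, not part of the original page. The tenant ID, the assessor's object ID and the file name azure-assessor.json are placeholders. Creating a role definition and assignments at the root management group requires Owner or User Access Administrator there, so an administrator runs this, not the assessor.

```powershell
# Added example (not from the original page). Run as an administrator who holds
# Owner or User Access Administrator at the tenant root management group.
# Placeholders to replace: $TenantId, $AssessorObjectId, $RoleFile.

$TenantId         = '00000000-0000-0000-0000-000000000000'   # tenant ID; the root management group has the same ID
$AssessorObjectId = '11111111-1111-1111-1111-111111111111'   # object ID of the assessor's user or service principal
$RoleFile         = '.\azure-assessor.json'                  # the role definition above, with <tenant id> filled in
$RootScope        = "/providers/Microsoft.Management/managementGroups/$TenantId"

Connect-AzAccount -Tenant $TenantId | Out-Null

# 1. Built-in read-only roles at the root management group, so a single
#    assignment each covers every subscription in the tenant.
foreach ($role in 'Reader', 'Security Reader') {
    New-AzRoleAssignment -ObjectId $AssessorObjectId `
                         -RoleDefinitionName $role `
                         -Scope $RootScope | Out-Null
}

# 2. Custom role carrying only listKeys. New-AzRoleDefinition fails if a role
#    with the same name already exists, so reuse it in that case.
$assessorRole = Get-AzRoleDefinition -Name 'Azure Assessor' -ErrorAction SilentlyContinue
if (-not $assessorRole) {
    $assessorRole = New-AzRoleDefinition -InputFile $RoleFile
}
New-AzRoleAssignment -ObjectId $AssessorObjectId `
                     -RoleDefinitionName $assessorRole.Name `
                     -Scope $RootScope | Out-Null

# 3. Review what the assessor now holds at root scope. Anything beyond the
#    three roles above is unexpected and should be looked into.
Get-AzRoleAssignment -ObjectId $AssessorObjectId -Scope $RootScope |
    Select-Object RoleDefinitionName, Scope

# 4. Clean-up after the assessment. The listKeys role exposes the storage
#    account keys (full data-plane access), so remove it first, then the
#    read-only roles, then the role definition itself.
function Remove-AssessorAccess {
    param([string]$ObjectId, [string]$Scope)
    foreach ($role in 'Azure Assessor', 'Security Reader', 'Reader') {
        Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope -RoleDefinitionName $role |
            Remove-AzRoleAssignment | Out-Null
    }
    Get-AzRoleDefinition -Name 'Azure Assessor' -ErrorAction SilentlyContinue |
        Remove-AzRoleDefinition -Force
}
# Run when the assessment is done:
# Remove-AssessorAccess -ObjectId $AssessorObjectId -Scope $RootScope
```

Because the role assignment is at the root management group, the assessor can call listKeys on every storage account in the tenant; if only some subscriptions are in scope, set $RootScope to those subscription IDs instead and adjust AssignableScopes in the JSON to match.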

General Checks

  • Are endpoints hybrid domain joined?
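One way to answer the hybrid join question from the assessor's side with read-only access, as an added example that is not part of the original page: Azure AD records the join type of each device in the trustType attribute (ServerAd for hybrid Azure AD joined, AzureAd for Azure AD joined, Workplace for Azure AD registered), and machines that are only on-premises domain joined do not appear in Azure AD at all, so the gap is found by comparing against Active Directory. This assumes the Microsoft.Graph PowerShell module with consent for the Device.Read.All permission, and the RSAT ActiveDirectory module run from a domain-joined host; the output file names are arbitrary.

```powershell
# Added example (not from the original page). Assumes Microsoft.Graph PowerShell
# (Get-MgDevice, Device.Read.All) and, for the on-prem comparison, the RSAT
# ActiveDirectory module on a domain-joined host. File names are arbitrary.

Connect-MgGraph -Scopes 'Device.Read.All' | Out-Null

# Azure AD exposes the join type as trustType.
$joinTypes = @{
    ServerAd  = 'Hybrid Azure AD joined'   # on-prem AD joined and registered in Azure AD
    AzureAd   = 'Azure AD joined'          # cloud-only join
    Workplace = 'Azure AD registered'      # BYOD / workplace join
}

$devices = Get-MgDevice -All -Property 'id,displayName,operatingSystem,trustType,isManaged,isCompliant,approximateLastSignInDateTime'

# Summary by join type
$devices | Group-Object TrustType | ForEach-Object {
    [pscustomobject]@{
        JoinType = if ($joinTypes.ContainsKey($_.Name)) { $joinTypes[$_.Name] } else { $_.Name }
        Count    = $_.Count
    }
} | Format-Table -AutoSize

# Hybrid joined devices with no MDM management or no compliance state: they have
# a cloud identity but give Conditional Access no device compliance signal.
$devices | Where-Object { $_.TrustType -eq 'ServerAd' -and (-not $_.IsManaged -or -not $_.IsCompliant) } |
    Select-Object DisplayName, OperatingSystem, IsManaged, IsCompliant, ApproximateLastSignInDateTime |
    Export-Csv hybrid-unmanaged.csv -NoTypeInformation

# Domain computers that never hybrid joined are invisible to Azure AD, so compare
# against AD. Hybrid join sets the Azure AD displayName to the computer name,
# which makes name matching workable. The OS filter is a heuristic for Windows
# 10/11 workstations; servers are normally not expected to hybrid join.
Import-Module ActiveDirectory
$adWorkstations = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "Windows 1*"' `
                                 -Properties OperatingSystem, LastLogonDate
$hybridNames = $devices | Where-Object TrustType -eq 'ServerAd' |
    ForEach-Object { $_.DisplayName.ToUpperInvariant() }

$adWorkstations | Where-Object { $_.Name.ToUpperInvariant() -notin $hybridNames } |
    Select-Object Name, OperatingSystem, LastLogonDate |
    Sort-Object LastLogonDate -Descending |
    Export-Csv not-hybrid-joined.csv -NoTypeInformation
```

On a single endpoint the same question is answered locally with `dsregcmd /status`: a hybrid joined device reports both AzureAdJoined and DomainJoined as YES in the Device State section.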

Getting Inventory

Get a list of all resources in the current subscription (the one selected in the current Az context):

Get-AzResource | select Name,Type,ResourceGroupName,SubscriptionId | Export-Csv resources.csv -NoTypeInformation
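Get-AzResource only returns the subscription of the current context, so a tenant-wide inventory has to repeat the call per subscription. The following is an added example, not from the original page: it enumerates every enabled subscription the Reader assignment can see, collects the resources with the subscription name attached, and writes one CSV plus a count per resource type. It assumes the Az module; the output file names are arbitrary.

```powershell
# Added example (not from the original page). Assumes the Az module and a Reader
# assignment covering the subscriptions to inventory. File names are arbitrary.

function Get-TenantResourceInventory {
    # Returns one object per resource across all enabled subscriptions.
    $subscriptions = Get-AzSubscription | Where-Object State -eq 'Enabled'
    foreach ($sub in $subscriptions) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null
        Get-AzResource | ForEach-Object {
            # Tags flattened to "k=v;k=v" so the CSV stays one row per resource
            $tags = if ($_.Tags) {
                ($_.Tags.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';'
            } else { '' }
            [pscustomobject]@{
                SubscriptionName  = $sub.Name
                SubscriptionId    = $sub.Id
                ResourceGroupName = $_.ResourceGroupName
                Name              = $_.Name
                Type              = $_.ResourceType
                Location          = $_.Location
                Tags              = $tags
            }
        }
    }
}

$inventory = Get-TenantResourceInventory
$inventory | Export-Csv resources.csv -NoTypeInformation

# Resource types by count: a quick view of the exposed surface (public IPs,
# storage accounts, Key Vaults, VMs, app services) and of services appearing in
# subscriptions that should not have them.
$inventory | Group-Object Type | Sort-Object Count -Descending |
    Select-Object Count, Name |
    Export-Csv resource-types.csv -NoTypeInformation

# Enabled subscriptions with no resources at all are still worth noting: they
# carry RBAC assignments and policy scope even though there is nothing to look at.
Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' -and $_.Id -notin $inventory.SubscriptionId } |
    Select-Object Name, Id
```

Set-AzContext changes the current context for the session, so re-select the working subscription afterwards if later checks depend on it.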

Tools

Best Practices

  • Automated/programmatic deployment and configuration (templates and pipelines) is recommended over manual changes in the portal, so that the configuration is repeatable and reviewable.

Training

  • azure/qnd/azure_security.txt
  • Last modified: 2022/11/08 14:41
  • by mgupton