Auditing the Microsoft Azure Cloud Environment

Tenable offers the ability to audit the Microsoft Azure Cloud environment to detect misconfigurations in the cloud environment and in account settings. Audits can be performed using Nessus Manager or a standalone Nessus scanner. No pre-authorization is needed from Microsoft to perform the audit, but a Microsoft Azure account is required.

To perform an audit of the Microsoft Azure cloud environment, Nessus needs a Microsoft Azure Client ID. To obtain a Client ID, navigate to Microsoft Azure and log in.

  1. Once logged in to the Microsoft Azure portal, click Azure Active Directory in the left-hand menu.

  2. Click App registrations.

  3. To add a new application, click New Application Registration.

  4. Under the Create section, enter a descriptive Name for the application.

  5. Click the Application Type drop-down and select Native.

  6. Enter a Redirect URL.

  7. Click Create to finalize the settings.

  8. A success message will display at the top of the page stating that the new Application has been created.

  9. Double-click on the newly created application to display its details. Copy the Application ID. This information will be used to complete the audit configuration with Nessus.

  10. Click Settings under the Test Application section and then click Required permissions.

  11. Under the Required Permissions section click + Add.

  12. Click Select an API from within the Add API access section. Once selected, the Select an API options will appear. Highlight Windows Azure Service Management API and click Select.

  13. Check the box next to Access Azure Service Management as organization users (preview) to enable the permissions. Once enabled, click Select.

  14. Once the permissions have been enabled, click Done to finalize the settings.

  15. Log in to Nessus and click New Scan.

  16. Select the Audit Cloud Infrastructure template.

  17. Enter a descriptive name for the scan and then click Credentials.

  18. Click the + next to Microsoft Azure to open the Credentials options.

    Note: See the Required User Privileges section in the Nessus User Guide for the required Microsoft Azure privileges.

  19. Enter your Microsoft Azure Username and Password, Client ID (Application ID), and Subscription IDs into the appropriate boxes. Leave the Subscription IDs box blank if you want to audit all of your Azure subscriptions.

  20. Tenable offers three pre-configured compliance checks and also provides the ability to upload a custom Azure audit file.

    Note: Descriptions of the pre-configured compliance checks.

    Microsoft Azure Best Practices – Infrastructure: This audit file implements a set of general best practices for Microsoft Azure infrastructure items including Principals, Virtual Networks, Certificates, and Virtual Machines.

    Microsoft Azure Best Practices – Websites: This audit file implements a set of general best practices for Microsoft Azure Website items including Website Status, SSL Status, and recent Site modifications.

    Microsoft Azure Best Practices – Databases: This audit file implements a set of general best practices for Microsoft Azure items including Database Configuration, Audit Events, and Recoverable Databases.

    Click Compliance to expand the Microsoft Azure option.

  21. Click the + next to each compliance check you want to add to the scan.

    Note: If you choose to add a custom audit file, click Add File and select the file to upload.

  22. Click Save or click the drop-down arrow next to Save and select Launch to initiate the scan.
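
Before handing the Client ID to Nessus, the registration created in steps 1 to 14 can be checked against the one permission those steps add. The following Python check is an added example, not part of Tenable's documentation: it assumes the application manifest has been exported as JSON with `appId` and `requiredResourceAccess` fields, uses the well-known IDs of the Windows Azure Service Management API and its delegated `user_impersonation` scope, and runs on constructed sample manifests.

```python
import json
import re

# Well-known IDs: the Windows Azure Service Management API and its delegated
# user_impersonation scope ("Access Azure Service Management as organization users").
ASM_API = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
ASM_USER_IMPERSONATION = "41094075-9dad-400e-a0bd-54e686782033"
GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def review_registration(manifest):
    """Return a list of findings; an empty list means the manifest matches the steps."""
    findings = []
    if not GUID.match(str(manifest.get("appId", ""))):
        findings.append("appId is missing or not a GUID; this is the Client ID Nessus needs")
    granted = set()
    for resource in manifest.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            granted.add((resource.get("resourceAppId", "").lower(),
                         access.get("id", "").lower(), access.get("type")))
    wanted = (ASM_API, ASM_USER_IMPERSONATION, "Scope")
    if wanted not in granted:
        findings.append("missing delegated Service Management permission (steps 12-13)")
    for api, perm, kind in sorted(granted - {wanted}):
        label = "application role" if kind == "Role" else "delegated scope"
        findings.append(f"extra {label} {perm} on API {api}; not added by the steps above")
    return findings


# Constructed sample manifests (every GUID except the two constants is made up).
GOOD = json.loads("""{
  "appId": "11111111-2222-3333-4444-555555555555",
  "requiredResourceAccess": [
    {"resourceAppId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
     "resourceAccess": [{"id": "41094075-9dad-400e-a0bd-54e686782033", "type": "Scope"}]}
  ]
}""")
OVERSCOPED = json.loads(json.dumps(GOOD))
OVERSCOPED["requiredResourceAccess"].append(
    {"resourceAppId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
     "resourceAccess": [{"id": "99999999-8888-7777-6666-555555555555", "type": "Role"}]})

if __name__ == "__main__":
    for name, manifest in (("good", GOOD), ("overscoped", OVERSCOPED)):
        print(name, review_registration(manifest) or "OK")
```

Any permission reported as extra is a prompt to review the registration, since the audit account's reach in Azure is bounded by what the application and the signed-in user are allowed to do.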

For additional information on configuring Nessus scans, please refer to the Nessus User Guide.

Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable,, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.