TOC & Recently Viewed

Recently Viewed Topics

Audit Azure

Tenable offers the ability to audit the Microsoft Azure Cloud environment to detect misconfigurations in the cloud environment and account settings using Tenable.io. Complete the following steps to configure Microsoft Azure for successful Audit Cloud Infrastructure assessments with Tenable.io.

Before you Begin:

  • No pre-authorization is needed from Microsoft to perform the audit, but a Microsoft Azure account is required.
  • To perform an audit of the Microsoft Azure cloud environment, Tenable.io needs a Microsoft Azure Client ID (now known as the Application ID).

To audit the Microsoft Azure Cloud environment:

Note: An Azure Active Directory App Registration is required to complete these steps. Active Directory Federation Services (ADFS), SSO, and custom domains are not supported.

  1. Log in to the Microsoft Azure portal.

  2. In the left-hand menu, click Azure Active Directory.

  3. Click App Registrations.


  4. To add a new application, click New registration.


  5. In the Name box, enter a descriptive name for the application.

  6. In the Supported Account types section, choose one of the three options to specify the type of accounts that can access the API.
  7. (Optional) In the Redirect URI section, select either Web or Public client (mobile & desktop) from the drop-down, and then enter the URI in the text box.
  1. Click Register to finalize the settings and create the application.

    A success message appears at the top of the page stating that the new application has been created, and the page is redirected to the Overview page for the application.

  2. Copy the Application (client) ID. This information is used to configure Microsoft Azure with the Tenable.io Web Application Scanner.

  1. In the Manage section, click Certificates & secrets.


  1. In the Client Secrets section, click + New client secret.
  2. In the Description box, type a description for the client secret.
  3. For the Expires option, select an expiration date.
  4. Click the Add button.

    The new client secret is added.

In the Tenable.io Interface

  1. Log in to Tenable.io.
  2. Click New Scan.

    The My Scans page appears.

  3. Select the Audit Cloud Infrastructure template.

    The Audit Cloud Infrastructure page appears.

  4. In the Name box, type a descriptive name for the scan.
  5. Click Credentials.

  6. Click Microsoft Azure.

    Note: See the Required User Privileges section in the Nessus User Guide for the required Microsoft Azure privileges.

  7. In the appropriate boxes, enter your Microsoft Azure Username and Password, Client ID (Application ID), and Subscription IDs.

    Note: Leave the Subscription IDs box blank if you want to audit all of your Azure subscriptions.

  8. Click Compliance.

  9. Click Microsoft Azure.

    The Microsoft Azure options appear.

    Tenable offers three pre-configured compliance checks and provides the ability to upload a custom Azure audit file.

    • Microsoft Azure Best Practices – Infrastructure: This audit file implements a set of general best practices for Microsoft Azure infrastructure items including Principals, Virtual Networks, Certificates, and Virtual Machines.
    • Microsoft Azure Best Practices – Websites: This audit file implements a set of general best practices for Microsoft Azure Website items including Website Status, SSL Status, and recent Site modifications.
    • Microsoft Azure Best Practices – Databases: This audit file implements a set of general best practices for Microsoft Azure items including Database Configuration, Audit Events, and Recoverable Databases.

  10. Click each compliance check you want to add to the scan.
  11. If you choose to add a custom audit file, click Add File and select the file to upload.

  12. Do one of the following:

    • Click Save.
    • Click the drop-down arrow next to Save and select Launch to initiate the scan.

Note: For additional information on configuring Tenable.io scans, please refer to the Tenable.io User Guide.

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.