Azure Cloud Infrastructure Security Assessment

90/100 Risk Score.
25 Azure Misconfigurations. One Audit.

A full-spectrum Azure cloud infrastructure security assessment of AzureVault Analytics — a data analytics and business intelligence platform running entirely on Microsoft Azure. We found everything from publicly accessible Blob Storage containers leaking customer datasets to a Global Admin account with no MFA. CIS Azure Foundations Benchmark compliance: 9%. SOC2 coverage: 12%.

8 Critical (active exposure) · 9 High (urgent remediation) · 8 Medium (address promptly) · Risk Score 90 out of 100

AzureVault Analytics operates a fully Azure-native BI and data analytics platform serving 180 enterprise customers across financial services and retail. Their stack runs on Azure subscriptions managed through Azure DevOps, with data workloads in Azure SQL, Blob Storage, and Azure Functions — all orchestrated through AKS. The engagement began with a read-only Azure AD role handoff. Within 3 hours, we had identified customer analytics datasets leaking from a public Blob Storage container with anonymous read access enabled.

The most alarming discovery wasn't a single misconfiguration — it was the complete absence of identity controls and detection infrastructure. Zero Conditional Access policies in Azure AD. Microsoft Defender for Cloud disabled at the subscription level. No Azure Activity Log forwarded to any SIEM. AzureVault's Global Admin account — the highest-privilege identity in the tenant — had no MFA configured. A single phishing email to the right address would hand an attacker irrecoverable full tenant control.

Across three days of assessment, we mapped every misconfiguration, demonstrated live data exposure from the public Blob container, and documented the Service Principal privilege escalation path: a service principal with Owner rights on the subscription could trivially modify any resource, exfiltrate any secret from Key Vault, and delete production infrastructure. The Key Vault had soft-delete disabled — meaning accidental or malicious key deletion would be permanent and unrecoverable.

Client: AzureVault Analytics
Industry: Data Analytics / BI
Infrastructure: Azure subscriptions + AKS + DevOps
Monthly Azure Spend: $35,000 — no budget alerts
Engagement Date: April 2026
Duration: 3-day assessment
Risk Score: 90 / 100

Why Azure misconfigurations are high-stakes for data companies: Azure is Microsoft's cloud — and for data analytics platforms, the blast radius of a misconfiguration is amplified. A public Blob Storage container doesn't just leak files — it leaks the structured datasets that are AzureVault's core product. Azure AD is the identity spine of the entire tenant: one compromised privileged account cascades to every resource, subscription, and DevOps pipeline. The Microsoft Shared Responsibility Model puts identity and access management, data encryption, and network controls squarely on the customer. AzureVault had none of these configured correctly.

Attack Surface

Azure Services with Findings

Every major Azure service in the AzureVault stack had at least one critical misconfiguration. This is what the infrastructure looked like from an attacker's perspective.

Azure Blob Storage (3 findings): public anonymous access, access keys never rotated, no service endpoint
Azure Active Directory (3 findings): no Conditional Access, Global Admin without MFA, no password expiration policy
Azure SQL (2 findings): public endpoint with no firewall rules, Transparent Data Encryption disabled
Network / NSGs (3 findings): 0.0.0.0/0 on SSH/RDP, VMs with public IPs and no NSG, no VNet service endpoints
Azure AD / IAM (2 findings, shared with AD): Service Principal with Owner role on subscription, no Conditional Access enforcement
Azure Key Vault (1 finding): soft-delete disabled — permanent data loss risk on any key deletion
Azure Functions (2 findings): connection strings hardcoded in app settings, deprecated runtime stacks
Defender for Cloud (1 finding): Microsoft Defender for Cloud disabled — zero threat detection or security posture scoring
App Gateway / Front Door (2 findings): outdated TLS 1.0/1.1, no WAF policy on Front Door
ACR / App Config / DevOps (3 findings): ACR admin enabled, no image scanning; secrets in App Config; no Azure Policy
All 25 Findings

Every Misconfiguration, Explained

8 Critical, 9 High, 8 Medium. Every finding maps to CIS Azure Foundations Benchmark controls, SOC2 trust service criteria, and NIST 800-53 control families.

Critical C-01
Blob Storage Containers with Public Anonymous Access
The azurevault-customer-exports and azurevault-analytics-reports containers had anonymous access set to Blob, allowing any unauthenticated HTTP request to enumerate and download every analytics report, dashboard export, and customer dataset. 180 enterprise customers' proprietary BI data was publicly readable.
Controls: CIS Azure 3.1 · SOC2 CC6.1 · NIST 800-53 AC-3
Remediation

Set anonymous access to None on all storage containers immediately. Enable the "Allow Blob public access" block at the storage account level. Use Shared Access Signatures (SAS) with expiry or Azure AD-based authorization for all application access.
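To make the "effective exposure" rule in this remediation concrete, here is an added checker (not the assessment's tooling) that reports which containers an anonymous caller can actually read, treating the account-level allowBlobPublicAccess switch as overriding the container setting; the input follows the field names of `az storage account show` / `az storage container list` (assumed shape), and the accounts below are constructed sample data.

```python
"""Report containers an anonymous caller can actually read.

Anonymous reads need BOTH the account-level allowBlobPublicAccess switch on
(true, or unset on older accounts) AND a container publicAccess of 'blob' or
'container'. Field names mirror the Azure CLI JSON (assumed shape).
"""
import json

# Constructed sample data: three accounts, one with the account-level block set.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "azurevaultdata", "allowBlobPublicAccess": true, "containers": [
     {"name": "azurevault-customer-exports", "properties": {"publicAccess": "blob"}},
     {"name": "azurevault-analytics-reports", "properties": {"publicAccess": "container"}},
     {"name": "internal-etl", "properties": {"publicAccess": null}}]},
  {"name": "azurevaultbackups", "allowBlobPublicAccess": false, "containers": [
     {"name": "db-backups", "properties": {"publicAccess": "blob"}}]},
  {"name": "azurevaultlegacy", "containers": [
     {"name": "reports-2019", "properties": {"publicAccess": "blob"}}]}
]
""")


def container_setting(container):
    """Container-level publicAccess normalised to 'none', 'blob' or 'container'."""
    return ((container.get("properties") or {}).get("publicAccess") or "none").lower()


def effective_public_access(account, container):
    """What an unauthenticated request gets: 'none', 'blob' (read blobs by name)
    or 'container' (list and read every blob)."""
    if account.get("allowBlobPublicAccess") is False:
        return "none"  # the account-level block wins over the container setting
    return container_setting(container)  # unset account flag == historically allowed


def audit_public_containers(accounts):
    """One finding per container that is exposed now (critical) or only saved by
    the account switch (medium, because the container setting is still wrong)."""
    findings = []
    for acct in accounts:
        for ctr in acct.get("containers", []):
            effective = effective_public_access(acct, ctr)
            if effective != "none":
                sev = "critical"
                fix = ("set container publicAccess to none, then set "
                       "allowBlobPublicAccess=false on the account")
            elif container_setting(ctr) != "none":
                sev = "medium"
                fix = "set container publicAccess to none so the account block is not the only control"
            else:
                continue
            findings.append({"account": acct["name"], "container": ctr["name"],
                             "effective": effective, "severity": sev, "fix": fix})
    return findings
```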

Critical C-02
Global Admin Account Without MFA
The Global Administrator account in AzureVault's Azure AD tenant had no multi-factor authentication configured. Global Admin is the highest-privilege role in Azure — it has irrevocable control over every subscription, every resource, every user account, and every Azure DevOps pipeline in the tenant. A single successful phishing attack against the Global Admin email address would give an attacker permanent full control of AzureVault's entire cloud infrastructure.
Controls: CIS Azure 1.1 · SOC2 CC6.1 · NIST 800-53 IA-5
Remediation

Enable MFA on the Global Admin account immediately — use Microsoft Authenticator app or a hardware FIDO2 key. Create a Conditional Access policy requiring MFA for all privileged roles. Consider creating a dedicated break-glass account with hardware key stored physically, and remove the Global Admin role from daily-use accounts.

Critical C-03
Network Security Groups Open to World on SSH and RDP
11 Network Security Groups had inbound rules permitting 0.0.0.0/0 on TCP port 22 (SSH) and 9 NSGs allowed 0.0.0.0/0 on TCP port 3389 (RDP). Every associated VM is directly reachable from the internet for brute-force and credential-stuffing attacks around the clock.
Controls: CIS Azure 6.1 · CIS Azure 6.2 · SOC2 CC6.6
Remediation

Remove all inbound rules allowing 0.0.0.0/0 on ports 22 and 3389. Use Azure Bastion for all VM administrative access: it provides browser-based SSH/RDP over TLS on port 443 without exposing management ports. If direct SSH is required, restrict source IPs to specific corporate NAT ranges.
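Since an open-world Allow rule only matters if no lower-numbered Deny catches the same traffic first, here is an added evaluator (not the assessment's tooling) that walks each NSG's inbound rules in priority order, first match wins, and reports which management ports an Internet source can reach; the rule fields follow the `securityRules` shape of `az network nsg list` (assumed), and both NSGs below are constructed.

```python
"""Find NSGs that leave SSH/RDP reachable from the Internet.

Azure evaluates inbound rules by ascending priority and stops at the first
match, so an Allow is effective only if no lower-numbered Deny matches first;
the platform default DenyAllInbound (priority 65500) closes everything else.
"""
import json

WORLD_SOURCES = {"*", "0.0.0.0/0", "internet", "any"}  # source prefixes meaning "anyone"
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample: one NSG open to the world, one that denies first.
SAMPLE_NSGS = json.loads("""
[
  {"name": "nsg-analytics-vms", "securityRules": [
    {"name": "allow-ssh-any", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-rdp-any", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["3389", "5985-5986"]}
  ]},
  {"name": "nsg-bastion-only", "securityRules": [
    {"name": "deny-mgmt-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3389"]},
    {"name": "allow-ssh-corp", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "allow-any-any", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
  ]}
]
""")


def port_ranges(rule):
    """Normalise destinationPortRange(s) to (low, high) tuples; '*' means all ports."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    out = []
    for r in ranges:
        if r == "*":
            out.append((0, 65535))
        elif "-" in r:
            lo, hi = r.split("-", 1)
            out.append((int(lo), int(hi)))
        else:
            out.append((int(r), int(r)))
    return out


def rule_sources(rule):
    srcs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return {s.lower() for s in srcs}


def matches_world_tcp(rule, port):
    """True if Azure would apply this rule to TCP/<port> arriving from the Internet."""
    if rule.get("direction") != "Inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", "tcp"):
        return False
    if not (rule_sources(rule) & WORLD_SOURCES):
        return False
    return any(lo <= port <= hi for lo, hi in port_ranges(rule))


def world_reachable_ports(nsg):
    """Map management port -> name of the Allow rule that exposes it (first match wins)."""
    rules = sorted(nsg.get("securityRules", []), key=lambda r: r["priority"])
    exposed = {}
    for port in MGMT_PORTS:
        for rule in rules:
            if matches_world_tcp(rule, port):
                if rule["access"] == "Allow":
                    exposed[port] = rule["name"]
                break  # a matching Deny also ends evaluation for this port
    return exposed


def audit_nsgs(nsgs):
    return [{"nsg": n["name"], "service": MGMT_PORTS[p], "port": p, "rule": r}
            for n in nsgs for p, r in world_reachable_ports(n).items()]
```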

Critical C-04
Azure SQL Databases — Public Endpoint with No Firewall Rules
Three Azure SQL databases — including the production analytics data warehouse — had the public endpoint enabled and no server-level or database-level firewall rules configured. The databases were reachable from any IP address globally on port 1433. Combined with the absence of Azure AD authentication enforcement, the only barrier to the production database was a single password.
Controls: CIS Azure 4.1 · SOC2 CC6.6 · NIST 800-53 SC-7
Remediation

Disable the public endpoint on all Azure SQL servers and switch to Private Endpoint access via Azure Private Link. Add a firewall rule denying all public IP access (Deny all). Enforce Azure AD-only authentication and disable SQL authentication. Use Managed Identity for application connections.

Critical C-05
Service Principal with Owner Role on Subscription
A service principal used by the Azure DevOps deployment pipeline had the built-in Owner role assigned directly on the production subscription. Owner provides full control — read and write to all resources, manage role assignments, and modify identity configurations. Any compromise of the DevOps pipeline (e.g., via a supply chain attack or malicious commit) would grant an attacker subscription-level administrative access.
Controls: CIS Azure 1.21 · SOC2 CC6.3 · NIST 800-53 AC-6
Remediation

Replace the Owner role assignment with a custom role scoped to the minimum permissions the pipeline actually requires (e.g., deploy to specific resource groups, not the entire subscription). Use Azure RBAC conditions where available. Rotate the service principal credentials and enable Managed Identity for Azure-hosted pipeline agents.

Critical C-06
Key Vault Soft-Delete Disabled — Permanent Data Loss Risk
Azure Key Vault soft-delete was disabled on AzureVault's primary Key Vault, which stores all application secrets, TLS certificates, and encryption keys. With soft-delete off, any secret, key, or certificate deletion is permanent and immediate — there is no recovery window. A malicious insider, a misconfigured automation script, or an attacker who gains Key Vault write access can destroy all encryption keys and secrets with zero possibility of recovery, potentially causing a permanent loss of access to all encrypted data.
Controls: CIS Azure 8.4 · SOC2 A1.2 · NIST 800-53 SC-12
Remediation

Enable soft-delete (90-day retention) and purge protection on all Key Vault instances immediately. Purge protection prevents permanent deletion, even by administrators, during the retention window. Note: once enabled, neither setting can be turned off again; this is by design.

Critical C-07
Azure AD — No Conditional Access Policies
AzureVault's Azure AD tenant had zero Conditional Access policies configured. Conditional Access is the primary defense against compromised credentials in Azure: it enforces MFA, restricts sign-ins from non-compliant devices, blocks sign-ins from risky locations, and controls access based on user role and risk signal. Without it, any valid password — regardless of sign-in location, device health, or user risk score — grants full access to all Azure resources, applications, and data.
Controls: CIS Azure 1.2 · SOC2 CC6.1 · NIST 800-53 AC-17
Remediation

Create baseline Conditional Access policies: (1) Require MFA for all users, (2) Require MFA for all privileged roles, (3) Block legacy authentication protocols, (4) Require compliant device for access to sensitive data. Use Azure AD Identity Protection risk-based policies to automatically require step-up auth on anomalous sign-ins.

Critical C-08
VMs with Public IP Addresses and No NSG Attached
Seven virtual machines had public IP addresses assigned and no Network Security Group attached at either the NIC or subnet level. These machines are fully exposed to the internet — all ports, all protocols, no filtering. Any service running on these VMs (SSH, RDP, web servers, admin panels, internal APIs) is directly internet-accessible with no network-layer restriction whatsoever.
Controls: CIS Azure 6.3 · SOC2 CC6.6 · NIST 800-53 SC-7
Remediation

Attach an NSG to every VM NIC and every subnet with a default-deny inbound rule. Remove public IP assignments from VMs that do not need direct internet access — use Azure Load Balancer or Application Gateway for inbound traffic. Audit all public IP assignments using Azure Policy.

High H-01
No Azure Activity Log Forwarded to SIEM
AzureVault had no diagnostic settings configured to export the Azure Activity Log to a Log Analytics Workspace, Event Hub, or any external SIEM. The Activity Log is the primary audit trail for every control-plane action in Azure — role assignments, resource creation/deletion, policy changes, and Key Vault access. Without it, any administrative action taken by an attacker, a malicious insider, or a misconfigured automation script is undetectable and unauditable.
Controls: CIS Azure 5.1 · SOC2 CC7.2 · NIST 800-53 AU-2
High H-02
Azure Functions — Connection Strings Hardcoded in App Settings
14 Azure Functions apps stored database connection strings, Azure Storage access keys, and third-party API credentials as plaintext App Settings. App Settings are visible in clear text in the Azure portal to any user with Contributor or Reader access to the resource group. These values are also included in ARM template exports, deployment logs, and may be captured in Application Insights telemetry on exceptions.
Controls: CIS Azure 9.4 · SOC2 CC6.7 · NIST 800-53 IA-5
High H-03
Microsoft Defender for Cloud Not Enabled
Microsoft Defender for Cloud — Azure's primary threat detection and security posture management service — was not enabled at the subscription level. Defender for Cloud provides real-time threat detection for Azure SQL injection attempts, anomalous storage access, compromised identity behavior, AKS container escapes, and VM-level malware. Without it, active attacks in the environment generate no alerts, no security score baseline, and no compliance visibility.
Controls: CIS Azure 2.1 · SOC2 CC7.2 · NIST 800-53 SI-4
High H-04
Storage Account Access Keys Never Rotated
Access keys for all 6 storage accounts were generated at account creation and had never been rotated. Azure storage access keys provide full read/write/delete access to all data in the storage account — equivalent to root credentials. Long-lived static keys that are never rotated dramatically extend the blast radius of any key exposure (through leaked logs, compromised CI/CD pipelines, or insider access).
Controls: CIS Azure 3.2 · SOC2 CC6.7 · NIST 800-53 IA-5
Remediation

Rotate both access keys for all storage accounts immediately. Enable Azure Key Vault key rotation policy for automatic rotation. Migrate all applications to use Managed Identity or SAS tokens with expiry instead of storage account keys. Azure Policy can flag storage accounts using key-based auth.

High H-05
Azure Disk Encryption Not Enabled on VMs
18 of 24 virtual machines had Azure Disk Encryption (ADE) disabled. While Azure platform-managed encryption protects against physical hardware theft, ADE with customer-managed keys in Key Vault provides an additional layer: the encrypted disk is useless without the Key Vault key. For VMs processing customer analytics data, unencrypted OS and data disks represent a data confidentiality risk if a snapshot is shared, copied, or the underlying hardware is reused.
Controls: CIS Azure 7.2 · SOC2 CC9.9 · NIST 800-53 SC-28
High H-06
Terraform State in Azure Blob Without Lock or Versioning
The Terraform state file (terraform.tfstate) was stored in an Azure Blob container with no blob versioning enabled and no state locking via Azure Cosmos DB or equivalent. Terraform state contains a plaintext map of all infrastructure: resource IDs, managed identity client IDs, Key Vault URIs, database FQDNs, and any sensitive output values. Without locking, concurrent pipeline runs can corrupt state. Without versioning, corrupted or deleted state is unrecoverable.
Controls: CIS Azure 3.3 · NIST 800-53 CM-7 · IaC Security
Remediation

Enable blob versioning and soft-delete on the state storage container. Implement state locking using an Azure Cosmos DB backend or Terraform Cloud remote state. Store the state storage account access key in Key Vault — never in pipeline environment variables or source code.

High H-07
Azure SQL — Transparent Data Encryption Disabled
Transparent Data Encryption (TDE) was disabled on two of the three Azure SQL databases. TDE encrypts the physical storage files of the database, ensuring that if a data file, backup, or transaction log is exfiltrated, it cannot be read without the encryption key. Disabling TDE on a database containing customer analytics data is a direct violation of SOC2 Confidentiality criteria and the CIS Azure Foundations Benchmark.
Controls: CIS Azure 4.5 · SOC2 C1.1 · NIST 800-53 SC-28
Remediation

Enable TDE on all Azure SQL databases immediately — it can be toggled in the Azure portal with no downtime. Migrate from service-managed keys to customer-managed keys (CMK) stored in Key Vault for full cryptographic control. Enable TDE by default on all new databases via Azure Policy.

High H-08
Application Gateway — Outdated TLS 1.0 and 1.1
The Azure Application Gateway fronting AzureVault's customer-facing analytics portal was configured with an SSL policy that permitted TLS 1.0 and TLS 1.1 connections. Both protocols are deprecated — TLS 1.0 is vulnerable to BEAST and POODLE attacks; TLS 1.1 was formally deprecated by RFC 8996. Enterprise customers connecting over legacy TLS are transmitting session tokens and analytics query data over cipher suites with known practical exploits.
Controls: CIS Azure 9.3 · SOC2 CC6.7 · NIST 800-53 SC-8
Remediation

Update the Application Gateway SSL policy to AppGwSslPolicy20220101 (TLS 1.2 minimum, TLS 1.3 preferred). Disable all cipher suites below 128-bit strength. Apply the same policy to any Azure Front Door or API Management endpoints.

High H-09
Azure Container Registry — Admin Account Enabled, No Image Scanning
The Azure Container Registry storing all AKS workload images had the built-in admin account enabled — a shared username/password that provides full push/pull access to all container images. Additionally, Microsoft Defender for Container Registries was not enabled, meaning container images used in production AKS were never scanned for CVEs. Images with critical vulnerabilities (Log4Shell equivalents in base images) are deployed to production with zero detection.
Controls: CIS Azure 7.4 · SOC2 CC7.7 · NIST 800-53 SI-3
Medium M-01
No Virtual Network Service Endpoints for PaaS Services
Azure SQL, Blob Storage, and Key Vault were all accessible over public internet routes — no VNet service endpoints or Private Endpoints were configured. Without service endpoints, traffic from Azure VMs and Functions to PaaS services traverses the public Azure backbone rather than staying within the private network boundary. Any future NSG misconfiguration or routing change could expose PaaS service traffic to unintended paths.
Controls: CIS Azure 6.5 · SOC2 CC6.6 · NIST 800-53 SC-7
Medium M-02
No Azure Policy Assignments for Compliance Enforcement
AzureVault had zero Azure Policy assignments at either the subscription or management group level. Azure Policy is the primary mechanism for enforcing security baselines continuously — it can prevent the creation of public storage containers, require encryption on all SQL databases, and deny NSG rules with open-world access. Without it, every misconfiguration found in this assessment can silently recur after remediation with no automated detection.
Controls: CIS Azure 1.2.1 · SOC2 CC7.1 · NIST 800-53 CM-2
Medium M-03
No Password Expiration Policy in Azure AD
AzureVault's Azure AD tenant had no password expiration policy configured — all 31 user accounts were set to password never expires. While password expiration alone is not sufficient (and NIST now recommends expiration only on evidence of compromise), the absence of any enforcement combined with no Conditional Access policies, no MFA, and no anomaly detection means stale or compromised credentials can remain valid indefinitely.
Controls: CIS Azure 1.6 · SOC2 CC6.1 · NIST 800-53 IA-5
Medium M-04
Azure SendGrid Integration Without SPF or DKIM
AzureVault's transactional email integration via Azure Communication Services (SendGrid) was configured without SPF or DKIM records on the sending domain. Any server on the internet can spoof @azurevault.io email without authentication failures — enabling external phishing attacks against AzureVault's enterprise customers using the company's own domain for credibility.
Controls: SOC2 CC6.8 · NIST 800-53 SI-8 · Email Spoofing
Remediation

Add an SPF record to the sending domain's DNS: v=spf1 include:sendgrid.net ~all. Enable DKIM signing in the Azure Communication Services domain settings and add the DKIM CNAME records to DNS. Enable DMARC with policy p=reject after verifying DKIM/SPF alignment.
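To verify the DNS side of this remediation, here is an added checker (not the assessment's tooling) that validates an SPF record authorising sendgrid.net with a ~all or -all qualifier and a DMARC policy of p=reject; the TXT records below are constructed samples, nothing is resolved live, and DKIM is not checked because its selector and key are provider-specific.

```python
"""Validate SPF and DMARC TXT records against the remediation targets."""

# Constructed samples of what TXT lookups on the domain and _dmarc subdomain
# might return: one set as remediated, one still weak.
SAMPLE_TXT = {
    "azurevault.io": ["v=spf1 include:sendgrid.net ~all", "MS=ms12345678"],
    "_dmarc.azurevault.io": ["v=DMARC1; p=reject; rua=mailto:dmarc@azurevault.io"],
}
WEAK_TXT = {
    "azurevault.io": ["v=spf1 include:sendgrid.net include:_spf.example.net +all"],
    "_dmarc.azurevault.io": ["v=DMARC1; p=none"],
}


def parse_spf(txt_records):
    """Return {'includes': [...], 'all': qualifier} or None if there is not exactly
    one v=spf1 record (zero or several both make receivers return permerror)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    parsed = {"includes": [], "all": None}
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # SPF default qualifier is '+'
        body = term[1:] if term[0] in "+-~?" else term
        if body.lower() == "all":
            parsed["all"] = qualifier
        elif body.lower().startswith("include:"):
            parsed["includes"].append(body.split(":", 1)[1].lower())
    return parsed


def parse_dmarc(txt_records):
    """Return the DMARC tag dict, or None if there is not exactly one v=DMARC1 record."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_email_auth(domain, txt, required_include="sendgrid.net"):
    """List of issues; empty means SPF and DMARC match the remediation."""
    issues = []
    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        issues.append("SPF: no single valid v=spf1 record")
    else:
        if required_include not in spf["includes"]:
            issues.append(f"SPF: {required_include} is not authorised")
        if spf["all"] not in ("~", "-"):
            # '+all' authorises everyone; '?all' and a missing 'all' are neutral
            issues.append("SPF: 'all' qualifier must be ~all or -all")
    dmarc = parse_dmarc(txt.get("_dmarc." + domain, []))
    if dmarc is None:
        issues.append("DMARC: record missing")
    elif dmarc.get("p", "").lower() != "reject":
        issues.append(f"DMARC: policy is p={dmarc.get('p', 'none')}, expected p=reject")
    return issues
```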

Medium M-05
Azure Front Door Without WAF Policy
AzureVault's Azure Front Door profile — which handles global routing for the customer-facing analytics portal — had no Web Application Firewall policy attached. Without WAF, the application is fully exposed to automated OWASP Top 10 attacks: SQL injection against the analytics query API, XSS in the dashboard rendering engine, HTTP flood DDoS, and bot-driven credential stuffing against the login endpoint.
Controls: CIS Azure 9.5 · SOC2 CC6.6 · NIST 800-53 SC-5
Medium M-06
Azure Functions Running on Deprecated Runtime Stacks
9 Azure Functions apps were running on Node.js 14 (EOL April 2023) and Python 3.8 (EOL September 2024). Microsoft has deprecated these runtimes and ceased security patching. Any new CVE discovered in Node.js 14 or Python 3.8 will never receive a patch — vulnerabilities in the runtime itself are exploitable permanently in production.
Controls: Azure Functions EOL · SOC2 CC7.7 · NIST 800-53 SI-2
Medium M-07
Secrets Stored in Azure App Configuration Instead of Key Vault
52 application secrets — database connection strings, internal service-to-service tokens, and third-party API keys — were stored as plain key-value pairs in Azure App Configuration instead of being referenced via Azure Key Vault references. App Configuration does not provide the same secret management controls as Key Vault: no versioning for individual secrets, no access audit logging, no automatic rotation integration, and no purge protection.
Controls: CIS Azure 8.1 · SOC2 CC6.7 · NIST 800-53 IA-5
Medium M-08
No Cost Alerts — $35k/Month Azure Spend Unmonitored
AzureVault was spending approximately $35,000/month across Azure subscriptions with zero Azure Cost Management budget alerts or anomaly detection configured. Cryptomining attacks — the most common post-exploitation action in cloud environments — can add $15,000–$60,000 in GPU/VM compute costs within 72 hours. Without budget alerts, a cryptomining attack would only be discovered on the next Azure invoice, potentially weeks later. Unauthorized resource provisioning by a compromised service principal is similarly undetectable.
Controls: Azure Cost Best Practice · SOC2 CC9.1 · Cryptomining Indicator
Remediation

Create Azure Cost Management budgets at the subscription level with alert thresholds at 80% and 100% of expected monthly spend. Enable anomaly detection alerts. Set up daily cost export to a Log Analytics Workspace for trend monitoring. A $5,000 single-day spike is a reliable cryptomining signal that should trigger immediate investigation.
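The two alert rules above (cumulative spend crossing 80% and 100% of the monthly budget, and a single-day spike of more than $5,000) applied to a daily cost export, as an added example rather than Sentinel Stacks' or Azure Cost Management's own logic; the daily figures are constructed for a $35k/month account hit by two days of unexpected compute spend.

```python
"""Evaluate budget-threshold and daily-spike alerts over a daily cost export."""
import statistics

MONTHLY_BUDGET = 35_000.0       # expected monthly spend from the assessment
BUDGET_THRESHOLDS = (0.8, 1.0)  # alert at 80% and 100% of budget
DAILY_SPIKE_USD = 5_000.0       # single-day jump treated as a cryptomining signal

# Constructed: ~$1,150/day baseline, abnormal compute spend on days 12 and 13.
SAMPLE_DAILY_COST = [1150.0] * 11 + [7400.0, 7900.0] + [1150.0] * 5


def budget_alerts(daily_costs, budget=MONTHLY_BUDGET, thresholds=BUDGET_THRESHOLDS):
    """(day, threshold) pairs for the first day cumulative spend reaches each threshold."""
    alerts, total, fired = [], 0.0, set()
    for day, cost in enumerate(daily_costs, start=1):
        total += cost
        for t in thresholds:
            if t not in fired and total >= budget * t:
                fired.add(t)
                alerts.append((day, t))
    return alerts


def spike_alerts(daily_costs, spike=DAILY_SPIKE_USD, baseline_days=7):
    """(day, excess_usd) for days exceeding the trailing-median baseline by more than `spike`.
    A median baseline keeps one bad day from masking the next one."""
    out = []
    for i, cost in enumerate(daily_costs):
        window = daily_costs[max(0, i - baseline_days):i]
        if not window:
            continue  # no baseline yet on day 1
        excess = cost - statistics.median(window)
        if excess > spike:
            out.append((i + 1, round(excess, 2)))
    return out
```

The budget alert fires only on day 14, days after the spike began, which is why the daily spike rule is the one that catches cryptomining early.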

Compliance Benchmarks

Where AzureVault Stood

Three frameworks were used to score AzureVault's Azure security posture. The pre-assessment scores reflect an organization that has never run a formal cloud security review and was using Azure's default configurations throughout.

CIS Azure Foundations Benchmark: 9% of controls passing
The CIS Azure Foundations Benchmark defines 60+ controls for hardening Azure accounts across identity, storage, SQL, networking, logging, and monitoring. AzureVault passed approximately 6 controls. Every identity control failed: no MFA enforcement, no Conditional Access, no privileged role restrictions. Every logging control failed: no Activity Log export, no Defender for Cloud, no diagnostic settings.
Verdict: Not compliant — requires full remediation program
SOC 2 Type II: ~12% of criteria met
SOC 2 is required by virtually every enterprise buyer in AzureVault's target market. The audit found gaps across Security (CC6), Availability (A1), and Confidentiality (C1) trust service criteria. No Conditional Access, no MFA on privileged accounts, public data exposure, and zero threat detection are each individually disqualifying for SOC 2 certification. AzureVault cannot pass a SOC 2 audit in its current state.
Verdict: Not certifiable in current state
NIST 800-53: ~10% of controls satisfied
NIST 800-53 is the federal security control standard widely adopted by enterprises and government contractors. Findings mapped to Access Control (AC), Audit & Accountability (AU), Identification and Authentication (IA), System & Communications Protection (SC), and System Integrity (SI) control families. The absence of MFA, logging, encryption, and network controls spans nearly every control family.
Verdict: Not aligned — significant gaps across 5 control families
Video Walkthrough

Watch the Azure Audit in Action

A screen-share walkthrough of the AzureVault findings — service by service, finding by finding. Coming soon to the Sentinel Stacks video channel.

Azure Cloud Security Audit · April 2026 · 25 Azure Misconfigurations — AzureVault Analytics · Azure-Native Data Analytics Platform · Risk Score 90 · Sentinel Stacks
The walkthrough covers the Blob Storage anonymous access demo, the Service Principal privilege escalation path, and the Key Vault soft-delete risk, live in the Azure portal. Video coming soon.
More Use Cases

Other Audit Walkthroughs

Each use case covers a different industry, stack, and threat profile. All findings are realistic and referenceable for sales conversations.

CloudReach SaaS (AWS Cloud, live): Multi-account AWS infrastructure: public S3 leaking customer data, wildcard IAM roles, GuardDuty off in every region, Terraform state exposed. 25 findings, risk 92.
NeuralPath AI (AI / ML, live): ML model serving platform audit: 4.2TB training data on public S3, model weights unauthenticated, Pickle RCE, Kubernetes container escape to cluster-admin. 25 findings, risk score 89.
MedFlow Analytics (Healthcare, case study in progress): HIPAA-focused cloud audit: unencrypted PHI at rest in S3, overly permissive IAM, missing audit logging. 19 findings, full NIST 800-53 alignment.
GridEdge Energy (IoT, case study in progress): Smart-grid IoT audit: unprotected MQTT endpoints, missing device authentication, insecure firmware update pipelines. 18 findings, full Azure IoT Core hardening.

Running Azure Infrastructure?

If your team uses Blob Storage, Azure AD, Azure SQL, AKS, or Azure Functions — your environment may have findings like these. Run a free cloud audit or schedule a full Azure security assessment.