How to Audit Azure Subscriptions

A practical sequence for auditing Azure subscriptions and turning evidence into structured findings.

Coverage

Identity
Networking
Governance
Security
Cost
Monitoring

Define Audit Scope

What to check: Identify subscriptions, tenants, management groups, environments, and stakeholders.

Why it matters: Scope prevents noisy or misleading findings.

Review Identity and Access

What to check: Check RBAC, privileged access, service principals, managed identities, and guest accounts.

Why it matters: Control-plane access is one of the highest-risk areas.

Review Resource Inventory

What to check: Collect resource types, ownership, tags, location, and orphaned-resource signals.

Why it matters: Inventory shows what is actually deployed and who owns it.

Review Networking Exposure

What to check: Inspect public IPs, endpoints, NSGs, route tables, DNS, private endpoints, and egress.

Why it matters: Networking exposure defines attack surface and operational complexity.

Common failure pattern: Management ports are open from broad ranges.

Example finding: Management ports are open from broad ranges.

Suggested remediation direction: Restrict administrative access paths.

Evidence to collect: capture the Azure objects, scopes, assignments, resource identifiers, and timestamps that prove the condition exists. Good evidence should let another reviewer understand the result without reopening the Azure portal and repeating the same investigation.

How to review it: separate isolated exceptions from repeated patterns. One exception may be acceptable when it has an owner, expiry, and rationale; a repeated pattern usually indicates a platform or operating model issue that belongs in the report.

How to report it: write the finding in business-readable language, then attach the technical evidence. The reader should understand the risk, the affected scope, and the recommended direction before they reach the detailed resource list.

Automation note: automate the evidence collection and consistency checks where possible, but keep human review for scope decisions, materiality, accepted exceptions, and remediation sequencing.
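As an added illustration (not code from the original guide), the check below evaluates an NSG's inbound rules offline against a constructed rule export and emits one structured finding per management port that a broad-source Allow rule reaches, carrying the rule name, priority, source prefixes and the export timestamp as evidence. The port list, the /24 "broad" threshold and the simplified priority handling are assumptions.

```python
import ipaddress
MGMT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}  # assumption: ports in scope
BROAD_TAGS = {"*", "Internet", "0.0.0.0/0", "::/0"}  # assumption: wildcard sources; CIDRs wider than /24 count too
def port_in_range(port, spec):
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def source_is_broad(prefix, max_prefixlen=24):
    try:
        return prefix in BROAD_TAGS or ipaddress.ip_network(prefix, strict=False).prefixlen < max_prefixlen
    except ValueError:
        return False  # other service tags (VirtualNetwork, AzureLoadBalancer, ...) are not broad

def broad_sources(rule, port):
    """Broad source prefixes of an inbound TCP rule that covers `port`; empty if the rule does not apply."""
    if rule["direction"] != "Inbound" or rule["protocol"] not in ("Tcp", "*"):
        return []
    ports = rule.get("destinationPortRanges") or [rule["destinationPortRange"]]
    if not any(port_in_range(port, p) for p in ports):
        return []
    sources = rule.get("sourceAddressPrefixes") or [rule["sourceAddressPrefix"]]
    return [s for s in sources if source_is_broad(s)]

def audit_nsg(nsg_id, rules, observed_at):
    """One finding per management port reachable through a broad-source Allow. Rules are walked in priority
    order, so a higher-priority broad Deny shadows a later Allow (narrow-source rules never decide the outcome)."""
    findings = []
    for port, label in MGMT_PORTS.items():
        for rule in sorted(rules, key=lambda r: r["priority"]):
            broad = broad_sources(rule, port)
            if not broad:
                continue
            if rule["access"] == "Allow":
                findings.append({"severity": "High", "resourceId": nsg_id, "port": port, "service": label,
                                 "rule": rule["name"], "priority": rule["priority"], "sources": broad,
                                 "observedAt": observed_at})  # observed_at: ISO-8601 timestamp of the export
            break  # the first broad-source rule (Allow or Deny) decides this port
    return findings

# Constructed sample in the shape of `az network nsg rule list` output (fields trimmed).
SAMPLE_RULES = [
    {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-ssh-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-rdp-any", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "3389"},
    {"name": "allow-winrm-office", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["203.0.113.0/24"], "destinationPortRanges": ["5985-5986"]},
]
```

On the sample, only SSH is reported: the RDP Allow is shadowed by the higher-priority Deny from Internet, and the WinRM rule is limited to a single /24.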

Review Policy and Governance

What to check: Inspect policy assignments, compliance state, exemptions, remediation, and budgets.

Why it matters: Governance evidence shows whether standards are applied consistently.

Common failure pattern: Policies are assigned but not remediated.

Example finding: Policies are assigned but not remediated.

Suggested remediation direction: Run remediation tasks and review non-compliance.

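An added example, not from the guide: given constructed assignment summaries and remediation tasks, it flags assignments whose policy effect could be remediated but whose non-compliance has no remediation task, a task that did not succeed, or only a stale success. The remediable-effect list, the 30-day staleness window and the count-based severity are assumptions.

```python
from datetime import datetime, timedelta
# Assumption: only these effects can be fixed by a remediation task; Audit/Deny non-compliance needs other follow-up.
REMEDIABLE_EFFECTS = {"deployifnotexists", "modify"}

def latest_remediation_per_assignment(remediations):
    """Most recent remediation task per assignment id (ARM ids compare case-insensitively)."""
    latest = {}
    for rem in remediations:
        key = rem["policyAssignmentId"].lower()
        if key not in latest or rem["createdOn"] > latest[key]["createdOn"]:  # ISO-8601 strings sort correctly
            latest[key] = rem
    return latest

def audit_policy_remediation(assignments, remediations, now_iso, max_age_days=30):
    """Findings for assignments that are non-compliant and remediable but not being remediated: no task ever
    created, the latest task did not succeed, or the latest success is older than max_age_days."""
    now = datetime.fromisoformat(now_iso)
    latest = latest_remediation_per_assignment(remediations)
    findings = []
    for a in assignments:
        non_compliant = a["results"]["nonCompliantResources"]
        if a["effect"].lower() not in REMEDIABLE_EFFECTS or non_compliant == 0:
            continue
        rem = latest.get(a["policyAssignmentId"].lower())
        if rem is None:
            reason = "no remediation task has been created"
        elif rem["provisioningState"] != "Succeeded":
            reason = f"latest remediation task ended in state {rem['provisioningState']}"
        elif now - datetime.fromisoformat(rem["createdOn"]) > timedelta(days=max_age_days):
            reason = f"latest successful remediation task is older than {max_age_days} days"
        else:
            continue  # remediated recently and successfully; residual non-compliance is a fresh drift question
        findings.append({"severity": "High" if non_compliant >= 25 else "Medium",  # assumption: count threshold
                         "assignmentId": a["policyAssignmentId"], "effect": a["effect"],
                         "nonCompliantResources": non_compliant, "reason": reason, "observedAt": now_iso})
    return findings

# Constructed sample; field names loosely follow `az policy state summarize` and `az policy remediation list`.
P = "/subscriptions/<sub-id>/providers/Microsoft.Authorization/policyAssignments/"
SAMPLE_ASSIGNMENTS = [
    {"policyAssignmentId": P + "deploy-diag", "effect": "deployIfNotExists", "results": {"nonCompliantResources": 12}},
    {"policyAssignmentId": P + "add-owner-tag", "effect": "modify", "results": {"nonCompliantResources": 40}},
    {"policyAssignmentId": P + "deploy-defender", "effect": "deployIfNotExists", "results": {"nonCompliantResources": 5}},
    {"policyAssignmentId": P + "audit-public-ip", "effect": "audit", "results": {"nonCompliantResources": 100}},
]
SAMPLE_REMEDIATIONS = [
    {"policyAssignmentId": P + "add-owner-tag", "createdOn": "2025-01-05T09:00:00+00:00", "provisioningState": "Failed"},
    {"policyAssignmentId": P + "Deploy-Defender", "createdOn": "2024-11-01T09:00:00+00:00", "provisioningState": "Succeeded"},
    {"policyAssignmentId": P + "deploy-defender", "createdOn": "2025-01-12T09:00:00+00:00", "provisioningState": "Succeeded"},
]
```

The audit-effect assignment is skipped on purpose: its 100 non-compliant resources cannot be fixed by a remediation task and belong in a separate finding.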

Review Cost and Unused Resources

What to check: Check unattached disks, idle public IPs, budget coverage, reservations, and SKU choices.

Why it matters: Cost waste often indicates weak ownership.

Common failure pattern: Orphaned resources continue to incur spend.

Example finding: Orphaned resources continue to incur spend.

Suggested remediation direction: Remove waste and improve ownership metadata.


Document Findings

What to check: Write findings with severity, evidence, impact, recommendation, and affected resources.

Why it matters: The audit only creates value when the output is actionable.

Common failure pattern: Raw exports are handed over as the report.

Example finding: Raw exports are handed over as the report.

Suggested remediation direction: Convert evidence into prioritised findings.

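An added example (not the guide's own code) that covers both the orphaned-resource check from the cost section and the findings structure described here: it detects unattached disks and idle public IPs in a constructed inventory export, separates documented exceptions (owner, expiry and rationale tags) from open items, classifies each condition as an isolated exception or a repeated pattern, and sorts the result by severity. The tag names and the severity mapping are assumptions.

```python
from collections import defaultdict
from datetime import datetime
EXCEPTION_TAGS = ("owner", "expiry", "rationale")  # assumption: tags that document an accepted exception
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}
def orphan_signals(resources):
    """Yield (condition, resource) for orphaned-resource signals in a simplified inventory export."""
    for r in resources:
        if r["type"] == "Microsoft.Compute/disks" and r["properties"].get("diskState") == "Unattached":
            yield "Unattached managed disk", r
        elif r["type"] == "Microsoft.Network/publicIPAddresses" and not r["properties"].get("ipConfiguration"):
            yield "Public IP address not associated with any resource", r
def is_accepted_exception(resource, now):
    # All three tags must be present and the expiry (a date or ISO timestamp) must still be in the future.
    tags = {k.lower(): v for k, v in (resource.get("tags") or {}).items()}
    if not all(tags.get(t) for t in EXCEPTION_TAGS):
        return False
    return datetime.fromisoformat(tags["expiry"]).date() > now.date()

def build_findings(resources, now_iso):
    """Group raw evidence by condition and turn it into prioritised, business-readable findings."""
    now = datetime.fromisoformat(now_iso)
    grouped = defaultdict(list)
    for condition, r in orphan_signals(resources):
        grouped[condition].append(r)
    findings = []
    for condition, items in grouped.items():
        open_items = [r for r in items if not is_accepted_exception(r, now)]
        if not open_items:
            continue  # every instance is a documented exception: nothing to report
        repeated = len(open_items) > 1
        findings.append({"title": f"{condition}: {len(open_items)} resource(s) without an accepted exception",
                         "severity": "Medium" if repeated else "Low",  # assumption: a pattern outranks a stray resource
                         "classification": "repeated pattern" if repeated else "isolated exception",
                         "impact": "Ongoing spend with no accountable owner", "recommendation": "Remove waste; enforce ownership tags",
                         "affectedResources": sorted(r["id"] for r in open_items),
                         "acceptedExceptions": sorted(r["id"] for r in items if r not in open_items), "observedAt": now_iso})
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], -len(f["affectedResources"])))

# Constructed sample in the shape of an `az resource list` / `az disk list` export (fields trimmed).
RG = "/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/"
DISK, PIP = "Microsoft.Compute/disks", "Microsoft.Network/publicIPAddresses"
SAMPLE_RESOURCES = [
    {"id": f"{RG}{DISK}/disk-old-01", "type": DISK, "tags": {}, "properties": {"diskState": "Unattached"}},
    {"id": f"{RG}{DISK}/disk-old-02", "type": DISK, "tags": {"owner": "team-a"}, "properties": {"diskState": "Unattached"}},
    {"id": f"{RG}{DISK}/disk-restore", "type": DISK, "properties": {"diskState": "Unattached"},
     "tags": {"owner": "team-b", "expiry": "2025-06-30", "rationale": "kept for restore test"}},
    {"id": f"{RG}{DISK}/disk-live", "type": DISK, "tags": {}, "properties": {"diskState": "Attached"}},
    {"id": f"{RG}{PIP}/pip-idle", "type": PIP, "tags": {}, "properties": {}},
]
```

A disk tagged with only an owner is still an open item: the exception has to carry all three tags and an unexpired expiry to be excluded from the finding.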
