Cyber Essentials for Microsoft Azure: configuration guide
Exactly what assessors check on Azure tenants for Cyber Essentials v3.3 - Entra ID policies, Conditional Access, Secure Score, firewall rules, and the evidence that passes first time.
Cyber Essentials v3.3 treats your Azure tenant as in-scope cloud services. Assessors expect MFA on every identity, Conditional Access blocking legacy auth, role-based access with no permanent global admins, and a Secure Score baseline. The certificate fails most commonly on unmanaged admin accounts and unpatched customer-operated VMs.
What's in scope
Anything your organisation administers in Azure falls under Cyber Essentials:
- Entra ID (Azure AD) - all user accounts with access to corporate data
- Azure subscriptions - anything you pay for or control
- Virtual machines you operate - OS-level security is your responsibility (IaaS)
- PaaS services you configure - App Service, Functions, SQL Database firewall rules
- Administrative access paths - the Azure portal itself, CLI, PowerShell
Azure's underlying fabric (hypervisor, physical hosts, the control plane) is Microsoft's responsibility under the shared responsibility model and is out of your assessment scope.
1. Identity and authentication (Control: Secure Configuration + User Access Control)
Mandatory settings:
- MFA on all accounts, no exceptions. Microsoft's "Security Defaults" meet this if you haven't customised. If you have Conditional Access licences (any Entra ID P1+), prefer a Conditional Access policy that requires MFA for all users, all cloud apps.
- Block legacy authentication via Conditional Access. Legacy auth (IMAP, POP, SMTP AUTH, older Office clients) bypasses MFA entirely.
- Minimum password length 12 characters per Cyber Essentials v3.3. Configure in Entra ID password policy or enforce via Conditional Access + banned password lists.
- No shared admin accounts. Each admin has a named, MFA-enforced account.
Evidence assessors expect: screenshots of the Conditional Access policies, the Security Defaults toggle, and the user list showing MFA status.
2. Privileged access
- No permanent Global Administrators. Use Privileged Identity Management (PIM) to require just-in-time elevation with approval workflows.
- Break-glass accounts: one or two emergency accounts, excluded from the Conditional Access MFA policies but protected with FIDO2 hardware keys, stored securely and audited.
- Separate admin identities - admin work happens on separate accounts that do not receive email.
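To show what the identity checks in sections 1 and 2 look like when applied to an exported tenant configuration, here is an added example (not Fig's readiness scan and not code from the original guide). The Conditional Access records follow the shape of Microsoft Graph conditionalAccessPolicy objects (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls.builtInControls) and the MFA registration records follow userRegistrationDetails (userPrincipalName, isMfaRegistered); the role-assignment records are a constructed simplification with an assumed assignmentType of "Assigned" (standing) or "Eligible" (PIM just-in-time). All sample data is constructed, not from a real tenant.

```python
"""Evaluate exported Entra ID configuration against the Cyber Essentials identity
controls: MFA for all users, legacy auth blocked, no standing Global Admins,
every user registered for MFA. Added example; all input below is constructed."""

ENFORCED_STATE = "enabled"  # report-only ("enabledForReportingButNotEnforced") does not satisfy the control
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}  # Graph names for legacy protocols


def _enforced_for_all_users(policy):
    """True if the policy is enabled (not report-only) and targets all users."""
    users = policy.get("conditions", {}).get("users", {})
    return policy.get("state") == ENFORCED_STATE and "All" in users.get("includeUsers", [])


def _targets_all_apps(policy):
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])


def requires_mfa_for_all(policies):
    """True if an enabled policy grants access to all users / all apps only with MFA."""
    return any(_enforced_for_all_users(p) and _targets_all_apps(p)
               and "mfa" in (p.get("grantControls") or {}).get("builtInControls", [])
               for p in policies)


def blocks_legacy_auth(policies):
    """True if an enabled policy blocks the legacy client app types for all users."""
    return any(_enforced_for_all_users(p) and _targets_all_apps(p)
               and LEGACY_CLIENT_APP_TYPES <= set(p.get("conditions", {}).get("clientAppTypes", []))
               and (p.get("grantControls") or {}).get("builtInControls") == ["block"]
               for p in policies)


def mfa_policy_exclusions(policies):
    """Identities excluded from MFA policies; each needs a documented reason (e.g. break-glass)."""
    excluded = set()
    for p in policies:
        if _enforced_for_all_users(p):
            excluded.update(p.get("conditions", {}).get("users", {}).get("excludeUsers", []))
    return sorted(excluded)


def standing_global_admins(role_assignments):
    """UPNs holding a permanent (non-PIM) Global Administrator assignment."""
    return sorted(a["upn"] for a in role_assignments
                  if a["role"] == "Global Administrator" and a["assignmentType"] == "Assigned")


def users_without_mfa(registration_details):
    return sorted(u["userPrincipalName"] for u in registration_details if not u.get("isMfaRegistered"))


def identity_findings(policies, role_assignments, registration_details):
    """Human-readable list of failures against the identity controls."""
    findings = []
    if not requires_mfa_for_all(policies):
        findings.append("No enabled Conditional Access policy requires MFA for all users and all cloud apps")
    if not blocks_legacy_auth(policies):
        findings.append("Legacy authentication is not blocked by an enabled Conditional Access policy")
    admins = standing_global_admins(role_assignments)
    if admins:
        findings.append(f"{len(admins)} standing Global Administrator(s): {', '.join(admins)}")
    unregistered = users_without_mfa(registration_details)
    if unregistered:
        findings.append(f"{len(unregistered)} user(s) not registered for MFA: {', '.join(unregistered)}")
    return findings


# Constructed sample data (hypothetical tenant; object ids and UPNs are placeholders).
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass1-object-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
SAMPLE_ROLE_ASSIGNMENTS = [
    {"upn": "admin.alice@example.com", "role": "Global Administrator", "assignmentType": "Assigned"},
    {"upn": "admin.bob@example.com", "role": "Global Administrator", "assignmentType": "Eligible"},
    {"upn": "breakglass1@example.com", "role": "Global Administrator", "assignmentType": "Assigned"},
]
SAMPLE_REGISTRATION = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "svc-lob-app@example.com", "isMfaRegistered": False},
]

if __name__ == "__main__":
    for line in identity_findings(SAMPLE_POLICIES, SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_REGISTRATION):
        print("FAIL:", line)
    print("Documented exclusions to justify:", mfa_policy_exclusions(SAMPLE_POLICIES))
```

Run against the sample, the legacy-auth policy is flagged because it sits in report-only mode, which is the state many tenants stop at; the break-glass account shows up both as a standing Global Administrator and as an MFA-policy exclusion, which is expected but must be documented for the assessor.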
3. Secure configuration baseline
- Enforce Microsoft Secure Score ≥ 70% as a floor. The actions Secure Score recommends map almost 1:1 to Cyber Essentials secure-configuration requirements.
- Turn on Microsoft Defender for Cloud (free tier minimum) on all subscriptions.
- Disable guest user self-invite and restrict external collaboration to approved domains.
4. Firewall and boundary
Cyber Essentials requires a boundary firewall between untrusted networks and devices.
- Network Security Groups (NSGs) on every subnet - deny-by-default, explicit allow rules.
- No 0.0.0.0/0 inbound rules on SSH (22), RDP (3389), or database ports. Use Azure Bastion or a VPN.
- Azure Firewall or a third-party NVA on hub subnets carrying production traffic.
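The NSG requirement above is easy to check mechanically, but only if rule priority is respected: a higher-priority Deny shadows a lower-priority Allow, and a broad destination port range can expose a database port without naming it. The following added example (not Fig's scanner, not code from the original guide) evaluates a `securityRules` array in the shape Azure returns for an NSG resource and reports which management ports an Internet-wide source can reach. Azure's three built-in inbound default rules are included so the evaluation ends in the platform's default deny; the sample rules are constructed.

```python
"""Find NSG inbound rules that expose SSH, RDP or database ports to any source.
Added example; SAMPLE_RULES is constructed, not exported from a real tenant."""

# Ports the guide calls out: SSH, RDP and common database listeners.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}
# Source prefixes that mean "anywhere on the Internet" in an NSG rule.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0", "::/0"}

# Azure's built-in inbound default rules; custom rules always have lower priority numbers.
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _port_ranges(rule):
    """Normalise destinationPortRange / destinationPortRanges into (low, high) tuples."""
    raw = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        raw.append(rule["destinationPortRange"])
    ranges = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            low, high = item.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def _sources(rule):
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    return sources


def _matches_internet_traffic(rule, port):
    """True if the rule applies to inbound traffic from any source on the given port."""
    return (rule.get("direction") == "Inbound"
            and any(s in ANY_SOURCE for s in _sources(rule))
            and any(low <= port <= high for low, high in _port_ranges(rule)))


def exposed_management_ports(security_rules):
    """Return {port: rule_name} for management ports reachable from any source.

    Rules are walked in priority order exactly as the NSG data plane does: the
    first matching rule decides, so an earlier Deny shadows a later Allow."""
    ordered = sorted(list(security_rules) + DEFAULT_RULES, key=lambda r: r["priority"])
    exposed = {}
    for port in MANAGEMENT_PORTS:
        for rule in ordered:
            if _matches_internet_traffic(rule, port):
                if rule["access"] == "Allow":
                    exposed[port] = rule["name"]
                break  # first match wins, whether Allow or Deny
    return exposed


def firewall_findings(security_rules):
    return [f"{MANAGEMENT_PORTS[port]} ({port}) open to any source via rule '{name}'"
            for port, name in sorted(exposed_management_ports(security_rules).items())]


# Constructed sample NSG (hypothetical); mixes direct hits, a shadowed Allow and a range.
SAMPLE_RULES = [
    {"name": "allow-rdp-anywhere", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "deny-ssh-internet", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "allow-ssh-any", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "22"},
    {"name": "allow-sql-corp", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "1433"},
    {"name": "allow-app-range", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["0.0.0.0/0"], "destinationPortRanges": ["1400-1500", "8080"]},
]

if __name__ == "__main__":
    for line in firewall_findings(SAMPLE_RULES):
        print("FAIL:", line)
```

In the sample, RDP is flagged by the obvious rule and MSSQL is flagged by the 1400-1500 range rather than by a rule that mentions 1433; SSH is not flagged because the Internet-sourced Deny at priority 110 is evaluated before the Allow at 120, and the corporate-only SQL rule is ignored because its source is a private prefix, not an Internet-wide one.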
5. Patching customer-operated VMs
IaaS VMs you control must be patched within 14 days of a high/critical CVE.
- Enable Azure Update Manager (rebranded from Azure Automation Update Management).
- Remove end-of-support OSes from scope or decommission them. Windows Server 2012 / 2012 R2, Ubuntu 18.04 and earlier, and RHEL 7 no longer receive vendor security updates, so they cannot meet the 14-day patching requirement.
6. Common failure points
1. Legacy auth not blocked. Default tenants ship with it enabled. One policy, five minutes.
2. One service account with an ancient password and no MFA used by a line-of-business app. Either migrate to a managed identity or enforce MFA via app password + Conditional Access exclusion (documented).
3. VMs with public IPs and RDP open. Failure on both firewall and secure-configuration controls.
4. Global admin count > 4. Assessors query any tenant with standing admin roles; PIM is the clean answer.
What Fig checks
Our CE readiness scan pulls your Entra ID and subscription config via read-only scopes and flags each of the above against v3.3 requirements before you pay. Azure tenants that score above 85% on our scan pass first-attempt assessment at >95% rate.
Start Cyber Essentials for your Azure tenant - from £299.99 + VAT | Full pricing | CE Plus if your assessor is also going to test
About the author
Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.