During an incident response engagement last month, we traced a lateral movement chain (MITRE ATT&CK T1021.001) across a client’s hybrid environment—Azure VMs, on-prem file servers, and a forgotten AWS instance. The attacker had been inside for 11 days. The client had Azure Security Center deployed but had never moved past the free tier. No continuous monitoring. No threat alerts. Just a list of recommendations nobody had looked at in six months. That gap between having a tool and using it is exactly what this checklist addresses.
Azure Security Center—now folded into Microsoft Defender for Cloud—is a unified infrastructure security management system that monitors workloads across Azure, on-premises, and multi-cloud environments. It uses machine learning for malware detection, provides security recommendations scored by impact, and can enforce application whitelisting to shrink your attack surface. But none of that matters if you haven’t configured it properly.
Here’s the audit checklist we run for every client environment.
Checkpoint 1: Verify Your Service Tier
Security Center ships at two levels: Free and Standard. The free tier gives you assessments and recommendations for Azure resources only. That’s it—no continuous monitoring, no threat detection, no coverage for on-prem or other clouds.
Pass criteria: Standard tier enabled on all subscriptions containing production workloads.
Fail indicator: Any production subscription running on the free tier. We see this constantly. A financial services client we support had three subscriptions—two on Standard, one on Free. Guess which one the attacker targeted.
Why Standard Matters
Standard gives you behavioral analytics, anomaly detection, and threat intelligence feeds that analyze events from your workloads. Security Center triggers prioritized alerts and groups correlated attacks into security incidents. Without Standard, you’re flying blind on everything except static recommendations.
Checkpoint 2: Confirm Hybrid Agent Deployment
The Security Center agent installs on Windows and Linux machines—on-prem, in Azure VMs, or in AWS. This is what feeds telemetry back to your workspace for analysis.
Pass criteria: Agent deployed on 100% of servers across all environments. Events flowing to your Log Analytics workspace.
Fail indicator: Agents missing from on-prem servers or non-Azure cloud instances. Run a coverage report and compare against your CMDB.
I’ll be blunt: if you’re only monitoring Azure resources while your Active Directory domain controllers sit unmonitored on-prem, you have a visibility gap that any competent threat actor will exploit. Hybrid coverage is the entire point of this platform.
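The coverage comparison described above, as an added example that is not part of the original post: it joins a constructed CMDB export against per-host agent heartbeats (the data a Log Analytics Heartbeat query would give you), flags hosts with no agent or a silent agent, and surfaces hosts reporting in that the CMDB does not know about. Host names, environments and the one-hour staleness threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not from the page: a CMDB export and the last agent
# heartbeat per host, the shape a Log Analytics Heartbeat query would return.
CMDB = [
    {"host": "dc01", "environment": "on-prem"},
    {"host": "dc02", "environment": "on-prem"},
    {"host": "web-az-01", "environment": "azure"},
    {"host": "sql-az-01", "environment": "azure"},
    {"host": "legacy-aws-01", "environment": "aws"},
]
HEARTBEATS = {  # host -> last heartbeat (UTC)
    "dc01": datetime(2024, 5, 1, 11, 58, tzinfo=timezone.utc),
    "web-az-01": datetime(2024, 5, 1, 11, 59, tzinfo=timezone.utc),
    "sql-az-01": datetime(2024, 5, 1, 11, 55, tzinfo=timezone.utc),
    "legacy-aws-01": datetime(2024, 4, 20, 8, 0, tzinfo=timezone.utc),  # agent went quiet
    "build-agent-07": datetime(2024, 5, 1, 11, 57, tzinfo=timezone.utc),  # not in the CMDB
}
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

def coverage_report(cmdb, heartbeats, now, stale_after=timedelta(hours=1)):
    """Classify every CMDB host as healthy, stale (agent silent longer than
    stale_after) or missing (no heartbeat at all), and list hosts that send
    heartbeats but are absent from the CMDB."""
    report = {"healthy": [], "stale": [], "missing": [], "by_env": {}}
    for item in cmdb:
        last = heartbeats.get(item["host"])
        state = "missing" if last is None else "stale" if now - last > stale_after else "healthy"
        report[state].append(item["host"])
        env = report["by_env"].setdefault(item["environment"], {"healthy": 0, "stale": 0, "missing": 0})
        env[state] += 1
    report["unknown"] = sorted(set(heartbeats) - {i["host"] for i in cmdb})
    report["coverage_pct"] = round(100 * len(report["healthy"]) / len(cmdb), 1) if cmdb else 0.0
    return report

def passes(report):
    """Checklist pass criteria: agent on 100% of servers, nothing unaccounted for."""
    return report["coverage_pct"] == 100.0 and not report["unknown"]

if __name__ == "__main__":
    r = coverage_report(CMDB, HEARTBEATS, NOW)
    print(f"coverage {r['coverage_pct']}% by environment {r['by_env']}")
    print("missing:", r["missing"], "stale:", r["stale"], "not in CMDB:", r["unknown"])
    print("PASS" if passes(r) else "FAIL")
```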
Checkpoint 3: Review Your Secure Score
Secure Score is Security Center’s way of quantifying your security posture. Each recommendation carries a score impact value. Higher impact means higher risk if left unresolved.
Pass criteria: Secure Score above 70%. All critical-severity recommendations addressed. Score trending upward over the past 90 days.
Fail indicator: Score below 50%, or a downward trend. Sort recommendations by score impact and start with the highest-value fixes first.
One caveat: Secure Score is a useful metric, not gospel. We’ve seen environments score 80%+ while running unpatched VPN appliances that Security Center doesn’t assess. Always supplement with external vulnerability scanning. If you’re also managing data backup and recovery for critical workloads, make sure those configurations are part of your broader posture review too.
Checkpoint 4: Enable Just-in-Time VM Access
JIT access control is one of the most underused features in Security Center Standard. It locks down management ports (RDP, SSH) by default and opens them only on request, for a specified time window, to a specified IP.
Pass criteria: JIT enabled on all VMs with management ports. Default deny on ports 3389 and 22.
Fail indicator: Management ports open 24/7 in NSG rules. This is the equivalent of leaving your front door propped open because you might need to walk through it later.
During a compliance audit for a client in healthcare, we cut their exposed attack surface by 40% just by enabling JIT and removing standing RDP access. Took less than an hour to configure. If you’ve already locked down admin access with PowerShell JEA for remote administration, JIT is the natural next step for network-level port control.
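A way to test the fail indicator for this checkpoint, added here and not from the original post: given NSG rules in the shape Azure returns them, it walks inbound rules in priority order and reports any management port that a standing rule leaves reachable from a broad source. A narrow /32 source (what a JIT grant writes) is not treated as exposure; the rule names, prefixes and the /24 "broad" threshold are assumptions, and protocol and source port are ignored.

```python
from ipaddress import ip_network

MANAGEMENT_PORTS = {3389: "RDP", 22: "SSH"}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

# Constructed NSG rules, not from the page, in the shape Azure returns them
# (protocol and source port ignored here).
NSG_RULES = [
    {"name": "AllowRDPFromOffice", "priority": 100, "direction": "Inbound",
     "access": "Allow", "source": "203.0.113.10/32", "dest_ports": ["3389"]},
    {"name": "AllowSSHAny", "priority": 200, "direction": "Inbound",
     "access": "Allow", "source": "*", "dest_ports": ["22"]},
    {"name": "DenyAllInbound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "source": "*", "dest_ports": ["*"]},
]

def port_in_ranges(port, ranges):
    """Azure port ranges look like '22', '1000-2000' or '*'."""
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def source_is_broad(source, max_prefix=24):
    """'Any' sources and CIDRs wider than /max_prefix are standing exposure;
    a single /32, which is what a JIT grant writes, is not."""
    if source in ANY_SOURCE:
        return True
    try:
        return ip_network(source, strict=False).prefixlen < max_prefix
    except ValueError:  # other service tags such as VirtualNetwork
        return False

def standing_exposure(rules):
    """First inbound rule (by priority) that applies to an arbitrary Internet client decides each port."""
    findings = {}
    for port, name in MANAGEMENT_PORTS.items():
        for rule in sorted(rules, key=lambda r: r["priority"]):
            if rule["direction"] != "Inbound" or not port_in_ranges(port, rule["dest_ports"]):
                continue
            if not source_is_broad(rule["source"]):
                continue  # a narrow source never matches an arbitrary client
            if rule["access"] == "Allow":
                findings[name] = rule["name"]
            break  # first matching rule decides for this port
    return findings
```

An empty result means both management ports fall through to a deny; anything returned is the standing access that JIT should replace.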
Checkpoint 5: Validate Alert Rules and Integration
Security Center generates alerts using threat intelligence, behavioral analytics, and anomaly detection. Those alerts are useless if nobody sees them.
Pass criteria: Alert notifications routed to your SOC or on-call team. Email notifications configured. SIEM integration active if applicable.
Fail indicator: Default notification settings unchanged. No integration with your incident response workflow. Alerts sitting unreviewed for more than 24 hours.
Check that security incidents—correlated clusters of related alerts—are being surfaced properly. A single alert might be noise. Two or more alerts tied to the same resource in the same timeframe are a kill chain in progress.
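The correlation and review checks above, as an added example that is not the post's own code or Security Center's incident logic: it clusters a constructed alert export per resource using a time window and lists alerts left unreviewed beyond 24 hours. Resource names, alert names and the one-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert export, not from the page: one row per Security Center alert.
ALERTS = [
    {"resource": "vm-web-01", "time": "2024-05-01T09:00:00", "name": "Suspicious PowerShell", "reviewed": False},
    {"resource": "vm-web-01", "time": "2024-05-01T09:20:00", "name": "New local admin created", "reviewed": False},
    {"resource": "vm-web-01", "time": "2024-05-01T09:35:00", "name": "Outbound to known C2", "reviewed": False},
    {"resource": "vm-db-01", "time": "2024-04-28T14:00:00", "name": "RDP brute force", "reviewed": False},
    {"resource": "vm-db-01", "time": "2024-05-01T10:00:00", "name": "RDP brute force", "reviewed": True},
]
NOW = datetime(2024, 5, 1, 12, 0, 0)  # constructed "current time" for the review-age check

def ts(alert):
    return datetime.fromisoformat(alert["time"])

def correlate(alerts, window=timedelta(hours=1)):
    """Cluster alerts per resource: an alert joins the open cluster when it
    falls within `window` of the previous alert on the same resource. Only
    clusters of two or more alerts are returned, the checklist's definition
    of a kill chain in progress."""
    by_resource = defaultdict(list)
    for alert in sorted(alerts, key=ts):
        by_resource[alert["resource"]].append(alert)
    incidents = []
    for resource, items in by_resource.items():
        cluster = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if ts(cur) - ts(prev) <= window:
                cluster.append(cur)
                continue
            if len(cluster) >= 2:
                incidents.append((resource, [a["name"] for a in cluster]))
            cluster = [cur]
        if len(cluster) >= 2:
            incidents.append((resource, [a["name"] for a in cluster]))
    return incidents

def stale_unreviewed(alerts, now, max_age=timedelta(hours=24)):
    """Alerts nobody has looked at for longer than max_age (the fail indicator)."""
    return [a["name"] for a in alerts if not a["reviewed"] and now - ts(a) > max_age]
```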
Checkpoint 6: Audit Application Whitelisting
Security Center can enforce adaptive application controls—essentially a whitelist of approved executables. Everything else gets blocked or flagged.
Pass criteria: Application controls enabled on server workloads. Whitelist reviewed and updated within the last 30 days.
Fail indicator: Controls not enabled, or whitelist so broad it’s meaningless. If cmd.exe and powershell.exe are whitelisted without constraints on child processes, you haven’t actually restricted anything.
Checkpoint 7: Review Event Log Policies
Security Center’s detection capabilities depend on the data it ingests. If your AD audit policies aren’t generating the right events, the ML models have nothing to work with.
Pass criteria: Audit policies configured to capture logon events, privilege use, and process creation (Event ID 4688 with command-line logging). Data flowing consistently to the workspace.
Fail indicator: Default audit policies unchanged from OS installation. Gaps in event ingestion longer than 1 hour.
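A check for this checkpoint's pass and fail criteria, added here and not from the original post: it runs over constructed SecurityEvent rows (the columns a Log Analytics export would show), confirms the expected event types are present, counts process-creation events that arrived without a command line, and finds ingestion gaps longer than an hour. Which event IDs stand in for each audit category is an assumption.

```python
from datetime import datetime, timedelta

# Event types the checkpoint calls for; 4688 must also carry the command line.
REQUIRED_EVENTS = {4624: "logon", 4672: "special privileges assigned", 4688: "process creation"}

# Constructed SecurityEvent rows, not from the page (EventID, TimeGenerated,
# CommandLine as a Log Analytics export would show them).
EVENTS = [
    {"EventID": 4624, "TimeGenerated": "2024-05-01T08:00:00", "CommandLine": None},
    {"EventID": 4688, "TimeGenerated": "2024-05-01T08:05:00",
     "CommandLine": "C:\\Windows\\System32\\cmd.exe /c whoami"},
    {"EventID": 4688, "TimeGenerated": "2024-05-01T08:06:00", "CommandLine": ""},  # cmdline auditing off
    {"EventID": 4624, "TimeGenerated": "2024-05-01T10:30:00", "CommandLine": None},  # after a 2h24m silence
]

def ingestion_gaps(events, max_gap=timedelta(hours=1)):
    """Pairs of consecutive event times separated by more than max_gap."""
    times = sorted(datetime.fromisoformat(e["TimeGenerated"]) for e in events)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]

def audit_policy_check(events, max_gap=timedelta(hours=1)):
    """Apply the checkpoint's pass/fail criteria to a window of events."""
    seen = {e["EventID"] for e in events}
    missing = [REQUIRED_EVENTS[i] for i in sorted(REQUIRED_EVENTS) if i not in seen]
    proc = [e for e in events if e["EventID"] == 4688]
    no_cmdline = sum(1 for e in proc if not e["CommandLine"])
    gaps = ingestion_gaps(events, max_gap)
    return {
        "missing_event_types": missing,
        "process_events": len(proc),
        "process_events_without_cmdline": no_cmdline,
        "ingestion_gaps": [(a.isoformat(), b.isoformat()) for a, b in gaps],
        "passes": not missing and no_cmdline == 0 and not gaps,
    }
```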
Your Audit Summary
| Checkpoint | Status | Priority |
|---|---|---|
| Standard tier on all production subscriptions | ☐ Pass / ☐ Fail | Critical |
| Agent deployed on all servers (Azure + on-prem + multi-cloud) | ☐ Pass / ☐ Fail | Critical |
| Secure Score above 70%, trending up | ☐ Pass / ☐ Fail | High |
| JIT access enabled, management ports locked | ☐ Pass / ☐ Fail | High |
| Alert notifications routed and reviewed | ☐ Pass / ☐ Fail | High |
| Application whitelisting active and current | ☐ Pass / ☐ Fail | Medium |
| Audit policies generating required events | ☐ Pass / ☐ Fail | Medium |
If you’re failing on checkpoints 1 or 2, stop here and fix those first. Everything else depends on having the right tier and full agent coverage. If you need help running this audit across your environment or want a deeper assessment, reach out to our team—we’ve done this for dozens of production environments and can get you from failing to passing faster than you’d expect.