Platform: AZURE
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | True | Client secrets and certificates can be generated for service principals. | For service principals. |
| Authentication & Authorization | IAM Integration | True | Azure AD provides the core identity and access management capabilities for Azure. | Azure AD is the foundation of IAM in Azure. |
| Authentication & Authorization | MFA | True | Azure AD provides Multi-Factor Authentication. | Core feature of the service. |
| Authentication & Authorization | Service Account Support | True | Service principals and managed identities are used for programmatic access. | |
| Authentication & Authorization | Standard Protocols | True | Azure AD supports standard protocols like OAuth 2.0, OpenID Connect, and SAML. | |
| Compliance & Certifications | Compliance Documentation | True | Compliance documentation is available through the Azure Trust Center. | |
| Compliance & Certifications | Industry Certifications | True | Azure AD is compliant with numerous industry standards. | |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Azure AD is an identity and access management service, not a data storage service for customer data, so there is no customer data to mask or redact. | Not applicable. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | Azure AD is an identity and access management service, not a data storage service for customer data. | Not applicable. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | False | Azure AD is a globally distributed service. Data is replicated across multiple regions for high availability. | Azure AD is a global service. |
| Data Residency & Sovereignty | Data Location Transparency | True | The location of the Azure AD tenant is visible in the Azure Portal. | |
| Data Residency & Sovereignty | Region Selection | True | Customers can choose the country/region for their Azure AD tenant during creation. | |
| Encryption | Encryption at Rest | True | Data at rest in Azure AD is encrypted by default. | |
| Encryption | Encryption in Transit | True | All traffic to Azure AD is encrypted using TLS. | |
| Logging & Monitoring | Access Logging | True | Sign-in logs provide information about user sign-in activity. | |
| Logging & Monitoring | Audit Logging | True | Azure AD provides audit logs for all changes made in the directory. | |
| Logging & Monitoring | Log Retention | True | Log retention policies can be configured for audit and sign-in logs. | |
| Logging & Monitoring | Monitoring & Alerting | True | Azure AD Identity Protection provides monitoring and alerting for identity-related risks. | |
| Network Security | API Gateway Integration | True | Azure API Management can be configured to use Azure AD for authentication. | Indirectly. |
| Network Security | DDoS Protection | True | Azure provides DDoS protection for the underlying infrastructure. | Inherited from the Azure platform. |
| Network Security | Firewall Rules | True | Conditional Access policies can be used to restrict access based on IP address and other conditions. | Through Conditional Access. |
| Network Security | Private Access | False | Azure AD is accessed over the public internet. | Azure AD is a public cloud service. |
| Secure Development Lifecycle (SDL) | API Design Principles | True | The Microsoft Graph API follows Microsoft's SDL. | Applies to the Microsoft Graph API. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Microsoft performs security testing and code reviews of the Azure platform. | Applies to the Azure platform. |
| Vulnerability Management & Patching | Security Updates | True | Microsoft is responsible for patching the Azure AD service. | Microsoft manages the service. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Microsoft performs vulnerability scanning of the Azure platform. | Microsoft manages the service. |