Customizable security baselines built on Azure Policy and Machine Configuration enable organizations to assess, monitor, and continuously improve server compliance against trusted industry benchmarks.
This capability introduces audit baselines for both Windows and Linux, empowering customers to align security posture with internal compliance frameworks and regulatory standards. By passing custom baseline parameter input directly into Azure Policy, you can now represent organization-specific controls at scale.
These baselines deliver a cloud-native governance experience for Azure machines and for non-Azure machines connected through Azure Arc, including machines that run on-premises, in other public clouds, or at the edge. Together, Azure Policy and Machine Configuration establish a unified control plane for compliance visibility, so you can assess, monitor, and enforce consistent security standards across your entire estate, regardless of location or platform. This reflects Microsoft's Secure by Design and Secure by Default principles and helps ensure robust security and compliance everywhere your workloads run.
Key Scenarios
Baseline Customization
Create tailored baselines using the Modify Settings wizard under Policy > Machine Configuration. Administrators can enable, exclude, or adjust rules from industry benchmarks (such as CIS Benchmarks or Microsoft baselines) to match internal standards. Each customization produces a downloadable JSON file that captures the configuration intent: a reusable artifact that fits policy-as-code workflows.
Assign Audit Policies
Azure Policy deploys your customized baseline parameters across Azure and Arc-connected machines. When you assign an audit policy, Azure Policy:
- Evaluates configuration states against selected benchmarks
- Reports compliance in real time
- Surfaces findings across Azure Policy, Azure Resource Graph (ARG), and the Guest Assignments view
Integration and Automation
Integrate baselines into CI/CD pipelines or configuration management workflows. Each baseline produces a declarative settings catalog (JSON) that can be version-controlled and deployed using the CLI, ARM, or Bicep templates, which gives you reproducible compliance configurations across environments.
Supported Standards
| Standard | Description |
|---|---|
| Center for Internet Security (CIS) Linux Benchmarks | Official CIS Benchmarks for all Azure-endorsed Linux distributions, matching what is published on the CIS website. |
| Azure Compute Security Baseline for Windows | Applies customized values for Windows Server 2022 and Windows Server 2025. |
| Azure Compute Security Baseline for Linux | Enforces consistent security controls aligned with Azure Compute guidance. |
Availability
All public Azure regions are supported.
Note
Azure Government and sovereign clouds are not supported during the public preview.
Getting Started
Process Overview
The end-to-end experience for configuring Customizable Security Baselines follows these high-level steps:
1. Select a baseline from the Machine Configuration blade under Azure Policy.
2. Modify settings: enable, exclude, or parameterize rules to match your internal requirements.
3. Download the JSON file representing your configured baseline.
4. Assign the baseline policy using the Azure portal, CLI, or CI/CD integration.
5. Review compliance results through Azure Policy, Azure Resource Graph, or the Guest Assignments page.
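Steps 3 to 5 of this procedure, driven from the Azure CLI instead of the portal, as an added example for the CI/CD integration described under Key Scenarios. This is not code from the original page or from Microsoft's tooling. It assumes a placeholder policy definition ID (`POLICY_DEFINITION_ID`) and a placeholder parameter name (`BASELINE_PARAM`) for the parameter that receives the downloaded baseline JSON; look both up with `az policy definition show` before running it. The Azure Resource Graph rows are a constructed sample so the summary step runs offline; `az graph query` itself needs the `resource-graph` CLI extension.

```python
"""Assign a customized baseline with the Azure CLI and summarize the results
from Azure Resource Graph (ARG). Added example; not code from the original page.

Assumptions (not stated on the page):
- POLICY_DEFINITION_ID and BASELINE_PARAM are placeholders. Look up the real
  definition ID and parameter name with `az policy definition show` before use.
- SAMPLE_ARG_ROWS is a constructed sample shaped like the "data" entries that
  `az graph query -o json` returns.
"""
import json
import subprocess
from pathlib import Path

# Placeholders (assumptions): replace with the baseline policy definition you
# assign and the parameter that receives the downloaded baseline JSON.
POLICY_DEFINITION_ID = "/providers/Microsoft.Authorization/policyDefinitions/<baseline-definition-id>"
BASELINE_PARAM = "baselineConfiguration"

# KQL over the GuestConfigurationResources table, where Machine Configuration
# assignment results are surfaced for Azure VMs and Arc-connected machines alike.
COMPLIANCE_QUERY = (
    "GuestConfigurationResources "
    "| where type =~ 'microsoft.guestconfiguration/guestconfigurationassignments' "
    "| project id, name, status = tostring(properties.complianceStatus)"
)


def load_baseline(path):
    """Parse the JSON downloaded from the Modify Settings wizard; reject non-objects
    early so a truncated download does not become a malformed policy assignment."""
    data = json.loads(Path(path).read_text(encoding="utf-8"))
    if not isinstance(data, dict):
        raise ValueError(f"{path}: expected a JSON object, got {type(data).__name__}")
    return data


def build_policy_params(baseline):
    """Wrap the baseline in the {"<param>": {"value": ...}} document that
    `az policy assignment create --params` accepts (as a file path or JSON string)."""
    return {BASELINE_PARAM: {"value": baseline}}


def assignment_command(name, scope, params_file):
    """Build the az CLI invocation that assigns the audit baseline at `scope`
    (a subscription, management group or resource group resource ID)."""
    return [
        "az", "policy", "assignment", "create",
        "--name", name,
        "--scope", scope,
        "--policy", POLICY_DEFINITION_ID,
        "--params", str(params_file),
    ]


def graph_query_command(query=COMPLIANCE_QUERY, first=1000):
    """Build the az CLI invocation that pulls compliance rows from ARG."""
    return ["az", "graph", "query", "-q", query, "--first", str(first), "-o", "json"]


def summarize_compliance(rows):
    """Aggregate ARG rows into per-status counts and a sorted list of
    (machine, assignment, status) for everything that is not Compliant.
    The machine name is segment 8 of the assignment ID for both
    Microsoft.Compute/virtualMachines and Microsoft.HybridCompute/machines."""
    counts = {}
    failing = []
    for row in rows:
        status = row.get("status") or "Unknown"
        counts[status] = counts.get(status, 0) + 1
        if status != "Compliant":
            failing.append((row["id"].split("/")[8], row["name"], status))
    return counts, sorted(failing)


# Constructed sample rows (not real ARG output) so the summary runs offline.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers"
_GC = "providers/Microsoft.GuestConfiguration/guestConfigurationAssignments"
SAMPLE_ARG_ROWS = [
    {"id": f"{_SUB}/Microsoft.Compute/virtualMachines/web01/{_GC}/AzureWindowsBaseline",
     "name": "AzureWindowsBaseline", "status": "Compliant"},
    {"id": f"{_SUB}/Microsoft.Compute/virtualMachines/db01/{_GC}/AzureWindowsBaseline",
     "name": "AzureWindowsBaseline", "status": "NonCompliant"},
    {"id": f"{_SUB}/Microsoft.HybridCompute/machines/edge01/{_GC}/AzureLinuxBaseline",
     "name": "AzureLinuxBaseline", "status": "Pending"},
]


def run_az(cmd):
    """Run an az CLI command and return its parsed JSON output."""
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(result.stdout) if result.stdout.strip() else {}


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <baseline.json> <assignment-name> <scope>")
    baseline_path, assignment_name, scope = sys.argv[1:]
    params_file = Path("baseline-params.json")
    params_file.write_text(json.dumps(build_policy_params(load_baseline(baseline_path)), indent=2))
    run_az(assignment_command(assignment_name, scope, params_file))
    counts, failing = summarize_compliance(run_az(graph_query_command()).get("data", []))
    print("status counts:", counts)
    for machine, assignment, status in failing:
        print(f"{machine}: {assignment} is {status}")
```

Run it as `python assign_baseline.py baseline.json baseline-audit /subscriptions/<id>` from a pipeline step that has already signed in with `az login`. Because the baseline policies are audit-only, the assignment needs no managed identity; the `Pending` status in the sample is what you see before a newly assigned machine has reported its first evaluation, so treat it as "not yet known" rather than as a failure.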
Prerequisites
- The Azure Machine Configuration prerequisites policy initiative must be deployed. It enables the Guest Configuration policies and installs the required Guest Configuration extension on virtual machines (VMs).
- An Azure subscription or management group containing supported Windows and Linux VMs.
- Sufficient permissions to create and assign custom policy definitions (the Owner or Resource Policy Contributor role).