Azure resource configuration audit
Sweep an Azure subscription's resource (control) plane for misconfigurations: storage account public access, NSG hygiene, Key Vault soft-delete, SQL firewall rules, exposed managed disks, etc. Our tool of choice is ScoutSuite (NCC Group), a multi-cloud security audit tool that fingerprints the configuration of an Azure subscription (or AWS / GCP / OCI / Alibaba) and writes an HTML report grouped by service and severity.
ScoutSuite
Install
python3 -m venv venv && source venv/bin/activate
pip install scoutsuite

Run against Azure
Two common auth modes; use whichever fits the engagement scope.
Reuse the operator's az login session:
az login --tenant <tenantid>
scout azure --cli --report-dir scout-report

Service principal (unattended, e.g. when working from a jump box):
scout azure --service-principal \
--tenant <tenantid> \
--client-id <appid> \
--client-secret <secret> \
--subscriptions <sub-id> \
--report-dir scout-report

Use --subscriptions <id> [<id> ...] to restrict scope, or --all-subscriptions for everything the identity can read. Add --no-browser on a headless host to skip the auto-open of the report.
Required permissions
Reader at subscription scope is enough for the configuration audit and is what we usually request. Some controls (Defender for Cloud findings, Activity Log queries) additionally need Security Reader and Log Analytics Reader. ScoutSuite logs each API permission denial it hits, so missing roles surface in the run output.
Output
The HTML report is written to scout-report/scoutsuite-results/ and auto-opens unless --no-browser is set. The dashboard is the entry point; the per-service pages list each finding with severity, affected resource, and a remediation link to Microsoft Learn. The raw JSON in the same folder (scoutsuite_results_azure-<tenant>.js) is what you grep for during reporting.
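Grepping the raw results file works for a quick look, but for reporting it is easier to parse it once and pull out only the rules that actually flagged a resource. The script below is an added example for this runbook, not ScoutSuite's own code: it strips the JavaScript assignment that wraps the JSON, walks services -> findings -> rule, keeps rules with flagged_items > 0 at or above a chosen severity, and orders them danger-first. The key names (services, findings, level, checked_items, flagged_items, items) follow ScoutSuite's results layout as assumed here; the embedded sample, with its subscription id, resource names and rule ids, is constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample standing in for scout-report/scoutsuite-results/scoutsuite_results_azure-<tenant>.js.
# ScoutSuite writes the JSON behind a JS assignment so the HTML report can load it; the key layout
# (services -> <service> -> findings -> <rule>) is assumed to match ScoutSuite's, while the
# subscription id, resource names and rule ids below are made up.
SAMPLE_RESULTS_JS = """scoutsuite_results =
{
  "provider_name": "azure",
  "services": {
    "storageaccounts": {
      "findings": {
        "storageaccounts-blob-public-access": {
          "description": "Storage account allows public blob access",
          "level": "danger", "checked_items": 3, "flagged_items": 1,
          "items": ["storageaccounts.subscriptions.00000000-0000-0000-0000-000000000000.storage_accounts.stexample01.allow_blob_public_access"]
        }
      }
    },
    "network": {
      "findings": {
        "network-nsg-inbound-any-to-any": {
          "description": "Network security group allows inbound traffic from any source",
          "level": "warning", "checked_items": 4, "flagged_items": 2,
          "items": ["network.subscriptions.00000000-0000-0000-0000-000000000000.network_security_groups.nsg-web.inbound_rules.allow-all",
                    "network.subscriptions.00000000-0000-0000-0000-000000000000.network_security_groups.nsg-db.inbound_rules.allow-all"]
        }
      }
    },
    "keyvault": {
      "findings": {
        "keyvault-soft-delete-disabled": {
          "description": "Key Vault soft-delete is disabled",
          "level": "danger", "checked_items": 2, "flagged_items": 0, "items": []
        }
      }
    }
  }
}
"""

LEVEL_RANK = {"danger": 2, "warning": 1}


def load_results(js_text):
    """Strip the leading 'scoutsuite_results =' assignment and parse the JSON body."""
    body = re.sub(r"^\s*scoutsuite_results\s*=\s*", "", js_text, count=1)
    return json.loads(body)


def flagged_findings(results, min_level="warning"):
    """Rules with at least one flagged resource, at or above min_level,
    ordered danger-first, then by service and rule id."""
    threshold = LEVEL_RANK[min_level]
    rows = []
    for service, svc in results.get("services", {}).items():
        for rule, finding in svc.get("findings", {}).items():
            if finding.get("flagged_items", 0) == 0:
                continue  # rule ran, nothing flagged: not a finding for the report
            level = finding.get("level", "warning")
            if LEVEL_RANK.get(level, 0) < threshold:
                continue
            rows.append({
                "service": service, "rule": rule, "level": level,
                "description": finding.get("description", ""),
                "flagged": finding["flagged_items"],
                "checked": finding.get("checked_items", 0),
                "items": list(finding.get("items", [])),
            })
    rows.sort(key=lambda r: (-LEVEL_RANK[r["level"]], r["service"], r["rule"]))
    return rows


def severity_counts(rows):
    """Number of flagged rules per severity level."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["level"]] += 1
    return dict(counts)


def resource_name(item_path):
    """Resource name from a ScoutSuite item path, assuming the layout
    <service>.subscriptions.<sub>.<collection>.<name>[.<attribute>...]."""
    parts = item_path.split(".")
    return parts[4] if len(parts) > 4 else item_path


if __name__ == "__main__":
    rows = flagged_findings(load_results(SAMPLE_RESULTS_JS))
    print("severity summary:", severity_counts(rows))
    for r in rows:
        print(f"[{r['level']}] {r['service']}/{r['rule']}: {r['flagged']}/{r['checked']} flagged")
        for item in r["items"]:
            print("    -", resource_name(item))
```

Point it at the real file by replacing SAMPLE_RESULTS_JS with the contents of scoutsuite_results_azure-<tenant>.js; the flagged/checked ratio per rule is what goes into the findings table, and the item paths give the affected resource names without opening the HTML report.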