Coverage · Azure

47 read-only Azure checks, zero changes to your settings.

If your business runs servers, storage, or databases in Microsoft Azure, Tenant Strike checks them for risky settings — open to the internet, weak access, missing encryption — and shows your admin the exact fix for each.

Read-only checks
47
Areas covered
7
Changes we make
0
Typical scan
<3min

The problem

Most Azure security tools want permission to change your settings. We don't.

Most cloud-security platforms want the keys to your cloud so they can offer one-click "auto-fixes" — you press a button and trust that the right thing changed. We made the opposite bet. Tenant Strike tells you the exact setting to change, where to find it, and what to set it to; your own admin makes the change. Nothing in your records ever shows an outside vendor editing your cloud, because there's nothing for us to edit.

What we look at

47 checks across 7 service categories.

  • Access & permissions

    8

    Who owns each subscription, overly broad roles, outside guests with access, stale app credentials, and whether sensitive access is time-limited.

  • Storage

    10

    Storage left open to the public, anonymous access, unencrypted transfers, weak firewall rules, recovery (soft delete), and private connections.

  • Servers

    7

    Servers exposed directly to the internet, missing disk encryption, antivirus coverage, out-of-date operating systems, and insecure web apps.

  • Networking

    8

    Remote-access (SSH/RDP) and database ports open to the internet, overly permissive rules, public addresses, DDoS protection, and web firewalls.

  • Databases

    6

    Databases reachable from anywhere, weak sign-in controls, missing encryption, and whether threat protection is turned on.

  • Logging & alerts

    4

    Whether activity is being recorded, kept long enough, and whether anyone gets alerted when something critical changes.

  • Security policy

    4

    Whether Microsoft's own security baseline and threat-protection plans are switched on, and which high-priority recommendations are open.

How it works

From read-only access to a clear Azure report.

  1. 01

    Give read-only access

    In the Azure portal, give the Tenant Strike app Microsoft's built-in 'Reader' role — their own read-only role. It takes about two minutes, and we show you exactly where to click.

  2. 02

    Pick your subscriptions

    Tenant Strike shows the subscriptions it can see. You choose which ones to scan — one, some, or all. It's never all-or-nothing.

  3. 03

    Scan

    All 47 Azure checks run in a couple of minutes. The results show up next to your Microsoft 365 findings, tagged by subscription so you can filter.

Sample finding

One finding, exactly as it appears.

Every finding comes with a severity, a plain description of what's wrong, a one-step fix, how an attacker would use it, and a direct link to the right Azure settings page.

Storage account allows anonymous blob access

CRITICALFAIL

Subscription: Production · East US

The storage account acmestorageprod001 allows anonymous public access (allowBlobPublicAccess=true). Any folder inside it can be opened up to the entire internet — no password needed, and nothing in your logs when it happens.

Fix path

Set allowBlobPublicAccess to false at the account level. Portal: Storage account → Configuration → Allow Blob anonymous access → Disabled → Save.

Attacker’s View™

Attackers run automated tools that guess storage account names around the clock — every account has a public web address, whether you use it or not. With anonymous access allowed, any folder marked public can be downloaded by anyone, leaving no trail. Several high-profile 2024 leaks — including 43 TB of Microsoft’s own AI research data — started exactly this way.

Microsoft Learn — Prevent anonymous public read access →

Related coverage

  • 6 Azure attack paths — the real break-in routes attackers used against Azure environments in 2024, and the one fix that breaks each.
  • What we read in Azure — the complete list of everything Tenant Strike looks at, automatically verified to be read-only.

Give read-only access and scan your first subscription.

It takes a couple of minutes. Pro includes all 47 Azure checks alongside Microsoft 365 and Vulnerability Watch.