GRCLANKER / azure-sec-inspector

Azure Security Inspector

Microsoft · Cloud Infrastructure

Download GitHub
VENDOR: Microsoft LANG: go UPDATED: 2026-03-29

azure-sec-inspector

Multi-framework security compliance audit tool for Azure and Microsoft 365 environments.

1. Overview

azure-sec-inspector is a command-line tool that audits the security posture of Azure subscriptions and Microsoft 365 tenants against eight compliance frameworks. It pulls data from Microsoft Graph API (Entra ID, Intune, Purview, Security), Azure Resource Manager (Defender for Cloud, networking, Key Vault, RBAC), and Defender for Cloud REST API, then correlates findings into unified compliance reports.

Why it matters: Azure and Microsoft 365 share a single identity plane (Entra ID) but split their security data across Graph API, ARM, and Defender for Cloud. Microsoft Secure Score gives a number but not framework-specific evidence. This tool bridges that gap, producing auditable, control-level reports mapped to FedRAMP, CMMC, SOC 2, CIS, PCI-DSS, STIG, IRAP, and ISMAP.

2. APIs & SDKs

Microsoft Graph API (graph.microsoft.com)

Entra ID (Azure AD)

Endpoint Method Purpose
/v1.0/users GET Enumerate all users, properties, licenses
/v1.0/users/{id}/authentication/methods GET MFA methods per user
/v1.0/groups GET Group membership, dynamic groups
/v1.0/directoryRoles GET Active directory roles
/v1.0/directoryRoles/{id}/members GET Members of privileged roles
/v1.0/identity/conditionalAccess/policies GET All conditional access policies
/v1.0/policies/authorizationPolicy GET Tenant-wide authorization settings
/v1.0/policies/authenticationMethodsPolicy GET Allowed authentication methods
/v1.0/policies/identitySecurityDefaultsEnforcementPolicy GET Security defaults status
/v1.0/domains GET Domain configuration, federation
/v1.0/subscribedSkus GET License assignments (E3, E5, P1, P2)
/v1.0/applications GET App registrations
/v1.0/servicePrincipals GET Service principals and permissions

Audit & Sign-In Logs

Endpoint Method Purpose
/v1.0/auditLogs/directoryAudits GET Directory audit events (30-day window)
/v1.0/auditLogs/signIns GET Sign-in logs with risk data (30-day window)
/v1.0/auditLogs/provisioning GET Provisioning logs
/beta/reports/authenticationMethods/userRegistrationDetails GET MFA registration status per user

Security

Endpoint Method Purpose
/v1.0/security/secureScores GET Microsoft Secure Score history
/v1.0/security/secureScoreControlProfiles GET Individual Secure Score controls
/v1.0/security/alerts_v2 GET Unified security alerts
/v1.0/security/incidents GET Security incidents

Identity Protection

Endpoint Method Purpose
/v1.0/identityProtection/riskyUsers GET Users flagged as risky
/v1.0/identityProtection/riskDetections GET Individual risk detections
/v1.0/identityProtection/riskyServicePrincipals GET Risky service principals

Intune / Endpoint Management

Endpoint Method Purpose
/v1.0/deviceManagement/deviceCompliancePolicies GET Device compliance policies
/v1.0/deviceManagement/managedDevices GET Managed device inventory
/v1.0/deviceManagement/deviceConfigurations GET Device configuration profiles
/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries GET Compliance setting summaries

Purview / Information Protection

Endpoint Method Purpose
/v1.0/informationProtection/sensitivityLabels GET Sensitivity label definitions
/beta/security/informationProtection/sensitivityLabels/evaluate POST Label evaluation
/v1.0/security/labels/retentionLabels GET Retention labels

Mail & Collaboration

Endpoint Method Purpose
/v1.0/users/{id}/mailboxSettings GET Mailbox settings incl. forwarding
/v1.0/admin/sharepoint/settings GET SharePoint sharing settings
/beta/teamwork/teamTemplates GET Teams templates and policies

Azure Resource Manager (management.azure.com)

Defender for Cloud

Endpoint Method Purpose
/providers/Microsoft.Security/alerts GET Defender security alerts
/providers/Microsoft.Security/assessments GET Security assessments and recommendations
/providers/Microsoft.Security/complianceResults GET Regulatory compliance results
/providers/Microsoft.Security/regulatoryComplianceStandards GET Enabled compliance standards
/providers/Microsoft.Security/regulatoryComplianceControls GET Control-level compliance
/providers/Microsoft.Security/regulatoryComplianceAssessments GET Assessment-level compliance
/providers/Microsoft.Security/securityContacts GET Security contact configuration
/providers/Microsoft.Security/autoProvisioningSettings GET Auto-provisioning status
/providers/Microsoft.Security/pricings GET Defender plan enablement per resource type

Networking

Endpoint Method Purpose
/providers/Microsoft.Network/networkSecurityGroups GET NSG rules
/providers/Microsoft.Network/virtualNetworks GET VNet configuration
/providers/Microsoft.Network/applicationGateways GET WAF configuration
/providers/Microsoft.Network/networkWatchers GET Network Watcher and flow logs

Key Vault

Endpoint Method Purpose
/providers/Microsoft.KeyVault/vaults GET Key Vault configuration
/providers/Microsoft.KeyVault/vaults/{name}/keys GET Key inventory and rotation
/providers/Microsoft.KeyVault/vaults/{name}/secrets GET Secret metadata (not values)

Identity & Access

Endpoint Method Purpose
/providers/Microsoft.Authorization/roleAssignments GET RBAC role assignments
/providers/Microsoft.Authorization/roleDefinitions GET Custom role definitions
/providers/Microsoft.Authorization/policyAssignments GET Azure Policy assignments
/providers/Microsoft.Authorization/policyDefinitions GET Custom policy definitions

Storage & Compute

Endpoint Method Purpose
/providers/Microsoft.Storage/storageAccounts GET Storage account configuration
/providers/Microsoft.Compute/virtualMachines GET VM configuration, extensions
/providers/Microsoft.Sql/servers GET SQL Server configuration

Monitoring

Endpoint Method Purpose
/providers/Microsoft.Insights/diagnosticSettings GET Diagnostic logging configuration
/providers/Microsoft.Insights/activityLogAlerts GET Activity log alert rules
/providers/Microsoft.Insights/logProfiles GET Activity log export configuration

SDKs and CLIs

  • msgraph-sdk-python — Microsoft Graph API client
  • azure-identity — Azure authentication (DefaultAzureCredential, ClientSecretCredential)
  • azure-mgmt-security — Defender for Cloud management
  • azure-mgmt-authorization — RBAC and Policy
  • azure-mgmt-network — NSG, VNet, Network Watcher
  • azure-mgmt-keyvault — Key Vault management
  • azure-mgmt-storage — Storage account management
  • azure-mgmt-monitor — Diagnostic settings, alerts
  • azure-mgmt-resource — Resource group and subscription management
  • azure-cliaz security, az ad, az policy, az network nsg

3. Authentication

OAuth 2.0 Client Credentials Flow

The tool uses an Entra ID app registration with client credentials:

  1. Register an application in Entra ID
  2. Grant required Microsoft Graph and ARM API permissions (application permissions)
  3. Grant admin consent
  4. Authenticate with tenant ID + client ID + client secret (or certificate)

Environment Variables

Variable Required Description
AZURE_TENANT_ID Yes Entra ID tenant ID
AZURE_CLIENT_ID Yes App registration client ID
AZURE_CLIENT_SECRET Yes* Client secret (*or use certificate)
AZURE_CLIENT_CERTIFICATE_PATH No Path to PFX/PEM certificate (alternative to secret)
AZURE_SUBSCRIPTION_ID No Default subscription (auto-detected if omitted)
AZURE_AUTHORITY_HOST No Authority URL (defaults to login.microsoftonline.com; use login.microsoftonline.us for GCC High)

Credential Resolution

The tool uses azure-identity.DefaultAzureCredential which attempts, in order:

  1. Environment variables (AZURE_TENANT_ID + AZURE_CLIENT_ID + AZURE_CLIENT_SECRET)
  2. Managed Identity (for Azure-hosted execution)
  3. Azure CLI (az login session)
  4. Azure PowerShell session
  5. Interactive browser login (optional, disabled by default)

Required API Permissions

Microsoft Graph (Application):

  • User.Read.All — user enumeration and properties
  • Directory.Read.All — roles, groups, policies
  • Policy.Read.All — conditional access, authentication methods
  • SecurityEvents.Read.All — security alerts, Secure Score
  • AuditLog.Read.All — directory audits, sign-in logs
  • IdentityRiskyUser.Read.All — risky user data
  • DeviceManagementConfiguration.Read.All — Intune policies
  • DeviceManagementManagedDevices.Read.All — managed devices
  • InformationProtectionPolicy.Read.All — sensitivity labels
  • Mail.Read — mailbox forwarding rules (delegated, optional)
  • Reports.Read.All — MFA registration reports

Azure Resource Manager:

  • Reader role on target subscriptions
  • Security Reader role for Defender for Cloud data

Multi-Tenant / Multi-Subscription

For organizations with multiple tenants or subscriptions:

Tenant A
  ├─ Subscription 1 (ARM audit)
  ├─ Subscription 2 (ARM audit)
  └─ Entra ID (Graph audit)

Tenant B (optional)
  ├─ Subscription 3
  └─ Entra ID

4. Security Controls

# Control API Surface Description
1 Conditional Access Policies Graph Baseline CA policies enforced (require MFA, block legacy auth, require compliant device)
2 MFA Enforcement Graph All users registered for MFA; no exemptions for privileged accounts
3 Secure Score Graph Microsoft Secure Score above threshold; critical controls addressed
4 Legacy Authentication Blocked Graph Legacy authentication protocols disabled via CA policy
5 Privileged Role Assignments Graph Global Admin count minimized; PIM enabled; no permanent assignments
6 Guest User Access Graph Guest user access restricted; external collaboration settings configured
7 Sign-In Risk Policies Graph Identity Protection sign-in risk policy enabled at medium+ risk
8 User Risk Policies Graph Identity Protection user risk policy enabled; self-remediation configured
9 Device Compliance Graph (Intune) Compliance policies defined and enforced; non-compliant devices blocked
10 DLP Policies Graph (Purview) Data Loss Prevention policies active for sensitive data types
11 Sensitivity Labels Graph (Purview) Sensitivity labels published and applied to sensitive content
12 NSG Rules ARM No unrestricted inbound access on admin ports (22, 3389, 3306, 1433)
13 Key Vault Access ARM Key Vault access policies follow least privilege; soft delete and purge protection enabled
14 Storage Encryption ARM Storage accounts enforce HTTPS; encryption at rest with CMK where required
15 Diagnostic Logging ARM Diagnostic settings enabled on all critical resources; logs sent to Log Analytics
16 Defender for Cloud Enabled ARM All Defender plans enabled (Servers, SQL, Storage, App Service, Key Vault, DNS, ARM)
17 RBAC Least Privilege ARM No Owner/Contributor at subscription scope; custom roles scoped appropriately
18 Subscription Security Contacts ARM Security contact email and phone configured; alert notifications enabled
19 Audit Log Retention Graph, ARM Audit logs retained for 90+ days; exported to external SIEM
20 Mail Forwarding Rules Graph No external mail forwarding rules; transport rules reviewed
21 External Sharing Graph SharePoint/OneDrive external sharing restricted; Teams guest access controlled
22 App Registrations Graph No apps with excessive permissions; credentials rotated regularly
23 Service Principal Security Graph No service principals with Owner/Contributor; credentials have expiry
24 Network Watcher ARM Network Watcher enabled in all regions; NSG flow logs active
25 Azure Policy Compliance ARM Mandatory policies assigned (allowed locations, required tags, allowed SKUs)

5. Compliance Framework Mappings

# Control FedRAMP (NIST 800-53) CMMC 2.0 SOC 2 CIS Azure v2.1 PCI-DSS v4.0 DISA STIG IRAP ISMAP
1 Conditional Access AC-2, AC-3, AC-7 AC.L2-3.1.1 CC6.1, CC6.6 1.2.1, 1.2.2 7.2.1 SRG-APP-000033 ISM-1401 7.1.1
2 MFA Enforcement IA-2(1), IA-2(2) IA.L2-3.5.3 CC6.1 1.1.1, 1.1.2, 1.1.3 8.4.2 SRG-APP-000149 ISM-1401 7.2.1
3 Secure Score CA-7, SI-4 CA.L2-3.12.3 CC7.1 11.5.1 SRG-APP-000516 ISM-1228 8.2.1
4 Legacy Auth Blocked AC-17, IA-2(6) AC.L2-3.1.12 CC6.1, CC6.7 1.2.6 8.2.1 SRG-APP-000295 ISM-1557 7.2.2
5 Privileged Roles AC-6(1), AC-6(5) AC.L2-3.1.5 CC6.1, CC6.3 1.1.4, 1.23 7.2.2 SRG-APP-000340 ISM-1507 7.1.2
6 Guest User Access AC-2, AC-3 AC.L2-3.1.1 CC6.1, CC6.2 1.14 7.2.5 SRG-APP-000033 ISM-1380 7.1.3
7 Sign-In Risk IA-5(13), SI-4 IA.L2-3.5.2 CC6.1, CC6.8 1.2.3 8.3.1 SRG-APP-000516 ISM-0120 7.2.3
8 User Risk IA-5(13), SI-4 IA.L2-3.5.2 CC6.1, CC6.8 1.2.4 8.3.1 SRG-APP-000516 ISM-0120 7.2.4
9 Device Compliance CM-2, CM-6 CM.L2-3.4.1 CC6.1, CC6.8 6.3.1 SRG-APP-000383 ISM-1490 6.3.1
10 DLP Policies MP-4, SC-28 SC.L2-3.13.16 CC6.1, CC6.7 3.4.1 SRG-APP-000231 ISM-0264 6.2.1
11 Sensitivity Labels MP-4, SC-16 SC.L2-3.13.16 CC6.1, CC6.5 3.4.1 SRG-APP-000231 ISM-0264 6.2.2
12 NSG Rules AC-4, SC-7 SC.L2-3.13.1 CC6.1, CC6.6 6.1, 6.2 1.3.1 SRG-APP-000142 ISM-1416 6.1.1
13 Key Vault Access SC-12, SC-28 SC.L2-3.13.10 CC6.1, CC6.7 8.1, 8.2, 8.5 3.6.4 SRG-APP-000231 ISM-0457 6.2.3
14 Storage Encryption SC-8, SC-28 SC.L2-3.13.8 CC6.1, CC6.7 3.1, 3.7 3.4.1, 4.1.1 SRG-APP-000014 ISM-0457 6.2.4
15 Diagnostic Logging AU-2, AU-3, AU-6 AU.L2-3.3.1 CC7.2, CC7.3 5.1.1, 5.1.2 10.2.1 SRG-APP-000089 ISM-0580 8.1.1
16 Defender Enabled SI-4, IR-4 SI.L2-3.14.6 CC7.2, CC7.3 2.1.1 through 2.1.15 11.5.1 SRG-APP-000516 ISM-1228 8.2.2
17 RBAC Least Privilege AC-6, AC-6(1) AC.L2-3.1.5 CC6.1, CC6.3 1.23 7.2.2 SRG-APP-000342 ISM-1380 7.1.4
18 Security Contacts IR-6, PM-2 IR.L2-3.6.2 CC7.4 2.1.19, 2.1.20 12.10.5 SRG-APP-000516 ISM-0072 9.1.1
19 Audit Log Retention AU-9, AU-11 AU.L2-3.3.8 CC7.2 5.1.3, 5.2.6 10.7.1 SRG-APP-000125 ISM-0859 8.1.2
20 Mail Forwarding AC-4, SC-7 SC.L2-3.13.1 CC6.1 1.3.4 SRG-APP-000142 ISM-1416 6.1.2
21 External Sharing AC-3, AC-4 AC.L2-3.1.3 CC6.1, CC6.6 7.2.5 SRG-APP-000033 ISM-0263 6.1.3
22 App Registrations CM-7, IA-5 CM.L2-3.4.8 CC6.1, CC6.2 1.11 8.6.3 SRG-APP-000175 ISM-1590 7.2.5
23 Service Principals AC-6, IA-4 AC.L2-3.1.5 CC6.1, CC6.3 8.6.3 SRG-APP-000340 ISM-1507 7.2.6
24 Network Watcher AU-12, SI-4 AU.L2-3.3.1 CC7.2 6.4, 6.5 10.2.1 SRG-APP-000089 ISM-0580 8.1.3
25 Azure Policy CM-2, CM-6 CM.L2-3.4.2 CC6.1, CC8.1 6.3.1 SRG-APP-000383 ISM-1490 6.3.2

6. Existing Tools

Tool Language Notes
ScoutSuite Python Multi-cloud auditing with Azure support. Reference for check logic.
Azure Policy Managed Service Built-in policy definitions for CIS, NIST, PCI-DSS. Inspector reads compliance state.
Microsoft Compliance Manager Managed Service Microsoft's native compliance assessment. Inspector exports comparable data.
Prowler Python Added Azure support. Reference for check definitions.
Steampipe Go SQL-based queries with Azure plugin. Reference for control queries.
AzureADAssessment PowerShell Microsoft's Entra ID assessment tool. Reference for identity checks.
Monkey365 PowerShell Azure and M365 security auditing. Reference for M365 checks.
Microsoft Secure Score Managed Service Native security posture scoring. Inspector ingests this data.

7. Architecture

Package Structure

azure-sec-inspector/
├── spec.md
├── pyproject.toml
├── src/
│   └── azure_sec_inspector/
│       ├── __init__.py
│       ├── cli.py                  # Click/Typer CLI entry point
│       ├── client.py               # Azure credential management, Graph + ARM clients
│       ├── collector.py            # Data collection orchestrator (Graph + ARM)
│       ├── engine.py               # Analysis engine: runs all analyzers, aggregates results
│       ├── models.py               # Pydantic models: Finding, Control, ComplianceResult
│       ├── analyzers/
│       │   ├── __init__.py
│       │   ├── base.py             # BaseAnalyzer ABC
│       │   ├── common.py           # Shared analysis utilities
│       │   ├── fedramp.py          # NIST 800-53 control mapping and evaluation
│       │   ├── cmmc.py             # CMMC 2.0 practice mapping and evaluation
│       │   ├── soc2.py             # SOC 2 Trust Services Criteria evaluation
│       │   ├── cis.py              # CIS Azure Foundations Benchmark evaluation
│       │   ├── pci_dss.py          # PCI-DSS v4.0 requirement evaluation
│       │   ├── stig.py             # DISA STIG evaluation
│       │   ├── irap.py             # IRAP (Australian ISM) evaluation
│       │   └── ismap.py            # ISMAP (Japanese cloud security) evaluation
│       └── reporters/
│           ├── __init__.py
│           ├── executive.py        # Executive summary (Secure Score, pass/fail, risk)
│           ├── matrix.py           # Cross-framework compliance matrix
│           ├── fedramp.py          # FedRAMP-formatted report
│           ├── cmmc.py             # CMMC-formatted report
│           ├── soc2.py             # SOC 2 report
│           ├── cis.py              # CIS benchmark report
│           ├── pci_dss.py          # PCI-DSS report
│           ├── stig.py             # STIG checklist (XCCDF/CKL format)
│           ├── irap.py             # IRAP report
│           ├── ismap.py            # ISMAP report
│           └── json_export.py      # Machine-readable JSON/OSCAL export
└── tests/
    ├── conftest.py
    ├── test_models.py
    ├── test_client.py
    ├── test_collector.py
    ├── test_analyzers/
    │   ├── test_common.py
    │   ├── test_fedramp.py
    │   └── ...
    └── test_reporters/
        └── ...

Data Flow

CLI (cli.py)
  │
  ├─ Client (client.py)          ← DefaultAzureCredential, Graph + ARM token acquisition
  │
  ├─ Collector (collector.py)     ← Calls Graph API + ARM API, normalizes into models
  │     ├─ EntraIDCollector       ← Users, roles, CA policies, auth methods
  │     ├─ AuditLogCollector      ← Directory audits, sign-in logs
  │     ├─ SecurityCollector      ← Secure Score, alerts, Identity Protection
  │     ├─ IntuneCollector        ← Device compliance, configurations
  │     ├─ PurviewCollector       ← Sensitivity labels, DLP policies
  │     ├─ DefenderCollector      ← Defender plans, assessments, regulatory compliance
  │     ├─ NetworkCollector       ← NSGs, VNets, Network Watcher, flow logs
  │     ├─ KeyVaultCollector      ← Vault config, key rotation, access policies
  │     ├─ RBACCollector          ← Role assignments, custom roles, Azure Policy
  │     ├─ StorageCollector       ← Storage account encryption, access config
  │     └─ MonitoringCollector    ← Diagnostic settings, activity log alerts
  │
  ├─ Engine (engine.py)           ← Runs analyzers against collected data
  │     ├─ FedRAMPAnalyzer
  │     ├─ CMMCAnalyzer
  │     ├─ SOC2Analyzer
  │     ├─ CISAnalyzer
  │     ├─ PCIDSSAnalyzer
  │     ├─ STIGAnalyzer
  │     ├─ IRAPAnalyzer
  │     └─ ISMAPAnalyzer
  │
  └─ Reporters                    ← Generate framework-specific output
        ├─ Markdown reports
        ├─ JSON/OSCAL export
        └─ STIG CKL/XCCDF

8. CLI Interface

# Full audit: Entra ID + all subscriptions, all frameworks
azure-sec-inspector audit

# Audit specific frameworks
azure-sec-inspector audit --frameworks fedramp,cmmc,pci-dss

# Audit only Entra ID / Microsoft 365 (no ARM)
azure-sec-inspector audit --scope entra

# Audit only Azure resources (no Graph API)
azure-sec-inspector audit --scope azure

# Specify tenant and subscription
azure-sec-inspector audit --tenant-id <GUID> --subscription-id <GUID>

# Audit multiple subscriptions
azure-sec-inspector audit --subscription-id sub1,sub2,sub3

# Audit all subscriptions the credential has access to
azure-sec-inspector audit --all-subscriptions

# GCC High / government cloud
azure-sec-inspector audit --cloud us-gov

# Output directory and format
azure-sec-inspector audit --output ./reports --format json

# Single control check
azure-sec-inspector check mfa-enforcement

# List all controls
azure-sec-inspector controls list

# List controls for a specific framework
azure-sec-inspector controls list --framework cmmc

# Export OSCAL-formatted results
azure-sec-inspector audit --format oscal --output ./oscal-results

# Dry run: show required permissions and API calls
azure-sec-inspector audit --dry-run

# Verbose output for debugging
azure-sec-inspector audit -v --log-level debug

# Compare two audit snapshots
azure-sec-inspector diff ./reports/2026-03-01 ./reports/2026-03-24

9. Build Sequence

Phase 1: Foundation

  • Project scaffolding (pyproject.toml, src layout, CI)
  • client.py — Azure credential management (DefaultAzureCredential, client_secret, certificate)
  • models.py — Pydantic models for findings, controls, compliance results
  • cli.py — basic Click/Typer CLI skeleton

Phase 2: Entra ID & Identity

  • EntraIDCollector — users, groups, roles, conditional access, authentication methods
  • SecurityCollector — Secure Score, alerts
  • AuditLogCollector — directory audits, sign-in logs (30-day window)
  • Controls 1-8: CA policies, MFA, Secure Score, legacy auth, privileged roles, guest access, sign-in risk, user risk

Phase 3: Microsoft 365 & Data Protection

  • IntuneCollector — device compliance policies, managed devices
  • PurviewCollector — sensitivity labels, DLP policies
  • Mail/collaboration settings — forwarding rules, external sharing
  • Controls 9-11, 20-23: device compliance, DLP, sensitivity labels, mail forwarding, external sharing, app registrations, service principals

Phase 4: Azure Infrastructure

  • DefenderCollector — Defender plans, assessments, regulatory compliance
  • NetworkCollector — NSGs, VNets, Network Watcher, flow logs
  • KeyVaultCollector — vault config, key rotation, access policies
  • RBACCollector — role assignments, custom roles, Azure Policy
  • StorageCollector — encryption, access tier, HTTPS enforcement
  • MonitoringCollector — diagnostic settings, activity log alerts
  • Controls 12-19, 24-25: NSGs, Key Vault, encryption, logging, Defender, RBAC, security contacts, audit retention, Network Watcher, Azure Policy

Phase 5: Analyzers

  • base.py — BaseAnalyzer ABC with common evaluation logic
  • Framework-specific analyzers: FedRAMP, CMMC, SOC 2, CIS, PCI-DSS, STIG, IRAP, ISMAP
  • Control-to-framework mapping tables
  • Scoring logic (pass/fail/not-applicable/manual-review)

Phase 6: Reporters & Polish

  • Executive summary reporter (Secure Score integration, pass/fail breakdown)
  • Framework-specific report generators (Markdown, JSON)
  • Cross-framework compliance matrix
  • STIG CKL/XCCDF export
  • OSCAL export format
  • Diff tool for comparing audit snapshots
  • Multi-subscription aggregation reports

Phase 7: Hardening

  • Comprehensive test suite (unit, integration with mocked Graph/ARM responses)
  • Rate limiting and retry logic (Graph API throttling: 429 handling)
  • Pagination handling (Graph @odata.nextLink, ARM nextLink)
  • Government cloud support (GCC, GCC High, DoD)
  • Error handling for missing permissions / unlicensed features
  • Documentation and required permissions manifest

10. Status

Not yet implemented. Spec only.

Download GitHub
URL copied to clipboard