Microsoft Azure — Extraction Guide

Data Extraction Guide for Microsoft Azure

Step-by-step instructions for your IT or Cloud team to extract Azure security configuration data as CSV files for the V/ergent cloud security assessment. Uses Azure PowerShell (Az module) — no live API access granted to V/ergent. Includes Release 5 programme packs: 50 cross-system SoD rules across all 10 platforms.

11 Data Files
7 Domains
54+ Checks + R5 rules
~25 min Est. Time
Quick start

Recommended extraction path

Use the V/ergent extractor first. It writes CSVs to a timestamped folder under C:\Vergent\Export, then you upload that folder into the audit project.

1. Confirm access: Use the read-only role/API scopes listed below.
2. Download with code: Paid/active users receive an email code before download.
3. Run locally: PowerShell writes CSV output; V/ergent does not receive credentials.
4. Upload and audit: Upload CSVs, confirm file match, then run the audit.
Manual path if automated extraction is blocked

Use the required-file list below as the manual checklist. Keep filenames unchanged, leave unavailable files empty with only headers, and record any missing source in the upload notes before running the audit.

0 Before You Begin
Automated extraction recommended. V/ergent provides Extract-VergentAzure.ps1 which uses the Azure Az PowerShell module and Microsoft Graph to extract all 11 files automatically. Requires PowerShell 5.1+ on Windows.
Read-only — no changes to your Azure environment. All operations use Get-* and List cmdlets only. V/ergent never modifies any Azure resource, role assignment, or policy. Revoke credentials after the assessment is complete.
| Requirement | Details | Notes |
| --- | --- | --- |
| Az PowerShell Module | Install-Module -Name Az -AllowClobber -Scope CurrentUser | Requires PowerShell 5.1+ on Windows |
| Microsoft Graph Module | Install-Module -Name Microsoft.Graph -Scope CurrentUser | Required for AAD users, admins, CA policies |
| Azure RBAC Role | Reader on the subscription + Security Reader | Assigned via Azure Portal → Subscriptions → Access Control (IAM) |
| Azure AD Role | Global Reader or Security Reader | Required for AAD users, privileged roles, CA policies |
| Subscription ID | Found in Azure Portal → Subscriptions | Pass as -SubscriptionId parameter |
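
A pre-flight check for the prerequisites in the table above, as an added example (not part of Extract-VergentAzure.ps1 or any V/ergent code). It confirms the PowerShell version and modules, then lists the signed-in account's Azure RBAC roles at subscription scope so that anything beyond Reader and Security Reader is visible before the extraction runs. It assumes a user account rather than a service principal and does not check the Azure AD directory role.

```powershell
# Added example: pre-flight check for the prerequisites above. Not V/ergent's script.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId
)

$problems = @()

# The guide requires PowerShell 5.1 or later.
if ($PSVersionTable.PSVersion -lt [version]'5.1') {
    $problems += "PowerShell $($PSVersionTable.PSVersion) is older than 5.1"
}

# Both modules from the requirements table must be installed for this user.
foreach ($name in 'Az', 'Microsoft.Graph') {
    if (-not (Get-Module -ListAvailable -Name $name)) {
        $problems += "Module $name is not installed"
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; return }

# Sign in if there is no cached context, then select the target subscription.
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
$ctx   = Set-AzContext -SubscriptionId $SubscriptionId
$scope = "/subscriptions/$SubscriptionId"

# Assumption: the extraction runs as a user account, so Account.Id is a sign-in name.
# Assignments inherited through group membership are not listed by this call.
$assigned = @(Get-AzRoleAssignment -SignInName $ctx.Account.Id -Scope $scope)

$expected = 'Reader', 'Security Reader'
$missing  = $expected | Where-Object { $_ -notin $assigned.RoleDefinitionName }
$extra    = $assigned | Where-Object { $_.RoleDefinitionName -notin $expected }

foreach ($r in $missing) { Write-Warning "Missing RBAC role at ${scope}: $r" }
foreach ($a in $extra) {
    Write-Warning "Role not required by the guide: $($a.RoleDefinitionName) at $($a.Scope)"
}
if (-not $missing -and -not $extra) {
    Write-Output "$($ctx.Account.Id) holds exactly Reader and Security Reader at $scope"
}
```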
1 Required Files (11 total)

All files are CSV format. The PowerShell script produces these exact filenames.

Identity & Access
aad_users.csv (Identity)

Azure AD Users

All AAD users: account status, MFA registration, last sign-in date, user type (member/guest), department.

aad_admins.csv (Identity)

Privileged Role Assignments

All users/groups with privileged Azure AD roles (Global Admin, Security Admin, User Admin, etc.).

conditional_access.csv (Identity)

Conditional Access Policies

All CA policies: state (enabled/disabled), MFA requirement, compliant device requirement, included users.

Access Control
role_assignments.csv (Access)

RBAC Role Assignments

All subscription-level RBAC assignments: principal type, role name, scope, custom role indicator.

Data Security
storage_accounts.csv (Data Sec)

Storage Accounts

All storage accounts: public blob access, HTTPS enforcement, TLS version, network default action.

sql_servers.csv (Data Sec)

SQL Servers & Databases

All Azure SQL servers: TDE status, public network access, Azure AD admin configuration, audit settings.

Network Security
vms.csv (Network)

Virtual Machines

All VMs: public IP, NSG attachment, disk encryption status, monitoring agent, OS type, power state.

nsg_rules.csv (Network)

NSG Rules

All Network Security Group inbound/outbound rules: source/destination prefixes, port ranges, allow/deny.

Key Management, Audit & Compliance
key_vaults.csv (Key Mgmt)

Key Vaults

All Key Vaults: soft delete, purge protection, public network access, audit logging, network ACLs.

activity_logs.csv (Audit)

Diagnostic & Activity Log Settings

Subscription activity log configuration and per-resource diagnostic settings: retention, Log Analytics workspace.

subscriptions.csv (Compliance)

Subscriptions & Security Center

Microsoft Defender for Cloud tier, security score, policy compliance count, security contacts, MFA enforcement.
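
A check of an export folder against the 11 filenames listed above, as an added example (not V/ergent's code). It covers both the automated output and the manual path: it reports missing and header-only files to record in the upload notes, records a SHA-256 hash per file as a local record of what was uploaded, and warns about any other file in the folder. The parameter name and status labels are assumptions of this example.

```powershell
# Added example: verify an export folder before upload. Not V/ergent's script.
param(
    # Assumed parameter: the timestamped folder created under C:\Vergent\Export.
    [Parameter(Mandatory)] [string] $ExportFolder
)

# The exact filenames listed in this guide.
$required = 'aad_users.csv', 'aad_admins.csv', 'conditional_access.csv',
            'role_assignments.csv', 'storage_accounts.csv', 'sql_servers.csv',
            'vms.csv', 'nsg_rules.csv', 'key_vaults.csv',
            'activity_logs.csv', 'subscriptions.csv'

$report = foreach ($name in $required) {
    $path = Join-Path $ExportFolder $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        [pscustomobject]@{ File = $name; Status = 'MISSING'; Rows = $null; SHA256 = $null }
        continue
    }
    # Import-Csv consumes the first line as the header, so Count is the data-row count.
    $rows   = @(Import-Csv -LiteralPath $path).Count
    $status = if ((Get-Item -LiteralPath $path).Length -eq 0) { 'EMPTY-NO-HEADER' }
              elseif ($rows -eq 0) { 'HEADER-ONLY' }
              else { 'OK' }
    [pscustomobject]@{
        File   = $name
        Status = $status
        Rows   = $rows
        SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
$report | Format-Table -AutoSize

# Files outside the required set deserve a look before the folder leaves the machine.
Get-ChildItem -LiteralPath $ExportFolder -File |
    Where-Object { $_.Name -notin $required } |
    ForEach-Object { Write-Warning "Unexpected file in export folder: $($_.Name)" }

# Per the manual path, unavailable sources are recorded in the upload notes.
$toNote = @($report | Where-Object { $_.Status -ne 'OK' })
if ($toNote.Count -gt 0) {
    Write-Warning "Record in upload notes: $($toNote.File -join ', ')"
}
```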

Detailed extraction steps require sign-in
The full extraction guide — including SQL queries, transaction codes, PowerShell scripts, and the complete file/table reference — is available to V/ergent customers. The overview above tells you what's involved; sign in to access the operational detail.
What V/ergent ships for Microsoft Azure (Release 5)

Native coverage: 15 RBAC + Entra dangerous role-pairing rules (AZ-CSOD-001..015) — every combination Microsoft itself documents as forbidden.

Plus the three Release 5 programme packs that run alongside this platform's audit:

Every finding carries citations across 13 frameworks (COSO 2013, COBIT 2019, NIST CSF 2.0, ISO 27001:2022, CIS v8, SOX ITGC, SOC 2 TSC, PCI DSS v4, HIPAA, DORA, NIS2, GDPR, Kenya DPA) — 11 of 13 at ≥75% mapped coverage. See the Check Packs page for per-pack framework coverage badges.