Microsoft Azure — Extraction Guide

Data Extraction Guide for Microsoft Azure

Step-by-step instructions for your IT or Cloud team to extract Azure security configuration data as CSV files for the AuditCore cloud security assessment. Uses Azure PowerShell (Az module) — no live API access granted to AuditCore.

11 data files · 7 domains · 39+ checks · ~25 min estimated time
0 Before You Begin
Automated extraction recommended. AuditCore provides Extract-AuditCoreAzure.ps1 which uses the Azure Az PowerShell module and Microsoft Graph to extract all 11 files automatically. Requires PowerShell 5.1+ on Windows.
Read-only — no changes to your Azure environment. All operations use Get-* and List cmdlets only. AuditCore never modifies any Azure resource, role assignment, or policy. Revoke credentials after the assessment is complete.
Requirements (requirement / details / notes):

Az PowerShell Module
  Details: Install-Module -Name Az -AllowClobber -Scope CurrentUser
  Notes: Requires PowerShell 5.1+ on Windows

Microsoft Graph Module
  Details: Install-Module -Name Microsoft.Graph -Scope CurrentUser
  Notes: Required for AAD users, admins, CA policies

Azure RBAC Role
  Details: Reader on the subscription + Security Reader
  Notes: Assigned via Azure Portal → Subscriptions → Access Control (IAM)

Azure AD Role
  Details: Global Reader or Security Reader
  Notes: Required for AAD users, privileged roles, CA policies

Subscription ID
  Details: Found in Azure Portal → Subscriptions
  Notes: Pass as -SubscriptionId parameter
1 Required Files (11 total)

All files are CSV format. The PowerShell script produces these exact filenames.

Identity & Access

aad_users.csv (Identity): Azure AD Users
All AAD users: account status, MFA registration, last sign-in date, user type (member/guest), department.

aad_admins.csv (Identity): Privileged Role Assignments
All users/groups with privileged Azure AD roles (Global Admin, Security Admin, User Admin, etc.).

conditional_access.csv (Identity): Conditional Access Policies
All CA policies: state (enabled/disabled), MFA requirement, compliant device requirement, included users.

Access Control

role_assignments.csv (Access): RBAC Role Assignments
All subscription-level RBAC assignments: principal type, role name, scope, custom role indicator.

Data Security

storage_accounts.csv (Data Sec): Storage Accounts
All storage accounts: public blob access, HTTPS enforcement, TLS version, network default action.

sql_servers.csv (Data Sec): SQL Servers & Databases
All Azure SQL servers: TDE status, public network access, Azure AD admin configuration, audit settings.

Network Security

vms.csv (Network): Virtual Machines
All VMs: public IP, NSG attachment, disk encryption status, monitoring agent, OS type, power state.

nsg_rules.csv (Network): NSG Rules
All Network Security Group inbound/outbound rules: source/destination prefixes, port ranges, allow/deny.

Key Management, Audit & Compliance

key_vaults.csv (Key Mgmt): Key Vaults
All Key Vaults: soft delete, purge protection, public network access, audit logging, network ACLs.

activity_logs.csv (Audit): Diagnostic & Activity Log Settings
Subscription activity log configuration and per-resource diagnostic settings: retention, Log Analytics workspace.

subscriptions.csv (Compliance): Subscriptions & Security Center
Microsoft Defender for Cloud tier, security score, policy compliance count, security contacts, MFA enforcement.

2 Automated Extraction (Recommended)
Fastest path. Extract-AuditCoreAzure.ps1 uses the Az module and Microsoft Graph to extract all 11 data sources. Works on any Windows machine with PowerShell 5.1+.

Step-by-step

  1. Install required modules (run once as Administrator):

       # Install Az module (if not already installed)
       Install-Module -Name Az -AllowClobber -Scope CurrentUser
       # Install Microsoft Graph module (for AAD data)
       Install-Module -Name Microsoft.Graph -Scope CurrentUser

  2. Assign the extraction account the Reader + Security Reader roles on the subscription via Azure Portal → Subscriptions → Access Control (IAM) → Add role assignment.
  3. Assign the Global Reader or Security Reader role in Azure AD (Entra ID) → Roles and administrators → find the role → Add assignments.
  4. Connect to Azure and Graph, then run the script:

       # Connect to Azure
       Connect-AzAccount
       # Connect to Microsoft Graph (for AAD data)
       Connect-MgGraph -Scopes "User.Read.All","RoleManagement.Read.All","Policy.Read.All"
       # Run extraction
       .\Extract-AuditCoreAzure.ps1 `
           -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
           -OutputFolder "C:\AuditCore\Azure"

  5. All 11 CSV files will be saved to C:\AuditCore\Azure\.
  6. Upload to AuditCore → New Project → Microsoft Azure → upload the CSV files.
  7. After assessment: remove the Reader/Security Reader role assignments from the extraction account in Azure Portal.
Best practice. Create a dedicated Azure AD account (e.g. auditcore@yourtenant.onmicrosoft.com) for this extraction. Disable the account immediately after uploading the CSV files. Do not use a Global Administrator account for the extraction.
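The steps above leave two things to the operator's judgement: whether the account running the extraction really holds only the two read roles, and whether the run actually produced all 11 files. The following wrapper, added here as an example and not part of Extract-AuditCoreAzure.ps1 or any AuditCore code, checks both around the script call. It assumes the Az module is installed, Connect-AzAccount has already been run, and the extraction account is a user (Get-AzContext returns a sign-in name for users; for a service principal the -SignInName lookup would have to be replaced by -ObjectId). The function names and the role/file checks are this example's own.

```powershell
# Added example (not the AuditCore script): pre-flight and post-run checks
# around the extraction procedure. Assumes Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [string] $OutputFolder = "C:\AuditCore\Azure"
)

# The 11 filenames the guide states the script produces.
$ExpectedFiles = @(
    'aad_users.csv', 'aad_admins.csv', 'conditional_access.csv',
    'role_assignments.csv', 'storage_accounts.csv', 'sql_servers.csv',
    'vms.csv', 'nsg_rules.csv', 'key_vaults.csv',
    'activity_logs.csv', 'subscriptions.csv'
)
# The only subscription roles the extraction account should hold.
$AllowedRoles = @('Reader', 'Security Reader')

function Test-ExtractionAccountRoles {
    # Stop if the signed-in account holds anything beyond the two read roles
    # on the subscription, e.g. someone ran this as Owner or Contributor.
    param([Parameter(Mandatory)] [string] $SubscriptionId)
    $ctx = Get-AzContext
    if (-not $ctx) { throw "Not connected; run Connect-AzAccount first." }
    $assignments = Get-AzRoleAssignment -SignInName $ctx.Account.Id `
                                        -Scope "/subscriptions/$SubscriptionId"
    $extra = @($assignments | Where-Object { $AllowedRoles -notcontains $_.RoleDefinitionName })
    if ($extra.Count -gt 0) {
        throw ("Account {0} holds non-read roles on the subscription: {1}" -f `
               $ctx.Account.Id, (($extra | ForEach-Object RoleDefinitionName) -join ', '))
    }
    Write-Host ("OK: {0} holds only: {1}" -f $ctx.Account.Id, `
               (($assignments | ForEach-Object RoleDefinitionName) -join ', '))
}

function Test-ExtractionOutput {
    # Confirm every expected CSV exists and carries a header. A header with no
    # rows is worth a look: it is legitimate when the subscription has none of
    # that resource, but it is also what a missing permission or license produces.
    param([Parameter(Mandatory)] [string] $OutputFolder)
    $problems = foreach ($name in $ExpectedFiles) {
        $path = Join-Path $OutputFolder $name
        if (-not (Test-Path $path)) { "$name is missing"; continue }
        $lines = @(Get-Content -Path $path -TotalCount 2)
        if ($lines.Count -lt 1)     { "$name is empty (no header)" }
        elseif ($lines.Count -lt 2) { "$name has a header but no data rows" }
    }
    if ($problems) { Write-Warning ($problems -join "`n") }
    else { Write-Host "OK: all $($ExpectedFiles.Count) files present with data" }
}

Test-ExtractionAccountRoles -SubscriptionId $SubscriptionId
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
.\Extract-AuditCoreAzure.ps1 -SubscriptionId $SubscriptionId -OutputFolder $OutputFolder
Test-ExtractionOutput -OutputFolder $OutputFolder
```

Run it in place of step 4's bare script call, from the folder that holds Extract-AuditCoreAzure.ps1. The role check throws before anything is extracted, so an over-privileged session is caught early rather than after the CSVs have already been written.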
3 Manual Extraction Reference

Use these paths if the PowerShell script is not permitted in your environment.

Manual extraction reference (file / Azure Portal path or PowerShell / notes):

aad_users.csv
  Path: Azure AD → Users → Download users
  Notes: Include all columns; last sign-in requires Azure AD P1/P2

aad_admins.csv
  Path: Azure AD → Roles and administrators → Export for each privileged role
  Notes: Focus on Global Admin, Security Admin, User Admin

conditional_access.csv
  Path: Azure AD → Security → Conditional Access → export policy list
  Notes: Requires Azure AD P1 license or higher

role_assignments.csv
  Path: Azure Portal → Subscriptions → Access Control (IAM) → Download role assignments
  Notes: Scope to subscription level

nsg_rules.csv
  PowerShell: Get-AzNetworkSecurityGroup | Select-Object -ExpandProperty SecurityRules
  Notes: Run per resource group or subscription-wide

key_vaults.csv
  PowerShell: Get-AzKeyVault then Get-AzKeyVault -VaultName <name>
  Notes: Soft delete and purge protection settings

subscriptions.csv
  Path: Microsoft Defender for Cloud → Overview → Security posture
  Notes: Note the overall secure score and non-compliant policies count
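The two PowerShell rows above each hide a detail: expanding SecurityRules loses the parent NSG's name and resource group, and the list form of Get-AzKeyVault returns only name, resource group and location, so the soft-delete, purge-protection and network settings in Section 1's description of key_vaults.csv appear only when each vault is fetched by name. The script below, added here as an example and not part of Extract-AuditCoreAzure.ps1, carries both rows through to CSV files with the same names the guide uses. It assumes Connect-AzAccount has been run with the context set to the assessed subscription; the column names are this example's choice, matched to the fields Section 1 lists for each file, and the PublicNetworkAccess property on the vault object requires a recent Az.KeyVault release.

```powershell
# Added example, not AuditCore's script: the two PowerShell rows of the
# manual reference carried through to CSV. Assumes Connect-AzAccount has
# been run and the context is set to the assessed subscription.
$OutputFolder = "C:\AuditCore\Azure"   # same folder the guide uses
New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

# nsg_rules.csv: Select-Object -ExpandProperty SecurityRules drops the parent
# NSG name and resource group, so walk each NSG and carry them along.
# Prefix and port fields are lists in the API; join them with ';' so a
# multi-valued rule stays on one CSV row.
$nsgRows = Get-AzNetworkSecurityGroup | ForEach-Object {
    $nsg = $_
    foreach ($rule in $nsg.SecurityRules) {
        [pscustomobject]@{
            ResourceGroup            = $nsg.ResourceGroupName
            NsgName                  = $nsg.Name
            RuleName                 = $rule.Name
            Priority                 = $rule.Priority
            Direction                = $rule.Direction
            Access                   = $rule.Access
            Protocol                 = $rule.Protocol
            SourceAddressPrefix      = ($rule.SourceAddressPrefix -join ';')
            SourcePortRange          = ($rule.SourcePortRange -join ';')
            DestinationAddressPrefix = ($rule.DestinationAddressPrefix -join ';')
            DestinationPortRange     = ($rule.DestinationPortRange -join ';')
        }
    }
}
$nsgRows | Export-Csv -Path (Join-Path $OutputFolder 'nsg_rules.csv') -NoTypeInformation -Encoding UTF8

# key_vaults.csv: the list form of Get-AzKeyVault returns only name, resource
# group and location. Soft delete, purge protection and network settings are
# populated only when each vault is fetched by name, hence the second call.
$kvRows = Get-AzKeyVault | ForEach-Object {
    $kv = Get-AzKeyVault -VaultName $_.VaultName -ResourceGroupName $_.ResourceGroupName
    # Any diagnostic setting on the vault counts as audit logging configured.
    $diag = Get-AzDiagnosticSetting -ResourceId $kv.ResourceId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ResourceGroup           = $kv.ResourceGroupName
        VaultName               = $kv.VaultName
        Location                = $kv.Location
        SoftDeleteEnabled       = [bool]$kv.EnableSoftDelete
        SoftDeleteRetentionDays = $kv.SoftDeleteRetentionInDays
        PurgeProtectionEnabled  = [bool]$kv.EnablePurgeProtection   # unset means not enabled
        PublicNetworkAccess     = $kv.PublicNetworkAccess           # needs a recent Az.KeyVault
        NetworkDefaultAction    = $kv.NetworkAcls.DefaultAction
        NetworkBypass           = $kv.NetworkAcls.Bypass
        AuditLoggingConfigured  = [bool]$diag
    }
}
$kvRows | Export-Csv -Path (Join-Path $OutputFolder 'key_vaults.csv') -NoTypeInformation -Encoding UTF8

Write-Host ("nsg_rules.csv: {0} rules; key_vaults.csv: {1} vaults" -f @($nsgRows).Count, @($kvRows).Count)
```

Every cmdlet here is a Get-*, in line with the read-only requirement in Section 0. The per-vault Get-AzKeyVault call is one request per vault, so on a subscription with many vaults the second half takes noticeably longer than the first.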
4 What AuditCore Checks
Checks by domain (domain / key checks / frameworks):

Identity & Access
  Key checks: Global Admin count, admin MFA, guest privilege, stale accounts, CA policy gaps, permanent PIM assignments
  Frameworks: CIS Azure v2.0, NIST AC-2, M365 Security Benchmark

Data Security
  Key checks: Public blob access, HTTPS enforcement, TLS version, SQL TDE, public SQL endpoints, Azure AD SQL admin
  Frameworks: CIS 3.x, NIST SC-28, ISO 27001 A.8.24

Network Security
  Key checks: NSG open SSH/RDP from Internet, all-ports-open rules, VM public IP without NSG, disk encryption
  Frameworks: CIS 6.x, NIST SC-7, ISO 27001 A.8.20

Audit & Logging
  Key checks: Subscription activity log, diagnostic settings, log retention ≥90 days, Log Analytics workspace
  Frameworks: CIS 5.x, NIST AU-2, SOX ITGC

Access Control
  Key checks: Owner at subscription scope, guest Contributor, service principal over-privilege, individual vs. group assignments
  Frameworks: CIS 1.x, NIST AC-6, ISO 27001 A.5.15

Key Management
  Key checks: Key Vault soft delete, purge protection, public network access, audit logging
  Frameworks: CIS 8.x, NIST SC-12, PCI DSS 3.6

Compliance
  Key checks: Defender for Cloud tier (Free vs. Standard), security defaults, non-compliant policies, security contacts
  Frameworks: CIS 2.x, SOC 2 CC7, NIST RA-5
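To make the Network Security row concrete, here is an evaluator for the two NSG checks it names (SSH/RDP open from the Internet, all-ports-open rules) run over exported nsg_rules.csv rows. It is an added example, not AuditCore's own detection logic, and it runs offline against constructed sample rows embedded in the block. The column names are assumptions matching the fields the guide lists for nsg_rules.csv (direction, allow/deny, source prefix, destination port range); the function names are this example's own. Each rule is judged on its own, which is how the CIS benchmark words these checks; it does not model a lower-priority deny rule shadowing an allow rule.

```powershell
# Added example: evaluate exported nsg_rules.csv rows for the two network
# checks named in the table above. Not AuditCore's own logic; column names
# are assumptions matching the fields the guide lists for nsg_rules.csv.

# Source prefixes that mean "anywhere on the Internet" in an NSG rule.
$InternetSources = @('*', 'Internet', '0.0.0.0/0', '0.0.0.0', '/0')

function Test-PortInRange {
    # $RangeSpec is one CSV cell: "22", "*", "3000-4000", or several joined by ';'.
    param([Parameter(Mandatory)] [string] $RangeSpec, [Parameter(Mandatory)] [int] $Port)
    foreach ($part in ($RangeSpec -split ';')) {
        $part = $part.Trim()
        if ($part -eq '*') { return $true }
        if ($part -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($part -match '^\d+$' -and [int]$part -eq $Port) {
            return $true
        }
    }
    return $false
}

function Get-NsgExposureFindings {
    # Emits one finding object per (rule, check) that fails.
    param([Parameter(Mandatory)] [object[]] $Rules)
    foreach ($r in $Rules) {
        # Only inbound allow rules can expose a port; deny and outbound rules are skipped.
        if ($r.Direction -ne 'Inbound' -or $r.Access -ne 'Allow') { continue }
        $sources = @(($r.SourceAddressPrefix -split ';') | ForEach-Object { $_.Trim() })
        $fromInternet = @($sources | Where-Object { $InternetSources -contains $_ }).Count -gt 0
        if (-not $fromInternet) { continue }

        $ports = $r.DestinationPortRange.Trim()
        $findings = @()
        if ($ports -eq '*') {
            # A wildcard port range is reported once, not once per well-known port.
            $findings += 'AllPortsOpenFromInternet'
        } else {
            if (Test-PortInRange -RangeSpec $ports -Port 22)   { $findings += 'SSHOpenFromInternet' }
            if (Test-PortInRange -RangeSpec $ports -Port 3389) { $findings += 'RDPOpenFromInternet' }
        }
        foreach ($f in $findings) {
            [pscustomobject]@{
                Nsg      = $r.NsgName
                Rule     = $r.RuleName
                Priority = $r.Priority
                Source   = $r.SourceAddressPrefix
                Ports    = $ports
                Finding  = $f
            }
        }
    }
}

# Constructed sample rows standing in for an exported nsg_rules.csv.
# Expected findings: allow-ssh-any (SSHOpenFromInternet), allow-mgmt (RDPOpenFromInternet),
# allow-all (AllPortsOpenFromInternet). The HTTPS rule, the corporate-only RDP rule and
# the deny rule produce nothing.
$sample = @'
NsgName,RuleName,Priority,Direction,Access,Protocol,SourceAddressPrefix,DestinationPortRange
web-nsg,allow-https,100,Inbound,Allow,Tcp,Internet,443
web-nsg,allow-ssh-any,110,Inbound,Allow,Tcp,*,22
mgmt-nsg,allow-rdp-corp,100,Inbound,Allow,Tcp,10.0.0.0/8,3389
mgmt-nsg,allow-mgmt,150,Inbound,Allow,Tcp,0.0.0.0/0,3000-4000;3389
mgmt-nsg,allow-all,200,Inbound,Allow,*,0.0.0.0/0,*
db-nsg,deny-all-inbound,4096,Inbound,Deny,*,*,*
'@ | ConvertFrom-Csv

Get-NsgExposureFindings -Rules $sample | Format-Table -AutoSize

# Against a real export from the folder the guide uses:
# Get-NsgExposureFindings -Rules (Import-Csv 'C:\AuditCore\Azure\nsg_rules.csv')
```

The sample deliberately includes a multi-valued port cell ("3000-4000;3389") and a corporate-only RDP rule so the evaluator's range parsing and source filtering are both exercised; on a real export, a deny rule ahead of an allow rule at the same scope would need the priority-ordered evaluation this example leaves out.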