Identity & Access
Identity is the primary security perimeter in the cloud. We review who has access to what, whether that access is appropriate, and how well your credentials and secrets are managed.
RBAC, Privileged Access & Conditional Access
We review role assignments across all subscriptions and management groups to identify overly permissive access, standing Owner or Contributor roles where Privileged Identity Management (PIM) should be used, and accounts with access that is no longer justified. Conditional Access policies are assessed for coverage gaps — particularly around MFA enforcement, device compliance, and risky sign-in conditions.
Secrets, Key Vault & Certificate Management
We assess whether Azure Key Vault is being used consistently for secrets, keys, and certificates — or whether credentials are stored in plain text in application settings, environment variables, or code. We review Key Vault access policies, check for expiring or expired certificates, and identify any secrets that are shared across environments or have no rotation schedule in place.