Customizable Security Baselines in Azure Machine Configuration: Public Preview
mutemwamasheke presents a detailed overview of customizable security baselines in Azure Machine Configuration, explaining how to tailor industry security standards and automate server compliance workflows.
Overview
Azure Machine Configuration (formerly Azure Policy Guest Configuration) allows organizations to enforce and audit security and configuration policies across Azure and hybrid environments, including Azure Arc-enabled servers. With the Public Preview of customizable security baselines, users can now tailor these standards to meet their organization’s specific requirements.
Key Features
- Custom Security Baselines: Adapt industry standards like Center for Internet Security (CIS) benchmarks and Microsoft Azure Compute Security Baselines for both Windows Server and Linux.
- Policy-as-Code Integration: Export and manage baseline configurations as JSON artifacts, allowing version control and CI/CD integration.
- Real-Time Compliance Visibility: Assign baseline audit policies via Azure Policy and monitor results in Azure Policy, Azure Resource Graph, and Guest Assignments.
- Automation Support: Integrate baseline deployment into DevOps pipelines using Azure CLI, ARM templates, Bicep, and other common tools.
Implementation Steps
Prerequisites
- Deploy the Azure Machine Configuration prerequisite policy initiative to install necessary extensions.
- Ensure you have supported Windows or Linux VMs in your Azure subscription or management group.
- Grant Owner or Resource Policy Contributor permissions to create and assign policies.
How to Use
- Select a Baseline: In Azure Policy’s Machine Configuration tab, choose a relevant standard (CIS, Microsoft Baseline).
- Customize Settings: Use the Modify Settings wizard to enable, exclude, or parameterize rules, matching internal compliance needs.
- Export JSON Configuration: Download your custom baseline for repeatable deployments and integration.
- Policy Assignment: Assign the baseline policy through the Azure portal, CLI, or CI/CD.
- Monitor Compliance: Review near real-time compliance status and findings across Azure Policy, Resource Graph, and Guest Assignments.
Supported Standards
- CIS Linux Benchmarks: Official standards for Azure-endorsed Linux distributions.
- Azure Compute Security Baseline for Windows: Security controls for Windows Server 2022 and 2025.
- Azure Compute Security Baseline for Linux: Consistent controls for recommended Linux setups.
DevOps and Automation Integration
Custom baseline configurations can be integrated and automated through:
- Azure CLI
- ARM templates
- Bicep
- CI/CD pipelines
This approach ensures all compliance requirements are deployed, audited, and tracked programmatically at scale.
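As an added example (not code from the post or from Microsoft), the following Bicep template covers the Policy Assignment step above and the Bicep/CI-CD integration described here: it assigns the Machine Configuration prerequisite initiative and then the custom baseline audit policy at subscription scope. It assumes the exported baseline JSON has already been turned into a policy definition; both definition IDs are placeholders you supply after looking them up with `az policy set-definition list` and `az policy definition list`.

```bicep
// Added example, not from the original post. Assigns the Machine Configuration
// prerequisite initiative (deployIfNotExists, needs a managed identity) and then
// the custom baseline audit policy. Both definition IDs are assumptions: look
// them up with `az policy set-definition list` / `az policy definition list`.
targetScope = 'subscription'

@description('Resource ID of the Machine Configuration prerequisites initiative (placeholder).')
param prerequisitesInitiativeId string

@description('Resource ID of the policy definition built from the exported custom baseline JSON (placeholder).')
param baselinePolicyDefinitionId string

@description('Region used for the managed identity of the prerequisites assignment.')
param location string = 'eastus'

// Prerequisites: installs the Machine Configuration extension and identity on VMs.
// This is a deployIfNotExists assignment, so it needs its own system-assigned
// identity, which must later be granted the roles the initiative requires.
resource prereqAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'mc-prerequisites'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: 'Deploy Machine Configuration prerequisites'
    policyDefinitionId: prerequisitesInitiativeId
    enforcementMode: 'Default'
  }
}

// Custom baseline audit: audit-only, so no managed identity is required.
resource baselineAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'audit-custom-linux-baseline'
  properties: {
    displayName: 'Audit custom Linux security baseline'
    description: 'Custom CIS-derived baseline exported from the Modify Settings wizard.'
    policyDefinitionId: baselinePolicyDefinitionId
    enforcementMode: 'Default'
    nonComplianceMessages: [
      {
        message: 'Machine deviates from the custom Linux security baseline.'
      }
    ]
  }
  dependsOn: [
    prereqAssignment
  ]
}

// Principal to grant the initiative's required roles to (the portal does this
// automatically; a pipeline must add the role assignment explicitly).
output prerequisitesPrincipalId string = prereqAssignment.identity.principalId
```

Deploy with `az deployment sub create --location <region> --template-file <file>.bicep` and pass the two IDs as parameters; remediation of existing VMs still needs a remediation task for the prerequisites assignment.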
Availability
Customizable security baselines are available in all public Azure regions. Support for Azure Government and Sovereign Clouds will be added in future releases.
Learn More
- Azure Machine Configuration security baselines documentation
- CIS Benchmark for Linux documentation
- Azure Windows Baseline
- Azure Linux Baseline
Note: Using Azure Machine Configuration on Azure Arc-enabled servers incurs a charge.
Post by mutemwamasheke
Version 2.0 · Updated Nov 13, 2025
This post appeared first on “Microsoft Tech Community”.