# Azure Policies

**Azure / Entra ID Policies define security controls and assessment rules tailored for cloud-based identity environments.**

These policies focus on analyzing identity-related risks, role assignments, authentication configurations, and access control mechanisms within Azure and Entra ID.

By using Azure-specific policies, FSProtect helps identify privilege misuse, risky identity configurations, and exposure points in modern cloud identity infrastructures.

### Edit Scan Policy (Azure / Entra ID)

**This section allows users to configure scan settings specific to Azure / Entra ID environments, including enabled modules, exclusions, and scan options.**

<figure><img src="/files/nUOxNCJRX0RXHoQ4lBIt" alt=""><figcaption><p>Azure Scan Policy Settings</p></figcaption></figure>

#### Vulnerability Policies and Tiering (Azure / Entra ID)

This section defines vulnerability policies and tiering configurations specific to Azure / Entra ID environments.\
Vulnerability policies determine which Azure-specific security checks are executed during the scan, while tiering helps identify critical cloud identities and roles based on their potential security impact.

### Azure Scan Modules

**Azure Assessment:** This module enables users to identify and evaluate vulnerabilities, misconfigurations, and security risks within their Azure environment, including Azure AD (Entra ID), resources, roles, and permissions. It provides deep visibility into the cloud configuration and the access relationships across subscriptions and tenants. Because it is the core component of the engine for cloud-based assessments, this module is mandatory and cannot be disabled. When it is the only module enabled in the scan policy, the engine communicates solely with Azure services and APIs and does not interact with on-premises infrastructure.

#### Tier 0 Assets (Azure / Entra ID)

Tier 0 Assets settings allow users to designate critical Azure and Entra ID identities as privileged.\
Selected Azure users, groups, service principals, and roles are treated as high-impact identities and are prioritized during privilege exposure and attack path analysis.\
Identities marked as Tier 0 Assets represent potential tenant-level compromise if misused or exposed.

<figure><img src="/files/nK3nmroJfBm0VWTm7xAf" alt=""><figcaption><p>Adding Tier 0 Assets</p></figcaption></figure>
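The following is an added illustration of the idea behind Tier 0 tiering; it is not FSProtect's own code and does not reflect how the product implements its analysis. It assumes a small, constructed Entra ID-style graph (users, groups, a service principal and directory roles joined by membership and ownership edges) and an operator-designated Tier 0 set. Everything that can reach a Tier 0 asset is reported as effectively Tier 0, which is the kind of undeclared exposure a tiering-aware scan prioritises.

```python
"""Added example (not FSProtect's code): tiering-aware exposure analysis over a
small, constructed Entra ID-style identity graph.

Edge semantics assumed for the example:
  member_of  -> source is a member of a group, or holds a directory role
  owner_of   -> source owns the target (can add members to a group, or add
                credentials to a service principal) and so can act as it
"""
from collections import deque

# Constructed sample objects keyed by display name -> object type.
OBJECTS = {
    "Global Administrator": "role",
    "Privileged Role Administrator": "role",
    "User Administrator": "role",
    "Helpdesk Team": "group",
    "Cloud Admins": "group",
    "alice": "user",
    "bob": "user",
    "carol": "user",
    "ci-pipeline-sp": "serviceprincipal",
}

# Constructed relationships: (source, relationship, target).
EDGES = [
    ("alice", "member_of", "Cloud Admins"),
    ("Cloud Admins", "member_of", "Global Administrator"),  # role-assignable group
    ("bob", "owner_of", "Cloud Admins"),                    # owner can add members
    ("carol", "member_of", "Helpdesk Team"),
    ("Helpdesk Team", "member_of", "User Administrator"),
    ("ci-pipeline-sp", "member_of", "Privileged Role Administrator"),
    ("carol", "owner_of", "ci-pipeline-sp"),                # owner can add credentials
]

# Operator-designated Tier 0 assets (what the "Tier 0 Assets" setting captures).
TIER0 = {"Global Administrator", "Privileged Role Administrator"}


def reverse_adjacency(edges):
    """Map each node to the set of nodes that have an edge *into* it."""
    rev = {}
    for src, _rel, dst in edges:
        rev.setdefault(dst, set()).add(src)
    return rev


def effective_tier0(edges, tier0):
    """Return every node that can reach a designated Tier 0 asset.

    Walks edges backwards from each Tier 0 node (BFS), so transitive paths
    such as user -> group -> role or owner -> SP -> role are included.
    """
    rev = reverse_adjacency(edges)
    reach = set(tier0)
    queue = deque(tier0)
    while queue:
        node = queue.popleft()
        for parent in rev.get(node, ()):
            if parent not in reach:
                reach.add(parent)
                queue.append(parent)
    return reach


def exposure_report(objects, edges, tier0):
    """List (name, type) for identities that are effectively Tier 0 but were
    not designated as such: each is an undeclared path to tenant-level control."""
    effective = effective_tier0(edges, tier0)
    undeclared = sorted(effective - set(tier0))
    return [(name, objects.get(name, "unknown")) for name in undeclared]


def attack_path_to_tier0(edges, tier0, start):
    """Return one shortest path from `start` to any Tier 0 asset, or None."""
    fwd = {}
    for src, rel, dst in edges:
        fwd.setdefault(src, []).append((rel, dst))
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node in tier0:
            return path
        for rel, nxt in fwd.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [f"--{rel}-->", nxt]))
    return None


if __name__ == "__main__":
    for name, kind in exposure_report(OBJECTS, EDGES, TIER0):
        path = attack_path_to_tier0(EDGES, TIER0, name)
        print(f"[Tier 0 exposure] {kind} {name}: {' '.join(path)}")
```

On the constructed data the report flags the role-assignable group, its two members, the group owner, the service principal holding Privileged Role Administrator, and that service principal's owner, while the Helpdesk Team and User Administrator stay outside Tier 0 because nothing in the designated set is reachable from them. Widening or narrowing the `TIER0` set is exactly the lever the "Tier 0 Assets" setting gives the operator.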


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.forestall.io/fsprotect/scans/policies/azure-policies.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
