baref00t.io

Cloud Security Benchmark v2 Assessment

Microsoft MCSB v2 | Global

Assess your Azure and Microsoft 365 environment against the Microsoft Cloud Security Benchmark v2 — 14 control domains covering Identity, Network, Data, AI, and DevOps security.

Optional — full coverage

One optional step unlocks deeper coverage

These steps are optional. The assessment runs either way — if you don’t grant the access below, the related controls simply report “Not Assessed”. Grant it and baref00t assesses them too.

  • Azure Security Reader role — recommended (read-only)

    Optional

    About a third of the Microsoft Cloud Security Benchmark covers Azure resources — Defender for Cloud, network security, data-service encryption, Key Vault. These live in Azure Resource Manager, NOT Microsoft Graph, so Entra admin consent does not reach them. Because this access is fully READ-ONLY (the Security Reader role cannot change anything), we recommend granting it so the assessment is complete. Grant it and baref00t assesses the Azure controls; skip it and they report "Not Assessed" (never failed or faked) — the Graph-based controls run regardless.

    Assign the built-in read-only "Security Reader" role to the baref00t MCSB application at each subscription you want assessed (Azure portal → Subscription → Access control (IAM) → Add role assignment → Security Reader → select the baref00t MCSB service principal), or run the Azure CLI below per subscription. This is read-only — Security Reader cannot change any resource. You can remove it any time.

    az role assignment create \
      --assignee "<baref00t-mcsb-app-id>" \
      --role "Security Reader" \
      --scope "/subscriptions/<subscription-id>"
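
An added example, not baref00t's own tooling: a POSIX shell check that the grant described above is exactly what was intended. For each subscription it reports whether the app holds Security Reader and flags any other role it holds. The result labels (OK, MISSING, EXCESS, INVALID, ERROR) and the argument order are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the roles a third-party assessment app holds.
# Usage (after `az login`): sh audit.sh <app-id> <subscription-id>...
# The app ID and subscription IDs are operator-supplied placeholders.

# True when the argument has GUID shape (subscription IDs are GUIDs).
is_guid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Role names the app holds at the subscription scope, including assignments
# inherited from parent scopes, one per line. Assignments made only at
# narrower scopes (resource groups, resources) are not listed by this call.
roles_for() {
  az role assignment list --assignee "$1" --scope "/subscriptions/$2" \
    --include-inherited --query "[].roleDefinitionName" -o tsv
}

# Prints one of OK, MISSING, EXCESS:<roles>, INVALID, ERROR.
audit_subscription() {
  is_guid "$2" || { echo "INVALID"; return 2; }
  roles=$(roles_for "$1" "$2") || { echo "ERROR"; return 3; }
  # Anything other than Security Reader is more than the assessment needs.
  extra=$(printf '%s\n' "$roles" | grep -vx 'Security Reader' |
    grep . | sort -u | paste -sd, -)
  if [ -n "$extra" ]; then echo "EXCESS:$extra"; return 1; fi
  if printf '%s\n' "$roles" | grep -qx 'Security Reader'; then
    echo "OK"; return 0
  fi
  # No assignment: the Azure controls would report "Not Assessed".
  echo "MISSING"; return 1
}

if [ "$#" -ge 2 ]; then
  app="$1"; shift
  for sub in "$@"; do
    printf '%s\t%s\n' "$sub" "$(audit_subscription "$app" "$sub")"
  done
fi
```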

One-off
$399

Single report, no commitment.

Monthly
$199/month

Continuous monitoring — fresh report every 30 days.

Available in AUD, USD, GBP, EUR, SGD. MSP partners get volume discounts via the partner programme.

What it scores

  • MCSB1: 14 domains (Identity, Network, Logging, Data, DevOps, AI + more)
  • MCSB2: Azure Secure Score and Defender for Cloud integration
  • MCSB3: Conditional Access, PIM, and MFA gap analysis
  • MCSB4: Maps to ISO 27001, NIST CSF v2, SOC 2, PCI-DSS v4
  • MCSB5: JSON and CSV exports for integration into your GRC tool
  • MCSB6: MCSB v2 preview controls (AI security and DevOps)

Microsoft APIs

  • Microsoft Graph (universal scopes, read-only across the tenant)
  • Azure REST (when the product reads Azure subscription posture)
  • Defender + Intune APIs where applicable

Customer prerequisites

  • Microsoft 365 tenant with admin-consent capability
  • Global Reader or equivalent for the consenting admin
  • No agent installs, no infrastructure changes required
  • Report delivered by email within 10 minutes of consent