Penetration testing of your service hosted in Azure



Imagine you have completed your application (service) and want to host it in the Azure cloud. Finally, you decide to run a penetration test against it. This is a good idea, but while you are testing, Microsoft might decide to block the source of your penetration test and put you on the blacklist. To avoid this, Microsoft has published a clear rule set that explains how to do this.

The set of rules defines its scope as the following services:

  • Azure Active Directory
  • Microsoft Intune
  • Microsoft Azure
  • Microsoft Dynamics 365
  • Microsoft Account
  • Office 365
  • Azure DevOps

As of June 15, 2017, Microsoft no longer requires pre-approval to conduct a penetration test against Azure resources.

Customers who wish to formally document upcoming penetration testing engagements against Microsoft Azure are encouraged to fill out the Azure Service Penetration Testing Notification form. This process is only related to Microsoft Azure, and not applicable to any other Microsoft Cloud Service.

Penetration Testing Notification Form: https://portal.msrc.microsoft.com/en-us/engage/pentest