Microsoft Azure - Baseline configuration

The Public Cloud team provisions every Azure account with the following baseline setup.

Access control

Definitions

  • Subscription Owner - the person listed in the account request form as owner
  • Subscription Technical Contact - the person listed in the account request form as the technical contact
  • Owner Role - an Azure built-in role that grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

Access

  • The Subscription Owner is the primary administrator for the Azure subscription and responsible for the subscription's maintenance and security.

  • The Subscription Owner is assigned the Owner Role which has full privileges to manage resources and assign roles, except Privileged Administrator-level roles.

  • The Subscription Owner and the Subscription Technical Contact are assigned the Owner Role for the subscription at the time of deployment.

  • If the people listed as the Subscription Owner or the Subscription Technical Contact need to be updated, notify the Public Cloud Team by sending an email to cloud-services@cio.wisc.edu

Security Configuration

  • All Azure subscriptions are deployed with the UW Madison security baseline. The baseline contains the following configurations, which may be updated as new security concerns arise.

Security Center

The Azure Security Center is enabled with the following configuration:
  • Data collection: On
  • Prevention policy:
    • System updates: On
    • OS vulnerabilities: On
    • Endpoint protection: On
    • Disk encryption: On
    • Network security groups: On
    • Web application firewall: On
    • Next generation firewall: On
    • Vulnerability Assessment: On
    • SQL auditing & Threat detection: On
    • SQL Encryption: On
  • Email notifications
    • Security contact emails
    • Phone number
    • Send me emails about alerts: On
    • Send email also to subscription owners: On

Default region

  • Central US
  • Central US should be used as the default region/location for operations that do not need a specific region.

Microsoft Defender for Cloud

  • Defender for Cloud is enabled in each subscription managed by the cloud team with the following plans enabled. The cost is a minimum of $5 a month, and increases as certain resources are created.
    • Cloud Security Posture Management (CSPM)
      • Foundational CSPM
      • Defender CSPM
  • All Defender plans are enabled except Defender for APIs.
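As an added illustration (not the Public Cloud Team's own deployment template), the following subscription-scope Bicep enables Defender for Cloud plans in the pattern described above: the listed plans on the paid Standard tier, Defender CSPM on (the Free tier of the same resource is Foundational CSPM), and Defender for APIs left on the Free tier. The plan names are Microsoft.Security/pricings resource names; the list here is illustrative rather than the authoritative current list, and the StorageAccounts subPlan value is assumed.

```bicep
// Added example, not the Public Cloud Team's template: enable Defender for Cloud
// plans at subscription scope, all on Standard except Defender for APIs.
targetScope = 'subscription'

// Plan names are Microsoft.Security/pricings resource names. Illustrative list;
// confirm against the current Azure documentation before deploying.
var standardPlans = [
  'CloudPosture'                  // Defender CSPM (Free tier = Foundational CSPM)
  'VirtualMachines'
  'SqlServers'
  'SqlServerVirtualMachines'
  'OpenSourceRelationalDatabases'
  'CosmosDbs'
  'AppServices'
  'KeyVaults'
  'Arm'
  'Containers'
]

// One pricing resource per plan, all set to the paid Standard tier.
resource plans 'Microsoft.Security/pricings@2023-01-01' = [for plan in standardPlans: {
  name: plan
  properties: {
    pricingTier: 'Standard'
  }
}]

// Storage uses the newer per-storage-account plan; the subPlan name is an
// assumption and should be checked before use.
resource storagePlan 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
  }
}

// Defender for APIs is the one plan the baseline leaves disabled.
resource apiPlan 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'Api'
  properties: {
    pricingTier: 'Free'
  }
}
```

A subscription-scope template like this is deployed with `az deployment sub create --location centralus --template-file defender-plans.bicep` (file name assumed); Central US matches the default region the baseline uses. Setting every plan explicitly, including the Free one, makes the desired state reviewable and repeatable across subscriptions.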

Cloud Security Benchmark

  • The Microsoft Cloud Security Benchmark is enabled to ensure compliance with best practices.

Budget alerts

  • Budgets are configured according to the values provided in the account request form.

  • Alerts are sent to the Owner, Technical Contact, and Financial Contact. These are the contacts listed on the account request form.

  • Notifications are triggered when spending reaches 25%, 50%, 75%, 90%, and 100% of the defined budget.
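As an added illustration (not the Public Cloud Team's own template), the following subscription-scope Bicep defines a monthly cost budget with the five alert thresholds listed above. The budget name, parameter names and the example contact addresses are constructed placeholders; the real amount and contacts come from the account request form.

```bicep
// Added example, not the Public Cloud Team's template: a monthly cost budget
// that alerts at 25%, 50%, 75%, 90% and 100% of actual spend.
targetScope = 'subscription'

@description('Monthly budget amount in USD, as given on the account request form')
param budgetAmount int

@description('First day of the budget period, YYYY-MM-01 (budgets start on the 1st)')
param startDate string

@description('Owner, Technical Contact and Financial Contact (constructed placeholders)')
param contactEmails array = [
  'owner@example.edu'
  'technical-contact@example.edu'
  'financial-contact@example.edu'
]

// Each notification fires on actual (not forecasted) spend once the stated
// percentage of budgetAmount has been reached.
resource monthlyBudget 'Microsoft.Consumption/budgets@2021-10-01' = {
  name: 'baseline-monthly-budget'   // hypothetical name
  properties: {
    category: 'Cost'
    amount: budgetAmount
    timeGrain: 'Monthly'
    timePeriod: {
      startDate: startDate          // endDate omitted: Azure defaults it
    }
    notifications: {
      spend25: {
        enabled: true
        operator: 'GreaterThanOrEqualTo'
        threshold: 25
        thresholdType: 'Actual'
        contactEmails: contactEmails
      }
      spend50: {
        enabled: true
        operator: 'GreaterThanOrEqualTo'
        threshold: 50
        thresholdType: 'Actual'
        contactEmails: contactEmails
      }
      spend75: {
        enabled: true
        operator: 'GreaterThanOrEqualTo'
        threshold: 75
        thresholdType: 'Actual'
        contactEmails: contactEmails
      }
      spend90: {
        enabled: true
        operator: 'GreaterThanOrEqualTo'
        threshold: 90
        thresholdType: 'Actual'
        contactEmails: contactEmails
      }
      spend100: {
        enabled: true
        operator: 'GreaterThanOrEqualTo'
        threshold: 100
        thresholdType: 'Actual'
        contactEmails: contactEmails
      }
    }
  }
}
```

Deploy with `az deployment sub create --location centralus --template-file budget.bicep --parameters budgetAmount=500 startDate=2026-04-01` (file name and values are examples). Because the budget is a declared resource, re-running the deployment after a contact or amount change updates the alerts in place rather than leaving stale notifications behind.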

Billing

  • Each Azure subscription is placed in the appropriate billing account based on the funding source or credits available from Microsoft.

  • Billing is processed monthly with a one-month lag.

  • All charges are billed to your DoIT Billing Customer ID Number.

Minimum monthly charges

  • Even if no resources are provisioned, each subscription will incur a minimum cost of $5/month for Microsoft Defender for Cloud.

If you have any questions, feedback or ideas, please Contact Us

Commonly Referenced Docs:

UW Madison Public Cloud Team Events
Online Learning Classes for Cloud Vendors
What Data Elements are allowed in the Public Cloud

Keywords:
Microsoft Azure Configuration baseline 
Doc ID:
156972
Owned by:
Femi O. in Public Cloud
Created:
2025-11-26
Updated:
2026-03-03
Sites:
Public Cloud