Microsoft Azure Process for Penetration Testing

An Overview of Penetration Testing on Azure

Security assessment is an important part of application development and deployment. Microsoft conducts regular penetration testing to improve Azure security controls and processes. No one can start the penetration testing without letting know the Azure team (legally) but if you have started the penetration testing of your application deployed on Azure its much better that you create a ticket on the azure portal that you want to pen-test your application and infrastructure.

Microsoft has announced a policy for customers to carry out authorized penetration testing on their applications hosted in Azure. Because such testing can be indistinguishable from a real attack, it is critical that customers conduct penetration testing only after obtaining approval in advance from Azure Customer Support. Penetration testing must be conducted in accordance with the terms and conditions of Azure. Requests for penetration testing should be submitted with a minimum of 7-day advanced notice.

Penetration Test Approval Process:

1. Initiate Approval for Penetration Testing
2. Approval from Azure TeamOnce the form is submitted, the Azure Team will respond to the request within three (3) business days. In case any further information is required, the Azure Team will contact you by email using the information provided in the ‘Penetration Test Approval Form’. You can track the status of the request using the reference number you received when you submitted the request.
3. Test CompletionYou may only conduct those tests approved by the Azure Team and subject to any conditions specified in the approval email. In case you require additional time (or a different time) to carry out the testing, you must submit a new request for approval. The testing can only be carried out after authorization by the Azure Team for the new dates.

Penetration test terms and conditions

By submitting this form, you agree that the information you have provided is true and accurate and to the following terms and conditions:

1. You are the owner of the Azure subscription specified above and authorized to conduct penetration testing against that subscription.
2. Your testing will not target any other subscription or any other customer of Azure or other Microsoft service.
3. You will not conduct any Prohibited Tests (see below).
4. You will not conduct any tests that will exceed the bandwidth quota for your subscription (ask Customer Support if you are unsure).
5. You will conduct only those tests approved in the authorization email from Microsoft for the time and duration Microsoft specifies. You will abide by any other restrictions or conditions Microsoft specifies in the authorization email or any subsequent communication from Microsoft regarding these tests.
6. Your testing will be in accordance with the information you provide in this form, except where Microsoft specifies otherwise.
7. If during the course of your testing, you believe you have discovered a potential security flaw related to Azure or any other Microsoft service, you will report it to Microsoft within 24 hours by following the instructions at http://technet.microsoft.com/en-us/security/ff852094 and will not disclose this information publicly or to any third party for at least 90 days.
8. Your use of Azure, including this testing, will continue to be subject to the terms and conditions of the agreement(s) under which you purchased azure.
9. You are responsible for any damage to Azure or other Azure customers that are caused by failure to abide by this agreement.

Standard Tests

The following standard tests will be subject to expedited review:

• Tests on your endpoints to uncover OWASP top 10 web vulnerabilities
• Fuzz testing on your endpoints
• Port scanning on your endpoints

Prohibited Tests

You are prohibited from carrying out any type of Denial of Service tests, or any other tests that determine, demonstrate or simulate the existence of any type of Denial of Service (DoS).

Follow under given link to create a pen-test request:

Penetration Testing Request