AZCheck
READ-ONLY · BROWSER-ONLY · NO INSTALL

Audit your Azure resources
in five minutes flat.

Paste a Cloud Shell token, choose a resource group, and export a structured Excel audit of its resources, configuration, and compliance gaps. No install, no app registration, no write-back to Azure.

Start audit See how it works
No sign-up · Uses your existing Azure permissions
Read-only — never writes to Azure Excel export, mid-audit OK
Early Access
You're in early access — AZCheck is free while we build. There will always be a free plan. See what's coming →

How it works

Five guided steps. No app to install, no service principal to register, no IT ticket required.

  1. 01

    Get your token

    Run one Azure Cloud Shell command and paste the output.

    ~1 min
  2. 02

    Pick subscription

    We list every subscription your account can read.

    ~30 sec
  3. 03

    Resource group

    Enter the resource group name — we validate and count what's inside.

    ~30 sec
  4. 04

    Choose resources

    Grouped by type. Select one, several, or everything.

    ~1 min
  5. 05

    Audit + export

    Live results stream in. Export to Excel any time.

    1–3 min

Built for security and platform teams

Two audit modes, an Excel-native report format, and zero attack surface in your tenant.

Discovery Mode · Compliance Mode

Discovery gives you a full inventory snapshot — every resource and its current configuration. Compliance mode evaluates each resource against structured policy checks mapped to CIS, MCSB, NZISM, and PCI-DSS, and flags drifts and gaps with plain-language remediation.

Excel-native output

Reports drop into Excel with proper styling, frozen headers, and conditional formatting. No CSV-to-spreadsheet wrangling for downstream stakeholders.

Zero tenant footprint

No app registration, no service principal, no agent. Authentication uses your existing Azure identity via a short-lived Cloud Shell token.

Policy Engine

Audits that explain themselves.

AZCheck evaluates your Azure environment against CIS, MCSB, NZISM, and PCI-DSS — simultaneously. One finding per issue. Multiple framework citations. Plain language. Exact steps to fix it in the tool you already use.

CIS AZURE v2.1
Center for Internet Security
CIS Benchmarks · 110 controls
MCSB v1
Microsoft Cloud Security
Microsoft · 180 controls
NZISM v3.7
NZ Information Security
GCSB · New Zealand · 330+ controls
PCI-DSS v4.0.1
Payment Card Industry
PCI SSC · 200 controls
HTTP traffic allowed on stprodapp001
Data in transit is unencrypted. An attacker on the same network can intercept or modify requests without detection.
CIS 3.1 NS-3 17.1.51
TLS 1.2 enforced — upgrade to 1.3 available
Compliant. TLS 1.2 meets current requirements. TLS 1.3 eliminates legacy cipher suites at no extra cost.
CIS 3.2 NS-3
Public blob access disabled
Anonymous users cannot read blobs without credentials. Most common Azure storage exposure class eliminated.
CIS 3.5 PA-7
?
Infrastructure encryption — org stance required
Whether double-encryption at rest is required depends on your organisation's risk posture. Declare your stance to evaluate this check.
CIS 3.3 17.1.46
One finding · Multiple frameworks
Without deduplication
HTTPS not enforced (CIS finding)
CIS 3.1
Secure transfer required (MCSB finding)
NS-3
Encrypted comms (NZISM finding)
17.1.51
Three findings. One fix. This is noise.
AZCheck — deduplicated
HTTP traffic allowed on stprodapp001
CIS 3.1 NS-3 17.1.51
az storage account update --https-only true
One finding. Three citations. One fix. All gaps closed.
See how the policy engine works →
Open source
AZCheck Core is free and open source — forever.
The core audit engine — a single HTML file — is published on GitHub under the Business Source License. Download it, self-host it, run it from your desktop. No sign-up, no cloud account, no strings. The hosted product builds a full governance workflow on the same foundation. See what's included in each →
View on GitHub
lensory-labs/azcheck-core

The core is free. The cloud adds more.

AZCheck Core is a genuinely powerful standalone tool. The cloud product builds a full workflow on top — for teams that need history, scheduling, and collaboration.

Open source
AZCheck Core
github.com/lensory-labs/azcheck-core
Single resource group audit
Generic resource support
Specialised resource logic
Discovery Mode
Excel, CSV & JSON export
Live streaming results grid
Azure identity (Cloud Shell token)
Compliance audit mode
Multiple resource groups
Team workspaces & sharing
Audit history & diff view
Scheduled recurring audits
Policy management & baselines
Free, forever
A single HTML file. Download and run from anywhere — no server, no install, no account.
View on GitHub
Cloud product · Early Access
AZCheck
azcheck.dev — hosted, no setup
Single resource group audit
Generic resource support
Specialised resource logic — 15+ resource types (and growing)
Discovery Mode — Live
Excel, CSV & JSON export
Live streaming results grid
Azure identity (Cloud Shell token)
Compliance audit mode — CIS, MCSB, NZISM, PCI-DSS
soon
Multiple resource groups
soon
Team workspaces & sharing
soon
Audit history & diff view
soon
Scheduled recurring audits
soon
Policy management & baselines
Free
while in Early Access
✓ No credit card required
✓ A free tier will always exist after launch
✓ Founding users get first access to paid plans
Start free audit →
Stay in the loop
Get notified when new features ship
Compliance mode, scheduled audits, team workspaces — drop your email and we'll let you know when they land. No spam, just release notes.
No spam · Just release notes · Unsubscribe any time
✓ You're on the list. We'll be in touch.

The report is the product.

Fully styled workbooks — README, Audit Data, Errors, Summary. Shareable in Teams, attachable to tickets, openable in Excel on day one.

Privacy by design

If your security review asks where the data goes — the honest answer is "nowhere." Here's why.

Token never leaves your browser

Your Azure access token is held in JavaScript memory only — never written to localStorage, never sent to any server other than the official Azure Resource Manager API at management.azure.com.

Read-only by construction

AZCheck is designed to operate read-only and issues only GET requests to Azure Resource Manager. Your Azure RBAC enforces this server-side independently.

No backend, no telemetry

The Excel report is generated client-side using a JavaScript library. Audit results are not sent to AZCheck servers. Closing the tab clears all session data.

Your existing permissions apply

Reader role on the resource group is sufficient. The audit fetches the same configuration data you can already view in the Azure Portal — nothing more, nothing less.

Frequently asked questions

Quick answers to the things security and platform teams usually ask first.

Does this tool write anything to my Azure tenant?
AZCheck is designed to be read-only and issues only GET requests to Azure Resource Manager. Your existing Azure RBAC permissions enforce this independently server-side.
Where is my access token stored?
Your token is kept in browser memory for the duration of the tab — not intentionally persisted to disk or sent to any server other than Azure Resource Manager. Closing the tab clears it.
Do I need to register an Azure app or service principal?
No. You authenticate by pasting an access token from Azure Cloud Shell, which uses your existing identity. Nothing needs to be registered, granted, or installed in your tenant.
What permissions do I need?
Reader role on the resource group you want to audit is sufficient. The audit fetches the same configuration data you can already see in the Azure Portal.
How long does an audit take?
Most resource groups complete in 1–3 minutes. Results stream in live as each resource is fetched, and you can export to Excel at any point — even mid-audit.
What's the difference between AZCheck and AZCheck Core?
AZCheck Core is the open source tool on GitHub — a single HTML file you can download and run from anywhere, free forever. AZCheck at azcheck.dev is the hosted cloud product, currently in Early Access. Both do a complete resource group audit. The hosted product is evolving toward scheduled audits, team workspaces, audit history, and policy management.
What happens when Early Access ends?
There will always be a free tier — that's a commitment, not a footnote. Founding users (people using AZCheck during Early Access) will be offered the best available rate before public pricing is announced. No surprise paywalls, no bait-and-switch.

Run your first Azure audit now.

No install, no sign-up, no app registration. Or grab the open source version and run it yourself.

Start audit Download Core from GitHub