Microsoft Azure · 217 checks

VMs, disks, SQL, and subscription security in one Reader scan.

Azure has its own classic waste patterns: VMs stopped in the OS but never deallocated (still billing), managed disks orphaned by deleted VMs, over-replicated storage, and premium services left running in dev.

InfraSweep reads VMs/VMSS, disks, SQL, AKS, App Service, Cosmos, storage, Key Vault, and networking across your subscriptions with a Reader-only service principal, flagging both spend and subscription-level security posture, and even platforms facing retirement before the deadline bites.

Protecting nothing

An Azure DDoS Network Protection plan carries a flat monthly fee even with no virtual networks attached - so you may be paying the full fee for coverage you're not using.

Still billing

VMs stopped in the OS but not deallocated keep charging; we flag them to actually stop the meter.

Deadline

Retired-platform migrations (APIM stv1, Logic Apps ISE, Edgio CDN, classic App Insights) surfaced before they break.

What we scan on Azure

75 security checks

A representative sample of the 217 Azure checks, grouped by service domain. Cost waste and security risk are surfaced in the same read-only pass.

Compute & containers

VMs, VMSS, AKS, App Service, dedicated hosts, Batch.

VMs stopped but not deallocated

Stopped in the OS, still billing; deallocate to stop paying.

Oversized VMs & VMSS

Right-size candidates from real metrics.

AKS node right-sizing

Clusters provisioned beyond demand.

App Service & dedicated host waste

Plans and hosts running for trickle workloads.

Storage & database

Managed disks, storage accounts, SQL, Cosmos, Redis.

Unattached managed disks

Disks orphaned by deleted VMs, still billing.

Storage redundancy right-sizing

GRS/RA-GRS where LRS would do.

SQL Multi-region & elastic-pool fit

Geo-replicas and pools sized beyond need.

Cosmos DB RU over-provisioning

Throughput reserved far above consumption.

Network & long tail

Public IPs, DDoS plans, load balancers, retired platforms.

DDoS plan with no networks attached

A Network Protection plan billed a flat monthly fee in full, even when it protects no virtual networks.

Unattached public IPs

Static IPs pointing at nothing, billing monthly.

Retired-platform migrations

APIM stv1, Logic Apps ISE, Edgio CDN, classic App Insights.

Managed HSM in non-prod

A premium security appliance billing in dev/test.

Security & subscription posture

NSGs, Key Vault, role assignments, Defender, activity logs.

NSG exposure to the internet

Network security groups letting the world in.

Owner sprawl & custom-role risk

Over-broad role assignments across subscriptions.

Key Vault & secret hygiene

Access policy and rotation gaps.

Stale credentials & guest privileges

Identity risk via optional Graph reads.

How you connect

A Reader service principal

Register an app, assign the Reader role at subscription or management-group scope, and add the client secret in the dashboard.

Reader (read-only) over ARM. Optional graph/activity-log reads for deeper identity and exposure checks.

How the dollars are calculated

Live Azure VM pricing from the anonymous Retail Prices API, with a curated baseline fallback.

Every finding is backed by the raw cloud API response it came from, with a confidence score and the pricing source labelled, no black-box numbers.

Scan your Azure estate free

Connect a reader service principal and run a read-only scan. Findings come priced in real dollars with a fix and the evidence for each.

Start scanning free

Other clouds we scan