This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.
It is meant as quick reference material for day-to-day use of the product.
Google Cloud Platform
Are there any plans to list specific software on GCP Marketplace?
Not at this time, but we are open to feedback on the topic if you think we should.
Feel free to provide more context.
GCP suggested services and configurations
- Services: Google Firestore, Google Cloud Storage, Google Compute Engine, Cloud KMS.
- Configurations: Bucket Lock, Audit Logging.
How can I view the enabled Google Cloud APIs for an existing project on GCP?
There are three ways to verify which APIs are enabled in your Google Cloud project:
Google Cloud Console: Sign in and select your project, then navigate to Menu (☰) → APIs & Services → Enabled APIs & Services to view all enabled APIs. You can also use the search bar to find a specific API.
gcloud CLI: Run gcloud services list --enabled --project=PROJECT_ID to list enabled APIs, or replace --enabled with --available to see all available APIs.
REST API: Use the Service Usage API to retrieve enabled services:
GET https://serviceusage.googleapis.com/v1/projects/PROJECT_NUMBER/services?filter=state:ENABLED
This requires OAuth 2.0 authentication.
Required Permissions: You'll need one of the following IAM roles: Viewer, Editor, Owner, or Service Usage Viewer. If you don't have access, contact your project administrator.
Note: API enablement is project-specific and does not automatically apply to other projects within your organization.
If you need further assistance, please don't hesitate to reach out to our support team!
How can one restrict service account privileges within an in-scope project on Google Cloud Platform (GCP)?
Service accounts in in-scope projects should follow the principle of least privilege — they must not have administrative, owner, or write permissions, and should be limited to read-only access.
How to pass this test:
Log into the Google Cloud Platform Console.
From the left navigation panel, go to IAM & Admin → Service Accounts.
Select the relevant service account and open the Permissions tab.
Review all principals with access.
Revoke any admin, owner, or write roles, and ensure only necessary read-level roles remain.
To adjust a principal’s roles:
Find the principal in the list.
Click Edit principal.
Remove unwanted roles and add the appropriate read-only role.
[Manage access to service accounts](https://cloud.google.com/iam/docs/manage-access-service-accounts)
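As an added example that is not part of this article or of Google's tooling, the Python script below performs the same review as the steps above, but against the project-level IAM policy: it lists every service account that holds an owner, admin or write-capable role, so only read-level bindings remain. It assumes the JSON shape printed by gcloud projects get-iam-policy PROJECT_ID --format=json; the embedded policy is a constructed sample, and the role classification is a naming heuristic, so custom roles are reported for manual review rather than judged. It goes slightly beyond the page by also flagging bindings left behind for deleted service accounts.

```python
"""Audit a GCP project IAM policy for service accounts that hold admin/write roles.

Added example, not Secureframe's or Google's code. Input is the JSON printed by
`gcloud projects get-iam-policy PROJECT_ID --format=json`; when no file is given
the constructed SAMPLE_POLICY below is used instead.
"""
import json
import re
import sys

# Sort order for findings (lower = more urgent).
SEVERITY = {"admin": 0, "write": 1, "stale": 2, "review": 3}


def classify_role(role):
    """Classify an IAM role as admin, write, read, or review (needs manual check).

    This is a naming heuristic over Google's predefined roles. Custom roles
    (projects/.../roles/... or organizations/.../roles/...) are always 'review'
    because only their permission list says what they grant.
    """
    if role == "roles/owner":
        return "admin"
    if role == "roles/editor":
        return "write"
    if not role.startswith("roles/"):
        return "review"
    # Use the last segment of names such as roles/storage.objectViewer.
    name = role.rsplit(".", 1)[-1] if "." in role else role[len("roles/"):]
    if re.search(r"admin$", name, re.IGNORECASE):
        return "admin"
    # serviceAccountUser / serviceAccountTokenCreator allow impersonation,
    # so they are treated as write-level even though they are not "editor".
    if re.search(r"(editor|creator|writer|owner|user)$", name, re.IGNORECASE):
        return "write"
    if re.search(r"(viewer|reader)$", name, re.IGNORECASE):
        return "read"
    return "review"


def audit_policy(policy):
    """Return findings for service-account members whose role is not read-only."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        level = classify_role(role)
        conditional = "condition" in binding  # conditional bindings still need review
        for member in binding.get("members", []):
            if member.startswith("deleted:serviceAccount:"):
                # Binding to a deleted account grants nothing but should be cleaned up.
                findings.append({"member": member, "role": role,
                                 "level": "stale", "conditional": conditional})
                continue
            if not member.startswith("serviceAccount:"):
                continue  # users and groups are outside this check
            if level == "read":
                continue
            findings.append({"member": member, "role": role,
                             "level": level, "conditional": conditional})
    return sorted(findings, key=lambda f: (SEVERITY[f["level"]], f["member"]))


# Constructed sample policy; the project and account names are placeholders.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:backup@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer",
         "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
        {"role": "projects/example-project/roles/customDeployer",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["deleted:serviceAccount:old@example-project.iam.gserviceaccount.com?uid=123"]},
    ],
}


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    for f in audit_policy(policy):
        flag = " (conditional)" if f["conditional"] else ""
        print(f"[{f['level'].upper():6}] {f['member']} -> {f['role']}{flag}")


if __name__ == "__main__":
    main()
```

Run it with the policy file as the only argument; every line printed is a binding to revoke or replace with a read-level role in the Edit principal dialog described above, and REVIEW lines are custom roles whose permissions you must inspect yourself.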
How does Secureframe determine which GCP projects to include in testing?
Secureframe evaluates only the GCP projects/resources that are considered “in-scope” in Secureframe.
By default, everything is in scope unless a project/resource has been explicitly marked out of scope via:
Manual scoping (a user explicitly marks an asset out of scope), or
An automated asset scope rule that excludes it, or
Other scoping mechanisms that mark the asset as not in scope for any framework.
If a project isn’t in scope for any framework, it won’t appear as being evaluated in framework-driven tests.
What might cause some GCP projects to be excluded from tests (even though they’re connected)?
The most common cause is scoping, not connectivity. Projects can be excluded when:
Manually scoped out by a user (intentional or accidental).
Excluded by an automated scoping rule (e.g., rules that exclude by name, tag, environment, org/unit, etc.).
Not marked in scope for any framework (so Secureframe treats it as out of scope for testing).
Historical/backfill edge case (rare): scoping rules once required backfilling, so a project that shows as “not in scope by default” may warrant investigation; in this case, however, we have evidence of manual scoping.
Microsoft Azure
Are Azure Defender and Microsoft Defender for Cloud the same thing?
- Yes, Azure Defender and Microsoft Defender for Cloud are now the same. Microsoft Defender for Cloud encompasses the security features of Azure Defender.
How do I complete the Secureframe test for SQL instance availability zones scaling on Azure?
Ensure that all database instances are configured with high availability by enabling a replica in a secondary Availability Zone. This setup helps protect against zone-level failures by ensuring that, if the primary zone becomes unavailable, the database can automatically fail over to a healthy replica in another zone.
For cloud environments like Azure, this typically means:
Using services that support zone redundancy, such as Azure SQL Database in the Business Critical tier or SQL Managed Instance with zone-redundant configuration.
For self-managed SQL instances (e.g., SQL Server on VMs), implement Availability Groups with replicas distributed across multiple zones.
Document and provide evidence (e.g., configuration screenshots or infrastructure code) showing that a secondary zone replica is enabled and actively maintained.
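As an added example that is not part of this article or of Microsoft's tooling, the Python script below turns the configuration check into collectable evidence: it reads the JSON list printed by az sql db list --resource-group RG --server SERVER -o json (and, for managed instances, az sql mi list -o json), skips the master system database, and reports which resources lack a zone-redundant replica. The field names name, zoneRedundant and sku.tier are assumed from that CLI output, the records embedded below are constructed samples, and the az sql db update --zone-redundant true hint in the remediation text should be confirmed against the current CLI reference for your tier and region.

```python
"""Summarise Azure SQL zone-redundancy status as evidence for the HA test.

Added example, not Secureframe's or Microsoft's code. Input is the JSON list
printed by `az sql db list ... -o json` or `az sql mi list -o json`; the field
names (name, zoneRedundant, sku.tier) are assumed from that output and the
sample records below are constructed.
"""
import json
import sys

SYSTEM_DATABASES = {"master"}  # system database on a logical server, not user data


def check_zone_redundancy(resources, kind="database"):
    """Return one result per resource with its zone-redundancy status and a hint.

    kind is "database" for `az sql db list` output or "instance" for
    `az sql mi list` output; both carry a top-level zoneRedundant flag.
    """
    results = []
    for r in resources:
        name = r.get("name", "<unnamed>")
        if kind == "database" and name in SYSTEM_DATABASES:
            continue
        tier = (r.get("sku") or {}).get("tier", "unknown")
        zone_redundant = bool(r.get("zoneRedundant", False))
        if zone_redundant:
            hint = "ok: replica maintained in a secondary availability zone"
        elif kind == "database":
            # Assumed CLI flag; verify against the current az sql db update reference.
            hint = (f"zone redundancy is off (tier {tier}); enable with "
                    "az sql db update --zone-redundant true once the tier/region supports it")
        else:
            hint = (f"zone redundancy is off (tier {tier}); enable it on the "
                    "managed instance or move to a tier that supports it")
        results.append({"name": name, "kind": kind, "tier": tier,
                        "zone_redundant": zone_redundant, "hint": hint})
    return results


def evidence_summary(results):
    """Aggregate results into the pass/fail view an auditor would want."""
    total = len(results)
    compliant = sum(1 for r in results if r["zone_redundant"])
    return {
        "total": total,
        "compliant": compliant,
        "non_compliant": [r["name"] for r in results if not r["zone_redundant"]],
        "passes": total > 0 and compliant == total,
    }


# Constructed samples; names and SKUs are placeholders, not a real subscription.
SAMPLE_DATABASES = [
    {"name": "master", "zoneRedundant": False, "sku": {"name": "System", "tier": "System"}},
    {"name": "orders", "zoneRedundant": True,
     "sku": {"name": "BC_Gen5", "tier": "BusinessCritical"}},
    {"name": "reporting", "zoneRedundant": False,
     "sku": {"name": "GP_Gen5", "tier": "GeneralPurpose"}},
]
SAMPLE_INSTANCES = [
    {"name": "mi-prod", "zoneRedundant": True,
     "sku": {"name": "BC_Gen5", "tier": "BusinessCritical"}},
]


def main():
    # Usage: python check_zr.py [database|instance] [az-output.json]
    kind = sys.argv[1] if len(sys.argv) > 1 else "database"
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            resources = json.load(fh)
    else:
        resources = SAMPLE_DATABASES if kind == "database" else SAMPLE_INSTANCES
    results = check_zone_redundancy(resources, kind)
    for r in results:
        status = "PASS" if r["zone_redundant"] else "FAIL"
        print(f"[{status}] {r['kind']} {r['name']} ({r['tier']}): {r['hint']}")
    summary = evidence_summary(results)
    print(json.dumps(summary, indent=2))
    sys.exit(0 if summary["passes"] else 1)


if __name__ == "__main__":
    main()
```

The printed table plus the JSON summary, saved alongside the raw az output, is the kind of configuration evidence the last step above asks for; a non-zero exit code makes the check usable in a scheduled job so drift is caught before the next evidence request.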
How should mutable files in Blob containers be handled in relation to the "Blob container data restrictions" test in Azure?
- Yes, evidence links are compatible with Google Drive as long as the sharing settings are configured to “Anyone with the link.”
If we connect our government Azure account to Secureframe Enclave, will the platform detect and display our existing virtual desktops?
Not currently. Enclave only shows the new virtual desktops (VDs) that are provisioned through its workflow. It operates independently from any VDs you have already configured — so nothing in your existing environment is modified or interfered with.
However, if you configure the Azure integration, we will import that infrastructure into your Asset Inventory and apply automated compliance tests to it. Those assets will appear in inventory, but the existing VDs won’t show in the Enclave VD list.
Securely adopting existing virtual desktops is something the product team is evaluating, but it’s complex and may require design partners due to variations in customer configurations and CUI considerations.
If we update a patching control (e.g., onboarding NinjaOne or switching to Azure VDs) after our Level 2 certification, does that trigger a new C3PAO assessment?
- Not necessarily. Scope changes that simplify or reduce your CUI environment generally don't require involving a C3PAO or triggering a new full assessment. Adding tools like NinjaOne for patch management or moving to a VDI solution typically fall into this category, as they make the environment more controlled rather than expanding it.
Where you'd need to loop in a C3PAO is if you're expanding scope significantly — for example, adding an entirely new product line or service that introduces new CUI flows. The most important thing is that you remain in compliance with the assessment objectives throughout the transition. We'd recommend maintaining versioned SSPs — one reflecting your pre-change environment and one post-change — to create a clear audit trail if questions arise later.
Suggested Azure services & configurations
- Services: Azure AD, Blob Storage, Azure Defender, Azure Key Vault.
- Configurations: MFA, Microsoft 365 group creation restriction, security groups.
What are VM availability sets in Azure?
- Azure VM Availability Sets are a feature that helps keep your virtual machines highly available during planned or unplanned outages. They work by grouping your VMs across separate physical hardware, power sources, and network switches so that if one fails, your other VMs stay up and running. If you have any questions about this test in Secureframe or need help getting it to pass, feel free to reach out and we are happy to help!
What is Azure Blob Storage?
- Azure Blob Storage is a scalable object storage solution for the cloud, optimized for storing large amounts of unstructured data, similar to AWS S3.
What is Azure Defender?
- Azure Defender is Microsoft's cloud security service that includes tools for internal vulnerability scanning, anti-virus/malware protection, threat detection, security alerts, SIEM, DNS, and more, providing comprehensive security for Azure environments.
What should I do if the token is expired for an Azure integration and I see an error saying the App ID is already in use when trying to reconnect?
It depends on what’s causing the issue:
If the error is simply due to an expired client secret (token), you do not need to archive the integration. You can resolve this by:
Navigating to the Azure app.
Clicking the blue link next to Client credentials.
Going to the Client secrets tab.
Creating a new secret, setting it to expire in 730 days (24 months), and pasting the secret value back into the setup flow in Secureframe.
If you receive an error that the App ID is already in use, this means the application registration is still tied to a previous configuration. In that case, you will need to archive the existing integration and re-add it from scratch to clear the App ID association.
Where can I find the “Security” tab under Repositories in Azure DevOps?
To locate the Security settings for a specific repository in Azure DevOps:
Go to Azure DevOps and log in.
Navigate to your Project.
In the left-hand menu, select Repos > Files.
Choose the repository you want to manage.
Click the ellipsis (⋯) in the upper-right corner and select Manage repository.
In the side panel, click on Security.
This is where you can view and manage read permissions and other security-related settings.
For more details on integrating Azure DevOps with Secureframe, refer to our [Azure DevOps](https://support.secureframe.com/hc/en-us/articles/5056157743891-Azure-DevOps) integration guide.
Additional cloud providers
We’re seeing a result on the “Service account privilege restriction for inter-project (GCP)” test. The service account was created automatically by Firebase, and it generates tokens for our app. We cannot disable it without breaking the app, but we’ve limited its abilities. Can we ignore this result or disable the test?
- Yes. If the service account is required for application functionality (e.g., created automatically by Firebase), you can ignore the test result with the justification you’ve provided. Be sure to document why the account is necessary and the compensating controls you’ve applied (such as limiting its permissions) to demonstrate awareness and risk mitigation.
We connected Cloudflare and some SOC 2 tests pass, but we do not see Cloudflare in Asset Inventory and cannot tell if our app or domain is covered. Is something wrong with the connection?
- Usually not. The integration focuses on account-level settings (for example security-related zone settings and account or user information), not on listing every Cloudflare product as separate “infrastructure” assets. Things like Cloudflare Pages projects or a specific production URL are often not shown as inventory items. If tests that apply to your frameworks are passing, the connection is typically working as designed for what that integration measures today.
Datadog and our cloud providers are set up, but the monitoring dashboards test still says no cloud infrastructure is being tracked, and evidence looks empty. What should we check first?
- Confirm that your cloud resources are in scope and mapped to every framework that test applies to. A resource can exist in Secureframe but still not “count” for a framework where it is not mapped or marked out of scope. Fixing framework or scope mapping often resolves this kind of message when the integrations themselves are already connected.