
Azure Well-Architected Framework Metrics: What to Track and Why

The key metrics across all five WAF pillars that tell you whether your Azure environment is actually well-architected.

Beyond the Questionnaire

Microsoft's Well-Architected Framework defines principles. But principles do not tell you whether your environment is healthy — metrics do. Here are the metrics that matter across each pillar, and how to track them continuously.

Security Metrics

Posture Score (0-100)

A weighted aggregate across all security checks. Weight distribution matters — a single Global Admin without MFA should impact your score more than ten missing resource tags.

How Unsave calculates it: 103 checks, each weighted by severity (Critical: 10, High: 7, Medium: 4, Low: 1). Score = passed weight / total weight.

Identity Coverage Metrics

| Metric | Target | Why It Matters |
| --- | --- | --- |
| MFA enrollment rate | 100% | Single biggest identity risk factor |
| Conditional Access policy coverage | 100% of users | Ensures sign-in risk evaluation |
| Privileged role count | Fewer than 5 Global Admins | Reduces blast radius |
| Service principal credential age | Under 180 days | Prevents stale credential exploitation |

Infrastructure Metrics

  • Encryption at rest coverage: percentage of storage accounts using encryption
  • Public endpoint exposure: count of resources reachable from the internet
  • NSG coverage: percentage of subnets with attached network security groups (NSGs)
  • Key Vault soft-delete adoption: percentage of vaults protected from accidental deletion
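
The severity-weighted posture score described above, applied to a few of the identity and infrastructure targets in this section. This is an added example, not Unsave's code: the weights and targets come from the article, while the snapshot data, the check names and the severity assigned to each check are assumptions made for illustration.

```python
from datetime import date

# Severity weights as stated in the article.
WEIGHTS = {"Critical": 10, "High": 7, "Medium": 4, "Low": 1}

# Constructed sample tenant snapshot (illustrative, not real data).
SNAPSHOT = {
    "users": [
        {"upn": "alice@example.test", "mfa": True, "roles": ["Global Administrator"]},
        {"upn": "bob@example.test", "mfa": False, "roles": ["Global Administrator"]},
        {"upn": "carol@example.test", "mfa": True, "roles": []},
        {"upn": "dave@example.test", "mfa": True, "roles": []},
    ],
    "sp_credentials": [
        {"app": "ci-deployer", "created": date(2024, 1, 10)},
        {"app": "backup-job", "created": date(2024, 9, 1)},
    ],
    "subnets": [{"name": "web", "nsg": True}, {"name": "db", "nsg": False}],
}

def evaluate(snapshot, today):
    """Return (check name, severity, passed) tuples; severities are assumed."""
    users = snapshot["users"]
    admins = [u for u in users if "Global Administrator" in u["roles"]]
    mfa_rate = sum(u["mfa"] for u in users) / len(users)
    oldest = max((today - c["created"]).days for c in snapshot["sp_credentials"])
    nsg_rate = sum(s["nsg"] for s in snapshot["subnets"]) / len(snapshot["subnets"])
    return [
        ("Every Global Admin has MFA", "Critical", all(u["mfa"] for u in admins)),
        ("MFA enrollment rate is 100%", "High", mfa_rate == 1.0),
        ("Fewer than 5 Global Admins", "High", len(admins) < 5),
        ("SP credentials under 180 days", "Medium", oldest < 180),
        ("Every subnet has an NSG", "Medium", nsg_rate == 1.0),
    ]

def posture_score(results):
    """Passed weight / total weight, scaled to the 0-100 range."""
    total = sum(WEIGHTS[sev] for _, sev, _ in results)
    passed = sum(WEIGHTS[sev] for _, sev, ok in results if ok)
    return round(100 * passed / total, 1)

if __name__ == "__main__":
    results = evaluate(SNAPSHOT, date(2024, 10, 1))
    for name, sev, ok in results:
        print(f"{'PASS' if ok else 'FAIL'}  {sev:<8}  {name}")
    print("Posture score:", posture_score(results))
```

Enabling MFA for the one unprotected Global Admin clears both the Critical and the High MFA checks and lifts the score from 21.9 to 75.0, which is the effect severity weighting is meant to produce.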

Cost Optimization Metrics

FinOps Score (0-100)

Measures cost maturity across four dimensions:

  1. Waste elimination (25%) — dollar value of detectable waste vs. total spend
  2. Right-sizing adoption (25%) — percentage of right-sizing recommendations acted on
  3. Reservation coverage (25%) — percentage of eligible workloads covered by Reserved Instances (RIs)
  4. Budget adherence (25%) — percentage of budgets within threshold

Efficiency Ratios

  • Cost per resource: total spend / resource count — tracks efficiency over time
  • Waste ratio: waste detected / total spend — should trend downward
  • Month-over-month change: catch unexpected growth early

Compliance Metrics

Framework Coverage

Track compliance percentage across each framework:

  • CIS Azure v2.1: 180+ controls
  • SOC 2 Type II: 60+ controls
  • ISO 27001:2022: 90+ controls
  • NIST CSF 2.0: 100+ controls

Gap Velocity

How quickly are compliance gaps being closed? Track:

  • New gaps introduced per scan
  • Gaps resolved per week
  • Average time-to-remediation by severity
  • Controls that regressed (were passing, now failing)

Reliability Metrics

  • Availability zone coverage: percentage of critical resources deployed across zones
  • Backup policy coverage: percentage of VMs and databases with active backup policies
  • Resource lock adoption: critical resources protected from accidental deletion

Operational Excellence Metrics

  • Tag coverage: percentage of resources with required tags (Environment, Owner, CostCenter)
  • Policy compliance: percentage of resources compliant with Azure Policy assignments
  • Scan frequency: how often your environment is assessed
  • Alert rule coverage: critical metrics monitored with defined thresholds

Building a WAF Dashboard

The most effective approach combines all five pillars into a single dashboard with:

  1. Top-level scores: Security, FinOps, Compliance — each as a 0-100 gauge
  2. Trend lines: 30-day score trajectories
  3. Finding breakdown: Critical/High/Medium/Low distribution
  4. Action items: Top 5 findings by impact, with remediation links

Unsave's dashboard provides exactly this view — all five pillars, continuously updated, with drill-down into any metric.

