Category | Category txt | Id | DisplayName | Description | Effect | Roles | Rule Aliases | Rule ResourceTypes | State | Type
---|---|---|---|---|---|---|---|---|---|---
API for FHIR | API for FHIR | 051cba44-2429-45b9-9649-46cec11c7119 | Azure API for FHIR should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | Default: Audit Allowed: (audit, Audit, disabled, Disabled) | | IF (1) •Microsoft.HealthcareApis/services/cosmosDbConfiguration.keyVaultKeyUri | IF (1) •Microsoft.HealthcareApis/services | GA | BuiltIn
API for FHIR | API for FHIR | 1ee56206-5dd1-42ab-b02d-8aae8b1634ce | Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Default: Audit Allowed: (Audit, Disabled) | | IF (2) •Microsoft.HealthcareApis/services/privateEndpointConnections[*] •Microsoft.HealthcareApis/services/privateEndpointConnections[*].privateLinkServiceConnectionState.status | IF (1) •Microsoft.HealthcareApis/services | GA | BuiltIn
API for FHIR | API for FHIR | 0fea8f8a-4169-495d-8307-30ec335f387d | CORS should not allow every domain to access your API for FHIR | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. | Default: Audit Allowed: (audit, Audit, disabled, Disabled) | | IF (1) •Microsoft.HealthcareApis/services/corsConfiguration.origins[*] | IF (1) •Microsoft.HealthcareApis/services | GA | BuiltIn
API Management | API Management | 73ef9241-5d81-4cd4-b483-8443d1730fe5 | API Management service should use a SKU that supports virtual networks | With supported SKUs of API Management, deploying the service into a virtual network unlocks advanced API Management networking and security features, which give you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.ApiManagement/service/sku.name | IF (1) •Microsoft.ApiManagement/service | GA | BuiltIn
API Management | API Management | df73bd95-24da-4a4f-96b9-4e8b94b402bd | API Management services should disable public network access | To improve the security of API Management services, ensure that endpoints aren't exposed to the public internet. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to the Management API, managing configuration using Git, self-hosted gateway configuration. If any of those features are not used, the corresponding endpoints should be disabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (1) •Microsoft.ApiManagement/service/sku.name THEN-ExistenceCondition (1) •Microsoft.ApiManagement/service/tenant/enabled | IF (1) •Microsoft.ApiManagement/service | GA | BuiltIn
API Management | API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet-routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Default: Audit Allowed: (Audit, Disabled) | | IF (2) •Microsoft.ApiManagement/service/sku.name •Microsoft.ApiManagement/service/virtualNetworkType | IF (1) •Microsoft.ApiManagement/service | GA | BuiltIn
API Management | API Management | 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 | Configure API Management services to disable public network access | To improve the security of API Management services, disable public endpoints. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to the Management API, managing configuration using Git, self-hosted gateway configuration. If any of those features are not used, the corresponding endpoints should be disabled. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | API Management Service Contributor | IF (1) •Microsoft.ApiManagement/service/sku.name THEN-ExistenceCondition (1) •Microsoft.ApiManagement/service/tenant/enabled | IF (1) •Microsoft.ApiManagement/service | GA | BuiltIn
App Configuration | App Configuration | 3d9f5e4c-9947-4579-9539-2a7695fbc187 | App Configuration should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.AppConfiguration/configurationStores/publicNetworkAccess | IF (1) •Microsoft.AppConfiguration/configurationStores | GA | BuiltIn
App Configuration | App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.AppConfiguration/configurationStores/encryption.keyVaultProperties.keyIdentifier | IF (1) •Microsoft.AppConfiguration/configurationStores | GA | BuiltIn
App Configuration | App Configuration | 89c8a434-18f0-402c-8147-630a8dea54e0 | App Configuration should use a SKU that supports private link | When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.AppConfiguration/configurationStores/sku.name | IF (1) •Microsoft.AppConfiguration/configurationStores | GA | BuiltIn
App Configuration | App Configuration | ca610c1d-041c-4332-9d88-7ed3094967c7 | App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.AppConfiguration/configurationStores | GA | BuiltIn
App Configuration | App Configuration | b08ab3ca-1062-4db3-8803-eec9cae605d6 | App Configuration stores should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.AppConfiguration/configurationStores/disableLocalAuth | IF (1) •Microsoft.AppConfiguration/configurationStores | GA | BuiltIn
App Configuration | App Configuration | 72bc14af-4ab8-43af-b4e4-38e7983f9a1f | Configure App Configuration stores to disable local authentication methods | Disable local authentication methods so that your App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.AppConfiguration/configurationStores/disableLocalAuth THEN-Operations (1) •Microsoft.AppConfiguration/configurationStores/disableLocalAuth | IF (1) •Microsoft.AppConfiguration/configurationStores | GA | BuiltIn
App Configuration | App Configuration | 73290fa2-dfa7-4bbb-945d-a5e23b75df2c | Configure App Configuration to disable public network access | Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect the stores against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.AppConfiguration/configurationStores/publicNetworkAccess THEN-Operations (1) •Microsoft.AppConfiguration/configurationStores/publicNetworkAccess | IF (1) •Microsoft.AppConfiguration/configurationStores | GA | BuiltIn
App Configuration | App Configuration | 7a860e27-9ca2-4fc6-822d-c2d248c300df | Configure private DNS zones for private endpoints connected to App Configuration | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] | IF (1) •Microsoft.Network/privateEndpoints | GA | BuiltIn
App Configuration | App Configuration | 614ffa75-862c-456e-ad8b-eaa1b0844b07 | Configure private endpoints for App Configuration | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor | THEN-ExistenceCondition (1) •Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.AppConfiguration/configurationStores THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments | GA | BuiltIn
App Platform | App Platform | 0f2d8593-4667-4932-acca-6a9f187af109 | [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled | Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. | Default: Audit Allowed: (Audit, Disabled) | | IF (2) •Microsoft.AppPlatform/Spring/trace.enabled •Microsoft.AppPlatform/Spring/trace.state | IF (1) •Microsoft.AppPlatform/Spring | Preview | BuiltIn
App Platform | App Platform | af35e2a4-ef96-44e7-a9ae-853dd97032c4 | Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from the Internet. 2. Enable Azure Spring Cloud to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Default: Audit Allowed: (Audit, Disabled, Deny) | | IF (2) •Microsoft.AppPlatform/Spring/networkProfile.serviceRuntimeSubnetId •Microsoft.AppPlatform/Spring/sku.tier | IF (1) •Microsoft.AppPlatform/Spring | GA | BuiltIn
App Service | App Service | d79ab062-dffd-4318-8344-f70de714c0bc | [Deprecated]: App Service should disable public network access | Disabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default: Audit Allowed: (Audit, Disabled) | | IF (1) •Microsoft.Web/sites/config/PublicNetworkAccess | | Deprecated | BuiltIn
App Service | App Service | 752c6934-9bcc-4749-b004-655e676ae2ac | [Deprecated]: Audit enabling of diagnostic logs in App Services | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default: Audit Allowed: (Audit, Disabled) | | IF (3) •Microsoft.Web/sites/config/detailedErrorLoggingEnabled •Microsoft.Web/sites/config/httpLoggingEnabled •Microsoft.Web/sites/config/requestTracingEnabled | | Deprecated | BuiltIn
App Service | App Service | b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 | [Deprecated]: Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (3) •Microsoft.Web/sites/config/detailedErrorLoggingEnabled •Microsoft.Web/sites/config/httpLoggingEnabled •Microsoft.Web/sites/config/requestTracingEnabled | IF (1) •Microsoft.Web/sites | Deprecated | BuiltIn
App Service | App Service | 58d94fc1-a072-47c2-bd37-9cdb38e77453 | [Deprecated]: Ensure Function app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the TLS level recommended by industry standards such as PCI DSS. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.minTlsVersion | IF (1) •Microsoft.Web/sites | Deprecated | BuiltIn
App Service | App Service | c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.netFrameworkVersion | IF (1) •Microsoft.Web/sites | Deprecated | BuiltIn
App Service | App Service | 10c1859c-e1a7-4df3-ab97-a487fa8059f6 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.netFrameworkVersion | IF (1) •Microsoft.Web/sites | Deprecated | BuiltIn
App Service | App Service | 843664e0-7563-41ee-a9cb-7522c382d2c4 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.netFrameworkVersion | IF (1) •Microsoft.Web/sites | Deprecated | BuiltIn
App Service | App Service | ab965db2-d2bf-4b64-8b39-c38ec8179461 | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app | PHP cannot be used with Function apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (2) •Microsoft.Web/sites/config/web.linuxFxVersion •Microsoft.Web/sites/config/web.phpVersion | IF (1) •Microsoft.Web/sites | Deprecated | BuiltIn
App Service | App Service | 86d97760-d216-4d81-a3ad-163087b2b6c3 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.managedServiceIdentityId | IF (1) •Microsoft.Web/sites | Deprecated | BuiltIn
App Service | App Service | f0473e7a-a1ba-4e86-afb2-e829e11b01d8 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.managedServiceIdentityId | IF (1) •Microsoft.Web/sites | Deprecated | BuiltIn
App Service | App Service | aa81768c-cb87-4ce2-bfaa-00baa10d760c | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.managedServiceIdentityId | IF (1) •Microsoft.Web/sites | Deprecated | BuiltIn
App Service | App Service | 6ad61431-88ce-4357-a0e1-6da43f292bd7 | [Deprecated]: Ensure WEB app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the TLS level recommended by industry standards such as PCI DSS. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.minTlsVersion | IF (1) •Microsoft.Web/sites | Deprecated | BuiltIn
App Service | App Service | app-service_allowed-appservicesplan-skus | Allowed App Services Plan SKUs | This policy enables you to specify a set of App Services Plan SKUs that your organization can deploy. | Fixed: Deny | | IF (1) •Microsoft.Web/serverfarms/sku.name | IF (1) •Microsoft.Web/serverfarms | GA | Community
App Service | App Service | Deny-AppServiceApiApp-http | API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network-layer eavesdropping attacks. | Default: Deny Allowed: (Audit, Disabled, Deny) | | IF (1) •Microsoft.Web/sites/httpsOnly | IF (1) •Microsoft.Web/sites | GA | ESLZ
App Service | App Service | b7ddfbdc-1260-477d-91fd-98bd9be789a6 | API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network-layer eavesdropping attacks. | Default: Audit Allowed: (Audit, Disabled) | | IF (1) •Microsoft.Web/sites/httpsOnly | IF (1) •Microsoft.Web/sites | GA | BuiltIn
App Service | App Service | 324c7761-08db-4474-9661-d1039abc92ee | API apps should use an Azure file share for its content directory | The content directory of an API app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content, refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default: Audit Allowed: (Audit, Disabled) | | IF (1) •Microsoft.Web/sites/storageAccountRequired | IF (1) •Microsoft.Web/sites | GA | BuiltIn
App Service | App Service | 72d04c29-f87d-4575-9731-419ff16a2757 | App Service Apps should be injected into a virtual network | Injecting App Service Apps into a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.Web/sites/virtualNetworkSubnetId | IF (1) •Microsoft.Web/sites | GA | BuiltIn
App Service | App Service | 33228571-70a4-4fa1-8ca1-26d0aba8d6ef | App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC 1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true routes all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user-defined routes to be used for all outbound traffic from the App Service app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/vnetRouteAllEnabled | IF (1) •Microsoft.Web/sites | GA | BuiltIn
App Service | App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.Web/serverFarms/sku.tier | IF (1) •Microsoft.Web/serverFarms | GA | BuiltIn
App Service | App Service | 2d048aca-6479-4923-88f5-e2ac295d9af3 | App Service Environment apps should not be reachable over public internet | To ensure apps deployed in an App Service Environment are not accessible over the public internet, one should deploy the App Service Environment with an IP address in a virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.Web/HostingEnvironments/internalLoadBalancingMode | IF (1) •Microsoft.Web/hostingEnvironments | GA | BuiltIn
App Service | App Service | 817dcf37-e83d-4999-a472-644eada2ea1e | App Service Environment should be configured with strongest TLS Cipher suites | The two most minimal and strongest cipher suites required for App Service Environment to function correctly are: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. | Default: Audit Allowed: (Audit, Disabled) | | IF (3) •Microsoft.Web/HostingEnvironments/clusterSettings[*] •Microsoft.Web/HostingEnvironments/clusterSettings[*].name •Microsoft.Web/HostingEnvironments/clusterSettings[*].value | IF (1) •Microsoft.Web/hostingEnvironments | GA | BuiltIn
App Service | App Service | eb4d34ab-0929-491c-bbf3-61e13da19f9a | App Service Environment should be provisioned with latest versions | Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.Web/hostingEnvironments | | GA | BuiltIn
App Service | App Service | d6545c6b-dd9d-4265-91e6-0b451e2f1c50 | App Service Environment should disable TLS 1.0 and 1.1 | TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (3) •Microsoft.Web/HostingEnvironments/clusterSettings[*] •Microsoft.Web/HostingEnvironments/clusterSettings[*].name •Microsoft.Web/HostingEnvironments/clusterSettings[*].value | IF (1) •Microsoft.Web/hostingEnvironments | GA | BuiltIn
App Service | App Service | fb74e86f-d351-4b8d-b034-93da7391c01f | App Service Environment should enable internal encryption | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Default: Audit Allowed: (Audit, Disabled) | | IF (3) •Microsoft.Web/HostingEnvironments/clusterSettings[*] •Microsoft.Web/HostingEnvironments/clusterSettings[*].name •Microsoft.Web/HostingEnvironments/clusterSettings[*].value | IF (1) •Microsoft.Web/hostingEnvironments | GA | BuiltIn
App Service | App Service | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service should have local authentication methods disabled for FTP deployments | Disabling local authentication methods improves security by ensuring that App Service exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow | IF (1) •Microsoft.Web/sites | GA | BuiltIn
App Service | App Service | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods improves security by ensuring that App Service exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow | IF (1) •Microsoft.Web/sites | GA | BuiltIn
App Service | App Service | 687aa49d-0982-40f8-bf6b-66d1da97a04b | App Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.Web/sites | GA | BuiltIn
App Service | App Service | ec71c0bc-6a45-4b1f-9587-80dc83e6898c | App Service slots should have local authentication methods disabled for FTP deployments | Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow | IF (1) •Microsoft.Web/sites/slots | GA | BuiltIn
App Service | App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow | IF (1) •Microsoft.Web/sites/slots | GA | BuiltIn
App Service | App Service | 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7 | App Services should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/publicNetworkAccess | IF (1) •Microsoft.Web/sites | GA | BuiltIn
App Service | App Service | app-service_audit-appservicesbackend-appgw | Apps Require App Gateway Front End | Custom policy that requires HTTP(S)-triggered apps to sit behind an App Gateway front end so that inbound ports are not opened on the apps. | Default: auditIfNotExists Allowed: (auditIfNotExists, disabled) | | THEN-ExistenceCondition (2) •Microsoft.Network/applicationGateways/backendAddressPools[*].backendAddresses[*] •Microsoft.Network/applicationGateways/backendAddressPools[*].backendAddresses[*].fqdn | IF (1) •Microsoft.Web/sites | GA | Community
App Service | App Service | Append-AppService-httpsonly | AppService append enable https only setting to enforce https setting. | Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network-layer eavesdropping attacks. Please note that Append does not enforce compliance; use Deny for that. | Default: Append Allowed: (Append, Disabled) | | IF (1) •Microsoft.Web/sites/httpsOnly THEN-Details (1) •Microsoft.Web/sites/httpsOnly | IF (1) •Microsoft.Web/sites | GA | ESLZ
App Service | App Service | Append-AppService-latestTLS | AppService append sites with minimum TLS version to enforce. | Appends the AppService sites object to ensure that the minimum TLS version is set to the required minimum TLS version. Please note that Append does not enforce compliance; use Deny for that. | Default: Append Allowed: (Append, Disabled) | | IF (1) •Microsoft.Web/sites/config/minTlsVersion THEN-Details (1) •Microsoft.Web/sites/config/minTlsVersion | | GA | ESLZ
App Service | App Service | c4ebc54a-46e1-481a-bee2-d4411e95d828 | Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/siteAuthEnabled | IF (1) •Microsoft.Web/sites | GA | BuiltIn
App Service | App Service | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | Authentication should be enabled on your Function app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/siteAuthEnabled | IF (1) •Microsoft.Web/sites | GA | BuiltIn
App Service | App Service | 95bccee9-a7f8-4bec-9ee9-62c3473701fc | Authentication should be enabled on your web app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/siteAuthEnabled | IF (1) •Microsoft.Web/sites | GA | BuiltIn
App Service | App Service | f493116f-3b7f-4ab3-bf80-0c2af35e46c2 | Configure App Service slots to disable local authentication for FTP deployments. | Disable local authentication methods for FTP deployments so that your App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow | IF (1) •Microsoft.Web/sites/slots | GA | BuiltIn
App Service | App Service | 2c034a29-2a5f-4857-b120-f800fe5549ae | Configure App Service slots to disable local authentication for SCM sites. | Disable local authentication methods for SCM sites so that your App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow | IF (1) •Microsoft.Web/sites/slots | GA | BuiltIn
App Service | App Service | 5e97b776-f380-4722-a9a3-e7f0be029e79 | Configure App Service to disable local authentication for SCM sites. | Disable local authentication methods for SCM sites so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow | | |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn |
App Service | App Service | 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 | Configure App Service to disable local authentication on FTP deployments. | Disable local authentication methods for FTP deployments so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn |
App Service | App Service | 81dff7c0-4020-4b58-955d-c076a2136b56 | Configure App Services to disable public network access | Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/publicNetworkAccess |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn |
App Service | App Service | b318f84a-b872-429b-ac6d-a01b96814452 | Configure App Services to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.Network/privateEndpoints •Microsoft.Web/sites |
GA | BuiltIn |
App Service | App Service | 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac | CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.cors.allowedOrigins[*] |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 0820b7b9-23aa-4725-a1ce-ae4558f718e5 | CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.cors.allowedOrigins[*] |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 | CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.cors.allowedOrigins[*] |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | app-service_functionapp-enforce-ftps-only | Enforce FTPS only or disablement of FTP/FTPS for App Service and Azure Functions | Enforce FTPS only or disablement of FTP/FTPS for App Service and Azure Functions | Default: AuditIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/ftpsState |
IF (1) •Microsoft.Web/sites |
GA | Community |
App Service | App Service | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.Web/sites/clientCertEnabled |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | Ensure that 'HTTP Version' is the latest, if used to run the API app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.http20Enabled |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.http20Enabled |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | Ensure that 'HTTP Version' is the latest, if used to run the Web app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.http20Enabled |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | Ensure that 'Python version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.Web/sites/clientCertEnabled |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/ftpsState |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 399b2637-a50f-4f95-96f8-3a145476eb15 | FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/ftpsState |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/ftpsState |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | app-service_functionapp-enforce-https-only-audit_or_deny | Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Web/sites/httpsOnly |
IF (1) •Microsoft.Web/sites |
GA | Community | |
App Service | App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.Web/sites/httpsOnly |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | app-service_functionapp-enforce-https-only-dine | Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/httpsOnly |
IF (1) •Microsoft.Web/sites THEN-Deployment (1) •Microsoft.Web/sites |
GA | Community |
App Service | App Service | Deny-AppServiceFunctionApp-http | Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Deny Allowed: (Audit, Disabled, Deny) | IF (1) •Microsoft.Web/sites/httpsOnly |
IF (1) •Microsoft.Web/sites |
GA | ESLZ | |
App Service | App Service | app-service_functionapp-deployed-to-appserviceenvironment | Function apps must be deployed to an App Service Environment (ASE) | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Web/sites/hostingEnvironmentProfile.id |
IF (1) •Microsoft.Web/sites |
GA | Community | ||
App Service | App Service | app-service_functionapp-private-endpoints-enabled-dine | Function apps must have private endpoints enabled | A private endpoint connection enables private connectivity to your function app via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Web/sites THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | Community |
App Service | App Service | app-service_functionapp-private-endpoints-enabled-aine | Function apps must have private endpoints enabled | A private endpoint connection enables private connectivity to your function app via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Web/sites |
GA | Community | |
App Service | App Service | app-service_functionapp-enforce-connect-to-acr-with-identity | Function apps should authenticate to Azure Container Registry using a managed identity | Function apps should authenticate to Azure Container Registry using a managed identity | Default: AuditIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/acrUseManagedIdentityCreds |
IF (1) •Microsoft.Web/sites |
GA | Community |
App Service | App Service | app-service_functionapp-vnet-injection-enabled | Function apps should be injected into a virtual network | Injecting function apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/networkConfig/subnetResourceId |
IF (1) •Microsoft.Web/sites |
GA | Community | |
App Service | App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.Web/sites/clientCertEnabled |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | app-service_functionapp-enforce-client-certs-dine | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/clientCertEnabled |
IF (1) •Microsoft.Web/sites THEN-Deployment (1) •Microsoft.Web/sites |
GA | Community |
App Service | App Service | app-service_functionapp-enforce-client-certs-audit_or_deny | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Web/sites/clientCertEnabled |
IF (1) •Microsoft.Web/sites |
GA | Community | |
App Service | App Service | app-service_functionapp-disable-deployment-local-auth-scm | Function apps should have local authentication methods for deployment disabled | Disabling local authentication methods improves security by ensuring that the app exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow |
IF (1) •Microsoft.Web/sites |
GA | Community |
App Service | App Service | app-service_functionapp-disable-deployment-local-auth-ftp_functionapp-disable-deployment-local-auth-scm | Function apps should have local authentication methods for deployment disabled | Disabling local authentication methods improves security by ensuring that the app exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow |
IF (1) •Microsoft.Web/sites |
GA | Community |
App Service | App Service | 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 | Function apps should use an Azure file share for its content directory | The content directory of a function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.Web/sites/storageAccountRequired |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | Latest TLS version should be used in your API App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/minTlsVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | app-service_functionapp-enforce-latest-tls | Latest TLS version should be used in your Function App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/minTlsVersion |
IF (1) •Microsoft.Web/sites |
GA | Community |
App Service | App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Latest TLS version should be used in your Function App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/minTlsVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | Latest TLS version should be used in your Web App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/minTlsVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | app-service_functionapp-pull-from-specified-registry | Linux function apps should only use a specified Azure Container Registry instance | Ensure that Linux function apps can only pull custom images from a specified container registry | Default: AuditIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/linuxFxVersion |
IF (1) •Microsoft.Web/sites |
GA | Community |
App Service | App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (2) •Microsoft.Web/sites/config/managedServiceIdentityId •Microsoft.Web/sites/config/xmanagedServiceIdentityId |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (2) •Microsoft.Web/sites/config/managedServiceIdentityId •Microsoft.Web/sites/config/xmanagedServiceIdentityId |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (2) •Microsoft.Web/sites/config/managedServiceIdentityId •Microsoft.Web/sites/config/xmanagedServiceIdentityId |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | e9c8d085-d9cc-4b17-9cdc-059f1f01f19e | Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/remoteDebuggingEnabled |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 0e60b895-3786-45da-8377-9c6b4b6ac5f9 | Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.remoteDebuggingEnabled |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | cb510bfd-1cba-4d9f-a230-cb0976f4bb71 | Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.remoteDebuggingEnabled |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | Resource logs in App Services should be enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | Deny-AppServiceWebApp-http | Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Deny Allowed: (Audit, Disabled, Deny) | IF (1) •Microsoft.Web/sites/httpsOnly |
IF (1) •Microsoft.Web/sites |
GA | ESLZ | |
App Service | App Service | a4af4a39-4135-47fb-b175-47fbdf85311d | Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.Web/sites/httpsOnly |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
App Service | App Service | dcbc65aa-59f3-4239-8978-3bb869d82604 | Web apps should use an Azure file share for its content directory | The content directory of a web app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.Web/sites/storageAccountRequired |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | |
Attestation | Attestation | 5e7e928c-8693-4a23-9bf3-1c77b9a8fe97 | Azure Attestation providers should disable public network access | To improve the security of Azure Attestation Service, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in aka.ms/azureattestation. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Attestation/attestationProviders/publicNetworkAccess |
IF (1) •Microsoft.Attestation/attestationProviders |
GA | BuiltIn | |
Attestation | Attestation | 7b256a2d-058b-41f8-bed9-3f870541c40a | Azure Attestation providers should use private endpoints | Private endpoints provide a way to connect Azure Attestation providers to your Azure resources without sending traffic over the public internet. By preventing public access, private endpoints help protect against undesired anonymous access. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (3) •Microsoft.Attestation/attestationProviders/privateEndpointConnections/privateEndpoint •Microsoft.Attestation/attestationProviders/privateEndpointConnections/privateLinkServiceConnectionState.status •Microsoft.Attestation/attestationProviders/privateEndpointConnections/provisioningState |
IF (1) •Microsoft.Attestation/attestationProviders |
GA | BuiltIn | |
Automanage | Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor | IF (8) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.imageReference.id •Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (2) •Microsoft.Automanage/configurationProfileAssignments/accountId •Microsoft.Automanage/configurationProfileAssignments/configurationProfile | IF (1) •Microsoft.Compute/virtualMachines | Deprecated | BuiltIn |
Automanage | Automanage | f889cab7-da27-4c41-a3b0-de1f6f87c550 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor | IF (9) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.imageReference.id •Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/machines/osSku THEN-ExistenceCondition (1) •Microsoft.Automanage/configurationProfileAssignments/configurationProfile | IF (1) •Microsoft.HybridCompute/machines | GA | BuiltIn |
Automanage | Automanage | b025cfb4-3702-47c2-9110-87fe0cfcc99b | Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor | IF (9) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.imageReference.id •Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/machines/osSku THEN-ExistenceCondition (1) •Microsoft.Automanage/configurationProfileAssignments/configurationProfile | IF (1) •Microsoft.HybridCompute/machines | GA | BuiltIn |
Automanage | Automanage | 6d02d2f7-e38b-4bdc-96f3-adc0a8726abc | Hotpatch should be enabled for Windows Server Azure Edition VMs | Minimize reboots and install updates quickly with hotpatch. Learn more at https://docs.microsoft.com/azure/automanage/automanage-hotpatch | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.enableHotpatching •Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku | IF (1) •Microsoft.Compute/virtualMachines | GA | BuiltIn |
Automation | Automation | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.Automation/automationAccounts/variables/isEncrypted | | GA | BuiltIn |
Automation | Automation | 955a914f-bf86-4f0e-acd5-e0766b0efcb6 | Automation accounts should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.Automation/automationAccounts/publicNetworkAccess | IF (1) •Microsoft.Automation/automationAccounts | GA | BuiltIn |
Automation | Automation | 48c5f1cb-14ad-4797-8e3b-f78ab3f8d700 | Azure Automation account should have local authentication method disabled | Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.Automation/automationAccounts/disableLocalAuth | IF (1) •Microsoft.Automation/automationAccounts | GA | BuiltIn |
Automation | Automation | 56a5ee18-2ae6-4810-86f7-18e39ce5629b | Azure Automation accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.Automation/automationAccounts/encryption.keySource | IF (1) •Microsoft.Automation/automationAccounts | GA | BuiltIn |
Automation | Automation | 30d1d58e-8f96-47a5-8564-499a3f3cca81 | Configure Azure Automation account to disable local authentication | Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.Automation/automationAccounts/disableLocalAuth THEN-Operations (1) •Microsoft.Automation/automationAccounts/disableLocalAuth | IF (1) •Microsoft.Automation/automationAccounts | GA | BuiltIn |
Automation | Automation | 23b36a7c-9d26-4288-a8fd-c1d2fa284d8c | Configure Azure Automation accounts to disable public network access | Disable public network access for Azure Automation accounts so that they aren't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.Automation/automationAccounts/publicNetworkAccess THEN-Operations (1) •Microsoft.Automation/automationAccounts/publicNetworkAccess | IF (1) •Microsoft.Automation/automationAccounts | GA | BuiltIn |
Automation | Automation | 6dd01e4f-1be1-4e80-9d0b-d109e04cb064 | Configure Azure Automation accounts with private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. You need a private DNS zone properly configured to connect to an Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] | IF (1) •Microsoft.Network/privateEndpoints | GA | BuiltIn |
Automation | Automation | c0c3130e-7dda-4187-aed0-ee4a472eaa60 | Configure private endpoint connections on Azure Automation accounts | Private endpoint connections allow secure communication by enabling private connectivity to Azure Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, Contributor | THEN-ExistenceCondition (1) •Microsoft.Automation/automationAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.Automation/automationAccounts THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments | GA | BuiltIn |
Automation | Automation | Deny-AA-child-resources | No child resources in Automation Account | This policy denies the creation of child resources on the Automation Account. | Default: Deny Allowed: (Audit, Deny, Disabled) | | | | GA | ESLZ |
Automation | Automation | 0c2b3618-68a8-4034-a150-ff4abc873462 | Private endpoint connections on Automation Accounts should be enabled | Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.Automation/automationAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.Automation/automationAccounts | GA | BuiltIn |
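The Automation rows above are all "field" policies: an `if` block that tests one alias on the resource body (publicNetworkAccess, disableLocalAuth, encryption.keySource) and a `then` effect of Audit, Deny or Modify. The following evaluator is an added example, not Microsoft's policy JSON and not code from this page; the rule bodies are assumptions that approximate the built-ins (the authoritative definitions are published in https://github.com/Azure/azure-policy), the account bodies are constructed, and the role name "Contributor" stands in for the role definition ID a real Modify assignment carries. It shows the one behaviour that surprises people: a property the account never had compares unequal to every value, so an account created before these properties existed reads as non-compliant until Modify (or a PATCH) sets it.

```python
"""Added example, not Microsoft's policy JSON: evaluate Azure Policy-style
'field' rules and 'Modify' remediations against ARM resource bodies.
Rule bodies are assumptions approximating the built-ins in the table above."""
from __future__ import annotations

import copy
from typing import Any

AA_TYPE = "Microsoft.Automation/automationAccounts"
PNA = "Automation accounts should disable public network access"
LOCAL_AUTH = "Azure Automation account should have local authentication method disabled"
CMK = "Azure Automation accounts should use customer-managed keys to encrypt data at rest"


def _norm(value: Any) -> str:
    """Scalar comparison the way the engine does it: case-insensitive strings,
    booleans as 'true'/'false'; a missing field normalizes to ''."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).lower()


def get_field(resource: dict, field: str) -> Any:
    """Resolve 'type'/'name'/'location' or an alias such as
    'Microsoft.Automation/automationAccounts/encryption.keySource': drop the
    resource type and walk the dotted path under 'properties'. None = absent."""
    if "/" not in field:
        return resource.get(field)
    node: Any = resource.get("properties", {})
    for segment in field.split("/", 2)[2].split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def matches(condition: dict, resource: dict) -> bool:
    """Policy rule condition: allOf/anyOf/not plus the field operators used here."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = get_field(resource, condition["field"])
    if "exists" in condition:
        return (value is not None) == (_norm(condition["exists"]) == "true")
    if "equals" in condition:
        return _norm(value) == _norm(condition["equals"])
    if "notEquals" in condition:
        return _norm(value) != _norm(condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition}")


def _rule(name: str, field: str, compliant_value: Any, effect: str, fix: Any = None) -> dict:
    """One rule: the resource is flagged when <field> notEquals <compliant_value>.
    Modify rules carry the operation a remediation task applies (assumed shape)."""
    rule = {"name": name,
            "if": {"allOf": [{"field": "type", "equals": AA_TYPE},
                             {"field": field, "notEquals": compliant_value}]},
            "then": {"effect": effect}}
    if effect == "Modify":  # needs a managed identity holding Contributor (Roles column)
        rule["then"]["details"] = {
            "roleDefinitionIds": ["Contributor"],
            "operations": [{"operation": "addOrReplace", "field": field, "value": fix}]}
    return rule


AUTOMATION_RULES = [
    _rule(PNA, f"{AA_TYPE}/publicNetworkAccess", "false", "Audit"),
    _rule(LOCAL_AUTH, f"{AA_TYPE}/disableLocalAuth", "true", "Audit"),
    _rule(CMK, f"{AA_TYPE}/encryption.keySource", "Microsoft.Keyvault", "Audit"),
    _rule("Configure Azure Automation accounts to disable public network access",
          f"{AA_TYPE}/publicNetworkAccess", "false", "Modify", fix=False),
    _rule("Configure Azure Automation account to disable local authentication",
          f"{AA_TYPE}/disableLocalAuth", "true", "Modify", fix=True),
]


def evaluate(resource: dict, rules: list[dict] = AUTOMATION_RULES) -> dict[str, str]:
    """Compliance state per Audit/Deny rule for one resource body."""
    return {r["name"]: ("NonCompliant" if matches(r["if"], resource) else "Compliant")
            for r in rules if r["then"]["effect"] in ("Audit", "Deny")}


def _set_field(resource: dict, field: str, value: Any) -> None:
    *parents, leaf = field.split("/", 2)[2].split(".")
    node = resource.setdefault("properties", {})
    for segment in parents:
        node = node.setdefault(segment, {})
    node[leaf] = value


def remediate(resource: dict, rules: list[dict] = AUTOMATION_RULES) -> dict:
    """Apply the Modify rules whose 'if' matches, as a remediation task would
    PATCH the resource; returns a new body and leaves the input untouched."""
    patched = copy.deepcopy(resource)
    for r in rules:
        if r["then"]["effect"] == "Modify" and matches(r["if"], patched):
            for op in r["then"]["details"]["operations"]:
                _set_field(patched, op["field"], op["value"])
    return patched


# Constructed sample: an account that predates both properties, on service-managed keys.
LEGACY_ACCOUNT = {"type": AA_TYPE, "name": "aa-legacy", "location": "westeurope",
                  "properties": {"encryption": {"keySource": "Microsoft.Automation"}}}

if __name__ == "__main__":
    print(evaluate(LEGACY_ACCOUNT))
    print(evaluate(remediate(LEGACY_ACCOUNT)))
```

Run it and the legacy account is non-compliant on all three audits; after the two Modify rules it passes the network and local-auth checks but stays non-compliant on customer-managed keys, which is consistent with the table: there is no Modify counterpart for the CMK policy because the key vault and key are something only you can supply.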
Azure Active Directory | Azure Active Directory | 3aa87b5a-7813-4b57-8a43-42dd9df5aaa7 | Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode | Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables legacy protocols such as NTLM v1 and TLS v1. These may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.AAD/domainServices/domainSecuritySettings.tlsV1 | IF (1) •Microsoft.AAD/domainServices | GA | BuiltIn |
Azure Arc | Azure Arc | 7eab1da3-2bf0-4ff0-8303-1a4277c380e8 | Azure Arc Private Link Scopes should be configured with a private endpoint | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Arc Private Link Scopes, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default: Audit Allowed: (Audit, Disabled) | | IF (2) •Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections[*] •Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections[*].privateLinkServiceConnectionState.status | IF (1) •Microsoft.HybridCompute/privateLinkScopes | GA | BuiltIn |
Azure Arc | Azure Arc | 898f2439-3333-4713-af25-f1d78bc50556 | Azure Arc Private Link Scopes should disable public network access | Disabling public network access improves security by ensuring that Azure Arc resources cannot connect via the public internet. Creating private endpoints can limit exposure of Azure Arc resources. Learn more at: https://aka.ms/arc/privatelink. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess | IF (1) •Microsoft.HybridCompute/privateLinkScopes | GA | BuiltIn |
Azure Arc | Azure Arc | efa3f296-ff2b-4f38-bc0d-5ef12c965b68 | Azure Arc-enabled servers should be configured with an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.HybridCompute/machines/privateLinkScopeResourceId | IF (1) •Microsoft.HybridCompute/machines | GA | BuiltIn |
Azure Arc | Azure Arc | de0bc8ea-76e2-4fe2-a288-a07556d0e9c4 | Configure Azure Arc Private Link Scopes to disable public network access | Disable public network access for your Azure Arc Private Link Scope so that associated Azure Arc resources cannot connect to Azure Arc services over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/arc/privatelink. | Default: Modify Allowed: (Modify, Disabled) | Azure Connected Machine Resource Administrator | IF (1) •Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess THEN-Operations (1) •Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess | IF (1) •Microsoft.HybridCompute/privateLinkScopes | GA | BuiltIn |
Azure Arc | Azure Arc | 55c4db33-97b0-437b-8469-c4f4498f5df9 | Configure Azure Arc Private Link Scopes to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId | IF (2) •Microsoft.HybridCompute/privateLinkScopes •Microsoft.Network/privateEndpoints | GA | BuiltIn |
Azure Arc | Azure Arc | d6eeba80-df61-4de5-8772-bc1b7852ba6b | Configure Azure Arc Private Link Scopes with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, Azure Connected Machine Resource Administrator | THEN-ExistenceCondition (1) •Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.HybridCompute/privateLinkScopes THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments | GA | BuiltIn |
Azure Arc | Azure Arc | a3461c8c-6c9d-4e42-a644-40ba8a1abf49 | Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default: Modify Allowed: (Modify, Disabled) | Azure Connected Machine Resource Administrator | IF (1) •Microsoft.HybridCompute/machines/privateLinkScopeResourceId THEN-Operations (1) •Microsoft.HybridCompute/machines/privateLinkScopeResourceId | IF (1) •Microsoft.HybridCompute/machines | GA | BuiltIn |
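The Azure Arc rows above, like "Azure Attestation providers should use private endpoints" and "Private endpoint connections on Automation Accounts should be enabled" earlier in the table, rely on the AuditIfNotExists pattern: the parent resource is compliant only if a related privateEndpointConnections entry satisfies the existence condition (privateEndpoint set, privateLinkServiceConnectionState.status Approved, provisioningState Succeeded). The check below is an added example, not Microsoft's policy JSON and not code from this page; the resource bodies are constructed and modelled on ARM GET responses, and the assumption that the scope's publicNetworkAccess is the string Enabled/Disabled is mine. It cross-checks the three Arc controls for one scope and its machines, and flags the rollout-order trap those controls imply: disabling public access on a scope that has no approved private endpoint leaves every attached agent with no path to the Arc service.

```python
"""Added example, not Microsoft's policy JSON: the AuditIfNotExists existence
condition for private endpoint connections, plus a cross-check of the three
Azure Arc Private Link Scope controls listed in the table. Bodies are constructed."""
from __future__ import annotations

import copy


def has_approved_private_endpoint(parent: dict) -> bool:
    """Existence condition behind the AuditIfNotExists policies: at least one
    connection must reference a private endpoint, be Approved by the resource
    owner and be fully provisioned. A Pending or still-provisioning connection
    does not count, so a scope can carry a connection and still be non-compliant."""
    for conn in parent.get("properties", {}).get("privateEndpointConnections", []):
        props = conn.get("properties", {})
        status = props.get("privateLinkServiceConnectionState", {}).get("status", "")
        if (props.get("privateEndpoint", {}).get("id")
                and status.lower() == "approved"
                and props.get("provisioningState", "").lower() == "succeeded"):
            return True
    return False


def arc_scope_findings(scope: dict, machines: list[dict]) -> list[str]:
    """Cross-check one Private Link Scope and the Arc-enabled servers that should
    use it. Returns findings; an empty list means all three controls hold."""
    findings: list[str] = []
    name = scope["name"]
    approved = has_approved_private_endpoint(scope)
    # publicNetworkAccess assumed to be the string Enabled/Disabled on the scope.
    pna = str(scope.get("properties", {}).get("publicNetworkAccess", "")).lower()
    if not approved:
        findings.append(f"{name}: no approved private endpoint connection")
    if pna != "disabled":
        findings.append(f"{name}: publicNetworkAccess is {pna or 'unset'}, not Disabled")
    elif not approved:
        # Ordering caveat: the Modify policy that disables public access must not
        # run before the private endpoint (and its private DNS zone) exist.
        findings.append(f"{name}: public access disabled with no approved private "
                        "endpoint; attached agents are stranded")
    for machine in machines:
        linked = machine.get("properties", {}).get("privateLinkScopeResourceId") or ""
        if not linked:
            findings.append(f"{machine['name']}: not attached to any Private Link Scope")
        elif linked.lower() != scope["id"].lower():
            findings.append(f"{machine['name']}: attached to a different scope ({linked})")
    return findings


def scope_variant(scope: dict, *, status: str | None = None,
                  public_access: str | None = None) -> dict:
    """Deep-copied variant of a scope, to walk through the rollout states."""
    out = copy.deepcopy(scope)
    if status is not None:
        conn = out["properties"]["privateEndpointConnections"][0]
        conn["properties"]["privateLinkServiceConnectionState"]["status"] = status
    if public_access is not None:
        out["properties"]["publicNetworkAccess"] = public_access
    return out


# Constructed sample data: one scope mid-rollout (endpoint created, approval
# pending, public access still on) and two Arc-enabled servers.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc"
SCOPE_ID = f"{_SUB}/providers/Microsoft.HybridCompute/privateLinkScopes/pls-arc"
PE_ID = f"{_SUB}/providers/Microsoft.Network/privateEndpoints/pe-arc"
SCOPE_PENDING = {
    "id": SCOPE_ID, "name": "pls-arc",
    "type": "Microsoft.HybridCompute/privateLinkScopes",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "privateEndpointConnections": [{
            "name": "pe-arc-conn",
            "properties": {
                "privateEndpoint": {"id": PE_ID},
                "privateLinkServiceConnectionState": {"status": "Pending"},
                "provisioningState": "Succeeded",
            }}],
    },
}
MACHINES = [
    {"name": "srv-01", "type": "Microsoft.HybridCompute/machines",
     "properties": {"privateLinkScopeResourceId": SCOPE_ID}},
    {"name": "srv-02", "type": "Microsoft.HybridCompute/machines", "properties": {}},
]

if __name__ == "__main__":
    for line in arc_scope_findings(SCOPE_PENDING, MACHINES):
        print(line)
    ready = scope_variant(SCOPE_PENDING, status="Approved", public_access="Disabled")
    print("ready scope findings:", arc_scope_findings(ready, MACHINES[:1]))
```

The provisioningState clause matters in practice: a connection that is Approved but still provisioning shows as non-compliant until it settles, which is expected churn right after the DeployIfNotExists policy ("Configure Azure Arc Private Link Scopes with private endpoints") creates the endpoint, not a misconfiguration.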
Azure Data Explorer | Azure Data Explorer | 81e74cea-30fd-40d5-802f-d72103c2aaaa | Azure Data Explorer encryption at rest should use a customer-managed key | Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is often applicable to customers with special compliance requirements and requires a Key Vault to manage the keys. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (4) •Microsoft.Kusto/clusters/keyVaultProperties •Microsoft.Kusto/clusters/keyVaultProperties.keyName •Microsoft.Kusto/clusters/keyVaultProperties.keyVaultUri •Microsoft.Kusto/clusters/keyVaultProperties.keyVersion | IF (1) •Microsoft.Kusto/Clusters | GA | BuiltIn |
Azure Data Explorer | Azure Data Explorer | f4b53539-8df9-40e4-86c6-6b607703bd4e | Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.Kusto/clusters/enableDiskEncryption | IF (1) •Microsoft.Kusto/Clusters | GA | BuiltIn |
Azure Data Explorer | Azure Data Explorer | ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 | Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.Kusto/clusters/enableDoubleEncryption | IF (1) •Microsoft.Kusto/Clusters | GA | BuiltIn |
Azure Data Explorer | Azure Data Explorer | 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413 | Virtual network injection should be enabled for Azure Data Explorer | Secure your network perimeter with virtual network injection, which lets you enforce network security group rules, connect to on-premises networks, and secure your data connection sources with service endpoints. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (4) •Microsoft.Kusto/clusters/virtualNetworkConfiguration •Microsoft.Kusto/clusters/virtualNetworkConfiguration.dataManagementPublicIpId •Microsoft.Kusto/clusters/virtualNetworkConfiguration.enginePublicIpId •Microsoft.Kusto/clusters/virtualNetworkConfiguration.subnetId | IF (1) •Microsoft.Kusto/Clusters | GA | BuiltIn |
Azure DNS | Azure DNS | network_enforce_azfw_dns_servers | Enforce Firewall Policy DNS servers | This policy prevents setting unauthorized DNS servers on firewall policies. | Default: Audit Allowed: (Deny, Audit, Disabled) | | IF (1) •Microsoft.Network/firewallPolicies/dnsSettings.servers[*] | | GA | Community |
Azure DNS | Azure DNS | network_enforce_vnet_dns_servers | Enforce VNET DNS servers | This policy prevents setting unauthorized DNS servers on virtual networks. | Default: Audit Allowed: (Deny, Audit, Disabled) | | IF (1) •Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*] | | GA | Community |
Azure DNS | Azure DNS | compute_only_approved_vmss_extensions_should_be_installed | Only approved VMSS extensions should be installed | This policy audits or denies virtual machine scale set extensions that are not on the approved list. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.Compute/virtualMachineScaleSets/extensions/type •Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.extensionProfile.extensions[*].type | | GA | Community |
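The two community DNS policies above differ from the single-value checks elsewhere in the table: their alias ends in `[*]`, so the rule walks an array (dhcpOptions.dnsServers on a virtual network, dnsSettings.servers on a firewall policy) and fails the resource as soon as one entry is outside the approved set. The check below is an added example, not the community policy's JSON and not code from this page; the approved addresses and the resource bodies are constructed. Two details a practitioner wants handled are included: an entry is compared as a parsed IP literal rather than a raw string, and an empty list (the resource is on Azure-provided DNS) has nothing to violate the allowlist, so it passes unless you explicitly decide that custom resolvers are mandatory.

```python
"""Added example, not the community policy's JSON: the allowlist check behind
'Enforce VNET DNS servers' and 'Enforce Firewall Policy DNS servers'.
Approved addresses and resource bodies are constructed."""
from __future__ import annotations

import ipaddress

# Constructed allowlist: the hub resolvers this environment permits (assumed).
APPROVED_DNS = frozenset({"10.10.0.4", "10.10.0.5"})

# Resource type -> (parent property, array property), i.e. the [*] alias path.
_ALIAS_PATHS = {
    "microsoft.network/virtualnetworks": ("dhcpOptions", "dnsServers"),
    "microsoft.network/firewallpolicies": ("dnsSettings", "servers"),
}


def configured_dns_servers(resource: dict) -> list[str]:
    """Resolve the array alias for the resource type; [] when unset, which for
    a VNET means Azure-provided DNS."""
    try:
        parent, leaf = _ALIAS_PATHS[resource["type"].lower()]
    except KeyError:
        raise ValueError(f"policy does not apply to {resource.get('type')}") from None
    return list(resource.get("properties", {}).get(parent, {}).get(leaf, []) or [])


def unauthorized_dns_servers(resource: dict, approved: frozenset = APPROVED_DNS) -> list[str]:
    """Entries outside the allowlist. Each entry is parsed as an IP literal so
    that '2001:DB8::1' and '2001:db8::1' compare equal; anything that is not an
    IP literal cannot be a resolver address and is reported as unauthorized."""
    bad: list[str] = []
    for entry in configured_dns_servers(resource):
        try:
            canonical = str(ipaddress.ip_address(entry.strip()))
        except ValueError:
            bad.append(entry)
            continue
        if canonical not in approved:
            bad.append(entry)
    return bad


def decide(resource: dict, effect: str = "Deny", *, require_custom: bool = False,
           approved: frozenset = APPROVED_DNS) -> str:
    """Map the check to a policy outcome. An empty server list has no entry that
    can violate the allowlist, so it is Compliant unless require_custom is set,
    in which case staying on Azure-provided DNS is itself a finding."""
    servers = configured_dns_servers(resource)
    if not servers:
        return "NonCompliant" if require_custom else "Compliant"
    if not unauthorized_dns_servers(resource, approved):
        return "Compliant"
    return "Denied" if effect == "Deny" else "NonCompliant"


# Constructed sample resources.
VNET_SPLIT = {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-app",
              "properties": {"dhcpOptions": {"dnsServers": ["10.10.0.4", "8.8.8.8"]}}}
VNET_DEFAULT = {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-lab",
                "properties": {}}
FW_POLICY = {"type": "Microsoft.Network/firewallPolicies", "name": "afwp-hub",
             "properties": {"dnsSettings": {"servers": ["10.10.0.5"], "enableProxy": True}}}

if __name__ == "__main__":
    for res in (VNET_SPLIT, VNET_DEFAULT, FW_POLICY):
        print(res["name"], decide(res), unauthorized_dns_servers(res))
```

If teams point VNETs at 168.63.129.16 explicitly (Azure's platform DNS address) that literal has to be on the allowlist too, otherwise a Deny assignment blocks a configuration that is functionally identical to leaving the list empty.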
Azure Edge Hardware Center | Azure Edge Hardware Center | 08a6b96f-576e-47a2-8511-119a212d344d | Azure Edge Hardware Center devices should have double encryption support enabled | Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.EdgeOrder/orderItems/orderItemDetails.preferences.encryptionPreferences.doubleEncryptionStatus •Microsoft.EdgeOrder/orderItems/orderItemDetails.productDetails.productDoubleEncryptionStatus | IF (1) •Microsoft.EdgeOrder/orderItems | GA | BuiltIn |
Azure Purview | Azure Purview | 9259053b-ddb8-40ab-842a-0aef19d0ade4 | Azure Purview accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link. | Default: Audit Allowed: (Audit, Disabled) | | IF (2) •Microsoft.Purview/accounts/privateEndpointConnections[*] •Microsoft.Purview/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status | IF (1) •Microsoft.Purview/accounts | GA | BuiltIn |
Azure Stack Edge | Azure Stack Edge | b4ac1030-89c5-4697-8e00-28b5ba6a8811 | Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | | IF (1) •Microsoft.DataboxEdge/DataBoxEdgeDevices/sku.name | IF (1) •Microsoft.DataBoxEdge/DataBoxEdgeDevices | GA | BuiltIn |
Backup | Backup | 2e94d99a-8a36-4563-bc77-810d8893b671 | [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.RecoveryServices/vaults/encryption.infrastructureEncryption •Microsoft.RecoveryServices/vaults/encryption.keyVaultProperties.keyUri | IF (1) •Microsoft.RecoveryServices/vaults | Preview | BuiltIn |
Backup | Backup | deeddb44-9f94-4903-9fa0-081d524406e3 | [Preview]: Azure Recovery Services vaults should use private link for backup | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. | Default: Audit Allowed: (Audit, Disabled) | | IF (4) •Microsoft.RecoveryServices/vaults/privateEndpointConnections[*] •Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].id •Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status •Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].provisioningState | IF (1) •Microsoft.RecoveryServices/vaults | Preview | BuiltIn |
Backup | Backup | 615b01c4-d565-4f6f-8c6e-d130268e3a1a | [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region | Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Backup Contributor | IF (3) •Microsoft.Storage/storageAccounts/isHnsEnabled •Microsoft.Storage/storageAccounts/isNfsV3Enabled •Microsoft.Storage/storageAccounts/sku.name THEN-ExistenceCondition (1) •Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled | IF (1) •Microsoft.Storage/StorageAccounts THEN-Deployment (3) •Microsoft.Resources/deployments •Microsoft.Storage/storageAccounts •Microsoft.Storage/storageAccounts/blobServices | Preview | BuiltIn |
Backup | Backup | 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 | [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region | Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Backup Contributor | IF (3) •Microsoft.Storage/storageAccounts/isHnsEnabled •Microsoft.Storage/storageAccounts/isNfsV3Enabled •Microsoft.Storage/storageAccounts/sku.name THEN-ExistenceCondition (1) •Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled | IF (1) •Microsoft.Storage/StorageAccounts THEN-Deployment (3) •Microsoft.Resources/deployments •Microsoft.Storage/storageAccounts •Microsoft.Storage/storageAccounts/blobServices | Preview | BuiltIn |
Backup | Backup | af783da1-4ad1-42be-800d-d19c70038820 | [Preview]: Configure Recovery Services vaults to use private DNS zones for backup | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId | IF (2) •Microsoft.Network/privateEndpoints •Microsoft.RecoveryServices/vaults | Preview | BuiltIn |
Backup | Backup | 8015d6ed-3641-4534-8d0b-5c67b67ff7de | [Preview]: Configure Recovery Services vaults to use private endpoints for backup | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain prerequisites to be eligible for private endpoint configuration. Learn more at: https://go.microsoft.com/fwlink/?linkid=2187162. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.RecoveryServices/vaults/backupStorageVersion | IF (1) •Microsoft.RecoveryServices/vaults THEN-Deployment (1) •Microsoft.Network/privateEndpoints | Preview | BuiltIn |
Backup | Backup | 013e242c-8828-4970-87b3-ab247555486d | Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (1) •Microsoft.Compute/imagePublisher | IF (1) •Microsoft.Compute/virtualMachines THEN-Details (1) •Microsoft.RecoveryServices/backupprotecteditems | GA | BuiltIn |
Backup | Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor, Backup Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.RecoveryServices/vaults | GA | BuiltIn |
Backup | Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor, Backup Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.Resources/deployments | GA | BuiltIn |
Backup | Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor, Backup Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.RecoveryServices/vaults | GA | BuiltIn |
Backup | Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Virtual Machine Contributor, Backup Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.Resources/deployments | GA | BuiltIn |
Backup | Backup | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed: deployIfNotExists | Monitoring Contributor, Log Analytics Contributor | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].Category •Microsoft.Insights/diagnosticSettings/logs[*].Enabled •Microsoft.Insights/diagnosticSettings/workspaceId | IF (1) •Microsoft.RecoveryServices/vaults | GA | BuiltIn |
Batch | Batch | 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a | Azure Batch account should use customer-managed keys to encrypt data | Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Batch/batchAccounts/encryption.keySource |
IF (1) •Microsoft.Batch/batchAccounts |
GA | BuiltIn | |
Batch | Batch | 1760f9d4-7206-436e-a28f-d9f3a5c8a227 | Azure Batch pools should have disk encryption enabled | Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption. | Default: Audit Allowed: (Audit, Disabled, Deny) | IF (1) •Microsoft.Batch/batchAccounts/pools/deploymentConfiguration.virtualMachineConfiguration.diskEncryptionConfiguration.targets[*] |
IF (1) •Microsoft.Batch/batchAccounts/pools |
GA | BuiltIn | |
Batch | Batch | 6f68b69f-05fe-49cd-b361-777ee9ca7e35 | Batch accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.Batch/batchAccounts/allowedAuthenticationModes •Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*] |
IF (1) •Microsoft.Batch/batchAccounts |
GA | BuiltIn | |
Batch | Batch | 4dbc2f5c-51cf-4e38-9179-c7028eed2274 | Configure Batch accounts to disable local authentication | Disable local authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (2) •Microsoft.Batch/batchAccounts/allowedAuthenticationModes •Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*] THEN-Operations (1) •Microsoft.Batch/batchAccounts/allowedAuthenticationModes |
IF (1) •Microsoft.Batch/batchAccounts |
GA | BuiltIn |
Batch | Batch | 0ef5aac7-c064-427a-b87b-d47b3ddcaf73 | Configure Batch accounts with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/batch/private-connectivity. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor | IF (1) •Microsoft.Batch/batchAccounts/publicNetworkAccess THEN-ExistenceCondition (1) •Microsoft.Batch/batchAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Batch/batchAccounts THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Batch | Batch | 4ec38ebc-381f-45ee-81a4-acbc4be878f8 | Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Batch | Batch | 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 | Metric alert rules should be configured on Batch accounts | Audit the configuration of metric alert rules on Batch accounts to ensure the required metric is monitored. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (3) •Microsoft.Insights/alertRules/condition.dataSource.metricName •Microsoft.Insights/alertRules/condition.dataSource.resourceUri •Microsoft.Insights/alertRules/isEnabled |
IF (1) •Microsoft.Batch/batchAccounts |
GA | BuiltIn | |
Batch | Batch | 009a0c92-f5b4-4776-9b66-4ed2b4775563 | Private endpoint connections on Batch accounts should be enabled | Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at https://docs.microsoft.com/azure/batch/private-connectivity. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Batch/batchAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Batch/batchAccounts |
GA | BuiltIn | |
Batch | Batch | 74c5a0ae-5e48-4738-b093-65e23a060488 | Public network access should be disabled for Batch accounts | Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Batch/batchAccounts/publicNetworkAccess |
IF (1) •Microsoft.Batch/batchAccounts |
GA | BuiltIn | |
Batch | Batch | 428256e6-1fac-4f48-a757-df34c2b3336d | Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.Batch/batchAccounts |
GA | BuiltIn | |
Bot Service | Bot Service | 6164527b-e1ee-4882-8673-572f425f5e0a | Bot Service endpoint should be a valid HTTPS URI | Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.BotService/botServices/endpoint |
IF (1) •Microsoft.BotService/botServices |
GA | BuiltIn | |
Bot Service | Bot Service | 51522a96-0869-4791-82f3-981000c2c67f | Bot Service should be encrypted with a customer-managed key | Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.BotService/botServices/isCmekEnabled |
IF (1) •Microsoft.BotService/botServices |
GA | BuiltIn | |
Bot Service | Bot Service | 52152f42-0dda-40d9-976e-abb1acdd611e | Bot Service should have isolated mode enabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.BotService/botServices/publicNetworkAccess |
IF (1) •Microsoft.BotService/botServices |
GA | BuiltIn | |
Bot Service | Bot Service | ffea632e-4e3a-4424-bf78-10e179bb2e1a | Bot Service should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.BotService/botServices/disableLocalAuth |
IF (1) •Microsoft.BotService/botServices |
GA | BuiltIn | |
Bot Service | Bot Service | 5e8168db-69e3-4beb-9822-57cb59202a9d | Bot Service should have public network access disabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.BotService/botServices/publicNetworkAccess |
IF (1) •Microsoft.BotService/botServices |
GA | BuiltIn | |
Bot Service | Bot Service | ad5621d6-a877-4407-aa93-a950b428315e | BotService resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your BotService resource, data leakage risks are reduced. | Default: Audit Allowed: (Audit, Disabled) | IF (2) •Microsoft.BotService/botServices/privateEndpointConnections[*] •Microsoft.BotService/botServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.BotService/botServices |
GA | BuiltIn | |
Bot Service | Bot Service | 6a4e6f44-f2af-4082-9702-033c9e88b9f8 | Configure BotService resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.BotService/botServices •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Bot Service | Bot Service | 29261f8e-efdb-4255-95b8-8215414515d6 | Configure BotService resources with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your BotService resource, you can reduce data leakage risks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | THEN-ExistenceCondition (1) •Microsoft.BotService/botServices/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.BotService/botServices THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Budget | Budget | Deploy-Budget | Deploy a default budget on all subscriptions under the assigned scope | Deploy a default budget on all subscriptions under the assigned scope | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Contributor | THEN-ExistenceCondition (3) •Microsoft.Consumption/budgets/amount •Microsoft.Consumption/budgets/category •Microsoft.Consumption/budgets/timeGrain |
IF (1) •Microsoft.Resources/subscriptions THEN-Deployment (1) •Microsoft.Consumption/budgets |
GA | ESLZ |
Budget | Budget | Deny-MachineLearning-ComputeCluster-Scale | Enforce scale settings for Azure Machine Learning compute clusters | Enforce scale settings for Azure Machine Learning compute clusters. | Default: Deny Allowed: (Audit, Disabled, Deny) | IF (3) •Microsoft.MachineLearningServices/workspaces/computes/computeType •Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount •Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount |
IF (1) •Microsoft.MachineLearningServices/workspaces/computes |
GA | ESLZ | |
Budget | Budget | Deny-MachineLearning-Compute-VmSize | Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances | Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances. | Default: Deny Allowed: (Audit, Disabled, Deny) | IF (2) •Microsoft.MachineLearningServices/workspaces/computes/computeType •Microsoft.MachineLearningServices/workspaces/computes/vmSize |
IF (1) •Microsoft.MachineLearningServices/workspaces/computes |
GA | ESLZ | |
Cache | Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | [Deprecated]: Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Cache/Redis/subnetId |
IF (1) •Microsoft.Cache/redis |
Deprecated | BuiltIn | |
Cache | Cache | Append-Redis-sslEnforcement | Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. | Append a specific minimum TLS version requirement and enforce SSL on Azure Cache for Redis. Enforcing a minimum TLS version secures the connection between your cache and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the cache and your application. This configuration enforces that SSL is always enabled for accessing your cache. | Default: Append Allowed: (Append, Disabled) | IF (1) •Microsoft.Cache/Redis/minimumTlsVersion THEN-Details (1) •Microsoft.Cache/Redis/minimumTlsVersion |
IF (1) •Microsoft.Cache/redis |
GA | ESLZ | |
Cache | Cache | Append-Redis-disableNonSslPort | Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. | Append enableNonSslPort = false to Azure Cache for Redis so that the non-SSL port stays disabled. Disabling the non-SSL port means clients can only connect over TLS, which helps protect against 'man in the middle' attacks by encrypting the data stream between the cache and your application. This configuration enforces that SSL is always enabled for accessing your cache. | Default: Append Allowed: (Append, Disabled, Modify) | IF (1) •Microsoft.Cache/Redis/enableNonSslPort THEN-Details (1) •Microsoft.Cache/Redis/enableNonSslPort |
IF (1) •Microsoft.Cache/redis |
GA | ESLZ | |
Cache | Cache | Deny-Redis-http | Azure Cache for Redis only secure connections should be enabled | Audit or deny Azure Cache for Redis instances that accept connections other than over SSL. Validates both that a minimum TLS version is set and that enableNonSslPort is disabled. Use of secure connections ensures authentication between the client and the server and protects data in transit from network-layer attacks such as man-in-the-middle, eavesdropping and session hijacking. | Default: Deny Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.Cache/Redis/enableNonSslPort •Microsoft.Cache/Redis/minimumTlsVersion |
IF (1) •Microsoft.Cache/redis |
GA | ESLZ | |
Cache | Cache | 470baccb-7e51-4549-8b1a-3e5be069f663 | Azure Cache for Redis should disable public network access | Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Cache/Redis/publicNetworkAccess |
IF (1) •Microsoft.Cache/Redis |
GA | BuiltIn | |
Cache | Cache | 7803067c-7d34-46e3-8c79-0ca68fc4036d | Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Cache/redis/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Cache/redis |
GA | BuiltIn | |
Cache | Cache | 30b3dfa5-a70d-4c8e-bed6-0083858f663d | Configure Azure Cache for Redis to disable public network access | Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks. | Default: Modify Allowed: (Modify, Disabled) | Redis Cache Contributor | IF (1) •Microsoft.Cache/Redis/publicNetworkAccess THEN-Operations (1) •Microsoft.Cache/Redis/publicNetworkAccess |
IF (1) •Microsoft.Cache/Redis |
GA | BuiltIn |
Cache | Cache | e016b22b-e0eb-436d-8fd7-160c4eaed6e2 | Configure Azure Cache for Redis to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Cache | Cache | 5d8094d7-7340-465a-b6fd-e60ab7e48920 | Configure Azure Cache for Redis with private endpoints | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Redis Cache Contributor | THEN-ExistenceCondition (1) •Microsoft.Cache/redis/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Cache/redis THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Cache | Cache | 22bee202-a82f-4305-9a2a-6d7f44d4dedb | Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the client and the server and protects data in transit from network-layer attacks such as man-in-the-middle, eavesdropping and session hijacking. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Cache/Redis/enableNonSslPort |
IF (1) •Microsoft.Cache/redis |
GA | BuiltIn | |
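The Batch rows above (local authentication methods, resource logs) and the Cache rows (Deny-Redis-http, only secure connections) all reduce to a handful of Azure Policy condition shapes: `allOf`/`anyOf` over `field` comparisons, `exists` checks, a `count` over a `[*]` array alias such as allowedAuthenticationModes[*], and, for AuditIfNotExists, an `existenceCondition` evaluated against a related resource such as a diagnostic setting. The Python below is an added example, not code from this page or from Microsoft: a toy evaluator for those shapes. The three rule bodies in RULES are reconstructions from the aliases the table lists and are assumptions (the real built-ins are parameterised and carry more clauses), the sample resources in SAMPLES, DIAG_ON and DIAG_OFF are constructed rather than real ARM output, and the "AAD"/"SharedKey" mode names and the "ServiceLog" category are used as illustrative values.

```python
"""Toy evaluator for the Azure Policy rule shapes in the rows above: allOf/anyOf, field
equals/notEquals/exists, count over '[*]' aliases, and an existenceCondition. Added
illustration, not Microsoft's engine; rule bodies are reconstructions (assumptions)."""

MISSING = object()  # sentinel: the resource has no such field


def _walk(value, parts: list) -> list:
    """Resolve a property path; a '[*]' segment fans out over array elements."""
    if not parts or parts == [""]:
        return [value]
    head, rest = parts[0], parts[1:]
    if head.endswith("[*]"):
        arr = value.get(head[:-3], MISSING) if isinstance(value, dict) else MISSING
        return [MISSING] if arr is MISSING else [v for e in arr for v in _walk(e, rest)]
    nxt = value.get(head, MISSING) if isinstance(value, dict) else MISSING
    return [MISSING] if nxt is MISSING else _walk(nxt, rest)


def field_values(resource: dict, alias: str) -> list:
    """Map an alias such as 'Microsoft.Cache/Redis/minimumTlsVersion' onto properties."""
    if alias == "type":
        return [resource["type"]]
    prefix = resource["type"].lower() + "/"
    if not alias.lower().startswith(prefix):
        return [MISSING]  # alias belongs to a different resource type
    return _walk(resource.get("properties", {}), alias[len(prefix):].split("."))


def evaluate(cond: dict, resource: dict, current=None) -> bool:
    """Evaluate one condition; `current` binds the array element inside a count/where."""
    if "allOf" in cond:
        return all(evaluate(c, resource, current) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, current) for c in cond["anyOf"])
    if "count" in cond:
        spec = cond["count"]
        n = sum(1 for v in field_values(resource, spec["field"]) if v is not MISSING
                and evaluate(spec["where"], resource, (spec["field"], v)))
        return n > cond["greater"] if "greater" in cond else n == cond["equals"]
    alias = cond["field"]
    if current and alias.lower().startswith(current[0].lower()):  # path relative to element
        vals = _walk(current[1], alias[len(current[0]):].lstrip(".").split("."))
    else:
        vals = field_values(resource, alias)
    if "exists" in cond:
        return any(v is not MISSING for v in vals) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:  # strings and booleans compare case-insensitively, as in Azure
        return all(v is not MISSING and str(v).lower() == str(cond["equals"]).lower() for v in vals)
    # notEquals: an absent field counts as "not equal" (this evaluator's assumption)
    return all(v is MISSING or str(v).lower() != str(cond["notEquals"]).lower() for v in vals)


def is_compliant(policy: dict, resource: dict, related=()) -> bool:
    """Audit/Deny: non-compliant when 'if' matches; AuditIfNotExists: needs a related match."""
    if not evaluate(policy["if"], resource):
        return True  # rule does not fire (also covers non-applicable resource types)
    then = policy["then"]
    if then["effect"].lower() in ("audit", "deny"):
        return False
    d = then["details"]
    return any(r["type"].lower() == d["type"].lower() and evaluate(d["existenceCondition"], r)
               for r in related)


R, B = "Microsoft.Cache/Redis", "Microsoft.Batch/batchAccounts"
D = "Microsoft.Insights/diagnosticSettings"
RULES = {  # reconstructed rule bodies (assumptions), keyed by the table's display names
    "Deny-Redis-http": {"if": {"allOf": [
        {"field": "type", "equals": R},
        {"anyOf": [{"field": f"{R}/enableNonSslPort", "equals": True},
                   {"field": f"{R}/minimumTlsVersion", "exists": "false"},
                   {"field": f"{R}/minimumTlsVersion", "notEquals": "1.2"}]}]},
        "then": {"effect": "Deny"}},
    "Batch accounts should have local authentication methods disabled": {"if": {"allOf": [
        {"field": "type", "equals": B},
        {"anyOf": [{"field": f"{B}/allowedAuthenticationModes", "exists": "false"},
                   {"count": {"field": f"{B}/allowedAuthenticationModes[*]",
                              "where": {"field": f"{B}/allowedAuthenticationModes[*]",
                                        "equals": "SharedKey"}}, "greater": 0}]}]},
        "then": {"effect": "Audit"}},
    "Resource logs in Batch accounts should be enabled": {
        "if": {"field": "type", "equals": B},
        "then": {"effect": "AuditIfNotExists", "details": {"type": D, "existenceCondition": {
            "count": {"field": f"{D}/logs[*]",
                      "where": {"field": f"{D}/logs[*].enabled", "equals": True}},
            "greater": 0}}}},
}
SAMPLES = {  # constructed sample resources, not real ARM output
    "redis-legacy": {"type": R, "properties": {"enableNonSslPort": True}},
    "redis-hardened": {"type": R, "properties": {"enableNonSslPort": False, "minimumTlsVersion": "1.2"}},
    "batch-sharedkey": {"type": B, "properties": {"allowedAuthenticationModes": ["AAD", "SharedKey"]}},
    "batch-aad-only": {"type": B, "properties": {"allowedAuthenticationModes": ["AAD"]}},
}
DIAG_ON = [{"type": D, "properties": {"logs": [{"category": "ServiceLog", "enabled": True}]}}]
DIAG_OFF = [{"type": D, "properties": {"logs": [{"category": "ServiceLog", "enabled": False}]}}]
```

Two results are worth noticing. A Redis instance with no minimumTlsVersion at all is non-compliant under Deny-Redis-http because the `exists: false` clause fires, which is exactly the gap the Append-Redis-sslEnforcement row closes by writing the field in. For the AuditIfNotExists rule, a diagnostic setting whose only category is disabled evaluates the same as having no diagnostic setting, so the existence of a Microsoft.Insights/diagnosticSettings child is not enough on its own.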
CDN | CDN | dfc212af-17ea-423a-9dcb-91e2cb2caa6b | Azure Front Door profiles should use Premium tier that supports managed WAF rules and private link | Azure Front Door Premium supports Azure managed WAF rules and private link to supported Azure origins. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Cdn/Profiles/sku.name |
IF (1) •Microsoft.Cdn/Profiles |
GA | BuiltIn | |
CDN | CDN | 679da822-78a7-4eff-8fff-a899454a9970 | Azure Front Door Standard and Premium should be running minimum TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your custom domains are accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they are weak and do not support modern cryptographic algorithms. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Cdn/profiles/customDomains/tlsSettings.minimumTlsVersion |
IF (1) •Microsoft.Cdn/profiles/customDomains |
GA | BuiltIn | |
CDN | CDN | daba2cce-8326-4af3-b049-81a362da024d | Secure private connectivity between Azure Front Door Premium and Azure Storage Blob, or Azure App Service | Private link ensures private connectivity between AFD Premium and Azure Storage Blob or Azure App Service over the Azure backbone network, without the Azure Storage Blob or the Azure App Service being publicly exposed to the internet. | Default: Audit Allowed: (Audit, Disabled) | IF (2) •Microsoft.Cdn/profiles/originGroups/origins/hostName •Microsoft.Cdn/profiles/originGroups/origins/sharedPrivateLinkResource.privateLink |
IF (1) •Microsoft.Cdn/profiles/originGroups/origins |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | 2bdd0062-9d75-436e-89df-487dd8e4b3c7 | [Deprecated]: Cognitive Services accounts should enable data encryption | This policy is deprecated. Cognitive Services have data encryption enforced. | Default: Disabled Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.CognitiveServices/accounts/encryption •Microsoft.CognitiveServices/accounts/encryption.keySource |
IF (1) •Microsoft.CognitiveServices/accounts |
Deprecated | BuiltIn | |
Cognitive Services | Cognitive Services | 11566b39-f7f7-4b82-ab06-68d8700eb0a4 | [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. | This policy is deprecated. Cognitive Services have data encryption enforced. | Default: Disabled Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.CognitiveServices/accounts/encryption •Microsoft.CognitiveServices/accounts/encryption.keySource |
IF (1) •Microsoft.CognitiveServices/accounts |
Deprecated | BuiltIn | |
Cognitive Services | Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Cognitive Services accounts should disable public network access | Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (3) •Microsoft.CognitiveServices/accounts/capabilities[*] •Microsoft.CognitiveServices/accounts/capabilities[*].name •Microsoft.CognitiveServices/accounts/publicNetworkAccess |
IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (3) •Microsoft.CognitiveServices/accounts/capabilities[*] •Microsoft.CognitiveServices/accounts/capabilities[*].name •Microsoft.CognitiveServices/accounts/encryption.keySource |
IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | 71ef260a-8f18-47b7-abcb-62d0673d94dc | Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.CognitiveServices/accounts/disableLocalAuth |
IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (3) •Microsoft.CognitiveServices/accounts/capabilities[*] •Microsoft.CognitiveServices/accounts/capabilities[*].name •Microsoft.CognitiveServices/accounts/networkAcls.defaultAction |
IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | fe3fd216-4f83-4fc1-8984-2bbec80a3418 | Cognitive Services accounts should use a managed identity | Assigning a managed identity to your Cognitive Services account helps ensure secure authentication. This identity is used by the Cognitive Services account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn | ||
Cognitive Services | Cognitive Services | 46aa9b05-0e60-4eae-a88b-1e9d374fa515 | Cognitive Services accounts should use customer owned storage | Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.CognitiveServices/accounts/capabilities[*] •Microsoft.CognitiveServices/accounts/capabilities[*].name |
IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | cddd188c-4b82-4c48-a19d-ddf74ee66a01 | Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: Audit Allowed: (Audit, Disabled) | IF (4) •Microsoft.CognitiveServices/accounts/capabilities[*] •Microsoft.CognitiveServices/accounts/capabilities[*].name •Microsoft.CognitiveServices/accounts/privateEndpointConnections[*] •Microsoft.CognitiveServices/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | 14de9e63-1b31-492e-a5a3-c3f7fd57f555 | Configure Cognitive Services accounts to disable local authentication methods | Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.CognitiveServices/accounts/disableLocalAuth THEN-Operations (1) •Microsoft.CognitiveServices/accounts/disableLocalAuth |
IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn |
Cognitive Services | Cognitive Services | 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c | Configure Cognitive Services accounts to disable public network access | Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: Modify Allowed: (Disabled, Modify) | Contributor | IF (3) •Microsoft.CognitiveServices/accounts/capabilities[*] •Microsoft.CognitiveServices/accounts/capabilities[*].name •Microsoft.CognitiveServices/accounts/publicNetworkAccess THEN-Operations (1) •Microsoft.CognitiveServices/accounts/publicNetworkAccess |
IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn |
Cognitive Services | Cognitive Services | c4bc6f10-cb41-49eb-b000-d5ab82e2a091 | Configure Cognitive Services accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.CognitiveServices/accounts •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Cognitive Services | Cognitive Services | db630ad5-52e9-4f4d-9c44-53912fe40053 | Configure Cognitive Services accounts with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, Cognitive Services Contributor | IF (2) •Microsoft.CognitiveServices/accounts/capabilities[*] •Microsoft.CognitiveServices/accounts/capabilities[*].name THEN-ExistenceCondition (1) •Microsoft.CognitiveServices/accounts/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.CognitiveServices/accounts THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
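The Append rows for Azure Cache for Redis above (Append-Redis-sslEnforcement, Append-Redis-disableNonSslPort) and the Modify rows for Batch, Azure Cache for Redis and Cognitive Services (the "Configure ... to disable ..." policies) do not report compliance; they rewrite the request. Append sets a field only when it is absent (for a `[*]` alias it adds to the array), and if the request already carries a different value Append behaves as Deny rather than overwriting it. Modify applies `addOrReplace`/`add`/`remove` operations, and because the same operations can run as a remediation task against existing resources, a Modify assignment needs a managed identity holding the roles in the Roles column. The Python below is an added example, not Microsoft's engine or the page's code: the effect bodies (APPEND_REDIS_TLS, APPEND_REDIS_NO_NONSSL, MODIFY_BATCH_AAD_ONLY, MODIFY_COGSVC_NO_LOCAL) are reconstructions from the aliases the table lists and are assumptions, the `add` operation is modelled as set-if-absent, and every request body is constructed.

```python
"""Toy model of the Append and Modify effects in the rows above. Added illustration,
not Microsoft's policy engine; the effect bodies below are reconstructions
(assumptions) of the listed policies, and every request body is constructed."""
import copy


class RequestDenied(Exception):
    """Append acts as Deny when it would have to overwrite a conflicting value."""


def _prop(alias: str) -> str:
    # '.../batchAccounts/allowedAuthenticationModes' -> 'allowedAuthenticationModes'
    # (assumes the aliases used here map to top-level properties, which these do)
    return alias.rsplit("/", 1)[1]


def apply_append(request: dict, details: list) -> dict:
    """Append: set the field when absent; add to the array for a '[*]' alias; deny the
    request when a non-array field is already present with a different value."""
    request = copy.deepcopy(request)
    props = request.setdefault("properties", {})
    for d in details:
        name = _prop(d["field"])
        if name.endswith("[*]"):
            props.setdefault(name[:-3], []).append(d["value"])
        elif name not in props:
            props[name] = d["value"]
        elif props[name] != d["value"]:
            raise RequestDenied(f"{name}={props[name]!r} conflicts with appended {d['value']!r}")
    return request


def apply_modify(request: dict, operations: list) -> dict:
    """Modify: addOrReplace / add / remove on the request body (the same operations run
    against existing resources in a remediation task, using the assignment's identity)."""
    request = copy.deepcopy(request)
    props = request.setdefault("properties", {})
    for op in operations:
        name, kind = _prop(op["field"]), op["operation"]
        if kind == "addOrReplace":
            props[name] = op["value"]
        elif kind == "add":  # modelled as set-if-absent (assumption)
            props.setdefault(name, op["value"])
        elif kind == "remove":
            props.pop(name, None)
        else:
            raise ValueError(f"unknown Modify operation {kind!r}")
    return request


# Reconstructed effect bodies (assumptions) for the table rows named in the lead-in.
APPEND_REDIS_TLS = [{"field": "Microsoft.Cache/Redis/minimumTlsVersion", "value": "1.2"}]
APPEND_REDIS_NO_NONSSL = [{"field": "Microsoft.Cache/Redis/enableNonSslPort", "value": False}]
MODIFY_BATCH_AAD_ONLY = [{"operation": "addOrReplace",
                          "field": "Microsoft.Batch/batchAccounts/allowedAuthenticationModes",
                          "value": ["AAD"]}]
MODIFY_COGSVC_NO_LOCAL = [{"operation": "addOrReplace",
                           "field": "Microsoft.CognitiveServices/accounts/disableLocalAuth",
                           "value": True}]


def harden_redis_create(request: dict) -> dict:
    """Run a Redis create/update request through both Append policies in turn."""
    return apply_append(apply_append(request, APPEND_REDIS_TLS), APPEND_REDIS_NO_NONSSL)


if __name__ == "__main__":
    for body in ({}, {"minimumTlsVersion": "1.2"}, {"enableNonSslPort": True}):
        try:  # constructed requests: empty, already hardened, and one that conflicts
            print(harden_redis_create({"type": "Microsoft.Cache/Redis", "properties": body}))
        except RequestDenied as err:
            print("denied:", err)
```

The practical consequence is that an Append policy is safe to assign broadly: a deployment that omits minimumTlsVersion gets 1.2 written in, one that already asks for 1.2 passes untouched, and one that explicitly asks for enableNonSslPort = true is refused rather than silently changed. If you want existing resources fixed rather than new requests shaped, the Modify rows with their Roles column are the tool, and the remediation task is what applies them to what is already deployed.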
Compute | Compute | 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 | [Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs | This policy deploys the Log Analytics Extension on Ubuntu VMs, and connects to the selected Log Analytics workspace | Fixed: deployIfNotExists | Log Analytics Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (2) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions |
Deprecated | BuiltIn |
Compute | Compute | 2c89a2e5-7285-40fe-afe0-ae8654b92fb2 | [Deprecated]: Unattached disks should be encrypted | This policy audits any unattached disk without encryption enabled. | Default: Audit Allowed: (Audit, Disabled) | IF (2) •Microsoft.Compute/disks/diskState •Microsoft.Compute/disks/encryptionSettingsCollection.enabled |
IF (1) •Microsoft.Compute/disks |
Deprecated | BuiltIn | |
Compute | Compute | cccc23c7-8427-4f53-ad12-b6a63eb452b3 | Allowed virtual machine size SKUs | This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Fixed: Deny | IF (1) •Microsoft.Compute/virtualMachines/sku.name |
IF (1) •Microsoft.Compute/virtualMachines |
GA | BuiltIn | |
Compute | Compute | 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 | Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Fixed: auditIfNotExists | IF (1) •Microsoft.ClassicCompute/virtualMachines |
GA | BuiltIn | ||
Compute | Compute | 06a78e20-9358-41c9-923c-fb736d382a4d | Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks | Fixed: audit | IF (3) •Microsoft.Compute/virtualMachines/osDisk.uri •Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl •Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.Compute/VirtualMachineScaleSets |
GA | BuiltIn | |
Compute | Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configured are vulnerable to outages and other disruptions. If a virtual machine does not already have disaster recovery configured, this policy enables replication with preset configurations to support business continuity. You can optionally include or exclude virtual machines carrying a specified tag to control the scope of the assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Owner | THEN-ExistenceCondition (1) •Microsoft.Resources/links/targetId |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (7) •Microsoft.Compute/availabilitySets •Microsoft.Compute/proximityPlacementGroups •Microsoft.Network/virtualNetworks •Microsoft.RecoveryServices/replicationEligibilityResults •Microsoft.RecoveryServices/vaults •Microsoft.Resources/deployments •Microsoft.Storage/storageAccounts |
GA | BuiltIn |
Compute | Compute | bc05b96c-0b36-4ca9-82f0-5c53f96ce05a | Configure disk access resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.Compute/diskAccesses •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Compute | Compute | 582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5 | Configure disk access resources with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor | THEN-ExistenceCondition (1) •Microsoft.Compute/diskAccesses/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Compute/diskAccesses THEN-Deployment (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Compute | Compute | compute_configure-managed-disks-to-disable-public-access | Configure managed disks to disable public access | This policy configures managed disks to disable public access. | Default: modify Allowed: (deny, audit, disabled, modify) | Contributor | IF (1) •Microsoft.Compute/disks/networkAccessPolicy THEN-Operations (1) •Microsoft.Compute/disks/networkAccessPolicy |
GA | Community | |
Compute | Compute | 8426280e-b5be-43d9-979e-653d12a08638 | Configure managed disks to disable public network access | Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.Compute/disks/networkAccessPolicy THEN-Operations (2) •Microsoft.Compute/disks/diskAccessId •Microsoft.Compute/disks/networkAccessPolicy |
IF (1) •Microsoft.Compute/disks |
GA | BuiltIn |
Compute | Compute | compute_deploy-hybrid-benefit-windows | Deploy Azure Hybrid Benefit for Windows. | This policy ensures virtual machines are configured for Azure Hybrid Benefit for Windows Client and Server - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/hybrid-use-benefit-licensing#ways-to-use-azure-hybrid-benefit-for-windows-server. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor | IF (2) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher THEN-ExistenceCondition (1) •Microsoft.Compute/virtualMachines/licenseType |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines |
GA | Community |
Compute | Compute | monitoring_deploy-oms-agent-based-on-region-linux | Deploy default Log Analytics VM Extension for Linux VMs. | This policy deploys Log Analytics VM Extensions on Linux VMs in specific regions, and connects to the selected Log Analytics workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor | IF (1) •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/settings.workspaceId •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.compute/virtualmachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions |
GA | Community |
Compute | Compute | monitoring_deploy-oms-agent-based-on-region-windows | Deploy default Log Analytics VM Extension for Windows VMs. | This policy deploys Log Analytics VM Extensions on Windows VMs in specific regions, and connects to the selected Log Analytics workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor | IF (1) •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/settings.workspaceId •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.compute/virtualmachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions |
GA | Community |
Compute | Compute | 2835b622-407b-4114-9198-6f7064cbe0dc | Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | Fixed: deployIfNotExists | Virtual Machine Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (2) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions |
GA | BuiltIn |
Compute | Compute | hybridusebenefits_deploy-hybrid-use-windows-server | Deploy hybrid use for Windows Server | This policy enables Azure Hybrid Use Benefit (HUB) for Windows Server VMs by setting their license type. | Fixed: deployIfNotExists | Owner | IF (1) •Microsoft.Compute/virtualMachines/imageOffer THEN-ExistenceCondition (1) •Microsoft.Compute/virtualMachines/licenseType |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines |
GA | Community |
Compute | Compute | compute_deploy-or-audit-auto-shutdown-by-tag-value-on-vm | Deploy VM auto shutdown | Default: audit Allowed: (audit, Deny, DeployIfNotExists, Disabled) | Virtual Machine Contributor | THEN-ExistenceCondition (2) •Microsoft.DevTestLab/labs/virtualMachines/schedules/status •Microsoft.DevTestLab/labs/virtualMachines/schedules/targetResourceId |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.devtestlab/schedules |
GA | Community | |
Compute | Compute | f39f5f49-4abf-44de-8c70-0756997bfb51 | Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Compute/diskAccesses/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Compute/diskAccesses |
GA | BuiltIn | |
Compute | Compute | ca91455f-eace-4f96-be59-e6e2c35b4816 | Managed disks should be double encrypted with both platform-managed and customer-managed keys | Customers with highly sensitive workloads who are concerned about the risk of any particular encryption algorithm, implementation, or key being compromised can opt for an additional layer of encryption at the infrastructure layer, using a different encryption algorithm/mode and platform-managed keys. Disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Compute/diskEncryptionSets/encryptionType |
IF (1) •Microsoft.Compute/diskEncryptionSets |
GA | BuiltIn | |
Compute | Compute | 8405fdab-1faf-48aa-b702-999c9c172094 | Managed disks should disable public network access | Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.Compute/disks/networkAccessPolicy |
IF (1) •Microsoft.Compute/disks |
GA | BuiltIn | |
Compute | Compute | d461a302-a187-421a-89ac-84acdb4edc04 | Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption | Requiring a specific set of disk encryption sets to be used with managed disks gives you control over the keys used for encryption at rest. You select the allowed disk encryption sets; a disk attached with any other disk encryption set is rejected. Learn more at https://aka.ms/disks-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (9) •Microsoft.Compute/disks/encryption.diskEncryptionSetId •Microsoft.Compute/disks/managedBy •Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId •Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.osDiskImage.diskEncryptionSetId •Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id •Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.managedDisk.diskEncryptionSet.id |
IF (5) •Microsoft.Compute/disks •Microsoft.Compute/galleries/images/versions •Microsoft.Compute/images •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachineScaleSets |
GA | BuiltIn | |
Compute | Compute | c43e4a30-77cb-48ab-a4dd-93f175c63b57 | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | IF (1) •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines |
GA | BuiltIn | |
Compute | Compute | 9b597639-28e4-48eb-b506-56b05d366257 | Microsoft IaaSAntimalware extension should be deployed on Windows servers | This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (2) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines |
GA | BuiltIn | |
Compute | Compute | c0e996f8-39cf-4af9-9f45-83fbde810432 | Only approved VM extensions should be installed | This policy audits or denies virtual machine extensions whose type is not on the list of approved extensions. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines/extensions |
GA | BuiltIn | |
Compute | Compute | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (10) •Microsoft.Compute/disks/encryption.diskEncryptionSetId •Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*] •Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId •Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id •Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.id •Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.managedDisk.diskEncryptionSet.id |
IF (5) •Microsoft.Compute/disks •Microsoft.Compute/galleries/images/versions •Microsoft.Compute/images •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachineScaleSets |
GA | BuiltIn | |
Compute | Compute | 465f0161-0087-490a-9ad9-ad6217f4f43a | Require automatic OS image patching on Virtual Machine Scale Sets | This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month. | Fixed: deny | IF (2) •Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade •Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade |
IF (1) •Microsoft.Compute/virtualMachineScaleSets |
GA | BuiltIn | |
Compute | Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable logs so that an activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (2) •Microsoft.Compute/virtualMachineScaleSets/extensions/publisher •Microsoft.Compute/virtualMachineScaleSets/extensions/type |
IF (1) •Microsoft.Compute/virtualMachineScaleSets |
GA | BuiltIn | |
Compute | Compute | fc4d8e41-e223-45ea-9bf5-eada37891d87 | Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost •Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.encryptionAtHost |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachineScaleSets |
GA | BuiltIn | |
Compute | Compute | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | Virtual machines should be migrated to new Azure Resource Manager resources | Use the new Azure Resource Manager deployment model for your virtual machines to gain security enhancements such as stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to Key Vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.ClassicCompute/virtualMachines •Microsoft.Compute/virtualMachines |
GA | BuiltIn | ||
Container App | Container App | 783ea2a8-b8fd-46be-896a-9ae79643a0b1 | Container Apps should disable external network access | Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.App/containerApps/configuration.ingress •Microsoft.App/containerApps/configuration.ingress.external |
IF (1) •Microsoft.App/containerApps |
GA | BuiltIn | |
Container App | Container App | 2b585559-a78e-4cc4-b1aa-fb169d2f6b96 | Authentication should be enabled on Container Apps | Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that carry tokens before they reach the Container App. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.App/containerApps/authConfigs/platform.enabled |
IF (1) •Microsoft.App/containerApps |
GA | BuiltIn | |
Container App | Container App | 7c9f3fbb-739d-4844-8e42-97e3be6450e0 | Container App should configure with volume mount | Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.App/containerApps |
GA | BuiltIn | ||
Container App | Container App | d074ddf8-01a5-4b5e-a2b8-964aed452c0a | Container Apps environment should disable public network access | Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.App/managedEnvironments/vnetConfiguration •Microsoft.App/managedEnvironments/vnetConfiguration.internal |
IF (1) •Microsoft.App/managedEnvironments |
GA | BuiltIn | |
Container App | Container App | 0e80e269-43a4-4ae9-b5bc-178126b8a5cb | Container Apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.App/containerApps/configuration.ingress.allowInsecure |
IF (1) •Microsoft.App/containerApps |
GA | BuiltIn | |
Container App | Container App | b874ab2d-72dd-47f1-8cb5-4a306478a4e7 | Managed Identity should be enabled for Container Apps | Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication without storing credentials. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.App/containerApps |
GA | BuiltIn | ||
Container Apps | Container Apps | 8b346db6-85af-419b-8557-92cee2c0f9bb | Container App environments should use network injection | Container App environment should use virtual network injection. It isolates Container Apps from the Internet, unlocks advanced Container Apps networking and security features, and provides you with greater control over your network security configuration. | Default: Audit Allowed: (Audit, Disabled, Deny) | IF (1) •Microsoft.App/managedEnvironments/vnetConfiguration.infrastructureSubnetId |
IF (1) •Microsoft.App/managedEnvironments |
GA | BuiltIn | |
Container Instance | Container Instance | 8af8f826-edcb-4178-b35f-851ea6fea615 | Azure Container Instance container group should deploy into a virtual network | Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. | Default: Audit Allowed: (Audit, Disabled, Deny) | IF (1) •Microsoft.ContainerInstance/containerGroups/networkProfile.id |
IF (1) •Microsoft.ContainerInstance/containerGroups |
GA | BuiltIn | |
Container Instance | Container Instance | 0aa61e00-0a01-4a3c-9945-e93cffedf0e6 | Azure Container Instance container group should use customer-managed key for encryption | Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default: Audit Allowed: (Audit, Disabled, Deny) | IF (2) •Microsoft.ContainerInstance/containerGroups/encryptionProperties.keyName •Microsoft.ContainerInstance/containerGroups/encryptionProperties.vaultBaseUrl |
IF (1) •Microsoft.ContainerInstance/containerGroups |
GA | BuiltIn | |
Container Registry | Container Registry | cced2946-b08a-44fe-9fd9-e4ed8a779897 | Configure container registries to disable anonymous authentication. | Disable anonymous pull for your registry so that data is not accessible to unauthenticated users. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.ContainerRegistry/registries/anonymousPullEnabled THEN-Operations (1) •Microsoft.ContainerRegistry/registries/anonymousPullEnabled |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn |
Container Registry | Container Registry | 79fdfe03-ffcb-4e55-b4d0-b925b8241759 | Configure container registries to disable local admin account. | Disable the admin account for your registry so that it cannot be accessed with the local admin credentials. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.ContainerRegistry/registries/adminUserEnabled THEN-Operations (1) •Microsoft.ContainerRegistry/registries/adminUserEnabled |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn |
Container Registry | Container Registry | a3701552-92ea-433e-9d17-33b7f1208fc9 | Configure Container registries to disable public network access | Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.ContainerRegistry/registries/publicNetworkAccess THEN-Operations (1) •Microsoft.ContainerRegistry/registries/publicNetworkAccess |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn |
Container Registry | Container Registry | a9b426fe-8856-4945-8600-18c5dd1cca2a | Configure container registries to disable repository scoped access token. | Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.ContainerRegistry/registries/tokens/status THEN-Operations (1) •Microsoft.ContainerRegistry/registries/tokens/status |
IF (1) •Microsoft.ContainerRegistry/registries/tokens |
GA | BuiltIn |
Container Registry | Container Registry | e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 | Configure Container registries to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Container Registry | Container Registry | d85c6833-7d33-4cf5-a915-aaa2de84405f | Configure Container registries with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor | IF (1) •Microsoft.ContainerRegistry/registries/sku.name THEN-ExistenceCondition (1) •Microsoft.ContainerRegistry/registries/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.ContainerRegistry/registries THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Container Registry | Container Registry | containerregistry_container-registries-prevent-access-to-trusted-services | Container Registries prevent access to trusted services | This policy configures container registry acr_firewall_bypass to prevent access to trusted services | Default: Deny Allowed: (Audit, Deny, Disabled) | GA | Community | |||
Container Registry | Container Registry | containerregistry_container-registries-prevent-managed-identity | Container Registries prevent managed identity | This policy configures container registry to prevent managed identity | Default: Deny Allowed: (Audit, Deny, Disabled) | GA | Community | |||
Container Registry | Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerRegistry/registries/encryption.status |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn | |
Container Registry | Container Registry | 9f2dea28-e834-476c-99c5-3507b4728395 | Container registries should have anonymous authentication disabled. | Disable anonymous pull for your registry so that data is not accessible to unauthenticated users. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerRegistry/registries/anonymousPullEnabled |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn | |
Container Registry | Container Registry | 524b0254-c285-4903-bee6-bb8126cde579 | Container registries should have exports disabled | Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.ContainerRegistry/registries/policies.exportPolicy.status •Microsoft.ContainerRegistry/registries/publicNetworkAccess |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn | |
Container Registry | Container Registry | dc921057-6b28-4fbe-9b83-f7bec05db6c2 | Container registries should have local admin account disabled. | Disable the admin account for your registry so that it cannot be accessed with the local admin credentials. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerRegistry/registries/adminUserEnabled |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn | |
Container Registry | Container Registry | ff05e24e-195c-447e-b322-5e90c9f9f366 | Container registries should have repository scoped access token disabled. | Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.ContainerRegistry/registries/tokens/status | IF (1) •Microsoft.ContainerRegistry/registries/tokens | GA | BuiltIn |
Container Registry | Container Registry | bd560fc0-3c69-498a-ae9f-aa8eb7de0e13 | Container registries should have SKUs that support Private Links | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.ContainerRegistry/registries/sku.name | IF (1) •Microsoft.ContainerRegistry/registries | GA | BuiltIn |
Container Registry | Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here: https://aka.ms/acr/vnet. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction | IF (1) •Microsoft.ContainerRegistry/registries | GA | BuiltIn |
Container Registry | Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Default: Audit Allowed: (Audit, Disabled) | | IF (2) •Microsoft.ContainerRegistry/registries/privateEndpointConnections[*] •Microsoft.ContainerRegistry/registries/privateEndpointConnections[*].privateLinkServiceConnectionState.status | IF (1) •Microsoft.ContainerRegistry/registries | GA | BuiltIn |
Container Registry | Container Registry | containerregistry_container-registry-admin-user-filter | Enforce Admin User is disabled on all Container Registry instances | This policy ensures Admin User is disabled on all Container Registry instances. | Fixed: deny | | IF (1) •Microsoft.ContainerRegistry/registries/adminUserEnabled | IF (1) •Microsoft.ContainerRegistry/registries | GA | Community |
Container Registry | Container Registry | 0fdf0491-d080-4575-b627-ad0e843cba0f | Public network access should be disabled for Container registries | Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.ContainerRegistry/registries/publicNetworkAccess | IF (1) •Microsoft.ContainerRegistry/registries | GA | BuiltIn |
Cosmos DB | Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default: Deny Allowed: (Audit, Deny, Disabled) | | IF (4) •Microsoft.DocumentDB/databaseAccounts/ipRangeFilter •Microsoft.DocumentDB/databaseAccounts/ipRules •Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled •Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess | IF (1) •Microsoft.DocumentDB/databaseAccounts | GA | BuiltIn |
Cosmos DB | Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | | IF (1) •Microsoft.DocumentDB/databaseAccounts/keyVaultKeyUri | IF (1) •Microsoft.DocumentDB/databaseAccounts | GA | BuiltIn |
Cosmos DB | Cosmos DB | 0473574d-2d43-4217-aefe-941fcdf7e684 | Azure Cosmos DB allowed locations | This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use it to enforce your geo-compliance requirements. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | | IF (1) •Microsoft.DocumentDB/databaseAccounts/Locations[*] | IF (1) •Microsoft.DocumentDB/databaseAccounts | GA | BuiltIn |
Cosmos DB | Cosmos DB | 4750c32b-89c0-46af-bfcb-2e4541a818d5 | Azure Cosmos DB key based metadata write access should be disabled | This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. | Fixed: append | | IF (1) •Microsoft.DocumentDB/databaseAccounts/disableKeyBasedMetadataWriteAccess THEN-Details (1) •Microsoft.DocumentDB/databaseAccounts/disableKeyBasedMetadataWriteAccess | IF (1) •Microsoft.DocumentDB/databaseAccounts | GA | BuiltIn |
Cosmos DB | Cosmos DB | 797b37f7-06b8-444c-b1ad-fc62867f335a | Azure Cosmos DB should disable public network access | Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess | IF (1) •Microsoft.DocumentDB/databaseAccounts | GA | BuiltIn |
Cosmos DB | Cosmos DB | 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf | Azure Cosmos DB throughput should be limited | This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | | IF (27) •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/options •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/options •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/options •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/options •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/options •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/options •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/options •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/options •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/tables/options •Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.throughput | | GA | BuiltIn |
Cosmos DB | Cosmos DB | dc2d41d1-4ab1-4666-a3e1-3d51c43e0049 | Configure Cosmos DB database accounts to disable local authentication | Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. | Default: Modify Allowed: (Modify, Disabled) | DocumentDB Account Contributor | IF (1) •Microsoft.DocumentDB/databaseAccounts/disableLocalAuth THEN-Operations (1) •Microsoft.DocumentDB/databaseAccounts/disableLocalAuth | IF (1) •Microsoft.DocumentDB/databaseAccounts | GA | BuiltIn |
Cosmos DB | Cosmos DB | da69ba51-aaf1-41e5-8651-607cd0b37088 | Configure CosmosDB accounts to disable public network access | Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. | Default: Modify Allowed: (Modify, Disabled) | Contributor, DocumentDB Account Contributor | IF (1) •Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess THEN-Operations (1) •Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess | IF (1) •Microsoft.DocumentDB/databaseAccounts | GA | BuiltIn |
Cosmos DB | Cosmos DB | a63cc0bd-cda4-4178-b705-37dc439d3e0f | Configure CosmosDB accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your CosmosDB account. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] | IF (1) •Microsoft.Network/privateEndpoints | GA | BuiltIn |
Cosmos DB | Cosmos DB | b609e813-3156-4079-91fa-a8494c1471c4 | Configure CosmosDB accounts with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your CosmosDB account, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor, DocumentDB Account Contributor | THEN-ExistenceCondition (1) •Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.DocumentDB/databaseAccounts THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments | GA | BuiltIn |
Cosmos DB | Cosmos DB | 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 | Cosmos DB database accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.DocumentDB/databaseAccounts/disableLocalAuth | IF (1) •Microsoft.DocumentDB/databaseAccounts | GA | BuiltIn |
Cosmos DB | Cosmos DB | 58440f8a-10c5-4151-bdce-dfbaad4a20b7 | CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Default: Audit Allowed: (Audit, Disabled) | | IF (2) •Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections[*] •Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status | IF (1) •Microsoft.DocumentDB/databaseAccounts | GA | BuiltIn |
Cosmos DB | Cosmos DB | b5f04e03-92a3-4b09-9410-2cc5e5047656 | Deploy Advanced Threat Protection for Cosmos DB Accounts | This policy enables Advanced Threat Protection across Cosmos DB accounts. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Security Admin | THEN-ExistenceCondition (1) •Microsoft.Security/advancedThreatProtectionSettings/isEnabled | IF (1) •Microsoft.DocumentDB/databaseAccounts | GA | BuiltIn |
Custom Provider | Custom Provider | c15c281f-ea5c-44cd-90b8-fc3c14d13f0c | Deploy associations for a custom provider | Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | Contributor | THEN-Deployment (1) •Microsoft.Resources/deployments | | GA | BuiltIn |
Data Box | Data Box | c349d81b-9985-44ae-a8da-ff98d108ede8 | Azure Data Box jobs should enable double encryption for data at rest on the device | Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.DataBox/jobs/details.preferences.encryptionPreferences.doubleEncryption •Microsoft.Databox/jobs/sku.name | IF (1) •Microsoft.DataBox/jobs | GA | BuiltIn |
Data Box | Data Box | 86efb160-8de7-451d-bc08-5d475b0aadae | Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password | Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.DataBox/jobs/details.keyEncryptionKey.kekType •Microsoft.Databox/jobs/sku.name | IF (1) •Microsoft.DataBox/jobs | GA | BuiltIn |
Data Factory | Data Factory | 85bb39b5-2f66-49f8-9306-77da3ac5130f | [Preview]: Azure Data Factory integration runtime should have a limit for number of cores | To manage your resources and costs, limit the number of cores for an integration runtime. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.dataFlowProperties.coreCount •Microsoft.DataFactory/factories/integrationruntimes/type | IF (1) •Microsoft.DataFactory/factories/integrationRuntimes | Preview | BuiltIn |
Data Factory | Data Factory | 6809a3d0-d354-42fb-b955-783d207c62a8 | [Preview]: Azure Data Factory linked service resource type should be in allow list | Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.DataFactory/factories/linkedservices/type | | Preview | BuiltIn |
Data Factory | Data Factory | 127ef6d7-242f-43b3-9eef-947faf1725d0 | [Preview]: Azure Data Factory linked services should use Key Vault for storing secrets | To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (30) •Microsoft.DataFactory/factories/linkedservices/AmazonMWS.typeProperties.mwsAuthToken.type •Microsoft.DataFactory/factories/linkedservices/AmazonMWS.typeProperties.secretKey.type •Microsoft.DataFactory/factories/linkedservices/AmazonS3.typeProperties.secretAccessKey.type •Microsoft.DataFactory/factories/linkedservices/AzureBlobStorage.typeProperties.servicePrincipalKey •Microsoft.DataFactory/factories/linkedservices/AzureBlobStorage.typeProperties.servicePrincipalKey.type •Microsoft.DataFactory/factories/linkedservices/AzureSearch.typeProperties.key.type •Microsoft.DataFactory/factories/linkedservices/AzureSqlDW.typeProperties.servicePrincipalKey.type •Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.accountKey •Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri •Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri.type •Microsoft.DataFactory/factories/linkedservices/CosmosDb.typeProperties.accountKey.type •Microsoft.DataFactory/factories/linkedservices/Dynamics.typeProperties.servicePrincipalCredential •Microsoft.DataFactory/factories/linkedservices/Dynamics.typeProperties.servicePrincipalCredential.type •Microsoft.DataFactory/factories/linkedservices/GoogleAdWords.typeProperties.developerToken.type •Microsoft.DataFactory/factories/linkedservices/GoogleBigQuery.typeProperties.clientSecret.type •Microsoft.DataFactory/factories/linkedservices/GoogleBigQuery.typeProperties.refreshToken.type •Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken •Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken.type •Microsoft.DataFactory/factories/linkedservices/OData.typeProperties.servicePrincipalEmbeddedCert.type •Microsoft.DataFactory/factories/linkedservices/OData.typeProperties.servicePrincipalEmbeddedCertPassword.type •Microsoft.DataFactory/factories/linkedservices/Odbc.typeProperties.credential.type •Microsoft.DataFactory/factories/linkedservices/Salesforce.typeProperties.securityToken.type •Microsoft.DataFactory/factories/linkedservices/Sftp.typeProperties.passPhrase.type •Microsoft.DataFactory/factories/linkedservices/Sftp.typeProperties.privateKeyContent.type •Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password •Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password.type •Microsoft.DataFactory/factories/linkedservices/type •Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString •Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString.type •Microsoft.DataFactory/factories/linkedservices/typeProperties.encryptedCredential | | Preview | BuiltIn |
Data Factory | Data Factory | f78ccdb4-7bf4-4106-8647-270491d2978a | [Preview]: Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (7) •Microsoft.DataFactory/factories/linkedservices/AzureSqlDW.typeProperties.servicePrincipalKey •Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.accountKey •Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri •Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken •Microsoft.DataFactory/factories/linkedservices/type •Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString •Microsoft.DataFactory/factories/linkedservices/typeProperties.encryptedCredential | | Preview | BuiltIn |
Data Factory | Data Factory | 77d40665-3120-4348-b539-3192ec808307 | [Preview]: Azure Data Factory should use a Git repository for source control | Enable source control on data factories to gain capabilities such as change tracking, collaboration, continuous integration, and deployment. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.DataFactory/factories/repoConfiguration.repositoryName | IF (1) •Microsoft.DataFactory/factories | Preview | BuiltIn |
Data Factory | Data Factory | 4ec52d6d-beb7-40c4-9a9e-fe753254690e | Azure data factories should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.DataFactory/factories/encryption.vaultBaseUrl | IF (1) •Microsoft.DataFactory/factories | GA | BuiltIn |
Data Factory | Data Factory | 8b0323be-cc25-4b61-935d-002c3798c6ea | Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (1) •Microsoft.DataFactory/factories/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.DataFactory/factories | GA | BuiltIn |
Data Factory | Data Factory | 08b1442b-7789-4130-8506-4f99a97226a7 | Configure Data Factories to disable public network access | Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default: Modify Allowed: (Modify, Disabled) | Data Factory Contributor | IF (1) •Microsoft.DataFactory/factories/publicNetworkAccess THEN-Operations (1) •Microsoft.DataFactory/factories/publicNetworkAccess | IF (1) •Microsoft.DataFactory/factories | GA | BuiltIn |
Data Factory | Data Factory | 86cd96e1-1745-420d-94d4-d3f2fe415aa4 | Configure private DNS zones for private endpoints that connect to Azure Data Factory | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] | IF (1) •Microsoft.Network/privateEndpoints | GA | BuiltIn |
Data Factory | Data Factory | 496ca26b-f669-4322-a1ad-06b7b5e41882 | Configure private endpoints for Data factories | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Data Factory Contributor | THEN-ExistenceCondition (1) •Microsoft.DataFactory/factories/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.DataFactory/factories THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments | GA | BuiltIn |
Data Factory | Data Factory | 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6 | Public network access on Azure Data Factory should be disabled | Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.DataFactory/factories/publicNetworkAccess | IF (1) •Microsoft.DataFactory/factories | GA | BuiltIn |
Data Factory | Data Factory | 0088bc63-6dee-4a9c-9d29-91cfdc848952 | SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.vnetProperties.vnetId •Microsoft.DataFactory/factories/integrationruntimes/type | IF (1) •Microsoft.DataFactory/factories/integrationRuntimes | GA | BuiltIn |
Data Lake | Data Lake | a7ff3161-0087-490a-9ad9-ad6217f4f43a | Require encryption on Data Lake Store accounts | This policy ensures encryption is enabled on all Data Lake Store accounts. | Fixed: deny | | IF (1) •Microsoft.DataLakeStore/accounts/encryptionState | IF (1) •Microsoft.DataLakeStore/accounts | GA | BuiltIn |
Data Lake | Data Lake | 057ef27e-665e-4328-8ea3-04b3122bd9fb | Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId | IF (1) •Microsoft.DataLakeStore/accounts | GA | BuiltIn |
Data Lake | Data Lake | c95c74d9-38fe-4f0d-af86-0c7d626a315c | Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId | IF (1) •Microsoft.DataLakeAnalytics/accounts | GA | BuiltIn |
Databricks | Databricks | Deny-Databricks-VirtualNetwork | Deny Databricks workspaces without VNet injection | Enforces the use of VNet injection for Databricks workspaces. | Default: Deny Allowed: (Audit, Disabled, Deny) | | IF (3) •Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value •Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value •Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value | IF (1) •Microsoft.Databricks/workspaces | GA | ESLZ |
Databricks | Databricks | Deny-Databricks-Sku | Deny non-premium Databricks SKU | Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available, including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD. | Default: Deny Allowed: (Audit, Disabled, Deny) | | IF (1) •Microsoft.DataBricks/workspaces/sku.name | IF (1) •Microsoft.Databricks/workspaces | GA | ESLZ |
Databricks | Databricks | Deny-Databricks-NoPublicIp | Deny public IPs for Databricks cluster | Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. | Default: Deny Allowed: (Audit, Disabled, Deny) | | IF (1) •Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value | IF (1) •Microsoft.Databricks/workspaces | GA | ESLZ |
DB for MySQL | DB for MySQL | dbformysql_db-for-mysql-ssl-enforce-filter | Enforce SSL on all DB for MySQL instances | This policy ensures SSL is enforced on all DB for MySQL instances. | Fixed: deny | | IF (1) •Microsoft.DBforMySQL/servers/sslEnforcement | IF (1) •Microsoft.DBforMySQL/servers | GA | Community |
DevTestLabs | DevTestLabs | aca94a15-a131-4a06-ab0e-89f57e28cc5c | Allowed DevTestLabs Repo URL prefix | | Fixed: deny | | IF (1) •Microsoft.DevTestLab/labs/artifactSources/uri | | GA | Community |
Event Grid | Event Grid | f8f774be-6aee-492a-9e29-486ef81f3a68 | Azure Event Grid domains should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.EventGrid/domains/publicNetworkAccess | IF (1) •Microsoft.EventGrid/domains | GA | BuiltIn |
Event Grid | Event Grid | 8bfadddb-ee1c-4639-8911-a38cb8e0b3bd | Azure Event Grid domains should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.EventGrid/domains/disableLocalAuth | IF (1) •Microsoft.EventGrid/domains | GA | BuiltIn |
Event Grid | Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Disabled) | IF (2) •Microsoft.EventGrid/domains/privateEndpointConnections[*] •Microsoft.EventGrid/domains/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.EventGrid/domains |
GA | BuiltIn | |
Event Grid | Event Grid | 8632b003-3545-4b29-85e6-b2b96773df1e | Azure Event Grid partner namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.EventGrid/partnerNamespaces/disableLocalAuth |
IF (1) •Microsoft.EventGrid/partnerNamespaces |
GA | BuiltIn | |
Event Grid | Event Grid | 1adadefe-5f21-44f7-b931-a59b54ccdb45 | Azure Event Grid topics should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.EventGrid/topics/publicNetworkAccess |
IF (1) •Microsoft.EventGrid/topics |
GA | BuiltIn | |
Event Grid | Event Grid | ae9fb87f-8a17-4428-94a4-8135d431055c | Azure Event Grid topics should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.EventGrid/topics/disableLocalAuth |
IF (1) •Microsoft.EventGrid/topics |
GA | BuiltIn | |
Event Grid | Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Disabled) | IF (2) •Microsoft.EventGrid/topics/privateEndpointConnections[*] •Microsoft.EventGrid/topics/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.EventGrid/topics |
GA | BuiltIn | |
Event Grid | Event Grid | 8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1 | Configure Azure Event Grid domains to disable local authentication | Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Modify Allowed: (Modify, Disabled) | EventGrid Contributor | IF (1) •Microsoft.EventGrid/domains/disableLocalAuth THEN-Operations (1) •Microsoft.EventGrid/domains/disableLocalAuth |
IF (1) •Microsoft.EventGrid/domains |
GA | BuiltIn |
Event Grid | Event Grid | 2dd0e8b9-4289-4bb0-b813-1883298e9924 | Configure Azure Event Grid partner namespaces to disable local authentication | Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Modify Allowed: (Modify, Disabled) | EventGrid Contributor | IF (1) •Microsoft.EventGrid/partnerNamespaces/disableLocalAuth THEN-Operations (1) •Microsoft.EventGrid/partnerNamespaces/disableLocalAuth |
IF (1) •Microsoft.EventGrid/partnerNamespaces |
GA | BuiltIn |
Event Grid | Event Grid | 1c8144d9-746a-4501-b08c-093c8d29ad04 | Configure Azure Event Grid topics to disable local authentication | Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default: Modify Allowed: (Modify, Disabled) | EventGrid Contributor | IF (1) •Microsoft.EventGrid/topics/disableLocalAuth THEN-Operations (1) •Microsoft.EventGrid/topics/disableLocalAuth |
IF (1) •Microsoft.EventGrid/topics |
GA | BuiltIn |
Event Grid | Event Grid | d389df0a-e0d7-4607-833c-75a6fdac2c2d | Deploy - Configure Azure Event Grid domains to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists Allowed: (deployIfNotExists, DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Event Grid | Event Grid | 36f4658a-848a-467b-881c-e6fa20cf75fc | Deploy - Configure Azure Event Grid domains with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, EventGrid Contributor | THEN-ExistenceCondition (1) •Microsoft.EventGrid/domains/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.EventGrid/domains THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Event Grid | Event Grid | baf19753-7502-405f-8745-370519b20483 | Deploy - Configure Azure Event Grid topics to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists Allowed: (deployIfNotExists, DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Event Grid | Event Grid | 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca | Deploy - Configure Azure Event Grid topics with private endpoints | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, EventGrid Contributor | THEN-ExistenceCondition (1) •Microsoft.EventGrid/topics/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.EventGrid/topics THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Event Grid | Event Grid | eventgrid_enforce-event-grid-sys-topic-handler-type-to-be-storage-account | Enforce event grid system topic handler type to be storage account | This policy enforces that event subscriptions on Event Grid system topics deliver only to a storage account handler, evaluated from the subscription's destination endpoint type. | Default: Deny Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.EventGrid/systemTopics/eventSubscriptions/destination.endpointType |
GA | Community | ||
Event Grid | Event Grid | eventgrid_enforce-event-grid-system-topic-source-type-be-storage-account | Enforce event grid system topic source type to be storage account | This policy enforces that Event Grid system topics are created only with a storage account as their source, evaluated from the system topic's topicType. | Default: Deny Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.EventGrid/systemTopics/topicType |
GA | Community | ||
Event Grid | Event Grid | 898e9824-104c-4965-8e0e-5197588fa5d4 | Modify - Configure Azure Event Grid domains to disable public network access | Disable public network access for the Azure Event Grid domain so that it isn't accessible over the public internet. This helps protect it against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Modify Allowed: (Modify, Disabled) | EventGrid Contributor | IF (1) •Microsoft.EventGrid/domains/publicNetworkAccess THEN-Operations (1) •Microsoft.EventGrid/domains/publicNetworkAccess |
IF (1) •Microsoft.EventGrid/domains |
GA | BuiltIn |
Event Grid | Event Grid | 36ea4b4b-0f7f-4a54-89fa-ab18f555a172 | Modify - Configure Azure Event Grid topics to disable public network access | Disable public network access for the Azure Event Grid topic so that it isn't accessible over the public internet. This helps protect it against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Modify Allowed: (Modify, Disabled) | EventGrid Contributor | IF (1) •Microsoft.EventGrid/topics/publicNetworkAccess THEN-Operations (1) •Microsoft.EventGrid/topics/publicNetworkAccess |
IF (1) •Microsoft.EventGrid/topics |
GA | BuiltIn |
Event Hub | Event Hub | b278e460-7cfc-4451-8294-cccc40a940d7 | All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace | Event Hub clients should not use a namespace-level access policy, which grants access to every event hub in the namespace. To align with the least-privilege model, create access policies on the individual event hub (entity) so that each client can reach only the entity it needs; the rule flags any namespace-level authorization rule other than the default RootManageSharedAccessKey. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.EventHub/namespaces/authorizationRules |
GA | BuiltIn | ||
Event Hub | Event Hub | f4826e5f-6a27-407c-ae3e-9582eb39891d | Authorization rules on the Event Hub instance should be defined | Audit existence of authorization rules on Event Hub entities to grant least-privileged access | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | IF (1) •Microsoft.EventHub/namespaces/eventhubs THEN-Details (1) •Microsoft.EventHub/namespaces/eventHubs/authorizationRules |
GA | BuiltIn | ||
Event Hub | Event Hub | 5d4e3c65-4873-47be-94f3-6f8b953a3598 | Azure Event Hub namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.EventHub/namespaces/disableLocalAuth |
IF (1) •Microsoft.EventHub/namespaces |
GA | BuiltIn | |
Event Hub | Event Hub | 57f35901-8389-40bb-ac49-3ba4f86d889d | Configure Azure Event Hub namespaces to disable local authentication | Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. | Default: Modify Allowed: (Modify, Disabled) | Azure Event Hubs Data Owner | IF (1) •Microsoft.EventHub/namespaces/disableLocalAuth THEN-Operations (1) •Microsoft.EventHub/namespaces/disableLocalAuth |
IF (1) •Microsoft.EventHub/namespaces |
GA | BuiltIn |
Event Hub | Event Hub | ed66d4f5-8220-45dc-ab4a-20d1749c74e6 | Configure Event Hub namespaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Event Hub | Event Hub | 91678b7c-d721-4fc5-b179-3cdf74e96b1c | Configure Event Hub namespaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, Azure Event Hubs Data Owner | THEN-ExistenceCondition (1) •Microsoft.EventHub/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.EventHub/namespaces THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Event Hub | Event Hub | 836cd60e-87f3-4e6a-a27c-29d687f01a4c | Event Hub namespaces should have double encryption enabled | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption is enabled, data in the Event Hub namespace is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. As with customer-managed keys, infrastructure encryption is only available for namespaces in dedicated clusters, which is why the rule also evaluates clusterArmId. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.EventHub/namespaces/clusterArmId •Microsoft.EventHub/namespaces/encryption.requireInfrastructureEncryption |
IF (1) •Microsoft.EventHub/namespaces |
GA | BuiltIn | |
Event Hub | Event Hub | a1ad735a-e96f-45d2-a7b2-9a4932cab7ec | Event Hub namespaces should use a customer-managed key for encryption | Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. | Default: Audit Allowed: (Audit, Disabled) | IF (2) •Microsoft.EventHub/namespaces/clusterArmId •Microsoft.EventHub/namespaces/encryption.keySource |
IF (1) •Microsoft.EventHub/namespaces |
GA | BuiltIn | |
Event Hub | Event Hub | b8564268-eb4a-4337-89be-a19db070c59d | Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.EventHub/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.EventHub/namespaces |
GA | BuiltIn | |
Event Hub | Event Hub | 83a214f7-d01a-484b-91a9-ed54470c9a6a | Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.EventHub/namespaces |
GA | BuiltIn | |
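The Event Grid and Event Hub rows above all share one mechanism: an IF block of conditions over resource aliases (the Rule Aliases column), a THEN effect that is a policy parameter whose default and allowed values appear in the Effect column, and, for the Modify rows, a list of operations that rewrite the same alias. The following is an added example, not Microsoft's code and not any built-in definition as published. Its two policy bodies reconstruct the logic implied by the rows for 1adadefe-5f21-44f7-b931-a59b54ccdb45 (topics should disable public network access) and 1c8144d9-746a-4501-b08c-093c8d29ad04 (Modify: topics to disable local authentication); the role-definition id is a placeholder, the sample resources are constructed, and the evaluator supports only the operators those rows need.

```python
"""Offline evaluator for the rule shape this catalog lists: an IF block of field
conditions over resource aliases plus a THEN effect taken from a parameter with
allowedValues. Added example, not Microsoft's code; the two policy bodies are
reconstructed from the table's aliases, not verbatim built-in definitions."""
import copy
import re


def _path(resource, alias):
    """'Microsoft.EventGrid/topics/a.b' -> ['a', 'b'] under properties when the type matches, else None."""
    prefix = resource.get("type", "") + "/"
    return alias[len(prefix):].split(".") if alias.startswith(prefix) else None


def resolve_field(resource, field):
    """Read a plain field ('type', 'name', 'location') or an alias; absent values are None."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    path = _path(resource, field)
    node = resource.get("properties", {}) if path else None
    for part in path or []:
        node = node.get(part) if isinstance(node, dict) else None
    return node


def _norm(value):
    return str(value).lower()  # ARM compares strings case-insensitively; True -> 'true'


def eval_condition(cond, resource):
    """Evaluate allOf / equals / notEquals with Azure Policy's missing-field semantics."""
    if "allOf" in cond:
        return all(eval_condition(c, resource) for c in cond["allOf"])
    actual = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return actual is not None and _norm(actual) == _norm(cond["equals"])
    if "notEquals" in cond:  # an absent field is 'not equal' to any value, so it gets flagged
        return actual is None or _norm(actual) != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")


def resolve_effect(policy, overrides=None):
    """Resolve "[parameters('effect')]" from defaults plus assignment overrides, rejecting
    anything outside allowedValues (the 'Allowed:' list in the table)."""
    params = policy.get("parameters", {})
    values = {k: v.get("defaultValue") for k, v in params.items()}
    values.update(overrides or {})
    for name, value in values.items():
        allowed = params.get(name, {}).get("allowedValues", [])
        if allowed and _norm(value) not in {_norm(a) for a in allowed}:
            raise ValueError(f"{value!r} is not an allowed value for {name}: {allowed}")
    match = re.fullmatch(r"\[parameters\('(\w+)'\)\]", policy["policyRule"]["then"]["effect"])
    return values[match.group(1)] if match else policy["policyRule"]["then"]["effect"]


def evaluate(policy, resource, overrides=None):
    """Return (effect, resource): 'Skipped' when Disabled, 'Compliant' when the IF block
    does not match; a Modify effect applies its operations to a copy and returns it."""
    effect = resolve_effect(policy, overrides)
    if _norm(effect) == "disabled":
        return "Skipped", resource
    if not eval_condition(policy["policyRule"]["if"], resource):
        return "Compliant", resource
    if _norm(effect) != "modify":
        return effect, resource
    patched = copy.deepcopy(resource)
    for op in policy["policyRule"]["then"]["details"]["operations"]:  # addOrReplace only
        node, path = patched.setdefault("properties", {}), _path(patched, op["field"])
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = op["value"]
    return "Modify", patched


# Modelled on 1adadefe-5f21-44f7-b931-a59b54ccdb45 (topics should disable public network access).
TOPIC_PUBLIC_ACCESS = {
    "parameters": {"effect": {"type": "String", "defaultValue": "Audit", "allowedValues": ["Audit", "Deny", "Disabled"]}},
    "policyRule": {"if": {"allOf": [{"field": "type", "equals": "Microsoft.EventGrid/topics"},
                                     {"field": "Microsoft.EventGrid/topics/publicNetworkAccess", "notEquals": "Disabled"}]},
                   "then": {"effect": "[parameters('effect')]"}}}

# Modelled on 1c8144d9-746a-4501-b08c-093c8d29ad04 (Modify: configure topics to disable local authentication).
TOPIC_MODIFY_LOCAL_AUTH = {
    "parameters": {"effect": {"type": "String", "defaultValue": "Modify", "allowedValues": ["Modify", "Disabled"]}},
    "policyRule": {"if": {"allOf": [{"field": "type", "equals": "Microsoft.EventGrid/topics"},
                                     {"field": "Microsoft.EventGrid/topics/disableLocalAuth", "notEquals": True}]},
                   "then": {"effect": "[parameters('effect')]",
                            "details": {"roleDefinitionIds": ["<EventGrid Contributor role definition id>"],  # placeholder
                                        "operations": [{"operation": "addOrReplace", "value": True,
                                                        "field": "Microsoft.EventGrid/topics/disableLocalAuth"}]}}}}

# Constructed sample resource documents, not taken from any real subscription.
SAMPLES = {
    "orders-topic": {"name": "orders-topic", "type": "Microsoft.EventGrid/topics",
                     "properties": {"publicNetworkAccess": "Enabled", "disableLocalAuth": False}},
    "locked-topic": {"name": "locked-topic", "type": "Microsoft.EventGrid/topics",
                     "properties": {"publicNetworkAccess": "Disabled", "disableLocalAuth": True}},
    "legacy-topic": {"name": "legacy-topic", "type": "Microsoft.EventGrid/topics", "properties": {}},
    "some-domain": {"name": "some-domain", "type": "Microsoft.EventGrid/domains", "properties": {}},
}
```

Two behaviours are worth noticing when reading the table with this model in mind. A resource that never set the property at all (legacy-topic) is non-compliant under a notEquals rule, which is the intended outcome because the service default for these settings is the permissive one. And an assignment can only pick an effect from the Allowed list: assigning the audit policy with Modify, or the Modify policy with Deny, is rejected before any resource is evaluated, which is why the catalog records both the default and the allowed values per row.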
General | General | c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 | [Deprecated]: Allow resource creation only in Asia data centers | Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West | Fixed: Deny | Deprecated | BuiltIn | |||
General | General | 94c19f19-8192-48cd-a11b-e37099d3e36b | [Deprecated]: Allow resource creation only in European data centers | Allows resource creation in the following locations only: North Europe, West Europe | Fixed: Deny | Deprecated | BuiltIn | |||
General | General | 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 | [Deprecated]: Allow resource creation only in India data centers | Allows resource creation in the following locations only: West India, South India, Central India | Fixed: Deny | Deprecated | BuiltIn | |||
General | General | 983211ba-f348-4758-983b-21fa29294869 | [Deprecated]: Allow resource creation only in United States data centers | Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US | Fixed: Deny | Deprecated | BuiltIn | |||
General | General | 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9 | [Deprecated]: Custom subscription owner roles should not exist | This policy is deprecated. | Default: Audit Allowed: (Audit, Disabled) | IF (4) •Microsoft.Authorization/roleDefinitions/assignableScopes[*] •Microsoft.Authorization/roleDefinitions/permissions.actions[*] •Microsoft.Authorization/roleDefinitions/permissions[*].actions[*] •Microsoft.Authorization/roleDefinitions/type |
IF (1) •Microsoft.Authorization/roleDefinitions |
Deprecated | BuiltIn | |
General | General | e56962a6-4747-49cd-b67b-bf8b01975c4c | Allowed locations | This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. | Fixed: deny | IF (1) •Microsoft.AzureActiveDirectory/b2cDirectories |
GA | BuiltIn | ||
General | General | e765b5de-1225-4ba3-bd56-1ac6695af988 | Allowed locations for resource groups | This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. | Fixed: deny | IF (1) •Microsoft.Resources/subscriptions/resourceGroups |
GA | BuiltIn | ||
General | General | a08ec900-254a-4555-9bf5-e42af04b5c5c | Allowed resource types | This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. | Fixed: deny | GA | BuiltIn | |||
General | General | 0a914e76-4921-4c19-b460-a2d36003525a | Audit resource location matches resource group location | Audit that the resource location matches its resource group location | Fixed: audit | GA | BuiltIn | |||
General | General | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | Audit usage of custom RBAC rules | Audit the use of custom RBAC roles; prefer built-in roles such as Owner, Contributor and Reader, since custom roles are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.Authorization/roleDefinitions/type |
IF (1) •Microsoft.Authorization/roleDefinitions |
GA | BuiltIn | |
General | General | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 | Not allowed resource types | Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. | Default: Deny Allowed: (Audit, Deny, Disabled) | GA | BuiltIn | |||
Guest Configuration | Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | IF (5) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/provisioningState •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | IF (5) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/provisioningState •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 4d1c04de-2172-403f-901b-90608c35c721 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 884b209a-963b-4520-8006-d20cb3c213e0 | [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 7a031c68-d6ab-406e-a506-697a19c634b0 | [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled | This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 144f1397-32f9-4598-8c88-118decc3ccba | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 93507a81-10a4-4af0-9ee2-34cf25a96e98 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | b821191b-3a12-44bc-9c38-212138a29ff3 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 68511db2-bd02-41c4-ae6b-1900a012968a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 32b1e4d4-6cd5-47b4-a935-169da8a5c262 | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d | [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 315c850a-272d-4502-8935-b79010405970 | [Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | c21f7060-c148-41cf-a68b-0ab3e14c764c | [Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 106ccbe4-a791-4f33-a44a-06796944b8d5 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root | This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 12f7e5d0-42a7-4630-80d8-54fb7cff9bd6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | e0efc13a-122a-47c5-b817-2ccfe5d12615 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy | This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 90ba2ee7-4ca8-4673-84d1-c851c50d3baf | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 23020aa6-1135-4be2-bae2-149982b06eca | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 8ff0b18b-262e-4512-857a-48ad0aeb9a78 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | f0633351-c7b2-41ff-9981-508fc08553c2 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | c96f3246-4382-4264-bf6b-af0b35e23c3c | [Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot | This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | b2fc8f91-866d-4434-9089-5ebfe38d6fd8 | [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols | This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor | IF (5) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/provisioningState •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor | IF (5) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/provisioningState •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | fee5cb2b-9d9b-410e-afe3-2902d90d0004 | [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 | [Deprecated]: Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | d7ccd0ca-8d78-42af-a43d-6b7f928accbc | [Deprecated]: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 87b590fe-4a1d-4697-ae74-d4fe72ab786c | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 7229bd6a-693d-478a-87f0-1dc1af06f3b8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | a1e8dda3-9fd2-4835-aec3-0e55531fde33 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | b872a447-cc6f-43b9-bccf-45703cd81607 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 21e2995e-683e-497a-9e81-2f42ad07050a | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | c8abcef9-fc26-482f-b8db-5fa60ee4586d | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | fcbc55c9-f25a-4e55-a6cb-33acb3be778b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 30040dab-4e75-4456-8273-14b8f75d91d9 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 5c028d2a-1889-45f6-b821-31f42711ced8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | ba12366f-f9a6-42b8-9d98-157d0b1a837b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | e3a77a94-cf41-4ee8-b45c-98be28841c03 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 620e58b5-ac75-49b4-993f-a9d4f0459636 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 8a39d1f1-5513-4628-b261-f469a5a3341b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 29829ec2-489d-4925-81b7-bda06b1718e0 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | ddb53c61-9db4-41d4-a953-2abff5b66c12 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | bc87d811-4a9b-47cc-ae54-0a41abda7768 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 225e937e-d32e-4713-ab74-13ce95b3519a | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | b3802d79-dd88-4bce-b81d-780218e48280 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 60aeaf73-a074-417a-905f-7ce9df0ff77b | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | dd4680ed-0559-4a6a-ad10-081d14cbb484 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 7066131b-61a6-4917-a7e4-72e8983f0aa6 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 9178b430-2295-406e-bb28-f6a7a2a2f897 | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 8bbd627e-4d25-4906-9a6e-3789780af3ec | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | bde62c94-ccca-4821-a815-92c1d31a76de | [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | f3b44e5d-1456-475f-9c67-c66c4618e85a | [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | cc7cda28-f867-4311-8497-a526129a8d19 | [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 7227ebe5-9ff7-47ab-b823-171cd02fb90f | [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | a030a57e-4639-4e8f-ade9-a92f33afe7ee | [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a | [Deprecated]: Show audit results from Windows VMs on which the specified services are not installed and 'Running' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 0d9b45ff-9ddd-43fc-bf59-fbd1c8423053 | [Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | a29ee95c-0395-4515-9851-cc04ffe82a91 | [Deprecated]: Show audit results from Windows VMs that are not joined to the specified domain | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 9f658460-46b7-43af-8565-94fc0662be38 | [Deprecated]: Show audit results from Windows VMs that are not set to the specified time zone | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 9328f27e-611e-44a7-a244-39109d7d35ab | [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | f3b9ad83-000d-4dc1-bff0-6d54533dd03f | [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 5aa11bbc-5c76-4302-80e5-aba46a4282e7 | [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | f48b2913-1dc5-4834-8c72-ccc1dfd819bb | [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 5e393799-e3ca-4e43-a9a5-0ec4648a57d9 | [Deprecated]: Show audit results from Windows VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | f8036bd0-c10b-4931-86bb-94a878add855 | [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 16f9b37c-4408-4c30-bc17-254958f2e2d6 | [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 5aebc8d1-020d-4037-89a0-02043a7524ec | [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 2d60d3b7-aa10-454c-88a8-de39d99d17c6 | [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 7e84ba44-6d03-46fd-950e-5efa5a1112fa | [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 7e56b49b-5990-4159-a734-511ea19b731c | [Deprecated]: Show audit results from Windows VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 8b0de57a-f511-4d45-a277-17cb79cb163b | [Deprecated]: Show audit results from Windows VMs with a pending reboot | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 60ffe3e2-4604-4460-8f22-0f1da058266c | [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 50c52fc9-cb21-4d99-9031-d6a0c613361c | [Preview]: Windows machines should meet STIG compliance requirements for Azure compute | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirements for Azure compute. DISA (Defense Information Systems Agency) provides Security Technical Implementation Guides (STIGs) to secure the compute OS as required by the Department of Defense (DoD). For more details, see https://public.cyber.mil/stigs/. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | Preview | BuiltIn |
Guest Configuration | Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType | IF (1) •Microsoft.Compute/virtualMachines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType | IF (1) •Microsoft.Compute/virtualMachines | GA | BuiltIn |
Guest Configuration | Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the passwd file permissions set to 0644. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 | Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 630ac30f-a234-4533-ac2d-e0df77acda51 | Audit Windows machines network connectivity | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd | Audit Windows machines on which the DSC configuration is not compliant | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 6265018c-d7e2-432f-a75d-094d5f6f4465 | Audit Windows machines on which the Log Analytics agent is not connected as expected | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | e6ebf138-3d71-4935-a13b-9c7fdddd94df | Audit Windows machines on which the specified services are not installed and 'Running' | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the result of the Windows PowerShell command Get-Service does not include the service name with the matching status as specified by the policy parameter. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 58c460e9-7573-4bb2-9676-339c2f2486bb | Audit Windows machines on which Windows Serial Console is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 5b054a0d-39e2-4d53-bea3-9734cad2c69b | Audit Windows machines that allow re-use of the previous 24 passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow re-use of the previous 24 passwords. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 84662df4-0e37-44a6-9ce1-c9d2150db18c | Audit Windows machines that are not joined to the specified domain | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | c633f6a2-7f8b-4d9e-9456-02f0f04f5505 | Audit Windows machines that are not set to the specified time zone | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 1417908b-4bff-46ee-a2a6-4acc899320ab | Audit Windows machines that contain certificates expiring within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 934345e1-4dfb-4c70-90d7-41990dc9608b | Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 4ceb8dc2-559c-478b-a15b-733fbf1e3738 | Audit Windows machines that do not have a maximum password age of 70 days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a maximum password age of 70 days. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 237b38db-ca4d-4259-9e47-7882441ca2c0 | Audit Windows machines that do not have a minimum password age of 1 day | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a minimum password age of 1 day. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | bf16e0bb-31e1-4646-8202-60a235cc7e74 | Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the password complexity setting enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | c648fbbb-591c-4acd-b465-ce9b176ca173 | Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 | Audit Windows machines that do not have the specified Windows PowerShell modules installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | a2d0e922-65d0-40c4-8f87-ea6da2d307a2 | Audit Windows machines that do not restrict the minimum password length to 14 characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not restrict the minimum password length to 14 characters. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | da0f98fe-a24b-4ad5-af69-bd0400233661 | Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not store passwords using reversible encryption. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | ebb67efd-3c46-49b0-adfe-5599eb944998 | Audit Windows machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 | Audit Windows machines that have extra accounts in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | beb6ccee-b6b8-4e91-9801-a5fa4260a104 | Audit Windows machines that have not restarted within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_OperatingSystem is outside the range of days provided by the policy parameter. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | c5b85cba-6e6f-4de4-95e1-f0233cd712ac | Audit Windows machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f | Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 4221adbc-5c0f-474f-88b7-037a99e6114c | Audit Windows VMs with a pending reboot | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. | Fixed: auditIfNotExists | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed: deployIfNotExists | Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.hybridcompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor | IF (5) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/provisioningState •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions | GA | BuiltIn |
Guest Configuration | Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor | IF (5) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/provisioningState •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions | GA | BuiltIn |
Guest Configuration | Guest Configuration | Deploy-Windows-DomainJoin | Deploy Windows Domain Join Extension with keyvault configuration | Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given Windows virtual machine. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Virtual Machine Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (2) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions | GA | ESLZ |
Guest Configuration | Guest Configuration | 1e7fed80-8321-4605-b42c-65fc300f23a3 | Linux machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (1) •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (1) •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 73db37c4-f180-4b0f-ab2c-8ee96467686b | Linux machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 480d0f91-30af-4a76-9afb-f5710ac52b09 | Private endpoints for Guest Configuration assignments should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.GuestConfiguration/guestConfigurationAssignments | GA | BuiltIn |
Guest Configuration | Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 4078e558-bda6-41fb-9b3c-361e8875200d | Windows machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Windows server. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (1) •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (1) •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 3aa2661b-02d7-4ba6-99bc-dc36b10489fd | Windows machines should meet requirements for 'Administrative Templates - Control Panel' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | e0a7e899-2ce2-4253-8a13-d808fdeb75af | Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 67e010c1-640d-438e-a3a5-feaccb533a98 | Windows machines should meet requirements for 'Administrative Templates - Network' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 968410dc-5ca0-4518-8a5b-7b55f0530ea9 | Windows machines should meet requirements for 'Administrative Templates - System' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | ee984370-154a-4ee8-9726-19d900e56fc0 | Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 33936777-f2ac-45aa-82ec-07958ec9ade4 | Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 8794ff4f-1a35-4e18-938f-0b22055067cd | Windows machines should meet requirements for 'Security Options - Devices' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | d472d2c9-d6a3-4500-9f5f-b15f123005aa | Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | d6c69680-54f0-4349-af10-94dd05f4225e | Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | caf2d518-f029-4f6b-833b-d7081702f253 | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd | Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 1221c620-d201-468c-81e7-2817e6107e84 | Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 | Windows machines should meet requirements for 'Security Options - Recovery console' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | b4a4d1eb-0263-441b-84cb-a44073d8372d | Windows machines should meet requirements for 'Security Options - Shutdown' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 2f262ace-812a-4fd0-b731-b38ba9e9708d | Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 12017595-5a75-4bb1-9d97-4c2c939ea3c3 | Windows machines should meet requirements for 'Security Options - System settings' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 492a29ed-d143-4f03-b6a4-705ce081b463 | Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | f2143251-70de-4e81-87a8-36cee5a2f29d | Windows machines should meet requirements for 'Security Settings - Account Policies' | Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 | Windows machines should meet requirements for 'System Audit Policies - Account Logon' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 94d9aca8-3757-46df-aa51-f218c5f11954 | Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 58383b73-94a9-4414-b382-4146eb02611b | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 19be9779-c776-4dfa-8a15-a2fd5dc843d6 | Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 35781875-8026-4628-b19b-f6efb4d88a1d | Windows machines should meet requirements for 'System Audit Policies - Object Access' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 2a7a701e-dff3-4da9-9ec5-42cb98594c0b | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 87845465-c458-45f3-af66-dcd62176f397 | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 8316fa92-d69c-4810-8124-62414f560dcf | Windows machines should meet requirements for 'System Audit Policies - System' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | e068b215-0026-4354-b347-8fb2766f73a2 | Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 8537fe96-8cbe-43de-b0ef-131bc72bc22a | Windows machines should meet requirements for 'Windows Components' | Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 35d9882c-993d-44e6-87d2-db66ce21b636 | Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | f79fef0d-0050-4c18-a303-5babb9c14ac7 | Windows machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
Guest Configuration | Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows web servers should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (7) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (2) •Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (3) •Microsoft.Compute/virtualMachines •Microsoft.ConnectedVMwarevSphere/virtualMachines •Microsoft.HybridCompute/machines | GA | BuiltIn |
HDInsight | HDInsight | b0ab5b05-1c98-40f7-bb9e-dc568e41b501 | Azure HDInsight clusters should be injected into a virtual network | Injecting Azure HDInsight clusters in a virtual network unlocks advanced HDInsight networking and security features and provides you with control over your network security configuration. | Default: Audit Allowed: (Audit, Disabled, Deny) | | IF (3) •Microsoft.HDInsight/clusters/computeProfile.roles[*] •Microsoft.HDInsight/clusters/computeProfile.roles[*].virtualNetworkProfile.id •Microsoft.HDInsight/clusters/computeProfile.roles[*].virtualNetworkProfile.subnet | IF (1) •Microsoft.HDInsight/clusters | GA | BuiltIn |
HDInsight | HDInsight | 64d314f6-6062-4780-a861-c23e8951bee5 | Azure HDInsight clusters should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.HDInsight/clusters/diskEncryptionProperties.keyName | IF (1) •Microsoft.HDInsight/clusters | GA | BuiltIn |
HDInsight | HDInsight | 1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6 | Azure HDInsight clusters should use encryption at host to encrypt data at rest | Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.HDInsight/clusters/diskEncryptionProperties.encryptionAtHost | IF (1) •Microsoft.HDInsight/clusters | GA | BuiltIn |
HDInsight | HDInsight | d9da03a1-f3c3-412a-9709-947156872263 | Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.HDInsight/clusters/encryptionInTransitProperties.isEncryptionInTransitEnabled | IF (1) •Microsoft.HDInsight/clusters | GA | BuiltIn |
HDInsight | HDInsight | c8cc2f85-e019-4065-9fa3-5e6a2b2dde56 | Azure HDInsight should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | IF (1) •Microsoft.HDInsight/clusters/networkProperties.privateLink THEN-ExistenceCondition (1) •Microsoft.HDInsight/clusters/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.HDInsight/clusters | GA | BuiltIn |
HDInsight | HDInsight | 43d6e3bd-fc6a-4b44-8b4d-2151d8736a11 | Configure Azure HDInsight clusters to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://aka.ms/hdi.pl. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId | IF (2) •Microsoft.HDInsight/clusters •Microsoft.Network/privateEndpoints | GA | BuiltIn |
HDInsight | HDInsight | 2676090a-4baf-46ac-9085-4ac02cc50e3e | Configure Azure HDInsight clusters with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor | IF (1) •Microsoft.HDInsight/clusters/networkProperties.privateLink THEN-ExistenceCondition (1) •Microsoft.HDInsight/clusters/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.HDInsight/clusters THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments | GA | BuiltIn |
Healthcare APIs | Healthcare APIs | fe1c9040-c46a-4e81-9aea-c7850fbb3aa6 | CORS should not allow every domain to access your FHIR Service | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. | Default: Audit Allowed: (audit, Audit, disabled, Disabled) | | IF (1) •Microsoft.HealthcareApis/workspaces/fhirservices/corsConfiguration.origins[*] | IF (1) •Microsoft.HealthcareApis/workspaces/fhirservices | GA | BuiltIn |
Internet of Things | Internet of Things | 2d7e144b-159c-44fc-95c1-ac3dbf5e6e54 | [Preview]: Azure IoT Hub should use customer-managed key to encrypt data at rest | Encryption of data at rest in IoT Hub with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Customer-managed keys must be configured during creation of IoT Hub. For more information on how to configure customer-managed keys, see https://aka.ms/iotcmk. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.Devices/IotHubs/encryption.keyVaultProperties[*] •Microsoft.Devices/IotHubs/encryption.keyVaultProperties[*].keyIdentifier | IF (1) •Microsoft.Devices/IotHubs | Preview | BuiltIn |
Internet of Things | Internet of Things | 47031206-ce96-41f8-861b-6a915f3de284 | [Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) | Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.Devices/provisioningServices/encryption.keyVaultProperties[*] •Microsoft.Devices/provisioningServices/encryption.keyVaultProperties[*].keyIdentifier | IF (1) •Microsoft.Devices/provisioningServices | Preview | BuiltIn |
Internet of Things | Internet of Things | 27d4c5ec-8820-443f-91fe-1215e96f64b2 | Azure Device Update for IoT Hub accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Device Update for IoT Hub accounts, data leakage risks are reduced. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | | THEN-ExistenceCondition (3) •Microsoft.DeviceUpdate/accounts/privateEndpointConnections/privateEndpoint •Microsoft.DeviceUpdate/accounts/privateEndpointConnections/privateLinkServiceConnectionState.status •Microsoft.DeviceUpdate/accounts/privateEndpointConnections/provisioningState | IF (1) •Microsoft.DeviceUpdate/accounts | GA | BuiltIn |
Internet of Things | Internet of Things | 672d56b3-23a7-4a3c-a233-b77ed7777518 | Azure IoT Hub should have local authentication methods disabled for Service Apis | Disabling local authentication methods improves security by ensuring that Azure IoT Hub exclusively requires Azure Active Directory identities for Service Api authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.Devices/IotHubs/disableLocalAuth | IF (1) •Microsoft.Devices/IotHubs | GA | BuiltIn |
Internet of Things | Internet of Things | 27573ebe-7ef3-4472-a8e1-33aef9ea65c5 | Configure Azure Device Update for IoT Hub accounts to disable public network access | Disabling the public network access property improves security by ensuring your Device Update for IoT Hub can only be accessed from a private endpoint. This policy disables public network access on Device Update for IoT Hub resources. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.DeviceUpdate/accounts/publicNetworkAccess THEN-Operations (1) •Microsoft.DeviceUpdate/accounts/publicNetworkAccess | IF (1) •Microsoft.DeviceUpdate/accounts | GA | BuiltIn |
Internet of Things | Internet of Things | a222b93a-e6c2-4c01-817f-21e092455b2a | Configure Azure Device Update for IoT Hub accounts to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS zone for Device Update for IoT Hub private endpoints. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId | IF (2) •Microsoft.DeviceUpdate/accounts •Microsoft.Network/privateEndpoints | GA | BuiltIn |
Internet of Things | Internet of Things | 5b9d063f-c5fd-4750-a489-1258d1fefcbf | Configure Azure Device Update for IoT Hub accounts with private endpoint | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, Contributor | THEN-ExistenceCondition (1) •Microsoft.DeviceUpdate/accounts/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.DeviceUpdate/accounts THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Internet of Things | Internet of Things | 9f8ba900-a70f-486e-9ffc-faf907305376 | Configure Azure IoT Hub to disable local authentication | Disable local authentication methods so that your Azure IoT Hub exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.Devices/IotHubs/disableLocalAuth THEN-Operations (1) •Microsoft.Devices/IotHubs/disableLocalAuth |
IF (1) •Microsoft.Devices/IotHubs |
GA | BuiltIn |
Internet of Things | Internet of Things | aaa64d2d-2fa3-45e5-b332-0b031b9b30e8 | Configure IoT Hub device provisioning instances to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://aka.ms/iotdpsvnet. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Internet of Things | Internet of Things | 859dfc91-ea35-43a6-8256-31271c363794 | Configure IoT Hub device provisioning service instances to disable public network access | Disable public network access for your IoT Hub device provisioning instance so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/iotdpsvnet. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.Devices/provisioningServices/publicNetworkAccess THEN-Operations (1) •Microsoft.Devices/provisioningServices/publicNetworkAccess |
IF (1) •Microsoft.Devices/provisioningServices |
GA | BuiltIn |
Internet of Things | Internet of Things | 9b75ea5b-c796-4c99-aaaf-21c204daac43 | Configure IoT Hub device provisioning service instances with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to IoT Hub device provisioning service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/iotdpsvnet. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor | THEN-ExistenceCondition (2) •Microsoft.Devices/provisioningServices/privateEndpointConnections[*] •Microsoft.Devices/provisioningServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Devices/provisioningServices THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Internet of Things | Internet of Things | c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02 | Deploy - Configure Azure IoT Hubs to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. | Default: DeployIfNotExists Allowed: (deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Network Contributor, Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Internet of Things | Internet of Things | bf684997-3909-404e-929c-d4a38ed23b2e | Deploy - Configure Azure IoT Hubs with private endpoints | A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, Contributor | THEN-ExistenceCondition (1) •Microsoft.Devices/IotHubs/PrivateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Devices/IotHubs THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Internet of Things | Internet of Things | d82101f3-f3ce-4fc5-8708-4c09f4009546 | IoT Hub device provisioning service instances should disable public network access | Disabling public network access improves security by ensuring that IoT Hub device provisioning service instance isn't exposed on the public internet. Creating private endpoints can limit exposure of the IoT Hub device provisioning instances. Learn more at: https://aka.ms/iotdpsvnet. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Devices/provisioningServices/publicNetworkAccess |
IF (1) •Microsoft.Devices/provisioningServices |
GA | BuiltIn | |
Internet of Things | Internet of Things | df39c015-56a4-45de-b4a3-efe77bed320d | IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Default: Audit Allowed: (Audit, Disabled) | IF (2) •Microsoft.Devices/provisioningServices/privateEndpointConnections[*] •Microsoft.Devices/provisioningServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Devices/provisioningServices |
GA | BuiltIn | |
Internet of Things | Internet of Things | 114eec6e-5e59-4bad-999d-6eceeb39d582 | Modify - Configure Azure IoT Hubs to disable public network access | Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.Devices/IotHubs/publicNetworkAccess THEN-Operations (1) •Microsoft.Devices/IotHubs/publicNetworkAccess |
IF (1) •Microsoft.Devices/IotHubs |
GA | BuiltIn |
Internet of Things | Internet of Things | 0d40b058-9f95-4a19-93e3-9b0330baa2a3 | Private endpoint should be enabled for IoT Hub | Private endpoint connections enforce secure communication by enabling private connectivity to IoT Hub. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: Audit Allowed: (Audit, Disabled) | IF (2) •Microsoft.Devices/IotHubs/privateEndpointConnections[*] •Microsoft.Devices/IotHubs/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Devices/IotHubs |
GA | BuiltIn | |
Internet of Things | Internet of Things | 510ec8b2-cb9e-461d-b7f3-6b8678c31182 | Public network access for Azure Device Update for IoT Hub accounts should be disabled | Disabling the public network access property improves security by ensuring your Azure Device Update for IoT Hub accounts can only be accessed from a private endpoint. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.DeviceUpdate/accounts/publicNetworkAccess |
IF (1) •Microsoft.DeviceUpdate/accounts |
GA | BuiltIn | |
Internet of Things | Internet of Things | 2d6830fb-07eb-48e7-8c4d-2a442b35f0fb | Public network access on Azure IoT Hub should be disabled | Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Devices/IotHubs/publicNetworkAccess |
IF (1) •Microsoft.Devices/IotHubs |
GA | BuiltIn | |
Internet of Things | Internet of Things | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (4) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled |
IF (1) •Microsoft.Devices/IotHubs |
GA | BuiltIn | |
Key Vault | Key Vault | 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5 | [Preview]: Azure Key Vault Managed HSM keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | | Preview | BuiltIn |
Key Vault | Key Vault | ad27588c-0198-4c84-81ef-08efd0274653 | [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration | If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | | Preview | BuiltIn |
Key Vault | Key Vault | e58fd0c1-feac-4d12-92db-0a7e9421f53e | [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names | Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | | Preview | BuiltIn |
Key Vault | Key Vault | 86810a98-8e91-4a44-8386-ec66d0de5d57 | [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size | Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | | Preview | BuiltIn |
Key Vault | Key Vault | 19ea9d63-adee-4431-a95e-1913c6c1c75f | [Preview]: Azure Key Vault Managed HSM should disable public network access | Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.KeyVault/managedHSMs/createMode •Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction | IF (1) •Microsoft.KeyVault/managedHSMs | Preview | BuiltIn |
Key Vault | Key Vault | 59fee2f4-d439-4f1b-9b9a-982e1474bfd8 | [Preview]: Azure Key Vault Managed HSM should use private link | Private link provides a way to connect Azure Key Vault Managed HSM to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link | Default: Audit Allowed: (Audit, Disabled) | | IF (3) •Microsoft.KeyVault/managedHSMs/privateEndpointConnections •Microsoft.KeyVault/managedHSMs/privateEndpointConnections[*] •Microsoft.KeyVault/managedHSMs/privateEndpointConnections[*].privateLinkServiceConnectionState.status | IF (1) •Microsoft.KeyVault/managedHSMs | Preview | BuiltIn |
Key Vault | Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | [Preview]: Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.KeyVault/vaults/createMode •Microsoft.KeyVault/vaults/networkAcls.defaultAction | IF (1) •Microsoft.KeyVault/vaults | Preview | BuiltIn |
Key Vault | Key Vault | a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | [Preview]: Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.KeyVault/vaults/privateEndpointConnections[*] •Microsoft.KeyVault/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status | IF (1) •Microsoft.KeyVault/vaults | Preview | BuiltIn |
Key Vault | Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | [Preview]: Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | | | | Preview | BuiltIn |
Key Vault | Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | [Preview]: Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | | | | Preview | BuiltIn |
Key Vault | Key Vault | 84d327c3-164a-4685-b453-900478614456 | [Preview]: Configure Azure Key Vault Managed HSM to disable public network access | Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. | Default: Modify Allowed: (Modify, Disabled) | Managed HSM contributor | IF (1) •Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction THEN-Operations (1) •Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction | IF (1) •Microsoft.KeyVault/managedHSMs | Preview | BuiltIn |
Key Vault | Key Vault | d1d6d8bb-cc7c-420f-8c7d-6f6f5279a844 | [Preview]: Configure Azure Key Vault Managed HSM with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Key Vault Managed HSM, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, Managed HSM contributor | THEN-ExistenceCondition (1) •Microsoft.KeyVault/managedHSMs/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.KeyVault/managedHSMs THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments | Preview | BuiltIn |
Key Vault | Key Vault | ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 | [Preview]: Configure Azure Key Vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] | IF (1) •Microsoft.Network/privateEndpoints | Preview | BuiltIn |
Key Vault | Key Vault | 9d4fad1f-5189-4a42-b29e-cf7929c6b6df | [Preview]: Configure Azure Key Vaults with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, Key Vault Contributor | THEN-ExistenceCondition (1) •Microsoft.KeyVault/vaults/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.KeyVault/vaults THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments | Preview | BuiltIn |
Key Vault | Key Vault | ac673a9a-f77d-4846-b2d8-a57f8e1c01dc | [Preview]: Configure key vaults to disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Default: Modify Allowed: (Modify, Disabled) | Key Vault Contributor | IF (1) •Microsoft.KeyVault/vaults/networkAcls.defaultAction THEN-Operations (1) •Microsoft.KeyVault/vaults/networkAcls.defaultAction | IF (1) •Microsoft.KeyVault/vaults | Preview | BuiltIn |
Key Vault | Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Preview]: Private endpoint should be configured for Key Vault | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (1) •Microsoft.KeyVault/vaults/privateEndpointConnections | IF (1) •Microsoft.KeyVault/vaults | Preview | BuiltIn |
Key Vault | Key Vault | c39ba22d-4428-4149-b981-70acb31fc383 | Azure Key Vault Managed HSM should have purge protection enabled | Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.KeyVault/managedHsms/enablePurgeProtection •Microsoft.KeyVault/managedHsms/enableSoftDelete | IF (1) •Microsoft.KeyVault/managedHsms | GA | BuiltIn |
Key Vault | Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | Certificates should be issued by the specified integrated certificate authority | Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault, such as Digicert or GlobalSign. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | Certificates should have the specified lifetime action triggers | Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | Certificates should use allowed key types | Manage your organizational compliance requirements by restricting the key types allowed for certificates. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | Certificates using elliptic curve cryptography should have allowed curve names | Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | cee51871-e572-4576-855c-047c820360f0 | Certificates using RSA cryptography should have the specified minimum key size | Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | keyvault_deny-access-policies-with-certificate-authorities-roles | Deny creation of access policies with certificate authorities roles | This policy prevents the creation of key vault access policies with certificate authorities roles. | Default: Deny Allowed: (Audit, Deny, Disabled) | | | | GA | Community |
Key Vault | Key Vault | keyvault_deny-deployment-with-access-to-specific-services-(vm,-arm,-ade) | Deny deployment with access to specific services (VM, ARM, ADE) | This policy prevents specific services (VM, ARM, ADE) from accessing the key vault. | Default: audit Allowed: (audit, deny, disabled) | | | | GA | Community |
Key Vault | Key Vault | keyvault_deny-deployment-with-azure-rbac-enabled | Deny deployment with Azure RBAC enabled | This policy denies deployment with Azure RBAC enabled. | Default: audit Allowed: (audit, deny, disabled) | | | | GA | Community |
Key Vault | Key Vault | 951af2fa-529b-416e-ab6e-066fd85ac459 | Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor, Log Analytics Contributor | THEN-ExistenceCondition (3) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/metrics.enabled •Microsoft.Insights/diagnosticSettings/workspaceId | IF (1) •Microsoft.KeyVault/vaults | GA | BuiltIn |
Key Vault | Key Vault | a6d2c800-5230-4a40-bff3-8268b4987d42 | Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM | Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Event Hub when any Azure Key Vault Managed HSM that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor | THEN-ExistenceCondition (2) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/metrics.enabled | IF (1) •Microsoft.KeyVault/managedHsms | GA | BuiltIn |
Key Vault | Key Vault | ed7c8c13-51e7-49d1-8a43-8490431a0da2 | Deploy Diagnostic Settings for Key Vault to Event Hub | Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault that is missing these diagnostic settings is created or updated. | Fixed: deployIfNotExists | Contributor | THEN-ExistenceCondition (4) •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].enabled •Microsoft.Insights/diagnosticSettings/metrics[*] •Microsoft.Insights/diagnosticSettings/metrics[*].enabled | IF (1) •Microsoft.KeyVault/vaults | GA | BuiltIn |
Key Vault | Key Vault | keyvault_deploy-soft-delete-and-purge-protection | Enable soft-delete and purge protection on Key Vaults | This policy will enable soft-delete and purge protection on all Key Vaults. | Fixed: DeployIfNotExists | Key Vault Contributor | IF (2) •Microsoft.KeyVault/vaults/enablePurgeProtection •Microsoft.KeyVault/vaults/enableSoftDelete THEN-ExistenceCondition (2) •Microsoft.KeyVault/vaults/enablePurgeProtection •Microsoft.KeyVault/vaults/enableSoftDelete | IF (1) •Microsoft.KeyVault/vaults THEN-Deployment (1) •Microsoft.KeyVault/vaults | GA | Community |
Key Vault | Key Vault | keyvault_enforce-key-vault-firewall-blocking-public-access | Enforce key vault firewall blocking public access | This policy prevents setting the key vault public firewall to allow all, or having any vnet/ip rules. | Default: Deny Allowed: (Audit, Deny, Disabled) | | | | GA | Community |
Key Vault | Key Vault | keyvault_enforce-key-vault-premium-sku | Enforce key vault premium SKU | This policy enforces the premium SKU for key vaults. | Default: Deny Allowed: (Deny, Audit, Disabled) | | IF (1) •Microsoft.KeyVault/Vaults/sku.name | | GA | Community |
Key Vault | Key Vault | key-vault-diagnostic-settings-aine | Key Vault - Diagnostic Settings AINE | This Azure Policy creates an audit event when all logs and metrics are not sent to a specified Log Analytics Workspace. | Fixed: [parameters('policyEffect')] | | THEN-ExistenceCondition (7) •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].category •Microsoft.Insights/diagnosticSettings/logs[*].enabled •Microsoft.Insights/diagnosticSettings/metrics[*] •Microsoft.Insights/diagnosticSettings/metrics[*].category •Microsoft.Insights/diagnosticSettings/metrics[*].enabled •Microsoft.Insights/diagnosticSettings/workspaceId | IF (1) •Microsoft.KeyVault/vaults | GA | Community |
Key Vault | Key Vault | key-vault-diagnostic-settings-dine | Key Vault - Diagnostic Settings DINE | This Azure Policy creates a deployment to send all logs and metrics to a specified Log Analytics Workspace. | Fixed: [parameters('policyEffect')] | Monitoring Contributor, Log Analytics Contributor | THEN-ExistenceCondition (7) •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].category •Microsoft.Insights/diagnosticSettings/logs[*].enabled •Microsoft.Insights/diagnosticSettings/metrics[*] •Microsoft.Insights/diagnosticSettings/metrics[*].category •Microsoft.Insights/diagnosticSettings/metrics[*].enabled •Microsoft.Insights/diagnosticSettings/workspaceId | IF (1) •Microsoft.KeyVault/vaults | GA | Community |
Key Vault | Key Vault | key-vault-firewall-settings-audit | Key Vault - Firewall Settings AUDIT | This Azure Policy creates an audit event when the 'Allow access from' setting is not set to 'Private endpoints and selected networks' or when the Firewall contains any IP addresses outside of the approved ones. | Default: Audit Allowed: () | | IF (2) •Microsoft.KeyVault/vaults/networkAcls.defaultAction •Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value | IF (1) •Microsoft.KeyVault/vaults | GA | Community |
Key Vault | Key Vault | key-vault-firewall-settings-deny | Key vault - Firewall Settings DENY | This Azure Policy denies the deployment of an Azure Key Vault when the 'Allow access from' setting is not set to 'Private endpoints and selected networks' or when the Firewall contains any IP addresses outside of the approved ones. | Default: Deny Allowed: () | | IF (2) •Microsoft.KeyVault/vaults/networkAcls.defaultAction •Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value | IF (1) •Microsoft.KeyVault/vaults | GA | Community |
Key Vault | Key Vault | key-vault-sku-setting-audit | Key Vault - SKU Setting AUDIT | This Azure Policy creates an audit event when the 'SKU' setting is not included in the 'allowedSKUSetting' parameter. | Default: Audit Allowed: () | | IF (1) •Microsoft.KeyVault/vaults/sku.name | IF (1) •Microsoft.KeyVault/vaults | GA | Community |
Key Vault | Key Vault | key-vault-sku-setting-deny | Key Vault - SKU Setting DENY | This Azure Policy denies the creation of an Azure Key Vault when the 'SKU' setting is not included in the 'allowedSKUSetting' parameter. | Default: Deny Allowed: () | | IF (1) •Microsoft.KeyVault/vaults/sku.name | IF (1) •Microsoft.KeyVault/vaults | GA | Community |
Key Vault | Key Vault | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | 98728c90-32c7-4049-8429-847dc0f4fe37 | Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key vaults should have purge protection enabled | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (3) •Microsoft.KeyVault/vaults/createMode •Microsoft.KeyVault/vaults/enablePurgeProtection •Microsoft.KeyVault/vaults/enableSoftDelete | IF (1) •Microsoft.KeyVault/vaults | GA | BuiltIn |
Key Vault | Key Vault | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Default: Audit Allowed: (Audit, Deny, Disabled) | | IF (2) •Microsoft.KeyVault/vaults/createMode •Microsoft.KeyVault/vaults/enableSoftDelete | IF (1) •Microsoft.KeyVault/vaults | GA | BuiltIn |
Key Vault | Key Vault | 587c79fe-dd04-4a5e-9d0b-f89598c7261b | Keys should be backed by a hardware security module (HSM) | An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM, which provides a greater level of security than a software key. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | 75c4f823-d65c-4f29-a733-01d0077fdbcb | Keys should be the specified cryptographic type RSA or EC | Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | 5ff38825-c5d8-47c5-b70e-069a21955146 | Keys should have more than the specified number of days before expiration | If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | 49a22571-d204-4c91-a7b6-09b1a586fbc9 | Keys should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 | Keys should not be active for longer than the specified number of days | Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | ff25f3c8-b739-4538-9d07-3d6d25cfb255 | Keys using elliptic curve cryptography should have the specified curve names | Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. | Default: Audit Allowed: (Audit, Deny, Disabled) | | | | GA | BuiltIn |
Key Vault | Key Vault | 82067dbb-e53b-4e06-b631-546d197452d9 | Keys using RSA cryptography should have a specified minimum key size | Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. | Default: Audit Allowed: (Audit, Deny, Disabled) | GA | BuiltIn | |||
Key Vault | Key Vault | Append-KV-SoftDelete | KeyVault SoftDelete should be enabled | This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added. | Fixed: append | IF (1) •Microsoft.KeyVault/vaults/enableSoftDelete THEN-Details (1) •Microsoft.KeyVault/vaults/enableSoftDelete |
IF (1) •Microsoft.KeyVault/vaults |
GA | ESLZ | |
Key Vault | Key Vault | keyvault_prevent-key-vault-access-to-trusted-services | Prevent key vault access to trusted services | This policy prevents key vault access to trusted services. | Default: Deny Allowed: (Audit, Deny, Disabled) | GA | Community | |||
Key Vault | Key Vault | a2a5b911-5617-447e-a49e-59dbe0e0434b | Resource logs in Azure Key Vault Managed HSM should be enabled | To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.KeyVault/managedHsms |
GA | BuiltIn | |
Key Vault | Key Vault | cf820ca0-f99e-4f3e-84fb-66e913812d21 | Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.KeyVault/vaults |
GA | BuiltIn | |
Key Vault | Key Vault | 75262d3e-ba4a-4f43-85f8-9f72c090e5e3 | Secrets should have content type set | A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. | Default: Audit Allowed: (Audit, Deny, Disabled) | GA | BuiltIn | |||
Key Vault | Key Vault | b0eb591a-5e70-4534-a8bf-04b9c489584a | Secrets should have more than the specified number of days before expiration | If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. | Default: Audit Allowed: (Audit, Deny, Disabled) | GA | BuiltIn | |||
Key Vault | Key Vault | 342e8053-e12e-4c44-be01-c3c2f318400f | Secrets should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. | Default: Audit Allowed: (Audit, Deny, Disabled) | GA | BuiltIn | |||
Key Vault | Key Vault | e8d99835-8a06-45ae-a8e0-87a91941ccfe | Secrets should not be active for longer than the specified number of days | If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. | Default: Audit Allowed: (Audit, Deny, Disabled) | GA | BuiltIn | |||
Kubernetes | Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.Kubernetes/connectedClusters |
Deprecated | BuiltIn | ||
Kubernetes | Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Deprecated]: Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Deprecated | BuiltIn | ||
Kubernetes | Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | IF (2) •Microsoft.Kubernetes/connectedClusters/connectivityStatus •Microsoft.Kubernetes/connectedClusters/distribution THEN-ExistenceCondition (2) •Microsoft.KubernetesConfiguration/extensions/extensionType •Microsoft.KubernetesConfiguration/extensions/provisioningState |
IF (1) •Microsoft.Kubernetes/connectedClusters |
Preview | BuiltIn | |
Kubernetes | Kubernetes | 6b2122c1-8120-4ff5-801b-17625a355590 | [Preview]: Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.KubernetesConfiguration/extensions/extensionType |
IF (1) •Microsoft.Kubernetes/connectedClusters |
Preview | BuiltIn | |
Kubernetes | Kubernetes | a1840de2-8088-4ea8-b153-b4c723e9cb01 | [Preview]: Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters/securityProfile.azureDefender.enabled |
IF (1) •Microsoft.ContainerService/managedClusters |
Preview | BuiltIn | |
Kubernetes | Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor, Log Analytics Contributor | IF (2) •Microsoft.Kubernetes/connectedClusters/connectivityStatus •Microsoft.Kubernetes/connectedClusters/distribution THEN-ExistenceCondition (2) •Microsoft.KubernetesConfiguration/extensions/extensionType •Microsoft.KubernetesConfiguration/extensions/provisioningState |
IF (1) •Microsoft.Kubernetes/connectedClusters THEN-Deployment (4) •Microsoft.KubernetesConfiguration/extensions •Microsoft.OperationalInsights/workspaces •Microsoft.Resources/deployments •Microsoft.Resources/resourceGroups |
Preview | BuiltIn |
Kubernetes | Kubernetes | 0adc5395-9169-4b9b-8687-af838d69410a | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Kubernetes Extension Contributor | THEN-ExistenceCondition (1) •Microsoft.KubernetesConfiguration/extensions/extensionType |
IF (1) •Microsoft.Kubernetes/connectedClusters THEN-Deployment (1) •Microsoft.KubernetesConfiguration/extensions |
Preview | BuiltIn |
Kubernetes | Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | [Preview]: Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor, Log Analytics Contributor | THEN-ExistenceCondition (1) •Microsoft.ContainerService/managedClusters/securityProfile.azureDefender.enabled |
IF (1) •Microsoft.ContainerService/managedClusters THEN-Deployment (4) •Microsoft.ContainerService/ManagedClusters •Microsoft.OperationalInsights/workspaces •Microsoft.Resources/deployments •Microsoft.Resources/resourceGroups |
Preview | BuiltIn |
Kubernetes | Kubernetes | 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 | [Preview]: Kubernetes clusters should gate deployment of vulnerable images | Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | BuiltIn | ||
Kubernetes | Kubernetes | b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | [Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | BuiltIn | ||
Kubernetes | Kubernetes | kubernetes_aks-prevent-load-balancer-profile | AKS prevent load balancer profile | This policy prevent load balancer profile for aks. | Default: Deny Allowed: (Audit, Deny, Disabled) | GA | Community | |||
Kubernetes | Kubernetes | kubernetes_aks-prevent-node-public-ip | AKS prevent node public ip | This policy prevent node public ip for aks. | Default: Deny Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters/agentPoolProfiles[*] |
GA | Community | ||
Kubernetes | Kubernetes | 73868911-4f4a-444f-adbd-5382bf70208a | Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed | Open Service Mesh extension provides all standard service mesh capabilities for security, traffic management and observability of application services. Learn more here: https://aka.ms/arc-osm-doc | Default: DeployIfNotExists Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled) | Owner | IF (1) •Microsoft.Kubernetes/connectedClusters/connectivityStatus THEN-ExistenceCondition (2) •Microsoft.KubernetesConfiguration/extensions/extensionType •Microsoft.KubernetesConfiguration/extensions/provisioningState |
IF (1) •Microsoft.Kubernetes/connectedClusters THEN-Deployment (2) •Microsoft.KubernetesConfiguration/extensions •Microsoft.Resources/deployments |
GA | BuiltIn |
Kubernetes | Kubernetes | 89f2d532-c53c-4f8f-9afa-4927b1114a0d | Azure Kubernetes Service Clusters should disable Command Invoke | Disabling command invoke can enhance the security by avoiding bypass of restricted network access or Kubernetes role-based access control | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters/apiServerAccessProfile.disableRunCommand |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | |
Kubernetes | Kubernetes | 450d2877-ebea-41e8-b00c-e286317d21bf | Azure Kubernetes Service Clusters should enable Azure Active Directory integration | AKS-managed Azure Active Directory integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters/aadProfile |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | |
Kubernetes | Kubernetes | 993c2fcd-2b29-49d2-9eb0-df2c3a730c32 | Azure Kubernetes Service Clusters should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters/disableLocalAccounts |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | |
Kubernetes | Kubernetes | da6e2401-19da-4532-9141-fb8fbde08431 | Azure Kubernetes Service Clusters should use managed identities | Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to managed service principals. Learn more at: https://aka.ms/aks-update-managed-identities | Default: Audit Allowed: (Audit, Disabled) | IF (2) •Microsoft.ContainerService/managedClusters/servicePrincipalProfile •Microsoft.ContainerService/managedClusters/servicePrincipalProfile.clientId |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | |
Kubernetes | Kubernetes | 040732e8-d947-40b8-95d6-854c95024bf8 | Azure Kubernetes Service Private Clusters should be enabled | Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | |
Kubernetes | Kubernetes | 0a15ec92-a229-4763-bb14-0ea34a568f8d | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters/addonProfiles.azurePolicy.enabled |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | |
Kubernetes | Kubernetes | 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 | Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters/diskEncryptionSetID |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | |
Kubernetes | Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access | Ensure to improve cluster security by centrally govern Administrator access to Azure Active Directory integrated AKS clusters. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Kubernetes Service Contributor Role, Azure Kubernetes Service Policy Add-on Deployment | IF (1) •Microsoft.ContainerService/managedClusters/aadProfile THEN-ExistenceCondition (1) •Microsoft.ContainerService/managedClusters/aadProfile.adminGroupObjectIDs[*] |
IF (1) •Microsoft.ContainerService/managedClusters THEN-Deployment (2) •Microsoft.ContainerService/managedClusters •Microsoft.Resources/deployments |
GA | BuiltIn |
Kubernetes | Kubernetes | a6f560f4-f582-4b67-b123-a37dcd1bf7ea | Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Contributor | THEN-ExistenceCondition (5) •Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator •Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues •Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion •Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams •Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn |
Kubernetes | Kubernetes | 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 | Configure Kubernetes clusters with specified GitOps configuration using no secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Contributor | THEN-ExistenceCondition (5) •Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator •Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues •Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion •Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams •Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn |
Kubernetes | Kubernetes | c050047b-b21b-4822-8a2d-c1e37c3c0c6a | Configure Kubernetes clusters with specified GitOps configuration using SSH secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default: DeployIfNotExists Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled) | Contributor | THEN-ExistenceCondition (6) •Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator •Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues •Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion •Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams •Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl •Microsoft.KubernetesConfiguration/sourceControlConfigurations/sshKnownHostsContents |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn |
Kubernetes | Kubernetes | 6c66c325-74c8-42fd-a286-a74b0e2939d8 | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor, Log Analytics Contributor | THEN-ExistenceCondition (3) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/metrics.enabled •Microsoft.Insights/diagnosticSettings/workspaceId |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn |
Kubernetes | Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Kubernetes Service Contributor Role, Azure Kubernetes Service Policy Add-on Deployment | THEN-ExistenceCondition (1) •Microsoft.ContainerService/managedClusters/addonProfiles.azurePolicy.enabled |
IF (1) •Microsoft.ContainerService/managedClusters THEN-Deployment (2) •Microsoft.ContainerService/managedClusters •Microsoft.Resources/deployments |
GA | BuiltIn |
Kubernetes | Kubernetes | 1b708b0a-3380-40e9-8b79-821f9fa224cc | Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Azure Kubernetes Service Contributor Role, Azure Kubernetes Service Policy Add-on Deployment | THEN-ExistenceCondition (1) •Microsoft.ContainerService/managedClusters/apiServerAccessProfile.disableRunCommand |
IF (1) •Microsoft.ContainerService/managedClusters THEN-Deployment (2) •Microsoft.ContainerService/managedClusters •Microsoft.Resources/deployments |
GA | BuiltIn |
Kubernetes | Kubernetes | kubernetes_enforce-aks-aad-support | Enforce AKS aad support | This policy enforces aad support for AKS. | Default: Deny Allowed: (Audit, Deny, Disabled) | GA | Community | |||
Kubernetes | Kubernetes | kubernetes_enforce-aks-network-plugin | Enforce AKS network plugin | This policy enforces network plugin for AKS. | Default: Deny Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters/networkProfile.networkPlugin |
GA | Community | ||
Kubernetes | Kubernetes | kubernetes_enforce-aks-outbound-type | Enforce AKS outbound type | This policy enforces outbound type for AKS. | Default: Deny Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters/networkProfile.outboundType |
GA | Community | ||
Kubernetes | Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | kubernetes_allowed-external-ips | Ensure only allowed External IPs are used in Kubernetes Cluster | This policy ensures only allowed external ips are used in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes | Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' image pull policy so that deployments run only allowed images. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read-only root file system to protect against run-time changes, such as malicious binaries being added to PATH, in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Restrict services to allowed external IPs to mitigate traffic interception via Service externalIPs (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow creation of privileged containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster windows containers should not overcommit cpu and memory | Windows container resource requests should be less than or equal to the resource limit, or left unspecified, to avoid overcommit. If Windows memory is over-provisioned, it pages to disk, which slows performance, instead of terminating the container with an out-of-memory error. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network-layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, visit https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions because of CVE-2021-25740: Endpoint and EndpointSlice write permissions allow cross-namespace forwarding (see https://github.com/kubernetes/kubernetes/issues/103675). This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | d2e7ea85-6b44-4317-a0be-1b951587f626 | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Block specific Linux security capabilities in Kubernetes clusters so that a Pod resource cannot obtain privileges it was not granted. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | ||
Kubernetes | Kubernetes | 245fc9df-fa96-4414-9a0b-3738c2f7341c | Resource logs in Azure Kubernetes Service should be enabled | Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable them to make sure the logs exist when needed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | |
Kubernetes | Kubernetes | 41425d9f-d1a5-499a-9932-f8ed8453932c | Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service node VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.ContainerService/managedClusters/agentPoolProfiles[*] •Microsoft.ContainerService/managedClusters/agentPoolProfiles[*].enableEncryptionAtHost |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | BuiltIn | |
Kubernetes PSP | Kubernetes PSP | kubernetes_block-default-namespace | Block usage of the default namespace in a Kubernetes cluster | This policy blocks usage of the default namespace in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_allowed-host-paths | Control allowed Host Paths on volumes in a Kubernetes Cluster | This policy controls valid host paths that are allowed to be used by hostPath volumes in a Kubernetes Cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_allowed-proc-mount-types | Control allowed Proc Mount Type on pods in a Kubernetes Cluster | This policy controls valid ProcMount types on pods in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_host-network-ports | Control whether a Pod may use the Host Network, and allow Host Ports in a Kubernetes Cluster | This policy controls whether pod may use the host network, and allows host ports in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_allowed-users | Control which user ID containers are run with in a Kubernetes Cluster | This policy controls allowed user IDs for containers to run with in a Kubernetes Cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_container-no-privilege-escalation | Do not allow container privilege escalation in Kubernetes cluster | This policy does not allow containers to use privilege escalation in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_block-host-namespace | Do not allow sharing of host process ID and IPC namespaces in a Kubernetes Cluster | This policy blocks pod containers from sharing the host process ID namespace and IPC namespace in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_container-disallowed-capabilities | Ensure disallowed capabilities are not used in Kubernetes Cluster | This policy ensures specified security capabilities are not used inside a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_enforce-apparmor-profile | Ensure only allowed AppArmor profiles are used in Kubernetes Cluster | This policy ensures containers define an AppArmor profile and only use allowed AppArmor profiles. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_container-allowed-capabilities | Ensure only allowed capabilities are used in Kubernetes Cluster | This policy ensures that containers add only the specified security capabilities and drop the required ones inside a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_selinux | Ensure only allowed SELinux options are used in a Kubernetes cluster | This policy ensures only allowed SELinux options are used in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) | Preview | Community | |||
Kubernetes PSP | Kubernetes PSP | kubernetes_allowed-volume-types | Ensure only allowed Volume Types are used in Kubernetes Cluster | This policy ensures only allowed volume types are used in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_allowed-seccomp-profiles | Ensure Pods use only allowed Seccomp Profiles in a Kubernetes Cluster | This policy ensures Pods in a Kubernetes cluster only use allowed Seccomp Profiles. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_read-only-root-filesystem | Ensure Read-Only Access to Root Filesystem in a Kubernetes Cluster | This policy ensures pods only have read-only access to the root filesystem in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_forbidden-sysctl-interfaces | Forbid Pods in Kubernetes Cluster from using forbidden Sysctl Interfaces | This policy forbids pods in a Kubernetes cluster from using specified Sysctl Interfaces. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes PSP | Kubernetes PSP | kubernetes_block-automount-token | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit, deny, disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Preview | Community | ||
Kubernetes service | Kubernetes service | 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | [Deprecated]: Do not allow privileged containers in AKS | This policy does not allow creation of privileged containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Deprecated | BuiltIn | ||
Kubernetes service | Kubernetes service | 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | [Deprecated]: Enforce HTTPS ingress in AKS | This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Deprecated | BuiltIn | ||
Kubernetes service | Kubernetes service | a74d8f00-2fd9-4ce4-968e-0ee1eb821698 | [Deprecated]: Enforce internal load balancers in AKS | This policy enforces that load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Deprecated | BuiltIn | ||
Kubernetes service | Kubernetes service | 16c6ca72-89d2-4798-b87e-496f9de7fcb7 | [Deprecated]: Enforce labels on pods in AKS | This policy enforces that the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Deprecated | BuiltIn | ||
Kubernetes service | Kubernetes service | d011d9f7-ba32-4005-b727-b3d09371ca60 | [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS | This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Deprecated | BuiltIn | ||
Kubernetes service | Kubernetes service | 0f636243-1b1c-4d50-880f-310f6199f2cb | [Deprecated]: Ensure containers listen only on allowed ports in AKS | This policy requires containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Deprecated | BuiltIn | ||
Kubernetes service | Kubernetes service | a2d3ed81-8d11-4079-80a5-1faadc0024f4 | [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS | This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Deprecated | BuiltIn | ||
Kubernetes service | Kubernetes service | 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | [Deprecated]: Ensure only allowed container images in AKS | This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Deprecated | BuiltIn | ||
Kubernetes service | Kubernetes service | 25dee3db-6ce0-4c02-ab5d-245887b24077 | [Deprecated]: Ensure services listen only on allowed ports in AKS | This policy requires services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy, Disabled) | IF (1) •Microsoft.ContainerService/managedClusters |
Deprecated | BuiltIn | ||
Kubernetes service | Kubernetes service | kubernetesservice_append-aks-api-ip-restrictions | Append AKS API IP Restrictions | This policy will restrict access to the AKS API server as documented here: https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges | Fixed: append | THEN-Details (1) •Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges |
IF (1) •Microsoft.ContainerService/managedClusters |
GA | Community | |
Lab Services | Lab Services | a6e9cf2d-7d76-440e-b795-8da246bd3aab | Lab Services should enable all options for auto shutdown | This policy helps with cost management by enforcing that all automatic shutdown options are enabled for a lab. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (6) •Microsoft.LabServices/labPlans/defaultAutoShutdownProfile.shutdownOnDisconnect •Microsoft.LabServices/labPlans/defaultAutoShutdownProfile.shutdownOnIdle •Microsoft.LabServices/labPlans/defaultAutoShutdownProfile.shutdownWhenNotConnected •Microsoft.LabServices/labs/autoShutdownProfile.shutdownOnDisconnect •Microsoft.LabServices/labs/autoShutdownProfile.shutdownOnIdle •Microsoft.LabServices/labs/autoShutdownProfile.shutdownWhenNotConnected |
IF (2) •Microsoft.LabServices/labplans •Microsoft.LabServices/labs |
GA | BuiltIn | |
Lighthouse | Lighthouse | 7a8a51a3-ad87-4def-96f3-65a1839242b6 | Allow managing tenant ids to onboard through Azure Lighthouse | Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources. | Fixed: deny | IF (1) •Microsoft.ManagedServices/registrationDefinitions/managedByTenantId |
IF (1) •Microsoft.ManagedServices/registrationDefinitions |
GA | BuiltIn | |
Lighthouse | Lighthouse | 76bed37b-484f-430f-a009-fd7592dff818 | Audit delegation of scopes to a managing tenant | Audit delegation of scopes to a managing tenant via Azure Lighthouse. | Default: Audit Allowed: (Audit, Disabled) | IF (1) •Microsoft.ManagedServices/registrationAssignments |
GA | BuiltIn | ||
Load Balancer | Load Balancer | loadbalancer_deny-load-balancer-outbound-rules | Deny load balancer outbound rules | This policy denies load balancer outbound rules. | Default: Deny Allowed: (Audit, Deny, Disabled) | GA | Community | |||
Load Balancer | Load Balancer | loadbalancer_enforce-disabling-of-snat-in-load-balancer-rules | Enforce disabling of SNAT in load balancer rules | This policy enforces disabling of SNAT in load balancer rules. | Default: Deny Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Network/loadBalancers/loadBalancingRules[*] |
GA | Community | ||
Load Balancer | Load Balancer | loadbalancer_enforce-lb-private-ip-addresses-only-in-frontend-configuration | Enforce load balancer private IP addresses only in frontend configuration | This policy enforces private IP addresses only in the frontend configuration. | Default: Deny Allowed: (Audit, Deny, Disabled) | GA | Community | |||
Load Balancer | Load Balancer | loadbalancer_enforce-load-balancer-regional-tier | Enforce load balancer regional tier | This policy enforces the regional tier for load balancers. | Default: Deny Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Network/loadBalancers/sku.tier |
GA | Community | ||
Load Balancer | Load Balancer | loadbalancer_enforce-load-balancer-standard-sku | Enforce load balancer Standard SKU | This policy enforces the Standard SKU for load balancers. | Default: Deny Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Network/loadBalancers/sku.name |
GA | Community | ||
Logic Apps | Logic Apps | 1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5 | Logic Apps Integration Service Environment should be encrypted with customer-managed keys | Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Logic/integrationServiceEnvironments/encryptionConfiguration |
IF (1) •Microsoft.Logic/integrationServiceEnvironments |
GA | BuiltIn | |
Logic Apps | Logic Apps | dc595cb1-1cde-45f6-8faf-f88874e1c0e1 | Logic Apps should be deployed into Integration Service Environment | Deploying Logic Apps into Integration Service Environment in a virtual network unlocks advanced Logic Apps networking and security features and provides you with greater control over your network configuration. Learn more at: https://aka.ms/integration-service-environment. Deploying into Integration Service Environment also allows encryption with customer-managed keys, which provides enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Logic/workflows/integrationServiceEnvironment |
IF (1) •Microsoft.Logic/workflows |
GA | BuiltIn | |
Logic Apps | Logic Apps | 34f95f76-5386-4de7-b824-0d8478470c9d | Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation when a security incident occurs or your network is compromised. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.Logic/workflows |
GA | BuiltIn | |
Machine Learning | Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide the allowed module authors for specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) | Preview | BuiltIn | |||
Machine Learning | Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide the allowed Python packages for specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) | Preview | BuiltIn | |||
Machine Learning | Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide the registries that are allowed for specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) | Preview | BuiltIn | |||
Machine Learning | Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint that is called before jobs run on specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) | Preview | BuiltIn | |||
Machine Learning | Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Configure code signing for training code on specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) | Preview | BuiltIn | |||
Machine Learning | Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide the log filter expression and the datastore to be used for full logs on specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting, disabled) | Preview | BuiltIn | |||
Machine Learning | Machine Learning | 7804b5c7-01dc-4723-969b-ae300cc07ff1 | Audit Azure Machine Learning Compute Cluster and Instance is behind virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When an Azure Machine Learning Compute instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default: Audit Allowed: (Audit, Disabled) | IF (2) •Microsoft.MachineLearningServices/workspaces/computes/computeType •Microsoft.MachineLearningServices/workspaces/computes/subnet.id |
IF (1) •Microsoft.MachineLearningServices/workspaces/computes |
GA | BuiltIn | |
Machine Learning | Machine Learning | Deny-MachineLearning-PublicNetworkAccess | Azure Machine Learning should have disabled public network access | Denies public network access for Azure Machine Learning workspaces. | Default: Deny Allowed: (Audit, Disabled, Deny) | IF (1) •Microsoft.MachineLearningServices/workspaces/publicNetworkAccess |
IF (1) •Microsoft.MachineLearningServices/workspaces |
GA | ESLZ | |
Machine Learning | Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.MachineLearningServices/workspaces/encryption.status |
IF (1) •Microsoft.MachineLearningServices/workspaces |
GA | BuiltIn | |
Machine Learning | Machine Learning | 438c38d2-3772-465a-a9cc-7a6666a275ce | Azure Machine Learning workspaces should disable public network access | Disabling public network access improves security by ensuring that the machine learning workspaces aren't exposed on the public internet. You can limit exposure of your workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.MachineLearningServices/workspaces/publicNetworkAccess |
IF (1) •Microsoft.MachineLearningServices/workspaces |
GA | BuiltIn | |
Machine Learning | Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*] •Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.MachineLearningServices/workspaces |
GA | BuiltIn | |
Machine Learning | Machine Learning | 5f0c7d88-c7de-45b8-ac49-db49e72eaa78 | Azure Machine Learning workspaces should use user-assigned managed identity | Manage access to the Azure ML workspace and its associated resources (Azure Container Registry, Key Vault, Storage, and App Insights) using a user-assigned managed identity. By default, a system-assigned managed identity is used by the Azure ML workspace to access the associated resources. A user-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.MachineLearningServices/workspaces/primaryUserAssignedIdentity |
IF (1) •Microsoft.MachineLearningServices/workspaces |
GA | BuiltIn | |
Machine Learning | Machine Learning | ee40564d-486e-4f68-a5ca-7a621edae0fb | Configure Azure Machine Learning workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Machine Learning | Machine Learning | a10ee784-7409-4941-b091-663697637c0f | Configure Azure Machine Learning workspaces to disable public network access | Disable public network access for Azure Machine Learning workspaces so that your workspaces aren't accessible over the public internet. This will help protect the workspaces against data leakage risks. You can limit exposure of your machine learning workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Modify Allowed: (Modify, Disabled) | AzureML Data Scientist | IF (1) •Microsoft.MachineLearningServices/workspaces/publicNetworkAccess THEN-Operations (1) •Microsoft.MachineLearningServices/workspaces/publicNetworkAccess |
IF (1) •Microsoft.MachineLearningServices/workspaces |
GA | BuiltIn |
Machine Learning | Machine Learning | 7838fd83-5cbb-4b5d-888c-bfa240972597 | Configure Azure Machine Learning workspaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Machine Learning workspace, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | THEN-ExistenceCondition (1) •Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.MachineLearningServices/workspaces THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Machine Learning | Machine Learning | a6f9a2d0-cff7-4855-83ad-4cd750666512 | Configure Machine Learning computes to disable local authentication methods | Disable local authentication methods so that your Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (1) •Microsoft.MachineLearningServices/workspaces/computes/disableLocalAuth THEN-Operations (1) •Microsoft.MachineLearningServices/workspaces/computes/disableLocalAuth |
IF (1) •Microsoft.MachineLearningServices/workspaces/computes |
GA | BuiltIn |
Machine Learning | Machine Learning | Audit-MachineLearning-PrivateEndpointId | Control private endpoint connections to Azure Machine Learning | Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id •Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status |
GA | ESLZ | ||
Machine Learning | Machine Learning | Deny-MachineLearning-Aks | Deny AKS cluster creation in Azure Machine Learning | Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters. | Default: Deny Allowed: (Audit, Disabled, Deny) | IF (2) •Microsoft.MachineLearningServices/workspaces/computes/computeType •Microsoft.MachineLearningServices/workspaces/computes/resourceId |
IF (1) •Microsoft.MachineLearningServices/workspaces/computes |
GA | ESLZ | |
Machine Learning | Machine Learning | Deny-MachineLearning-PublicAccessWhenBehindVnet | Deny public access behind vnet to Azure Machine Learning workspace | Deny public access behind vnet to Azure Machine Learning workspaces. | Default: Deny Allowed: (Audit, Disabled, Deny) | IF (1) •Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet |
IF (1) •Microsoft.MachineLearningServices/workspaces |
GA | ESLZ | |
Machine Learning | Machine Learning | Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess | Deny public access of Azure Machine Learning clusters via SSH | Deny public access of Azure Machine Learning clusters via SSH. | Default: Deny Allowed: (Audit, Disabled, Deny) | IF (2) •Microsoft.MachineLearningServices/workspaces/computes/computeType •Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess |
IF (1) •Microsoft.MachineLearningServices/workspaces/computes |
GA | ESLZ | |
Machine Learning | Machine Learning | Deny-MachineLearning-Compute-SubnetId | Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances | Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances. | Default: Deny Allowed: (Audit, Disabled, Deny) | IF (2) •Microsoft.MachineLearningServices/workspaces/computes/computeType •Microsoft.MachineLearningServices/workspaces/computes/subnet.id |
IF (1) •Microsoft.MachineLearningServices/workspaces/computes |
GA | ESLZ | |
Machine Learning | Machine Learning | Deny-MachineLearning-HbiWorkspace | Enforces high business impact Azure Machine Learning Workspaces | Enforces high business impact Azure Machine Learning workspaces. | Default: Deny Allowed: (Audit, Disabled, Deny) | IF (1) •Microsoft.MachineLearningServices/workspaces/hbiWorkspace |
IF (1) •Microsoft.MachineLearningServices/workspaces |
GA | ESLZ | |
Machine Learning | Machine Learning | e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f | Machine Learning computes should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.MachineLearningServices/workspaces/computes/disableLocalAuth |
IF (1) •Microsoft.MachineLearningServices/workspaces/computes |
GA | BuiltIn | |
Managed Application | Managed Application | 9db7917b-1607-4e7d-a689-bca978dd0633 | Application definition for Managed Application should use customer provided storage account | Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.Solutions/applicationDefinitions/storageAccountId |
IF (1) •Microsoft.Solutions/applicationDefinitions |
GA | BuiltIn | |
Managed Application | Managed Application | 17763ad9-70c0-4794-9397-53d765932634 | Deploy associations for a managed application | Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | Contributor | THEN-Deployment (1) •Microsoft.Resources/deployments |
GA | BuiltIn | |
Managed Identity | Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor, User Access Administrator | IF (1) •Microsoft.Compute/virtualMachineScaleSets THEN-Deployment (5) •Microsoft.Authorization/locks •Microsoft.Compute/virtualMachineScaleSets •Microsoft.ManagedIdentity/userAssignedIdentities •Microsoft.Resources/deployments •Microsoft.Resources/resourceGroups |
GA | BuiltIn | |
Managed Identity | Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default: DeployIfNotExists Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled) | Contributor, User Access Administrator | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (5) •Microsoft.Authorization/locks •Microsoft.Compute/virtualMachines •Microsoft.ManagedIdentity/userAssignedIdentities •Microsoft.Resources/deployments •Microsoft.Resources/resourceGroups |
GA | BuiltIn | |
Managed Labs | Managed Labs | e8a5a3eb-1ab6-4657-a701-7ae432cf14e1 | Lab Services should not allow template virtual machines for labs | This policy prevents creation and customization of template virtual machines for labs managed through Lab Services. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.LabServices/labs/virtualMachineProfile.createOption |
IF (1) •Microsoft.LabServices/labs |
GA | BuiltIn | |
Managed Labs | Managed Labs | 0fd9915e-cab3-4f24-b200-6e20e1aa276a | Lab Services should require non-admin user for labs | This policy requires non-admin user accounts to be created for labs managed through Lab Services. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.LabServices/labs/virtualMachineProfile.nonAdminUser.username |
IF (1) •Microsoft.LabServices/labs |
GA | BuiltIn | |
Managed Labs | Managed Labs | 3e13d504-9083-4912-b935-39a085db2249 | Lab Services should restrict allowed virtual machine SKU sizes | This policy restricts the Compute VM SKUs (virtual machine sizes) that labs managed through Lab Services may use. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.LabServices/labs/virtualMachineProfile.sku.name |
IF (1) •Microsoft.LabServices/labs |
GA | BuiltIn | |
Media Services | Media Services | 8bfe3603-0888-404a-87ff-5c1b6b4cc5e3 | Azure Media Services accounts should disable public network access | Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet. Creating private endpoints can limit exposure of Media Services resources. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Media/mediaservices/publicNetworkAccess |
IF (1) •Microsoft.Media/mediaservices |
GA | BuiltIn | |
Media Services | Media Services | a77d8bb4-8d22-4bc1-a884-f582a705b480 | Azure Media Services accounts should use an API that supports Private Link | Media Services accounts should be created with an API that supports private link. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Media/mediaservices/encryption.type |
IF (1) •Microsoft.Media/mediaservices |
GA | BuiltIn | |
Media Services | Media Services | ccf93279-9c91-4143-a841-8d1f21505455 | Azure Media Services accounts that allow access to the legacy v2 API should be blocked | The Media Services legacy v2 API allows requests that cannot be managed using Azure Policy. Media Services resources created using the 2020-05-01 API or later block access to the legacy v2 API. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Media/mediaservices/encryption.type |
IF (1) •Microsoft.Media/mediaservices |
GA | BuiltIn | |
Media Services | Media Services | daccf7e4-9808-470c-a848-1c5b582a1afb | Azure Media Services content key policies should use token authentication | Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Azure Active Directory. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (6) •Microsoft.Media/mediaServices/contentKeyPolicies/options[*] •Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction •Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.audience •Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.issuer •Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.openIdConnectDiscoveryDocument •Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.restrictionTokenType |
IF (1) •Microsoft.Media/mediaservices/contentKeyPolicies |
GA | BuiltIn | |
Media Services | Media Services | e9914afe-31cd-4b8a-92fa-c887f847d477 | Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns | Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri' the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property. | Default: Deny Allowed: (Deny, Disabled) | IF (8) •Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputClip.files[*] •Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputHttp.baseUri •Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*] •Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputClip.files[*] •Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri •Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*] •Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputClip.files[*] •Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri |
IF (1) •Microsoft.Media/mediaservices/transforms/jobs |
GA | BuiltIn | |
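The description above states the matching rule (patterns are checked against 'baseUri' when it is set, otherwise against each entry of 'files', and an empty pattern list disables HTTPS inputs entirely), and the alias list shows that job inputs nest: a 'JobInputs' group can contain further groups. The following is an added example written for this page, not the definition of policy e9914afe-31cd-4b8a-92fa-c887f847d477 itself; it walks a job input document the way that rule describes. Assumptions: the '@odata.type' discriminators are the Media Services REST ones ('#Microsoft.Media.JobInputHttp' and '#Microsoft.Media.JobInputs'), an allowed pattern uses '*' as its only wildcard in the manner of Azure Policy's 'like' operator, and the sample job input and pattern list are constructed.

```python
"""Offline check of Media Services job inputs against allowed HTTPS URI
patterns. Added example; not the built-in policy's own definition."""
import re
from typing import Iterable, List

# Discriminators used by the Media Services REST API for job inputs.
HTTP_INPUT = "#Microsoft.Media.JobInputHttp"
INPUT_GROUP = "#Microsoft.Media.JobInputs"


def pattern_to_regex(pattern: str) -> re.Pattern:
    """'*' matches any run of characters (Azure Policy 'like' semantics,
    assumed here); every other character is literal. Case-insensitive."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts) + r"\Z", re.IGNORECASE)


def http_inputs(job_input: dict) -> Iterable[dict]:
    """Yield every HTTP input, recursing through nested JobInputs groups."""
    kind = job_input.get("@odata.type")
    if kind == HTTP_INPUT:
        yield job_input
    elif kind == INPUT_GROUP:
        for child in job_input.get("inputs", []):
            yield from http_inputs(child)


def uris_to_check(http_input: dict) -> List[str]:
    """baseUri is checked when present; otherwise each 'files' entry is."""
    base = http_input.get("baseUri")
    return [base] if base else list(http_input.get("files", []))


def violations(job_input: dict, allowed_patterns: List[str]) -> List[str]:
    """Return the URIs that match none of the allowed patterns.

    An empty allowed_patterns list rejects every HTTPS input, which is how
    the policy switches HTTPS inputs off entirely.
    """
    regexes = [pattern_to_regex(p) for p in allowed_patterns]
    return [uri
            for inp in http_inputs(job_input)
            for uri in uris_to_check(inp)
            if not any(r.match(uri) for r in regexes)]


# Constructed sample: an HTTPS clip with a baseUri, then a nested group with a
# bare 'files' list plus an asset input (which the policy does not examine).
SAMPLE_JOB_INPUT = {
    "@odata.type": INPUT_GROUP,
    "inputs": [
        {"@odata.type": HTTP_INPUT,
         "baseUri": "https://media.example.com/ingest/", "files": ["intro.mp4"]},
        {"@odata.type": INPUT_GROUP, "inputs": [
            {"@odata.type": HTTP_INPUT,
             "files": ["https://cdn.example.com/a.mp4",
                       "https://evil.example.net/b.mp4"]},
            {"@odata.type": "#Microsoft.Media.JobInputAsset",
             "assetName": "in-asset"},
        ]},
    ],
}
ALLOWED = ["https://media.example.com/*", "https://cdn.example.com/*"]


def loose_pattern_demo() -> List[str]:
    """Why a leading '*' in the host part is dangerous: the wildcard also
    spans '/' and '?', so an attacker-controlled host passes the check."""
    job = {"@odata.type": HTTP_INPUT,
           "baseUri": "https://evil.example.net/?r=https://media.example.com/"}
    return violations(job, ["https://*example.com/*"])


if __name__ == "__main__":
    print("violations:", violations(SAMPLE_JOB_INPUT, ALLOWED))
    print("with no patterns:", violations(SAMPLE_JOB_INPUT, []))
    print("loose pattern lets through:", loose_pattern_demo())
```

Two things the sample makes visible: the 'intro.mp4' entry is never examined because its input has a 'baseUri', so the pattern list must cover the base, not the file names; and `loose_pattern_demo()` returns no violations even though the host is attacker-controlled, because a wildcard placed before the host matches across '/' and '?'. Write patterns with a fixed scheme and host ('https://cdn.example.com/*') rather than a wildcard host.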
Media Services | Media Services | 9285c3de-d5fd-4225-86d4-027894b0c442 | Azure Media Services should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Media Services accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/mediaservicescmkdocs. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (1) •Microsoft.Media/mediaservices/encryption.type |
IF (1) •Microsoft.Media/mediaservices |
GA | BuiltIn | |
Media Services | Media Services | 4a591bf5-918e-4a5f-8dad-841863140d61 | Azure Media Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Media/mediaservices/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Media/mediaservices |
GA | BuiltIn | |
Media Services | Media Services | b4a7f6c1-585e-4177-ad5b-c2c93f4bb991 | Configure Azure Media Services to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.Media/mediaservices •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Media Services | Media Services | c5632066-946d-4766-9544-cd79bcc1286e | Configure Azure Media Services with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor, Media Services Account Administrator | THEN-ExistenceCondition (4) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId •Microsoft.Network/privateEndpoints/subnet.id |
IF (1) •Microsoft.Media/mediaservices THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Migrate | Migrate | 7590a335-57cf-4c95-babd-ecbc8fafeb1f | Configure Azure Migrate resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (4) •Microsoft.Migrate/assessmentProjects •Microsoft.Migrate/migrateProjects •Microsoft.Network/privateEndpoints •Microsoft.OffAzure/masterSites |
GA | BuiltIn |
Monitoring | Monitoring | bacd7fca-1938-443d-aad6-a786107b1bfb | [Preview]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor | IF (1) •Microsoft.HybridCompute/machines/osName THEN-ExistenceCondition (3) •Microsoft.HybridCompute/machines/extensions/provisioningState •Microsoft.HybridCompute/machines/extensions/publisher •Microsoft.HybridCompute/machines/extensions/type |
IF (1) •Microsoft.HybridCompute/machines THEN-Deployment (5) •Microsoft.HybridCompute/machines/extensions •Microsoft.OperationalInsights/workspaces •Microsoft.OperationsManagement/solutions •Microsoft.Resources/deployments •Microsoft.Resources/resourceGroups |
Preview | BuiltIn |
Monitoring | Monitoring | 594c1276-f44f-482d-9910-71fac2ce5ae0 | [Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor | IF (1) •Microsoft.HybridCompute/machines/osName THEN-ExistenceCondition (3) •Microsoft.HybridCompute/machines/extensions/provisioningState •Microsoft.HybridCompute/machines/extensions/publisher •Microsoft.HybridCompute/machines/extensions/type |
IF (1) •Microsoft.HybridCompute/machines THEN-Deployment (5) •Microsoft.HybridCompute/machines/extensions •Microsoft.OperationalInsights/workspaces •Microsoft.OperationsManagement/solutions •Microsoft.Resources/deployments •Microsoft.Resources/resourceGroups |
Preview | BuiltIn |
Monitoring | Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure a system-assigned managed identity on virtual machines hosted in Azure that are supported by Azure Monitor and do not yet have one. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default: Modify Allowed: (Modify, Disabled) | Virtual Machine Contributor, Managed Identity Contributor, Managed Identity Operator | IF (4) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSku •Microsoft.Compute/virtualMachines/securityProfile.uefiSettings |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachineScaleSets |
Preview | BuiltIn |
Monitoring | Monitoring | 32133ab0-ee4b-4b44-98d6-042180979d50 | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | IF (4) •Microsoft.Compute/imageId •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (1) •Microsoft.Compute/virtualMachines/extensions/publisher |
IF (1) •Microsoft.Compute/virtualMachines |
Preview | BuiltIn | |
Monitoring | Monitoring | 842c54e8-c2f9-4d79-ae8d-38d8b8019373 | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | IF (1) •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (3) •Microsoft.HybridCompute/machines/extensions/provisioningState •Microsoft.HybridCompute/machines/extensions/publisher •Microsoft.HybridCompute/machines/extensions/type |
IF (1) •Microsoft.HybridCompute/machines |
Preview | BuiltIn | |
Monitoring | Monitoring | d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | IF (1) •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (3) •Microsoft.HybridCompute/machines/extensions/provisioningState •Microsoft.HybridCompute/machines/extensions/publisher •Microsoft.HybridCompute/machines/extensions/type |
IF (1) •Microsoft.HybridCompute/machines |
Preview | BuiltIn | |
Monitoring | Monitoring | 04c4380f-3fae-46e8-96c9-30193528f602 | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and detection of specific network threats. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/provisioningState •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines |
Preview | BuiltIn | |
Monitoring | Monitoring | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/provisioningState •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines |
Preview | BuiltIn | |
Monitoring | Monitoring | b02aacc0-b073-424e-8298-42b22829ee0a | Activity log should be retained for at least one year | This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (2) •Microsoft.Insights/logProfiles/retentionPolicy.days •Microsoft.Insights/logProfiles/retentionPolicy.enabled |
IF (1) •Microsoft.Resources/subscriptions |
GA | BuiltIn | |
Monitoring | Monitoring | b954148f-4c11-4c38-8221-be76711e194a | An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (4) •Microsoft.Insights/ActivityLogAlerts/condition.allOf[*] •Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals •Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field •Microsoft.Insights/ActivityLogAlerts/enabled |
IF (1) •Microsoft.Resources/subscriptions |
GA | BuiltIn | |
Monitoring | Monitoring | c5447c04-a4d7-4ba8-a263-c9ee321a6858 | An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (4) •Microsoft.Insights/ActivityLogAlerts/condition.allOf[*] •Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals •Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field •Microsoft.Insights/ActivityLogAlerts/enabled |
IF (1) •Microsoft.Resources/subscriptions |
GA | BuiltIn | |
Monitoring | Monitoring | 3b980d31-7904-4bb7-8575-5665739a8052 | An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (4) •Microsoft.Insights/ActivityLogAlerts/condition.allOf[*] •Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals •Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field •Microsoft.Insights/ActivityLogAlerts/enabled |
IF (1) •Microsoft.Resources/subscriptions |
GA | BuiltIn | |
Monitoring | Monitoring | 1bc02227-0cb6-4e11-8f53-eb0b22eab7e8 | Application Insights components should block log ingestion and querying from public networks | Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (2) •Microsoft.Insights/components/publicNetworkAccessForIngestion •Microsoft.Insights/components/publicNetworkAccessForQuery |
IF (1) •Microsoft.Insights/components |
GA | BuiltIn | |
Monitoring | Monitoring | 199d5677-e4d9-4264-9465-efe1839c06bd | Application Insights components should block non-Azure Active Directory based ingestion. | Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. | Default: Audit Allowed: (Deny, Audit, Disabled) | IF (1) •Microsoft.Insights/components/DisableLocalAuth |
IF (1) •Microsoft.Insights/components |
GA | BuiltIn | |
Monitoring | Monitoring | 0c4bd2e8-8872-4f37-a654-03f6f38ddc76 | Application Insights components with Private Link enabled should use Bring Your Own Storage accounts for profiler and debugger. | To support private link and customer-managed key policies, create your own storage account for profiler and debugger. Learn more in https://docs.microsoft.com/azure/azure-monitor/app/profiler-bring-your-own-storage | Default: Audit Allowed: (Deny, Audit, Disabled) | IF (1) •Microsoft.Insights/components/ForceCustomerStorageForProfiler |
IF (1) •Microsoft.Insights/components |
GA | BuiltIn | |
Monitoring | Monitoring | monitoring_apply-diagnostic-setting-azsql-eventhub | Apply Diagnostic Settings for Azure SQL to a regional Event Hub | This policy automatically deploys diagnostic settings for Azure SQL to a regional event hub. | Fixed: deployIfNotExists | Contributor | THEN-ExistenceCondition (3) •Microsoft.Insights/diagnosticSettings/eventHubName •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/metrics.enabled |
IF (1) •Microsoft.Sql/servers/databases |
GA | Community |
Monitoring | Monitoring | 7f89b1eb-583c-429a-8828-af049802c1d9 | Audit diagnostic setting | Audit diagnostic setting for selected resource types | Fixed: AuditIfNotExists | THEN-ExistenceCondition (2) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/metrics.enabled |
GA | BuiltIn | ||
Monitoring | Monitoring | monitoring_audit-diagnostic-setting-for-wvd-applicationgroups-log-analytics | Audit Diagnostic Settings for WVD Application Groups to Log Analytics workspace | Audits the diagnostic settings for WVD Application Groups to stream to a regional Log Analytics workspace when any WVD Application Group which is missing these diagnostic settings is created or updated. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Insights/diagnosticSettings/logs.enabled |
IF (1) •Microsoft.DesktopVirtualization/applicationgroups |
GA | Community | |
Monitoring | Monitoring | monitoring_audit-diagnostic-setting-for-wvd-hostpools-log-analytics | Audit Diagnostic Settings for WVD Host Pools to Log Analytics workspace | Audits the diagnostic settings for WVD Host Pools to stream to a regional Log Analytics workspace when any WVD Host Pool which is missing these diagnostic settings is created or updated. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Insights/diagnosticSettings/logs.enabled |
IF (1) •Microsoft.DesktopVirtualization/hostpools |
GA | Community | |
Monitoring | Monitoring | monitoring_audit-diagnostic-setting-for-wvd-workspaces-log-analytics | Audit Diagnostic Settings for WVD Workspaces to Log Analytics workspace | Audits the diagnostic settings for WVD Workspaces to stream to a regional Log Analytics workspace when any WVD Workspace which is missing these diagnostic settings is created or updated. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Insights/diagnosticSettings/logs.enabled |
IF (1) •Microsoft.DesktopVirtualization/workspaces |
GA | Community | |
Monitoring | Monitoring | 94c1f94d-33b0-4062-bd04-1cdc3e7eece2 | Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys | Ensure that Azure Log Search Alerts are implementing customer-managed keys, by storing the query text using the storage account that the customer had provided for the queried Log Analytics workspace. For more information, visit https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | Default: Audit Allowed: (Audit, Disabled, Deny) | IF (1) •Microsoft.Insights/scheduledqueryrules/checkWorkspaceAlertsStorageConfigured |
IF (1) •Microsoft.Insights/scheduledqueryrules |
GA | BuiltIn | |
Monitoring | Monitoring | 1a4e592a-6a6e-44a5-9814-e36264ca96e7 | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Insights/logProfiles/categories[*] |
IF (1) •Microsoft.Resources/subscriptions |
GA | BuiltIn | |
Monitoring | Monitoring | ea0dfaed-95fb-448c-934e-d6e713ce393d | Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.OperationalInsights/clusters/isDoubleEncryptionEnabled |
IF (1) •Microsoft.OperationalInsights/clusters |
GA | BuiltIn | |
Monitoring | Monitoring | 1f68a601-6e6d-4e42-babf-3f643a047ea2 | Azure Monitor Logs clusters should be encrypted with customer-managed key | Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (3) •Microsoft.OperationalInsights/clusters/keyVaultProperties.keyName •Microsoft.OperationalInsights/clusters/keyVaultProperties.keyVaultUri •Microsoft.OperationalInsights/clusters/keyVaultProperties.keyVersion |
IF (1) •Microsoft.OperationalInsights/clusters |
GA | BuiltIn | |
Monitoring | Monitoring | d550e854-df1a-4de9-bf44-cd894b39a95e | Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace | Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | Default: Audit Allowed: (audit, Audit, deny, Deny, disabled, Disabled) | IF (1) •Microsoft.Insights/components/WorkspaceResourceId |
IF (1) •Microsoft.Insights/components |
GA | BuiltIn | |
Monitoring | Monitoring | a499fed8-bcc8-4195-b154-641f14743757 | Azure Monitor Private Link Scope should block access to non private link resources | Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. | Default: Audit Allowed: (Audit, Deny, Disabled) | IF (2) •Microsoft.Insights/privateLinkScopes/accessModeSettings.ingestionAccessMode •Microsoft.Insights/privateLinkScopes/accessModeSettings.queryAccessMode |
IF (1) •Microsoft.Insights/privateLinkScopes |
GA | BuiltIn | |
Monitoring | Monitoring | 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 | Azure Monitor Private Link Scope should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Link Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Insights/privateLinkScopes/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Insights/privateLinkScopes |
GA | BuiltIn | |
Monitoring | Monitoring | 41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 | Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Insights/logProfiles/locations[*] |
IF (1) •Microsoft.Resources/subscriptions |
GA | BuiltIn | |
Monitoring | Monitoring | 3e596b57-105f-48a6-be97-03e9243bad6e | Azure Monitor solution 'Security and Audit' must be deployed | This policy ensures that Security and Audit is deployed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.OperationsManagement/solutions/provisioningState |
IF (1) •Microsoft.Resources/subscriptions |
GA | BuiltIn | |
Monitoring | Monitoring | 7796937f-307b-4598-941c-67d3a05ebfe7 | Azure subscriptions should have a log profile for Activity Log | This policy checks whether a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. | Default: AuditIfNotExists Allowed: (AuditIfNotExists, Disabled) | THEN-ExistenceCondition (1) •Microsoft.Insights/logProfiles/categories |
IF (1) •Microsoft.Resources/subscriptions |
GA | BuiltIn | |
Monitoring | Monitoring | 2465583e-4e78-4c15-b6be-a36cbc7c8b0f | Configure Azure Activity logs to stream to specified Log Analytics workspace | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor, Log Analytics Contributor | THEN-ExistenceCondition (2) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/workspaceId |
IF (1) •Microsoft.Resources/subscriptions THEN-Deployment (1) •Microsoft.Insights/diagnosticSettings |
GA | BuiltIn |
Monitoring | Monitoring | dddfa1af-dcd6-42f4-b5b0-e1db01e0b405 | Configure Azure Application Insights components to disable public network access for log ingestion and querying | Disable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. | Default: Modify Allowed: (Modify, Disabled) | Application Insights Component Contributor | IF (2) •Microsoft.Insights/components/publicNetworkAccessForIngestion •Microsoft.Insights/components/publicNetworkAccessForQuery THEN-Operations (2) •Microsoft.Insights/components/publicNetworkAccessForIngestion •Microsoft.Insights/components/publicNetworkAccessForQuery |
IF (1) •Microsoft.Insights/components |
GA | BuiltIn |
Monitoring | Monitoring | d3ba9c42-9dd5-441a-957c-274031c750c0 | Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying | Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. | Default: Modify Allowed: (Modify, Disabled) | Log Analytics Contributor | IF (2) •Microsoft.OperationalInsights/workspaces/publicNetworkAccessForIngestion •Microsoft.OperationalInsights/workspaces/publicNetworkAccessForQuery THEN-Operations (2) •Microsoft.OperationalInsights/workspaces/publicNetworkAccessForIngestion •Microsoft.OperationalInsights/workspaces/publicNetworkAccessForQuery |
IF (1) •Microsoft.OperationalInsights/workspaces |
GA | BuiltIn |
Monitoring | Monitoring | bec5db8e-c4e3-40f9-a545-e0bd00065c82 | Configure Azure Monitor Private Link Scope to block access to non private link resources | Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. | Default: Modify Allowed: (Modify, Disabled) | Contributor | IF (2) •Microsoft.Insights/privateLinkScopes/accessModeSettings.ingestionAccessMode •Microsoft.Insights/privateLinkScopes/accessModeSettings.queryAccessMode THEN-Operations (2) •Microsoft.Insights/privateLinkScopes/accessModeSettings.ingestionAccessMode •Microsoft.Insights/privateLinkScopes/accessModeSettings.queryAccessMode |
IF (1) •Microsoft.Insights/privateLinkScopes |
GA | BuiltIn |
Monitoring | Monitoring | 437914ee-c176-4fff-8986-7e05eb971365 | Configure Azure Monitor Private Link Scope to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.Insights/privateLinkScopes •Microsoft.Network/privateEndpoints |
GA | BuiltIn |
Monitoring | Monitoring | e8185402-357b-4768-8058-f620bc0ae6b5 | Configure Azure Monitor Private Link Scopes with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Monitor Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Contributor | THEN-ExistenceCondition (1) •Microsoft.Insights/privateLinkScopes/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Insights/privateLinkScopes THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn |
Monitoring | Monitoring | deacecc0-9f84-44d2-bb82-46f32d766d43 | Configure Dependency agent on Azure Arc enabled Linux servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor | IF (1) •Microsoft.HybridCompute/machines/osName THEN-ExistenceCondition (3) •Microsoft.HybridCompute/machines/extensions/provisioningState •Microsoft.HybridCompute/machines/extensions/publisher •Microsoft.HybridCompute/machines/extensions/type |
IF (1) •Microsoft.HybridCompute/machines THEN-Deployment (1) •Microsoft.HybridCompute/machines/extensions |
GA | BuiltIn |
Monitoring | Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists Allowed: (DeployIfNotExists, Disabled) | Log Analytics Contributor | IF (1) •Microsoft.HybridCompute/machines/osName THEN-ExistenceCondition (3) •Microsoft.HybridCompute/machines/extensions/provisioningState •Microsoft.HybridCompu |