last sync: 2022-Sep-26 16:35:35 UTC

All Azure Policy definitions

BuiltIn
71 categories
Azure Landing Zones (ALZ)
13 categories
Community
25 categories
Category Category txt Id DisplayName Description Effect Roles Rule Aliases Rule ResourceTypes State Type
API for FHIR API for FHIR 051cba44-2429-45b9-9649-46cec11c7119 Azure API for FHIR should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Default: Audit
Allowed: (audit, Audit, disabled, Disabled)
IF (1)
•Microsoft.HealthcareApis/services/cosmosDbConfiguration.keyVaultKeyUri
IF (1)
•Microsoft.HealthcareApis/services
GA BuiltIn
API for FHIR API for FHIR 1ee56206-5dd1-42ab-b02d-8aae8b1634ce Azure API for FHIR should use private link Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.HealthcareApis/services/privateEndpointConnections[*]
•Microsoft.HealthcareApis/services/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HealthcareApis/services
GA BuiltIn
API for FHIR API for FHIR 0fea8f8a-4169-495d-8307-30ec335f387d CORS should not allow every domain to access your API for FHIR Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. Default: Audit
Allowed: (audit, Audit, disabled, Disabled)
IF (1)
•Microsoft.HealthcareApis/services/corsConfiguration.origins[*]
IF (1)
•Microsoft.HealthcareApis/services
GA BuiltIn
API Management API Management ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 API Management APIs should use encrypted protocols only APIs should use encrypted protocols. APIs should not use the unencrypted protocols such as HTTP or WS. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.ApiManagement/service/apis/protocols[*]
GA BuiltIn
API Management API Management c15dcc82-b93c-4dcb-9332-fbf121685b54 API Management calls to API backends should be authenticated Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (5)
•Microsoft.ApiManagement/service/backends/credentials.authorization.parameter
•Microsoft.ApiManagement/service/backends/credentials.authorization.scheme
•Microsoft.ApiManagement/service/backends/credentials.certificate
•Microsoft.ApiManagement/service/backends/protocol
•Microsoft.ApiManagement/service/backends/url
GA BuiltIn
API Management API Management 92bb331d-ac71-416a-8c91-02f2cb734ce4 API Management calls to API backends should not bypass certificate thumbprint or name validation Calls from API Management to API backends should validate certificate thumbprint and certificate name. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (2)
•Microsoft.ApiManagement/service/backends/tls.validateCertificateChain
•Microsoft.ApiManagement/service/backends/tls.validateCertificateName
GA BuiltIn
API Management API Management b741306c-968e-4b67-b916-5675e5c709f4 API Management direct API Management endpoint should not be enabled Azure API Management provides a direct management REST API, which can bypass certain limits of the Azure Resource Manager based API, and should not be enabled by default. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.ApiManagement/service/tenant/enabled
GA BuiltIn
API Management API Management 549814b6-3212-4203-bdc8-1548d342fb67 API Management minimum API version should be set to 2019-12-01 or higher To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.ApiManagement/service/apiVersionConstraint.minApiVersion
•Microsoft.ApiManagement/service/sku.name
IF (1)
•Microsoft.ApiManagement/service
GA BuiltIn
API Management API Management f1cc7827-022c-473e-836e-5a51cae0b249 API Management Named Values secrets should be stored in Azure KeyVault Secrets referenced in Named Values should store the values in Azure KeyVault instead of within the Named Values store. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (4)
•Microsoft.ApiManagement/service/namedValues/displayName
•Microsoft.ApiManagement/service/namedValues/keyVault
•Microsoft.ApiManagement/service/namedValues/keyVault.secretIdentifier
•Microsoft.ApiManagement/service/namedValues/secret
GA BuiltIn
API Management API Management 73ef9241-5d81-4cd4-b483-8443d1730fe5 API Management service should use a SKU that supports virtual networks With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ApiManagement/service/sku.name
IF (1)
•Microsoft.ApiManagement/service
GA BuiltIn
API Management API Management df73bd95-24da-4a4f-96b9-4e8b94b402bd API Management services should disable public network access To improve the security of API Management services, ensure that endpoints aren't exposed to the public internet. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to Management API, managing configuration using Git, self-hosted gateways configuration. If any of those features are not used, corresponding endpoints should be disabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.ApiManagement/service/sku.name
THEN-ExistenceCondition (1)
•Microsoft.ApiManagement/service/tenant/enabled
IF (1)
•Microsoft.ApiManagement/service
GA BuiltIn
API Management API Management ef619a2c-cc4d-4d03-b2ba-8c94a834d85b API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.ApiManagement/service/sku.name
•Microsoft.ApiManagement/service/virtualNetworkType
IF (1)
•Microsoft.ApiManagement/service
GA BuiltIn
API Management API Management 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 API Management subscriptions should not be scoped at the All API scope. API Management subscriptions should be scoped at the product or individual API instead of all APIs, which could expose all APIs in the API Management instance. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (2)
•Microsoft.ApiManagement/service/subscriptions/scope
•Microsoft.ApiManagement/service/subscriptions/state
GA BuiltIn
API Management API Management 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 Configure API Management services to disable public network access To improve the security of API Management services, disable public endpoints. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to Management API, managing configuration using Git, self-hosted gateways configuration. If any of those features are not used, corresponding endpoints should be disabled. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
API Management Service Contributor IF (1)
•Microsoft.ApiManagement/service/sku.name
THEN-ExistenceCondition (1)
•Microsoft.ApiManagement/service/tenant/enabled
IF (1)
•Microsoft.ApiManagement/service
GA BuiltIn
App Configuration App Configuration 3d9f5e4c-9947-4579-9539-2a7695fbc187 App Configuration should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.AppConfiguration/configurationStores/publicNetworkAccess
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 App Configuration should use a customer-managed key Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.AppConfiguration/configurationStores/encryption.keyVaultProperties.keyIdentifier
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration 89c8a434-18f0-402c-8147-630a8dea54e0 App Configuration should use a SKU that supports private link When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.AppConfiguration/configurationStores/sku.name
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration ca610c1d-041c-4332-9d88-7ed3094967c7 App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration b08ab3ca-1062-4db3-8803-eec9cae605d6 App Configuration stores should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.AppConfiguration/configurationStores/disableLocalAuth
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration 72bc14af-4ab8-43af-b4e4-38e7983f9a1f Configure App Configuration stores to disable local authentication methods Disable local authentication methods so that your App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.AppConfiguration/configurationStores/disableLocalAuth
THEN-Operations (1)
•Microsoft.AppConfiguration/configurationStores/disableLocalAuth
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration 73290fa2-dfa7-4bbb-945d-a5e23b75df2c Configure App Configuration to disable public network access Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.AppConfiguration/configurationStores/publicNetworkAccess
THEN-Operations (1)
•Microsoft.AppConfiguration/configurationStores/publicNetworkAccess
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration 7a860e27-9ca2-4fc6-822d-c2d248c300df Configure private DNS zones for private endpoints connected to App Configuration Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
App Configuration App Configuration 614ffa75-862c-456e-ad8b-eaa1b0844b07 Configure private endpoints for App Configuration Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (1)
•Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.AppConfiguration/configurationStores
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
App Platform App Platform 0f2d8593-4667-4932-acca-6a9f187af109 [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.AppPlatform/Spring/trace.enabled
•Microsoft.AppPlatform/Spring/trace.state
IF (1)
•Microsoft.AppPlatform/Spring
Preview BuiltIn
App Platform App Platform af35e2a4-ef96-44e7-a9ae-853dd97032c4 Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (2)
•Microsoft.AppPlatform/Spring/networkProfile.serviceRuntimeSubnetId
•Microsoft.AppPlatform/Spring/sku.tier
IF (1)
•Microsoft.AppPlatform/Spring
GA BuiltIn
App Service App Service b7ddfbdc-1260-477d-91fd-98bd9be789a6 [Deprecated]: API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should only be accessible over HTTPS', which is scoped to include API apps in addition to Web Apps. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 0c192fe8-9cbb-4516-85b3-0ade8bd03886 [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have 'Client Certificates (Incoming client certificates)' enabled', which is scoped to include API apps in addition to Web Apps. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 324c7761-08db-4474-9661-d1039abc92ee [Deprecated]: API apps should use an Azure file share for its content directory The content directory of an API app should be located on an Azure file share. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use an Azure file shares for its content directory', which is scoped to include API apps in addition to Web Apps. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/storageAccountRequired
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 74c3584d-afae-46f7-a20a-6f8adba71a16 [Deprecated]: API apps that use Python should use the latest 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Python should use the latest 'Python version''. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service d79ab062-dffd-4318-8344-f70de714c0bc [Deprecated]: App Service should disable public network access Disabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/config/PublicNetworkAccess
Deprecated BuiltIn
App Service App Service 752c6934-9bcc-4749-b004-655e676ae2ac [Deprecated]: Audit enabling of diagnostic logs in App Services Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised Default: Audit
Allowed: (Audit, Disabled)
IF (3)
•Microsoft.Web/sites/config/detailedErrorLoggingEnabled
•Microsoft.Web/sites/config/httpLoggingEnabled
•Microsoft.Web/sites/config/requestTracingEnabled
Deprecated BuiltIn
App Service App Service c4ebc54a-46e1-481a-bee2-d4411e95d828 [Deprecated]: Authentication should be enabled on your API app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps should have authentication enabled', which is scoped to include API apps in addition to Web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/siteAuthEnabled
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac [Deprecated]: CORS should not allow every resource to access your API App Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should not have CORS configured to allow every resource to access your apps', which is scoped to include API apps in addition to Web Apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 [Deprecated]: Diagnostic logs in App Services should be enabled Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (3)
•Microsoft.Web/sites/config/detailedErrorLoggingEnabled
•Microsoft.Web/sites/config/httpLoggingEnabled
•Microsoft.Web/sites/config/requestTracingEnabled
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 58d94fc1-a072-47c2-bd37-9cdb38e77453 [Deprecated]: Ensure Function app is using the latest version of TLS encryption Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.minTlsVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.netFrameworkVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 10c1859c-e1a7-4df3-ab97-a487fa8059f6 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.netFrameworkVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 843664e0-7563-41ee-a9cb-7522c382d2c4 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.netFrameworkVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 991310cd-e9f3-47bc-b7b6-f57b557d07db [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use latest 'HTTP Version'', which is scoped to include API apps in addition to Web Apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.http20Enabled
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 88999f4c-376a-45c8-bcb3-4058f713cf39 [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Java should use the latest 'Java version'', which is scoped to include API apps in addition to Web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps that use PHP should use the latest 'PHP version'', which is scoped to include API apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service ab965db2-d2bf-4b64-8b39-c38ec8179461 [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app PHP cannot be used with Function apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/config/web.linuxFxVersion
•Microsoft.Web/sites/config/web.phpVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 86d97760-d216-4d81-a3ad-163087b2b6c3 [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.managedServiceIdentityId
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service f0473e7a-a1ba-4e86-afb2-e829e11b01d8 [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.managedServiceIdentityId
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service aa81768c-cb87-4ce2-bfaa-00baa10d760c [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.managedServiceIdentityId
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 6ad61431-88ce-4357-a0e1-6da43f292bd7 [Deprecated]: Ensure WEB app is using the latest version of TLS encryption Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.minTlsVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 [Deprecated]: FTPS only should be required in your API App Enable FTPS enforcement for enhanced security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should require FTPS only', which is scoped to include API apps in addition to Web Apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/ftpsState
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e [Deprecated]: Latest TLS version should be used in your API App Upgrade to the latest TLS version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use the latest TLS version', which is scoped to include API apps in addition to Web Apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service c4d441f8-f9d9-4a9e-9cef-e82117cb3eef [Deprecated]: Managed identity should be used in your API App Use a managed identity for enhanced authentication security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use managed identity', which is scoped to include API apps in addition to Web Apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/config/managedServiceIdentityId
•Microsoft.Web/sites/config/xmanagedServiceIdentityId
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service e9c8d085-d9cc-4b17-9cdc-059f1f01f19e [Deprecated]: Remote debugging should be turned off for API Apps Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have remote debugging turned off', which is scoped to include API apps in addition to Web Apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service app-service_allowed-appservicesplan-skus Allowed App Services Plan SKUs This policy enables you to specify a set of App Services Plan SKUs that your organization can deploy. Fixed: Deny IF (1)
•Microsoft.Web/serverfarms/sku.name
IF (1)
•Microsoft.Web/serverfarms
GA Community
App Service App Service Deny-AppServiceApiApp-http API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA ALZ
App Service App Service 24b7a1c6-44fe-40cc-a2e6-242d2ef70e98 App Service app slots should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Web/sites/slots/virtualNetworkSubnetId
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 2f7c08c2-f671-4282-9fdb-597b6ef2c10d App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/slots/clientCertEnabled
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service ec71c0bc-6a45-4b1f-9587-80dc83e6898c App Service app slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 847ef871-e2fe-4e6e-907e-4adbf71de5cf App Service app slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service cae7c12e-764b-4c87-841a-fdc6675d196f App Service app slots should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service ae1b9a8c-dfce-4605-bd91-69213b4a26fc App Service app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Web/sites/slots/httpsOnly
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service c285a320-8830-4665-9cc7-bbd05fc7c5c0 App Service app slots should require FTPS only Enable FTPS enforcement for enhanced security. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/ftpsState
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service fd34e936-069e-4fe5-bac6-f7c9824caab6 App Service app slots should use an Azure file share for its content directory The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/slots/storageAccountRequired
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 72d04c29-f87d-4575-9731-419ff16a2757 App Service apps should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Web/sites/virtualNetworkSubnetId
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 33228571-70a4-4fa1-8ca1-26d0aba8d6ef App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/vnetRouteAllEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 95bccee9-a7f8-4bec-9ee9-62c3473701fc App Service apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/siteAuthEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 5bb220d9-2698-4ee4-8404-b9c30c9df609 App Service apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 871b205b-57cf-4e1e-a234-492616998bf7 App Service apps should have local authentication methods disabled for FTP deployments Disabling local authentication methods improves security by ensuring that App Service exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service aede300b-d67f-480a-ae26-4b3dfb1a1fdc App Service apps should have local authentication methods disabled for SCM site deployments Disabling local authentication methods improves security by ensuring that App Service exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service cb510bfd-1cba-4d9f-a230-cb0976f4bb71 App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 91a78b24-f231-4a8a-8da9-02c35b2b6510 App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 App Service apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service a4af4a39-4135-47fb-b175-47fbdf85311d App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b App Service apps should require FTPS only Enable FTPS enforcement for enhanced security. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/ftpsState
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Web/serverFarms/sku.name
•Microsoft.Web/serverFarms/sku.tier
IF (1)
•Microsoft.Web/serverFarms
GA BuiltIn
App Service App Service dcbc65aa-59f3-4239-8978-3bb869d82604 App Service apps should use an Azure file share for its content directory The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/storageAccountRequired
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 8c122334-9d20-4eb8-89ea-ac9a705b74ae App Service apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.http20Enabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 2b9ad585-36bc-4615-b300-fd4435808332 App Service apps should use managed identity Use a managed identity for enhanced authentication security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/config/managedServiceIdentityId
•Microsoft.Web/sites/config/xmanagedServiceIdentityId
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 687aa49d-0982-40f8-bf6b-66d1da97a04b App Service apps should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service apps should use the latest TLS version Upgrade to the latest TLS version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 496223c3-ad65-4ecd-878a-bae78737e9ed App Service apps that use Java should use the latest 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 7261b898-8a84-4db8-9e04-18527132abb3 App Service apps that use PHP should use the latest 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 7008174a-fd10-4ef0-817e-fc820a951d73 App Service apps that use Python should use the latest 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 2d048aca-6479-4923-88f5-e2ac295d9af3 App Service Environment apps should not be reachable over public internet To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Web/HostingEnvironments/internalLoadBalancingMode
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service 817dcf37-e83d-4999-a472-644eada2ea1e App Service Environment should be configured with strongest TLS Cipher suites The two most minimal and strongest cipher suites required for App Service Environment to function correctly are : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Default: Audit
Allowed: (Audit, Disabled)
IF (3)
•Microsoft.Web/HostingEnvironments/clusterSettings[*]
•Microsoft.Web/HostingEnvironments/clusterSettings[*].name
•Microsoft.Web/HostingEnvironments/clusterSettings[*].value
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service eb4d34ab-0929-491c-bbf3-61e13da19f9a App Service Environment should be provisioned with latest versions Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service fb74e86f-d351-4b8d-b034-93da7391c01f App Service Environment should have internal encryption enabled Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. Default: Audit
Allowed: (Audit, Disabled)
IF (3)
•Microsoft.Web/HostingEnvironments/clusterSettings[*]
•Microsoft.Web/HostingEnvironments/clusterSettings[*].name
•Microsoft.Web/HostingEnvironments/clusterSettings[*].value
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service d6545c6b-dd9d-4265-91e6-0b451e2f1c50 App Service Environment should have TLS 1.0 and 1.1 disabled TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (3)
•Microsoft.Web/HostingEnvironments/clusterSettings[*]
•Microsoft.Web/HostingEnvironments/clusterSettings[*].name
•Microsoft.Web/HostingEnvironments/clusterSettings[*].value
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7 App Services should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/publicNetworkAccess
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service app-service_audit-appservicesbackend-appgw Apps Require App Gateway Front End Custom policy requires that HTTP(S) triggered apps require App GW Front-End so that inbound ports are not opened on apps Default: auditIfNotExists
Allowed: (auditIfNotExists, disabled)
THEN-ExistenceCondition (2)
•Microsoft.Network/applicationGateways/backendAddressPools[*].backendAddresses[*]
•Microsoft.Network/applicationGateways/backendAddressPools[*].backendAddresses[*].fqdn
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service Append-AppService-httpsonly AppService append enable https only setting to enforce https setting. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny. Default: Append
Allowed: (Append, Disabled)
IF (1)
•Microsoft.Web/sites/httpsOnly
THEN-Details (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA ALZ
App Service App Service Append-AppService-latestTLS AppService append sites with minimum TLS version to enforce. Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny. Default: Append
Allowed: (Append, Disabled)
IF (1)
•Microsoft.Web/sites/config/minTlsVersion
THEN-Details (1)
•Microsoft.Web/sites/config/minTlsVersion
GA ALZ
App Service App Service f493116f-3b7f-4ab3-bf80-0c2af35e46c2 Configure App Service app slots to disable local authentication for FTP deployments Disable local authentication methods for FTP deployments so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 2c034a29-2a5f-4857-b120-f800fe5549ae Configure App Service app slots to disable local authentication for SCM sites Disable local authentication methods for SCM sites so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service a18c77f2-3d6d-497a-9f61-849a7e8a3b79 Configure App Service app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Modify
Allowed: (Modify, Disabled)
Website Contributor IF (1)
•Microsoft.Web/sites/slots/httpsOnly
THEN-Operations (1)
•Microsoft.Web/sites/slots/httpsOnly
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 Configure App Service apps to disable local authentication for FTP deployments Disable local authentication methods for FTP deployments so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 5e97b776-f380-4722-a9a3-e7f0be029e79 Configure App Service apps to disable local authentication for SCM sites Disable local authentication methods for SCM sites so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 0f98368e-36bc-4716-8ac2-8f8067203b63 Configure App Service apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Modify
Allowed: (Modify, Disabled)
Website Contributor IF (1)
•Microsoft.Web/sites/httpsOnly
THEN-Operations (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b Configure App Service apps to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service b318f84a-b872-429b-ac6d-a01b96814452 Configure App Service apps to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Web/sites
GA BuiltIn
App Service App Service ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d Configure App Service apps to use the latest TLS version Upgrade to the latest TLS version. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 81dff7c0-4020-4b58-955d-c076a2136b56 Configure App Services to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/publicNetworkAccess
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 08cf2974-d178-48a0-b26d-f6b8e555748b Configure Function app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Modify
Allowed: (Modify, Disabled)
Website Contributor IF (1)
•Microsoft.Web/sites/slots/httpsOnly
THEN-Operations (1)
•Microsoft.Web/sites/slots/httpsOnly
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service a096cbd0-4693-432f-9374-682f485f23f3 Configure Function apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Modify
Allowed: (Modify, Disabled)
Website Contributor IF (1)
•Microsoft.Web/sites/httpsOnly
THEN-Operations (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 25a5046c-c423-4805-9235-e844ae9ef49b Configure Function apps to turn off remote debugging Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 Configure Function apps to use the latest TLS version Upgrade to the latest TLS version. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service app-service_functionapp-enforce-ftps-only Enforce FTPS only or disablement of FTP/FTPS for App Service and Azure Functions Enforce FTPS only or disablement of FTP/FTPS for App Service and Azure Functions Default: AuditIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/ftpsState
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service Deny-AppServiceFunctionApp-http Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA ALZ
App Service App Service app-service_functionapp-enforce-https-only-audit_or_deny Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-enforce-https-only-dine Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
THEN-Deployment (1)
•Microsoft.Web/sites
GA Community
App Service App Service cf9ca02d-383e-4506-a421-258cc1a5300d Function app slots should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/slots/clientCertEnabled
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service a1a22235-dd10-4062-bd55-7d62778f41b0 Function app slots should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 Function app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Web/sites/slots/httpsOnly
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service e1a09430-221d-4d4c-a337-1edb5a1fa9bb Function app slots should require FTPS only Enable FTPS enforcement for enhanced security. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/ftpsState
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 13bcff5d-f0eb-4ce7-913e-83ad6300376b Function app slots should use an Azure file share for its content directory The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/slots/storageAccountRequired
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service app-service_functionapp-deployed-to-appserviceenvironment Function apps must be deployed to an App Service Environment (ASE) Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Web/sites/hostingEnvironmentProfile.id
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-private-endpoints-enabled-aine Function apps must have private endpoints enabled A private endpoint connection enables private connectivity to your function app via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-private-endpoints-enabled-dine Function apps must have private endpoints enabled A private endpoint connection enables private connectivity to your function app via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Web/sites
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA Community
App Service App Service app-service_functionapp-enforce-connect-to-acr-with-identity Function apps should authenticate to Azure Container Registry using a managed identity Function apps should authenticate to Azure Container Registry using a managed identity Default: AuditIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/acrUseManagedIdentityCreds
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-vnet-injection-enabled Function apps should be injected into a virtual network Injecting function apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/networkConfig/subnetResourceId
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 Function apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/siteAuthEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service eaebaea7-8013-4ceb-9d14-7eb32271373c Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service app-service_functionapp-enforce-client-certs-dine Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
THEN-Deployment (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-enforce-client-certs-audit_or_deny Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-disable-deployment-local-auth-ftp_functionapp-disable-deployment-local-auth-scm Function apps should have local authentication methods for deployment disabled Disabling local authentication methods improves security by ensuring that the app exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-disable-deployment-local-auth-scm Function apps should have local authentication methods for deployment disabled Disabling local authentication methods improves security by ensuring that the app exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service 0e60b895-3786-45da-8377-9c6b4b6ac5f9 Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 0820b7b9-23aa-4725-a1ce-ae4558f718e5 Function apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 399b2637-a50f-4f95-96f8-3a145476eb15 Function apps should require FTPS only Enable FTPS enforcement for enhanced security. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/ftpsState
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 Function apps should use an Azure file share for its content directory The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/storageAccountRequired
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service e2c1c086-2d84-4019-bff3-c44ccd95113c Function apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.http20Enabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 0da106f2-4ca3-48e8-bc85-c638fe6aea8f Function apps should use managed identity Use a managed identity for enhanced authentication security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/config/managedServiceIdentityId
•Microsoft.Web/sites/config/xmanagedServiceIdentityId
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service f9d614c5-c173-4d56-95a7-b4437057d193 Function apps should use the latest TLS version Upgrade to the latest TLS version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc Function apps that use Java should use the latest 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 7238174a-fd10-4ef0-817e-fc820a951d73 Function apps that use Python should use the latest 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps since Python is not supported on Windows apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service app-service_functionapp-enforce-latest-tls Latest TLS version should be used in your Function App Upgrade to the latest TLS version Default: AuditIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-pull-from-specified-registry Linux function apps should only use a specified Azure Container Registry instance Ensure that Linux function apps can only pull custom images from a specified container registry Default: AuditIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service Deny-AppServiceWebApp-http Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA ALZ
Attestation Attestation 5e7e928c-8693-4a23-9bf3-1c77b9a8fe97 Azure Attestation providers should disable public network access To improve the security of Azure Attestation Service, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in aka.ms/azureattestation. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Attestation/attestationProviders/publicNetworkAccess
IF (1)
•Microsoft.Attestation/attestationProviders
GA BuiltIn
Attestation Attestation 7b256a2d-058b-41f8-bed9-3f870541c40a Azure Attestation providers should use private endpoints Private endpoints provide a way to connect Azure Attestation providers to your Azure resources without sending traffic over the public internet. By preventing public access, private endpoints help protect against undesired anonymous access. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (3)
•Microsoft.Attestation/attestationProviders/privateEndpointConnections/privateEndpoint
•Microsoft.Attestation/attestationProviders/privateEndpointConnections/privateLinkServiceConnectionState.status
•Microsoft.Attestation/attestationProviders/privateEndpointConnections/provisioningState
IF (1)
•Microsoft.Attestation/attestationProviders
GA BuiltIn
Automanage Automanage 270610db-8c04-438a-a739-e8e6745b22d3 [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (8)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.id
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (2)
•Microsoft.Automanage/configurationProfileAssignments/accountId
•Microsoft.Automanage/configurationProfileAssignments/configurationProfile
IF (1)
•Microsoft.Compute/virtualMachines
Deprecated BuiltIn
Automanage Automanage f889cab7-da27-4c41-a3b0-de1f6f87c550 Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default: DeployIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Contributor IF (9)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.id
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/machines/osSku
THEN-ExistenceCondition (1)
•Microsoft.Automanage/configurationProfileAssignments/configurationProfile
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Automanage Automanage b025cfb4-3702-47c2-9110-87fe0cfcc99b Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. Default: DeployIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Contributor IF (9)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.id
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/machines/osSku
THEN-ExistenceCondition (1)
•Microsoft.Automanage/configurationProfileAssignments/configurationProfile
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Automanage Automanage 6d02d2f7-e38b-4bdc-96f3-adc0a8726abc Hotpatch should be enabled for Windows Server Azure Edition VMs Minimize reboots and install updates quickly with hotpatch. Learn more at https://docs.microsoft.com/azure/automanage/automanage-hotpatch Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.enableHotpatching
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Automation Automation 3657f5a0-770e-44a3-b44e-9431ba1e9735 Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Automation/automationAccounts/variables/isEncrypted
GA BuiltIn
Automation Automation 955a914f-bf86-4f0e-acd5-e0766b0efcb6 Automation accounts should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Automation/automationAccounts/publicNetworkAccess
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 48c5f1cb-14ad-4797-8e3b-f78ab3f8d700 Azure Automation account should have local authentication method disabled Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Automation/automationAccounts/disableLocalAuth
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 56a5ee18-2ae6-4810-86f7-18e39ce5629b Azure Automation accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Automation/automationAccounts/encryption.keySource
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 30d1d58e-8f96-47a5-8564-499a3f3cca81 Configure Azure Automation account to disable local authentication Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.Automation/automationAccounts/disableLocalAuth
THEN-Operations (1)
•Microsoft.Automation/automationAccounts/disableLocalAuth
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 23b36a7c-9d26-4288-a8fd-c1d2fa284d8c Configure Azure Automation accounts to disable public network access Disable public network access for Azure Automation account so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.Automation/automationAccounts/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Automation/automationAccounts/publicNetworkAccess
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 6dd01e4f-1be1-4e80-9d0b-d109e04cb064 Configure Azure Automation accounts with private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. You need private DNS zone properly configured to connect to Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Automation Automation c0c3130e-7dda-4187-aed0-ee4a472eaa60 Configure private endpoint connections on Azure Automation accounts Private endpoint connections allow secure communication by enabling private connectivity to Azure Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Contributor THEN-ExistenceCondition (1)
•Microsoft.Automation/automationAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Automation/automationAccounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Automation Automation Deny-AA-child-resources No child resources in Automation Account This policy denies the creation of child resources on the Automation Account Default: Deny
Allowed: (Audit, Deny, Disabled)
GA ALZ
Automation Automation 0c2b3618-68a8-4034-a150-ff4abc873462 Private endpoint connections on Automation Accounts should be enabled Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Automation/automationAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Azure Active Directory Azure Active Directory 3aa87b5a-7813-4b57-8a43-42dd9df5aaa7 Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.AAD/domainServices/domainSecuritySettings.tlsV1
IF (1)
•Microsoft.AAD/domainServices
GA BuiltIn
Azure Active Directory Azure Active Directory 2e9411a0-0c5a-44b3-9ddb-ff10a1a2bf28 Azure Active Directory should use private link to access Azure services Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.aadiam/privateLinkForAzureAD
GA BuiltIn
Azure Active Directory Azure Active Directory 7e4301f9-5f32-4738-ad9f-7ec2d15563ad Configure Private Link for Azure AD to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure AD. Learn more at: https://aka.ms/privateLinkforAzureADDocs. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.aadiam/privateLinkForAzureAD
•Microsoft.Network/privateEndpoints
GA BuiltIn
Azure Active Directory Azure Active Directory b923afcf-4c3a-4ed6-8386-1ff64b68de47 Configure Private Link for Azure AD with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (1)
•microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.aadiam/privateLinkForAzureAD
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Azure Arc Azure Arc 7eab1da3-2bf0-4ff0-8303-1a4277c380e8 Azure Arc Private Link Scopes should be configured with a private endpoint Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Arc Private Link Scopes, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections[*]
•Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HybridCompute/privateLinkScopes
GA BuiltIn
Azure Arc Azure Arc 898f2439-3333-4713-af25-f1d78bc50556 Azure Arc Private Link Scopes should disable public network access Disabling public network access improves security by ensuring that Azure Arc resources cannot connect via the public internet. Creating private endpoints can limit exposure of Azure Arc resources. Learn more at: https://aka.ms/arc/privatelink. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess
IF (1)
•Microsoft.HybridCompute/privateLinkScopes
GA BuiltIn
Azure Arc Azure Arc efa3f296-ff2b-4f38-bc0d-5ef12c965b68 Azure Arc-enabled servers should be configured with an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.HybridCompute/machines/privateLinkScopeResourceId
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Azure Arc Azure Arc de0bc8ea-76e2-4fe2-a288-a07556d0e9c4 Configure Azure Arc Private Link Scopes to disable public network access Disable public network access for your Azure Arc Private Link Scope so that associated Azure Arc resources cannot connect to Azure Arc services over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/arc/privatelink. Default: Modify
Allowed: (Modify, Disabled)
Azure Connected Machine Resource Administrator IF (1)
•Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess
THEN-Operations (1)
•Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess
IF (1)
•Microsoft.HybridCompute/privateLinkScopes
GA BuiltIn
Azure Arc Azure Arc 55c4db33-97b0-437b-8469-c4f4498f5df9 Configure Azure Arc Private Link Scopes to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.HybridCompute/privateLinkScopes
•Microsoft.Network/privateEndpoints
GA BuiltIn
Azure Arc Azure Arc d6eeba80-df61-4de5-8772-bc1b7852ba6b Configure Azure Arc Private Link Scopes with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Azure Connected Machine Resource Administrator THEN-ExistenceCondition (1)
•Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HybridCompute/privateLinkScopes
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Azure Arc Azure Arc a3461c8c-6c9d-4e42-a644-40ba8a1abf49 Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default: Modify
Allowed: (Modify, Disabled)
Azure Connected Machine Resource Administrator IF (1)
•Microsoft.HybridCompute/machines/privateLinkScopeResourceId
THEN-Operations (1)
•Microsoft.HybridCompute/machines/privateLinkScopeResourceId
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Azure Data Explorer Azure Data Explorer 81e74cea-30fd-40d5-802f-d72103c2aaaa Azure Data Explorer encryption at rest should use a customer-managed key Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (4)
•Microsoft.Kusto/clusters/keyVaultProperties
•Microsoft.Kusto/clusters/keyVaultProperties.keyName
•Microsoft.Kusto/clusters/keyVaultProperties.keyVaultUri
•Microsoft.Kusto/clusters/keyVaultProperties.keyVersion
IF (1)
•Microsoft.Kusto/Clusters
GA BuiltIn
Azure Data Explorer Azure Data Explorer f4b53539-8df9-40e4-86c6-6b607703bd4e Disk encryption should be enabled on Azure Data Explorer Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Kusto/clusters/enableDiskEncryption
IF (1)
•Microsoft.Kusto/Clusters
GA BuiltIn
Azure Data Explorer Azure Data Explorer ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 Double encryption should be enabled on Azure Data Explorer Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Kusto/clusters/enableDoubleEncryption
IF (1)
•Microsoft.Kusto/Clusters
GA BuiltIn
Azure Data Explorer Azure Data Explorer 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413 Virtual network injection should be enabled for Azure Data Explorer Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (4)
•Microsoft.Kusto/clusters/virtualNetworkConfiguration
•Microsoft.Kusto/clusters/virtualNetworkConfiguration.dataManagementPublicIpId
•Microsoft.Kusto/clusters/virtualNetworkConfiguration.enginePublicIpId
•Microsoft.Kusto/clusters/virtualNetworkConfiguration.subnetId
IF (1)
•Microsoft.Kusto/Clusters
GA BuiltIn
Azure Databricks Azure Databricks 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 Azure Databricks Workspaces should disable public network access Azure Databricks Workspaces should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Databricks/workspaces/publicNetworkAccess
IF (1)
•Microsoft.Databricks/workspaces
GA BuiltIn
Azure DNS Azure DNS network_enforce_azfw_dns_servers Enforce Firewall Policy DNS servers This policy prevent settings non authorized dns servers for firewall policies. Default: Audit
Allowed: (Deny, Audit, Disabled)
IF (1)
•Microsoft.Network/firewallPolicies/dnsSettings.servers[*]
GA Community
Azure DNS Azure DNS network_enforce_vnet_dns_servers Enforce VNET DNS servers This policy prevent settings non authorized dns servers for vnets. Default: Audit
Allowed: (Deny, Audit, Disabled)
IF (1)
•Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]
GA Community
Azure DNS Azure DNS compute_only_approved_vmss_extensions_should_be_installed Only approved VMSS extensions should be installed This policy governs the virtual machine scale set extensions that are not approved. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.extensionProfile.extensions[*].type
GA Community
Azure Edge Hardware Center Azure Edge Hardware Center 08a6b96f-576e-47a2-8511-119a212d344d Azure Edge Hardware Center devices should have double encryption support enabled Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.EdgeOrder/orderItems/orderItemDetails.preferences.encryptionPreferences.doubleEncryptionStatus
•Microsoft.EdgeOrder/orderItems/orderItemDetails.productDetails.productDoubleEncryptionStatus
IF (1)
•Microsoft.EdgeOrder/orderItems
GA BuiltIn
Azure Load Testing Azure Load Testing 65c4f833-1f2e-426c-8780-f6d7593bed7a Azure load testing resource should use customer-managed keys to encrypt data at rest Use customer-managed keys(CMK) to manage the encryption at rest for your Azure Load Testing resource. By default the encryptio is done using Service managed keys, customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/load-testing/how-to-configure-customer-managed-keys?tabs=portal. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.LoadTestService/loadTests/encryption.keyUrl
IF (1)
•Microsoft.LoadTestService/loadtests
GA BuiltIn
Azure Purview Azure Purview 9259053b-ddb8-40ab-842a-0aef19d0ade4 Azure Purview accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.Purview/accounts/privateEndpointConnections[*]
•Microsoft.Purview/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Purview/accounts
GA BuiltIn
Azure Stack Edge Azure Stack Edge b4ac1030-89c5-4697-8e00-28b5ba6a8811 Azure Stack Edge devices should use double-encryption To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.DataboxEdge/DataBoxEdgeDevices/sku.name
IF (1)
•Microsoft.DataBoxEdge/DataBoxEdgeDevices
GA BuiltIn
Backup Backup 2e94d99a-8a36-4563-bc77-810d8893b671 [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.RecoveryServices/vaults/encryption.infrastructureEncryption
•Microsoft.RecoveryServices/vaults/encryption.keyVaultProperties.keyUri
IF (1)
•Microsoft.RecoveryServices/vaults
Preview BuiltIn
Backup Backup deeddb44-9f94-4903-9fa0-081d524406e3 [Preview]: Azure Recovery Services vaults should use private link for backup Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. Default: Audit
Allowed: (Audit, Disabled)
IF (4)
•Microsoft.RecoveryServices/vaults/privateEndpointConnections[*]
•Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].id
•Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status
•Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].provisioningState
IF (1)
•Microsoft.RecoveryServices/vaults
Preview BuiltIn
Backup Backup 615b01c4-d565-4f6f-8c6e-d130268e3a1a [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Backup Contributor IF (3)
•Microsoft.Storage/storageAccounts/isHnsEnabled
•Microsoft.Storage/storageAccounts/isNfsV3Enabled
•Microsoft.Storage/storageAccounts/sku.name
THEN-ExistenceCondition (1)
•Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled
IF (1)
•Microsoft.Storage/StorageAccounts
THEN-Deployment (3)
•Microsoft.Resources/deployments
•Microsoft.Storage/storageAccounts
•Microsoft.Storage/storageAccounts/blobServices
Preview BuiltIn
Backup Backup 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Backup Contributor IF (3)
•Microsoft.Storage/storageAccounts/isHnsEnabled
•Microsoft.Storage/storageAccounts/isNfsV3Enabled
•Microsoft.Storage/storageAccounts/sku.name
THEN-ExistenceCondition (1)
•Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled
IF (1)
•Microsoft.Storage/StorageAccounts
THEN-Deployment (3)
•Microsoft.Resources/deployments
•Microsoft.Storage/storageAccounts
•Microsoft.Storage/storageAccounts/blobServices
Preview BuiltIn
Backup Backup af783da1-4ad1-42be-800d-d19c70038820 [Preview]: Configure Recovery Services vaults to use private DNS zones for backup Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.Network/privateEndpoints
•Microsoft.RecoveryServices/vaults
Preview BuiltIn
Backup Backup 8015d6ed-3641-4534-8d0b-5c67b67ff7de [Preview]: Configure Recovery Services vaults to use private endpoints for backup Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain pre-requisites to be eligible for private endpoint configuration. Learn more at : https://go.microsoft.com/fwlink/?linkid=2187162. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.RecoveryServices/vaults/backupStorageVersion
IF (1)
•Microsoft.RecoveryServices/vaults
THEN-Deployment (1)
•Microsoft.Network/privateEndpoints
Preview BuiltIn
Backup Backup 013e242c-8828-4970-87b3-ab247555486d Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.Compute/imagePublisher
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Details (1)
•Microsoft.RecoveryServices/backupprotecteditems
GA BuiltIn
Backup Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor, Backup Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.RecoveryServices/vaults
GA BuiltIn
Backup Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor, Backup Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Resources/deployments
GA BuiltIn
Backup Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor, Backup Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.RecoveryServices/vaults
GA BuiltIn
Backup Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Virtual Machine Contributor, Backup Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Resources/deployments
GA BuiltIn
Backup Backup c717fb0c-d118-4c43-ab3d-ece30ac81fb3 Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. Fixed: deployIfNotExists Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].Category
•Microsoft.Insights/diagnosticSettings/logs[*].Enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.RecoveryServices/vaults
GA BuiltIn
Batch Batch 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a Azure Batch account should use customer-managed keys to encrypt data Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Batch/batchAccounts/encryption.keySource
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 1760f9d4-7206-436e-a28f-d9f3a5c8a227 Azure Batch pools should have disk encryption enabled Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Batch/batchAccounts/pools/deploymentConfiguration.virtualMachineConfiguration.diskEncryptionConfiguration.targets[*]
IF (1)
•Microsoft.Batch/batchAccounts/pools
GA BuiltIn
Batch Batch 6f68b69f-05fe-49cd-b361-777ee9ca7e35 Batch accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*]
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 4dbc2f5c-51cf-4e38-9179-c7028eed2274 Configure Batch accounts to disable local authentication Disable location authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (2)
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*]
THEN-Operations (1)
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch c520cefc-285f-40f3-86e2-2efc38ef1f64 Configure Batch accounts to disable public network access Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.Batch/batchAccounts/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Batch/batchAccounts/publicNetworkAccess
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 0ef5aac7-c064-427a-b87b-d47b3ddcaf73 Configure Batch accounts with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/batch/private-connectivity. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (1)
•Microsoft.Batch/batchAccounts/publicNetworkAccess
THEN-ExistenceCondition (1)
•Microsoft.Batch/batchAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Batch/batchAccounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Batch Batch 4ec38ebc-381f-45ee-81a4-acbc4be878f8 Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Batch Batch 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 Metric alert rules should be configured on Batch accounts Audit configuration of metric alert rules on Batch account to enable the required metric Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (3)
•Microsoft.Insights/alertRules/condition.dataSource.metricName
•Microsoft.Insights/alertRules/condition.dataSource.resourceUri
•Microsoft.Insights/alertRules/isEnabled
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 009a0c92-f5b4-4776-9b66-4ed2b4775563 Private endpoint connections on Batch accounts should be enabled Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at https://docs.microsoft.com/azure/batch/private-connectivity. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Batch/batchAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 74c5a0ae-5e48-4738-b093-65e23a060488 Public network access should be disabled for Batch accounts Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Batch/batchAccounts/publicNetworkAccess
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 428256e6-1fac-4f48-a757-df34c2b3336d Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Bot Service Bot Service 6164527b-e1ee-4882-8673-572f425f5e0a Bot Service endpoint should be a valid HTTPS URI Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.BotService/botServices/endpoint
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service 51522a96-0869-4791-82f3-981000c2c67f Bot Service should be encrypted with a customer-managed key Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.BotService/botServices/isCmekEnabled
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service 52152f42-0dda-40d9-976e-abb1acdd611e Bot Service should have isolated mode enabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.BotService/botServices/publicNetworkAccess
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service ffea632e-4e3a-4424-bf78-10e179bb2e1a Bot Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.BotService/botServices/disableLocalAuth
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service 5e8168db-69e3-4beb-9822-57cb59202a9d Bot Service should have public network access disabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.BotService/botServices/publicNetworkAccess
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service ad5621d6-a877-4407-aa93-a950b428315e BotService resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your BotService resource, data leakage risks are reduced. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.BotService/botServices/privateEndpointConnections[*]
•Microsoft.BotService/botServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service 6a4e6f44-f2af-4082-9702-033c9e88b9f8 Configure BotService resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.BotService/botServices
•Microsoft.Network/privateEndpoints
GA BuiltIn
Bot Service Bot Service 29261f8e-efdb-4255-95b8-8215414515d6 Configure BotService resources with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your BotService resource, you can reduce data leakage risks. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor THEN-ExistenceCondition (1)
•Microsoft.BotService/botServices/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.BotService/botServices
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Budget Budget Deploy-Budget Deploy a default budget on all subscriptions under the assigned scope Deploy a default budget on all subscriptions under the assigned scope Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (3)
•Microsoft.Consumption/budgets/amount
•Microsoft.Consumption/budgets/category
•Microsoft.Consumption/budgets/timeGrain
IF (1)
•Microsoft.Resources/subscriptions
THEN-Deployment (1)
•Microsoft.Consumption/budgets
GA ALZ
Budget Budget Deny-MachineLearning-ComputeCluster-Scale Enforce scale settings for Azure Machine Learning compute clusters Enforce scale settings for Azure Machine Learning compute clusters. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (3)
•Microsoft.MachineLearningServices/workspaces/computes/computeType
•Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount
•Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes
GA ALZ
Budget Budget Deny-MachineLearning-Compute-VmSize Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (2)
•Microsoft.MachineLearningServices/workspaces/computes/computeType
•Microsoft.MachineLearningServices/workspaces/computes/vmSize
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes
GA ALZ
Cache Cache 7d092e0a-7acd-40d2-a975-dca21cae48c4 [Deprecated]: Azure Cache for Redis should reside within a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Cache/Redis/subnetId
IF (1)
•Microsoft.Cache/redis
Deprecated BuiltIn
Cache Cache Append-Redis-sslEnforcement Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default: Append
Allowed: (Append, Disabled)
IF (1)
•Microsoft.Cache/Redis/minimumTlsVersion
THEN-Details (1)
•Microsoft.Cache/Redis/minimumTlsVersion
IF (1)
•Microsoft.Cache/redis
GA ALZ
Cache Cache Append-Redis-disableNonSslPort Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default: Append
Allowed: (Append, Disabled, Modify)
IF (1)
•Microsoft.Cache/Redis/enableNonSslPort
THEN-Details (1)
•Microsoft.Cache/Redis/enableNonSslPort
IF (1)
•Microsoft.Cache/redis
GA ALZ
Cache Cache Deny-Redis-http Azure Cache for Redis only secure connections should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Cache/Redis/enableNonSslPort
•Microsoft.Cache/Redis/minimumTlsVersion
IF (1)
•Microsoft.Cache/redis
GA ALZ
Cache Cache 470baccb-7e51-4549-8b1a-3e5be069f663 Azure Cache for Redis should disable public network access Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Cache/Redis/publicNetworkAccess
IF (1)
•Microsoft.Cache/Redis
GA BuiltIn
Cache Cache 7803067c-7d34-46e3-8c79-0ca68fc4036d Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Cache/redis/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Cache/redis
GA BuiltIn
Cache Cache 30b3dfa5-a70d-4c8e-bed6-0083858f663d Configure Azure Cache for Redis to disable public network access Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks. Default: Modify
Allowed: (Modify, Disabled)
Redis Cache Contributor IF (1)
•Microsoft.Cache/Redis/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Cache/Redis/publicNetworkAccess
IF (1)
•Microsoft.Cache/Redis
GA BuiltIn
Cache Cache e016b22b-e0eb-436d-8fd7-160c4eaed6e2 Configure Azure Cache for Redis to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Cache Cache 5d8094d7-7340-465a-b6fd-e60ab7e48920 Configure Azure Cache for Redis with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Redis Cache Contributor THEN-ExistenceCondition (1)
•Microsoft.Cache/redis/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Cache/redis
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Cache Cache 22bee202-a82f-4305-9a2a-6d7f44d4dedb Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Cache/Redis/enableNonSslPort
IF (1)
•Microsoft.Cache/redis
GA BuiltIn
CDN CDN dfc212af-17ea-423a-9dcb-91e2cb2caa6b Azure Front Door profiles should use Premium tier that supports managed WAF rules and private link Azure Front Door Premium supports Azure managed WAF rules and private link to supported Azure origins. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Cdn/Profiles/sku.name
IF (1)
•Microsoft.Cdn/Profiles
GA BuiltIn
CDN CDN 679da822-78a7-4eff-8fff-a899454a9970 Azure Front Door Standard and Premium should be running minimum TLS version of 1.2 Setting minimal TLS version to 1.2 improves security by ensuring your custom domains are accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they are weak and do not support modern cryptographic algorithms. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Cdn/profiles/customDomains/tlsSettings.minimumTlsVersion
IF (1)
•Microsoft.Cdn/profiles/customDomains
GA BuiltIn
CDN CDN daba2cce-8326-4af3-b049-81a362da024d Secure private connectivity between Azure Front Door Premium and Azure Storage Blob, or Azure App Service Private link ensures private connectivity between AFD Premium and Azure Storage Blob or Azure App Service over the Azure backbone network, without the Azure Storage Blob or the Azure App Service being publicly exposed to the internet. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.Cdn/profiles/originGroups/origins/hostName
•Microsoft.Cdn/profiles/originGroups/origins/sharedPrivateLinkResource.privateLink
IF (1)
•Microsoft.Cdn/profiles/originGroups/origins
GA BuiltIn
Cognitive Services Cognitive Services 2bdd0062-9d75-436e-89df-487dd8e4b3c7 [Deprecated]: Cognitive Services accounts should enable data encryption This policy is deprecated. Cognitive Services have data encryption enforced. Default: Disabled
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.CognitiveServices/accounts/encryption
•Microsoft.CognitiveServices/accounts/encryption.keySource
IF (1)
•Microsoft.CognitiveServices/accounts
Deprecated BuiltIn
Cognitive Services Cognitive Services 11566b39-f7f7-4b82-ab06-68d8700eb0a4 [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. This policy is deprecated. Cognitive Services have data encryption enforced. Default: Disabled
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.CognitiveServices/accounts/encryption
•Microsoft.CognitiveServices/accounts/encryption.keySource
IF (1)
•Microsoft.CognitiveServices/accounts
Deprecated BuiltIn
Cognitive Services Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca Cognitive Services accounts should disable public network access Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.CognitiveServices/accounts/publicNetworkAccess
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 67121cc7-ff39-4ab8-b7e3-95b84dab487d Cognitive Services accounts should enable data encryption with a customer-managed key Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (3)
•Microsoft.CognitiveServices/accounts/capabilities[*]
•Microsoft.CognitiveServices/accounts/capabilities[*].name
•Microsoft.CognitiveServices/accounts/encryption.keySource
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 71ef260a-8f18-47b7-abcb-62d0673d94dc Cognitive Services accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.CognitiveServices/accounts/disableLocalAuth
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Cognitive Services accounts should restrict network access Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.CognitiveServices/accounts/networkAcls.defaultAction
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services fe3fd216-4f83-4fc1-8984-2bbec80a3418 Cognitive Services accounts should use a managed identity Assigning a managed identity to your Cognitive Service account helps ensure secure authentication. This identity is used by this Cognitive service account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 46aa9b05-0e60-4eae-a88b-1e9d374fa515 Cognitive Services accounts should use customer owned storage Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.CognitiveServices/accounts/capabilities[*]
•Microsoft.CognitiveServices/accounts/capabilities[*].name
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services cddd188c-4b82-4c48-a19d-ddf74ee66a01 Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.CognitiveServices/accounts/privateEndpointConnections[*]
•Microsoft.CognitiveServices/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 14de9e63-1b31-492e-a5a3-c3f7fd57f555 Configure Cognitive Services accounts to disable local authentication methods Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.CognitiveServices/accounts/disableLocalAuth
THEN-Operations (1)
•Microsoft.CognitiveServices/accounts/disableLocalAuth
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c Configure Cognitive Services accounts to disable public network access Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: Modify
Allowed: (Disabled, Modify)
Contributor IF (1)
•Microsoft.CognitiveServices/accounts/publicNetworkAccess
THEN-Operations (1)
•Microsoft.CognitiveServices/accounts/publicNetworkAccess
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services c4bc6f10-cb41-49eb-b000-d5ab82e2a091 Configure Cognitive Services accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.CognitiveServices/accounts
•Microsoft.Network/privateEndpoints
GA BuiltIn
Cognitive Services Cognitive Services db630ad5-52e9-4f4d-9c44-53912fe40053 Configure Cognitive Services accounts with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Cognitive Services Contributor THEN-ExistenceCondition (1)
•Microsoft.CognitiveServices/accounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.CognitiveServices/accounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Compute Compute 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 [Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs This policy deploys the Log Analytics Extension on Ubuntu VMs, and connects to the selected Log Analytics workspace Fixed: deployIfNotExists Log Analytics Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
Deprecated BuiltIn
Compute Compute 2c89a2e5-7285-40fe-afe0-ae8654b92fb2 [Deprecated]: Unattached disks should be encrypted This policy audits any unattached disk without encryption enabled. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.Compute/disks/diskState
•Microsoft.Compute/disks/encryptionSettingsCollection.enabled
IF (1)
•Microsoft.Compute/disks
Deprecated BuiltIn
Compute Compute cccc23c7-8427-4f53-ad12-b6a63eb452b3 Allowed virtual machine size SKUs This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. Fixed: Deny IF (1)
•Microsoft.Compute/virtualMachines/sku.name
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Compute Compute 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Fixed: auditIfNotExists IF (1)
•Microsoft.ClassicCompute/virtualMachines
GA BuiltIn
Compute Compute 06a78e20-9358-41c9-923c-fb736d382a4d Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks Fixed: audit IF (3)
•Microsoft.Compute/virtualMachines/osDisk.uri
•Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl
•Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/VirtualMachineScaleSets
GA BuiltIn
Compute Compute DeployDefenderForServers COMPUTE - Deploy Defender for Servers Uses a DeployIfNotExists policy to automatically deploy the Defender for Servers Fixed: deployIfNotExists Security Admin IF (1)
•Microsoft.Resources/subscriptions
THEN-Deployment (1)
•Microsoft.Security/pricings
GA Community
Compute Compute ac34a73f-9fa5-4067-9247-a3ecae514468 Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Owner THEN-ExistenceCondition (1)
•Microsoft.Resources/links/targetId
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (7)
•Microsoft.Compute/availabilitySets
•Microsoft.Compute/proximityPlacementGroups
•Microsoft.Network/virtualNetworks
•Microsoft.RecoveryServices/replicationEligibilityResults
•Microsoft.RecoveryServices/vaults
•Microsoft.Resources/deployments
•Microsoft.Storage/storageAccounts
GA BuiltIn
Compute Compute bc05b96c-0b36-4ca9-82f0-5c53f96ce05a Configure disk access resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.Compute/diskAccesses
•Microsoft.Network/privateEndpoints
GA BuiltIn
Compute Compute 582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5 Configure disk access resources with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (1)
•Microsoft.Compute/diskAccesses/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Compute/diskAccesses
THEN-Deployment (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Compute Compute compute_configure-managed-disks-to-disable-public-access Configure managed disks to disable public access This policy configures managed disks to disable public access. Default: modify
Allowed: (deny, audit, disabled, modify)
Contributor IF (1)
•Microsoft.Compute/disks/networkAccessPolicy
THEN-Operations (1)
•Microsoft.Compute/disks/networkAccessPolicy
GA Community
Compute Compute 8426280e-b5be-43d9-979e-653d12a08638 Configure managed disks to disable public network access Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (2)
•Microsoft.Compute/disks/networkAccessPolicy
•Microsoft.Compute/disks/publicNetworkAccess
THEN-Operations (3)
•Microsoft.Compute/disks/diskAccessId
•Microsoft.Compute/disks/networkAccessPolicy
•Microsoft.Compute/disks/publicNetworkAccess
IF (1)
•Microsoft.Compute/disks
GA BuiltIn
Compute Compute compute_deploy-hybrid-benefit-windows Deploy Azure Hybrid Benefit for Windows. This policy ensures virtual machines are configured for Azure Hybrid Benefit for Windows Client and Server - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/hybrid-use-benefit-licensing#ways-to-use-azure-hybrid-benefit-for-windows-server. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor IF (2)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
THEN-ExistenceCondition (1)
•Microsoft.Compute/virtualMachines/licenseType
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines
GA Community
Compute Compute monitoring_deploy-oms-agent-based-on-region-linux Deploy default Log Analytics VM Extension for Linux VMs. This policy deploys Log Analytics VM Extensions on Linux VMs in specific regions, and connects to the selected Log Analytics workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor IF (1)
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/settings.workspaceId
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.compute/virtualmachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA Community
Compute Compute monitoring_deploy-oms-agent-based-on-region-windows Deploy default Log Analytics VM Extension for Windows VMs. This policy deploys Log Analytics VM Extensions on Windows VMs in specific regions, and connects to the selected Log Analytics workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor IF (1)
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/settings.workspaceId
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.compute/virtualmachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA Community
Compute Compute 2835b622-407b-4114-9198-6f7064cbe0dc Deploy default Microsoft IaaSAntimalware extension for Windows Server This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. Fixed: deployIfNotExists Virtual Machine Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Compute Compute hybridusebenefits_deploy-hybrid-use-windows-server Deploy hybrid use for Windows Server This Policy will enable HUB for Windows Server Fixed: deployIfNotExists Owner IF (1)
•Microsoft.Compute/virtualMachines/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.Compute/virtualMachines/licenseType
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines
GA Community
Compute Compute compute_deploy-or-audit-auto-shutdown-by-tag-value-on-vm Deploy VM auto shutdown Default: audit
Allowed: (audit, Deny, DeployIfNotExists, Disabled)
Virtual Machine Contributor THEN-ExistenceCondition (2)
•Microsoft.DevTestLab/labs/virtualMachines/schedules/status
•Microsoft.DevTestLab/labs/virtualMachines/schedules/targetResourceId
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.devtestlab/schedules
GA Community
Compute Compute f39f5f49-4abf-44de-8c70-0756997bfb51 Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Compute/diskAccesses/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Compute/diskAccesses
GA BuiltIn
Compute Compute ca91455f-eace-4f96-be59-e6e2c35b4816 Managed disks should be double encrypted with both platform-managed and customer-managed keys High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Compute/diskEncryptionSets/encryptionType
IF (1)
•Microsoft.Compute/diskEncryptionSets
GA BuiltIn
Compute Compute 8405fdab-1faf-48aa-b702-999c9c172094 Managed disks should disable public network access Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.Compute/disks/networkAccessPolicy
•Microsoft.Compute/disks/publicNetworkAccess
IF (1)
•Microsoft.Compute/disks
GA BuiltIn
Compute Compute d461a302-a187-421a-89ac-84acdb4edc04 Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption Requiring a specific set of disk encryption sets to be used with managed disks give you control over the keys used for encryption at rest. You are able to select the allowed encrypted sets and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (9)
•Microsoft.Compute/disks/encryption.diskEncryptionSetId
•Microsoft.Compute/disks/managedBy
•Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId
•Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.osDiskImage.diskEncryptionSetId
•Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id
•Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.managedDisk.diskEncryptionSet.id
IF (5)
•Microsoft.Compute/disks
•Microsoft.Compute/galleries/images/versions
•Microsoft.Compute/images
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachineScaleSets
GA BuiltIn
Compute Compute c43e4a30-77cb-48ab-a4dd-93f175c63b57 Microsoft Antimalware for Azure should be configured to automatically update protection signatures This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Compute Compute 9b597639-28e4-48eb-b506-56b05d366257 Microsoft IaaSAntimalware extension should be deployed on Windows servers This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Compute Compute c0e996f8-39cf-4af9-9f45-83fbde810432 Only approved VM extensions should be installed This policy governs the virtual machine extensions that are not approved. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Compute Compute 702dd420-7fcc-42c5-afe8-4026edd20fe0 OS and data disks should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (10)
•Microsoft.Compute/disks/encryption.diskEncryptionSetId
•Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*]
•Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId
•Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id
•Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.id
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.managedDisk.diskEncryptionSet.id
IF (5)
•Microsoft.Compute/disks
•Microsoft.Compute/galleries/images/versions
•Microsoft.Compute/images
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachineScaleSets
GA BuiltIn
Compute Compute 465f0161-0087-490a-9ad9-ad6217f4f43a Require automatic OS image patching on Virtual Machine Scale Sets This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month. Fixed: deny IF (2)
•Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade
•Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
GA BuiltIn
Compute Compute 7c1b1214-f927-48bf-8882-84f0af6588b1 Resource logs in Virtual Machine Scale Sets should be enabled It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachineScaleSets/extensions/publisher
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
GA BuiltIn
Compute Compute fc4d8e41-e223-45ea-9bf5-eada37891d87 Virtual machines and virtual machine scale sets should have encryption at host enabled Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.encryptionAtHost
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachineScaleSets
GA BuiltIn
Compute Compute 1d84d5fb-01f6-4d12-ba4f-4a26081d403d Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.ClassicCompute/virtualMachines
•Microsoft.Compute/virtualMachines
GA BuiltIn
Container Apps Container Apps 2b585559-a78e-4cc4-b1aa-fb169d2f6b96 Authentication should be enabled on Container Apps Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.App/containerApps/authConfigs/platform.enabled
IF (1)
•Microsoft.App/containerApps
GA BuiltIn
Container Apps Container Apps 8b346db6-85af-419b-8557-92cee2c0f9bb Container App environments should use network injection Container Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.App/managedEnvironments/vnetConfiguration.infrastructureSubnetId
IF (1)
•Microsoft.App/managedEnvironments
GA BuiltIn
Container Apps Container Apps 7c9f3fbb-739d-4844-8e42-97e3be6450e0 Container App should configure with volume mount Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.App/containerApps
GA BuiltIn
Container Apps Container Apps d074ddf8-01a5-4b5e-a2b8-964aed452c0a Container Apps environment should disable public network access Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.App/managedEnvironments/vnetConfiguration
•Microsoft.App/managedEnvironments/vnetConfiguration.internal
IF (1)
•Microsoft.App/managedEnvironments
GA BuiltIn
Container Apps Container Apps 783ea2a8-b8fd-46be-896a-9ae79643a0b1 Container Apps should disable external network access Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.App/containerApps/configuration.ingress
•Microsoft.App/containerApps/configuration.ingress.external
IF (1)
•Microsoft.App/containerApps
GA BuiltIn
Container Apps Container Apps 0e80e269-43a4-4ae9-b5bc-178126b8a5cb Container Apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.App/containerApps/configuration.ingress.allowInsecure
IF (1)
•Microsoft.App/containerApps
GA BuiltIn
Container Apps Container Apps b874ab2d-72dd-47f1-8cb5-4a306478a4e7 Managed Identity should be enabled for Container Apps Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.App/containerApps
GA BuiltIn
Container Instance Container Instance 8af8f826-edcb-4178-b35f-851ea6fea615 Azure Container Instance container group should deploy into a virtual network Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (3)
•Microsoft.ContainerInstance/containerGroups/ipAddress.type
•Microsoft.ContainerInstance/containerGroups/networkProfile.id
•Microsoft.ContainerInstance/containerGroups/subnetIds[*].id
IF (1)
•Microsoft.ContainerInstance/containerGroups
GA BuiltIn
Container Instance Container Instance 0aa61e00-0a01-4a3c-9945-e93cffedf0e6 Azure Container Instance container group should use customer-managed key for encryption Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (2)
•Microsoft.ContainerInstance/containerGroups/encryptionProperties.keyName
•Microsoft.ContainerInstance/containerGroups/encryptionProperties.vaultBaseUrl
IF (1)
•Microsoft.ContainerInstance/containerGroups
GA BuiltIn
Container Registry Container Registry cced2946-b08a-44fe-9fd9-e4ed8a779897 Configure container registries to disable anonymous authentication. Disable anonymous pull for your registry so that data not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.ContainerRegistry/registries/anonymousPullEnabled
THEN-Operations (1)
•Microsoft.ContainerRegistry/registries/anonymousPullEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry 785596ed-054f-41bc-aaec-7f3d0ba05725 Configure container registries to disable ARM audience token authentication. Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (2)
•Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy
•Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy.status
THEN-Operations (1)
•Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy.status
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry 79fdfe03-ffcb-4e55-b4d0-b925b8241759 Configure container registries to disable local admin account. Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.ContainerRegistry/registries/adminUserEnabled
THEN-Operations (1)
•Microsoft.ContainerRegistry/registries/adminUserEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry a3701552-92ea-433e-9d17-33b7f1208fc9 Configure Container registries to disable public network access Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
THEN-Operations (1)
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry a9b426fe-8856-4945-8600-18c5dd1cca2a Configure container registries to disable repository scoped access token. Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.ContainerRegistry/registries/tokens/status
THEN-Operations (1)
•Microsoft.ContainerRegistry/registries/tokens/status
IF (1)
•Microsoft.ContainerRegistry/registries/tokens
GA BuiltIn
Container Registry Container Registry e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 Configure Container registries to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Container Registry Container Registry d85c6833-7d33-4cf5-a915-aaa2de84405f Configure Container registries with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (1)
•Microsoft.ContainerRegistry/registries/sku.name
THEN-ExistenceCondition (1)
•Microsoft.ContainerRegistry/registries/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.ContainerRegistry/registries
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Container Registry Container Registry containerregistry_container-registries-prevent-access-to-trusted-services Container Registries prevent access to trusted services This policy configures container registry acr_firewall_bypass to prevent access to trusted services Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Container Registry Container Registry containerregistry_container-registries-prevent-managed-identity Container Registries prevent managed identity This policy configures container registry to prevent managed identity Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Container Registry Container Registry 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 Container registries should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerRegistry/registries/encryption.status
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry 9f2dea28-e834-476c-99c5-3507b4728395 Container registries should have anonymous authentication disabled. Disable anonymous pull for your registry so that data is not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerRegistry/registries/anonymousPullEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry 42781ec6-6127-4c30-bdfa-fb423a0047d3 Container registries should have ARM audience token authentication disabled. Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy
•Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy.status
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry 524b0254-c285-4903-bee6-bb8126cde579 Container registries should have exports disabled Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.ContainerRegistry/registries/policies.exportPolicy.status
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry dc921057-6b28-4fbe-9b83-f7bec05db6c2 Container registries should have local admin account disabled. Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerRegistry/registries/adminUserEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry ff05e24e-195c-447e-b322-5e90c9f9f366 Container registries should have repository scoped access token disabled. Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerRegistry/registries/tokens/status
IF (1)
•Microsoft.ContainerRegistry/registries/tokens
GA BuiltIn
Container Registry Container Registry bd560fc0-3c69-498a-ae9f-aa8eb7de0e13 Container registries should have SKUs that support Private Links Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerRegistry/registries/sku.name
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry d0793b48-0edc-4296-a390-4c75d1bdfd71 Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry e8eef0a8-67cf-4eb4-9386-14b0e78733d4 Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.ContainerRegistry/registries/privateEndpointConnections[*]
•Microsoft.ContainerRegistry/registries/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry containerregistry_container-registry-admin-user-filter Enforce Admin User is disabled on all Container Registry instances This policy ensures Admin User is disabled on all Container Registry instances Fixed: deny IF (1)
•Microsoft.ContainerRegistry/registries/adminUserEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA Community
Container Registry Container Registry 0fdf0491-d080-4575-b627-ad0e843cba0f Public network access should be disabled for Container registries Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Cosmos DB Cosmos DB 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (4)
•Microsoft.DocumentDB/databaseAccounts/ipRangeFilter
•Microsoft.DocumentDB/databaseAccounts/ipRules
•Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled
•Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 1f905d99-2ab7-462c-a6b0-f709acca6c8f Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.DocumentDB/databaseAccounts/keyVaultKeyUri
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 0473574d-2d43-4217-aefe-941fcdf7e684 Azure Cosmos DB allowed locations This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.DocumentDB/databaseAccounts/Locations[*]
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 4750c32b-89c0-46af-bfcb-2e4541a818d5 Azure Cosmos DB key based metadata write access should be disabled This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. Fixed: append IF (1)
•Microsoft.DocumentDB/databaseAccounts/disableKeyBasedMetadataWriteAccess
THEN-Details (1)
•Microsoft.DocumentDB/databaseAccounts/disableKeyBasedMetadataWriteAccess
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 797b37f7-06b8-444c-b1ad-fc62867f335a Azure Cosmos DB should disable public network access Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf Azure Cosmos DB throughput should be limited This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (27)
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/options
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/options
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/options
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/options
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/options
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/options
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/options
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/options
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/tables/options
•Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.throughput
GA BuiltIn
Cosmos DB Cosmos DB dc2d41d1-4ab1-4666-a3e1-3d51c43e0049 Configure Cosmos DB database accounts to disable local authentication Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default: Modify
Allowed: (Modify, Disabled)
DocumentDB Account Contributor IF (1)
•Microsoft.DocumentDB/databaseAccounts/disableLocalAuth
THEN-Operations (1)
•Microsoft.DocumentDB/databaseAccounts/disableLocalAuth
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB da69ba51-aaf1-41e5-8651-607cd0b37088 Configure CosmosDB accounts to disable public network access Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Default: Modify
Allowed: (Modify, Disabled)
Contributor, DocumentDB Account Contributor IF (1)
•Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess
THEN-Operations (1)
•Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB a63cc0bd-cda4-4178-b705-37dc439d3e0f Configure CosmosDB accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.DocumentDb/databaseAccounts
•Microsoft.Network/privateEndpoints
GA BuiltIn
Cosmos DB Cosmos DB b609e813-3156-4079-91fa-a8494c1471c4 Configure CosmosDB accounts with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your CosmosDB account, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor, DocumentDB Account Contributor THEN-ExistenceCondition (1)
•Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DocumentDB/databaseAccounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Cosmos DB Cosmos DB 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 Cosmos DB database accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DocumentDB/databaseAccounts/disableLocalAuth
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 58440f8a-10c5-4151-bdce-dfbaad4a20b7 CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections[*]
•Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB b5f04e03-92a3-4b09-9410-2cc5e5047656 Deploy Advanced Threat Protection for Cosmos DB Accounts This policy enables Advanced Threat Protection across Cosmos DB accounts. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin THEN-ExistenceCondition (1)
•Microsoft.Security/advancedThreatProtectionSettings/isEnabled
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Custom Provider Custom Provider c15c281f-ea5c-44cd-90b8-fc3c14d13f0c Deploy associations for a custom provider Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. Fixed: deployIfNotExists Contributor THEN-Deployment (1)
•Microsoft.Resources/deployments
GA BuiltIn
Data Box Data Box c349d81b-9985-44ae-a8da-ff98d108ede8 Azure Data Box jobs should enable double encryption for data at rest on the device Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.DataBox/jobs/details.preferences.encryptionPreferences.doubleEncryption
•Microsoft.Databox/jobs/sku.name
IF (1)
•Microsoft.DataBox/jobs
GA BuiltIn
Data Box Data Box 86efb160-8de7-451d-bc08-5d475b0aadae Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.DataBox/jobs/details.keyEncryptionKey.kekType
•Microsoft.Databox/jobs/sku.name
IF (1)
•Microsoft.DataBox/jobs
GA BuiltIn
Data Factory Data Factory 85bb39b5-2f66-49f8-9306-77da3ac5130f [Preview]: Azure Data Factory integration runtime should have a limit for number of cores To manage your resources and costs, limit the number of cores for an integration runtime. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.dataFlowProperties.coreCount
•Microsoft.DataFactory/factories/integrationruntimes/type
IF (1)
•Microsoft.DataFactory/factories/integrationRuntimes
Preview BuiltIn
Data Factory Data Factory 6809a3d0-d354-42fb-b955-783d207c62a8 [Preview]: Azure Data Factory linked service resource type should be in allow list Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DataFactory/factories/linkedservices/type
Preview BuiltIn
Data Factory Data Factory 127ef6d7-242f-43b3-9eef-947faf1725d0 [Preview]: Azure Data Factory linked services should use Key Vault for storing secrets To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (30)
•Microsoft.DataFactory/factories/linkedservices/AmazonMWS.typeProperties.mwsAuthToken.type
•Microsoft.DataFactory/factories/linkedservices/AmazonMWS.typeProperties.secretKey.type
•Microsoft.DataFactory/factories/linkedservices/AmazonS3.typeProperties.secretAccessKey.type
•Microsoft.DataFactory/factories/linkedservices/AzureBlobStorage.typeProperties.servicePrincipalKey
•Microsoft.DataFactory/factories/linkedservices/AzureBlobStorage.typeProperties.servicePrincipalKey.type
•Microsoft.DataFactory/factories/linkedservices/AzureSearch.typeProperties.key.type
•Microsoft.DataFactory/factories/linkedservices/AzureSqlDW.typeProperties.servicePrincipalKey.type
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.accountKey
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri.type
•Microsoft.DataFactory/factories/linkedservices/CosmosDb.typeProperties.accountKey.type
•Microsoft.DataFactory/factories/linkedservices/Dynamics.typeProperties.servicePrincipalCredential
•Microsoft.DataFactory/factories/linkedservices/Dynamics.typeProperties.servicePrincipalCredential.type
•Microsoft.DataFactory/factories/linkedservices/GoogleAdWords.typeProperties.developerToken.type
•Microsoft.DataFactory/factories/linkedservices/GoogleBigQuery.typeProperties.clientSecret.type
•Microsoft.DataFactory/factories/linkedservices/GoogleBigQuery.typeProperties.refreshToken.type
•Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken
•Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken.type
•Microsoft.DataFactory/factories/linkedservices/OData.typeProperties.servicePrincipalEmbeddedCert.type
•Microsoft.DataFactory/factories/linkedservices/OData.typeProperties.servicePrincipalEmbeddedCertPassword.type
•Microsoft.DataFactory/factories/linkedservices/Odbc.typeProperties.credential.type
•Microsoft.DataFactory/factories/linkedservices/Salesforce.typeProperties.securityToken.type
•Microsoft.DataFactory/factories/linkedservices/Sftp.typeProperties.passPhrase.type
•Microsoft.DataFactory/factories/linkedservices/Sftp.typeProperties.privateKeyContent.type
•Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password
•Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password.type
•Microsoft.DataFactory/factories/linkedservices/type
•Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString
•Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString.type
•Microsoft.DataFactory/factories/linkedservices/typeProperties.encryptedCredential
Preview BuiltIn
Data Factory Data Factory f78ccdb4-7bf4-4106-8647-270491d2978a [Preview]: Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (7)
•Microsoft.DataFactory/factories/linkedservices/AzureSqlDW.typeProperties.servicePrincipalKey
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.accountKey
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri
•Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken
•Microsoft.DataFactory/factories/linkedservices/type
•Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString
•Microsoft.DataFactory/factories/linkedservices/typeProperties.encryptedCredential
Preview BuiltIn
Data Factory Data Factory 77d40665-3120-4348-b539-3192ec808307 [Preview]: Azure Data Factory should use a Git repository for source control Enable source control on data factories, to gain capabilities such as change tracking, collaboration, continuous integration, and deployment. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DataFactory/factories/repoConfiguration.repositoryName
IF (1)
•Microsoft.DataFactory/factories
Preview BuiltIn
Data Factory Data Factory 4ec52d6d-beb7-40c4-9a9e-fe753254690e Azure data factories should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DataFactory/factories/encryption.vaultBaseUrl
IF (1)
•Microsoft.DataFactory/factories
GA BuiltIn
Data Factory Data Factory 8b0323be-cc25-4b61-935d-002c3798c6ea Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.DataFactory/factories/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DataFactory/factories
GA BuiltIn
Data Factory Data Factory 08b1442b-7789-4130-8506-4f99a97226a7 Configure Data Factories to disable public network access Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default: Modify
Allowed: (Modify, Disabled)
Data Factory Contributor IF (1)
•Microsoft.DataFactory/factories/publicNetworkAccess
THEN-Operations (1)
•Microsoft.DataFactory/factories/publicNetworkAccess
IF (1)
•Microsoft.DataFactory/factories
GA BuiltIn
Data Factory Data Factory 86cd96e1-1745-420d-94d4-d3f2fe415aa4 Configure private DNS zones for private endpoints that connect to Azure Data Factory Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Data Factory Data Factory 496ca26b-f669-4322-a1ad-06b7b5e41882 Configure private endpoints for Data factories Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Data Factory Contributor THEN-ExistenceCondition (1)
•Microsoft.DataFactory/factories/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DataFactory/factories
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Data Factory Data Factory 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6 Public network access on Azure Data Factory should be disabled Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DataFactory/factories/publicNetworkAccess
IF (1)
•Microsoft.DataFactory/factories
GA BuiltIn
Data Factory Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.vnetProperties.vnetId
•Microsoft.DataFactory/factories/integrationruntimes/type
IF (1)
•Microsoft.DataFactory/factories/integrationRuntimes
GA BuiltIn
Data Lake Data Lake a7ff3161-0087-490a-9ad9-ad6217f4f43a Require encryption on Data Lake Store accounts This policy ensures encryption is enabled on all Data Lake Store accounts Fixed: deny IF (1)
•Microsoft.DataLakeStore/accounts/encryptionState
IF (1)
•Microsoft.DataLakeStore/accounts
GA BuiltIn
Data Lake Data Lake 057ef27e-665e-4328-8ea3-04b3122bd9fb Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.DataLakeStore/accounts
GA BuiltIn
Data Lake Data Lake c95c74d9-38fe-4f0d-af86-0c7d626a315c Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.DataLakeAnalytics/accounts
GA BuiltIn
Databricks Databricks Deny-Databricks-VirtualNetwork Deny Databricks workspaces without Vnet injection Enforces the use of vnet injection for Databricks workspaces. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (3)
•Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value
•Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value
•Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value
IF (1)
•Microsoft.Databricks/workspaces
GA ALZ
Databricks Databricks Deny-Databricks-Sku Deny non-premium Databricks sku Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.DataBricks/workspaces/sku.name
IF (1)
•Microsoft.Databricks/workspaces
GA ALZ
Databricks Databricks Deny-Databricks-NoPublicIp Deny public IPs for Databricks cluster Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value
IF (1)
•Microsoft.Databricks/workspaces
GA ALZ
DB for MySQL DB for MySQL dbformysql_db-for-mysql-ssl-enforce-filter Enforce SSL on all DB for MySQL instances This policy ensures SSL is enforced on all DB for MySQL instances Fixed: deny IF (1)
•Microsoft.DBforMySQL/servers/sslEnforcement
IF (1)
•Microsoft.DBforMySQL/servers
GA Community
DevTestLabs DevTestLabs aca94a15-a131-4a06-ab0e-89f57e28cc5c Allowed DevTestLabs Repo URL prefix Fixed: deny IF (1)
•Microsoft.DevTestLab/labs/artifactSources/uri
GA Community
Event Grid Event Grid f8f774be-6aee-492a-9e29-486ef81f3a68 Azure Event Grid domains should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/domains/publicNetworkAccess
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 8bfadddb-ee1c-4639-8911-a38cb8e0b3bd Azure Event Grid domains should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/domains/disableLocalAuth
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 9830b652-8523-49cc-b1b3-e17dce1127ca Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.EventGrid/domains/privateEndpointConnections[*]
•Microsoft.EventGrid/domains/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 8632b003-3545-4b29-85e6-b2b96773df1e Azure Event Grid partner namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/partnerNamespaces/disableLocalAuth
IF (1)
•Microsoft.EventGrid/partnerNamespaces
GA BuiltIn
Event Grid Event Grid 1adadefe-5f21-44f7-b931-a59b54ccdb45 Azure Event Grid topics should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/topics/publicNetworkAccess
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Grid Event Grid ae9fb87f-8a17-4428-94a4-8135d431055c Azure Event Grid topics should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/topics/disableLocalAuth
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Grid Event Grid 4b90e17e-8448-49db-875e-bd83fb6f804f Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.EventGrid/topics/privateEndpointConnections[*]
•Microsoft.EventGrid/topics/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Grid Event Grid 8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1 Configure Azure Event Grid domains to disable local authentication Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor IF (1)
•Microsoft.EventGrid/domains/disableLocalAuth
THEN-Operations (1)
•Microsoft.EventGrid/domains/disableLocalAuth
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 2dd0e8b9-4289-4bb0-b813-1883298e9924 Configure Azure Event Grid partner namespaces to disable local authentication Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor IF (1)
•Microsoft.EventGrid/partnerNamespaces/disableLocalAuth
THEN-Operations (1)
•Microsoft.EventGrid/partnerNamespaces/disableLocalAuth
IF (1)
•Microsoft.EventGrid/partnerNamespaces
GA BuiltIn
Event Grid Event Grid 1c8144d9-746a-4501-b08c-093c8d29ad04 Configure Azure Event Grid topics to disable local authentication Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor IF (1)
•Microsoft.EventGrid/topics/disableLocalAuth
THEN-Operations (1)
•Microsoft.EventGrid/topics/disableLocalAuth
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Grid Event Grid d389df0a-e0d7-4607-833c-75a6fdac2c2d Deploy - Configure Azure Event Grid domains to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. Default: DeployIfNotExists
Allowed: (deployIfNotExists, DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Event Grid Event Grid 36f4658a-848a-467b-881c-e6fa20cf75fc Deploy - Configure Azure Event Grid domains with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, EventGrid Contributor THEN-ExistenceCondition (1)
•Microsoft.EventGrid/domains/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventGrid/domains
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Event Grid Event Grid baf19753-7502-405f-8745-370519b20483 Deploy - Configure Azure Event Grid topics to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. Default: DeployIfNotExists
Allowed: (deployIfNotExists, DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Event Grid Event Grid 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca Deploy - Configure Azure Event Grid topics with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, EventGrid Contributor THEN-ExistenceCondition (1)
•Microsoft.EventGrid/topics/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventGrid/topics
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Event Grid Event Grid eventgrid_enforce-event-grid-sys-topic-handler-type-to-be-storage-account Enforce event grid system topic handler type to be storage account This policy enforce event grid system topic handler type to be storage account. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/systemTopics/eventSubscriptions/destination.endpointType
GA Community
Event Grid Event Grid eventgrid_enforce-event-grid-system-topic-source-type-be-storage-account Enforce event grid system topic source type to be storage account This policy enforce event grid system topic source type to be storage account. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/systemTopics/topicType
GA Community
Event Grid Event Grid 898e9824-104c-4965-8e0e-5197588fa5d4 Modify - Configure Azure Event Grid domains to disable public network access Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor IF (1)
•Microsoft.EventGrid/domains/publicNetworkAccess
THEN-Operations (1)
•Microsoft.EventGrid/domains/publicNetworkAccess
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 36ea4b4b-0f7f-4a54-89fa-ab18f555a172 Modify - Configure Azure Event Grid topics to disable public network access Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor IF (1)
•Microsoft.EventGrid/topics/publicNetworkAccess
THEN-Operations (1)
•Microsoft.EventGrid/topics/publicNetworkAccess
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Hub Event Hub b278e460-7cfc-4451-8294-cccc40a940d7 All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventHub/namespaces/authorizationRules
GA BuiltIn
Event Hub Event Hub f4826e5f-6a27-407c-ae3e-9582eb39891d Authorization rules on the Event Hub instance should be defined Audit existence of authorization rules on Event Hub entities to grant least-privileged access Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.EventHub/namespaces/eventhubs
THEN-Details (1)
•Microsoft.EventHub/namespaces/eventHubs/authorizationRules
GA BuiltIn
Event Hub Event Hub 5d4e3c65-4873-47be-94f3-6f8b953a3598 Azure Event Hub namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventHub/namespaces/disableLocalAuth
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub 57f35901-8389-40bb-ac49-3ba4f86d889d Configure Azure Event Hub namespaces to disable local authentication Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default: Modify
Allowed: (Modify, Disabled)
Azure Event Hubs Data Owner IF (1)
•Microsoft.EventHub/namespaces/disableLocalAuth
THEN-Operations (1)
•Microsoft.EventHub/namespaces/disableLocalAuth
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub ed66d4f5-8220-45dc-ab4a-20d1749c74e6 Configure Event Hub namespaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Event Hub Event Hub 91678b7c-d721-4fc5-b179-3cdf74e96b1c Configure Event Hub namespaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Azure Event Hubs Data Owner THEN-ExistenceCondition (1)
•Microsoft.EventHub/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventHub/namespaces
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Event Hub Event Hub 836cd60e-87f3-4e6a-a27c-29d687f01a4c Event Hub namespaces should have double encryption enabled Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.EventHub/namespaces/clusterArmId
•Microsoft.EventHub/namespaces/encryption.requireInfrastructureEncryption
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub a1ad735a-e96f-45d2-a7b2-9a4932cab7ec Event Hub namespaces should use a customer-managed key for encryption Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.EventHub/namespaces/clusterArmId
•Microsoft.EventHub/namespaces/encryption.keySource
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub b8564268-eb4a-4337-89be-a19db070c59d Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.EventHub/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub 83a214f7-d01a-484b-91a9-ed54470c9a6a Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Fluid Relay Fluid Relay 46388f67-373c-4018-98d3-2b83172dd13a Fluid Relay should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Fluid Relay server. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. Learn more at https://docs.microsoft.com/azure/azure-fluid-relay/concepts/customer-managed-keys. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.FluidRelay/fluidRelayServers/encryption.customerManagedKeyEncryption
IF (1)
•Microsoft.FluidRelay/fluidRelayServers
GA BuiltIn
General General c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 [Deprecated]: Allow resource creation only in Asia data centers Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West Fixed: Deny Deprecated BuiltIn
General General 94c19f19-8192-48cd-a11b-e37099d3e36b [Deprecated]: Allow resource creation only in European data centers Allows resource creation in the following locations only: North Europe, West Europe Fixed: Deny Deprecated BuiltIn
General General 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 [Deprecated]: Allow resource creation only in India data centers Allows resource creation in the following locations only: West India, South India, Central India Fixed: Deny Deprecated BuiltIn
General General 983211ba-f348-4758-983b-21fa29294869 [Deprecated]: Allow resource creation only in United States data centers Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US Fixed: Deny Deprecated BuiltIn
General General 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9 [Deprecated]: Custom subscription owner roles should not exist This policy is deprecated. Default: Audit
Allowed: (Audit, Disabled)
IF (4)
•Microsoft.Authorization/roleDefinitions/assignableScopes[*]
•Microsoft.Authorization/roleDefinitions/permissions.actions[*]
•Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]
•Microsoft.Authorization/roleDefinitions/type
IF (1)
•Microsoft.Authorization/roleDefinitions
Deprecated BuiltIn
General General e56962a6-4747-49cd-b67b-bf8b01975c4c Allowed locations This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. Fixed: deny IF (1)
•Microsoft.AzureActiveDirectory/b2cDirectories
GA BuiltIn
General General e765b5de-1225-4ba3-bd56-1ac6695af988 Allowed locations for resource groups This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. Fixed: deny IF (1)
•Microsoft.Resources/subscriptions/resourceGroups
GA BuiltIn
General General a08ec900-254a-4555-9bf5-e42af04b5c5c Allowed resource types This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. Fixed: deny GA BuiltIn
General General 0a914e76-4921-4c19-b460-a2d36003525a Audit resource location matches resource group location Audit that the resource location matches its resource group location Fixed: audit GA BuiltIn
General General a451c1ef-c6ca-483d-87ed-f49761e3ffb5 Audit usage of custom RBAC rules Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Authorization/roleDefinitions/type
IF (1)
•Microsoft.Authorization/roleDefinitions
GA BuiltIn
General General 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 Not allowed resource types Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Guest Configuration Guest Configuration faf25c8c-9598-4305-b4de-0aee1317fb31 [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5fc23db3-dd4d-4c56-bcc7-43626243e601 [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
Deprecated BuiltIn
Guest Configuration Guest Configuration ec49586f-4939-402d-a29e-6ff502b20592 [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f19aa1c1-6b91-4c27-ae6a-970279f03db9 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 4d1c04de-2172-403f-901b-90608c35c721 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 3470477a-b35a-49db-aca5-1073d04524fe [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 884b209a-963b-4520-8006-d20cb3c213e0 [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7a031c68-d6ab-406e-a506-697a19c634b0 [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ec7ac234-2af5-4729-94d2-c557c071799d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f1f4825d-58fb-4257-8016-8c00e3c9ed9d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 985285b7-b97a-419c-8d48-c88cc934c8d8 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 40917425-69db-4018-8dae-2a0556cef899 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e5b81f87-9185-4224-bf00-9f505e9f89f3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 498b810c-59cd-4222-9338-352ba146ccf3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 6481cc21-ed6e-4480-99dd-ea7c5222e897 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 3750712b-43d0-478e-9966-d2c26f6141b9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration bbcdd8fa-b600-4ee3-85b8-d184e3339652 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 86880e5c-df35-43c5-95ad-7e120635775e [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f56a3ab2-89d1-44de-ac0d-2ada5962e22a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 36e17963-7202-494a-80c3-f508211c826b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 1f8c20ce-3414-4496-8b26-0e902a1541da [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 12ae2d24-3805-4b37-9fa9-465968bfbcfa [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 437a1f8f-8552-47a8-8b12-a2fee3269dd5 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e425e402-a050-45e5-b010-bd3f934589fc [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e3d95ab7-f47a-49d8-a347-784177b6c94c [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c1e289c0-ffad-475d-a924-adc058765d65 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 0a9991e6-21be-49f9-8916-a06d934bcf29 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 42a07bbf-ffcf-459a-b4b1-30ecd118a505 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c04255ee-1b9f-42c1-abaa-bf1553f79930 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 8e170edb-e0f5-497a-bb36-48b3280cec6a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 97b595c8-fd10-400e-8543-28e2b9138b13 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ce2370f6-0ac5-4d85-8ab4-10721cc640b0 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f8b0158d-4766-490f-bea0-259e52dba473 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 815dcc9f-6662-43f2-9a03-1b83e9876f24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7040a231-fb65-4412-8c0a-b365f4866c24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 909c958d-1b99-4c74-b88f-46a5c5bc34f9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 144f1397-32f9-4598-8c88-118decc3ccba [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 93507a81-10a4-4af0-9ee2-34cf25a96e98 [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration b821191b-3a12-44bc-9c38-212138a29ff3 [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration d38b4c26-9d2e-47d7-aefe-18d859a8706a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 68511db2-bd02-41c4-ae6b-1900a012968a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5bb36dda-8a78-4df9-affd-4f05a8612a8a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 32b1e4d4-6cd5-47b4-a935-169da8a5c262 [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 726671ac-c4de-4908-8c7d-6043ae62e3b6 [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 315c850a-272d-4502-8935-b79010405970 [Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c21f7060-c148-41cf-a68b-0ab3e14c764c [Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 106ccbe4-a791-4f33-a44a-06796944b8d5 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 356a906e-05e5-4625-8729-90771e0ee934 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 16390df4-2f73-4b42-af13-c801066763df [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 12f7e5d0-42a7-4630-80d8-54fb7cff9bd6 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e0efc13a-122a-47c5-b817-2ccfe5d12615 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 90ba2ee7-4ca8-4673-84d1-c851c50d3baf [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 23020aa6-1135-4be2-bae2-149982b06eca [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 8ff0b18b-262e-4512-857a-48ad0aeb9a78 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f4b245d4-46c9-42be-9b1a-49e2b5b94194 [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f0633351-c7b2-41ff-9981-508fc08553c2 [Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c96f3246-4382-4264-bf6b-af0b35e23c3c [Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration b2fc8f91-866d-4434-9089-5ebfe38d6fd8 [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
Deprecated BuiltIn
Guest Configuration Guest Configuration 0ecd903d-91e7-4726-83d3-a229d7f2e293 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
Deprecated BuiltIn
Guest Configuration Guest Configuration 2d67222d-05fd-4526-a171-2ee132ad9e83 [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration b18175dd-c599-4c64-83ba-bb018a06d35b [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration fee5cb2b-9d9b-410e-afe3-2902d90d0004 [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c40c9087-1981-4e73-9f53-39743eda9d05 [Deprecated]: Show audit results from Linux VMs that have accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 [Deprecated]: Show audit results from Linux VMs that have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration d7ccd0ca-8d78-42af-a43d-6b7f928accbc [Deprecated]: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 87b590fe-4a1d-4697-ae74-d4fe72ab786c [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 97646672-5efa-4622-9b54-740270ad60bf [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7229bd6a-693d-478a-87f0-1dc1af06f3b8 [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration a1e8dda3-9fd2-4835-aec3-0e55531fde33 [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration b872a447-cc6f-43b9-bccf-45703cd81607 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 21e2995e-683e-497a-9e81-2f42ad07050a [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c8abcef9-fc26-482f-b8db-5fa60ee4586d [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration fcbc55c9-f25a-4e55-a6cb-33acb3be778b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 30040dab-4e75-4456-8273-14b8f75d91d9 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5c028d2a-1889-45f6-b821-31f42711ced8 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ba12366f-f9a6-42b8-9d98-157d0b1a837b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e3a77a94-cf41-4ee8-b45c-98be28841c03 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 620e58b5-ac75-49b4-993f-a9d4f0459636 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 8a39d1f1-5513-4628-b261-f469a5a3341b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 29829ec2-489d-4925-81b7-bda06b1718e0 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ddb53c61-9db4-41d4-a953-2abff5b66c12 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration bc87d811-4a9b-47cc-ae54-0a41abda7768 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 225e937e-d32e-4713-ab74-13ce95b3519a [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration a9a33475-481d-4b81-9116-0bf02ffe67e8 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration b3802d79-dd88-4bce-b81d-780218e48280 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 60aeaf73-a074-417a-905f-7ce9df0ff77b [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration dd4680ed-0559-4a6a-ad10-081d14cbb484 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7066131b-61a6-4917-a7e4-72e8983f0aa6 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c961dac9-5916-42e8-8fb1-703148323994 [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 9178b430-2295-406e-bb28-f6a7a2a2f897 [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 8bbd627e-4d25-4906-9a6e-3789780af3ec [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration bde62c94-ccca-4821-a815-92c1d31a76de [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f3b44e5d-1456-475f-9c67-c66c4618e85a [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration cc7cda28-f867-4311-8497-a526129a8d19 [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7227ebe5-9ff7-47ab-b823-171cd02fb90f [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration a030a57e-4639-4e8f-ade9-a92f33afe7ee [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 02a84be7-c304-421f-9bb7-5d2c26af54ad [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a [Deprecated]: Show audit results from Windows VMs on which the specified services are not installed and 'Running' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 0d9b45ff-9ddd-43fc-bf59-fbd1c8423053 [Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration cdbf72d9-ac9c-4026-8a3a-491a5ac59293 [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration a29ee95c-0395-4515-9851-cc04ffe82a91 [Deprecated]: Show audit results from Windows VMs that are not joined to the specified domain This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 9f658460-46b7-43af-8565-94fc0662be38 [Deprecated]: Show audit results from Windows VMs that are not set to the specified time zone This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 9328f27e-611e-44a7-a244-39109d7d35ab [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f3b9ad83-000d-4dc1-bff0-6d54533dd03f [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 24dde96d-f0b1-425e-884f-4a1421e2dcdc [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5aa11bbc-5c76-4302-80e5-aba46a4282e7 [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f48b2913-1dc5-4834-8c72-ccc1dfd819bb [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5e393799-e3ca-4e43-a9a5-0ec4648a57d9 [Deprecated]: Show audit results from Windows VMs that do not have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f8036bd0-c10b-4931-86bb-94a878add855 [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 16f9b37c-4408-4c30-bc17-254958f2e2d6 [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5aebc8d1-020d-4037-89a0-02043a7524ec [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 2d60d3b7-aa10-454c-88a8-de39d99d17c6 [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7e84ba44-6d03-46fd-950e-5efa5a1112fa [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7e56b49b-5990-4159-a734-511ea19b731c [Deprecated]: Show audit results from Windows VMs that have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 8b0de57a-f511-4d45-a277-17cb79cb163b [Deprecated]: Show audit results from Windows VMs with a pending reboot This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 60ffe3e2-4604-4460-8f22-0f1da058266c [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f40c7c00-b4e3-4068-a315-5fe81347a904 [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: DeployIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Contributor, User Access Administrator IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (5)
•Microsoft.Authorization/locks
•Microsoft.Compute/virtualMachines
•Microsoft.ManagedIdentity/userAssignedIdentities
•Microsoft.Resources/deployments
•Microsoft.Resources/resourceGroups
Preview BuiltIn
Guest Configuration Guest Configuration 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 [Preview]: Configure Windows Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Guest Configuration Resource Contributor IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.hybridcompute/machines
Preview BuiltIn
Guest Configuration Guest Configuration 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
Preview BuiltIn
Guest Configuration Guest Configuration e79ffbda-ff85-465d-ab8e-7e58a557660f [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
Preview BuiltIn
Guest Configuration Guest Configuration 50c52fc9-cb21-4d99-9031-d6a0c613361c [Preview]: Windows machines should meet STIG compliance requirements for Azure compute Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirements for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
Preview BuiltIn
Guest Configuration Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Guest Configuration Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Guest Configuration Guest Configuration ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration e6955644-301c-44b5-a4c4-528577de6861 Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration d3b823c9-e0fc-4453-9fb2-8213b7338523 Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 Audit Windows machines missing any of specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 630ac30f-a234-4533-ac2d-e0df77acda51 Audit Windows machines network connectivity Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd Audit Windows machines on which the DSC configuration is not compliant Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 6265018c-d7e2-432f-a75d-094d5f6f4465 Audit Windows machines on which the Log Analytics agent is not connected as expected Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration e6ebf138-3d71-4935-a13b-9c7fdddd94df Audit Windows machines on which the specified services are not installed and 'Running' Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 58c460e9-7573-4bb2-9676-339c2f2486bb Audit Windows machines on which Windows Serial Console is not enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 5b054a0d-39e2-4d53-bea3-9734cad2c69b Audit Windows machines that allow re-use of the previous 24 passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 84662df4-0e37-44a6-9ce1-c9d2150db18c Audit Windows machines that are not joined to the specified domain Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration c633f6a2-7f8b-4d9e-9456-02f0f04f5505 Audit Windows machines that are not set to the specified time zone Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 1417908b-4bff-46ee-a2a6-4acc899320ab Audit Windows machines that contain certificates expiring within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 934345e1-4dfb-4c70-90d7-41990dc9608b Audit Windows machines that do not contain the specified certificates in Trusted Root Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 4ceb8dc2-559c-478b-a15b-733fbf1e3738 Audit Windows machines that do not have a maximum password age of 70 days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 237b38db-ca4d-4259-9e47-7882441ca2c0 Audit Windows machines that do not have a minimum password age of 1 day Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration bf16e0bb-31e1-4646-8202-60a235cc7e74 Audit Windows machines that do not have the password complexity setting enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration c648fbbb-591c-4acd-b465-ce9b176ca173 Audit Windows machines that do not have the specified Windows PowerShell execution policy Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 Audit Windows machines that do not have the specified Windows PowerShell modules installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Audit Windows machines that do not restrict the minimum password length to 14 characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration da0f98fe-a24b-4ad5-af69-bd0400233661 Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration ebb67efd-3c46-49b0-adfe-5599eb944998 Audit Windows machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 Audit Windows machines that have extra accounts in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration beb6ccee-b6b8-4e91-9801-a5fa4260a104 Audit Windows machines that have not restarted within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration c5b85cba-6e6f-4de4-95e1-f0233cd712ac Audit Windows machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f Audit Windows machines that have the specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 4221adbc-5c0f-474f-88b7-037a99e6114c Audit Windows VMs with a pending reboot Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. Fixed: auditIfNotExists IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 828ba269-bf7f-4082-83dd-633417bc391d Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows servers Creates a Guest Configuration assignment to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows server Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.hybridcompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 6141c932-9384-44c6-a395-59e4c057d7c9 Configure time zone on Windows machines. This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. Fixed: deployIfNotExists Guest Configuration Resource Contributor IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.hybridcompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Guest Configuration Guest Configuration 385f5831-96d4-41db-9a3c-cd3af78aaae6 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Guest Configuration Guest Configuration Deploy-Windows-DomainJoin Deploy Windows Domain Join Extension with keyvault configuration Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA ALZ
Guest Configuration Guest Configuration 1e7fed80-8321-4605-b42c-65fc300f23a3 Linux machines should have Log Analytics agent installed on Azure Arc Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 73db37c4-f180-4b0f-ab2c-8ee96467686b Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 480d0f91-30af-4a76-9afb-f5710ac52b09 Private endpoints for Guest Configuration assignments should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.GuestConfiguration/guestConfigurationAssignments
GA BuiltIn
Guest Configuration Guest Configuration bed48b13-6647-468e-aa2f-1af1d3f4dd40 Windows Defender Exploit Guard should be enabled on your machines Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration d96163de-dbe0-45ac-b803-0e9ca0f5764e Windows machines should configure Windows Defender to update protection signatures within one day To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration b3248a42-b1c1-41a4-87bc-8bad3d845589 Windows machines should enable Windows Defender Real-time protection Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 4078e558-bda6-41fb-9b3c-361e8875200d Windows machines should have Log Analytics agent installed on Azure Arc Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 3aa2661b-02d7-4ba6-99bc-dc36b10489fd Windows machines should meet requirements for 'Administrative Templates - Control Panel' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration e0a7e899-2ce2-4253-8a13-d808fdeb75af Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 67e010c1-640d-438e-a3a5-feaccb533a98 Windows machines should meet requirements for 'Administrative Templates - Network' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 968410dc-5ca0-4518-8a5b-7b55f0530ea9 Windows machines should meet requirements for 'Administrative Templates - System' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration ee984370-154a-4ee8-9726-19d900e56fc0 Windows machines should meet requirements for 'Security Options - Accounts' Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 33936777-f2ac-45aa-82ec-07958ec9ade4 Windows machines should meet requirements for 'Security Options - Audit' Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 8794ff4f-1a35-4e18-938f-0b22055067cd Windows machines should meet requirements for 'Security Options - Devices' Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration d472d2c9-d6a3-4500-9f5f-b15f123005aa Windows machines should meet requirements for 'Security Options - Interactive Logon' Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration d6c69680-54f0-4349-af10-94dd05f4225e Windows machines should meet requirements for 'Security Options - Microsoft Network Client' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration caf2d518-f029-4f6b-833b-d7081702f253 Windows machines should meet requirements for 'Security Options - Microsoft Network Server' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd Windows machines should meet requirements for 'Security Options - Network Access' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 1221c620-d201-468c-81e7-2817e6107e84 Windows machines should meet requirements for 'Security Options - Network Security' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 Windows machines should meet requirements for 'Security Options - Recovery console' Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration b4a4d1eb-0263-441b-84cb-a44073d8372d Windows machines should meet requirements for 'Security Options - Shutdown' Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 2f262ace-812a-4fd0-b731-b38ba9e9708d Windows machines should meet requirements for 'Security Options - System objects' Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 12017595-5a75-4bb1-9d97-4c2c939ea3c3 Windows machines should meet requirements for 'Security Options - System settings' Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 492a29ed-d143-4f03-b6a4-705ce081b463 Windows machines should meet requirements for 'Security Options - User Account Control' Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration f2143251-70de-4e81-87a8-36cee5a2f29d Windows machines should meet requirements for 'Security Settings - Account Policies' Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 Windows machines should meet requirements for 'System Audit Policies - Account Logon' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 94d9aca8-3757-46df-aa51-f218c5f11954 Windows machines should meet requirements for 'System Audit Policies - Account Management' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 58383b73-94a9-4414-b382-4146eb02611b Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 19be9779-c776-4dfa-8a15-a2fd5dc843d6 Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 35781875-8026-4628-b19b-f6efb4d88a1d Windows machines should meet requirements for 'System Audit Policies - Object Access' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 2a7a701e-dff3-4da9-9ec5-42cb98594c0b Windows machines should meet requirements for 'System Audit Policies - Policy Change' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 87845465-c458-45f3-af66-dcd62176f397 Windows machines should meet requirements for 'System Audit Policies - Privilege Use' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 8316fa92-d69c-4810-8124-62414f560dcf Windows machines should meet requirements for 'System Audit Policies - System' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration e068b215-0026-4354-b347-8fb2766f73a2 Windows machines should meet requirements for 'User Rights Assignment' Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 8537fe96-8cbe-43de-b0ef-131bc72bc22a Windows machines should meet requirements for 'Windows Components' Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 35d9882c-993d-44e6-87d2-db66ce21b636 Windows machines should meet requirements for 'Windows Firewall Properties' Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc Windows machines should meet requirements of the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration f79fef0d-0050-4c18-a303-5babb9c14ac7 Windows machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 3810e389-1d92-4f77-9267-33bdcf0bd225 Windows machines should schedule Windows Defender to perform a scheduled scan every day Windows machines should schedule Windows Defender to perform a scheduled scan every day to ensure that malware is quickly identified to minimize the effect this may have to the environment. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 2454bbee-dc19-442f-83fc-7f3114cafd91 Windows machines should use the default NTP server Setup the 'time.windows.com' as the default NTP Server for all Windows machines to ensure logs across all systems have system clocks that are all in sync. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Windows web servers should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
HDInsight HDInsight b0ab5b05-1c98-40f7-bb9e-dc568e41b501 Azure HDInsight clusters should be injected into a virtual network Injecting Azure HDInsight clusters in a virtual network unlocks advanced HDInsight networking and security features and provides you with control over your network security configuration. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (3)
•Microsoft.HDInsight/clusters/computeProfile.roles[*]
•Microsoft.HDInsight/clusters/computeProfile.roles[*].virtualNetworkProfile.id
•Microsoft.HDInsight/clusters/computeProfile.roles[*].virtualNetworkProfile.subnet
IF (1)
•Microsoft.HDInsight/clusters
GA BuiltIn
HDInsight HDInsight 64d314f6-6062-4780-a861-c23e8951bee5 Azure HDInsight clusters should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.HDInsight/clusters/diskEncryptionProperties.keyName
IF (1)
•Microsoft.HDInsight/clusters
GA BuiltIn
HDInsight HDInsight 1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6 Azure HDInsight clusters should use encryption at host to encrypt data at rest Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.HDInsight/clusters/diskEncryptionProperties.encryptionAtHost
IF (1)
•Microsoft.HDInsight/clusters
GA BuiltIn
HDInsight HDInsight d9da03a1-f3c3-412a-9709-947156872263 Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.HDInsight/clusters/encryptionInTransitProperties.isEncryptionInTransitEnabled
IF (1)
•Microsoft.HDInsight/clusters
GA BuiltIn
HDInsight HDInsight c8cc2f85-e019-4065-9fa3-5e6a2b2dde56 Azure HDInsight should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.HDInsight/clusters/networkProperties.privateLink
THEN-ExistenceCondition (1)
•Microsoft.HDInsight/clusters/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HDInsight/clusters
GA BuiltIn
HDInsight HDInsight 43d6e3bd-fc6a-4b44-8b4d-2151d8736a11 Configure Azure HDInsight clusters to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://aka.ms/hdi.pl. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.HDInsight/clusters
•Microsoft.Network/privateEndpoints
GA BuiltIn
HDInsight HDInsight 2676090a-4baf-46ac-9085-4ac02cc50e3e Configure Azure HDInsight clusters with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (1)
•Microsoft.HDInsight/clusters/networkProperties.privateLink
THEN-ExistenceCondition (1)
•Microsoft.HDInsight/clusters/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HDInsight/clusters
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Health Bot Health Bot 4d080fa5-a6d2-4f98-ba9c-f482d0d335c0 Azure Health Bots should use customer-managed keys to encrypt data at rest Use customer-managed keys (CMK) to manage the encryption at rest of the data of your healthbots. By default, the data is encrypted at rest with service-managed keys, but CMK are commonly required to meet regulatory compliance standards. CMK enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/health-bot/cmk Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.HealthBot/healthBots/keyVaultProperties.keyVaultUri
IF (1)
•Microsoft.HealthBot/healthBots
GA BuiltIn
Healthcare APIs Healthcare APIs fe1c9040-c46a-4e81-9aea-c7850fbb3aa6 CORS should not allow every domain to access your FHIR Service Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. Default: Audit
Allowed: (audit, Audit, disabled, Disabled)
IF (1)
•Microsoft.HealthcareApis/workspaces/fhirservices/corsConfiguration.origins[*]
IF (1)
•Microsoft.HealthcareApis/workspaces/fhirservices
GA BuiltIn
Internet of Things Internet of Things 2d7e144b-159c-44fc-95c1-ac3dbf5e6e54 [Preview]: Azure IoT Hub should use customer-managed key to encrypt data at rest Encryption of data at rest in IoT Hub with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Customer-managed keys must be configured during creation of IoT Hub. For more information on how to configure customer-managed keys, see https://aka.ms/iotcmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Devices/IotHubs/encryption.keyVaultProperties[*]
•Microsoft.Devices/IotHubs/encryption.keyVaultProperties[*].keyIdentifier
IF (1)
•Microsoft.Devices/IotHubs
Preview BuiltIn
Internet of Things Internet of Things 47031206-ce96-41f8-861b-6a915f3de284 [Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Devices/provisioningServices/encryption.keyVaultProperties[*]
•Microsoft.Devices/provisioningServices/encryption.keyVaultProperties[*].keyIdentifier
IF (1)
•Microsoft.Devices/provisioningServices
Preview BuiltIn
Internet of Things Internet of Things 27d4c5ec-8820-443f-91fe-1215e96f64b2 Azure Device Update for IoT Hub accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Device Update for IoT Hub accounts, data leakage risks are reduced. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (3)
•Microsoft.DeviceUpdate/accounts/privateEndpointConnections/privateEndpoint
•Microsoft.DeviceUpdate/accounts/privateEndpointConnections/privateLinkServiceConnectionState.status
•Microsoft.DeviceUpdate/accounts/privateEndpointConnections/provisioningState
IF (1)
•Microsoft.DeviceUpdate/accounts
GA BuiltIn
Internet of Things Internet of Things 672d56b3-23a7-4a3c-a233-b77ed7777518 Azure IoT Hub should have local authentication methods disabled for Service Apis Disabling local authentication methods improves security by ensuring that Azure IoT Hub exclusively require Azure Active Directory identities for Service Api authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Devices/IotHubs/disableLocalAuth
IF (1)
•Microsoft.Devices/IotHubs
GA BuiltIn
Internet of Things Internet of Things 27573ebe-7ef3-4472-a8e1-33aef9ea65c5 Configure Azure Device Update for IoT Hub accounts to disable public network access Disabling the public network access property improves security by ensuring your Device Update for IoT Hub can only be accessed from a private endpoint. This policy disables public network access on Device Update for IoT Hub resources. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.DeviceUpdate/accounts/publicNetworkAccess
THEN-Operations (1)
•Microsoft.DeviceUpdate/accounts/publicNetworkAccess
IF (1)
•Microsoft.DeviceUpdate/accounts
GA BuiltIn
Internet of Things Internet of Things a222b93a-e6c2-4c01-817f-21e092455b2a Configure Azure Device Update for IoT Hub accounts to use private DNS zones Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for Device Updatefor IoT Hub private endpoints. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.DeviceUpdate/accounts
•Microsoft.Network/privateEndpoints
GA BuiltIn
Internet of Things Internet of Things 5b9d063f-c5fd-4750-a489-1258d1fefcbf Configure Azure Device Update for IoT Hub accounts with private endpoint A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Contributor THEN-ExistenceCondition (1)
•Microsoft.DeviceUpdate/accounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DeviceUpdate/accounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Internet of Things Internet of Things 9f8ba900-a70f-486e-9ffc-faf907305376 Configure Azure IoT Hub to disable local authentication Disable local authentication methods so that your Azure IoT Hub exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.Devices/IotHubs/disableLocalAuth
THEN-Operations (1)
•Microsoft.Devices/IotHubs/disableLocalAuth
IF (1)
•Microsoft.Devices/IotHubs
GA BuiltIn
Internet of Things Internet of Things aaa64d2d-2fa3-45e5-b332-0b031b9b30e8 Configure IoT Hub device provisioning instances to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://aka.ms/iotdpsvnet. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Internet of Things Internet of Things 859dfc91-ea35-43a6-8256-31271c363794 Configure IoT Hub device provisioning service instances to disable public network access Disable public network access for your IoT Hub device provisioning instance so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/iotdpsvnet. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.Devices/provisioningServices/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Devices/provisioningServices/publicNetworkAccess
IF (1)
•Microsoft.Devices/provisioningServices
GA BuiltIn
Internet of Things Internet of Things 9b75ea5b-c796-4c99-aaaf-21c204daac43 Configure IoT Hub device provisioning service instances with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to IoT Hub device provisioning service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/iotdpsvnet. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (2)
•Microsoft.Devices/provisioningServices/privateEndpointConnections[*]
•Microsoft.Devices/provisioningServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Devices/provisioningServices
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Internet of Things Internet of Things c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02 Deploy - Configure Azure IoT Hubs to use private DNS zones Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. Default: DeployIfNotExists
Allowed: (deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Network Contributor, Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Internet of Things Internet of Things bf684997-3909-404e-929c-d4a38ed23b2e Deploy - Configure Azure IoT Hubs with private endpoints A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Contributor THEN-ExistenceCondition (1)
•Microsoft.Devices/IotHubs/PrivateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Devices/IotHubs
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Internet of Things Internet of Things d627d7c6-ded5-481a-8f2e-7e16b1e6faf6 Deploy - Configure IoT Central to use private DNS zones Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Central private endpoints. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Internet of Things Internet of Things c854b0f0-02d0-4f94-9b42-fd175fbd4d49 Deploy - Configure IoT Central with private endpoints A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT Central to allow services inside your virtual network to reach IoT Central without requiring traffic to be sent to IoT Central's public endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Contributor THEN-ExistenceCondition (1)
•Microsoft.IoTCentral/iotApps/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.IoTCentral/iotApps
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Internet of Things Internet of Things 9ace2dbc-4b71-48b6-b2a7-428b0b2e3944 IoT Central should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your IoT Central application instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/iotcentral-network-security-using-pe. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.IoTCentral/iotApps/privateEndpointConnections[*]
•Microsoft.IoTCentral/iotApps/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.IoTCentral/iotApps
GA BuiltIn
Internet of Things Internet of Things d82101f3-f3ce-4fc5-8708-4c09f4009546 IoT Hub device provisioning service instances should disable public network access Disabling public network access improves security by ensuring that IoT Hub device provisioning service instance isn't exposed on the public internet. Creating private endpoints can limit exposure of the IoT Hub device provisioning instances. Learn more at: https://aka.ms/iotdpsvnet. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Devices/provisioningServices/publicNetworkAccess
IF (1)
•Microsoft.Devices/provisioningServices
GA BuiltIn
Internet of Things Internet of Things df39c015-56a4-45de-b4a3-efe77bed320d IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.Devices/provisioningServices/privateEndpointConnections[*]
•Microsoft.Devices/provisioningServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Devices/provisioningServices
GA BuiltIn
Internet of Things Internet of Things 114eec6e-5e59-4bad-999d-6eceeb39d582 Modify - Configure Azure IoT Hubs to disable public network access Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.Devices/IotHubs/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Devices/IotHubs/publicNetworkAccess
IF (1)
•Microsoft.Devices/IotHubs
GA BuiltIn
Internet of Things Internet of Things d02e48d5-28d9-40d3-8ab8-301932a6f9cb Modify - Configure IoT Central to disable public network access Disabling the public network access property improves security by ensuring your IoT Central can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.IoTCentral/iotApps/publicNetworkAccess
THEN-Operations (1)
•Microsoft.IoTCentral/iotApps/publicNetworkAccess
IF (1)
•Microsoft.IoTCentral/iotApps
GA BuiltIn
Internet of Things Internet of Things 0d40b058-9f95-4a19-93e3-9b0330baa2a3 Private endpoint should be enabled for IoT Hub Private endpoint connections enforce secure communication by enabling private connectivity to IoT Hub. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.Devices/IotHubs/privateEndpointConnections[*]
•Microsoft.Devices/IotHubs/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Devices/IotHubs
GA BuiltIn
Internet of Things Internet of Things 510ec8b2-cb9e-461d-b7f3-6b8678c31182 Public network access for Azure Device Update for IoT Hub accounts should be disabled Disabling the public network access property improves security by ensuring your Azure Device Update for IoT Hub accounts can only be accessed from a private endpoint. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DeviceUpdate/accounts/publicNetworkAccess
IF (1)
•Microsoft.DeviceUpdate/accounts
GA BuiltIn
Internet of Things Internet of Things 2d6830fb-07eb-48e7-8c4d-2a442b35f0fb Public network access on Azure IoT Hub should be disabled Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Devices/IotHubs/publicNetworkAccess
IF (1)
•Microsoft.Devices/IotHubs
GA BuiltIn
Internet of Things Internet of Things cd870362-211d-4cad-9ad9-11e5ea4ebbc1 Public network access should be disabled for IoT Central To improve the security of IoT Central, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/iotcentral-restrict-public-access. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.IoTCentral/iotApps/publicNetworkAccess
IF (1)
•Microsoft.IoTCentral/iotApps
GA BuiltIn
Internet of Things Internet of Things 383856f8-de7f-44a2-81fc-e5135b5c2aa4 Resource logs in IoT Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (4)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
IF (1)
•Microsoft.Devices/IotHubs
GA BuiltIn
Key Vault Key Vault 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5 [Preview]: Azure Key Vault Managed HSM keys should have an expiration date Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview BuiltIn
Key Vault Key Vault ad27588c-0198-4c84-81ef-08efd0274653 [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview BuiltIn
Key Vault Key Vault e58fd0c1-feac-4d12-92db-0a7e9421f53e [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview BuiltIn
Key Vault Key Vault 86810a98-8e91-4a44-8386-ec66d0de5d57 [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview BuiltIn
Key Vault Key Vault 19ea9d63-adee-4431-a95e-1913c6c1c75f [Preview]: Azure Key Vault Managed HSM should disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.KeyVault/managedHSMs/createMode
•Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction
IF (1)
•Microsoft.KeyVault/managedHSMs
Preview BuiltIn
Key Vault Key Vault 59fee2f4-d439-4f1b-9b9a-982e1474bfd8 [Preview]: Azure Key Vault Managed HSM should use private link Private link provides a way to connect Azure Key Vault Managed HSM to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link Default: Audit
Allowed: (Audit, Disabled)
IF (3)
•Microsoft.KeyVault/managedHSMs/privateEndpointConnections
•Microsoft.KeyVault/managedHSMs/privateEndpointConnections[*]
•Microsoft.KeyVault/managedHSMs/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.KeyVault/managedHSMs
Preview BuiltIn
Key Vault Key Vault a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 [Preview]: Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.KeyVault/vaults/privateEndpointConnections[*]
•Microsoft.KeyVault/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.KeyVault/vaults
Preview BuiltIn
Key Vault Key Vault 0a075868-4c26-42ef-914c-5bc007359560 [Preview]: Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Preview BuiltIn
Key Vault Key Vault f772fb64-8e40-40ad-87bc-7706e1949427 [Preview]: Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
Preview BuiltIn
Key Vault Key Vault 84d327c3-164a-4685-b453-900478614456 [Preview]: Configure Azure Key Vault Managed HSM to disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. Default: Modify
Allowed: (Modify, Disabled)
Managed HSM contributor IF (1)
•Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction
THEN-Operations (1)
•Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction
IF (1)
•Microsoft.KeyVault/managedHSMs
Preview BuiltIn
Key Vault Key Vault d1d6d8bb-cc7c-420f-8c7d-6f6f5279a844 [Preview]: Configure Azure Key Vault Managed HSM with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Key Vault Managed HSM, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Managed HSM contributor THEN-ExistenceCondition (1)
•Microsoft.KeyVault/managedHSMs/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.KeyVault/managedHSMs
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
Preview BuiltIn
Key Vault Key Vault ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 [Preview]: Configure Azure Key Vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
Preview BuiltIn
Key Vault Key Vault 9d4fad1f-5189-4a42-b29e-cf7929c6b6df [Preview]: Configure Azure Key Vaults with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Key Vault Contributor THEN-ExistenceCondition (1)
•Microsoft.KeyVault/vaults/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.KeyVault/vaults
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
Preview BuiltIn
Key Vault Key Vault 5f0bc445-3935-4915-9981-011aa2b46147 [Preview]: Private endpoint should be configured for Key Vault Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.KeyVault/vaults/privateEndpointConnections
IF (1)
•Microsoft.KeyVault/vaults
Preview BuiltIn
Key Vault Key Vault c39ba22d-4428-4149-b981-70acb31fc383 Azure Key Vault Managed HSM should have purge protection enabled Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.KeyVault/managedHsms/enablePurgeProtection
•Microsoft.KeyVault/managedHsms/enableSoftDelete
IF (1)
•Microsoft.KeyVault/managedHsms
GA BuiltIn
Key Vault Key Vault 405c5871-3e91-4644-8a63-58e19d68ff5b Azure Key Vault should disable public network access Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.KeyVault/vaults/createMode
•Microsoft.KeyVault/vaults/publicNetworkAccess
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.KeyVault/vaults/createMode
•Microsoft.KeyVault/vaults/networkAcls.defaultAction
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault 8e826246-c976-48f6-b03e-619bb92b3d82 Certificates should be issued by the specified integrated certificate authority Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
GA BuiltIn
Key Vault Key Vault a22f4a40-01d3-4c7d-8071-da157eeff341 Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
GA BuiltIn
Key Vault Key Vault 12ef42cb-9903-4e39-9c26-422d29570417 Certificates should have the specified lifetime action triggers Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
GA BuiltIn
Key Vault Key Vault 1151cede-290b-4ba0-8b38-0ad145ac888f Certificates should use allowed key types Manage your organizational compliance requirements by restricting the key types allowed for certificates. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
GA BuiltIn
Key Vault Key Vault bd78111f-4953-4367-9fd5-7e08808b54bf Certificates using elliptic curve cryptography should have allowed curve names Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
GA BuiltIn
Key Vault Key Vault cee51871-e572-4576-855c-047c820360f0 Certificates using RSA cryptography should have the specified minimum key size Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
GA BuiltIn
Key Vault Key Vault ac673a9a-f77d-4846-b2d8-a57f8e1c01dc Configure key vaults to enable firewall Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Default: Modify
Allowed: (Modify, Disabled)
Key Vault Contributor IF (1)
•Microsoft.KeyVault/vaults/networkAcls.defaultAction
THEN-Operations (1)
•Microsoft.KeyVault/vaults/networkAcls.defaultAction
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault keyvault_deny-access-policies-with-certificate-authorities-roles Deny creation of access policies with certificate authorities roles This policy prevent creation of key vault access policies with certificate authorities roles. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Key Vault Key Vault keyvault_deny-deployment-with-access-to-specific-services-(vm,-arm,-ade) Deny deployment with access to specific services (VM, ARM, ADE) This policy prevent specific services (VM, ARM, ADE) access to kv. Default: audit
Allowed: (audit, deny, disabled)
GA Community
Key Vault Key Vault keyvault_deny-deployment-with-azure-rbac-enabled Deny deployment with Azure RBAC enabled This policy deny deployment with Azure RBAC enabled. Default: audit
Allowed: (audit, deny, disabled)
GA Community
Key Vault Key Vault 951af2fa-529b-416e-ab6e-066fd85ac459 Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].category
•Microsoft.Insights/diagnosticSettings/logs[*].enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault a6d2c800-5230-4a40-bff3-8268b4987d42 Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Event Hub when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.KeyVault/managedHsms
GA BuiltIn
Key Vault Key Vault ed7c8c13-51e7-49d1-8a43-8490431a0da2 Deploy Diagnostic Settings for Key Vault to Event Hub Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated. Fixed: deployIfNotExists Contributor THEN-ExistenceCondition (4)
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].enabled
•Microsoft.Insights/diagnosticSettings/metrics[*]
•Microsoft.Insights/diagnosticSettings/metrics[*].enabled
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault keyvault_deploy-soft-delete-and-purge-protection Enable soft-delete and purge protection on Key Vaults This Policy will enable soft-delete and purge protection on all Key Vaults. Fixed: DeployIfNotExists Key Vault Contributor IF (2)
•Microsoft.KeyVault/vaults/enablePurgeProtection
•Microsoft.KeyVault/vaults/enableSoftDelete
THEN-ExistenceCondition (2)
•Microsoft.KeyVault/vaults/enablePurgeProtection
•Microsoft.KeyVault/vaults/enableSoftDelete
IF (1)
•Microsoft.KeyVault/vaults
THEN-Deployment (1)
•Microsoft.KeyVault/vaults
GA Community
Key Vault Key Vault keyvault_enforce-key-vault-firewall-blocking-public-access Enforce key vault firewall blocking public access This policy prevents setting key vault public firewall as allow all or have any vnet/ip rules. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Key Vault Key Vault keyvault_enforce-key-vault-premium-sku Enforce key vault premium SKU This policy enforces premium sku for key vaults. Default: Deny
Allowed: (Deny, Audit, Disabled)
IF (1)
•Microsoft.KeyVault/Vaults/sku.name
GA Community
Key Vault Key Vault key-vault-diagnostic-settings-aine Key Vault - Diagnostic Settings AINE This Azure Policy creates an audit event when all logs and metrics are not send to a specified Log Analytics Workspace Fixed: [parameters('policyEffect')] THEN-ExistenceCondition (7)
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].category
•Microsoft.Insights/diagnosticSettings/logs[*].enabled
•Microsoft.Insights/diagnosticSettings/metrics[*]
•Microsoft.Insights/diagnosticSettings/metrics[*].category
•Microsoft.Insights/diagnosticSettings/metrics[*].enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.KeyVault/vaults
GA Community
Key Vault Key Vault key-vault-diagnostic-settings-dine Key Vault - Diagnostic Settings DINE This Azure Policy creates a deployment to send all logs and metrics to a specified Log Analytics Workspace Fixed: [parameters('policyEffect')] Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (7)
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].category
•Microsoft.Insights/diagnosticSettings/logs[*].enabled
•Microsoft.Insights/diagnosticSettings/metrics[*]
•Microsoft.Insights/diagnosticSettings/metrics[*].category
•Microsoft.Insights/diagnosticSettings/metrics[*].enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.KeyVault/vaults
GA Community
Key Vault Key Vault key-vault-firewall-settings-audit Key Vault - Firewall Settings AUDIT This Azure Policy creates an audit event when the 'Allow access from' setting is not set to 'Private endpoints and selected networks' or when the Firewall does contain any IP addresses outside of the approved ones. Default: Audit
Allowed: ()
IF (2)
•Microsoft.KeyVault/vaults/networkAcls.defaultAction
•Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value
IF (1)
•Microsoft.KeyVault/vaults
GA Community
Key Vault Key Vault key-vault-firewall-settings-deny Key vault - Firewall Settings DENY This Azure Policy denies the deployment of an Azure Key Vault when the 'Allow access from' setting is not set to 'Private endpoints and selected networks' or when the Firewall does contain any IP addresses outside of the approved ones. Default: Deny
Allowed: ()
IF (2)
•Microsoft.KeyVault/vaults/networkAcls.defaultAction
•Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value
IF (1)
•Microsoft.KeyVault/vaults
GA Community
Key Vault Key Vault key-vault-sku-setting-audit Key Vault - SKU Setting AUDIT This Azure Policy creates an audit event when the 'SKU' setting is not included in the 'allowedSKUSetting' parameter. Default: Audit
Allowed: ()
IF (1)
•Microsoft.KeyVault/vaults/sku.name
IF (1)
•Microsoft.KeyVault/vaults
GA Community
Key Vault Key Vault key-vault-sku-setting-deny Key Vault - SKU Setting DENY This Azure Policy denies the creation of an Azure Key Vault when the 'SKU' setting is not included in the 'allowedSKUSetting' parameter. Default: Deny
Allowed: ()
IF (1)
•Microsoft.KeyVault/vaults/sku.name
IF (1)
•Microsoft.KeyVault/vaults
GA Community
Key Vault Key Vault 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 Key Vault keys should have an expiration date Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 98728c90-32c7-4049-8429-847dc0f4fe37 Key Vault secrets should have an expiration date Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key vaults should have purge protection enabled Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (3)
•Microsoft.KeyVault/vaults/createMode
•Microsoft.KeyVault/vaults/enablePurgeProtection
•Microsoft.KeyVault/vaults/enableSoftDelete
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d Key vaults should have soft delete enabled Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.KeyVault/vaults/createMode
•Microsoft.KeyVault/vaults/enableSoftDelete
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault 587c79fe-dd04-4a5e-9d0b-f89598c7261b Keys should be backed by a hardware security module (HSM) An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 75c4f823-d65c-4f29-a733-01d0077fdbcb Keys should be the specified cryptographic type RSA or EC Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 5ff38825-c5d8-47c5-b70e-069a21955146 Keys should have more than the specified number of days before expiration If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 49a22571-d204-4c91-a7b6-09b1a586fbc9 Keys should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 Keys should not be active for longer than the specified number of days Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault ff25f3c8-b739-4538-9d07-3d6d25cfb255 Keys using elliptic curve cryptography should have the specified curve names Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 82067dbb-e53b-4e06-b631-546d197452d9 Keys using RSA cryptography should have a specified minimum key size Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault Append-KV-SoftDelete KeyVault SoftDelete should be enabled This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added. Fixed: append IF (1)
•Microsoft.KeyVault/vaults/enableSoftDelete
THEN-Details (1)
•Microsoft.KeyVault/vaults/enableSoftDelete
IF (1)
•Microsoft.KeyVault/vaults
GA ALZ
Key Vault Key Vault keyvault_prevent-key-vault-access-to-trusted-services Prevent key vault access to trusted services This policy prevents key vault access to trusted services. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Key Vault Key Vault a2a5b911-5617-447e-a49e-59dbe0e0434b Resource logs in Azure Key Vault Managed HSM should be enabled To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.KeyVault/managedHsms
GA BuiltIn
Key Vault Key Vault cf820ca0-f99e-4f3e-84fb-66e913812d21 Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault 75262d3e-ba4a-4f43-85f8-9f72c090e5e3 Secrets should have content type set A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault b0eb591a-5e70-4534-a8bf-04b9c489584a Secrets should have more than the specified number of days before expiration If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 342e8053-e12e-4c44-be01-c3c2f318400f Secrets should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault e8d99835-8a06-45ae-a8e0-87a91941ccfe Secrets should not be active for longer than the specified number of days If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Kubernetes Kubernetes b2fd3e59-6390-4f2b-8247-ea676bd03e2d [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.Kubernetes/connectedClusters
Deprecated BuiltIn
Kubernetes Kubernetes 440b515e-a580-421e-abeb-b159a61ddcbc [Deprecated]: Kubernetes cluster containers should only listen on allowed ports Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes Kubernetes 8dfab9c4-fe7b-49ad-85e4-1e9be085358f [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.Kubernetes/connectedClusters/distribution
THEN-ExistenceCondition (2)
•Microsoft.KubernetesConfiguration/extensions/extensionType
•Microsoft.KubernetesConfiguration/extensions/provisioningState
IF (1)
•Microsoft.Kubernetes/connectedClusters
Preview BuiltIn
Kubernetes Kubernetes 6b2122c1-8120-4ff5-801b-17625a355590 [Preview]: Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.KubernetesConfiguration/extensions/extensionType
IF (1)
•Microsoft.Kubernetes/connectedClusters
Preview BuiltIn
Kubernetes Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor, Log Analytics Contributor IF (1)
•Microsoft.Kubernetes/connectedClusters/distribution
THEN-ExistenceCondition (2)
•Microsoft.KubernetesConfiguration/extensions/extensionType
•Microsoft.KubernetesConfiguration/extensions/provisioningState
IF (1)
•Microsoft.Kubernetes/connectedClusters
THEN-Deployment (4)
•Microsoft.KubernetesConfiguration/extensions
•Microsoft.OperationalInsights/workspaces
•Microsoft.Resources/deployments
•Microsoft.Resources/resourceGroups
Preview BuiltIn
Kubernetes Kubernetes 0adc5395-9169-4b9b-8687-af838d69410a [Preview]: Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Kubernetes Extension Contributor THEN-ExistenceCondition (1)
•Microsoft.KubernetesConfiguration/extensions/extensionType
IF (1)
•Microsoft.Kubernetes/connectedClusters
THEN-Deployment (1)
•Microsoft.KubernetesConfiguration/extensions
Preview BuiltIn
Kubernetes Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Preview]: Kubernetes clusters should gate deployment of vulnerable images Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview BuiltIn
Kubernetes Kubernetes b81f454c-eebb-4e4f-9dfe-dca060e8a8fd [Preview]: Kubernetes clusters should restrict creation of given resource type Given Kubernetes resource type should not be deployed in certain namespace. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview BuiltIn
Kubernetes Kubernetes kubernetes_aks-prevent-load-balancer-profile AKS prevent load balancer profile This policy prevent load balancer profile for aks. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Kubernetes Kubernetes kubernetes_aks-prevent-node-public-ip AKS prevent node public ip This policy prevent node public ip for aks. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/agentPoolProfiles[*]
GA Community
Kubernetes Kubernetes 73868911-4f4a-444f-adbd-5382bf70208a Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed Open Service Mesh extension provides all standard service mesh capabilities for security, traffic management and observability of application services. Learn more here: https://aka.ms/arc-osm-doc Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Owner IF (1)
•Microsoft.Kubernetes/connectedClusters/connectivityStatus
THEN-ExistenceCondition (2)
•Microsoft.KubernetesConfiguration/extensions/extensionType
•Microsoft.KubernetesConfiguration/extensions/provisioningState
IF (1)
•Microsoft.Kubernetes/connectedClusters
THEN-Deployment (2)
•Microsoft.KubernetesConfiguration/extensions
•Microsoft.Resources/deployments
GA BuiltIn
Kubernetes Kubernetes 46238e2f-3f6f-4589-9f3f-77bed4116e67 Azure Kubernetes Clusters should use Azure CNI Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/networkProfile.networkPlugin
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 89f2d532-c53c-4f8f-9afa-4927b1114a0d Azure Kubernetes Service Clusters should disable Command Invoke Disabling command invoke can enhance the security by avoiding bypass of restricted network access or Kubernetes role-based access control Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/apiServerAccessProfile.disableRunCommand
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 450d2877-ebea-41e8-b00c-e286317d21bf Azure Kubernetes Service Clusters should enable Azure Active Directory integration AKS-managed Azure Active Directory integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/aadProfile
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes a1840de2-8088-4ea8-b153-b4c723e9cb01 Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/securityProfile.defender.securityMonitoring.enabled
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 993c2fcd-2b29-49d2-9eb0-df2c3a730c32 Azure Kubernetes Service Clusters should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/disableLocalAccounts
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes da6e2401-19da-4532-9141-fb8fbde08431 Azure Kubernetes Service Clusters should use managed identities Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to managed service principals. Learn more at: https://aka.ms/aks-update-managed-identities Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.ContainerService/managedClusters/servicePrincipalProfile
•Microsoft.ContainerService/managedClusters/servicePrincipalProfile.clientId
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 040732e8-d947-40b8-95d6-854c95024bf8 Azure Kubernetes Service Private Clusters should be enabled Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 0a15ec92-a229-4763-bb14-0ea34a568f8d Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/addonProfiles.azurePolicy.enabled
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/diskEncryptionSetID
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access Ensure to improve cluster security by centrally govern Administrator access to Azure Active Directory integrated AKS clusters. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Kubernetes Service Contributor Role, Azure Kubernetes Service Policy Add-on Deployment IF (1)
•Microsoft.ContainerService/managedClusters/aadProfile
THEN-ExistenceCondition (1)
•Microsoft.ContainerService/managedClusters/aadProfile.adminGroupObjectIDs[*]
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (2)
•Microsoft.ContainerService/managedClusters
•Microsoft.Resources/deployments
GA BuiltIn
Kubernetes Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor, Log Analytics Contributor THEN-ExistenceCondition (1)
•Microsoft.ContainerService/managedClusters/securityProfile.defender.securityMonitoring.enabled
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (4)
•Microsoft.ContainerService/managedClusters
•Microsoft.OperationalInsights/workspaces
•Microsoft.Resources/deployments
•Microsoft.Resources/resourceGroups
GA BuiltIn
Kubernetes Kubernetes f9175d5f-abc8-1dc3-bd3c-5d7476ada3d1 Configure installation of Flux extension on Kubernetes cluster Install Flux extension on Kubernetes cluster to enable deployment of 'fluxconfigurations' in the cluster Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (5)
•Microsoft.KubernetesConfiguration/extensions/autoUpgradeMinorVersion
•Microsoft.KubernetesConfiguration/extensions/extensionType
•Microsoft.KubernetesConfiguration/extensions/provisioningState
•Microsoft.KubernetesConfiguration/extensions/releaseTrain
•Microsoft.KubernetesConfiguration/extensions/version
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (1)
•Microsoft.KubernetesConfiguration/extensions
GA BuiltIn
Kubernetes Kubernetes 5174c1db-ca42-e0d4-b320-4f1cf6a1fa93 Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires a Bucket SecretKey stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (8)
•Microsoft.KubernetesConfiguration/fluxConfigurations/bucket.accessKey
•Microsoft.KubernetesConfiguration/fluxConfigurations/bucket.bucketName
•Microsoft.KubernetesConfiguration/fluxConfigurations/bucket.insecure
•Microsoft.KubernetesConfiguration/fluxConfigurations/bucket.syncIntervalInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/bucket.timeoutInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/bucket.url
•Microsoft.KubernetesConfiguration/fluxConfigurations/namespace
•Microsoft.KubernetesConfiguration/fluxConfigurations/scope
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (1)
•Microsoft.KubernetesConfiguration/fluxConfigurations
GA BuiltIn
Kubernetes Kubernetes 2630c91f-8a20-8f43-14a2-2485b648e2a9 Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS CA Certificate. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (10)
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.httpsCAFile
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.branch
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.commit
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.semver
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.tag
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.syncIntervalInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.timeoutInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.url
•Microsoft.KubernetesConfiguration/fluxConfigurations/namespace
•Microsoft.KubernetesConfiguration/fluxConfigurations/scope
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (1)
•Microsoft.KubernetesConfiguration/fluxConfigurations
GA BuiltIn
Kubernetes Kubernetes bf1a31be-3b79-5ba8-c9e0-9a8c9ad9f749 Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (10)
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.httpsCAFile
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.httpsUser
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.branch
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.commit
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.semver
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.tag
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.syncIntervalInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.url
•Microsoft.KubernetesConfiguration/fluxConfigurations/namespace
•Microsoft.KubernetesConfiguration/fluxConfigurations/scope
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (1)
•Microsoft.KubernetesConfiguration/fluxConfigurations
GA BuiltIn
Kubernetes Kubernetes b6c7fd52-4723-5f4d-a157-3d39bd16a1d7 Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (10)
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.localAuthRef
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.branch
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.commit
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.semver
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.tag
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.syncIntervalInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.timeoutInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.url
•Microsoft.KubernetesConfiguration/fluxConfigurations/namespace
•Microsoft.KubernetesConfiguration/fluxConfigurations/scope
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (1)
•Microsoft.KubernetesConfiguration/fluxConfigurations
GA BuiltIn
Kubernetes Kubernetes 9e980dca-f3e1-8da3-6717-ad37b1ca6b27 Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a SSH private key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (10)
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.branch
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.commit
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.semver
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.tag
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.sshKnownHosts
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.syncIntervalInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.timeoutInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.url
•Microsoft.KubernetesConfiguration/fluxConfigurations/namespace
•Microsoft.KubernetesConfiguration/fluxConfigurations/scope
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (1)
•Microsoft.KubernetesConfiguration/fluxConfigurations
GA BuiltIn
Kubernetes Kubernetes 83ea2fd1-9eaf-2f6d-f672-cd7b2ac798f6 Configure Kubernetes clusters with Flux v2 configuration using public Git repository Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires no secrets. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (9)
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.branch
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.commit
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.semver
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.repositoryRef.tag
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.syncIntervalInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.timeoutInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/gitRepository.url
•Microsoft.KubernetesConfiguration/fluxConfigurations/namespace
•Microsoft.KubernetesConfiguration/fluxConfigurations/scope
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (1)
•Microsoft.KubernetesConfiguration/fluxConfigurations
GA BuiltIn
Kubernetes Kubernetes b8c1d6c1-6137-97c6-9c34-d4627e54ca26 Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (8)
•Microsoft.KubernetesConfiguration/fluxConfigurations/bucket.bucketName
•Microsoft.KubernetesConfiguration/fluxConfigurations/bucket.insecure
•Microsoft.KubernetesConfiguration/fluxConfigurations/bucket.localAuthRef
•Microsoft.KubernetesConfiguration/fluxConfigurations/bucket.syncIntervalInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/bucket.timeoutInSeconds
•Microsoft.KubernetesConfiguration/fluxConfigurations/bucket.url
•Microsoft.KubernetesConfiguration/fluxConfigurations/namespace
•Microsoft.KubernetesConfiguration/fluxConfigurations/scope
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (1)
•Microsoft.KubernetesConfiguration/fluxConfigurations
GA BuiltIn
Kubernetes Kubernetes a6f560f4-f582-4b67-b123-a37dcd1bf7ea Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Contributor THEN-ExistenceCondition (5)
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 Configure Kubernetes clusters with specified GitOps configuration using no secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Contributor THEN-ExistenceCondition (5)
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes c050047b-b21b-4822-8a2d-c1e37c3c0c6a Configure Kubernetes clusters with specified GitOps configuration using SSH secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. Default: DeployIfNotExists
Allowed: (auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled)
Contributor THEN-ExistenceCondition (6)
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/sshKnownHostsContents
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 6c66c325-74c8-42fd-a286-a74b0e2939d8 Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (7)
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].category
•Microsoft.Insights/diagnosticSettings/logs[*].enabled
•Microsoft.Insights/diagnosticSettings/metrics[*]
•Microsoft.Insights/diagnosticSettings/metrics[*].category
•Microsoft.Insights/diagnosticSettings/metrics[*].enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Kubernetes Service Contributor Role, Azure Kubernetes Service Policy Add-on Deployment THEN-ExistenceCondition (1)
•Microsoft.ContainerService/managedClusters/addonProfiles.azurePolicy.enabled
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (2)
•Microsoft.ContainerService/managedClusters
•Microsoft.Resources/deployments
GA BuiltIn
Kubernetes Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Kubernetes Service Contributor Role, Azure Kubernetes Service Policy Add-on Deployment THEN-ExistenceCondition (1)
•Microsoft.ContainerService/managedClusters/apiServerAccessProfile.disableRunCommand
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (2)
•Microsoft.ContainerService/managedClusters
•Microsoft.Resources/deployments
GA BuiltIn
Kubernetes Kubernetes kubernetes_enforce-aks-aad-support Enforce AKS aad support This policy enforces aad support for AKS. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Kubernetes Kubernetes kubernetes_enforce-aks-network-plugin Enforce AKS network plugin This policy enforces network plugin for AKS. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/networkProfile.networkPlugin
GA Community
Kubernetes Kubernetes kubernetes_enforce-aks-outbound-type Enforce AKS outbound type This policy enforces outbound type for AKS. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/networkProfile.outboundType
GA Community
Kubernetes Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes kubernetes_allowed-external-ips Ensure only allowed External IPs are used in Kubernetes Cluster This policy ensures only allowed external ips are used in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 57dde185-5c62-4063-b965-afbb201e9c1c Kubernetes cluster Windows containers should only run with approved user and domain user group Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default: Deny
Allowed: (audit, Audit, deny, Deny, disabled, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 9a5f4e39-e427-4d5d-ae73-93db00328bec Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 245fc9df-fa96-4414-9a0b-3738c2f7341c Resource logs in Azure Kubernetes Service should be enabled Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 41425d9f-d1a5-499a-9932-f8ed8453932c Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.ContainerService/managedClusters/agentPoolProfiles[*]
•Microsoft.ContainerService/managedClusters/agentPoolProfiles[*].enableEncryptionAtHost
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes PSP Kubernetes PSP kubernetes_block-default-namespace Block usage of the default namespace in a Kubernetes cluster This policy blocks usage of the default namespace in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_allowed-host-paths Control allowed Host Paths on volumes in a Kubernetes Cluster This policy controls valid host paths that are allowed to be used by hostPath volumes in a Kubernetes Cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_allowed-proc-mount-types Control allowed Proc Mount Type on pods in a Kubernetes Cluster This policy controls valid ProcMount types on pods in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_host-network-ports Control whether a Pod may use the Host Network, and allow Host Ports in a Kubernetes Cluster This policy controls whether pod may use the host network, and allows host ports in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_allowed-users Control which user ID containers are run with in a Kubernetes Cluster This policy controls allowed user IDs for containers to run with in a Kubernetes Cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_container-no-privilege-escalation Do not allow container privilege escalation in Kubernetes cluster This policy does not allow containers to use privilege escalation in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_block-host-namespace Do not allow sharing of host process ID and IPC namespaces in a Kubernetes Cluster This policy blocks pod containers from sharing the host process ID namespace and IPC namespace in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc/. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_container-disallowed-capabilities Ensure disallowed capabilities are not used in Kubernetes Cluster This policy ensures specified security capabilities are not used inside a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_enforce-apparmor-profile Ensure only allowed app armor profiles are used in Kubernetes Cluster This policy ensures containers define an App Armor profile and only use allowed App Armor profiles. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_container-allowed-capabilities Ensure only allowed capabilities are used in Kubernetes Cluster This policy ensures specified security capabilities are defined and removed inside a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_selinux Ensure only allowed SELinux options are used in a Kubernetes cluster This policy ensures only allowed SELinux options are used in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_allowed-volume-types Ensure only allowed Volume Types are used in Kubernetes Cluster This policy ensures only allowed volume types are used in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_allowed-seccomp-profiles Ensure Pods use only allowed Seccomp Profiles in a Kubernetes Cluster This policy ensures Pods in a Kubernetes cluster only use allowed Seccomp Profiles. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_read-only-root-filesystem Ensure Read-Only Access to Root Filesystem in a Kubernetes Cluster This policy ensures pods only have read-only access to the root filesystem in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc/. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_forbidden-sysctl-interfaces Forbid Pods in Kubernetes Cluster from using forbidden Sysctl Interfaces This policy forbids pods in a Kubernetes cluster from using specified Sysctl Interfaces. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_block-automount-token Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes service Kubernetes service 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 [Deprecated]: Do not allow privileged containers in AKS This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 [Deprecated]: Enforce HTTPS ingress in AKS This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service a74d8f00-2fd9-4ce4-968e-0ee1eb821698 [Deprecated]: Enforce internal load balancers in AKS This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service 16c6ca72-89d2-4798-b87e-496f9de7fcb7 [Deprecated]: Enforce labels on pods in AKS This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service d011d9f7-ba32-4005-b727-b3d09371ca60 [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service 0f636243-1b1c-4d50-880f-310f6199f2cb [Deprecated]: Ensure containers listen only on allowed ports in AKS This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service a2d3ed81-8d11-4079-80a5-1faadc0024f4 [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service 5f86cb6e-c4da-441b-807c-44bd0cc14e66 [Deprecated]: Ensure only allowed container images in AKS This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service 25dee3db-6ce0-4c02-ab5d-245887b24077 [Deprecated]: Ensure services listen only on allowed ports in AKS This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service kubernetesservice_append-aks-api-ip-restrictions Append AKS API IP Restrictions This policy will restrict access to the AKS API server as documented here: https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges Fixed: append THEN-Details (1)
•Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges
IF (1)
•Microsoft.ContainerService/managedClusters
GA Community
Lab Services Lab Services a6e9cf2d-7d76-440e-b795-8da246bd3aab Lab Services should enable all options for auto shutdown This policy provides helps with cost management by enforcing all automatic shutdown options are enabled for a lab. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (7)
•Microsoft.LabServices/labPlans/defaultAutoShutdownProfile.shutdownOnDisconnect
•Microsoft.LabServices/labPlans/defaultAutoShutdownProfile.shutdownOnIdle
•Microsoft.LabServices/labPlans/defaultAutoShutdownProfile.shutdownWhenNotConnected
•Microsoft.LabServices/labs/autoShutdownProfile.shutdownOnDisconnect
•Microsoft.LabServices/labs/autoShutdownProfile.shutdownOnIdle
•Microsoft.LabServices/labs/autoShutdownProfile.shutdownWhenNotConnected
•Microsoft.LabServices/labs/labPlanId
IF (2)
•Microsoft.LabServices/labplans
•Microsoft.LabServices/labs
GA BuiltIn
Lab Services Lab Services e8a5a3eb-1ab6-4657-a701-7ae432cf14e1 Lab Services should not allow template virtual machines for labs This policy prevents creation and customization of a template virtual machines for labs managed through Lab Services. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.LabServices/labs/labPlanId
•Microsoft.LabServices/labs/virtualMachineProfile.createOption
IF (1)
•Microsoft.LabServices/labs
GA BuiltIn
Lab Services Lab Services 0fd9915e-cab3-4f24-b200-6e20e1aa276a Lab Services should require non-admin user for labs This policy requires non-admin user accounts to be created for the labs managed through lab-services. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.LabServices/labs/labPlanId
•Microsoft.LabServices/labs/virtualMachineProfile.nonAdminUser.username
IF (1)
•Microsoft.LabServices/labs
GA BuiltIn
Lab Services Lab Services 3e13d504-9083-4912-b935-39a085db2249 Lab Services should restrict allowed virtual machine SKU sizes This policy enables you to restrict certain Compute VM SKUs for labs managed through Lab Services. This will restrict certain virtual machine sizes. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.LabServices/labs/labPlanId
•Microsoft.LabServices/labs/virtualMachineProfile.sku.name
IF (1)
•Microsoft.LabServices/labs
GA BuiltIn
Lighthouse Lighthouse 7a8a51a3-ad87-4def-96f3-65a1839242b6 Allow managing tenant ids to onboard through Azure Lighthouse Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources. Fixed: deny IF (1)
•Microsoft.ManagedServices/registrationDefinitions/managedByTenantId
IF (1)
•Microsoft.ManagedServices/registrationDefinitions
GA BuiltIn
Lighthouse Lighthouse 76bed37b-484f-430f-a009-fd7592dff818 Audit delegation of scopes to a managing tenant Audit delegation of scopes to a managing tenant via Azure Lighthouse. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.ManagedServices/registrationAssignments
GA BuiltIn
Load Balancer Load Balancer loadbalancer_deny-load-balancer-outbound-rules Deny load balancer outbound rules This policy deny load balancer outbound rules. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Load Balancer Load Balancer loadbalancer_enforce-disabling-of-snat-in-load-balancer-rules Enforce disabling of snat in load balancer rules This policy enforce disabling of snat in load balancer rules. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Network/loadBalancers/loadBalancingRules[*]
GA Community
Load Balancer Load Balancer loadbalancer_enforce-lb-private-ip-addresses-only-in-frontend-configuration Enforce load balancer private ip addresses only in frontend configuration This policy enforces private ip addresses only in frontend configuration. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Load Balancer Load Balancer loadbalancer_enforce-load-balancer-regional-tier Enforce load balancer regional TIER This policy enforces regional tier for load balancers. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Network/loadBalancers/sku.tier
GA Community
Load Balancer Load Balancer loadbalancer_enforce-load-balancer-standard-sku Enforce load balancer standard SKU This policy enforces standard sku for load balancers. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Network/loadBalancers/sku.name
GA Community
Logic Apps Logic Apps 1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5 Logic Apps Integration Service Environment should be encrypted with customer-managed keys Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Logic/integrationServiceEnvironments/encryptionConfiguration
IF (1)
•Microsoft.Logic/integrationServiceEnvironments
GA BuiltIn
Logic Apps Logic Apps dc595cb1-1cde-45f6-8faf-f88874e1c0e1 Logic Apps should be deployed into Integration Service Environment Deploying Logic Apps into Integration Service Environment in a virtual network unlocks advanced Logic Apps networking and security features and provides you with greater control over your network configuration. Learn more at: https://aka.ms/integration-service-environment. Deploying into Integration Service Environment also allows encryption with customer-managed keys which provides enhanced data protection by allowing you to manage your encryption keys. This is often to meet compliance requirements. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Logic/workflows/integrationServiceEnvironment
IF (1)
•Microsoft.Logic/workflows
GA BuiltIn
Logic Apps Logic Apps 34f95f76-5386-4de7-b824-0d8478470c9d Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.Logic/workflows
GA BuiltIn
Machine Learning Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview BuiltIn
Machine Learning Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview BuiltIn
Machine Learning Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview BuiltIn
Machine Learning Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an