last sync: 2023-Jun-07 17:44:43 UTC

All Azure Policy definitions

BuiltIn: 77 categories | Azure Landing Zones (ALZ): 15 categories | Community: 45 categories
Columns for each row below: Category; Category txt; Id; Display name; Description; Effect (Default, then the Allowed values of the effect parameter); Roles (count and role names, present only for Modify and DeployIfNotExists policies); Rule Aliases (IF conditions, THEN-ExistenceCondition, THEN-Operations or THEN-Deployment); Rule ResourceTypes (IF); Compliance (count and the benchmark control IDs the policy maps to); State; Type
API for FHIR API for FHIR 051cba44-2429-45b9-9649-46cec11c7119 Azure API for FHIR should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Default
Audit
Allowed
audit, Audit, disabled, Disabled
IF (1)
•Microsoft.HealthcareApis/services/cosmosDbConfiguration.keyVaultKeyUri
IF (1)
•Microsoft.HealthcareApis/services
count: 007
CMMC_2.0_L2_SC.L2-3.13.10, CMMC_L3_SC.3.177, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12
GA BuiltIn
API for FHIR API for FHIR 1ee56206-5dd1-42ab-b02d-8aae8b1634ce Azure API for FHIR should use private link Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.HealthcareApis/services/privateEndpointConnections[*]
•Microsoft.HealthcareApis/services/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HealthcareApis/services
count: 038
CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_SS-3, NZISM_Security_Benchmark_v1.1_SS-3
GA BuiltIn
API for FHIR API for FHIR 0fea8f8a-4169-495d-8307-30ec335f387d CORS should not allow every domain to access your API for FHIR Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. Default
Audit
Allowed
audit, Audit, disabled, Disabled
IF (1)
•Microsoft.HealthcareApis/services/corsConfiguration.origins[*]
IF (1)
•Microsoft.HealthcareApis/services
count: 005
CMMC_L3_AC.1.001, CMMC_L3_AC.1.002, CMMC_L3_AC.2.016, CMMC_L3_CM.3.068, CMMC_L3_SC.3.183
GA BuiltIn
API Management API Management ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 API Management APIs should use only encrypted protocols To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. Default
Audit
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.ApiManagement/service/apis/protocols[*]
count: 001
Azure_Security_Benchmark_v3.0_DP-3
GA BuiltIn
API Management API Management c15dcc82-b93c-4dcb-9332-fbf121685b54 API Management calls to API backends should be authenticated Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. Default
Audit
Allowed
Audit, Disabled, Deny
IF (5)
•Microsoft.ApiManagement/service/backends/credentials.authorization.parameter
•Microsoft.ApiManagement/service/backends/credentials.authorization.scheme
•Microsoft.ApiManagement/service/backends/credentials.certificate
•Microsoft.ApiManagement/service/backends/protocol
•Microsoft.ApiManagement/service/backends/url
count: 001
Azure_Security_Benchmark_v3.0_IM-4
GA BuiltIn
API Management API Management 92bb331d-ac71-416a-8c91-02f2cb734ce4 API Management calls to API backends should not bypass certificate thumbprint or name validation To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. Default
Audit
Allowed
Audit, Disabled, Deny
IF (2)
•Microsoft.ApiManagement/service/backends/tls.validateCertificateChain
•Microsoft.ApiManagement/service/backends/tls.validateCertificateName
count: 001
Azure_Security_Benchmark_v3.0_IM-4
GA BuiltIn
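The rows above list each policy's aliases and its effect parameter, but not how Azure Policy combines them when a resource is evaluated. The following Python evaluator is an added example written for this page, not AzAdvertizer's or Microsoft's code: it rebuilds the rule of "CORS should not allow every domain to access your API for FHIR" (0fea8f8a-4169-495d-8307-30ec335f387d) and of "API Management calls to API backends should not bypass certificate thumbprint or name validation" (92bb331d-ac71-416a-8c91-02f2cb734ce4) from the aliases listed in their rows and runs them against constructed resource JSON. The rule JSON, the `ENVELOPE` alias-to-path mapping and the sample resources are assumptions (reconstructions, not the published definitions; the real alias mapping comes from `az provider show --namespace <ns> --expand resourceTypes/aliases`). The evaluator implements the all-elements semantics Azure Policy documents for a `[*]` alias in a field condition, and the `FHIR_CORS_ANY` variant shows the `not`/`notEquals` form needed if you also want to flag a resource where only some of the CORS origins are `*`.

```python
"""Offline evaluator for Azure Policy-style rules: an added example, not Azure's code.
The evaluator, sample resources and rule JSON are constructed for this page; the rules
are rebuilt from the aliases the table lists (an assumption, not the published JSON)."""
from __future__ import annotations
import re
from typing import Any, Optional

MISSING = object()  # sentinel for a property the resource does not carry
# ARM envelope fields that aliases address at the top level; every other alias path is
# resolved under "properties" (a simplification of the real alias-to-path mapping).
ENVELOPE = {"sku", "identity", "kind", "tags", "location", "name", "zones"}

def tokenize(path: str) -> list[str]:
    """'a[*].b.c' -> ['a', '[*]', 'b', 'c']"""
    out: list[str] = []
    for seg in path.split("."):
        out += [seg[:-3], "[*]"] if seg.endswith("[*]") else [seg]
    return out

def walk(node: Any, tokens: list[str]) -> list[Any]:
    """Follow tokens into node; '[*]' fans out over every array element."""
    if not tokens:
        return [node]
    tok, rest = tokens[0], tokens[1:]
    if tok == "[*]":
        return [v for item in (node if isinstance(node, list) else []) for v in walk(item, rest)]
    return walk(node[tok], rest) if isinstance(node, dict) and tok in node else [MISSING]

def resolve(resource: dict, alias: str) -> tuple[list[Any], bool]:
    """Map 'Microsoft.X/y/path.to[*].prop' to its values; also report whether it is a [*] alias."""
    if alias == "type":
        return [resource.get("type", MISSING)], False
    tokens = tokenize(alias.rsplit("/", 1)[1])  # the property path follows the resource type
    root = resource if tokens[0] in ENVELOPE else resource.get("properties", {})
    return walk(root, tokens), "[*]" in tokens

def norm(v: Any) -> Any:  # Azure compares strings case-insensitively
    return v.lower() if isinstance(v, str) else v

OPS = {"equals": lambda v, x: norm(v) == norm(x),
       "notEquals": lambda v, x: norm(v) != norm(x)}

def holds(cond: dict, resource: dict) -> bool:
    """Evaluate one condition (allOf / anyOf / not / field + operator) against a resource."""
    if "allOf" in cond:
        return all(holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not holds(cond["not"], resource)
    op = next(k for k in cond if k in OPS)
    values, is_array = resolve(resource, cond["field"])
    results = [OPS[op](v, cond[op]) for v in values]
    # A [*] field condition is true only when every element satisfies it (documented Azure
    # semantics; an empty array is vacuously true). Wrap it in "not" to express "any element".
    return all(results) if is_array else results[0]

PARAM = re.compile(r"^\[parameters\('(\w+)'\)\]$")

def evaluate(definition: dict, resource: dict, params: Optional[dict] = None) -> str:
    """Return 'Disabled', 'Compliant', or the effect the rule applies (e.g. 'Audit', 'Deny')."""
    rule, declared = definition["policyRule"], definition["parameters"]
    effect = rule["then"]["effect"]
    if m := PARAM.match(effect):
        name = m.group(1)
        effect = (params or {}).get(name, declared[name]["defaultValue"])
        if effect not in declared[name]["allowedValues"]:  # what assignment validation rejects
            raise ValueError(f"{effect!r} is not an allowed value of parameter {name!r}")
    if effect.lower() == "disabled":
        return "Disabled"
    return effect if holds(rule["if"], resource) else "Compliant"

def make_definition(rtype: str, allowed: list[str], default: str, cond: dict) -> dict:
    """The shape the table's rows describe: an 'effect' parameter plus an 'if' on type and a condition."""
    return {"parameters": {"effect": {"type": "String", "allowedValues": allowed, "defaultValue": default}},
            "policyRule": {"if": {"allOf": [{"field": "type", "equals": rtype}, cond]},
                           "then": {"effect": "[parameters('effect')]"}}}

ORIGINS = "Microsoft.HealthcareApis/services/corsConfiguration.origins[*]"
TLS = "Microsoft.ApiManagement/service/backends/tls."
FHIR_EFFECTS = ["audit", "Audit", "disabled", "Disabled"]
FHIR_CORS = make_definition("Microsoft.HealthcareApis/services", FHIR_EFFECTS, "Audit",
                            {"field": ORIGINS, "equals": "*"})                  # every origin is "*"
FHIR_CORS_ANY = make_definition("Microsoft.HealthcareApis/services", FHIR_EFFECTS, "Audit",
                                {"not": {"field": ORIGINS, "notEquals": "*"}})  # some origin is "*"
APIM_BACKEND_TLS = make_definition("Microsoft.ApiManagement/service/backends", ["Audit", "Disabled", "Deny"],
                                   "Audit", {"anyOf": [{"field": TLS + "validateCertificateChain", "notEquals": True},
                                                       {"field": TLS + "validateCertificateName", "notEquals": True}]})

# Constructed sample resources (no real deployment behind them)
FHIR_OPEN = {"type": "Microsoft.HealthcareApis/services", "name": "fhir-a",
             "properties": {"corsConfiguration": {"origins": ["*"]}}}
FHIR_MIXED = {"type": "Microsoft.HealthcareApis/services", "name": "fhir-b",
              "properties": {"corsConfiguration": {"origins": ["https://portal.example", "*"]}}}
BACKEND_LAX = {"type": "Microsoft.ApiManagement/service/backends", "name": "apim/orders",
               "properties": {"tls": {"validateCertificateChain": True, "validateCertificateName": False}}}

if __name__ == "__main__":  # prints: Compliant Audit Deny
    print(evaluate(FHIR_CORS, FHIR_MIXED), evaluate(FHIR_CORS_ANY, FHIR_MIXED),
          evaluate(APIM_BACKEND_TLS, BACKEND_LAX, {"effect": "Deny"}))
```

Run stand-alone it prints `Compliant Audit Deny`: the all-elements `equals "*"` rule lets the mixed origin list through, the `not`/`notEquals` variant flags it, and the backend with name validation switched off is denied once the assignment passes `{"effect": "Deny"}`. Passing a value outside the row's Allowed list (for example `deny` in lower case for the API Management policy) raises, mirroring what assignment validation rejects.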
API Management API Management b741306c-968e-4b67-b916-5675e5c709f4 API Management direct management endpoint should not be enabled The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. Default
Audit
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.ApiManagement/service/tenant/enabled
count: 001
Azure_Security_Benchmark_v3.0_PV-2
GA BuiltIn
API Management API Management 549814b6-3212-4203-bdc8-1548d342fb67 API Management minimum API version should be set to 2019-12-01 or higher To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.ApiManagement/service/apiVersionConstraint.minApiVersion
•Microsoft.ApiManagement/service/sku.name
IF (1)
•Microsoft.ApiManagement/service
count: 002
Azure_Security_Benchmark_v3.0_IM-8, Azure_Security_Benchmark_v3.0_PV-2
GA BuiltIn
API Management API Management f1cc7827-022c-473e-836e-5a51cae0b249 API Management secret named values should be stored in Azure Key Vault Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. Default
Audit
Allowed
Audit, Disabled, Deny
IF (4)
•Microsoft.ApiManagement/service/namedValues/displayName
•Microsoft.ApiManagement/service/namedValues/keyVault
•Microsoft.ApiManagement/service/namedValues/keyVault.secretIdentifier
•Microsoft.ApiManagement/service/namedValues/secret
count: 002
Azure_Security_Benchmark_v3.0_DP-6, Azure_Security_Benchmark_v3.0_IM-8
GA BuiltIn
API Management API Management 73ef9241-5d81-4cd4-b483-8443d1730fe5 API Management service should use a SKU that supports virtual networks With supported SKUs of API Management, deploying the service into a virtual network unlocks advanced API Management networking and security features, which give you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.ApiManagement/service/sku.name
IF (1)
•Microsoft.ApiManagement/service
GA BuiltIn
API Management API Management ef619a2c-cc4d-4d03-b2ba-8c94a834d85b API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet-routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.ApiManagement/service/sku.name
•Microsoft.ApiManagement/service/virtualNetworkType
IF (1)
•Microsoft.ApiManagement/service
count: 027
Azure_Security_Benchmark_v2.0_NS-1, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7, RMiT_v1.0_10.33
GA BuiltIn
API Management API Management df73bd95-24da-4a4f-96b9-4e8b94b402bd API Management should disable public network access to the service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
IF (1)
•Microsoft.ApiManagement/service/sku.name
THEN-ExistenceCondition (1)
•Microsoft.ApiManagement/service/tenant/enabled
IF (1)
•Microsoft.ApiManagement/service
count: 001
Azure_Security_Benchmark_v3.0_NS-2
GA BuiltIn
API Management API Management ffe25541-3853-4f4e-b71d-064422294b11 API Management should have username and password authentication disabled To better secure the developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.ApiManagement/service/portalconfigs/enableBasicAuth
GA BuiltIn
API Management API Management 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 API Management subscriptions should not be scoped to all APIs API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. Default
Audit
Allowed
Audit, Disabled, Deny
IF (2)
•Microsoft.ApiManagement/service/subscriptions/scope
•Microsoft.ApiManagement/service/subscriptions/state
count: 001
Azure_Security_Benchmark_v3.0_PA-7
GA BuiltIn
API Management API Management f9869580-d1e9-491a-91b5-d212d8acd27e Audit - Sample Products should be removed from API Management API Management includes two sample products, Starter and Unlimited. Accidentally adding APIs to these sample products may expose APIs more than intended. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.ApiManagement/service/products/displayName
GA Community
API Management API Management 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 Configure API Management services to disable access to API Management public service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
API Management Service Contributor
IF (1)
•Microsoft.ApiManagement/service/sku.name
THEN-ExistenceCondition (1)
•Microsoft.ApiManagement/service/tenant/enabled
IF (1)
•Microsoft.ApiManagement/service
GA BuiltIn
API Management API Management 830fdfd0-7e40-405a-89d0-893aae0fc1fb Configure ReadOnly lock for API Management's subnet Deploy ReadOnly resource lock for API Management's configured subnet. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 2
Contributor
User Access Administrator
THEN-ExistenceCondition (1)
•Microsoft.Authorization/locks/level
IF (1)
•Microsoft.ApiManagement/service
THEN-Deployment (1)
•Microsoft.Authorization/locks
GA Community
API Management API Management b525e077-ad27-4116-bdd1-83cfa9c86bfc Deny - Enforcing Internal VPN The policy enforces that the API Management service is deployed with virtualNetworkType set to Internal: no public endpoint, and the External virtual network mode is not accepted. Default
Deny
Allowed
Deny, Audit, Disabled
IF (1)
•Microsoft.ApiManagement/service/virtualNetworkType
IF (1)
•Microsoft.ApiManagement/service
GA Community
API Management API Management 1b0d74ac-4b43-4c39-a15f-594385adc38d Modify API Management to disable username and password authentication To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Modify
Allowed
Modify
count: 1
Contributor
IF (1)
•Microsoft.ApiManagement/service/portalconfigs/enableBasicAuth
THEN-Operations (1)
•Microsoft.ApiManagement/service/portalconfigs/enableBasicAuth
GA BuiltIn
App Configuration App Configuration 3d9f5e4c-9947-4579-9539-2a7695fbc187 App Configuration should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.AppConfiguration/configurationStores/publicNetworkAccess
IF (1)
•Microsoft.AppConfiguration/configurationStores
count: 001
RMiT_v1.0_10.54
GA BuiltIn
App Configuration App Configuration 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 App Configuration should use a customer-managed key Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.AppConfiguration/configurationStores/encryption.keyVaultProperties.keyIdentifier
IF (1)
•Microsoft.AppConfiguration/configurationStores
count: 002
RBI_ITF_NBFC_v2017_3.1.h, RMiT_v1.0_10.53
GA BuiltIn
App Configuration App Configuration 89c8a434-18f0-402c-8147-630a8dea54e0 App Configuration should use a SKU that supports private link When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.AppConfiguration/configurationStores/sku.name
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration ca610c1d-041c-4332-9d88-7ed3094967c7 App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.AppConfiguration/configurationStores
count: 043
Azure_Security_Benchmark_v2.0_NS-2, Azure_Security_Benchmark_v2.0_NS-3, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7
GA BuiltIn
App Configuration App Configuration b08ab3ca-1062-4db3-8803-eec9cae605d6 App Configuration stores should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.AppConfiguration/configurationStores/disableLocalAuth
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration 72bc14af-4ab8-43af-b4e4-38e7983f9a1f Configure App Configuration stores to disable local authentication methods Disable local authentication methods so that your App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (1)
•Microsoft.AppConfiguration/configurationStores/disableLocalAuth
THEN-Operations (1)
•Microsoft.AppConfiguration/configurationStores/disableLocalAuth
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration 73290fa2-dfa7-4bbb-945d-a5e23b75df2c Configure App Configuration to disable public network access Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect your stores against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (1)
•Microsoft.AppConfiguration/configurationStores/publicNetworkAccess
THEN-Operations (1)
•Microsoft.AppConfiguration/configurationStores/publicNetworkAccess
IF (1)
•Microsoft.AppConfiguration/configurationStores
count: 002
RMiT_v1.0_10.33, RMiT_v1.0_11.15
GA BuiltIn
App Configuration App Configuration 7a860e27-9ca2-4fc6-822d-c2d248c300df Configure private DNS zones for private endpoints connected to App Configuration Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
App Configuration App Configuration 614ffa75-862c-456e-ad8b-eaa1b0844b07 Configure private endpoints for App Configuration Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://aka.ms/appconfig/private-endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Contributor
THEN-ExistenceCondition (1)
•Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.AppConfiguration/configurationStores
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
App Platform App Platform 0f2d8593-4667-4932-acca-6a9f187af109 [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.AppPlatform/Spring/trace.enabled
•Microsoft.AppPlatform/Spring/trace.state
IF (1)
•Microsoft.AppPlatform/Spring
Preview BuiltIn
App Platform App Platform af35e2a4-ef96-44e7-a9ae-853dd97032c4 Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Default
Audit
Allowed
Audit, Disabled, Deny
IF (2)
•Microsoft.AppPlatform/Spring/networkProfile.serviceRuntimeSubnetId
•Microsoft.AppPlatform/Spring/sku.tier
IF (1)
•Microsoft.AppPlatform/Spring
count: 022
Azure_Security_Benchmark_v2.0_NS-2, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7
GA BuiltIn
App Service App Service b7ddfbdc-1260-477d-91fd-98bd9be789a6 [Deprecated]: API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should only be accessible over HTTPS', which is scoped to include API apps in addition to Web Apps. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 0c192fe8-9cbb-4516-85b3-0ade8bd03886 [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have 'Client Certificates (Incoming client certificates)' enabled', which is scoped to include API apps in addition to Web Apps. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 324c7761-08db-4474-9661-d1039abc92ee [Deprecated]: API apps should use an Azure file share for its content directory The content directory of an API app should be located on an Azure file share. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use an Azure file shares for its content directory', which is scoped to include API apps in addition to Web Apps. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Web/sites/storageAccountRequired
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 74c3584d-afae-46f7-a20a-6f8adba71a16 [Deprecated]: API apps that use Python should use the latest 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Python should use the latest 'Python version''. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd [Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/vnetRouteAllEnabled
IF (1)
•Microsoft.Web/sites/slots
Deprecated BuiltIn
App Service App Service 33228571-70a4-4fa1-8ca1-26d0aba8d6ef [Deprecated]: App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/vnetRouteAllEnabled
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service d79ab062-dffd-4318-8344-f70de714c0bc [Deprecated]: App Service should disable public network access Disabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Web/sites/config/PublicNetworkAccess
Deprecated BuiltIn
App Service App Service 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7 [Deprecated]: App Services should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/publicNetworkAccess
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 752c6934-9bcc-4749-b004-655e676ae2ac [Deprecated]: Audit enabling of diagnostic logs in App Services Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default
Audit
Allowed
Audit, Disabled
IF (3)
•Microsoft.Web/sites/config/detailedErrorLoggingEnabled
•Microsoft.Web/sites/config/httpLoggingEnabled
•Microsoft.Web/sites/config/requestTracingEnabled
Deprecated BuiltIn
App Service App Service c4ebc54a-46e1-481a-bee2-d4411e95d828 [Deprecated]: Authentication should be enabled on your API app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps should have authentication enabled', which is scoped to include API apps in addition to Web apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/siteAuthEnabled
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 81dff7c0-4020-4b58-955d-c076a2136b56 [Deprecated]: Configure App Services to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/publicNetworkAccess
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac [Deprecated]: CORS should not allow every resource to access your API App Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should not have CORS configured to allow every resource to access your apps', which is scoped to include API apps in addition to Web Apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 [Deprecated]: Diagnostic logs in App Services should be enabled Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (3)
•Microsoft.Web/sites/config/detailedErrorLoggingEnabled
•Microsoft.Web/sites/config/httpLoggingEnabled
•Microsoft.Web/sites/config/requestTracingEnabled
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 58d94fc1-a072-47c2-bd37-9cdb38e77453 [Deprecated]: Ensure Function app is using the latest version of TLS encryption Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the TLS level recommended by industry standards such as PCI DSS. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.minTlsVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.netFrameworkVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 10c1859c-e1a7-4df3-ab97-a487fa8059f6 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.netFrameworkVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 843664e0-7563-41ee-a9cb-7522c382d2c4 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.netFrameworkVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 991310cd-e9f3-47bc-b7b6-f57b557d07db [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use latest 'HTTP Version'', which is scoped to include API apps in addition to Web Apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.http20Enabled
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 88999f4c-376a-45c8-bcb3-4058f713cf39 [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Java version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Java should use the latest 'Java version'', which is scoped to include API apps in addition to Web apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps that use PHP should use the latest 'PHP version'', which is scoped to include API apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service ab965db2-d2bf-4b64-8b39-c38ec8179461 [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app PHP cannot be used with Function apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/config/web.linuxFxVersion
•Microsoft.Web/sites/config/web.phpVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 86d97760-d216-4d81-a3ad-163087b2b6c3 [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.managedServiceIdentityId
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service f0473e7a-a1ba-4e86-afb2-e829e11b01d8 [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.managedServiceIdentityId
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service aa81768c-cb87-4ce2-bfaa-00baa10d760c [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.managedServiceIdentityId
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 6ad61431-88ce-4357-a0e1-6da43f292bd7 [Deprecated]: Ensure WEB app is using the latest version of TLS encryption Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.minTlsVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 [Deprecated]: FTPS only should be required in your API App Enable FTPS enforcement for enhanced security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should require FTPS only', which is scoped to include API apps in addition to Web Apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/ftpsState
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e [Deprecated]: Latest TLS version should be used in your API App Upgrade to the latest TLS version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use the latest TLS version', which is scoped to include API apps in addition to Web Apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service c4d441f8-f9d9-4a9e-9cef-e82117cb3eef [Deprecated]: Managed identity should be used in your API App Use a managed identity for enhanced authentication security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use managed identity', which is scoped to include API apps in addition to Web Apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/config/managedServiceIdentityId
•Microsoft.Web/sites/config/xmanagedServiceIdentityId
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service e9c8d085-d9cc-4b17-9cdc-059f1f01f19e [Deprecated]: Remote debugging should be turned off for API Apps Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have remote debugging turned off', which is scoped to include API apps in addition to Web Apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service app-service_allowed-appservicesplan-skus Allowed App Services Plan SKUs This policy enables you to specify a set of App Services Plan SKUs that your organization can deploy. Fixed
Deny
IF (1)
•Microsoft.Web/serverfarms/sku.name
IF (1)
•Microsoft.Web/serverfarms
GA Community
App Service App Service Deny-AppServiceApiApp-http API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Deny
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA ALZ
App Service App Service 24b7a1c6-44fe-40cc-a2e6-242d2ef70e98 App Service app slots should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Web/sites/slots/virtualNetworkSubnetId
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 701a595d-38fb-4a66-ae6d-fb3735217622 App Service app slots should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Web/sites/slots/publicNetworkAccess
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 5747353b-1ca9-42c1-a4dd-b874b894f3d4 App Service app slots should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.Web/sites/slots/vnetContentShareEnabled
•Microsoft.Web/sites/slots/vnetImagePullEnabled
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service f5c0bfb3-acea-47b1-b477-b0edcdf6edc1 App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC 1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Web/sites/slots/vnetRouteAllEnabled
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 2f7c08c2-f671-4282-9fdb-597b6ef2c10d App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Web/sites/slots/clientCertEnabled
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service ec71c0bc-6a45-4b1f-9587-80dc83e6898c App Service app slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 847ef871-e2fe-4e6e-907e-4adbf71de5cf App Service app slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service a08ae1ab-8d1d-422b-a123-df82b307ba61 App Service app slots should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service d639b3af-a535-4bef-8dcf-15078cddf5e2 App Service app slots should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service cae7c12e-764b-4c87-841a-fdc6675d196f App Service app slots should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service ae1b9a8c-dfce-4605-bd91-69213b4a26fc App Service app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Web/sites/slots/httpsOnly
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service c285a320-8830-4665-9cc7-bbd05fc7c5c0 App Service app slots should require FTPS only Enable FTPS enforcement for enhanced security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/ftpsState
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service fd34e936-069e-4fe5-bac6-f7c9824caab6 App Service app slots should use an Azure file share for its content directory The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Web/sites/slots/storageAccountRequired
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 4dcfb8b5-05cd-4090-a931-2ec29057e1fc App Service app slots should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.http20Enabled
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 4a15c15f-90d5-4a1f-8b63-2903944963fd App Service app slots should use managed identity Use a managed identity for enhanced authentication security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/slots/config/managedServiceIdentityId
•Microsoft.Web/sites/slots/config/xmanagedServiceIdentityId
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 4ee5b817-627a-435a-8932-116193268172 App Service app slots should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, to include additional functionality, or to enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/minTlsVersion
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 46dad49f-8945-44d7-9bb1-2e1542f627d3 App Service app slots that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service f466b2a6-823d-470d-8ea5-b031e72d79ae App Service app slots that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 9c014953-ef68-4a98-82af-fd0f6b2306c8 App Service app slots that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 72d04c29-f87d-4575-9731-419ff16a2757 App Service apps should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Web/sites/virtualNetworkSubnetId
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba App Service apps should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Web/sites/publicNetworkAccess
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 801543d1-1953-4a90-b8b0-8cf6d41473a5 App Service apps should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.Web/sites/vnetContentShareEnabled
•Microsoft.Web/sites/vnetImagePullEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service a691eacb-474d-47e4-b287-b4813ca44222 App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC 1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Web/sites/vnetRouteAllEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 95bccee9-a7f8-4bec-9ee9-62c3473701fc App Service apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/siteAuthEnabled
IF (1)
•Microsoft.Web/sites
count: 005
CIS_Azure_1.1.0_9.1, CIS_Azure_1.3.0_9.1, CIS_Azure_1.4.0_9.1, NZ_ISM_v3.5_SS-9, RMiT_v1.0_10.54
GA BuiltIn
App Service App Service 5bb220d9-2698-4ee4-8404-b9c30c9df609 App Service apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
count: 025
Azure_Security_Benchmark_v1.0_1.3, Azure_Security_Benchmark_v2.0_PV-2, Azure_Security_Benchmark_v3.0_PV-2, CIS_Azure_1.1.0_9.4, CIS_Azure_1.3.0_9.4, CIS_Azure_1.4.0_9.4, CMMC_2.0_L2_CM.L2-3.4.1, CMMC_2.0_L2_CM.L2-3.4.2, FedRAMP_High_R4_CM-6, FedRAMP_Moderate_R4_CM-6, hipaa-0662.09sCSPOrganizational.2-09.s, hipaa-0915.09s2Organizational.2-09.s, NIST_SP_800-171_R2_3.4.1, NIST_SP_800-171_R2_3.4.2, NIST_SP_800-53_R4_CM-6, NIST_SP_800-53_R5_CM-6, NZ_ISM_v3.5_SS-9, RBI_CSF_Banks_v2016_13.1, RBI_CSF_Banks_v2016_4.3, RBI_ITF_NBFC_v2017_3.8, RMiT_v1.0_10.20, SOC_2_CC6.8, SOC_2_CC8.1, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_2.4A
GA BuiltIn
App Service App Service 871b205b-57cf-4e1e-a234-492616998bf7 App Service apps should have local authentication methods disabled for FTP deployments Disabling local authentication methods improves security by ensuring that App Service exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service aede300b-d67f-480a-ae26-4b3dfb1a1fdc App Service apps should have local authentication methods disabled for SCM site deployments Disabling local authentication methods improves security by ensuring that App Service exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service cb510bfd-1cba-4d9f-a230-cb0976f4bb71 App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
count: 046
AU_ISM_1386, Azure_Security_Benchmark_v1.0_1.3, Azure_Security_Benchmark_v2.0_PV-2, Azure_Security_Benchmark_v3.0_PV-2, CCCS_AC-17(1), CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_CM.L2-3.4.1, CMMC_2.0_L2_CM.L2-3.4.2, CMMC_L3_AC.1.001, CMMC_L3_AC.2.013, CMMC_L3_CM.3.068, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_CM-6, FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_CM-6, hipaa-0912.09s1Organizational.4-09.s, hipaa-1194.01l2Organizational.2-01.l, IRS_1075_9.3.1.12, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-171_R2_3.4.1, NIST_SP_800-171_R2_3.4.2, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_CM-6, NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_CM-6, NZ_ISM_v3.5_SS-2, NZISM_Security_Benchmark_v1.1_SS-2, RBI_CSF_Banks_v2016_13.1, RBI_CSF_Banks_v2016_4.3, RBI_ITF_NBFC_v2017_3.1.b, RMiT_v1.0_Appendix_5.7, SOC_2_CC6.8, SOC_2_CC8.1, SWIFT_CSCF_v2021_1.1, SWIFT_CSCF_v2021_1.2, SWIFT_CSCF_v2021_6.2, SWIFT_CSCF_v2021_6.5A, UK_NCSC_CSP_11
GA BuiltIn
App Service App Service 91a78b24-f231-4a8a-8da9-02c35b2b6510 App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.Web/sites
count: 030
Azure_Security_Benchmark_v1.0_2.3, Azure_Security_Benchmark_v2.0_LT-4, Azure_Security_Benchmark_v3.0_LT-3, CIS_Azure_1.3.0_5.3, CIS_Azure_1.4.0_5.3, CMMC_2.0_L2_AU.L2-3.3.1, CMMC_2.0_L2_AU.L2-3.3.2, CMMC_L3_AU.3.048, FedRAMP_High_R4_AU-12, FedRAMP_High_R4_AU-12(1), FedRAMP_High_R4_AU-6(4), FedRAMP_High_R4_AU-6(5), FedRAMP_Moderate_R4_AU-12, hipaa-1209.09aa3System.2-09.aa, NIST_SP_800-171_R2_3.3.1, NIST_SP_800-171_R2_3.3.2, NIST_SP_800-53_R4_AU-12, NIST_SP_800-53_R4_AU-12(1), NIST_SP_800-53_R4_AU-6(4), NIST_SP_800-53_R4_AU-6(5), NIST_SP_800-53_R5_AU-12, NIST_SP_800-53_R5_AU-12(1), NIST_SP_800-53_R5_AU-6(4), NIST_SP_800-53_R5_AU-6(5), NZ_ISM_v3.5_AC-18, NZISM_Security_Benchmark_v1.1_AC-17, RBI_CSF_Banks_v2016_17.1, RBI_CSF_Banks_v2016_6.4, RMiT_v1.0_10.66, SWIFT_CSCF_v2022_6.4
GA BuiltIn
App Service App Service 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 App Service apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites
count: 033
AU_ISM_1424, Azure_Security_Benchmark_v1.0_1.3, Azure_Security_Benchmark_v2.0_PV-2, Azure_Security_Benchmark_v3.0_PV-2, CCCS_AC-4, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_CM.L2-3.4.1, CMMC_2.0_L2_CM.L2-3.4.2, CMMC_L3_AC.1.001, CMMC_L3_AC.1.002, CMMC_L3_CM.3.068, CMMC_L3_SC.3.183, FedRAMP_High_R4_AC-4, FedRAMP_High_R4_CM-6, FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_CM-6, hipaa-0901.09s1Organizational.1-09.s, hipaa-0916.09s2Organizational.4-09.s, IRS_1075_9.3.1.4, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.4.1, NIST_SP_800-171_R2_3.4.2, NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_CM-6, NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_CM-6, NZ_ISM_v3.5_SS-9, NZISM_Security_Benchmark_v1.1_SS-9, RBI_CSF_Banks_v2016_13.1, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.8, SOC_2_CC8.1, SWIFT_CSCF_v2021_6.5A
GA BuiltIn
App Service App Service a4af4a39-4135-47fb-b175-47fbdf85311d App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
count: 051
AU_ISM_1552, Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, CCCS_SC-8(1), CIS_Azure_1.1.0_9.2, CIS_Azure_1.3.0_9.2, CIS_Azure_1.4.0_9.2, CMMC_2.0_L2_SC.L2-3.13.8, CMMC_L3_AC.1.002, CMMC_L3_IA.3.084, CMMC_L3_SC.1.175, CMMC_L3_SC.3.185, CMMC_L3_SC.3.190, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), hipaa-0809.01n2Organizational.1234-01.n, hipaa-0810.01n2Organizational.5-01.n, hipaa-0811.01n2Organizational.6-01.n, hipaa-0812.01n2Organizational.8-01.n, hipaa-0814.01n1Organizational.12-01.n, hipaa-0949.09y2Organizational.5-09.y, hipaa-1403.05i1Organizational.67-05.i, IRS_1075_9.3.16.6, ISO27001-2013_A.10.1.1, NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_SS-9, NZISM_Security_Benchmark_v1.1_SS-9, PCI_DSS_V3.2.1_3.4, PCI_DSS_V3.2.1_4.1, PCI_DSS_V3.2.1_6.5.3, PCI_DSS_v4.0_3.5.1, PCI_DSS_v4.0_6.2.4, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.4, RBI_ITF_NBFC_v2017_3.1.h, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.1, SOC_2_CC6.6, SOC_2_CC6.7, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_2.4A, SWIFT_CSCF_v2021_2.5A, UK_NCSC_CSP_1
GA BuiltIn
App Service App Service 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b App Service apps should require FTPS only Enable FTPS enforcement for enhanced security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/ftpsState
IF (1)
•Microsoft.Web/sites
count: 024
Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, CIS_Azure_1.3.0_9.10, CIS_Azure_1.4.0_9.10, CMMC_2.0_L2_SC.L2-3.13.8, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_SS-9, NZISM_Security_Benchmark_v1.1_CR-7, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.4, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.1, SOC_2_CC6.6, SOC_2_CC6.7
GA BuiltIn
App Service App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.Web/serverFarms/sku.name
•Microsoft.Web/serverFarms/sku.tier
IF (1)
•Microsoft.Web/serverFarms
GA BuiltIn
App Service App Service dcbc65aa-59f3-4239-8978-3bb869d82604 App Service apps should use an Azure file share for its content directory The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Web/sites/storageAccountRequired
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 8c122334-9d20-4eb8-89ea-ac9a705b74ae App Service apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.http20Enabled
IF (1)
•Microsoft.Web/sites
count: 016
CIS_Azure_1.1.0_9.10, CIS_Azure_1.3.0_9.9, CIS_Azure_1.4.0_9.9, CMMC_2.0_L2_SI.L1-3.14.1, CMMC_L3_SI.1.210, FedRAMP_High_R4_SI-2, FedRAMP_Moderate_R4_SI-2, NIST_SP_800-171_R2_3.14.1, NIST_SP_800-53_R4_SI-2, NIST_SP_800-53_R4_SI-2(6), NIST_SP_800-53_R5_SI-2, NIST_SP_800-53_R5_SI-2(6), NZ_ISM_v3.5_SS-9, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.8, SOC_2_CC8.1
GA BuiltIn
App Service App Service 2b9ad585-36bc-4615-b300-fd4435808332 App Service apps should use managed identity Use a managed identity for enhanced authentication security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/config/managedServiceIdentityId
•Microsoft.Web/sites/config/xmanagedServiceIdentityId
IF (1)
•Microsoft.Web/sites
count: 042
Azure_Security_Benchmark_v1.0_7.12, Azure_Security_Benchmark_v2.0_IM-1, Azure_Security_Benchmark_v2.0_IM-2, Azure_Security_Benchmark_v3.0_IM-3, CIS_Azure_1.1.0_9.5, CIS_Azure_1.3.0_9.5, CIS_Azure_1.4.0_9.5, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, CMMC_2.0_L2_IA.L1-3.5.1, CMMC_2.0_L2_IA.L1-3.5.2, CMMC_2.0_L2_IA.L2-3.5.5, CMMC_2.0_L2_IA.L2-3.5.6, FedRAMP_High_R4_AC-2, FedRAMP_High_R4_AC-3, FedRAMP_High_R4_IA-2, FedRAMP_High_R4_IA-4, FedRAMP_Moderate_R4_AC-2, FedRAMP_Moderate_R4_AC-3, FedRAMP_Moderate_R4_IA-2, FedRAMP_Moderate_R4_IA-4, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-171_R2_3.5.1, NIST_SP_800-171_R2_3.5.2, NIST_SP_800-171_R2_3.5.5, NIST_SP_800-171_R2_3.5.6, NIST_SP_800-53_R4_AC-2, NIST_SP_800-53_R4_AC-3, NIST_SP_800-53_R4_IA-2, NIST_SP_800-53_R4_IA-4, NIST_SP_800-53_R5_AC-2, NIST_SP_800-53_R5_AC-3, NIST_SP_800-53_R5_IA-2, NIST_SP_800-53_R5_IA-4, NZ_ISM_v3.5_AC-2, NZISM_Security_Benchmark_v1.1_AC-2, RBI_CSF_Banks_v2016_6.4, RBI_CSF_Banks_v2016_8.4, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_5.2, SWIFT_CSCF_v2021_5.4
GA BuiltIn
App Service App Service 687aa49d-0982-40f8-bf6b-66d1da97a04b App Service apps should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service apps should use the latest TLS version Periodically, newer versions are released for TLS to address security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
count: 039
AU_ISM_1139, Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, Azure_Security_Benchmark_v3.0_NS-8, CIS_Azure_1.1.0_9.3, CIS_Azure_1.3.0_9.3, CIS_Azure_1.4.0_9.3, CMMC_2.0_L2_SC.L2-3.13.8, CMMC_L3_IA.3.084, CMMC_L3_SC.1.175, CMMC_L3_SC.3.185, CMMC_L3_SC.3.190, CMMC_L3_SI.1.210, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), hipaa-0809.01n2Organizational.1234-01.n, hipaa-0810.01n2Organizational.5-01.n, hipaa-0811.01n2Organizational.6-01.n, hipaa-0812.01n2Organizational.8-01.n, hipaa-0814.01n1Organizational.12-01.n, hipaa-0949.09y2Organizational.5-09.y, NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_CR-8, NZISM_Security_Benchmark_v1.1_CR-7, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.1, RBI_CSF_Banks_v2016_13.4, RBI_ITF_NBFC_v2017_3.1.h, RMiT_v1.0_10.68, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_2.6
GA BuiltIn
App Service App Service 496223c3-ad65-4ecd-878a-bae78737e9ed App Service apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 7261b898-8a84-4db8-9e04-18527132abb3 App Service apps that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 7008174a-fd10-4ef0-817e-fc820a951d73 App Service apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 2d048aca-6479-4923-88f5-e2ac295d9af3 App Service Environment apps should not be reachable over public internet To ensure apps deployed in an App Service Environment are not accessible over the public internet, one should deploy the App Service Environment with an IP address in a virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Web/HostingEnvironments/internalLoadBalancingMode
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service 817dcf37-e83d-4999-a472-644eada2ea1e App Service Environment should be configured with strongest TLS Cipher suites The two most minimal and strongest cipher suites required for App Service Environment to function correctly are: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Default
Audit
Allowed
Audit, Disabled
IF (3)
•Microsoft.Web/HostingEnvironments/clusterSettings[*]
•Microsoft.Web/HostingEnvironments/clusterSettings[*].name
•Microsoft.Web/HostingEnvironments/clusterSettings[*].value
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service eb4d34ab-0929-491c-bbf3-61e13da19f9a App Service Environment should be provisioned with latest versions Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service fb74e86f-d351-4b8d-b034-93da7391c01f App Service Environment should have internal encryption enabled Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. Default
Audit
Allowed
Audit, Disabled
IF (3)
•Microsoft.Web/HostingEnvironments/clusterSettings[*]
•Microsoft.Web/HostingEnvironments/clusterSettings[*].name
•Microsoft.Web/HostingEnvironments/clusterSettings[*].value
IF (1)
•Microsoft.Web/hostingEnvironments
count: 011
CMMC_2.0_L2_SC.L2-3.13.16, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1), RBI_ITF_NBFC_v2017_3.1.h
GA BuiltIn
App Service App Service d6545c6b-dd9d-4265-91e6-0b451e2f1c50 App Service Environment should have TLS 1.0 and 1.1 disabled TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. Default
Audit
Allowed
Audit, Deny, Disabled
IF (3)
•Microsoft.Web/HostingEnvironments/clusterSettings[*]
•Microsoft.Web/HostingEnvironments/clusterSettings[*].name
•Microsoft.Web/HostingEnvironments/clusterSettings[*].value
IF (1)
•Microsoft.Web/hostingEnvironments
count: 001
ACAT_Security_Policies
GA BuiltIn
App Service App Service app-service_audit-appservicesbackend-appgw Apps Require App Gateway Front End Custom policy that requires HTTP(S)-triggered apps to sit behind an App Gateway front end so that inbound ports are not opened on the apps. Default
auditIfNotExists
Allowed
auditIfNotExists, disabled
THEN-ExistenceCondition (2)
•Microsoft.Network/applicationGateways/backendAddressPools[*].backendAddresses[*]
•Microsoft.Network/applicationGateways/backendAddressPools[*].backendAddresses[*].fqdn
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service Append-AppService-httpsonly AppService append enable https only setting to enforce https setting. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note that Append does not enforce compliance; use Deny for enforcement. Default
Append
Allowed
Append, Disabled
IF (1)
•Microsoft.Web/sites/httpsOnly
THEN-Details (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA ALZ
App Service App Service Append-AppService-latestTLS AppService append sites with minimum TLS version to enforce. Appends the AppService sites object to ensure that the minimum TLS version is set to the required minimum TLS version. Please note that Append does not enforce compliance; use Deny for enforcement. Default
Append
Allowed
Append, Disabled
IF (1)
•Microsoft.Web/sites/config/minTlsVersion
THEN-Details (1)
•Microsoft.Web/sites/config/minTlsVersion
GA ALZ
App Service App Service monitoring_app-service-audit-diagnostic-logs Audit enabling of diagnostic logs in App Services Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default
Audit
Allowed
Audit, Disabled
IF (3)
•Microsoft.Web/sites/config/detailedErrorLoggingEnabled
•Microsoft.Web/sites/config/httpLoggingEnabled
•Microsoft.Web/sites/config/requestTracingEnabled
GA Community
App Service App Service f493116f-3b7f-4ab3-bf80-0c2af35e46c2 Configure App Service app slots to disable local authentication for FTP deployments Disable local authentication methods for FTP deployments so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 2c034a29-2a5f-4857-b120-f800fe5549ae Configure App Service app slots to disable local authentication for SCM sites Disable local authentication methods for SCM sites so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service c6c3e00e-d414-4ca4-914f-406699bb8eee Configure App Service app slots to disable public network access Disable public network access for your App Services so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 1
Website Contributor
IF (1)
•Microsoft.Web/sites/slots/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Web/sites/slots/publicNetworkAccess
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service a18c77f2-3d6d-497a-9f61-849a7e8a3b79 Configure App Service app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled
count: 1
Website Contributor
IF (1)
•Microsoft.Web/sites/slots/httpsOnly
THEN-Operations (1)
•Microsoft.Web/sites/slots/httpsOnly
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service cca5adfe-626b-4cc6-8522-f5b6ed2391bd Configure App Service app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 014664e7-e348-41a3-aeb9-566e4ff6a9df Configure App Service app slots to use the latest TLS version Periodically, newer versions are released for TLS to address security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/minTlsVersion
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 Configure App Service apps to disable local authentication for FTP deployments Disable local authentication methods for FTP deployments so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 5e97b776-f380-4722-a9a3-e7f0be029e79 Configure App Service apps to disable local authentication for SCM sites Disable local authentication methods for SCM sites so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 2374605e-3e0b-492b-9046-229af202562c Configure App Service apps to disable public network access Disable public network access for your App Services so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 1
Website Contributor
IF (1)
•Microsoft.Web/sites/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Web/sites/publicNetworkAccess
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 0f98368e-36bc-4716-8ac2-8f8067203b63 Configure App Service apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled
count: 1
Website Contributor
IF (1)
•Microsoft.Web/sites/httpsOnly
THEN-Operations (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b Configure App Service apps to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service b318f84a-b872-429b-ac6d-a01b96814452 Configure App Service apps to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Web/sites
GA BuiltIn
App Service App Service ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d Configure App Service apps to use the latest TLS version Periodically, newer versions are released for TLS to address security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 242222f3-4985-4e99-b5ef-086d6a6cb01c Configure Function app slots to disable public network access Disable public network access for your Function apps so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 1
Website Contributor
IF (1)
•Microsoft.Web/sites/slots/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Web/sites/slots/publicNetworkAccess
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 08cf2974-d178-48a0-b26d-f6b8e555748b Configure Function app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled
count: 1
Website Contributor
IF (1)
•Microsoft.Web/sites/slots/httpsOnly
THEN-Operations (1)
•Microsoft.Web/sites/slots/httpsOnly
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 70adbb40-e092-42d5-a6f8-71c540a5efdb Configure Function app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service fa3a6357-c6d6-4120-8429-855577ec0063 Configure Function app slots to use the latest TLS version Periodically, newer versions are released for TLS to address security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/minTlsVersion
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service cd794351-e536-40f4-9750-503a463d8cad Configure Function apps to disable public network access Disable public network access for your Function apps so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 1
Website Contributor
IF (1)
•Microsoft.Web/sites/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Web/sites/publicNetworkAccess
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service a096cbd0-4693-432f-9374-682f485f23f3 Configure Function apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled
count: 1
Website Contributor
IF (1)
•Microsoft.Web/sites/httpsOnly
THEN-Operations (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 25a5046c-c423-4805-9235-e844ae9ef49b Configure Function apps to turn off remote debugging Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 Configure Function apps to use the latest TLS version Periodically, newer versions are released for TLS to address security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service app-service_functionapp-enforce-ftps-only Enforce FTPS only or disablement of FTP/FTPS for App Service and Azure Functions Enforce FTPS only or disablement of FTP/FTPS for App Service and Azure Functions Default
AuditIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/ftpsState
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-enforce-https-only-dine Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
THEN-Deployment (1)
•Microsoft.Web/sites
GA Community
App Service App Service Deny-AppServiceFunctionApp-http Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Deny
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA ALZ
App Service App Service app-service_functionapp-enforce-https-only-audit_or_deny Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service 11c82d0c-db9f-4d7b-97c5-f3f9aa957da2 Function app slots should disable public network access Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Web/sites/slots/publicNetworkAccess
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service cf9ca02d-383e-4506-a421-258cc1a5300d Function app slots should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Web/sites/slots/clientCertEnabled
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 89691ef9-8c50-49a8-8950-9c7fba41699e Function app slots should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service a1a22235-dd10-4062-bd55-7d62778f41b0 Function app slots should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 Function app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Web/sites/slots/httpsOnly
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service e1a09430-221d-4d4c-a337-1edb5a1fa9bb Function app slots should require FTPS only Enable FTPS enforcement for enhanced security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/ftpsState
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 13bcff5d-f0eb-4ce7-913e-83ad6300376b Function app slots should use an Azure file share for its content directory The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Web/sites/slots/storageAccountRequired
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service fa98f1b1-1f56-4179-9faf-93ad82f3458f Function app slots should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.http20Enabled
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service deb528de-8f89-4101-881c-595899253102 Function app slots should use the latest TLS version Periodically, newer versions are released for TLS to address security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/minTlsVersion
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service e1d1b522-02b0-4d18-a04f-5ab62d20445f Function app slots that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 829b40f3-d3db-4fd2-be46-76663d3aeeb2 Function app slots that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service app-service_functionapp-deployed-to-appserviceenvironment Function apps must be deployed to an App Service Environment (ASE) Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Web/sites/hostingEnvironmentProfile.id
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-private-endpoints-enabled-aine Function apps must have private endpoints enabled A private endpoint connection enables private connectivity to your function app via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-private-endpoints-enabled-dine Function apps must have private endpoints enabled A private endpoint connection enables private connectivity to your function app via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Network Contributor
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Web/sites
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA Community
App Service App Service app-service_functionapp-enforce-connect-to-acr-with-identity Function apps should authenticate to Azure Container Registry using a managed identity Function apps should authenticate to Azure Container Registry using a managed identity Default
AuditIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/acrUseManagedIdentityCreds
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-vnet-injection-enabled Function apps should be injected into a virtual network Injecting function apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/networkConfig/subnetResourceId
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service 969ac98b-88a8-449f-883c-2e9adb123127 Function apps should disable public network access Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Web/sites/publicNetworkAccess
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 Function apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/siteAuthEnabled
IF (1)
•Microsoft.Web/sites
count: 005
CIS_Azure_1.1.0_9.1, CIS_Azure_1.3.0_9.1, CIS_Azure_1.4.0_9.1, NZ_ISM_v3.5_SS-9, RMiT_v1.0_10.54
GA BuiltIn
App Service App Service eaebaea7-8013-4ceb-9d14-7eb32271373c Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
count: 020
Azure_Security_Benchmark_v2.0_PV-2, Azure_Security_Benchmark_v3.0_PV-2, CIS_Azure_1.1.0_9.4, CIS_Azure_1.3.0_9.4, CIS_Azure_1.4.0_9.4, CMMC_2.0_L2_CM.L2-3.4.1, CMMC_2.0_L2_CM.L2-3.4.2, FedRAMP_High_R4_CM-6, FedRAMP_Moderate_R4_CM-6, NIST_SP_800-171_R2_3.4.1, NIST_SP_800-171_R2_3.4.2, NIST_SP_800-53_R4_CM-6, NIST_SP_800-53_R5_CM-6, NZ_ISM_v3.5_SS-9, RBI_CSF_Banks_v2016_13.1, RBI_ITF_NBFC_v2017_3.1.b, RBI_ITF_NBFC_v2017_3.8, RMiT_v1.0_10.20, SOC_2_CC6.8, SOC_2_CC8.1
GA BuiltIn
App Service App Service app-service_functionapp-enforce-client-certs-dine Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
THEN-Deployment (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-enforce-client-certs-audit_or_deny Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-disable-deployment-local-auth-scm Function apps should have local authentication methods for deployment disabled Disabling local authentication methods improves security by ensuring that the app exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-disable-deployment-local-auth-ftp_functionapp-disable-deployment-local-auth-scm Function apps should have local authentication methods for deployment disabled Disabling local authentication methods improves security by ensuring that the app exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service 0e60b895-3786-45da-8377-9c6b4b6ac5f9 Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
count: 047
AU_ISM_1386, Azure_Security_Benchmark_v1.0_1.3, Azure_Security_Benchmark_v2.0_PV-2, Azure_Security_Benchmark_v3.0_PV-2, CCCS_AC-17(1), CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_CM.L2-3.4.1, CMMC_2.0_L2_CM.L2-3.4.2, CMMC_L3_AC.1.001, CMMC_L3_AC.2.013, CMMC_L3_CM.3.068, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_CM-6, FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_CM-6, hipaa-0913.09s1Organizational.5-09.s, hipaa-1195.01l3Organizational.1-01.l, hipaa-1325.09s1Organizational.3-09.s, IRS_1075_9.3.1.12, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-171_R2_3.4.1, NIST_SP_800-171_R2_3.4.2, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_CM-6, NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_CM-6, NZ_ISM_v3.5_SS-2, NZISM_Security_Benchmark_v1.1_SS-2, RBI_CSF_Banks_v2016_13.1, RBI_CSF_Banks_v2016_4.3, RBI_ITF_NBFC_v2017_3.1.b, RMiT_v1.0_Appendix_5.7, SOC_2_CC6.8, SOC_2_CC8.1, SWIFT_CSCF_v2021_1.1, SWIFT_CSCF_v2021_1.2, SWIFT_CSCF_v2021_6.2, SWIFT_CSCF_v2021_6.5A, UK_NCSC_CSP_11
GA BuiltIn
App Service App Service 0820b7b9-23aa-4725-a1ce-ae4558f718e5 Function apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites
count: 025
Azure_Security_Benchmark_v1.0_1.3, Azure_Security_Benchmark_v2.0_PV-2, Azure_Security_Benchmark_v3.0_PV-2, CMMC_2.0_L2_CM.L2-3.4.1, CMMC_2.0_L2_CM.L2-3.4.2, CMMC_L3_AC.1.001, CMMC_L3_AC.1.002, CMMC_L3_AC.2.016, CMMC_L3_CM.3.068, CMMC_L3_SC.3.183, FedRAMP_High_R4_CM-6, FedRAMP_Moderate_R4_CM-6, hipaa-0902.09s2Organizational.13-09.s, hipaa-0960.09sCSPOrganizational.1-09.s, NIST_SP_800-171_R2_3.4.1, NIST_SP_800-171_R2_3.4.2, NIST_SP_800-53_R4_CM-6, NIST_SP_800-53_R5_CM-6, NZ_ISM_v3.5_SS-9, NZISM_Security_Benchmark_v1.1_SS-9, RBI_CSF_Banks_v2016_13.1, RMiT_v1.0_Appendix_5.7, SOC_2_CC6.8, SOC_2_CC8.1, SWIFT_CSCF_v2021_6.5A
GA BuiltIn
App Service App Service 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
count: 048
AU_ISM_1552, Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, CCCS_SC-8(1), CMMC_2.0_L2_SC.L2-3.13.8, CMMC_L3_AC.1.002, CMMC_L3_IA.3.084, CMMC_L3_SC.1.175, CMMC_L3_SC.3.185, CMMC_L3_SC.3.190, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), hipaa-0809.01n2Organizational.1234-01.n, hipaa-0810.01n2Organizational.5-01.n, hipaa-0811.01n2Organizational.6-01.n, hipaa-0812.01n2Organizational.8-01.n, hipaa-0814.01n1Organizational.12-01.n, hipaa-0949.09y2Organizational.5-09.y, hipaa-1402.05i1Organizational.45-05.i, IRS_1075_9.3.16.6, ISO27001-2013_A.10.1.1, NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_SS-9, NZISM_Security_Benchmark_v1.1_SS-9, PCI_DSS_V3.2.1_3.4, PCI_DSS_V3.2.1_4.1, PCI_DSS_V3.2.1_6.5.3, PCI_DSS_v4.0_3.5.1, PCI_DSS_v4.0_6.2.4, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.4, RBI_ITF_NBFC_v2017_3.1.h, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.1, SOC_2_CC6.6, SOC_2_CC6.7, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_2.4A, SWIFT_CSCF_v2021_2.5A, UK_NCSC_CSP_1
GA BuiltIn
App Service App Service 399b2637-a50f-4f95-96f8-3a145476eb15 Function apps should require FTPS only Enable FTPS enforcement for enhanced security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/ftpsState
IF (1)
•Microsoft.Web/sites
count: 024
Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, CIS_Azure_1.3.0_9.10, CIS_Azure_1.4.0_9.10, CMMC_2.0_L2_SC.L2-3.13.8, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_SS-9, NZISM_Security_Benchmark_v1.1_CR-7, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.4, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.1, SOC_2_CC6.6, SOC_2_CC6.7
GA BuiltIn
App Service App Service 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 Function apps should use an Azure file share for its content directory The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Web/sites/storageAccountRequired
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service e2c1c086-2d84-4019-bff3-c44ccd95113c Function apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps lets you take advantage of security fixes, if any, and/or new functionalities of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.http20Enabled
IF (1)
•Microsoft.Web/sites
count: 016
CIS_Azure_1.1.0_9.10, CIS_Azure_1.3.0_9.9, CIS_Azure_1.4.0_9.9, CMMC_2.0_L2_SI.L1-3.14.1, CMMC_L3_SI.1.210, FedRAMP_High_R4_SI-2, FedRAMP_Moderate_R4_SI-2, NIST_SP_800-171_R2_3.14.1, NIST_SP_800-53_R4_SI-2, NIST_SP_800-53_R4_SI-2(6), NIST_SP_800-53_R5_SI-2, NIST_SP_800-53_R5_SI-2(6), NZ_ISM_v3.5_SS-9, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.8, SOC_2_CC8.1
GA BuiltIn
App Service App Service 0da106f2-4ca3-48e8-bc85-c638fe6aea8f Function apps should use managed identity Use a managed identity for enhanced authentication security Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/config/managedServiceIdentityId
•Microsoft.Web/sites/config/xmanagedServiceIdentityId
IF (1)
•Microsoft.Web/sites
count: 043
Azure_Security_Benchmark_v1.0_7.12, Azure_Security_Benchmark_v2.0_IM-1, Azure_Security_Benchmark_v2.0_IM-2, Azure_Security_Benchmark_v3.0_IM-3, CIS_Azure_1.1.0_9.5, CIS_Azure_1.3.0_9.5, CIS_Azure_1.4.0_9.5, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, CMMC_2.0_L2_IA.L1-3.5.1, CMMC_2.0_L2_IA.L1-3.5.2, CMMC_2.0_L2_IA.L2-3.5.5, CMMC_2.0_L2_IA.L2-3.5.6, FedRAMP_High_R4_AC-2, FedRAMP_High_R4_AC-3, FedRAMP_High_R4_IA-2, FedRAMP_High_R4_IA-4, FedRAMP_Moderate_R4_AC-2, FedRAMP_Moderate_R4_AC-3, FedRAMP_Moderate_R4_IA-2, FedRAMP_Moderate_R4_IA-4, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-171_R2_3.5.1, NIST_SP_800-171_R2_3.5.2, NIST_SP_800-171_R2_3.5.5, NIST_SP_800-171_R2_3.5.6, NIST_SP_800-53_R4_AC-2, NIST_SP_800-53_R4_AC-3, NIST_SP_800-53_R4_IA-2, NIST_SP_800-53_R4_IA-4, NIST_SP_800-53_R5_AC-2, NIST_SP_800-53_R5_AC-3, NIST_SP_800-53_R5_IA-2, NIST_SP_800-53_R5_IA-4, NZ_ISM_v3.5_AC-2, NZISM_Security_Benchmark_v1.1_AC-2, RBI_CSF_Banks_v2016_6.4, RBI_CSF_Banks_v2016_8.4, RMiT_v1.0_10.54, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_5.2, SWIFT_CSCF_v2021_5.4
GA BuiltIn
App Service App Service f9d614c5-c173-4d56-95a7-b4437057d193 Function apps should use the latest TLS version Periodically, newer versions are released for TLS either to fix security flaws, include additional functionality, or enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
count: 042
AU_ISM_1139, Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, Azure_Security_Benchmark_v3.0_NS-8, CIS_Azure_1.1.0_9.3, CIS_Azure_1.3.0_9.3, CIS_Azure_1.4.0_9.3, CMMC_2.0_L2_SC.L2-3.13.8, CMMC_L3_IA.3.084, CMMC_L3_SC.1.175, CMMC_L3_SC.3.185, CMMC_L3_SC.3.190, CMMC_L3_SI.1.210, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), hipaa-0809.01n2Organizational.1234-01.n, hipaa-0810.01n2Organizational.5-01.n, hipaa-0811.01n2Organizational.6-01.n, hipaa-0812.01n2Organizational.8-01.n, hipaa-0814.01n1Organizational.12-01.n, hipaa-0949.09y2Organizational.5-09.y, NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_CR-8, NZISM_Security_Benchmark_v1.1_CR-7, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.1, RBI_CSF_Banks_v2016_13.4, RBI_ITF_NBFC_v2017_3.1.h, RMiT_v1.0_10.68, SOC_2_CC6.1, SOC_2_CC6.6, SOC_2_CC6.7, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_2.6
GA BuiltIn
App Service App Service 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc Function apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 7238174a-fd10-4ef0-817e-fc820a951d73 Function apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service app-service_functionapp-enforce-latest-tls Latest TLS version should be used in your Function App Upgrade to the latest TLS version Default
AuditIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service app-service_functionapp-pull-from-specified-registry Linux function apps should only use a specified Azure Container Registry instance Ensure that Linux function apps can only pull custom images from a specified container registry Default
AuditIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 1
Website Contributor
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service Deny-AppServiceWebApp-http Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Deny
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA ALZ
Attestation Attestation 5e7e928c-8693-4a23-9bf3-1c77b9a8fe97 Azure Attestation providers should disable public network access To improve the security of Azure Attestation Service, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in aka.ms/azureattestation. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Attestation/attestationProviders/publicNetworkAccess
IF (1)
•Microsoft.Attestation/attestationProviders
GA BuiltIn
Attestation Attestation 7b256a2d-058b-41f8-bed9-3f870541c40a Azure Attestation providers should use private endpoints Private endpoints provide a way to connect Azure Attestation providers to your Azure resources without sending traffic over the public internet. By preventing public access, private endpoints help protect against undesired anonymous access. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (3)
•Microsoft.Attestation/attestationProviders/privateEndpointConnections/privateEndpoint
•Microsoft.Attestation/attestationProviders/privateEndpointConnections/privateLinkServiceConnectionState.status
•Microsoft.Attestation/attestationProviders/privateEndpointConnections/provisioningState
IF (1)
•Microsoft.Attestation/attestationProviders
GA BuiltIn
Authorization Authorization 920965ec-47a1-4db9-b85c-8612be3a081f Deploy or audit for a specific role assignment at the subscription scope This policy will validate that a specific role assignment exists or not. It can either audit for the role assignment or deploy it if it does not exist. Default
AuditIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 1
Owner
THEN-ExistenceCondition (2)
•Microsoft.Authorization/roleAssignments/principalId
•Microsoft.Authorization/roleAssignments/roleDefinitionId
IF (1)
•Microsoft.Resources/subscriptions
THEN-Deployment (2)
•Microsoft.Authorization/roleAssignments
•Microsoft.Authorization/roleDefinitions
GA Community
Automanage Automanage 270610db-8c04-438a-a739-e8e6745b22d3 [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Contributor
IF (8)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.id
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (2)
•Microsoft.Automanage/configurationProfileAssignments/accountId
•Microsoft.Automanage/configurationProfileAssignments/configurationProfile
IF (1)
•Microsoft.Compute/virtualMachines
Deprecated BuiltIn
Automanage Automanage e4953962-5ae4-43eb-bb92-d66fd5563487 [Preview]: A managed identity should be enabled on your machines Resources managed by Automanage should have a managed identity. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.HybridCompute/machines
count: 001
Azure Security Baseline
Preview BuiltIn
Automanage Automanage fd4726f4-a5fc-4540-912d-67c96fc992d5 [Preview]: Automanage Configuration Profile Assignment should be Conformant Resources managed by Automanage should have a status of Conformant or ConformantCorrected. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Automanage/configurationProfileAssignments/status
IF (1)
•Microsoft.AzureStackHci/clusters
count: 001
Automanage Best Practices
Preview BuiltIn
Automanage Automanage fb97d6e1-5c98-4743-a439-23e0977bad9e [Preview]: Boot Diagnostics should be enabled on virtual machines Azure virtual machines should have boot diagnostics enabled. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.enabled
IF (1)
•Microsoft.Compute/virtualMachines
count: 001
Boot Diagnostics
Preview BuiltIn
Automanage Automanage f889cab7-da27-4c41-a3b0-de1f6f87c550 Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 1
Contributor
IF (9)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.id
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/machines/osSku
THEN-ExistenceCondition (1)
•Microsoft.Automanage/configurationProfileAssignments/configurationProfile
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Automanage Automanage b025cfb4-3702-47c2-9110-87fe0cfcc99b Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 1
Contributor
IF (9)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.id
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/machines/osSku
THEN-ExistenceCondition (1)
•Microsoft.Automanage/configurationProfileAssignments/configurationProfile
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Automanage Automanage 6d02d2f7-e38b-4bdc-96f3-adc0a8726abc Hotpatch should be enabled for Windows Server Azure Edition VMs Minimize reboots and install updates quickly with hotpatch. Learn more at https://docs.microsoft.com/azure/automanage/automanage-hotpatch Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.enableHotpatching
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku
IF (1)
•Microsoft.Compute/virtualMachines
count: 002
RBI_CSF_Banks_v2016_21.2, RBI_CSF_Banks_v2016_5.2
GA BuiltIn
Automation Automation automation_audit-automation-account-variable-encryption Audit encryption of Automation account variables It is important to enable encryption of Automation account variable assets when storing sensitive data Fixed
Audit
IF (1)
•Microsoft.Automation/automationAccounts/variables/isEncrypted
GA Community
Automation Automation dea83a72-443c-4292-83d5-54a2f98749c0 Automation Account should have Managed Identity Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using a RunAs Account in your runbook code. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 3657f5a0-770e-44a3-b44e-9431ba1e9735 Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Automation/automationAccounts/variables/isEncrypted
count: 032
Azure_Security_Benchmark_v1.0_4.8, Azure_Security_Benchmark_v2.0_DP-5, Azure_Security_Benchmark_v3.0_DP-4, CMMC_2.0_L2_SC.L2-3.13.16, CMMC_L3_SC.3.177, CMMC_L3_SC.3.191, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), ISO27001-2013_A.10.1.1, NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1), NZ_ISM_v3.5_CR-3, PCI_DSS_V3.2.1_3.4, PCI_DSS_V3.2.1_4.1, PCI_DSS_V3.2.1_6.5.3, PCI_DSS_v4.0_3.5.1, PCI_DSS_v4.0_6.2.4, RBI_CSF_Banks_v2016_13.4, RBI_ITF_NBFC_v2017_3.1.h, SOC_2_CC6.1, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_2.4A, SWIFT_CSCF_v2021_2.5A, SWIFT_CSCF_v2022_2.1, SWIFT_CSCF_v2022_2.4A, SWIFT_CSCF_v2022_2.5A, UK_NCSC_CSP_2.3
GA BuiltIn
Automation Automation 955a914f-bf86-4f0e-acd5-e0766b0efcb6 Automation accounts should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Automation/automationAccounts/publicNetworkAccess
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 48c5f1cb-14ad-4797-8e3b-f78ab3f8d700 Azure Automation account should have local authentication method disabled Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Automation/automationAccounts/disableLocalAuth
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 56a5ee18-2ae6-4810-86f7-18e39ce5629b Azure Automation accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Automation/automationAccounts/encryption.keySource
IF (1)
•Microsoft.Automation/automationAccounts
count: 006
CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12
GA BuiltIn
Automation Automation 30d1d58e-8f96-47a5-8564-499a3f3cca81 Configure Azure Automation account to disable local authentication Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (1)
•Microsoft.Automation/automationAccounts/disableLocalAuth
THEN-Operations (1)
•Microsoft.Automation/automationAccounts/disableLocalAuth
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 23b36a7c-9d26-4288-a8fd-c1d2fa284d8c Configure Azure Automation accounts to disable public network access Disable public network access for Azure Automation accounts so that they aren't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (1)
•Microsoft.Automation/automationAccounts/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Automation/automationAccounts/publicNetworkAccess
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 6dd01e4f-1be1-4e80-9d0b-d109e04cb064 Configure Azure Automation accounts with private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. You need a private DNS zone properly configured to connect to an Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Automation Automation c0c3130e-7dda-4187-aed0-ee4a472eaa60 Configure private endpoint connections on Azure Automation accounts Private endpoint connections allow secure communication by enabling private connectivity to Azure Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Contributor
Network Contributor
THEN-ExistenceCondition (1)
•Microsoft.Automation/automationAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Automation/automationAccounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Automation Automation compute_deploy-dsc-extension Deploy DSC Extension to Azure VM and Arc connected machines Deploys the DSC extension and assigns a configuration artifact from a URL location. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (4)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
•Microsoft.HybridCompute/machines/extensions
GA Community
Automation Automation Deny-AA-child-resources No child resources in Automation Account This policy denies the creation of child resources on the Automation Account. Default
Deny
Allowed
Audit, Deny, Disabled
GA ALZ
Automation Automation automation_onboard-to-automation-dsc Onboard Azure VM and Arc connected machines to Azure Automation DSC Deploys the DSC extension to onboard nodes to Azure Automation DSC. Does not assign a configuration. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (4)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
•Microsoft.HybridCompute/machines/extensions
GA Community
Automation Automation 0c2b3618-68a8-4034-a150-ff4abc873462 Private endpoint connections on Automation Accounts should be enabled Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Automation/automationAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Azure Active Directory Azure Active Directory 3aa87b5a-7813-4b57-8a43-42dd9df5aaa7 Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.AAD/domainServices/domainSecuritySettings.tlsV1
IF (1)
•Microsoft.AAD/domainServices
GA BuiltIn
Azure Active Directory Azure Active Directory 2e9411a0-0c5a-44b3-9ddb-ff10a1a2bf28 Azure Active Directory should use private link to access Azure services Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should only be used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.aadiam/privateLinkForAzureAD
GA BuiltIn
Azure Active Directory Azure Active Directory 7e4301f9-5f32-4738-ad9f-7ec2d15563ad Configure Private Link for Azure AD to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure AD. Learn more at: https://aka.ms/privateLinkforAzureADDocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.aadiam/privateLinkForAzureAD
•Microsoft.Network/privateEndpoints
GA BuiltIn
Azure Active Directory Azure Active Directory b923afcf-4c3a-4ed6-8386-1ff64b68de47 Configure Private Link for Azure AD with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should only be used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Contributor
THEN-ExistenceCondition (1)
•microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.aadiam/privateLinkForAzureAD
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Azure Arc Azure Arc 7eab1da3-2bf0-4ff0-8303-1a4277c380e8 Azure Arc Private Link Scopes should be configured with a private endpoint Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Arc Private Link Scopes, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections[*]
•Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HybridCompute/privateLinkScopes
GA BuiltIn
Azure Arc Azure Arc 898f2439-3333-4713-af25-f1d78bc50556 Azure Arc Private Link Scopes should disable public network access Disabling public network access improves security by ensuring that Azure Arc resources cannot connect via the public internet. Creating private endpoints can limit exposure of Azure Arc resources. Learn more at: https://aka.ms/arc/privatelink. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess
IF (1)
•Microsoft.HybridCompute/privateLinkScopes
GA BuiltIn
Azure Arc Azure Arc 12e7176a-4919-47ef-922b-34eda4c7f0ce Azure Arc-enabled kubernetes clusters should be configured with an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Kubernetes/connectedClusters/privateLinkScopeResourceId
IF (1)
•Microsoft.Kubernetes/connectedClusters
GA BuiltIn
Azure Arc Azure Arc efa3f296-ff2b-4f38-bc0d-5ef12c965b68 Azure Arc-enabled servers should be configured with an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.HybridCompute/machines/privateLinkScopeResourceId
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Azure Arc Azure Arc de0bc8ea-76e2-4fe2-a288-a07556d0e9c4 Configure Azure Arc Private Link Scopes to disable public network access Disable public network access for your Azure Arc Private Link Scope so that associated Azure Arc resources cannot connect to Azure Arc services over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/arc/privatelink. Default
Modify
Allowed
Modify, Disabled
count: 1
Azure Connected Machine Resource Administrator
IF (1)
•Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess
THEN-Operations (1)
•Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess
IF (1)
•Microsoft.HybridCompute/privateLinkScopes
GA BuiltIn
Azure Arc Azure Arc 55c4db33-97b0-437b-8469-c4f4498f5df9 Configure Azure Arc Private Link Scopes to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.HybridCompute/privateLinkScopes
•Microsoft.Network/privateEndpoints
GA BuiltIn
Azure Arc Azure Arc d6eeba80-df61-4de5-8772-bc1b7852ba6b Configure Azure Arc Private Link Scopes with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 3
Azure Connected Machine Resource Administrator
Kubernetes Cluster - Azure Arc Onboarding
Network Contributor
THEN-ExistenceCondition (1)
•Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HybridCompute/privateLinkScopes
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Azure Arc Azure Arc 4002015b-1272-4dfb-8943-fed4aeec39b6 Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default
Modify
Allowed
Modify, Disabled
count: 1
Kubernetes Cluster - Azure Arc Onboarding
IF (1)
•Microsoft.Kubernetes/connectedClusters/privateLinkScopeResourceId
THEN-Operations (2)
•Microsoft.Kubernetes/connectedClusters/privateLinkScopeResourceId
•Microsoft.Kubernetes/connectedClusters/privateLinkState
IF (1)
•Microsoft.Kubernetes/connectedClusters
GA BuiltIn
Azure Arc Azure Arc a3461c8c-6c9d-4e42-a644-40ba8a1abf49 Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default
Modify
Allowed
Modify, Disabled
count: 1
Azure Connected Machine Resource Administrator
IF (1)
•Microsoft.HybridCompute/machines/privateLinkScopeResourceId
THEN-Operations (1)
•Microsoft.HybridCompute/machines/privateLinkScopeResourceId
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Azure Data Explorer Azure Data Explorer 8945ba5e-918e-4a57-8117-fe615d12e3ba All Database Admin on Azure Data Explorer should be disabled Disable the All Database Admin role to restrict the granting of highly privileged/administrative user roles. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Kusto/Clusters/principalAssignments/role
IF (1)
•Microsoft.Kusto/Clusters/principalAssignments
GA BuiltIn
Azure Data Explorer Azure Data Explorer f7735886-8927-431f-b201-c953922512b8 Azure Data Explorer cluster should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.Kusto/Clusters/PrivateEndpointConnections[*]
•Microsoft.Kusto/Clusters/PrivateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Kusto/Clusters
GA BuiltIn
Azure Data Explorer Azure Data Explorer 81e74cea-30fd-40d5-802f-d72103c2aaaa Azure Data Explorer encryption at rest should use a customer-managed key Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is often applicable to customers with special compliance requirements and requires a Key Vault to manage the keys. Default
Audit
Allowed
Audit, Deny, Disabled
IF (4)
•Microsoft.Kusto/clusters/keyVaultProperties
•Microsoft.Kusto/clusters/keyVaultProperties.keyName
•Microsoft.Kusto/clusters/keyVaultProperties.keyVaultUri
•Microsoft.Kusto/clusters/keyVaultProperties.keyVersion
IF (1)
•Microsoft.Kusto/Clusters
count: 007
CMMC_2.0_L2_SC.L2-3.13.10, CMMC_L3_SC.3.177, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12
GA BuiltIn
Azure Data Explorer Azure Data Explorer 1fec9658-933f-4b3e-bc95-913ed22d012b Azure Data Explorer should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Kusto/clusters/sku.tier
IF (1)
•Microsoft.Kusto/clusters
GA BuiltIn
Azure Data Explorer Azure Data Explorer a47272e1-1d5d-4b0b-b366-4873f1432fe0 Configure Azure Data Explorer clusters with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. Learn more at: [ServiceSpecificAKA.ms]. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Network Contributor
SQL Server Contributor
THEN-ExistenceCondition (1)
•Microsoft.Kusto/Clusters/PrivateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Kusto/Clusters
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Azure Data Explorer Azure Data Explorer 7b32f193-cb28-4e15-9a98-b9556db0bafa Configure Azure Data Explorer to disable public network access Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables public network access for all Azure Data Explorer clusters. Default
Modify
Allowed
Modify, Disabled
count: 1
SQL Server Contributor
IF (1)
•Microsoft.Kusto/clusters/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Kusto/clusters/publicNetworkAccess
IF (1)
•Microsoft.Kusto/clusters
GA BuiltIn
Azure Data Explorer Azure Data Explorer f4b53539-8df9-40e4-86c6-6b607703bd4e Disk encryption should be enabled on Azure Data Explorer Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Kusto/clusters/enableDiskEncryption
IF (1)
•Microsoft.Kusto/Clusters
count: 014
ACAT_Security_Policies, CMMC_2.0_L2_SC.L2-3.13.16, CMMC_L3_SC.3.177, CMMC_L3_SC.3.191, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1), RBI_ITF_NBFC_v2017_3.1.h
GA BuiltIn
Azure Data Explorer Azure Data Explorer ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 Double encryption should be enabled on Azure Data Explorer Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Kusto/clusters/enableDoubleEncryption
IF (1)
•Microsoft.Kusto/Clusters
count: 012
CMMC_2.0_L2_SC.L2-3.13.16, CMMC_L3_SC.3.177, CMMC_L3_SC.3.191, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1)
GA BuiltIn
Azure Data Explorer Azure Data Explorer 43bc7be6-5e69-4b0d-a2bb-e815557ca673 Public network access on Azure Data Explorer should be disabled Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Kusto/clusters/publicNetworkAccess
IF (1)
•Microsoft.Kusto/clusters
GA BuiltIn
Azure Data Explorer Azure Data Explorer 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413 Virtual network injection should be enabled for Azure Data Explorer Secure your network perimeter with virtual network injection, which allows you to enforce network security group rules, connect to on-premises networks, and secure your data connection sources with service endpoints. Default
Audit
Allowed
Audit, Deny, Disabled
IF (4)
•Microsoft.Kusto/clusters/virtualNetworkConfiguration
•Microsoft.Kusto/clusters/virtualNetworkConfiguration.dataManagementPublicIpId
•Microsoft.Kusto/clusters/virtualNetworkConfiguration.enginePublicIpId
•Microsoft.Kusto/clusters/virtualNetworkConfiguration.subnetId
IF (1)
•Microsoft.Kusto/Clusters
GA BuiltIn
Azure Databricks Azure Databricks b76cbbfe-4af8-44ad-ac54-c460d0907796 Audit - Databricks should use customer-managed key for encrypting DBFS Customer-managed key should be used to encrypt DBFS in Databricks service. The policy marks a resource Noncompliant if the prepareEncryption value is not set to true. The resource is also marked Noncompliant when the keySource value does not exist. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.Databricks/workspaces/parameters.encryption.value.keySource
•Microsoft.Databricks/workspaces/parameters.prepareEncryption.value
IF (1)
•Microsoft.Databricks/workspaces
GA Community
Azure Databricks Azure Databricks 69df3b75-5432-4e6b-bb18-b41c64b09145 Audit - Databricks should use customer-managed key for encrypting managed services Customer-managed key based encryption should be configured for Databricks' managed services. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Databricks/workspaces/encryption.entities.managedServices.keySource
IF (1)
•Microsoft.Databricks/workspaces
GA Community
Azure Databricks Azure Databricks 51c1490f-3319-459c-bbbc-7f391bbed753 Azure Databricks Clusters should disable public IP Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value
IF (1)
•Microsoft.Databricks/workspaces
count: 001
Azure_Security_Benchmark_v3.0_NS-2
GA BuiltIn
Azure Databricks Azure Databricks 9c25c9e4-ee12-4882-afd2-11fb9d87893f Azure Databricks Workspaces should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. Default
Audit
Allowed
Audit, Deny, Disabled
IF (3)
•Microsoft.Databricks/workspaces/parameters.customPrivateSubnetName.value
•Microsoft.Databricks/workspaces/parameters.customPublicSubnetName.value
•Microsoft.Databricks/workspaces/parameters.customVirtualNetworkId.value
IF (1)
•Microsoft.Databricks/workspaces
count: 001
Azure_Security_Benchmark_v3.0_NS-2
GA BuiltIn
Azure Databricks Azure Databricks 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption Only allow Databricks workspaces with the Premium SKU, which your organization can deploy to support features like Private Link and customer-managed keys for encryption. Learn more at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Databricks/workspaces/sku.name
IF (1)
•Microsoft.Databricks/workspaces
GA BuiltIn
Azure Databricks Azure Databricks 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 Azure Databricks Workspaces should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Databricks/workspaces/publicNetworkAccess
IF (1)
•Microsoft.Databricks/workspaces
count: 001
Azure_Security_Benchmark_v3.0_NS-2
GA BuiltIn
Azure Databricks Azure Databricks 258823f2-4595-4b52-b333-cc96192710d8 Azure Databricks Workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.Databricks/workspaces/privateEndpointConnections[*]
•Microsoft.Databricks/workspaces/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Databricks/workspaces
count: 001
Azure_Security_Benchmark_v3.0_NS-2
GA BuiltIn
Azure Databricks Azure Databricks 0eddd7f3-3d9b-4927-a07a-806e8ac9486c Configure Azure Databricks workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.Databricks/workspaces
•Microsoft.Network/privateEndpoints
GA BuiltIn
Azure Databricks Azure Databricks 09210db3-d32c-4b2b-b4e1-f72ae920eb11 Configure Azure Databricks Workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Contributor
THEN-ExistenceCondition (1)
•Microsoft.Databricks/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Databricks/workspaces
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Azure Databricks Azure Databricks 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Log Analytics Contributor
Monitoring Contributor
THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.Databricks/workspaces
GA BuiltIn
Azure Databricks Azure Databricks 138ff14d-b687-4faa-a81c-898c91a87fa2 Resource logs in Azure Databricks Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.Databricks/workspaces
count: 001
Azure_Security_Benchmark_v3.0_LT-3
GA BuiltIn
Azure DNS Azure DNS network_enforce_azfw_dns_servers Enforce Firewall Policy DNS servers This policy prevents setting non-authorized DNS servers for firewall policies. Default
Audit
Allowed
Deny, Audit, Disabled
IF (1)
•Microsoft.Network/firewallPolicies/dnsSettings.servers[*]
GA Community
Azure DNS Azure DNS network_enforce_vnet_dns_servers Enforce VNET DNS servers This policy prevents setting non-authorized DNS servers for VNETs. Default
Audit
Allowed
Deny, Audit, Disabled
IF (1)
•Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]
GA Community
Azure Edge Hardware Center Azure Edge Hardware Center 08a6b96f-576e-47a2-8511-119a212d344d Azure Edge Hardware Center devices should have double encryption support enabled Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.EdgeOrder/orderItems/orderItemDetails.preferences.encryptionPreferences.doubleEncryptionStatus
•Microsoft.EdgeOrder/orderItems/orderItemDetails.productDetails.productDoubleEncryptionStatus
IF (1)
•Microsoft.EdgeOrder/orderItems
GA BuiltIn
Azure Load Testing Azure Load Testing 65c4f833-1f2e-426c-8780-f6d7593bed7a Azure load testing resource should use customer-managed keys to encrypt data at rest Use customer-managed keys (CMK) to manage the encryption at rest for your Azure Load Testing resource. By default the encryption is done using service-managed keys; customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/load-testing/how-to-configure-customer-managed-keys?tabs=portal. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.LoadTestService/loadTests/encryption.keyUrl
IF (1)
•Microsoft.LoadTestService/loadtests
GA BuiltIn
Azure Purview Azure Purview 9259053b-ddb8-40ab-842a-0aef19d0ade4 Azure Purview accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.Purview/accounts/privateEndpointConnections[*]
•Microsoft.Purview/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Purview/accounts
GA BuiltIn
Azure Stack Edge Azure Stack Edge b4ac1030-89c5-4697-8e00-28b5ba6a8811 Azure Stack Edge devices should use double-encryption To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
IF (1)
•Microsoft.DataboxEdge/DataBoxEdgeDevices/sku.name
IF (1)
•Microsoft.DataBoxEdge/DataBoxEdgeDevices
count: 010
CMMC_2.0_L2_SC.L2-3.13.16, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1)
GA BuiltIn
Backup Backup 9ebbbba3-4d65-4da9-bb67-b22cfaaff090 [Preview]: Azure Recovery Services vaults should disable public network access Disabling public network access improves security by ensuring that the Recovery Services vault is not exposed on the public internet. Creating private endpoints can limit exposure of the Recovery Services vault. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.RecoveryServices/vaults/publicNetworkAccess
IF (1)
•Microsoft.RecoveryServices/vaults
Preview BuiltIn
Backup Backup 2e94d99a-8a36-4563-bc77-810d8893b671 [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.RecoveryServices/vaults/encryption.infrastructureEncryption
•Microsoft.RecoveryServices/vaults/encryption.keyVaultProperties.keyUri
IF (1)
•Microsoft.RecoveryServices/vaults
count: 010
CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, RBI_ITF_NBFC_v2017_6, RBI_ITF_NBFC_v2017_6.2, RBI_ITF_NBFC_v2017_6.3, RBI_ITF_NBFC_v2017_6.4
Preview BuiltIn
Backup Backup deeddb44-9f94-4903-9fa0-081d524406e3 [Preview]: Azure Recovery Services vaults should use private link for backup Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. Default
Audit
Allowed
Audit, Disabled
IF (4)
•Microsoft.RecoveryServices/vaults/privateEndpointConnections[*]
•Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].id
•Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status
•Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].provisioningState
IF (1)
•Microsoft.RecoveryServices/vaults
count: 005
RBI_CSF_Banks_v2016_14.1, RBI_ITF_NBFC_v2017_6, RBI_ITF_NBFC_v2017_6.2, RBI_ITF_NBFC_v2017_6.3, RBI_ITF_NBFC_v2017_6.4
Preview BuiltIn
Backup Backup 04726aae-4e8d-427c-af7d-ecf56d490022 [Preview]: Configure Azure Recovery Services vaults to disable public network access Disable public network access for your Recovery services vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. Default
Modify
Allowed
Modify, Disabled
count: 1
Backup Contributor
IF (1)
•Microsoft.RecoveryServices/vaults/publicNetworkAccess
THEN-Operations (1)
•Microsoft.RecoveryServices/vaults/publicNetworkAccess
IF (1)
•Microsoft.RecoveryServices/vaults
Preview BuiltIn
Backup Backup 615b01c4-d565-4f6f-8c6e-d130268e3a1a [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 1
Backup Contributor
IF (3)
•Microsoft.Storage/storageAccounts/isHnsEnabled
•Microsoft.Storage/storageAccounts/isNfsV3Enabled
•Microsoft.Storage/storageAccounts/sku.name
THEN-ExistenceCondition (1)
•Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled
IF (1)
•Microsoft.Storage/StorageAccounts
THEN-Deployment (3)
•Microsoft.Resources/deployments
•Microsoft.Storage/storageAccounts
•Microsoft.Storage/storageAccounts/blobServices
Preview BuiltIn
Backup Backup 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 1
Backup Contributor
IF (3)
•Microsoft.Storage/storageAccounts/isHnsEnabled
•Microsoft.Storage/storageAccounts/isNfsV3Enabled
•Microsoft.Storage/storageAccounts/sku.name
THEN-ExistenceCondition (1)
•Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled
IF (1)
•Microsoft.Storage/StorageAccounts
THEN-Deployment (3)
•Microsoft.Resources/deployments
•Microsoft.Storage/storageAccounts
•Microsoft.Storage/storageAccounts/blobServices
Preview BuiltIn
Backup Backup af783da1-4ad1-42be-800d-d19c70038820 [Preview]: Configure Recovery Services vaults to use private DNS zones for backup Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.Network/privateEndpoints
•Microsoft.RecoveryServices/vaults
Preview BuiltIn
Backup Backup 8015d6ed-3641-4534-8d0b-5c67b67ff7de [Preview]: Configure Recovery Services vaults to use private endpoints for backup Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain pre-requisites to be eligible for private endpoint configuration. Learn more at: https://go.microsoft.com/fwlink/?linkid=2187162. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (1)
•Microsoft.RecoveryServices/vaults/backupStorageVersion
IF (1)
•Microsoft.RecoveryServices/vaults
THEN-Deployment (1)
•Microsoft.Network/privateEndpoints
Preview BuiltIn
Backup Backup f19b0c83-716f-4b81-85e3-2dbf057c35d6 [Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. Default
Modify
Allowed
Modify, Disabled
count: 1
Backup Contributor
IF (1)
•Microsoft.RecoveryServices/vaults/restoreSettings.crossSubscriptionRestoreSettings.crossSubscriptionRestoreState
THEN-Operations (1)
•Microsoft.RecoveryServices/vaults/restoreSettings.crossSubscriptionRestoreSettings.crossSubscriptionRestoreState
IF (1)
•Microsoft.RecoveryServices/vaults
Preview BuiltIn
Backup Backup 4d479a11-f2b5-4f0a-bb1e-d2332aa95cda [Preview]: Disable Cross Subscription Restore for Backup Vaults Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. Default
Modify
Allowed
Modify, Disabled
count: 1
Backup Contributor
IF (1)
•Microsoft.DataProtection/backupVaults/featureSettings.crossSubscriptionRestoreSettings.state
THEN-Operations (1)
•Microsoft.DataProtection/backupVaults/featureSettings.crossSubscriptionRestoreSettings.state
IF (1)
•Microsoft.DataProtection/backupVaults
Preview BuiltIn
Backup Backup 2514263b-bc0d-4b06-ac3e-f262c0979018 [Preview]: Immutability must be enabled for backup vaults This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.DataProtection/backupVaults/securitySettings.immutabilitySettings.State
IF (1)
•Microsoft.DataProtection/backupvaults
Preview BuiltIn
Backup Backup 9798d31d-6028-4dee-8643-46102185c016 [Preview]: Soft delete should be enabled for Backup Vaults This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.DataProtection/backupVaults/securitySettings.softDeleteSettings.state
IF (1)
•Microsoft.DataProtection/backupvaults
Preview BuiltIn
Backup Backup 013e242c-8828-4970-87b3-ab247555486d Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
IF (1)
•Microsoft.Compute/imagePublisher
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Details (1)
•Microsoft.RecoveryServices/backupprotecteditems
count: 030
Azure_Security_Benchmark_v1.0_9.1, Azure_Security_Benchmark_v1.0_9.2, Azure_Security_Benchmark_v2.0_BR-1, Azure_Security_Benchmark_v2.0_BR-2, Azure_Security_Benchmark_v3.0_BR-1, Azure_Security_Benchmark_v3.0_BR-2, CMMC_2.0_L2_MP.L2-3.8.9, CMMC_L3_RE.2.137, CMMC_L3_RE.3.139, FedRAMP_High_R4_CP-9, FedRAMP_Moderate_R4_CP-9, hipaa-1620.09l1Organizational.8-09.l, hipaa-1625.09l3Organizational.34-09.l, hipaa-1699.09l1Organizational.10-09.l, NIST_SP_800-171_R2_3.8.9, NIST_SP_800-53_R4_CP-9, NIST_SP_800-53_R5_CP-9, RBI_CSF_Banks_v2016_13.3, RBI_CSF_Banks_v2016_19.5, RBI_ITF_NBFC_v2017_5.2, RBI_ITF_NBFC_v2017_6, RBI_ITF_NBFC_v2017_6.2, RBI_ITF_NBFC_v2017_6.3, RMiT_v1.0_10.30, SOC_2_A1.2, SOC_2_PI1.5, SWIFT_CSCF_v2021_2.5A, SWIFT_CSCF_v2021_6.4, SWIFT_CSCF_v2022_2.5A, SWIFT_CSCF_v2022_6.4
GA BuiltIn
Backup Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 2
Backup Contributor
Virtual Machine Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.RecoveryServices/vaults
GA BuiltIn
Backup Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 2
Backup Contributor
Virtual Machine Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Resources/deployments
GA BuiltIn
Backup Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 2
Backup Contributor
Virtual Machine Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.RecoveryServices/vaults
GA BuiltIn
Backup Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 2
Backup Contributor
Virtual Machine Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Resources/deployments
count: 001
RMiT_v1.0_11.4
GA BuiltIn
Backup Backup c717fb0c-d118-4c43-ab3d-ece30ac81fb3 Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. Fixed
deployIfNotExists
count: 2
Log Analytics Contributor
Monitoring Contributor
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].Category
•Microsoft.Insights/diagnosticSettings/logs[*].Enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.RecoveryServices/vaults
GA BuiltIn
Backup Backup d1ad6c00-a48d-4039-87a9-8662253c303f Resource Lock should be enabled With this policy, any resource that has the tag key LockLevel with the value CanNotDelete is locked: authorized users can read and modify the resource, but they can't delete it. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled, AuditIfNotExists
count: 1
Owner
THEN-ExistenceCondition (2)
•Microsoft.Authorization/locks/level
•Microsoft.Authorization/locks/notes
THEN-Deployment (1)
•Microsoft.Authorization/locks
GA Community
Batch Batch monitoring_batch-account-audit-metric-alert-rules-configuration Audit configuration of metric alert rules on Batch accounts Audit configuration of metric alert rules on Batch accounts to enable the required metric. Fixed
AuditIfNotExists
THEN-ExistenceCondition (3)
•Microsoft.Insights/alertRules/condition.dataSource.metricName
•Microsoft.Insights/alertRules/condition.dataSource.resourceUri
•Microsoft.Insights/alertRules/isEnabled
IF (1)
•Microsoft.Batch/batchAccounts
GA Community
Batch Batch monitoring_audit-enabling-diagnostic-logs-batch-accounts Audit enabling of diagnostic logs in Batch accounts Audit enabling of logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. Fixed
AuditIfNotExists
THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
IF (1)
•Microsoft.Batch/batchAccounts
GA Community
Batch Batch 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a Azure Batch account should use customer-managed keys to encrypt data Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Batch/batchAccounts/encryption.keySource
IF (1)
•Microsoft.Batch/batchAccounts
count: 006
CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12
GA BuiltIn
Batch Batch 1760f9d4-7206-436e-a28f-d9f3a5c8a227 Azure Batch pools should have disk encryption enabled Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption. Default
Audit
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Batch/batchAccounts/pools/deploymentConfiguration.virtualMachineConfiguration.diskEncryptionConfiguration.targets[*]
IF (1)
•Microsoft.Batch/batchAccounts/pools
GA BuiltIn
Batch Batch 6f68b69f-05fe-49cd-b361-777ee9ca7e35 Batch accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*]
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 4dbc2f5c-51cf-4e38-9179-c7028eed2274 Configure Batch accounts to disable local authentication Disable local authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (2)
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*]
THEN-Operations (1)
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
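The two Batch rows above list the rule aliases of the audit policy (6f68b69f-05fe-49cd-b361-777ee9ca7e35, Audit/Deny on allowedAuthenticationModes and allowedAuthenticationModes[*]) and of its Modify counterpart (4dbc2f5c-51cf-4e38-9179-c7028eed2274) but not the rule bodies. The Python below is an added illustration, not code from Microsoft, from Azure Policy or from this catalog: a simplified evaluator for the few operators such rules use (allOf, anyOf, field with equals/exists, count with where), run over constructed sample accounts, followed by a simulation of the Modify operation. The rule body, the function names (resolve, evaluate, compare, compliance_report, apply_modify), the sample accounts, the treatment of an absent allowedAuthenticationModes as non-compliant and the replacement value ["AAD", "TaskAuthenticationToken"] are all assumptions reconstructed from the listed aliases and descriptions, not the exact built-in definitions.

```python
# Illustrative model of Azure Policy evaluation and Modify remediation, added to
# this page; not the Azure Policy engine, and the rule bodies are assumptions.
import copy

MISSING = object()  # the referenced property is absent on the resource

def resolve(resource, field):
    """Resolve 'type'/'name' or an alias '<resourceType>/<path>'. A path with
    '[*]' yields the list of matched elements; otherwise the value or MISSING."""
    if field in ("type", "name"):
        return resource.get(field, MISSING)
    prefix = resource["type"].lower() + "/"
    if not field.lower().startswith(prefix):
        return MISSING  # alias belongs to another resource type
    nodes, path = [resource.get("properties", {})], field[len(prefix):]
    for seg in path.split("."):
        star = seg.endswith("[*]")
        key = seg[:-3] if star else seg
        nxt = []
        for node in nodes:
            if isinstance(node, dict) and key in node:
                val = node[key]
                nxt.extend(val if star and isinstance(val, list) else [val])
        nodes = nxt
    return nodes if "[*]" in path else (nodes[0] if nodes else MISSING)

def _eq(a, b):  # Azure Policy string comparison is case-insensitive
    return a.lower() == b.lower() if isinstance(a, str) and isinstance(b, str) else a == b

def compare(value, cond):
    """Apply the single comparison operator present in cond."""
    if "equals" in cond:
        return value is not MISSING and _eq(value, cond["equals"])
    if "exists" in cond:
        return (value is not MISSING) == (str(cond["exists"]).lower() == "true")
    if "greater" in cond:
        return value is not MISSING and value > cond["greater"]
    raise ValueError("unsupported operator in %r" % (cond,))

def evaluate(cond, resource, bound=None):
    """Evaluate a rule condition. `bound` maps a '[*]' alias to the element
    currently examined inside a count/where expression."""
    bound = bound or {}
    if "allOf" in cond:
        return all(evaluate(c, resource, bound) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, bound) for c in cond["anyOf"])
    if "count" in cond:
        spec, where = cond["count"], cond["count"].get("where")
        items = resolve(resource, spec["field"])
        matched = sum(1 for it in ([] if items is MISSING else items)
                      if where is None or evaluate(where, resource, {spec["field"]: it}))
        return compare(matched, cond)
    field = cond["field"]
    return compare(bound[field] if field in bound else resolve(resource, field), cond)

BATCH = "Microsoft.Batch/batchAccounts"
MODES = BATCH + "/allowedAuthenticationModes"
# Reconstructed from the aliases listed for 6f68b69f-...: flag an account whose property
# is absent (assumed to mean the service default, every mode allowed) or still lists 'SharedKey'.
LOCAL_AUTH_IF = {"allOf": [
    {"field": "type", "equals": BATCH},
    {"anyOf": [
        {"field": MODES, "exists": "false"},
        {"count": {"field": MODES + "[*]",
                   "where": {"field": MODES + "[*]", "equals": "SharedKey"}},
         "greater": 0}]}]}
AUDIT_LOCAL_AUTH = {"if": LOCAL_AUTH_IF, "then": {"effect": "Audit"}}

# Modify counterpart (4dbc2f5c-...): same condition, then overwrite the list. The replacement
# value is an assumption; the Contributor role the table lists is not modelled here.
MODIFY_LOCAL_AUTH = {"if": LOCAL_AUTH_IF, "then": {"effect": "Modify", "details": {
    "operations": [{"operation": "addOrReplace", "field": MODES,
                    "value": ["AAD", "TaskAuthenticationToken"]}]}}}

def compliance_report(resources, policy):
    """Audit/Deny semantics: a resource whose 'if' matches is non-compliant."""
    return {r["name"]: "NonCompliant" if evaluate(policy["if"], r) else "Compliant"
            for r in resources}

def apply_modify(resource, policy):
    """Simulate Modify on a copy of the resource (top-level properties only)."""
    if not evaluate(policy["if"], resource):
        return resource
    fixed = copy.deepcopy(resource)
    props = fixed.setdefault("properties", {})
    for op in policy["then"]["details"]["operations"]:
        key = op["field"][len(resource["type"]) + 1:]  # strip '<resourceType>/'
        if op["operation"] == "addOrReplace" or (op["operation"] == "add" and key not in props):
            props[key] = op["value"]
        elif op["operation"] == "remove":
            props.pop(key, None)
    return fixed

# Constructed sample accounts, not real resources.
SAMPLE_ACCOUNTS = [
    {"name": "batch-legacy", "type": BATCH, "properties": {"allowedAuthenticationModes": ["SharedKey", "AAD"]}},
    {"name": "batch-aad-only", "type": BATCH, "properties": {"allowedAuthenticationModes": ["AAD", "TaskAuthenticationToken"]}},
    {"name": "batch-unset", "type": BATCH, "properties": {}},
]
```

Calling compliance_report(SAMPLE_ACCOUNTS, AUDIT_LOCAL_AUTH) marks batch-legacy and batch-unset NonCompliant and batch-aad-only Compliant; running every account through apply_modify(…, MODIFY_LOCAL_AUTH) and re-running the report yields Compliant for all three, which is the property the paired Audit and Modify definitions should have. The real engine resolves aliases through resource-provider API versions, evaluates Modify against the create/update request body (or in a remediation task) and performs the operations with the assignment's managed identity in the listed role; none of that is modelled here.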
Batch Batch c520cefc-285f-40f3-86e2-2efc38ef1f64 Configure Batch accounts to disable public network access Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (1)
•Microsoft.Batch/batchAccounts/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Batch/batchAccounts/publicNetworkAccess
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 0ef5aac7-c064-427a-b87b-d47b3ddcaf73 Configure Batch accounts with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/batch/private-connectivity. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Contributor
IF (1)
•Microsoft.Batch/batchAccounts/publicNetworkAccess
THEN-ExistenceCondition (1)
•Microsoft.Batch/batchAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Batch/batchAccounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Batch Batch 4ec38ebc-381f-45ee-81a4-acbc4be878f8 Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Batch Batch 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 Metric alert rules should be configured on Batch accounts Audit configuration of metric alert rules on Batch accounts to enable the required metric. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (3)
•Microsoft.Insights/alertRules/condition.dataSource.metricName
•Microsoft.Insights/alertRules/condition.dataSource.resourceUri
•Microsoft.Insights/alertRules/isEnabled
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 009a0c92-f5b4-4776-9b66-4ed2b4775563 Private endpoint connections on Batch accounts should be enabled Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at https://docs.microsoft.com/azure/batch/private-connectivity. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Batch/batchAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Batch/batchAccounts
count: 002
NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9
GA BuiltIn
Batch Batch 74c5a0ae-5e48-4738-b093-65e23a060488 Public network access should be disabled for Batch accounts Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Batch/batchAccounts/publicNetworkAccess
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 428256e6-1fac-4f48-a757-df34c2b3336d Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.Batch/batchAccounts
count: 027
Azure_Security_Benchmark_v1.0_2.3, Azure_Security_Benchmark_v2.0_LT-4, Azure_Security_Benchmark_v3.0_LT-3, CIS_Azure_1.3.0_5.3, CIS_Azure_1.4.0_5.3, CMMC_2.0_L2_AU.L2-3.3.1, CMMC_2.0_L2_AU.L2-3.3.2, FedRAMP_High_R4_AU-12, FedRAMP_High_R4_AU-12(1), FedRAMP_High_R4_AU-6(4), FedRAMP_High_R4_AU-6(5), FedRAMP_Moderate_R4_AU-12, hipaa-1205.09aa2System.1-09.aa, NIST_SP_800-171_R2_3.3.1, NIST_SP_800-171_R2_3.3.2, NIST_SP_800-53_R4_AU-12, NIST_SP_800-53_R4_AU-12(1), NIST_SP_800-53_R4_AU-6(4), NIST_SP_800-53_R4_AU-6(5), NIST_SP_800-53_R5_AU-12, NIST_SP_800-53_R5_AU-12(1), NIST_SP_800-53_R5_AU-6(4), NIST_SP_800-53_R5_AU-6(5), NZ_ISM_v3.5_AC-18, NZISM_Security_Benchmark_v1.1_AC-17, SWIFT_CSCF_v2021_6.4, SWIFT_CSCF_v2022_6.4
GA BuiltIn
Bot Service Bot Service 6164527b-e1ee-4882-8673-572f425f5e0a Bot Service endpoint should be a valid HTTPS URI Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
IF (1)
•Microsoft.BotService/botServices/endpoint
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service 51522a96-0869-4791-82f3-981000c2c67f Bot Service should be encrypted with a customer-managed key Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
IF (1)
•Microsoft.BotService/botServices/isCmekEnabled
IF (1)
•Microsoft.BotService/botServices
count: 006
CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12
GA BuiltIn
Bot Service Bot Service 52152f42-0dda-40d9-976e-abb1acdd611e Bot Service should have isolated mode enabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
IF (1)
•Microsoft.BotService/botServices/publicNetworkAccess
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service ffea632e-4e3a-4424-bf78-10e179bb2e1a Bot Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.BotService/botServices/disableLocalAuth
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service 5e8168db-69e3-4beb-9822-57cb59202a9d Bot Service should have public network access disabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.BotService/botServices/publicNetworkAccess
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service ad5621d6-a877-4407-aa93-a950b428315e BotService resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your BotService resource, data leakage risks are reduced. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.BotService/botServices/privateEndpointConnections[*]
•Microsoft.BotService/botServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service 6a4e6f44-f2af-4082-9702-033c9e88b9f8 Configure BotService resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.BotService/botServices
•Microsoft.Network/privateEndpoints
GA BuiltIn
Bot Service Bot Service 29261f8e-efdb-4255-95b8-8215414515d6 Configure BotService resources with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your BotService resource, you can reduce data leakage risks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
THEN-ExistenceCondition (1)
•Microsoft.BotService/botServices/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.BotService/botServices
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Budget Budget Deploy-Budget Deploy a default budget on all subscriptions under the assigned scope Deploy a default budget on all subscriptions under the assigned scope Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 1
Contributor
THEN-ExistenceCondition (3)
•Microsoft.Consumption/budgets/amount
•Microsoft.Consumption/budgets/category
•Microsoft.Consumption/budgets/timeGrain
IF (1)
•Microsoft.Resources/subscriptions
THEN-Deployment (1)
•Microsoft.Consumption/budgets
GA ALZ
Budget Budget Deny-MachineLearning-ComputeCluster-Scale Enforce scale settings for Azure Machine Learning compute clusters Enforce scale settings for Azure Machine Learning compute clusters. Default
Deny
Allowed
Audit, Disabled, Deny
IF (3)
•Microsoft.MachineLearningServices/workspaces/computes/computeType
•Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount
•Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes
GA ALZ
Budget Budget Deny-MachineLearning-Compute-VmSize Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances. Default
Deny
Allowed
Audit, Disabled, Deny
IF (2)
•Microsoft.MachineLearningServices/workspaces/computes/computeType
•Microsoft.MachineLearningServices/workspaces/computes/vmSize
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes
GA ALZ
Cache Cache 7d092e0a-7acd-40d2-a975-dca21cae48c4 [Deprecated]: Azure Cache for Redis should reside within a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Cache/Redis/subnetId
IF (1)
•Microsoft.Cache/redis
count: 001
Azure_Security_Benchmark_v2.0_NS-2
Deprecated BuiltIn
Cache Cache Append-Redis-sslEnforcement Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. Appends a specific minimum TLS version requirement and enforces SSL on Azure Cache for Redis. Enforcing a minimum TLS version secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
Append
Allowed
Append, Disabled
IF (1)
•Microsoft.Cache/Redis/minimumTlsVersion
THEN-Details (1)
•Microsoft.Cache/Redis/minimumTlsVersion
IF (1)
•Microsoft.Cache/redis
GA ALZ
Cache Cache Append-Redis-disableNonSslPort Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Appends and enforces that enableNonSslPort is disabled on Azure Cache for Redis. Disabling the non-SSL port secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
Append
Allowed
Append, Disabled
IF (1)
•Microsoft.Cache/Redis/enableNonSslPort
THEN-Details (1)
•Microsoft.Cache/Redis/enableNonSslPort
IF (1)
•Microsoft.Cache/redis
GA ALZ
Cache Cache Deny-Redis-http Azure Cache for Redis only secure connections should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Validates both the minimum TLS version and that enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. Default
Deny
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.Cache/Redis/enableNonSslPort
•Microsoft.Cache/Redis/minimumTlsVersion
IF (1)
•Microsoft.Cache/redis
GA ALZ
Cache Cache 470baccb-7e51-4549-8b1a-3e5be069f663 Azure Cache for Redis should disable public network access Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Cache/Redis/publicNetworkAccess
IF (1)
•Microsoft.Cache/Redis
GA BuiltIn
Cache Cache 7803067c-7d34-46e3-8c79-0ca68fc4036d Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Cache/redis/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Cache/redis
count: 037
Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3)
GA BuiltIn
Cache Cache 30b3dfa5-a70d-4c8e-bed6-0083858f663d Configure Azure Cache for Redis to disable public network access Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks. Default
Modify
Allowed
Modify, Disabled
count: 1
Redis Cache Contributor
IF (1)
•Microsoft.Cache/Redis/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Cache/Redis/publicNetworkAccess
IF (1)
•Microsoft.Cache/Redis
GA BuiltIn
Cache Cache e016b22b-e0eb-436d-8fd7-160c4eaed6e2 Configure Azure Cache for Redis to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Cache Cache 5d8094d7-7340-465a-b6fd-e60ab7e48920 Configure Azure Cache for Redis with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Redis Cache Contributor
THEN-ExistenceCondition (1)
•Microsoft.Cache/redis/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Cache/redis
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Cache Cache 22bee202-a82f-4305-9a2a-6d7f44d4dedb Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Cache/Redis/enableNonSslPort
IF (1)
•Microsoft.Cache/redis
count: 046
AU_ISM_1277, AU_ISM_1552, Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, CCCS_SC-8(1), CMMC_2.0_L2_SC.L2-3.13.8, CMMC_L3_AC.1.002, CMMC_L3_SC.1.175, CMMC_L3_SC.3.185, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), hipaa-0809.01n2Organizational.1234-01.n, hipaa-0810.01n2Organizational.5-01.n, hipaa-0811.01n2Organizational.6-01.n, hipaa-0812.01n2Organizational.8-01.n, hipaa-0814.01n1Organizational.12-01.n, hipaa-0946.09y2Organizational.14-09.y, hipaa-1451.05iCSPOrganizational.2-05.i, IRS_1075_9.3.16.6, ISO27001-2013_A.10.1.1, ISO27001-2013_A.13.2.1, NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_PS-4, NZISM_Security_Benchmark_v1.1_PS-4, PCI_DSS_V3.2.1_3.4, PCI_DSS_V3.2.1_4.1, PCI_DSS_V3.2.1_6.5.3, PCI_DSS_v4.0_3.5.1, PCI_DSS_v4.0_6.2.4, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.4, SOC_2_CC6.1, SOC_2_CC6.6, SOC_2_CC6.7, SWIFT_CSCF_v2021_2.4A, SWIFT_CSCF_v2021_2.6, SWIFT_CSCF_v2021_6.5A, UK_NCSC_CSP_1
GA BuiltIn
CDN CDN dfc212af-17ea-423a-9dcb-91e2cb2caa6b Azure Front Door profiles should use Premium tier that supports managed WAF rules and private link Azure Front Door Premium supports Azure managed WAF rules and private link to supported Azure origins. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Cdn/Profiles/sku.name
IF (1)
•Microsoft.Cdn/Profiles
GA BuiltIn
CDN CDN 679da822-78a7-4eff-8fff-a899454a9970 Azure Front Door Standard and Premium should be running minimum TLS version of 1.2 Setting minimal TLS version to 1.2 improves security by ensuring your custom domains are accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they are weak and do not support modern cryptographic algorithms. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Cdn/profiles/customDomains/tlsSettings.minimumTlsVersion
IF (1)
•Microsoft.Cdn/profiles/customDomains
GA BuiltIn
CDN CDN daba2cce-8326-4af3-b049-81a362da024d Secure private connectivity between Azure Front Door Premium and Azure Storage Blob, or Azure App Service Private link ensures private connectivity between AFD Premium and Azure Storage Blob or Azure App Service over the Azure backbone network, without the Azure Storage Blob or the Azure App Service being publicly exposed to the internet. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.Cdn/profiles/originGroups/origins/hostName
•Microsoft.Cdn/profiles/originGroups/origins/sharedPrivateLinkResource.privateLink
IF (1)
•Microsoft.Cdn/profiles/originGroups/origins
GA BuiltIn
ChangeTrackingAndInventory ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5192 [Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Log Analytics Contributor
Monitoring Contributor
IF (1)
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId
IF (1)
•Microsoft.HybridCompute/machines
THEN-Deployment (1)
•Microsoft.Insights/dataCollectionRuleAssociations
Preview BuiltIn
ChangeTrackingAndInventory ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 [Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of the Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Azure Connected Machine Resource Administrator
IF (1)
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (3)
•Microsoft.HybridCompute/machines/extensions/provisioningState
•Microsoft.HybridCompute/machines/extensions/publisher
•Microsoft.HybridCompute/machines/extensions/type
IF (1)
•Microsoft.HybridCompute/machines
THEN-Deployment (1)
•Microsoft.HybridCompute/machines/extensions
Preview BuiltIn
ChangeTrackingAndInventory ChangeTrackingAndInventory bef2d677-e829-492d-9a3d-f5a20fda818f [Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Log Analytics Contributor
Monitoring Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSku
THEN-ExistenceCondition (1)
•Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Insights/dataCollectionRuleAssociations
Preview BuiltIn
ChangeTrackingAndInventory ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Virtual Machine Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSku
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
Preview BuiltIn
ChangeTrackingAndInventory ChangeTrackingAndInventory 1142b015-2bd7-41e0-8645-a531afe09a1e [Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Log Analytics Contributor
Monitoring Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSku
THEN-ExistenceCondition (1)
•Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
THEN-Deployment (1)
•Microsoft.Insights/dataCollectionRuleAssociations
Preview BuiltIn
ChangeTrackingAndInventory ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Virtual Machine Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSku
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState
•Microsoft.Compute/virtualMachineScaleSets/extensions/publisher
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
THEN-Deployment (1)
•Microsoft.Compute/virtualMachineScaleSets/extensions
Preview BuiltIn
ChangeTrackingAndInventory ChangeTrackingAndInventory ef9fe2ce-a588-4edd-829c-6247069dcfdb [Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Log Analytics Contributor
Monitoring Contributor
IF (1)
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId
IF (1)
•Microsoft.HybridCompute/machines
THEN-Deployment (1)
•Microsoft.Insights/dataCollectionRuleAssociations
Preview BuiltIn
ChangeTrackingAndInventory ChangeTrackingAndInventory a7acfae7-9497-4a3f-a3b5-a16a50abbe2f [Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Azure Connected Machine Resource Administrator
IF (1)
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (3)
•Microsoft.HybridCompute/machines/extensions/provisioningState
•Microsoft.HybridCompute/machines/extensions/publisher
•Microsoft.HybridCompute/machines/extensions/type
IF (1)
•Microsoft.HybridCompute/machines
THEN-Deployment (1)
•Microsoft.HybridCompute/machines/extensions
Preview BuiltIn
ChangeTrackingAndInventory ChangeTrackingAndInventory b6faa975-0add-4f35-8d1c-70bba45c4424 [Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Log Analytics Contributor
Monitoring Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (1)
•Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Insights/dataCollectionRuleAssociations
Preview BuiltIn
ChangeTrackingAndInventory ChangeTrackingAndInventory ad1eeff9-20d7-4c82-a04e-903acab0bfc1 [Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Virtual Machine Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSku
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
Preview BuiltIn
ChangeTrackingAndInventory ChangeTrackingAndInventory 8fd85785-1547-4a4a-bf90-d5483c9571c5 [Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Log Analytics Contributor
Monitoring Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (1)
•Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
THEN-Deployment (1)
•Microsoft.Insights/dataCollectionRuleAssociations
Preview BuiltIn
ChangeTrackingAndInventory ChangeTrackingAndInventory 4485d24b-a9d3-4206-b691-1fad83bc5007 [Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Virtual Machine Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSku
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState
•Microsoft.Compute/virtualMachineScaleSets/extensions/publisher
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
THEN-Deployment (1)
•Microsoft.Compute/virtualMachineScaleSets/extensions
Preview BuiltIn
Cognitive Services Cognitive Services 2bdd0062-9d75-436e-89df-487dd8e4b3c7 [Deprecated]: Cognitive Services accounts should enable data encryption This policy is deprecated. Cognitive Services have data encryption enforced. Default
Disabled
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.CognitiveServices/accounts/encryption
•Microsoft.CognitiveServices/accounts/encryption.keySource
IF (1)
•Microsoft.CognitiveServices/accounts
Deprecated BuiltIn
Cognitive Services Cognitive Services 11566b39-f7f7-4b82-ab06-68d8700eb0a4 [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. This policy is deprecated. Cognitive Services have data encryption enforced. Default
Disabled
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.CognitiveServices/accounts/encryption
•Microsoft.CognitiveServices/accounts/encryption.keySource
IF (1)
•Microsoft.CognitiveServices/accounts
Deprecated BuiltIn
Cognitive Services Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.CognitiveServices/accounts/publicNetworkAccess
IF (1)
•Microsoft.CognitiveServices/accounts
count: 033
Azure_Security_Benchmark_v2.0_NS-1, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, CMMC_2.0_L2_SC.L2-3.13.6, CMMC_L3_AC.1.001, CMMC_L3_AC.1.002, CMMC_L3_AC.2.016, CMMC_L3_CM.3.068, CMMC_L3_SC.1.175, CMMC_L3_SC.3.183, FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-171_R2_3.13.6, NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_GS-2, NZISM_Security_Benchmark_v1.1_GS-2, RBI_CSF_Banks_v2016_14.1
GA BuiltIn
Cognitive Services Cognitive Services 67121cc7-ff39-4ab8-b7e3-95b84dab487d Cognitive Services accounts should enable data encryption with a customer-managed key Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. Default
Audit
Allowed
Audit, Deny, Disabled
IF (3)
•Microsoft.CognitiveServices/accounts/capabilities[*]
•Microsoft.CognitiveServices/accounts/capabilities[*].name
•Microsoft.CognitiveServices/accounts/encryption.keySource
IF (1)
•Microsoft.CognitiveServices/accounts
count: 014
Azure_Security_Benchmark_v2.0_DP-5, Azure_Security_Benchmark_v3.0_DP-5, CMMC_2.0_L2_SC.L2-3.13.10, CMMC_L3_SC.3.177, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, NZ_ISM_v3.5_CR-3, NZISM_Security_Benchmark_v1.1_CR-3, RBI_CSF_Banks_v2016_13.4, RBI_CSF_Banks_v2016_21.1, SOC_2_CC6.1
GA BuiltIn
Cognitive Services Cognitive Services 71ef260a-8f18-47b7-abcb-62d0673d94dc Cognitive Services accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.CognitiveServices/accounts/disableLocalAuth
IF (1)
•Microsoft.CognitiveServices/accounts
count: 036
CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, CMMC_2.0_L2_IA.L1-3.5.1, CMMC_2.0_L2_IA.L1-3.5.2, CMMC_2.0_L2_IA.L2-3.5.5, CMMC_2.0_L2_IA.L2-3.5.6, FedRAMP_High_R4_AC-2, FedRAMP_High_R4_AC-2(1), FedRAMP_High_R4_AC-2(7), FedRAMP_High_R4_AC-3, FedRAMP_High_R4_IA-2, FedRAMP_High_R4_IA-4, FedRAMP_Moderate_R4_AC-2, FedRAMP_Moderate_R4_AC-2(1), FedRAMP_Moderate_R4_AC-2(7), FedRAMP_Moderate_R4_AC-3, FedRAMP_Moderate_R4_IA-2, FedRAMP_Moderate_R4_IA-4, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-171_R2_3.5.1, NIST_SP_800-171_R2_3.5.2, NIST_SP_800-171_R2_3.5.5, NIST_SP_800-171_R2_3.5.6, NIST_SP_800-53_R4_AC-2, NIST_SP_800-53_R4_AC-2(1), NIST_SP_800-53_R4_AC-2(7), NIST_SP_800-53_R4_AC-3, NIST_SP_800-53_R4_IA-2, NIST_SP_800-53_R4_IA-4, NIST_SP_800-53_R5_AC-2, NIST_SP_800-53_R5_AC-2(1), NIST_SP_800-53_R5_AC-2(7), NIST_SP_800-53_R5_AC-3, NIST_SP_800-53_R5_IA-2, NIST_SP_800-53_R5_IA-4
GA BuiltIn
Cognitive Services Cognitive Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Cognitive Services accounts should restrict network access Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.CognitiveServices/accounts/networkAcls.defaultAction
IF (1)
•Microsoft.CognitiveServices/accounts
count: 033
Azure_Security_Benchmark_v2.0_NS-1, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, CMMC_2.0_L2_SC.L2-3.13.6, CMMC_L3_AC.1.001, CMMC_L3_AC.1.002, CMMC_L3_AC.2.016, CMMC_L3_CM.3.068, CMMC_L3_SC.1.175, CMMC_L3_SC.3.183, FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-171_R2_3.13.6, NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_GS-3, NZISM_Security_Benchmark_v1.1_GS-3, RBI_CSF_Banks_v2016_14.1
GA BuiltIn
Cognitive Services Cognitive Services fe3fd216-4f83-4fc1-8984-2bbec80a3418 Cognitive Services accounts should use a managed identity Assigning a managed identity to your Cognitive Services account helps ensure secure authentication. This identity is used by the Cognitive Services account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 46aa9b05-0e60-4eae-a88b-1e9d374fa515 Cognitive Services accounts should use customer owned storage Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.CognitiveServices/accounts/capabilities[*]
•Microsoft.CognitiveServices/accounts/capabilities[*].name
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services cddd188c-4b82-4c48-a19d-ddf74ee66a01 Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.CognitiveServices/accounts/privateEndpointConnections[*]
•Microsoft.CognitiveServices/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.CognitiveServices/accounts
count: 036
CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3)
GA BuiltIn
Cognitive Services Cognitive Services 14de9e63-1b31-492e-a5a3-c3f7fd57f555 Configure Cognitive Services accounts to disable local authentication methods Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (1)
•Microsoft.CognitiveServices/accounts/disableLocalAuth
THEN-Operations (1)
•Microsoft.CognitiveServices/accounts/disableLocalAuth
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c Configure Cognitive Services accounts to disable public network access Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
Modify
Allowed
Disabled, Modify
count: 1
Contributor
IF (1)
•Microsoft.CognitiveServices/accounts/publicNetworkAccess
THEN-Operations (1)
•Microsoft.CognitiveServices/accounts/publicNetworkAccess
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services c4bc6f10-cb41-49eb-b000-d5ab82e2a091 Configure Cognitive Services accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.CognitiveServices/accounts
•Microsoft.Network/privateEndpoints
GA BuiltIn
Cognitive Services Cognitive Services db630ad5-52e9-4f4d-9c44-53912fe40053 Configure Cognitive Services accounts with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Cognitive Services Contributor
Network Contributor
THEN-ExistenceCondition (1)
•Microsoft.CognitiveServices/accounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.CognitiveServices/accounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Cognitive Services Cognitive Services 014bf9e4-f49f-4aed-a9b0-c56399f90784 Permit only approved OpenAI models This policy permits only certain types of OpenAI models to be deployed Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.CognitiveServices/accounts/deployments/model.format
•Microsoft.CognitiveServices/accounts/deployments/model.name
GA Community
Cognitive Services Cognitive Services c4f50e79-ce44-4b76-b4e1-58330703e842 Permit only approved types of Cognitive Services This policy permits only certain types of Cognitive Services resources to be deployed. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.CognitiveServices/accounts
GA Community
Compute Compute 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 [Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs This policy deploys the Log Analytics Extension on Ubuntu VMs, and connects to the selected Log Analytics workspace Fixed
deployIfNotExists
count: 1
Log Analytics Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
Deprecated BuiltIn
Compute Compute 7c1b1214-f927-48bf-8882-84f0af6588b1 [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachineScaleSets/extensions/publisher
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
count: 002
Azure_Security_Benchmark_v1.0_2.3, Azure_Security_Benchmark_v2.0_LT-4
Deprecated BuiltIn
Compute Compute 2c89a2e5-7285-40fe-afe0-ae8654b92fb2 [Deprecated]: Unattached disks should be encrypted This policy audits any unattached disk without encryption enabled. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.Compute/disks/diskState
•Microsoft.Compute/disks/encryptionSettingsCollection.enabled
IF (1)
•Microsoft.Compute/disks
count: 001
Azure_Security_Benchmark_v1.0_4.8
Deprecated BuiltIn
Compute Compute cccc23c7-8427-4f53-ad12-b6a63eb452b3 Allowed virtual machine size SKUs This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. Fixed
Deny
IF (1)
•Microsoft.Compute/virtualMachines/sku.name
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Compute Compute compute_audit-classic-vm Audit use of classic virtual machines Use new Azure Resource Manager v2 for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Fixed
Audit
IF (1)
•Microsoft.classicCompute/virtualMachines
GA Community
Compute Compute compute_audit-vmss-autoupgrade Audit Virtual Machine Scale Sets without automatic OS upgrade enabled This policy audits any Virtual Machine Scale Set that does not have automatic OS upgrade enabled. Fixed
audit
IF (1)
•Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
GA Community
Compute Compute 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Fixed
auditIfNotExists
IF (1)
•Microsoft.ClassicCompute/virtualMachines
count: 023
AU_ISM_1511, CCCS_CP-7, CMMC_L3_RE.2.137, CMMC_L3_RE.3.139, FedRAMP_High_R4_CP-7, FedRAMP_Moderate_R4_CP-7, hipaa-1634.12b1Organizational.1-12.b, hipaa-1638.12b2Organizational.345-12.b, IRS_1075_9.3.6.6, NIST_SP_800-53_R4_CP-7, NIST_SP_800-53_R5_CP-7, NZ_ISM_v3.5_ISM-7, NZISM_Security_Benchmark_v1.1_ISM-7, RBI_CSF_Banks_v2016_19.4, RBI_ITF_NBFC_v2017_6, RBI_ITF_NBFC_v2017_6.2, RBI_ITF_NBFC_v2017_6.4, RMiT_v1.0_10.51, SWIFT_CSCF_v2021_2.5A, SWIFT_CSCF_v2021_6.4, SWIFT_CSCF_v2022_2.5A, SWIFT_CSCF_v2022_6.4, UK_NCSC_CSP_5.3
GA BuiltIn
Compute Compute 06a78e20-9358-41c9-923c-fb736d382a4d Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks Fixed
audit
IF (3)
•Microsoft.Compute/virtualMachines/osDisk.uri
•Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl
•Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/VirtualMachineScaleSets
count: 012
CIS_Azure_1.3.0_7.1, CIS_Azure_1.4.0_7.1, ISO27001-2013_A.9.1.2, SOC_2_CC6.8, SOC_2_CC8.1, SWIFT_CSCF_v2021_1.3, SWIFT_CSCF_v2021_2.5A, SWIFT_CSCF_v2021_3.1, SWIFT_CSCF_v2022_1.3, SWIFT_CSCF_v2022_2.5A, SWIFT_CSCF_v2022_3.1, UK_NCSC_CSP_10
GA BuiltIn
Compute Compute a091018b-fd0b-4898-92e1-d0b0a960e1eb audit-vms-based-on-marketplace-acg-images Audit Virtual Machines based on marketplace or Azure Compute Gallery images. createOption value 'FromImage' is used when you are using an image to create the virtual machine. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.createOption
IF (1)
•Microsoft.Compute/virtualMachines
GA Community
Compute Compute b6020716-02c1-4569-b0af-c30bd1e9cb3d audit-vmsss-based-on-marketplace-acg-images Audit Virtual Machine Scale Sets based on marketplace or Azure Compute Gallery images. createOption value 'FromImage' is used when you are using an image to create the virtual machine. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Compute/VirtualMachineScaleSets/osDisk.createOption
IF (1)
•Microsoft.Compute/VirtualMachineScaleSets
GA Community
Compute Compute DeployDefenderForServers COMPUTE - Deploy Defender for Servers Uses a DeployIfNotExists policy to automatically deploy Defender for Servers. Fixed
deployIfNotExists
count: 1
Security Admin
IF (1)
•Microsoft.Resources/subscriptions
THEN-Deployment (1)
•Microsoft.Security/pricings
GA Community
Compute Compute ac34a73f-9fa5-4067-9247-a3ecae514468 Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this policy initiates it by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Owner
THEN-ExistenceCondition (1)
•Microsoft.Resources/links/targetId
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (7)
•Microsoft.Compute/availabilitySets
•Microsoft.Compute/proximityPlacementGroups
•Microsoft.Network/virtualNetworks
•Microsoft.RecoveryServices/replicationEligibilityResults
•Microsoft.RecoveryServices/vaults
•Microsoft.Resources/deployments
•Microsoft.Storage/storageAccounts
GA BuiltIn
Compute Compute bc05b96c-0b36-4ca9-82f0-5c53f96ce05a Configure disk access resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.Compute/diskAccesses
•Microsoft.Network/privateEndpoints
GA BuiltIn
Compute Compute 582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5 Configure disk access resources with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Contributor
THEN-ExistenceCondition (1)
•Microsoft.Compute/diskAccesses/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Compute/diskAccesses
THEN-Deployment (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Compute Compute compute_configure-managed-disks-to-disable-public-access Configure managed disks to disable public access This policy configures managed disks to disable public access. Default
modify
Allowed
deny, audit, disabled, modify
count: 1
Contributor
IF (1)
•Microsoft.Compute/disks/networkAccessPolicy
THEN-Operations (1)
•Microsoft.Compute/disks/networkAccessPolicy
GA Community
Compute Compute 8426280e-b5be-43d9-979e-653d12a08638 Configure managed disks to disable public network access Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (2)
•Microsoft.Compute/disks/networkAccessPolicy
•Microsoft.Compute/disks/publicNetworkAccess
THEN-Operations (3)
•Microsoft.Compute/disks/diskAccessId
•Microsoft.Compute/disks/networkAccessPolicy
•Microsoft.Compute/disks/publicNetworkAccess
IF (1)
•Microsoft.Compute/disks
count: 002
RMiT_v1.0_10.33, RMiT_v1.0_11.15
GA BuiltIn
Compute Compute 950850fa-9a1a-4bd5-941d-01d0d6dbbf4b Create Delete Lock on specified Azure VMs List the VM names under the parameter vmName that you want to create a Delete Lock on. Then expand the deployment variables and the resources to the number of VMs given in the vmName array parameter. Make sure the parameter values, deployment variables and resources always match in number. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 2
Contributor
User Access Administrator
THEN-ExistenceCondition (1)
•Microsoft.Authorization/locks/level
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Authorization/locks
•Microsoft.Compute/virtualMachines
GA Community
Compute Compute 578b0370-4e9e-4a25-b24e-3964c4003955 Deny data access authentication mode Disable data access authentication mode to restrict access to export the disk. https://learn.microsoft.com/en-us/azure/virtual-machines/windows/download-vhd?tabs=azure-portal#secure-downloads-and-uploads-with-azure-ad Default
Deny
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.Compute/disks/dataAccessAuthmode
IF (1)
•Microsoft.Compute/disks
GA Community
Compute Compute compute_deny-new-linux-vm-ssh-with-password Deny SSH Auth on New VMs This policy denies a deployment when any Linux VMs use password-only authentication for SSH. Fixed
deny
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.disablePasswordAuthentication
IF (1)
•Microsoft.Compute/virtualMachines
GA Community
Compute Compute compute_deploy-hybrid-benefit-windows Deploy Azure Hybrid Benefit for Windows. This policy ensures virtual machines are configured for Azure Hybrid Benefit for Windows Client and Server - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/hybrid-use-benefit-licensing#ways-to-use-azure-hybrid-benefit-for-windows-server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Virtual Machine Contributor
IF (2)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
THEN-ExistenceCondition (1)
•Microsoft.Compute/virtualMachines/licenseType
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines
GA Community
Compute Compute monitoring_deploy-oms-agent-based-on-region-linux Deploy default Log Analytics VM Extension for Linux VMs. This policy deploys Log Analytics VM Extensions on Linux VMs in specific regions, and connects to the selected Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Log Analytics Contributor
IF (1)
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/settings.workspaceId
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.compute/virtualmachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA Community
Compute Compute compute_deploy-oms-vm-extension-windows-vm Deploy default Log Analytics VM Extension for Windows VMs. This policy deploys Log Analytics VM Extensions on Windows VMs, and connects to the selected Log Analytics workspace. Fixed
deployIfNotExists
count: 1
Log Analytics Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA Community
Compute Compute monitoring_deploy-oms-agent-based-on-region-windows Deploy default Log Analytics VM Extension for Windows VMs. This policy deploys Log Analytics VM Extensions on Windows VMs in specific regions, and connects to the selected Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Log Analytics Contributor
IF (1)
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/settings.workspaceId
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.compute/virtualmachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA Community
Compute Compute 2835b622-407b-4114-9198-6f7064cbe0dc Deploy default Microsoft IaaSAntimalware extension for Windows Server This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. Fixed
deployIfNotExists
count: 1
Virtual Machine Contributor
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
count: 001
hipaa-0201.09j1Organizational.124-09.j
GA BuiltIn
Compute Compute hybridusebenefits_deploy-hybrid-use-windows-server Deploy hybrid use for Windows Server This policy enables Hybrid Use Benefit (HUB) for Windows Server. Fixed
deployIfNotExists
count: 1
Owner
IF (1)
•Microsoft.Compute/virtualMachines/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.Compute/virtualMachines/licenseType
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines
GA Community
Compute Compute 3552f7c0-c20f-4f13-aa60-3ded12935d28 Deploy Microsoft IaaSAntimalware extension for Custom Windows Images This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. This policy is used for custom images. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 1
Virtual Machine Contributor
IF (1)
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA Community
Compute Compute Deploy-Vm-autoShutdown Deploy Virtual Machine Auto Shutdown Schedule Deploys an auto shutdown schedule to a virtual machine Fixed
deployIfNotExists
count: 1
Virtual Machine Contributor
THEN-ExistenceCondition (2)
•Microsoft.DevTestLab/schedules/targetResourceId
•Microsoft.DevTestLab/schedules/taskType
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.DevTestLab/schedules
GA ALZ
Compute Compute compute_deploy-or-audit-auto-shutdown-by-tag-value-on-vm Deploy VM auto shutdown Default
audit
Allowed
audit, Deny, DeployIfNotExists, Disabled
count: 1
Virtual Machine Contributor
THEN-ExistenceCondition (2)
•Microsoft.DevTestLab/labs/virtualMachines/schedules/status
•Microsoft.DevTestLab/labs/virtualMachines/schedules/targetResourceId
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.devtestlab/schedules
GA Community
Compute Compute f39f5f49-4abf-44de-8c70-0756997bfb51 Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.Compute/diskAccesses/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Compute/diskAccesses
count: 036
CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3)
GA BuiltIn
Compute Compute compute_deploy-vmss-autoosupgrade Enable automatic OS upgrade on Virtual Machine Scale Sets This policy enables automatic OS upgrade on Virtual Machine Scale Sets. New scale sets will have automatic OS upgrade enabled automatically. Existing scale sets that are not opted into automatic OS upgrade will be marked as non-compliant and can be enabled through policy remediation. Fixed
deployIfNotExists
count: 1
Virtual Machine Contributor
IF (1)
•Microsoft.Compute/imageVersion
THEN-ExistenceCondition (1)
•Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
THEN-Deployment (1)
•Microsoft.Compute/virtualMachineScaleSets
GA Community
Compute Compute ca91455f-eace-4f96-be59-e6e2c35b4816 Managed disks should be double encrypted with both platform-managed and customer-managed keys High security sensitive customers who are concerned about the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for an additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer with platform-managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Compute/diskEncryptionSets/encryptionType
IF (1)
•Microsoft.Compute/diskEncryptionSets
count: 006
CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12
GA BuiltIn
Compute Compute 8405fdab-1faf-48aa-b702-999c9c172094 Managed disks should disable public network access Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.Compute/disks/networkAccessPolicy
•Microsoft.Compute/disks/publicNetworkAccess
IF (1)
•Microsoft.Compute/disks
count: 002
RMiT_v1.0_10.33, RMiT_v1.0_11.15
GA BuiltIn
Compute Compute d461a302-a187-421a-89ac-84acdb4edc04 Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption Requiring a specific set of disk encryption sets to be used with managed disks gives you control over the keys used for encryption at rest. You can select the allowed disk encryption sets; all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk. Default
Audit
Allowed
Audit, Deny, Disabled
IF (9)
•Microsoft.Compute/disks/encryption.diskEncryptionSetId
•Microsoft.Compute/disks/managedBy
•Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId
•Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.osDiskImage.diskEncryptionSetId
•Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id
•Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.managedDisk.diskEncryptionSet.id
IF (5)
•Microsoft.Compute/disks
•Microsoft.Compute/galleries/images/versions
•Microsoft.Compute/images
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachineScaleSets
count: 003
RBI_ITF_NBFC_v2017_3.1.h, RMiT_v1.0_10.53, RMiT_v1.0_11.15
GA BuiltIn
Compute Compute c43e4a30-77cb-48ab-a4dd-93f175c63b57 Microsoft Antimalware for Azure should be configured to automatically update protection signatures This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
IF (1)
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
count: 016
Azure_Security_Benchmark_v1.0_2.8, Azure_Security_Benchmark_v1.0_8.3, CMMC_2.0_L2_SI.L1-3.14.2, CMMC_2.0_L2_SI.L1-3.14.4, CMMC_2.0_L2_SI.L1-3.14.5, CMMC_L3_SI.1.210, CMMC_L3_SI.1.211, CMMC_L3_SI.1.212, CMMC_L3_SI.1.213, hipaa-0201.09j1Organizational.124-09.j, NIST_SP_800-171_R2_3.14.2, NIST_SP_800-171_R2_3.14.4, NIST_SP_800-171_R2_3.14.5, RMiT_v1.0_10.63, SWIFT_CSCF_v2021_6.1, SWIFT_CSCF_v2022_6.1
GA BuiltIn
Compute Compute 9b597639-28e4-48eb-b506-56b05d366257 Microsoft IaaSAntimalware extension should be deployed on Windows servers This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
count: 013
AU_ISM_1288, AU_ISM_1417, CMMC_2.0_L2_SI.L1-3.14.2, CMMC_2.0_L2_SI.L1-3.14.4, CMMC_2.0_L2_SI.L1-3.14.5, CMMC_L3_SI.1.211, CMMC_L3_SI.1.213, NIST_SP_800-171_R2_3.14.2, NIST_SP_800-171_R2_3.14.4, NIST_SP_800-171_R2_3.14.5, RMiT_v1.0_Appendix_5.7, SWIFT_CSCF_v2021_6.1, SWIFT_CSCF_v2022_6.1
GA BuiltIn
Compute Compute d7a36be7-42bc-4ea9-8029-2e8d4b8d175b Not allowed VM Extensions This policy governs which VM extensions are explicitly denied. Default
Deny
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines/extensions
GA Community
Compute Compute c0e996f8-39cf-4af9-9f45-83fbde810432 Only approved VM extensions should be installed This policy governs the virtual machine extensions that are not approved. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines/extensions
count: 006
CIS_Azure_1.1.0_7.4, CIS_Azure_1.3.0_7.4, CIS_Azure_1.4.0_7.4, RMiT_v1.0_11.4, SOC_2_CC6.8, SOC_2_CC8.1
GA BuiltIn
Compute Compute compute_only_approved_vmss_extensions_should_be_installed Only approved VMSS extensions should be installed This policy governs the virtual machine scale set extensions that are not approved. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.extensionProfile.extensions[*].type
GA Community
Compute Compute 702dd420-7fcc-42c5-afe8-4026edd20fe0 OS and data disks should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. Default
Audit
Allowed
Audit, Deny, Disabled
IF (10)
•Microsoft.Compute/disks/encryption.diskEncryptionSetId
•Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*]
•Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId
•Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id
•Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.id
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.managedDisk.diskEncryptionSet.id
IF (5)
•Microsoft.Compute/disks
•Microsoft.Compute/galleries/images/versions
•Microsoft.Compute/images
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachineScaleSets
count: 007
CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, RMiT_v1.0_10.53
GA BuiltIn
Compute Compute 63b4e328-7369-4a72-a5ad-0884d7fb1d04 Prevent deployment of Windows VM or VMSS without BYOL The policy checks whether VMs or VM Scale Sets based on a Microsoft operating system are using BYOL for Azure Hybrid Benefit. The decision whether a VM is based on a Microsoft OS is derived from the following policy: [Preview]: Azure Security agent should be installed on your Windows virtual machines - Microsoft Azure https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbb2c6c6d-14bc-4443-bef3-c6be0adc6076 Default
Audit
Allowed
Audit, Deny, Disabled
IF (3)
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/licenseType
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
IF (1)
•Microsoft.Compute/virtualMachines
GA Community
Compute Compute 465f0161-0087-490a-9ad9-ad6217f4f43a Require automatic OS image patching on Virtual Machine Scale Sets This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month. Fixed
deny
IF (2)
•Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade
•Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
GA BuiltIn
Compute Compute compute_blocked-disk-skus undefined Default
Audit
Allowed
Deny, Audit, Disabled
IF (1)
•Microsoft.Compute/disks
GA Community
Compute Compute compute_allowed-disk-skus undefined Default
Audit
Allowed
Deny, Audit, Disabled
IF (1)
•Microsoft.Compute/disks/sku.name
IF (1)
•Microsoft.Compute/disks
GA Community
Compute Compute compute_allowed-vm-os undefined Fixed
deny
IF (4)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSku
•Microsoft.Compute/licenseType
IF (1)
•Microsoft.Compute/VirtualMachineScaleSets
GA Community
Compute Compute fc4d8e41-e223-45ea-9bf5-eada37891d87 Virtual machines and virtual machine scale sets should have encryption at host enabled Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.encryptionAtHost
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachineScaleSets
count: 012
CMMC_2.0_L2_SC.L2-3.13.16, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1), RMiT_v1.0_11.2, RMiT_v1.0_11.20
GA BuiltIn
Compute Compute 1d84d5fb-01f6-4d12-ba4f-4a26081d403d Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.ClassicCompute/virtualMachines
•Microsoft.Compute/virtualMachines
count: 020
Azure_Security_Benchmark_v1.0_6.9, Azure_Security_Benchmark_v2.0_AM-3, Azure_Security_Benchmark_v3.0_AM-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, FedRAMP_High_R4_AC-3, FedRAMP_Moderate_R4_AC-3, hipaa-0835.09n1Organizational.1-09.n, ISO27001-2013_A.9.1.2, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-53_R4_AC-3, NIST_SP_800-53_R5_AC-3, PCI_DSS_V3.2.1_10.3, PCI_DSS_V3.2.1_10.5.4, PCI_DSS_v4.0_10.2.2, PCI_DSS_v4.0_10.3.3, RBI_CSF_Banks_v2016_13.1, RMiT_v1.0_10.27, UK_NCSC_CSP_10
GA BuiltIn
Compute Compute compute_vm-use-allowed-images VM use allowed Images This policy prevents unauthorized images for VMs. Default
audit
Allowed
deny, audit, disabled
IF (4)
•Microsoft.Compute/virtualMachines/imageOffer
•Microsoft.Compute/virtualMachines/imagePublisher
•Microsoft.Compute/virtualMachines/imageSku
•Microsoft.Compute/virtualMachines/imageVersion
GA Community
Compute Compute 97d4dc8b-b0bd-42da-aa83-bbf98c0c7ef7 VMAccess virtual machine extension for Linux The VMAccess virtual machine extension for Linux allows the user to reset the password/ssh of a selected user or to create new local users with sudo access. https://github.com/Azure/azure-linux-extensions/blob/master/VMAccess/README.md Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines/extensions
GA Community
Container Apps Container Apps 2b585559-a78e-4cc4-b1aa-fb169d2f6b96 Authentication should be enabled on Container Apps Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.App/containerApps/authConfigs/platform.enabled
IF (1)
•Microsoft.App/containerApps
GA BuiltIn
Container Apps Container Apps 8b346db6-85af-419b-8557-92cee2c0f9bb Container App environments should use network injection Container Apps environments should use virtual network injection to: 1. Isolate Container Apps from the public internet; 2. Enable network integration with resources on-premises or in other Azure virtual networks; 3. Achieve more granular control over network traffic flowing to and from the environment. Default
Audit
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.App/managedEnvironments/vnetConfiguration.infrastructureSubnetId
IF (1)
•Microsoft.App/managedEnvironments
GA BuiltIn
Container Apps Container Apps 7c9f3fbb-739d-4844-8e42-97e3be6450e0 Container App should configure with volume mount Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.App/containerApps
GA BuiltIn
Container Apps Container Apps d074ddf8-01a5-4b5e-a2b8-964aed452c0a Container Apps environment should disable public network access Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.App/managedEnvironments/vnetConfiguration
•Microsoft.App/managedEnvironments/vnetConfiguration.internal
IF (1)
•Microsoft.App/managedEnvironments
GA BuiltIn
Container Apps Container Apps 783ea2a8-b8fd-46be-896a-9ae79643a0b1 Container Apps should disable external network access Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.App/containerApps/configuration.ingress
•Microsoft.App/containerApps/configuration.ingress.external
IF (1)
•Microsoft.App/containerApps
GA BuiltIn
Container Apps Container Apps 0e80e269-43a4-4ae9-b5bc-178126b8a5cb Container Apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.App/containerApps/configuration.ingress.allowInsecure
IF (1)
•Microsoft.App/containerApps
GA BuiltIn
Container Apps Container Apps b874ab2d-72dd-47f1-8cb5-4a306478a4e7 Managed Identity should be enabled for Container Apps Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.App/containerApps
GA BuiltIn
Container Instance Container Instance 8af8f826-edcb-4178-b35f-851ea6fea615 Azure Container Instance container group should deploy into a virtual network Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. Default
Audit
Allowed
Audit, Disabled, Deny
IF (3)
•Microsoft.ContainerInstance/containerGroups/ipAddress.type
•Microsoft.ContainerInstance/containerGroups/networkProfile.id
•Microsoft.ContainerInstance/containerGroups/subnetIds[*].id
IF (1)
•Microsoft.ContainerInstance/containerGroups
count: 001
RMiT_v1.0_10.33
GA BuiltIn
Container Instance Container Instance 0aa61e00-0a01-4a3c-9945-e93cffedf0e6 Azure Container Instance container group should use customer-managed key for encryption Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Default
Audit
Allowed
Audit, Disabled, Deny
IF (2)
•Microsoft.ContainerInstance/containerGroups/encryptionProperties.keyName
•Microsoft.ContainerInstance/containerGroups/encryptionProperties.vaultBaseUrl
IF (1)
•Microsoft.ContainerInstance/containerGroups
count: 007
CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, RMiT_v1.0_10.53
GA BuiltIn
Container Instances Container Instances 21c469fa-a887-4363-88a9-60bfd6911a15 Configure diagnostics for container group to log analytics workspace Appends the specified log analytics workspaceId and workspaceKey when any container group which is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those resource groups are changed. Default
Append
Allowed
Append, Disabled
IF (2)
•Microsoft.ContainerInstance/containerGroups/diagnostics.logAnalytics.workspaceId
•Microsoft.ContainerInstance/containerGroups/diagnostics.logAnalytics.workspaceKey
IF (1)
•Microsoft.ContainerInstance/containerGroups
GA BuiltIn
Container Registry Container Registry cced2946-b08a-44fe-9fd9-e4ed8a779897 Configure container registries to disable anonymous authentication. Disable anonymous pull for your registry so that data is not accessible by unauthenticated users. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (1)
•Microsoft.ContainerRegistry/registries/anonymousPullEnabled
THEN-Operations (1)
•Microsoft.ContainerRegistry/registries/anonymousPullEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry 785596ed-054f-41bc-aaec-7f3d0ba05725 Configure container registries to disable ARM audience token authentication. Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (2)
•Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy
•Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy.status
THEN-Operations (1)
•Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy.status
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry 79fdfe03-ffcb-4e55-b4d0-b925b8241759 Configure container registries to disable local admin account. Disable the admin account for your registry so that it is not accessible by a local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (1)
•Microsoft.ContainerRegistry/registries/adminUserEnabled
THEN-Operations (1)
•Microsoft.ContainerRegistry/registries/adminUserEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry a3701552-92ea-433e-9d17-33b7f1208fc9 Configure Container registries to disable public network access Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (1)
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
THEN-Operations (1)
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
IF (1)
•Microsoft.ContainerRegistry/registries
count: 002
RMiT_v1.0_10.33, RMiT_v1.0_11.15
GA BuiltIn
Container Registry Container Registry a9b426fe-8856-4945-8600-18c5dd1cca2a Configure container registries to disable repository scoped access token. Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Modify
Allowed
Modify, Disabled
count: 1
Contributor
IF (1)
•Microsoft.ContainerRegistry/registries/tokens/status
THEN-Operations (1)
•Microsoft.ContainerRegistry/registries/tokens/status
IF (1)
•Microsoft.ContainerRegistry/registries/tokens
GA BuiltIn
Container Registry Container Registry e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 Configure Container registries to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Container Registry Container Registry d85c6833-7d33-4cf5-a915-aaa2de84405f Configure Container registries with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Contributor
IF (1)
•Microsoft.ContainerRegistry/registries/sku.name
THEN-ExistenceCondition (1)
•Microsoft.ContainerRegistry/registries/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.ContainerRegistry/registries
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Container Registry Container Registry containerregistry_container-registries-prevent-access-to-trusted-services Container Registries prevent access to trusted services This policy configures container registry acr_firewall_bypass to prevent access to trusted services Default
Deny
Allowed
Audit, Deny, Disabled
GA Community
Container Registry Container Registry containerregistry_container-registries-prevent-managed-identity Container Registries prevent managed identity This policy configures container registry to prevent managed identity Default
Deny
Allowed
Audit, Deny, Disabled
GA Community
Container Registry Container Registry 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 Container registries should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.ContainerRegistry/registries/encryption.status
IF (1)
•Microsoft.ContainerRegistry/registries
count: 016
Azure_Security_Benchmark_v2.0_DP-5, Azure_Security_Benchmark_v3.0_DP-5, CMMC_2.0_L2_SC.L2-3.13.10, CMMC_L3_SC.3.177, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, NZ_ISM_v3.5_CR-3, NZISM_Security_Benchmark_v1.1_CR-3, RBI_CSF_Banks_v2016_13.4, RBI_CSF_Banks_v2016_21.1, RMiT_v1.0_10.53, SOC_2_CC6.1, SWIFT_CSCF_v2021_2.5A
GA BuiltIn
Container Registry Container Registry 9f2dea28-e834-476c-99c5-3507b4728395 Container registries should have anonymous authentication disabled. Disable anonymous pull for your registry so that data is not accessible by unauthenticated users. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.ContainerRegistry/registries/anonymousPullEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry 42781ec6-6127-4c30-bdfa-fb423a0047d3 Container registries should have ARM audience token authentication disabled. Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy
•Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy.status
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry 524b0254-c285-4903-bee6-bb8126cde579 Container registries should have exports disabled Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.ContainerRegistry/registries/policies.exportPolicy.status
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry dc921057-6b28-4fbe-9b83-f7bec05db6c2 Container registries should have local admin account disabled. Disable the admin account for your registry so that it is not accessible by a local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.ContainerRegistry/registries/adminUserEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry ff05e24e-195c-447e-b322-5e90c9f9f366 Container registries should have repository scoped access token disabled. Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.ContainerRegistry/registries/tokens/status
IF (1)
•Microsoft.ContainerRegistry/registries/tokens
GA BuiltIn
Container Registry Container Registry bd560fc0-3c69-498a-ae9f-aa8eb7de0e13 Container registries should have SKUs that support Private Links Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.ContainerRegistry/registries/sku.name
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry d0793b48-0edc-4296-a390-4c75d1bdfd71 Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
IF (1)
•Microsoft.ContainerRegistry/registries
count: 035
Azure_Security_Benchmark_v2.0_NS-1, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, CMMC_2.0_L2_SC.L2-3.13.6, CMMC_L3_AC.1.001, CMMC_L3_AC.1.002, CMMC_L3_AC.2.016, CMMC_L3_CM.3.068, CMMC_L3_SC.1.175, CMMC_L3_SC.3.183, FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-171_R2_3.13.6, NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_GS-3, NZISM_Security_Benchmark_v1.1_GS-3, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7, RMiT_v1.0_10.33
GA BuiltIn
Container Registry Container Registry e8eef0a8-67cf-4eb4-9386-14b0e78733d4 Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.ContainerRegistry/registries/privateEndpointConnections[*]
•Microsoft.ContainerRegistry/registries/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.ContainerRegistry/registries
count: 044
Azure_Security_Benchmark_v2.0_NS-2, Azure_Security_Benchmark_v2.0_NS-3, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7, SWIFT_CSCF_v2021_1.1
GA BuiltIn
Container Registry Container Registry containerregistry_container-registry-admin-user-filter Enforce Admin User is disabled on all Container Registry instances This policy ensures Admin User is disabled on all Container Registry instances Fixed
deny
IF (1)
•Microsoft.ContainerRegistry/registries/adminUserEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA Community
Container Registry Container Registry 0fdf0491-d080-4575-b627-ad0e843cba0f Public network access should be disabled for Container registries Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
IF (1)
•Microsoft.ContainerRegistry/registries
count: 001
RMiT_v1.0_10.33
GA BuiltIn
Cosmos DB Cosmos DB cosmosdb_audit-cosmosdb-throughput Audit Cosmos DB Throughput Exceeding Max This policy audits when Cosmos DB shared or dedicated throughput exceeds a maximum. The policy audits Cosmos DB resources in accounts of any API (SQL, Cassandra, Gremlin, MongoDB, Table), where throughput can be provisioned either at the database/keyspace/table level or at the collection/container/graph/table level. Fixed
Audit
IF (9)
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.throughput
GA Community
Cosmos DB Cosmos DB cosmosdb_cosmos-db-multiple-write-locations Audit or Deny Cosmos DB | Multiple Write Locations not set as required This policy audits or denies when a Cosmos DB account does not have the required multiple write locations setting. Default
Audit
Allowed
Audit, Deny
IF (1)
•Microsoft.DocumentDB/databaseAccounts/enableMultipleWriteLocations
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA Community
Cosmos DB Cosmos DB 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Default
Deny
Allowed
Audit, Deny, Disabled
IF (4)
•Microsoft.DocumentDB/databaseAccounts/ipRangeFilter
•Microsoft.DocumentDB/databaseAccounts/ipRules
•Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled
•Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess
IF (1)
•Microsoft.DocumentDB/databaseAccounts
count: 028
Azure_Security_Benchmark_v2.0_NS-1, Azure_Security_Benchmark_v2.0_NS-4, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, CMMC_2.0_L2_SC.L2-3.13.6, FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-171_R2_3.13.6, NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_GS-3, NZISM_Security_Benchmark_v1.1_GS-3, RBI_ITF_NBFC_v2017_5
GA BuiltIn
Cosmos DB Cosmos DB 9d83ccb1-f313-46ce-9d39-a198bfdb51a0 Azure Cosmos DB accounts should not exceed the maximum number of days allowed since last account key regeneration. Regenerate your keys in the specified time to keep your data more protected. Default
Audit
Allowed
Audit, Disabled
IF (4)
•Microsoft.DocumentDB/databaseAccounts/keysMetadata.primaryMasterKey.generationTime
•Microsoft.DocumentDB/databaseAccounts/keysMetadata.primaryReadonlyMasterKey.generationTime
•Microsoft.DocumentDB/databaseAccounts/keysMetadata.secondaryMasterKey.generationTime
•Microsoft.DocumentDB/databaseAccounts/keysMetadata.secondaryReadonlyMasterKey.generationTime
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 1f905d99-2ab7-462c-a6b0-f709acca6c8f Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
IF (1)
•Microsoft.DocumentDB/databaseAccounts/keyVaultKeyUri
IF (1)
•Microsoft.DocumentDB/databaseAccounts
count: 014
Azure_Security_Benchmark_v2.0_DP-5, Azure_Security_Benchmark_v3.0_DP-5, CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, NZ_ISM_v3.5_CR-3, NZISM_Security_Benchmark_v1.1_CR-3, RBI_CSF_Banks_v2016_13.4, RBI_CSF_Banks_v2016_21.1, RBI_ITF_NBFC_v2017_3.1.h, SOC_2_CC6.1
GA BuiltIn
Cosmos DB Cosmos DB 0473574d-2d43-4217-aefe-941fcdf7e684 Azure Cosmos DB allowed locations This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
IF (1)
•Microsoft.DocumentDB/databaseAccounts/Locations[*]
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 4750c32b-89c0-46af-bfcb-2e4541a818d5 Azure Cosmos DB key based metadata write access should be disabled This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. Fixed
append
IF (1)
•Microsoft.DocumentDB/databaseAccounts/disableKeyBasedMetadataWriteAccess
THEN-Details (1)
•Microsoft.DocumentDB/databaseAccounts/disableKeyBasedMetadataWriteAccess
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 797b37f7-06b8-444c-b1ad-fc62867f335a Azure Cosmos DB should disable public network access Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf Azure Cosmos DB throughput should be limited This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
IF (27)
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/options
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/options
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/options
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/options
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/options
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/options
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/options
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/options
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/tables/options
•Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.throughput
GA BuiltIn
Cosmos DB Cosmos DB dc2d41d1-4ab1-4666-a3e1-3d51c43e0049 Configure Cosmos DB database accounts to disable local authentication Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default
Modify
Allowed
Modify, Disabled
count: 1
DocumentDB Account Contributor
IF (2)
•Microsoft.DocumentDB/databaseAccounts/capabilities[*].name
•Microsoft.DocumentDB/databaseAccounts/disableLocalAuth
THEN-Operations (1)
•Microsoft.DocumentDB/databaseAccounts/disableLocalAuth
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB da69ba51-aaf1-41e5-8651-607cd0b37088 Configure CosmosDB accounts to disable public network access Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Default
Modify
Allowed
Modify, Disabled
count: 2
Contributor
DocumentDB Account Contributor
IF (1)
•Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess
THEN-Operations (1)
•Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB a63cc0bd-cda4-4178-b705-37dc439d3e0f Configure CosmosDB accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve the CosmosDB account. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.DocumentDb/databaseAccounts
•Microsoft.Network/privateEndpoints
GA BuiltIn
Cosmos DB Cosmos DB b609e813-3156-4079-91fa-a8494c1471c4 Configure CosmosDB accounts with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your CosmosDB account, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Contributor
DocumentDB Account Contributor
THEN-ExistenceCondition (1)
•Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DocumentDB/databaseAccounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Cosmos DB Cosmos DB 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 Cosmos DB database accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.DocumentDB/databaseAccounts/capabilities[*].name
•Microsoft.DocumentDB/databaseAccounts/disableLocalAuth
IF (1)
•Microsoft.DocumentDB/databaseAccounts
count: 001
Azure_Security_Benchmark_v3.0_IM-1
GA BuiltIn
Cosmos DB Cosmos DB 58440f8a-10c5-4151-bdce-dfbaad4a20b7 CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections[*]
•Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DocumentDB/databaseAccounts
count: 036
CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3)
GA BuiltIn
Cosmos DB Cosmos DB b5f04e03-92a3-4b09-9410-2cc5e5047656 Deploy Advanced Threat Protection for Cosmos DB Accounts This policy enables Advanced Threat Protection across Cosmos DB accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Security Admin
THEN-ExistenceCondition (1)
•Microsoft.Security/advancedThreatProtectionSettings/isEnabled
IF (1)
•Microsoft.DocumentDB/databaseAccounts
count: 001
CMMC_L3_IR.2.093
GA BuiltIn
Cosmos DB Cosmos DB cosmosdb_cosmos-db-vnet-filter Enforce Virtual Network Filtering on Cosmos DB accounts This policy ensures Virtual Network Filtering is enabled on all Cosmos DB accounts. Fixed
deny
IF (1)
•Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA Community
Cost Optimization Cost Optimization costoptimization_unused-app-service-plans-driving-cost-should-be-avoided Unused App Service plans driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.Web/serverFarms/numberOfSites
•Microsoft.Web/serverFarms/sku.tier
IF (1)
•Microsoft.Web/serverfarms
GA Community
Cost Optimization Cost Optimization Audit-ServerFarms-UnusedResourcesCostOptimization Unused App Service plans driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.Web/serverFarms/numberOfSites
•Microsoft.Web/serverFarms/sku.tier
IF (1)
•Microsoft.Web/serverfarms
GA ALZ
Cost Optimization Cost Optimization Audit-Disks-UnusedResourcesCostOptimization Unused Disks driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Compute/disks/diskState
IF (1)
•Microsoft.Compute/disks
GA ALZ
Cost Optimization Cost Optimization costoptimization_unused-disks-driving-cost-should-be-avoided Unused Disks driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Compute/disks/diskState
IF (1)
•Microsoft.Compute/disks
GA Community
Cost Optimization Cost Optimization Audit-PublicIpAddresses-UnusedResourcesCostOptimization Unused Public IP addresses driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. Default
Audit
Allowed
Audit, Disabled
IF (4)
•Microsoft.Network/publicIPAddresses/ipConfiguration
•Microsoft.Network/publicIPAddresses/natGateway
•Microsoft.Network/publicIPAddresses/publicIPPrefix
•Microsoft.Network/publicIPAddresses/sku.name
IF (1)
•Microsoft.network/publicIpAddresses
GA ALZ
Cost Optimization Cost Optimization costoptimization_unused-public-ip-addresses-driving-cost-should-be-avoided Unused Public IP addresses driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. Default
Audit
Allowed
Audit, Disabled
IF (4)
•Microsoft.Network/publicIPAddresses/ipConfiguration
•Microsoft.Network/publicIPAddresses/natGateway
•Microsoft.Network/publicIPAddresses/publicIPPrefix
•Microsoft.Network/publicIPAddresses/sku.name
IF (1)
•Microsoft.network/publicIpAddresses
GA Community
Custom Provider Custom Provider c15c281f-ea5c-44cd-90b8-fc3c14d13f0c Deploy associations for a custom provider Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. Fixed
deployIfNotExists
count: 1
Contributor
THEN-Deployment (1)
•Microsoft.Resources/deployments
GA BuiltIn
Data Box Data Box c349d81b-9985-44ae-a8da-ff98d108ede8 Azure Data Box jobs should enable double encryption for data at rest on the device Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.DataBox/jobs/details.preferences.encryptionPreferences.doubleEncryption
•Microsoft.Databox/jobs/sku.name
IF (1)
•Microsoft.DataBox/jobs
count: 012
CMMC_2.0_L2_SC.L2-3.13.16, CMMC_L3_SC.3.177, CMMC_L3_SC.3.191, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1)
GA BuiltIn
Data Box Data Box 86efb160-8de7-451d-bc08-5d475b0aadae Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.DataBox/jobs/details.keyEncryptionKey.kekType
•Microsoft.Databox/jobs/sku.name
IF (1)
•Microsoft.DataBox/jobs
count: 006
CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12
GA BuiltIn
Data Factory Data Factory 3d02a511-74e5-4dab-a5fd-878704d4a61a [Preview]: Azure Data Factory pipelines should only communicate with allowed domains To prevent data and token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: while in public preview, compliance for this policy is not reported, and for the policy to be applied to Data Factory, enable the outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Deny
Allowed
Deny, Disabled
Preview BuiltIn
Data Factory Data Factory 4ec52d6d-beb7-40c4-9a9e-fe753254690e Azure data factories should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.DataFactory/factories/encryption.vaultBaseUrl
IF (1)
•Microsoft.DataFactory/factories
count: 006
CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12
GA BuiltIn
Data Factory Data Factory 85bb39b5-2f66-49f8-9306-77da3ac5130f Azure Data Factory integration runtime should have a limit for number of cores To manage your resources and costs, limit the number of cores for an integration runtime. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.dataFlowProperties.coreCount
•Microsoft.DataFactory/factories/integrationruntimes/type
IF (1)
•Microsoft.DataFactory/factories/integrationRuntimes
GA BuiltIn
Data Factory Data Factory 6809a3d0-d354-42fb-b955-783d207c62a8 Azure Data Factory linked service resource type should be in allow list Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.DataFactory/factories/linkedservices/type
GA BuiltIn
Data Factory Data Factory 127ef6d7-242f-43b3-9eef-947faf1725d0 Azure Data Factory linked services should use Key Vault for storing secrets To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. Default
Audit
Allowed
Audit, Deny, Disabled
IF (30)
•Microsoft.DataFactory/factories/linkedservices/AmazonMWS.typeProperties.mwsAuthToken.type
•Microsoft.DataFactory/factories/linkedservices/AmazonMWS.typeProperties.secretKey.type
•Microsoft.DataFactory/factories/linkedservices/AmazonS3.typeProperties.secretAccessKey.type
•Microsoft.DataFactory/factories/linkedservices/AzureBlobStorage.typeProperties.servicePrincipalKey
•Microsoft.DataFactory/factories/linkedservices/AzureBlobStorage.typeProperties.servicePrincipalKey.type
•Microsoft.DataFactory/factories/linkedservices/AzureSearch.typeProperties.key.type
•Microsoft.DataFactory/factories/linkedservices/AzureSqlDW.typeProperties.servicePrincipalKey.type
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.accountKey
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri.type
•Microsoft.DataFactory/factories/linkedservices/CosmosDb.typeProperties.accountKey.type
•Microsoft.DataFactory/factories/linkedservices/Dynamics.typeProperties.servicePrincipalCredential
•Microsoft.DataFactory/factories/linkedservices/Dynamics.typeProperties.servicePrincipalCredential.type
•Microsoft.DataFactory/factories/linkedservices/GoogleAdWords.typeProperties.developerToken.type
•Microsoft.DataFactory/factories/linkedservices/GoogleBigQuery.typeProperties.clientSecret.type
•Microsoft.DataFactory/factories/linkedservices/GoogleBigQuery.typeProperties.refreshToken.type
•Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken
•Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken.type
•Microsoft.DataFactory/factories/linkedservices/OData.typeProperties.servicePrincipalEmbeddedCert.type
•Microsoft.DataFactory/factories/linkedservices/OData.typeProperties.servicePrincipalEmbeddedCertPassword.type
•Microsoft.DataFactory/factories/linkedservices/Odbc.typeProperties.credential.type
•Microsoft.DataFactory/factories/linkedservices/Salesforce.typeProperties.securityToken.type
•Microsoft.DataFactory/factories/linkedservices/Sftp.typeProperties.passPhrase.type
•Microsoft.DataFactory/factories/linkedservices/Sftp.typeProperties.privateKeyContent.type
•Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password
•Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password.type
•Microsoft.DataFactory/factories/linkedservices/type
•Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString
•Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString.type
•Microsoft.DataFactory/factories/linkedservices/typeProperties.encryptedCredential
GA BuiltIn
Data Factory Data Factory f78ccdb4-7bf4-4106-8647-270491d2978a Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using a system-assigned managed identity when communicating with data stores via linked services avoids the use of less secure credentials such as passwords or connection strings. Default
Audit
Allowed
Audit, Deny, Disabled
IF (7)
•Microsoft.DataFactory/factories/linkedservices/AzureSqlDW.typeProperties.servicePrincipalKey
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.accountKey
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri
•Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken
•Microsoft.DataFactory/factories/linkedservices/type
•Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString
•Microsoft.DataFactory/factories/linkedservices/typeProperties.encryptedCredential
GA BuiltIn
Data Factory Data Factory 77d40665-3120-4348-b539-3192ec808307 Azure Data Factory should use a Git repository for source control Enable source control on data factories to gain capabilities such as change tracking, collaboration, continuous integration, and deployment. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.DataFactory/factories/repoConfiguration.repositoryName
IF (1)
•Microsoft.DataFactory/factories
GA BuiltIn
Data Factory Data Factory 8b0323be-cc25-4b61-935d-002c3798c6ea Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.DataFactory/factories/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DataFactory/factories
count: 036
CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3)
GA BuiltIn
Data Factory Data Factory 08b1442b-7789-4130-8506-4f99a97226a7 Configure Data Factories to disable public network access Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default
Modify
Allowed
Modify, Disabled
count: 1
Data Factory Contributor
IF (1)
•Microsoft.DataFactory/factories/publicNetworkAccess
THEN-Operations (1)
•Microsoft.DataFactory/factories/publicNetworkAccess
IF (1)
•Microsoft.DataFactory/factories
GA BuiltIn
Data Factory Data Factory 86cd96e1-1745-420d-94d4-d3f2fe415aa4 Configure private DNS zones for private endpoints that connect to Azure Data Factory Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Data Factory Data Factory 496ca26b-f669-4322-a1ad-06b7b5e41882 Configure private endpoints for Data factories Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Data Factory Contributor
Network Contributor
THEN-ExistenceCondition (1)
•Microsoft.DataFactory/factories/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DataFactory/factories
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Data Factory Data Factory 67a1def3-5e6d-4d07-adc0-e929bba328a6 Prevent-DataFactory-ManagedSSISRuntime Prevent creation of Managed SSIS runtime for Azure Data Factory Default
Deny
Allowed
Audit, Disabled, Deny
IF (2)
•Microsoft.DataFactory/factories/integrationruntimes/type
•Microsoft.DataFactory/factories/integrationruntimes/typeProperties.ssisProperties
IF (1)
•Microsoft.DataFactory/factories/integrationruntimes
GA Community
Data Factory Data Factory 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6 Public network access on Azure Data Factory should be disabled Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.DataFactory/factories/publicNetworkAccess
IF (1)
•Microsoft.DataFactory/factories
GA BuiltIn
Data Factory Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default
Audit
Allowed
Audit, Deny, Disabled
IF (3)
•Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.vnetProperties.vnetId
•Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.customerVirtualNetwork.subnetId
•Microsoft.DataFactory/factories/integrationruntimes/type
IF (1)
•Microsoft.DataFactory/factories/integrationRuntimes
GA BuiltIn
Data Lake Data Lake monitoring_audit-enabling-diagnostic-logs-data-lake-analytics Audit enabling of diagnostic logs in Data Lake Analytics Audit enabling of logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. Fixed
AuditIfNotExists
THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
IF (1)
•Microsoft.DataLakeAnalytics/accounts
GA Community
Data Lake Data Lake datalake_data-lake-store-encryption Enforce encryption on Data Lake Store accounts This policy ensures encryption is enabled on all Data Lake Store accounts. Fixed
deny
IF (1)
•Microsoft.DataLakeStore/accounts/encryptionState
IF (1)
•Microsoft.DataLakeStore/accounts
GA Community
Data Lake Data Lake a7ff3161-0087-490a-9ad9-ad6217f4f43a Require encryption on Data Lake Store accounts This policy ensures encryption is enabled on all Data Lake Store accounts. Fixed
deny
IF (1)
•Microsoft.DataLakeStore/accounts/encryptionState
IF (1)
•Microsoft.DataLakeStore/accounts
count: 003
CMMC_L3_SC.3.177, CMMC_L3_SC.3.191, hipaa-0304.09o3Organizational.1-09.o
GA BuiltIn
Data Lake Data Lake 057ef27e-665e-4328-8ea3-04b3122bd9fb Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.DataLakeStore/accounts
count: 027
Azure_Security_Benchmark_v1.0_2.3, Azure_Security_Benchmark_v2.0_LT-4, Azure_Security_Benchmark_v3.0_LT-3, CIS_Azure_1.3.0_5.3, CIS_Azure_1.4.0_5.3, CMMC_2.0_L2_AU.L2-3.3.1, CMMC_2.0_L2_AU.L2-3.3.2, FedRAMP_High_R4_AU-12, FedRAMP_High_R4_AU-12(1), FedRAMP_High_R4_AU-6(4), FedRAMP_High_R4_AU-6(5), FedRAMP_Moderate_R4_AU-12, hipaa-1202.09aa1System.1-09.aa, NIST_SP_800-171_R2_3.3.1, NIST_SP_800-171_R2_3.3.2, NIST_SP_800-53_R4_AU-12, NIST_SP_800-53_R4_AU-12(1), NIST_SP_800-53_R4_AU-6(4), NIST_SP_800-53_R4_AU-6(5), NIST_SP_800-53_R5_AU-12, NIST_SP_800-53_R5_AU-12(1), NIST_SP_800-53_R5_AU-6(4), NIST_SP_800-53_R5_AU-6(5), NZ_ISM_v3.5_AC-18, NZISM_Security_Benchmark_v1.1_AC-17, RBI_CSF_Banks_v2016_17.1, SWIFT_CSCF_v2021_6.4
GA BuiltIn
Data Lake Data Lake c95c74d9-38fe-4f0d-af86-0c7d626a315c Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.DataLakeAnalytics/accounts
count: 027
Azure_Security_Benchmark_v1.0_2.3, Azure_Security_Benchmark_v2.0_LT-4, Azure_Security_Benchmark_v3.0_LT-3, CIS_Azure_1.3.0_5.3, CIS_Azure_1.4.0_5.3, CMMC_2.0_L2_AU.L2-3.3.1, CMMC_2.0_L2_AU.L2-3.3.2, FedRAMP_High_R4_AU-12, FedRAMP_High_R4_AU-12(1), FedRAMP_High_R4_AU-6(4), FedRAMP_High_R4_AU-6(5), FedRAMP_Moderate_R4_AU-12, hipaa-1210.09aa3System.3-09.aa, NIST_SP_800-171_R2_3.3.1, NIST_SP_800-171_R2_3.3.2, NIST_SP_800-53_R4_AU-12, NIST_SP_800-53_R4_AU-12(1), NIST_SP_800-53_R4_AU-6(4), NIST_SP_800-53_R4_AU-6(5), NIST_SP_800-53_R5_AU-12, NIST_SP_800-53_R5_AU-12(1), NIST_SP_800-53_R5_AU-6(4), NIST_SP_800-53_R5_AU-6(5), NZ_ISM_v3.5_AC-18, NZISM_Security_Benchmark_v1.1_AC-17, RBI_CSF_Banks_v2016_17.1, SWIFT_CSCF_v2021_6.4
GA BuiltIn
Databricks Databricks Deny-Databricks-VirtualNetwork Deny Databricks workspaces without Vnet injection Enforces the use of vnet injection for Databricks workspaces. Default
Deny
Allowed
Audit, Disabled, Deny
IF (3)
•Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value
•Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value
•Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value
IF (1)
•Microsoft.Databricks/workspaces
GA ALZ
Databricks Databricks Deny-Databricks-Sku Deny non-premium Databricks sku Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD. Default
Deny
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.DataBricks/workspaces/sku.name
IF (1)
•Microsoft.Databricks/workspaces
GA ALZ
Databricks Databricks Deny-Databricks-NoPublicIp Deny public IPs for Databricks cluster Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. Default
Deny
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value
IF (1)
•Microsoft.Databricks/workspaces
GA ALZ
DB for MySQL DB for MySQL dbformysql_db-for-mysql-ssl-enforce-filter Enforce SSL on all DB for MySQL instances This policy ensures SSL is enforced on all DB for MySQL instances Fixed
deny
IF (1)
•Microsoft.DBforMySQL/servers/sslEnforcement
IF (1)
•Microsoft.DBforMySQL/servers
GA Community
Desktop Virtualization Desktop Virtualization c25dcf31-878f-4eba-98eb-0818fdc6a334 Azure Virtual Desktop hostpools should disable public network access Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.DesktopVirtualization/hostPools/publicNetworkAccess
IF (1)
•Microsoft.DesktopVirtualization/hostpools
GA BuiltIn
Desktop Virtualization Desktop Virtualization a22065a3-3b04-46ff-b84c-2d30e5c300d0 Azure Virtual Desktop hostpools should disable public network access only on session hosts Disabling public network access for your Azure Virtual Desktop hostpool session hosts, but allowing public access for end users improves security by limiting exposure to the public internet. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.DesktopVirtualization/hostPools/publicNetworkAccess
IF (1)
•Microsoft.DesktopVirtualization/hostpools
GA BuiltIn
Desktop Virtualization Desktop Virtualization ca950cd7-02f7-422e-8c23-91ff40f169c1 Azure Virtual Desktop service should use private link Using Azure Private Link with your Azure Virtual Desktop resources can improve security and keep your data safe. Learn more about private links at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Disabled
IF (4)
•Microsoft.DesktopVirtualization/hostpools/privateEndpointConnections[*]
•Microsoft.DesktopVirtualization/hostpools/privateEndpointConnections[*].privateLinkServiceConnectionState.status
•Microsoft.DesktopVirtualization/workspaces/privateEndpointConnections[*]
•Microsoft.DesktopVirtualization/workspaces/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (2)
•Microsoft.DesktopVirtualization/hostpools
•Microsoft.DesktopVirtualization/workspaces
GA BuiltIn
Desktop Virtualization Desktop Virtualization 87ac3038-c07a-4b92-860d-29e270a4f3cd Azure Virtual Desktop workspaces should disable public network access Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.DesktopVirtualization/workspaces/publicNetworkAccess
IF (1)
•Microsoft.DesktopVirtualization/workspaces
GA BuiltIn
Desktop Virtualization Desktop Virtualization 9427df23-0f42-4e1e-bf99-a6133d841c4a Configure Azure Virtual Desktop hostpool resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.DesktopVirtualization/hostpools
•Microsoft.Network/privateEndpoints
GA BuiltIn
Desktop Virtualization Desktop Virtualization 2a0913ff-51e7-47b8-97bb-ea17127f7c8d Configure Azure Virtual Desktop hostpools to disable public network access Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled
count: 1
Desktop Virtualization Host Pool Contributor
IF (1)
•Microsoft.DesktopVirtualization/hostPools/publicNetworkAccess
THEN-Operations (1)
•Microsoft.DesktopVirtualization/hostPools/publicNetworkAccess
IF (1)
•Microsoft.DesktopVirtualization/hostpools
GA BuiltIn
Desktop Virtualization Desktop Virtualization e84e8a9a-f43e-46e3-9458-bbcfb2d7e429 Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts Disable public network access for your Azure Virtual Desktop hostpool session hosts, but allow public access for end users. This allows users to still access AVD service while ensuring the session host is only accessible through private routes. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled
count: 1
Desktop Virtualization Host Pool Contributor
IF (1)
•Microsoft.DesktopVirtualization/hostPools/publicNetworkAccess
THEN-Operations (1)
•Microsoft.DesktopVirtualization/hostPools/publicNetworkAccess
IF (1)
•Microsoft.DesktopVirtualization/hostpools
GA BuiltIn
Desktop Virtualization Desktop Virtualization 7b331e6b-6096-4395-a754-758a64505f19 Configure Azure Virtual Desktop hostpools with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Contributor
THEN-ExistenceCondition (2)
•Microsoft.DesktopVirtualization/hostPools/privateEndpointConnections[*]
•Microsoft.DesktopVirtualization/hostPools/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DesktopVirtualization/hostpools
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Desktop Virtualization Desktop Virtualization 34804460-d88b-4922-a7ca-537165e060ed Configure Azure Virtual Desktop workspace resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.DesktopVirtualization/workspaces
•Microsoft.Network/privateEndpoints
GA BuiltIn
Desktop Virtualization Desktop Virtualization ce6ebf1d-0b94-4df9-9257-d8cacc238b4f Configure Azure Virtual Desktop workspaces to disable public network access Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled
count: 1
Desktop Virtualization Workspace Contributor
IF (1)
•Microsoft.DesktopVirtualization/workspaces/publicNetworkAccess
THEN-Operations (1)
•Microsoft.DesktopVirtualization/workspaces/publicNetworkAccess
IF (1)
•Microsoft.DesktopVirtualization/workspaces
GA BuiltIn
Desktop Virtualization Desktop Virtualization 02aa841c-42e8-492f-a43d-1f2c67e58d41 Configure Azure Virtual Desktop workspaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Contributor
THEN-ExistenceCondition (2)
•Microsoft.DesktopVirtualization/workspaces/privateEndpointConnections[*]
•Microsoft.DesktopVirtualization/workspaces/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DesktopVirtualization/workspaces
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
DevTestLabs DevTestLabs aca94a15-a131-4a06-ab0e-89f57e28cc5c Allowed DevTestLabs Repo URL prefix Fixed
deny
IF (1)
•Microsoft.DevTestLab/labs/artifactSources/uri
GA Community
Disks Disks bf5a4fd6-c74a-49bf-8f3c-f875b7aa4488 Audit OS and data disks encrypted without a customer-managed key Audit if the OS or data disk is encrypted without a customer-managed key. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Compute/disks/encryption.type
IF (1)
•Microsoft.Compute/disks
GA Community
Event Grid Event Grid f8f774be-6aee-492a-9e29-486ef81f3a68 Azure Event Grid domains should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.EventGrid/domains/publicNetworkAccess
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 8bfadddb-ee1c-4639-8911-a38cb8e0b3bd Azure Event Grid domains should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.EventGrid/domains/disableLocalAuth
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 9830b652-8523-49cc-b1b3-e17dce1127ca Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.EventGrid/domains/privateEndpointConnections[*]
•Microsoft.EventGrid/domains/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventGrid/domains
count: 043
Azure_Security_Benchmark_v2.0_NS-2, Azure_Security_Benchmark_v2.0_NS-3, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7
GA BuiltIn
Event Grid Event Grid 8632b003-3545-4b29-85e6-b2b96773df1e Azure Event Grid partner namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.EventGrid/partnerNamespaces/disableLocalAuth
IF (1)
•Microsoft.EventGrid/partnerNamespaces
GA BuiltIn
Event Grid Event Grid 1adadefe-5f21-44f7-b931-a59b54ccdb45 Azure Event Grid topics should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.EventGrid/topics/publicNetworkAccess
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Grid Event Grid ae9fb87f-8a17-4428-94a4-8135d431055c Azure Event Grid topics should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.EventGrid/topics/disableLocalAuth
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Grid Event Grid 4b90e17e-8448-49db-875e-bd83fb6f804f Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.EventGrid/topics/privateEndpointConnections[*]
•Microsoft.EventGrid/topics/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventGrid/topics
count: 043
Azure_Security_Benchmark_v2.0_NS-2, Azure_Security_Benchmark_v2.0_NS-3, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7
GA BuiltIn
Event Grid Event Grid 8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1 Configure Azure Event Grid domains to disable local authentication Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default
Modify
Allowed
Modify, Disabled
count: 1
EventGrid Contributor
IF (1)
•Microsoft.EventGrid/domains/disableLocalAuth
THEN-Operations (1)
•Microsoft.EventGrid/domains/disableLocalAuth
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 2dd0e8b9-4289-4bb0-b813-1883298e9924 Configure Azure Event Grid partner namespaces to disable local authentication Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default
Modify
Allowed
Modify, Disabled
count: 1
EventGrid Contributor
IF (1)
•Microsoft.EventGrid/partnerNamespaces/disableLocalAuth
THEN-Operations (1)
•Microsoft.EventGrid/partnerNamespaces/disableLocalAuth
IF (1)
•Microsoft.EventGrid/partnerNamespaces
GA BuiltIn
Event Grid Event Grid 1c8144d9-746a-4501-b08c-093c8d29ad04 Configure Azure Event Grid topics to disable local authentication Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default
Modify
Allowed
Modify, Disabled
count: 1
EventGrid Contributor
IF (1)
•Microsoft.EventGrid/topics/disableLocalAuth
THEN-Operations (1)
•Microsoft.EventGrid/topics/disableLocalAuth
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Grid Event Grid d389df0a-e0d7-4607-833c-75a6fdac2c2d Deploy - Configure Azure Event Grid domains to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
deployIfNotExists, DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Event Grid Event Grid 36f4658a-848a-467b-881c-e6fa20cf75fc Deploy - Configure Azure Event Grid domains with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
EventGrid Contributor
Network Contributor
THEN-ExistenceCondition (1)
•Microsoft.EventGrid/domains/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventGrid/domains
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Event Grid Event Grid baf19753-7502-405f-8745-370519b20483 Deploy - Configure Azure Event Grid topics to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
deployIfNotExists, DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Event Grid Event Grid 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca Deploy - Configure Azure Event Grid topics with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
EventGrid Contributor
Network Contributor
THEN-ExistenceCondition (1)
•Microsoft.EventGrid/topics/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventGrid/topics
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Event Grid Event Grid eventgrid_enforce-event-grid-sys-topic-handler-type-to-be-storage-account Enforce event grid system topic handler type to be storage account This policy enforces that the event grid system topic handler type is a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.EventGrid/systemTopics/eventSubscriptions/destination.endpointType
GA Community
Event Grid Event Grid eventgrid_enforce-event-grid-system-topic-source-type-be-storage-account Enforce event grid system topic source type to be storage account This policy enforces that the event grid system topic source type is a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.EventGrid/systemTopics/topicType
GA Community
Event Grid Event Grid 898e9824-104c-4965-8e0e-5197588fa5d4 Modify - Configure Azure Event Grid domains to disable public network access Disable public network access for the Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect it against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default
Modify
Allowed
Modify, Disabled
count: 1
EventGrid Contributor
IF (1)
•Microsoft.EventGrid/domains/publicNetworkAccess
THEN-Operations (1)
•Microsoft.EventGrid/domains/publicNetworkAccess
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 36ea4b4b-0f7f-4a54-89fa-ab18f555a172 Modify - Configure Azure Event Grid topics to disable public network access Disable public network access for the Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect it against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default
Modify
Allowed
Modify, Disabled
count: 1
EventGrid Contributor
IF (1)
•Microsoft.EventGrid/topics/publicNetworkAccess
THEN-Operations (1)
•Microsoft.EventGrid/topics/publicNetworkAccess
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Hub Event Hub b278e460-7cfc-4451-8294-cccc40a940d7 All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.EventHub/namespaces/authorizationRules
GA BuiltIn
Event Hub Event Hub eventhub_audit-event-hub-authorization Audit authorization rules on Event Hub namespaces Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity Fixed
Audit
IF (1)
•Microsoft.EventHub/namespaces/authorizationRules
GA Community
Event Hub Event Hub monitoring_event-hub-diagnostic-logs-audit Audit enabling of diagnostic logs in Event Hub Audit enabling of logs and retain them up to a year. This enables recreation of activity trails for investigation purposes when a security incident occurs or your network is compromised Fixed
AuditIfNotExists
THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
IF (1)
•Microsoft.EventHub/namespaces
GA Community
Event Hub Event Hub eventhub_event-hub-entity-authorization-rules-audit Audit existence of authorization rules on Event Hub entities Audit existence of authorization rules on Event Hub entities to grant least-privileged access Fixed
AuditIfNotExists
IF (1)
•Microsoft.EventHub/namespaces/eventhubs
THEN-Details (1)
•Microsoft.EventHub/namespaces/eventHubs/authorizationRules
GA Community
Event Hub Event Hub f4826e5f-6a27-407c-ae3e-9582eb39891d Authorization rules on the Event Hub instance should be defined Audit existence of authorization rules on Event Hub entities to grant least-privileged access Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
IF (1)
•Microsoft.EventHub/namespaces/eventhubs
THEN-Details (1)
•Microsoft.EventHub/namespaces/eventHubs/authorizationRules
count: 001
RMiT_v1.0_10.55
GA BuiltIn
Event Hub Event Hub 5d4e3c65-4873-47be-94f3-6f8b953a3598 Azure Event Hub namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default
Audit
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.EventHub/namespaces/disableLocalAuth
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub 57f35901-8389-40bb-ac49-3ba4f86d889d Configure Azure Event Hub namespaces to disable local authentication Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default
Modify
Allowed
Modify, Disabled
count: 1
Azure Event Hubs Data Owner
IF (1)
•Microsoft.EventHub/namespaces/disableLocalAuth
THEN-Operations (1)
•Microsoft.EventHub/namespaces/disableLocalAuth
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub ed66d4f5-8220-45dc-ab4a-20d1749c74e6 Configure Event Hub namespaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 1
Network Contributor
IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Event Hub Event Hub 91678b7c-d721-4fc5-b179-3cdf74e96b1c Configure Event Hub namespaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 2
Azure Event Hubs Data Owner
Network Contributor
THEN-ExistenceCondition (1)
•Microsoft.EventHub/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventHub/namespaces
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Event Hub Event Hub 33e7e8f1-ea02-4dd0-911d-0fbe0d54d427 Deny - Configure Event Hubs to allow only certain SKUs The policy denies the Basic SKU because one can only create private endpoint connections with Standard or Premium SKU. Default
Deny
Allowed
Audit, Disabled, Deny
IF (1)
•Microsoft.EventHub/namespaces/sku.name
IF (1)
•Microsoft.EventHub/namespaces
GA Community
Event Hub Event Hub f6006471-31cf-4887-a7cb-42724faed672 Deny - Configure Event Hubs to disable public network access The policy denies accessing the resource through public network. Only private endpoints are supported. Default
Deny
Allowed
Deny, Audit, Disabled
IF (1)
•Microsoft.EventHub/namespaces/publicNetworkAccess
IF (1)
•Microsoft.EventHub/namespaces
GA Community
Event Hub Event Hub b47a96dc-ce80-49f5-8718-bee39c051a4b Deny - Configure Event Hubs to use availability zones The policy enforces the usage of regions with availability zones. With availability zones high availability is provided. Default
Deny
Allowed
Disabled, Audit, Deny
IF (1)
•Microsoft.EventHub/namespaces/zoneRedundant
IF (1)
•Microsoft.EventHub/namespaces
GA Community
Event Hub Event Hub 0602787f-9896-402a-a6e1-39ee63ee435e Event Hub Namespaces should disable public network access Azure Event Hub should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service Default
Audit
Allowed
Audit, Deny, Disabled
GA BuiltIn
Event Hub Event Hub 836cd60e-87f3-4e6a-a27c-29d687f01a4c Event Hub namespaces should have double encryption enabled Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Default
Audit
Allowed
Audit, Deny, Disabled
IF (2)
•Microsoft.EventHub/namespaces/clusterArmId
•Microsoft.EventHub/namespaces/encryption.requireInfrastructureEncryption
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub audit-deny-eh-minimum-tls-version-policyDef Event Hub namespaces should have the specified minimum TLS version Configure a minimum TLS version for secure communication between the client application and the Event Hub Namespace. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2. Default
Deny
Allowed
Audit, Deny, Disabled
IF (1)
•Microsoft.EventHub/namespaces/minimumTlsVersion
IF (1)
•Microsoft.EventHub/namespaces
GA Community
Event Hub Event Hub a1ad735a-e96f-45d2-a7b2-9a4932cab7ec Event Hub namespaces should use a customer-managed key for encryption Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. Default
Audit
Allowed
Audit, Disabled
IF (2)
•Microsoft.EventHub/namespaces/clusterArmId
•Microsoft.EventHub/namespaces/encryption.keySource
IF (1)
•Microsoft.EventHub/namespaces
count: 007
CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, RMiT_v1.0_10.53
GA BuiltIn
Event Hub Event Hub b8564268-eb4a-4337-89be-a19db070c59d Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (1)
•Microsoft.EventHub/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventHub/namespaces
count: 036
CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3)
GA BuiltIn
Event Hub Event Hub 83a214f7-d01a-484b-91a9-ed54470c9a6a Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.EventHub/namespaces
count: 028
Azure_Security_Benchmark_v1.0_2.3, Azure_Security_Benchmark_v2.0_LT-4, Azure_Security_Benchmark_v3.0_LT-3, CIS_Azure_1.3.0_5.3, CIS_Azure_1.4.0_5.3, CMMC_2.0_L2_AU.L2-3.3.1, CMMC_2.0_L2_AU.L2-3.3.2, FedRAMP_High_R4_AU-12, FedRAMP_High_R4_AU-12(1), FedRAMP_High_R4_AU-6(4), FedRAMP_High_R4_AU-6(5), FedRAMP_Moderate_R4_AU-12, hipaa-1207.09aa2System.4-09.aa, NIST_SP_800-171_R2_3.3.1, NIST_SP_800-171_R2_3.3.2, NIST_SP_800-53_R4_AU-12, NIST_SP_800-53_R4_AU-12(1), NIST_SP_800-53_R4_AU-6(4), NIST_SP_800-53_R4_AU-6(5), NIST_SP_800-53_R5_AU-12, NIST_SP_800-53_R5_AU-12(1), NIST_SP_800-53_R5_AU-6(4), NIST_SP_800-53_R5_AU-6(5), NZ_ISM_v3.5_AC-18, NZISM_Security_Benchmark_v1.1_AC-17, RBI_CSF_Banks_v2016_17.1, RMiT_v1.0_11.18, SWIFT_CSCF_v2021_6.4
GA BuiltIn
Fluid Relay Fluid Relay 46388f67-373c-4018-98d3-2b83172dd13a Fluid Relay should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Fluid Relay server. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. Learn more at https://docs.microsoft.com/azure/azure-fluid-relay/concepts/customer-managed-keys. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.FluidRelay/fluidRelayServers/encryption.customerManagedKeyEncryption
IF (1)
•Microsoft.FluidRelay/fluidRelayServers
GA BuiltIn
General General c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 [Deprecated]: Allow resource creation only in Asia data centers Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West. Fixed
Deny
Deprecated BuiltIn
General General 94c19f19-8192-48cd-a11b-e37099d3e36b [Deprecated]: Allow resource creation only in European data centers Allows resource creation in the following locations only: North Europe, West Europe. Fixed
Deny
Deprecated BuiltIn
General General 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 [Deprecated]: Allow resource creation only in India data centers Allows resource creation in the following locations only: West India, South India, Central India. Fixed
Deny
Deprecated BuiltIn
General General 983211ba-f348-4758-983b-21fa29294869 [Deprecated]: Allow resource creation only in United States data centers Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US. Fixed
Deny
Deprecated BuiltIn
General General 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9 [Deprecated]: Custom subscription owner roles should not exist This policy is deprecated. Default
Audit
Allowed
Audit, Disabled
IF (4)
•Microsoft.Authorization/roleDefinitions/assignableScopes[*]
•Microsoft.Authorization/roleDefinitions/permissions.actions[*]
•Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]
•Microsoft.Authorization/roleDefinitions/type
IF (1)
•Microsoft.Authorization/roleDefinitions
count: 001
Azure_Security_Benchmark_v2.0_PA-7
Deprecated BuiltIn
General General e56962a6-4747-49cd-b67b-bf8b01975c4c Allowed locations This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. Fixed
deny
IF (1)
•Microsoft.AzureActiveDirectory/b2cDirectories
GA BuiltIn
General General e765b5de-1225-4ba3-bd56-1ac6695af988 Allowed locations for resource groups This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. Fixed
deny
IF (1)
•Microsoft.Resources/subscriptions/resourceGroups
GA BuiltIn
General General a08ec900-254a-4555-9bf5-e42af04b5c5c Allowed resource types This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources, please duplicate this policy and change the 'mode' to 'All'. Fixed
deny
GA BuiltIn
General General 0a914e76-4921-4c19-b460-a2d36003525a Audit resource location matches resource group location Audit that the resource location matches its resource group location. Fixed
audit
count: 001
RMiT_v1.0_10.49
GA BuiltIn
General General a451c1ef-c6ca-483d-87ed-f49761e3ffb5 Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error-prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. Default
Audit
Allowed
Audit, Disabled
IF (1)
•Microsoft.Authorization/roleDefinitions/type
IF (1)
•Microsoft.Authorization/roleDefinitions
count: 046
Azure_Security_Benchmark_v1.0_4.6, Azure_Security_Benchmark_v2.0_PA-7, Azure_Security_Benchmark_v3.0_PA-7, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, CMMC_2.0_L2_AC.L2-3.1.5, CMMC_L3_AC.3.018, FedRAMP_High_R4_AC-2, FedRAMP_High_R4_AC-2(7), FedRAMP_High_R4_AC-6, FedRAMP_High_R4_AC-6(7), FedRAMP_Moderate_R4_AC-2, FedRAMP_Moderate_R4_AC-2(7), FedRAMP_Moderate_R4_AC-6, hipaa-1148.01c2System.78-01.c, hipaa-1230.09c2Organizational.1-09.c, IRS_1075_9.3.1.2, ISO27001-2013_A.9.2.3, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-171_R2_3.1.5, NIST_SP_800-53_R4_AC-2, NIST_SP_800-53_R4_AC-2(7), NIST_SP_800-53_R4_AC-6, NIST_SP_800-53_R4_AC-6(7), NIST_SP_800-53_R5_AC-2, NIST_SP_800-53_R5_AC-2(7), NIST_SP_800-53_R5_AC-6, NIST_SP_800-53_R5_AC-6(7), NZ_ISM_v3.5_AC-18, NZISM_Security_Benchmark_v1.1_AC-17, PCI_DSS_V3.2.1_3.2, PCI_DSS_V3.2.1_7.2.1, PCI_DSS_V3.2.1_8.3.1, PCI_DSS_v4.0_3.3.3, PCI_DSS_v4.0_7.3.1, PCI_DSS_v4.0_8.4.1, RBI_CSF_Banks_v2016_8.1, RBI_CSF_Banks_v2016_8.5, RBI_CSF_Banks_v2016_8.8, RBI_ITF_NBFC_v2017_3.1.a, RBI_ITF_NBFC_v2017_3.1.f, RMiT_v1.0_10.55, RMiT_v1.0_10.60, RMiT_v1.0_10.62, SOC_2_CC6.3
GA BuiltIn
General General 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 Not allowed resource types Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. Default
Deny
Allowed
Audit, Deny, Disabled
count: 001
RMiT_v1.0_11.4
GA BuiltIn
Guest Configuration Guest Configuration faf25c8c-9598-4305-b4de-0aee1317fb31 [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5fc23db3-dd4d-4c56-bcc7-43626243e601 [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
Deprecated BuiltIn
Guest Configuration Guest Configuration ec49586f-4939-402d-a29e-6ff502b20592 [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f19aa1c1-6b91-4c27-ae6a-970279f03db9 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 4d1c04de-2172-403f-901b-90608c35c721 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 3470477a-b35a-49db-aca5-1073d04524fe [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 884b209a-963b-4520-8006-d20cb3c213e0 [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7a031c68-d6ab-406e-a506-697a19c634b0 [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ec7ac234-2af5-4729-94d2-c557c071799d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f1f4825d-58fb-4257-8016-8c00e3c9ed9d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 985285b7-b97a-419c-8d48-c88cc934c8d8 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 40917425-69db-4018-8dae-2a0556cef899 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e5b81f87-9185-4224-bf00-9f505e9f89f3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 498b810c-59cd-4222-9338-352ba146ccf3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 6481cc21-ed6e-4480-99dd-ea7c5222e897 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 3750712b-43d0-478e-9966-d2c26f6141b9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration bbcdd8fa-b600-4ee3-85b8-d184e3339652 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 86880e5c-df35-43c5-95ad-7e120635775e [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f56a3ab2-89d1-44de-ac0d-2ada5962e22a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 36e17963-7202-494a-80c3-f508211c826b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 1f8c20ce-3414-4496-8b26-0e902a1541da [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 12ae2d24-3805-4b37-9fa9-465968bfbcfa [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 437a1f8f-8552-47a8-8b12-a2fee3269dd5 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e425e402-a050-45e5-b010-bd3f934589fc [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e3d95ab7-f47a-49d8-a347-784177b6c94c [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c1e289c0-ffad-475d-a924-adc058765d65 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 0a9991e6-21be-49f9-8916-a06d934bcf29 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 42a07bbf-ffcf-459a-b4b1-30ecd118a505 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c04255ee-1b9f-42c1-abaa-bf1553f79930 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 8e170edb-e0f5-497a-bb36-48b3280cec6a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 97b595c8-fd10-400e-8543-28e2b9138b13 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ce2370f6-0ac5-4d85-8ab4-10721cc640b0 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f8b0158d-4766-490f-bea0-259e52dba473 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 815dcc9f-6662-43f2-9a03-1b83e9876f24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7040a231-fb65-4412-8c0a-b365f4866c24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 909c958d-1b99-4c74-b88f-46a5c5bc34f9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 144f1397-32f9-4598-8c88-118decc3ccba [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 93507a81-10a4-4af0-9ee2-34cf25a96e98 [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration b821191b-3a12-44bc-9c38-212138a29ff3 [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration d38b4c26-9d2e-47d7-aefe-18d859a8706a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 68511db2-bd02-41c4-ae6b-1900a012968a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5bb36dda-8a78-4df9-affd-4f05a8612a8a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 32b1e4d4-6cd5-47b4-a935-169da8a5c262 [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 726671ac-c4de-4908-8c7d-6043ae62e3b6 [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists
count: 1
Contributor
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines