last sync: 2020-Dec-03 15:30:53 UTC

All Azure Policy definitions

Category Id DisplayName Description Effect Roles used State
API for FHIR 051cba44-2429-45b9-9649-46cec11c7119 Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Default: audit
Allowed: (audit, disabled)
GA
API for FHIR 0fea8f8a-4169-495d-8307-30ec335f387d CORS should not allow every domain to access your API for FHIR Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. Default: audit
Allowed: (audit, disabled)
GA
API for FHIR 1ee56206-5dd1-42ab-b02d-8aae8b1634ce Azure API for FHIR should use private link Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. Default: Audit
Allowed: (Audit, Disabled)
GA
API Management ef619a2c-cc4d-4d03-b2ba-8c94a834d85b API Management services should use a virtual network Virtual network on API Management services of the specified SKU should be enabled. Default: Audit
Allowed: (Audit, Disabled)
GA
App Configuration ca610c1d-041c-4332-9d88-7ed3094967c7 App Configuration should use a private link Private endpoint connections allow clients on a virtual network to securely access Azure App Configuration over a private link. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Configuration 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 App Configuration should use a customer-managed key Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
App Platform af35e2a4-ef96-44e7-a9ae-853dd97032c4 Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from the Internet. 2. Enable Azure Spring Cloud to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Default: Audit
Allowed: (Audit, Disabled, Deny)
GA
App Platform 0f2d8593-4667-4932-acca-6a9f187af109 [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. Default: Audit
Allowed: (Audit, Disabled)
Preview
App Service 7261b898-8a84-4db8-9e04-18527132abb3 Ensure that 'PHP version' is the latest, if used as a part of the WEB app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 843664e0-7563-41ee-a9cb-7522c382d2c4 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
App Service 2b9ad585-36bc-4615-b300-fd4435808332 Managed identity should be used in your Web App Use a managed identity for enhanced authentication security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Audit
Allowed: (Audit, Disabled)
GA
App Service 0c192fe8-9cbb-4516-85b3-0ade8bd03886 Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default: Audit
Allowed: (Audit, Disabled)
GA
App Service ab965db2-d2bf-4b64-8b39-c38ec8179461 [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app PHP cannot be used with Function apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
App Service f9d614c5-c173-4d56-95a7-b4437057d193 Latest TLS version should be used in your Function App Upgrade to the latest TLS version Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service a4af4a39-4135-47fb-b175-47fbdf85311d Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Audit
Allowed: (Audit, Disabled)
GA
App Service 0e60b895-3786-45da-8377-9c6b4b6ac5f9 Remote debugging should be turned off for Function Apps Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 74c3584d-afae-46f7-a20a-6f8adba71a16 Ensure that 'Python version' is the latest, if used as a part of the API app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 991310cd-e9f3-47bc-b7b6-f57b557d07db Ensure that 'HTTP Version' is the latest, if used to run the API app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 0820b7b9-23aa-4725-a1ce-ae4558f718e5 CORS should not allow every resource to access your Function Apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 752c6934-9bcc-4749-b004-655e676ae2ac [Deprecated]: Audit enabling of diagnostic logs in App Services Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised Default: Audit
Allowed: (Audit, Disabled)
Deprecated
App Service 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 FTPS only should be required in your API App Enable FTPS enforcement for enhanced security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 496223c3-ad65-4ecd-878a-bae78737e9ed Ensure that 'Java version' is the latest, if used as a part of the Web app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 Authentication should be enabled on your Function app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service cb510bfd-1cba-4d9f-a230-cb0976f4bb71 Remote debugging should be turned off for Web Applications Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac CORS should not allow every resource to access your API App Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service c4ebc54a-46e1-481a-bee2-d4411e95d828 Authentication should be enabled on your API app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service aa81768c-cb87-4ce2-bfaa-00baa10d760c [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
App Service 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc Ensure that 'Java version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service c4d441f8-f9d9-4a9e-9cef-e82117cb3eef Managed identity should be used in your API App Use a managed identity for enhanced authentication security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 6ad61431-88ce-4357-a0e1-6da43f292bd7 [Deprecated]: Ensure WEB app is using the latest version of TLS encryption Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
App Service 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 CORS should not allow every resource to access your Web Applications Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e Latest TLS version should be used in your API App Upgrade to the latest TLS version Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b Latest TLS version should be used in your Web App Upgrade to the latest TLS version Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 7008174a-fd10-4ef0-817e-fc820a951d73 Ensure that 'Python version' is the latest, if used as a part of the Web app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 8c122334-9d20-4eb8-89ea-ac9a705b74ae Ensure that 'HTTP Version' is the latest, if used to run the Web app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 399b2637-a50f-4f95-96f8-3a145476eb15 FTPS only should be required in your Function App Enable FTPS enforcement for enhanced security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 0da106f2-4ca3-48e8-bc85-c638fe6aea8f Managed identity should be used in your Function App Use a managed identity for enhanced authentication security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 10c1859c-e1a7-4df3-ab97-a487fa8059f6 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
App Service b7ddfbdc-1260-477d-91fd-98bd9be789a6 API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Audit
Allowed: (Audit, Disabled)
GA
App Service 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b FTPS should be required in your Web App Enable FTPS enforcement for enhanced security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service f0473e7a-a1ba-4e86-afb2-e829e11b01d8 [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
App Service 95bccee9-a7f8-4bec-9ee9-62c3473701fc Authentication should be enabled on your web app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 88999f4c-376a-45c8-bcb3-4058f713cf39 Ensure that 'Java version' is the latest, if used as a part of the API app Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Java version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 86d97760-d216-4d81-a3ad-163087b2b6c3 [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
App Service eaebaea7-8013-4ceb-9d14-7eb32271373c Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default: Audit
Allowed: (Audit, Disabled)
GA
App Service c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
App Service 58d94fc1-a072-47c2-bd37-9cdb38e77453 [Deprecated]: Ensure Function app is using the latest version of TLS encryption Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
App Service b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 Diagnostic logs in App Services should be enabled Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 5bb220d9-2698-4ee4-8404-b9c30c9df609 Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default: Audit
Allowed: (Audit, Disabled)
GA
App Service 7238174a-fd10-4ef0-817e-fc820a951d73 Ensure that 'Python version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service e2c1c086-2d84-4019-bff3-c44ccd95113c Ensure that 'HTTP Version' is the latest, if used to run the Function app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service e9c8d085-d9cc-4b17-9cdc-059f1f01f19e Remote debugging should be turned off for API Apps Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
App Service 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba Ensure that 'PHP version' is the latest, if used as a part of the API app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Automanage 270610db-8c04-438a-a739-e8e6745b22d3 Enable Automanage - Azure virtual machine best practices Automanage enrolls, configures, and monitors virtual machines with Azure VM best practice services. Use this policy to apply Automanage to your selected scope. Fixed: deployIfNotExists Contributor GA
Automation 3657f5a0-770e-44a3-b44e-9431ba1e9735 Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Azure Data Explorer ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 Double encryption should be enabled on Azure Data Explorer Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Azure Data Explorer f4b53539-8df9-40e4-86c6-6b607703bd4e Disk encryption should be enabled on Azure Data Explorer Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Azure Data Explorer 81e74cea-30fd-40d5-802f-d72103c2aaaa Azure Data Explorer encryption at rest should use a customer-managed key Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to manage the keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Azure Data Explorer 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413 Virtual network injection should be enabled for Azure Data Explorer Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Backup c717fb0c-d118-4c43-ab3d-ece30ac81fb3 [Preview]: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. Fixed: deployIfNotExists Monitoring Contributor, Log Analytics Contributor Preview
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 [Preview]: Configure backup on VMs with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor, Backup Contributor Preview
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 [Preview]: Configure backup on VMs without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag Fixed: deployIfNotExists Virtual Machine Contributor, Backup Contributor Preview
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on VMs without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor, Backup Contributor GA
Backup 013e242c-8828-4970-87b3-ab247555486d Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e [Preview]: Configure backup on VMs with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag Fixed: deployIfNotExists Virtual Machine Contributor, Backup Contributor Preview
Batch 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 Metric alert rules should be configured on Batch accounts Audit configuration of metric alert rules on Batch account to enable the required metric Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Batch 428256e6-1fac-4f48-a757-df34c2b3336d Diagnostic logs in Batch accounts should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Cache 7d092e0a-7acd-40d2-a975-dca21cae48c4 Azure Cache for Redis should reside within a virtual network Azure Cache for Redis has the ability to reside within a virtual network, which is a way for the resource to have a non-public endpoint controlled and managed by the user. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Cache 22bee202-a82f-4305-9a2a-6d7f44d4dedb Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Cognitive Services 46aa9b05-0e60-4eae-a88b-1e9d374fa515 Cognitive Services accounts should use customer owned storage This policy audits any Cognitive Services account not using customer owned storage. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Cognitive Services 67121cc7-ff39-4ab8-b7e3-95b84dab487d Cognitive Services accounts should enable data encryption with customer-managed key Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys for data stored in Cognitive Services. This is often required to meet compliance requirements. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca Public network access should be disabled for Cognitive Services accounts This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Cognitive Services 11566b39-f7f7-4b82-ab06-68d8700eb0a4 Cognitive Services accounts should use customer owned storage or enable data encryption. This policy audits any Cognitive Services account using neither customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Cognitive Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Cognitive Services accounts should restrict network access Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Cognitive Services 2bdd0062-9d75-436e-89df-487dd8e4b3c7 Cognitive Services accounts should enable data encryption This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, enable data encryption with either a customer-managed or a Microsoft-managed key. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Compute 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 [Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the selected Log Analytics workspace Fixed: deployIfNotExists Log Analytics Contributor Deprecated
Compute 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Fixed: auditIfNotExists GA
Compute cccc23c7-8427-4f53-ad12-b6a63eb452b3 Allowed virtual machine size SKUs This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. Fixed: Deny GA
Compute 2835b622-407b-4114-9198-6f7064cbe0dc Deploy default Microsoft IaaSAntimalware extension for Windows Server This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. Fixed: deployIfNotExists Virtual Machine Contributor GA
Compute 06a78e20-9358-41c9-923c-fb736d382a4d Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks Fixed: audit GA
Compute c43e4a30-77cb-48ab-a4dd-93f175c63b57 Microsoft Antimalware for Azure should be configured to automatically update protection signatures This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Compute 465f0161-0087-490a-9ad9-ad6217f4f43a Require automatic OS image patching on Virtual Machine Scale Sets This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month. Fixed: deny GA
Compute 9b597639-28e4-48eb-b506-56b05d366257 Microsoft IaaSAntimalware extension should be deployed on Windows servers This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Compute 1d84d5fb-01f6-4d12-ba4f-4a26081d403d Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Compute c0e996f8-39cf-4af9-9f45-83fbde810432 Only approved VM extensions should be installed This policy governs the virtual machine extensions that are not approved. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Compute 2c89a2e5-7285-40fe-afe0-ae8654b92fb2 Unattached disks should be encrypted This policy audits any unattached disk without encryption enabled. Default: Audit
Allowed: (Audit, Disabled)
GA
Compute 7c1b1214-f927-48bf-8882-84f0af6588b1 Diagnostic logs in Virtual Machine Scale Sets should be enabled It is recommended to enable logs so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Container Registry e8eef0a8-67cf-4eb4-9386-14b0e78733d4 Container registries should use private links Audit container registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. Public access can then be disabled to ensure that only private links can be used to connect to the registry. For more information, visit: https://aka.ms/acr/private-link. Default: Audit
Allowed: (Audit, Disabled)
GA
Container Registry 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 Container registries should be encrypted with a customer-managed key (CMK) Audit or deny container registries that do not have encryption enabled with customer-managed keys (CMK). Azure automatically encrypts registry contents at rest with service-managed keys. You can supplement default encryption with an additional encryption layer using a key that you create and manage in Azure Key Vault. For more information on CMK encryption, please visit: https://aka.ms/acr/CMK. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Container Registry d0793b48-0edc-4296-a390-4c75d1bdfd71 Container registries should not allow unrestricted network access Audit container registries that do not have any network or firewall (IP) rules configured and so allow all network access by default. Restricting network access protects container registries from potential threats. Container registries with at least one IP / firewall rule or configured virtual network are deemed compliant. For more information on Container Registry network rules, visit: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. Default: Audit
Allowed: (Audit, Disabled)
GA
Cosmos DB 4750c32b-89c0-46af-bfcb-2e4541a818d5 Azure Cosmos DB key based metadata write access should be disabled This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. Fixed: append GA
Cosmos DB 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf Azure Cosmos DB throughput should be limited This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. Default: deny
Allowed: (audit, deny, disabled)
GA
Cosmos DB 1f905d99-2ab7-462c-a6b0-f709acca6c8f Azure Cosmos DB account should use customer-managed keys to encrypt data at rest Use customer-managed keys to control the encryption at rest of the data stored in Azure Cosmos DB when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. See https://aka.ms/cosmosdb-cmk Default: audit
Allowed: (audit, deny, disabled)
GA
Cosmos DB 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb Azure Cosmos DB accounts should have firewall rules Audit or deny resources that do not have any IP rules configured and allow all networks by default. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA
Cosmos DB 0473574d-2d43-4217-aefe-941fcdf7e684 Azure Cosmos DB allowed locations This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. Default: deny
Allowed: (deny, audit, disabled)
GA
Cosmos DB b5f04e03-92a3-4b09-9410-2cc5e5047656 Deploy Advanced Threat Protection for Cosmos DB Accounts This policy enables Advanced Threat Protection across Cosmos DB accounts. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin GA
Custom Provider c15c281f-ea5c-44cd-90b8-fc3c14d13f0c Deploy associations for a custom provider Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. Fixed: deployIfNotExists Contributor GA
Data Lake c95c74d9-38fe-4f0d-af86-0c7d626a315c Diagnostic logs in Data Lake Analytics should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Data Lake 057ef27e-665e-4328-8ea3-04b3122bd9fb Diagnostic logs in Azure Data Lake Store should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Data Lake a7ff3161-0087-490a-9ad9-ad6217f4f43a Require encryption on Data Lake Store accounts This policy ensures encryption is enabled on all Data Lake Store accounts Fixed: deny GA
Event Grid 4b90e17e-8448-49db-875e-bd83fb6f804f Azure Event Grid topics should use private links Audit Azure Event Grid topics that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections via private links. For more information, visit https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Disabled)
GA
Event Grid 9830b652-8523-49cc-b1b3-e17dce1127ca Azure Event Grid domains should use private links Audit Azure Event Grid domains that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections via private links. For more information, visit https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Disabled)
GA
Event Hub b278e460-7cfc-4451-8294-cccc40a940d7 All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Event Hub 83a214f7-d01a-484b-91a9-ed54470c9a6a Diagnostic logs in Event Hub should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Event Hub f4826e5f-6a27-407c-ae3e-9582eb39891d Authorization rules on the Event Hub instance should be defined Audit existence of authorization rules on Event Hub entities to grant least-privileged access Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
General 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 [Deprecated]: Allow resource creation only in India data centers Allows resource creation in the following locations only: West India, South India, Central India Fixed: Deny Deprecated
General e765b5de-1225-4ba3-bd56-1ac6695af988 Allowed locations for resource groups This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. Fixed: deny GA
General 0a914e76-4921-4c19-b460-a2d36003525a Audit resource location matches resource group location Audit that the resource location matches its resource group location Fixed: audit GA
General 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9 Custom subscription owner roles should not exist This policy ensures that no custom subscription owner roles exist. Default: Audit
Allowed: (Audit, Disabled)
GA
General 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 Not allowed resource types This policy enables you to specify the resource types that your organization cannot deploy. Fixed: Deny GA
General c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 [Deprecated]: Allow resource creation only in Asia data centers Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West Fixed: Deny Deprecated
General 94c19f19-8192-48cd-a11b-e37099d3e36b [Deprecated]: Allow resource creation only in European data centers Allows resource creation in the following locations only: North Europe, West Europe Fixed: Deny Deprecated
General a451c1ef-c6ca-483d-87ed-f49761e3ffb5 Audit usage of custom RBAC rules Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Default: Audit
Allowed: (Audit, Disabled)
GA
General e56962a6-4747-49cd-b67b-bf8b01975c4c Allowed locations This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. Fixed: deny GA
General a08ec900-254a-4555-9bf5-e42af04b5c5c Allowed resource types This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. Fixed: deny GA
General 983211ba-f348-4758-983b-21fa29294869 [Deprecated]: Allow resource creation only in United States data centers Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US Fixed: Deny Deprecated
Guest Configuration 24dde96d-f0b1-425e-884f-4a1421e2dcdc [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration f0633351-c7b2-41ff-9981-508fc08553c2 [Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration c1e289c0-ffad-475d-a924-adc058765d65 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration c21f7060-c148-41cf-a68b-0ab3e14c764c [Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a [Deprecated]: Show audit results from Windows VMs on which the specified services are not installed and 'Running' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration c40c9087-1981-4e73-9f53-39743eda9d05 [Deprecated]: Show audit results from Linux VMs that have accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration ee984370-154a-4ee8-9726-19d900e56fc0 Windows machines should meet requirements for 'Security Options - Accounts' Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 4d1c04de-2172-403f-901b-90608c35c721 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration ec49586f-4939-402d-a29e-6ff502b20592 [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration c8abcef9-fc26-482f-b8db-5fa60ee4586d [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration ebb67efd-3c46-49b0-adfe-5599eb944998 Audit Windows machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. Fixed: auditIfNotExists GA
Guest Configuration 29829ec2-489d-4925-81b7-bda06b1718e0 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration c633f6a2-7f8b-4d9e-9456-02f0f04f5505 Audit Windows machines that are not set to the specified time zone Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. Fixed: auditIfNotExists GA
Guest Configuration c648fbbb-591c-4acd-b465-ce9b176ca173 Audit Windows machines that do not have the specified Windows PowerShell execution policy Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 2a7a701e-dff3-4da9-9ec5-42cb98594c0b Windows machines should meet requirements for 'System Audit Policies - Policy Change' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration ec7ac234-2af5-4729-94d2-c557c071799d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration c5b85cba-6e6f-4de4-95e1-f0233cd712ac Audit Windows machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. Fixed: auditIfNotExists GA
Guest Configuration ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that allow remote connections from accounts without passwords. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 8e170edb-e0f5-497a-bb36-48b3280cec6a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration c961dac9-5916-42e8-8fb1-703148323994 [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 35d9882c-993d-44e6-87d2-db66ce21b636 Windows machines should meet requirements for 'Windows Firewall Properties' Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 42a07bbf-ffcf-459a-b4b1-30ecd118a505 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration e425e402-a050-45e5-b010-bd3f934589fc [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 4221adbc-5c0f-474f-88b7-037a99e6114c Audit Windows VMs with a pending reboot Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. Fixed: auditIfNotExists GA
Guest Configuration d6c69680-54f0-4349-af10-94dd05f4225e Windows machines should meet requirements for 'Security Options - Microsoft Network Client' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration e3d95ab7-f47a-49d8-a347-784177b6c94c [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration e3a77a94-cf41-4ee8-b45c-98be28841c03 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration d7ccd0ca-8d78-42af-a43d-6b7f928accbc [Deprecated]: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 36e17963-7202-494a-80c3-f508211c826b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 40917425-69db-4018-8dae-2a0556cef899 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 3750712b-43d0-478e-9966-d2c26f6141b9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration da0f98fe-a24b-4ad5-af69-bd0400233661 Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Windows machines that do not store passwords using reversible encryption. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd Windows machines should meet requirements for 'Security Options - Network Access' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 Audit Windows machines that do not have the specified Windows PowerShell modules installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 385f5831-96d4-41db-9a3c-cd3af78aaae6 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor GA
Guest Configuration dd4680ed-0559-4a6a-ad10-081d14cbb484 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 Audit Windows machines that have extra accounts in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. Fixed: auditIfNotExists GA
Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify Contributor GA
Guest Configuration ddb53c61-9db4-41d4-a953-2abff5b66c12 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration e0efc13a-122a-47c5-b817-2ccfe5d12615 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 3aa2661b-02d7-4ba6-99bc-dc36b10489fd Windows machines should meet requirements for 'Administrative Templates - Control Panel' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 437a1f8f-8552-47a8-8b12-a2fee3269dd5 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 35781875-8026-4628-b19b-f6efb4d88a1d Windows machines should meet requirements for 'System Audit Policies - Object Access' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 356a906e-05e5-4625-8729-90771e0ee934 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 Windows machines should meet requirements for 'System Audit Policies - Account Logon' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration c96f3246-4382-4264-bf6b-af0b35e23c3c [Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 2d60d3b7-aa10-454c-88a8-de39d99d17c6 [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 2d67222d-05fd-4526-a171-2ee132ad9e83 [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration caf2d518-f029-4f6b-833b-d7081702f253 Windows machines should meet requirements for 'Security Options - Microsoft Network Server' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 498b810c-59cd-4222-9338-352ba146ccf3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 2f262ace-812a-4fd0-b731-b38ba9e9708d Windows machines should meet requirements for 'Security Options - System objects' Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify Contributor GA
Guest Configuration cc7cda28-f867-4311-8497-a526129a8d19 [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 30040dab-4e75-4456-8273-14b8f75d91d9 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 492a29ed-d143-4f03-b6a4-705ce081b463 Windows machines should meet requirements for 'Security Options - User Account Control' Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 Audit Windows machines missing any of specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. Fixed: auditIfNotExists GA
Guest Configuration 4ceb8dc2-559c-478b-a15b-733fbf1e3738 Audit Windows machines that do not have a maximum password age of 70 days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Windows machines that do not have a maximum password age of 70 days. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 315c850a-272d-4502-8935-b79010405970 [Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration ce2370f6-0ac5-4d85-8ab4-10721cc640b0 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 32b1e4d4-6cd5-47b4-a935-169da8a5c262 [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration e6ebf138-3d71-4935-a13b-9c7fdddd94df Audit Windows machines on which the specified services are not installed and 'Running' Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the result of the Windows PowerShell command Get-Service does not include the service name with matching status as specified by the policy parameter. Fixed: auditIfNotExists GA
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor GA
Guest Configuration 33936777-f2ac-45aa-82ec-07958ec9ade4 Windows machines should meet requirements for 'Security Options - Audit' Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration e6955644-301c-44b5-a4c4-528577de6861 Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that do not have the passwd file permissions set to 0644. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 3470477a-b35a-49db-aca5-1073d04524fe [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration e5b81f87-9185-4224-bf00-9f505e9f89f3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration d38b4c26-9d2e-47d7-aefe-18d859a8706a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration d3b823c9-e0fc-4453-9fb2-8213b7338523 Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Fixed: auditIfNotExists GA
Guest Configuration d472d2c9-d6a3-4500-9f5f-b15f123005aa Windows machines should meet requirements for 'Security Options - Interactive Logon' Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration cdbf72d9-ac9c-4026-8a3a-491a5ac59293 [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Audit Windows web servers that are not using secure communication protocols Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. Fixed: auditIfNotExists GA
Guest Configuration bc87d811-4a9b-47cc-ae54-0a41abda7768 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 237b38db-ca4d-4259-9e47-7882441ca2c0 Audit Windows machines that do not have a minimum password age of 1 day Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Windows machines that do not have a minimum password age of 1 day. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 7e56b49b-5990-4159-a734-511ea19b731c [Deprecated]: Show audit results from Windows VMs that have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 7a031c68-d6ab-406e-a506-697a19c634b0 [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 9f658460-46b7-43af-8565-94fc0662be38 [Deprecated]: Show audit results from Windows VMs that are not set to the specified time zone This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration a030a57e-4639-4e8f-ade9-a92f33afe7ee [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 0a9991e6-21be-49f9-8916-a06d934bcf29 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration a1e8dda3-9fd2-4835-aec3-0e55531fde33 [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration a29ee95c-0395-4515-9851-cc04ffe82a91 [Deprecated]: Show audit results from Windows VMs that are not joined to the specified domain This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Audit Windows machines that do not restrict the minimum password length to 14 characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Windows machines that do not restrict the minimum password length to 14 characters. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 726671ac-c4de-4908-8c7d-6043ae62e3b6 [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 7229bd6a-693d-478a-87f0-1dc1af06f3b8 [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 7227ebe5-9ff7-47ab-b823-171cd02fb90f [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 0d9b45ff-9ddd-43fc-bf59-fbd1c8423053 [Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 7066131b-61a6-4917-a7e4-72e8983f0aa6 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 7040a231-fb65-4412-8c0a-b365f4866c24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration fee5cb2b-9d9b-410e-afe3-2902d90d0004 [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 0ecd903d-91e7-4726-83d3-a229d7f2e293 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration a9a33475-481d-4b81-9116-0bf02ffe67e8 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 106ccbe4-a791-4f33-a44a-06796944b8d5 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration fcbc55c9-f25a-4e55-a6cb-33acb3be778b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd [Preview]: Linux machines should meet requirements for the Azure security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not meet the requirements for the Azure security baseline. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
Guest Configuration 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f Audit Windows machines that have the specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. Fixed: auditIfNotExists GA
Guest Configuration 12017595-5a75-4bb1-9d97-4c2c939ea3c3 Windows machines should meet requirements for 'Security Options - System settings' Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration b18175dd-c599-4c64-83ba-bb018a06d35b [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 7e84ba44-6d03-46fd-950e-5efa5a1112fa [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd Audit Windows machines on which the DSC configuration is not compliant Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. Fixed: auditIfNotExists GA
Guest Configuration 8ff0b18b-262e-4512-857a-48ad0aeb9a78 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 909c958d-1b99-4c74-b88f-46a5c5bc34f9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 8bbd627e-4d25-4906-9a6e-3789780af3ec [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 90ba2ee7-4ca8-4673-84d1-c851c50d3baf [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 8b0de57a-f511-4d45-a277-17cb79cb163b [Deprecated]: Show audit results from Windows VMs with a pending reboot This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 8a39d1f1-5513-4628-b261-f469a5a3341b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 9178b430-2295-406e-bb28-f6a7a2a2f897 [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 02a84be7-c304-421f-9bb7-5d2c26af54ad [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 884b209a-963b-4520-8006-d20cb3c213e0 [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 9328f27e-611e-44a7-a244-39109d7d35ab [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 934345e1-4dfb-4c70-90d7-41990dc9608b Audit Windows machines that do not contain the specified certificates in Trusted Root Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. Fixed: auditIfNotExists GA
Guest Configuration 87b590fe-4a1d-4697-ae74-d4fe72ab786c [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 1221c620-d201-468c-81e7-2817e6107e84 Windows machines should meet requirements for 'Security Options - Network Security' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 8794ff4f-1a35-4e18-938f-0b22055067cd Windows machines should meet requirements for 'Security Options - Devices' Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 93507a81-10a4-4af0-9ee2-34cf25a96e98 [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Fixed: auditIfNotExists GA
Guest Configuration 94d9aca8-3757-46df-aa51-f218c5f11954 Windows machines should meet requirements for 'System Audit Policies - Account Management' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 86880e5c-df35-43c5-95ad-7e120635775e [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 8537fe96-8cbe-43de-b0ef-131bc72bc22a Windows machines should meet requirements for 'Windows Components' Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 968410dc-5ca0-4518-8a5b-7b55f0530ea9 Windows machines should meet requirements for 'Administrative Templates - System' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 84662df4-0e37-44a6-9ce1-c9d2150db18c Audit Windows machines that are not joined to the specified domain Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. Fixed: auditIfNotExists GA
Guest Configuration 97646672-5efa-4622-9b54-740270ad60bf [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 97b595c8-fd10-400e-8543-28e2b9138b13 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 8316fa92-d69c-4810-8124-62414f560dcf Windows machines should meet requirements for 'System Audit Policies - System' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 985285b7-b97a-419c-8d48-c88cc934c8d8 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 815dcc9f-6662-43f2-9a03-1b83e9876f24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 87845465-c458-45f3-af66-dcd62176f397 Windows machines should meet requirements for 'System Audit Policies - Privilege Use' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 58383b73-94a9-4414-b382-4146eb02611b Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 68511db2-bd02-41c4-ae6b-1900a012968a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 12ae2d24-3805-4b37-9fa9-465968bfbcfa [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration bbcdd8fa-b600-4ee3-85b8-d184e3339652 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration e0a7e899-2ce2-4253-8a13-d808fdeb75af Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 5c028d2a-1889-45f6-b821-31f42711ced8 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 5bb36dda-8a78-4df9-affd-4f05a8612a8a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration f56a3ab2-89d1-44de-ac0d-2ada5962e22a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 [Deprecated]: Show audit results from Linux VMs that have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration f4b245d4-46c9-42be-9b1a-49e2b5b94194 [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration bde62c94-ccca-4821-a815-92c1d31a76de [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 5b054a0d-39e2-4d53-bea3-9734cad2c69b Audit Windows machines that allow re-use of the previous 24 passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow re-use of the previous 24 passwords. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 5aebc8d1-020d-4037-89a0-02043a7524ec [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 1f8c20ce-3414-4496-8b26-0e902a1541da [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration f48b2913-1dc5-4834-8c72-ccc1dfd819bb [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 67e010c1-640d-438e-a3a5-feaccb533a98 Windows machines should meet requirements for 'Administrative Templates - Network' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration beb6ccee-b6b8-4e91-9801-a5fa4260a104 Audit Windows machines that have not restarted within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. Fixed: auditIfNotExists GA
Guest Configuration f3b9ad83-000d-4dc1-bff0-6d54533dd03f [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration f3b44e5d-1456-475f-9c67-c66c4618e85a [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration bed48b13-6647-468e-aa2f-1af1d3f4dd40 Audit Windows machines on which Windows Defender Exploit Guard is not enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the PowerShell command Get-MPPreference returns configuration details that do not match expected values. Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 21e2995e-683e-497a-9e81-2f42ad07050a [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration bf16e0bb-31e1-4646-8202-60a235cc7e74 Audit Windows machines that do not have the password complexity setting enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the password complexity setting enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 58c460e9-7573-4bb2-9676-339c2f2486bb Audit Windows machines on which Windows Serial Console is not enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. Fixed: auditIfNotExists GA
Guest Configuration c04255ee-1b9f-42c1-abaa-bf1553f79930 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 225e937e-d32e-4713-ab74-13ce95b3519a [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration f2143251-70de-4e81-87a8-36cee5a2f29d Windows machines should meet requirements for 'Security Settings - Account Policies' Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration f1f4825d-58fb-4257-8016-8c00e3c9ed9d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 23020aa6-1135-4be2-bae2-149982b06eca [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration f19aa1c1-6b91-4c27-ae6a-970279f03db9 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 5aa11bbc-5c76-4302-80e5-aba46a4282e7 [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration ba12366f-f9a6-42b8-9d98-157d0b1a837b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 Windows machines should meet requirements for 'Security Options - Recovery console' Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 12f7e5d0-42a7-4630-80d8-54fb7cff9bd6 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration faf25c8c-9598-4305-b4de-0aee1317fb31 Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration b2fc8f91-866d-4434-9089-5ebfe38d6fd8 [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration b3802d79-dd88-4bce-b81d-780218e48280 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration b4a4d1eb-0263-441b-84cb-a44073d8372d Windows machines should meet requirements for 'Security Options - Shutdown' Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 6481cc21-ed6e-4480-99dd-ea7c5222e897 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 1417908b-4bff-46ee-a2a6-4acc899320ab Audit Windows machines that contain certificates expiring within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. Fixed: auditIfNotExists GA
Guest Configuration 144f1397-32f9-4598-8c88-118decc3ccba [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Audit Linux machines that are not using SSH key for authentication Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine allows passwords for authenticating through SSH. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 5e393799-e3ca-4e43-a9a5-0ec4648a57d9 [Deprecated]: Show audit results from Windows VMs that do not have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 630ac30f-a234-4533-ac2d-e0df77acda51 Audit Windows machines network connectivity Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. Fixed: auditIfNotExists GA
Guest Configuration 16390df4-2f73-4b42-af13-c801066763df [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 16f9b37c-4408-4c30-bc17-254958f2e2d6 [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 19be9779-c776-4dfa-8a15-a2fd5dc843d6 Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 5fc23db3-dd4d-4c56-bcc7-43626243e601 Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Guest Configuration 60aeaf73-a074-417a-905f-7ce9df0ff77b [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 60ffe3e2-4604-4460-8f22-0f1da058266c [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 6265018c-d7e2-432f-a75d-094d5f6f4465 Audit Windows machines on which the Log Analytics agent is not connected as expected Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. Fixed: auditIfNotExists GA
Guest Configuration f8036bd0-c10b-4931-86bb-94a878add855 [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration b872a447-cc6f-43b9-bccf-45703cd81607 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration 6141c932-9384-44c6-a395-59e4c057d7c9 Configure time zone on Windows machines. This policy creates a Guest Configuration assignment to set the specified time zone on Windows virtual machines. Fixed: deployIfNotExists Contributor GA
Guest Configuration b821191b-3a12-44bc-9c38-212138a29ff3 [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration 620e58b5-ac75-49b4-993f-a9d4f0459636 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists Deprecated
Guest Configuration f8b0158d-4766-490f-bea0-259e52dba473 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor Deprecated
Guest Configuration e068b215-0026-4354-b347-8fb2766f73a2 Windows machines should meet requirements for 'User Rights Assignment' Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Internet of Things 383856f8-de7f-44a2-81fc-e5135b5c2aa4 Diagnostic logs in IoT Hub should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 [Preview]: Firewall should be enabled on Key Vault The key vault firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the key vault firewall to make sure that only traffic from allowed networks can access your key vault. Default: Audit
Allowed: (Audit, Disabled)
Preview
Key Vault 5f0bc445-3935-4915-9981-011aa2b46147 [Preview]: Private endpoint should be configured for Key Vault Private link provides a way to connect key vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Default: Audit
Allowed: (Audit, Disabled)
Preview
Key Vault cf820ca0-f99e-4f3e-84fb-66e913812d21 Diagnostic logs in Key Vault should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Key Vault ff25f3c8-b739-4538-9d07-3d6d25cfb255 [Preview]: Keys using elliptic curve cryptography should have the specified curve names Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault 75c4f823-d65c-4f29-a733-01d0077fdbcb [Preview]: Keys should be the specified cryptographic type RSA or EC Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault 12ef42cb-9903-4e39-9c26-422d29570417 [Preview]: Certificates should have the specified lifetime action triggers Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. Default: audit
Allowed: (audit, deny, disabled)
Preview
Key Vault 1151cede-290b-4ba0-8b38-0ad145ac888f [Preview]: Certificates should use allowed key types Manage your organizational compliance requirements by restricting the key types allowed for certificates. Default: audit
Allowed: (audit, deny, disabled)
Preview
Key Vault 5ff38825-c5d8-47c5-b70e-069a21955146 [Preview]: Keys should have more than the specified number of days before expiration If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault cee51871-e572-4576-855c-047c820360f0 [Preview]: Certificates using RSA cryptography should have the specified minimum key size Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. Default: audit
Allowed: (audit, deny, disabled)
Preview
Key Vault 75262d3e-ba4a-4f43-85f8-9f72c090e5e3 [Preview]: Secrets should have content type set A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 [Preview]: Keys should not be active for longer than the specified number of days Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault 49a22571-d204-4c91-a7b6-09b1a586fbc9 [Preview]: Keys should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault 0a075868-4c26-42ef-914c-5bc007359560 [Preview]: Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. Default: audit
Allowed: (audit, deny, disabled)
Preview
Key Vault b0eb591a-5e70-4534-a8bf-04b9c489584a [Preview]: Secrets should have more than the specified number of days before expiration If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault 82067dbb-e53b-4e06-b631-546d197452d9 [Preview]: Keys using RSA cryptography should have a specified minimum key size Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault 342e8053-e12e-4c44-be01-c3c2f318400f [Preview]: Secrets should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault a22f4a40-01d3-4c7d-8071-da157eeff341 [Preview]: Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. Default: audit
Allowed: (audit, deny, disabled)
Preview
Key Vault 8e826246-c976-48f6-b03e-619bb92b3d82 [Preview]: Certificates should be issued by the specified integrated certificate authority Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. Default: audit
Allowed: (audit, deny, disabled)
Preview
Key Vault 98728c90-32c7-4049-8429-847dc0f4fe37 [Preview]: Secrets should have expiration dates set It is a recommended security practice to set expiration dates on secrets. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault bd78111f-4953-4367-9fd5-7e08808b54bf [Preview]: Certificates using elliptic curve cryptography should have allowed curve names Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. Default: audit
Allowed: (audit, deny, disabled)
Preview
Key Vault 587c79fe-dd04-4a5e-9d0b-f89598c7261b [Preview]: Keys should be backed by a hardware security module (HSM) An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM, which provides a greater level of security than a software key. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault ed7c8c13-51e7-49d1-8a43-8490431a0da2 Deploy Diagnostic Settings for Key Vault to Event Hub Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault that is missing these diagnostic settings is created or updated. Fixed: deployIfNotExists Contributor GA
Key Vault 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d Key vault should have soft delete enabled Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Key Vault e8d99835-8a06-45ae-a8e0-87a91941ccfe [Preview]: Secrets should not be active for longer than the specified number of days If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault f772fb64-8e40-40ad-87bc-7706e1949427 [Preview]: Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default: audit
Allowed: (audit, deny, disabled)
Preview
Key Vault 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 [Preview]: Keys should have expiration dates set Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
Key Vault 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key vault should have purge protection enabled Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization may potentially be able to gain access to delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Enforce labels on pods in Kubernetes cluster This policy enforces the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Enforce HTTPS ingress in Kubernetes cluster This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Fixed: deployIfNotExists Azure Kubernetes Service Contributor Role GA
Kubernetes b2fd3e59-6390-4f2b-8247-ea676bd03e2d [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
Deprecated
Kubernetes 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 [Preview]: Deploy GitOps to Kubernetes cluster This policy deploys a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth from the defined git repo. For instructions on using this policy, visit https://aka.ms/K8sGitOpsPolicy. Fixed: DeployIfNotExists Contributor Preview
Kubernetes 440b515e-a580-421e-abeb-b159a61ddcbc Ensure containers listen only on allowed ports in Kubernetes cluster This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Enforce internal load balancers in Kubernetes cluster This policy enforces load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes 0a15ec92-a229-4763-bb14-0ea34a568f8d [Preview]: Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Default: Audit
Allowed: (Audit, Disabled)
Preview
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Do not allow privileged containers in Kubernetes cluster This policy does not allow privileged container creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system This policy ensures containers run with a read only root file system in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation This policy does not allow containers to use privilege escalation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities This policy ensures containers only use allowed capabilities in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Ensure only allowed container images in Kubernetes cluster This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types This policy ensures pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Ensure services listen only on allowed ports in Kubernetes cluster This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes service 0f636243-1b1c-4d50-880f-310f6199f2cb [Deprecated]: Ensure containers listen only on allowed ports in AKS This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
Deprecated
Kubernetes service 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 [Deprecated]: Do not allow privileged containers in AKS This policy does not allow privileged container creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
Deprecated
Kubernetes service 5f86cb6e-c4da-441b-807c-44bd0cc14e66 [Deprecated]: Ensure only allowed container images in AKS This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
Deprecated
Kubernetes service 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 [Deprecated]: Enforce HTTPS ingress in AKS This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
Deprecated
Kubernetes service d011d9f7-ba32-4005-b727-b3d09371ca60 [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
Deprecated
Kubernetes service 16c6ca72-89d2-4798-b87e-496f9de7fcb7 [Deprecated]: Enforce labels on pods in AKS This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
Deprecated
Kubernetes service a74d8f00-2fd9-4ce4-968e-0ee1eb821698 [Deprecated]: Enforce internal load balancers in AKS This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
Deprecated
Kubernetes service a2d3ed81-8d11-4079-80a5-1faadc0024f4 [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
Deprecated
Kubernetes service 25dee3db-6ce0-4c02-ab5d-245887b24077 [Deprecated]: Ensure services listen only on allowed ports in AKS This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
Deprecated
Lighthouse 7a8a51a3-ad87-4def-96f3-65a1839242b6 Allow managing tenant ids to onboard through Azure Lighthouse Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources. Fixed: deny GA
Lighthouse 76bed37b-484f-430f-a009-fd7592dff818 Audit delegation of scopes to a managing tenant Audit delegation of scopes to a managing tenant via Azure Lighthouse. Default: Audit
Allowed: (Audit, Disabled)
GA
Logic Apps 34f95f76-5386-4de7-b824-0d8478470c9d Diagnostic logs in Logic Apps should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes This policy helps provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes This policy helps provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes This policy helps provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes This policy helps configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes This policy helps provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview
Machine Learning ba769a63-b8cc-4b2d-abf6-ac33c7204be8 Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK) Evaluate Azure Machine Learning workspaces that do not have encryption enabled with customer-managed keys (CMK). Customer-managed keys add an additional layer of security for workspaces. For more information, visit https://aka.ms/azureml-workspaces-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Machine Learning 40cec1dd-a100-4920-b15b-3024fe8901ab Azure Machine Learning workspaces should use private link Evaluate Azure Machine Learning workspaces that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/azureml-workspaces-privatelink. Default: Audit
Allowed: (Audit, Disabled)
GA
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes This policy helps provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview
Managed Application 9db7917b-1607-4e7d-a689-bca978dd0633 Application definition for Managed Application should use customer provided storage account Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. Default: audit
Allowed: (audit, deny, disabled)
GA
Managed Application 17763ad9-70c0-4794-9397-53d765932634 Deploy associations for a managed application Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. Fixed: deployIfNotExists Contributor GA
Monitoring c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 Deploy Diagnostic Settings for Network Security Groups This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. Fixed: deployIfNotExists Monitoring Contributor, Storage Account Contributor GA
Monitoring a70ca396-0a34-413a-88e1-b956c1e683be The Log Analytics agent should be installed on virtual machines This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitoring 7f89b1eb-583c-429a-8828-af049802c1d9 Audit diagnostic setting Audit diagnostic setting for selected resource types. Fixed: AuditIfNotExists GA
Monitoring 08ba64b8-738f-4918-9686-730d2ed79c7d Deploy Diagnostic Settings for Search Services to Log Analytics workspace Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor GA
Monitoring 1f6e93e8-6b31-41b1-83f6-36e449a42579 Deploy Diagnostic Settings for Event Hub to Log Analytics workspace Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor GA
Monitoring f47b5582-33ec-4c5c-87c0-b010a6b2e917 Audit Log Analytics workspace for VM - Report Mismatch Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. Fixed: audit GA
Monitoring bef3f64c-5290-43b7-85b0-9b254eef4c47 Deploy Diagnostic Settings for Key Vault to Log Analytics workspace Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor GA
Monitoring 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Virtual Machine Contributor GA
Monitoring 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor GA
Monitoring 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed: deployIfNotExists Log Analytics Contributor GA
Monitoring 7796937f-307b-4598-941c-67d3a05ebfe7 Azure subscriptions should have a log profile for Activity Log This policy checks whether a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitoring edf3780c-3d70-40fe-b17e-ab72013dafca Deploy Diagnostic Settings for Stream Analytics to Event Hub Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor GA
Monitoring 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf [Preview]: Deploy Log Analytics agent to Linux Azure Arc machines This policy deploys the Log Analytics agent to Linux Azure Arc machines if the agent isn't installed. Fixed: deployIfNotExists Log Analytics Contributor Preview
Monitoring 1c210e94-a481-4beb-95fa-1571b434fb04 Deploy Dependency agent for Windows virtual machines Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: deployIfNotExists Log Analytics Contributor GA
Monitoring 4daddf25-4823-43d4-88eb-2419eb6dcc08 Deploy Diagnostic Settings for Data Lake Analytics to Event Hub Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor GA
Monitoring c84e5349-db6d-4769-805e-e14037dab9b5 Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor GA
Monitoring 25763a0a-5783-4f14-969e-79d4933eb74b Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor GA
Monitoring 1a4e592a-6a6e-44a5-9814-e36264ca96e7 Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitoring ef7b61ef-b8e4-4c91-8e78-6946c6b0023f Deploy Diagnostic Settings for Event Hub to Event Hub Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor GA
Monitoring 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 Deploy Log Analytics agent for Linux virtual machine scale sets Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Log Analytics Contributor, Virtual Machine Contributor GA
Monitoring b954148f-4c11-4c38-8221-be76711e194a An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitoring b889a06c-ec72-4b03-910a-cb169ee18721 Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor GA
Monitoring c5447c04-a4d7-4ba8-a263-c9ee321a6858 An activity log alert should exist for specific Policy operations This policy audits specific Policy operations with no activity log alerts configured. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitoring a1dae6c7-13f3-48ea-a149-ff8442661f60 Deploy Diagnostic Settings for Logic Apps to Event Hub Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor GA
Monitoring efbde977-ba53-4479-b8e9-10b957924fbf The Log Analytics agent should be installed on Virtual Machine Scale Sets This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitoring b02aacc0-b073-424e-8298-42b22829ee0a Activity log should be retained for at least one year This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitoring 053d3325-282c-4e5c-b944-24faffd30d77 Deploy Log Analytics agent for Linux VMs Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. Fixed: deployIfNotExists Log Analytics Contributor GA
Monitoring e2dd799a-a932-4e9d-ac17-d473bc3c6c10 Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: auditIfNotExists GA
Monitoring 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 [Preview]: Deploy Dependency agent to Windows Azure Arc machines This policy deploys the Dependency agent to Windows Azure Arc machines if the agent isn't installed. Fixed: deployIfNotExists Log Analytics Contributor Preview
Monitoring 3d5da587-71bd-41f5-ac95-dd3330c2d58d Deploy Diagnostic Settings for Search Services to Event Hub Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services that is missing these diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor GA
Monitoring 41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitoring d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e [Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
Monitoring 3c1b3629-c8f8-4bf6-862c-037cb9094038 Deploy Log Analytics agent for Windows virtual machine scale sets Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Log Analytics Contributor, Virtual Machine Contributor GA
Monitoring d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor GA
Monitoring 3be22e3b-d919-47aa-805e-8985dbeb0ad9 Deploy Dependency agent for Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Virtual Machine Contributor GA
Monitoring 842c54e8-c2f9-4d79-ae8d-38d8b8019373 [Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
Monitoring 6b51af03-9277-49a9-a3f8-1c69c9ff7403 Deploy Diagnostic Settings for Service Bus to Event Hub Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor GA
Monitoring 3b980d31-7904-4bb7-8575-5665739a8052 An activity log alert should exist for specific Security operations This policy audits specific Security operations with no activity log alerts configured. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitoring 04d53d87-841c-4f23-8a5b-21564380b55e Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor GA
Monitoring 32133ab0-ee4b-4b44-98d6-042180979d50 [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: auditIfNotExists Preview
Monitoring 3e596b57-105f-48a6-be97-03e9243bad6e Azure Monitor solution 'Security and Audit' must be deployed This policy ensures that Security and Audit is deployed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitoring deacecc0-9f84-44d2-bb82-46f32d766d43 [Preview]: Deploy Dependency agent to hybrid Linux Azure Arc machines This policy deploys the Dependency agent to Linux Azure Arc machines if the agent isn't installed. Fixed: deployIfNotExists Log Analytics Contributor Preview
Monitoring db51110f-0865-4a6e-b274-e2e07a5b2cd7 Deploy Diagnostic Settings for Batch Account to Event Hub Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor GA
Monitoring 0868462e-646c-4fe3-9ced-a733534b6a2c Deploy Log Analytics agent for Windows VMs Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: deployIfNotExists Log Analytics Contributor GA
Monitoring 11ac78e3-31bc-4f0c-8434-37ab963cea07 Audit Dependency agent deployment - VM Image (OS) unlisted Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: auditIfNotExists GA
Monitoring fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 Storage account containing the container with activity logs must be encrypted with BYOK This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitoring 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: auditIfNotExists GA
Monitoring 2f2ee1de-44aa-4762-b6bd-0893fc3f306d [Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
Monitoring 04c4380f-3fae-46e8-96c9-30193528f602 [Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
Monitoring e8d096bc-85de-4c5f-8cfb-857bd1b9d62d Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor GA
Monitoring 69af7d4a-7b18-4044-93a9-2651498ef203 [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines This policy deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed. Fixed: deployIfNotExists Log Analytics Contributor Preview
Network ae5d2f14-d830-42b6-9899-df6cfe9c71a3 SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Network c4857be7-912a-4c75-87e6-e30292bcdf78 [Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Default: Audit
Allowed: (Audit, Disabled)
Preview
Network 50b83b09-03da-41c1-b656-c293c914862b A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security (IPsec)/Internet Key Exchange (IKE) policy. Supported algorithms and key strengths - https://aka.ms/AA62kb0 Default: Audit
Allowed: (Audit, Disabled)
GA
Network e372f825-a257-4fb8-9175-797a8a8627d6 RDP access from the Internet should be blocked This policy audits any network security rule that allows RDP access from the Internet. Default: Audit
Allowed: (Audit, Disabled)
GA
Network c251913d-7d24-4958-af87-478ed3b9ba41 Flow log should be configured for every network security group Audit for network security groups to verify if flow log resource is configured. Flow log allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Fixed: audit GA
Network d416745a-506c-48b6-8ab1-83cb814bcaa3 Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Network 235359c5-7c52-4b82-9055-01c75cf9f60e Service Bus should use a virtual network service endpoint This policy audits any Service Bus not configured to use a virtual network service endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Network 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 Deploy a flow log resource with target network security group Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through a network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. Fixed: deployIfNotExists Contributor GA
Network 12430be1-6cc8-4527-a9a8-e3d38f250096 Web Application Firewall (WAF) should use the specified mode for Application Gateway Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Network 35f9c03a-cc27-418e-9c0c-539ff999d010 Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. Fixed: deny GA
Network f1776c76-f58c-4245-a8d0-2b207198dc8b Virtual networks should use specified virtual network gateway This policy audits any virtual network if the default route does not point to the specified virtual network gateway. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Network 60d21c4f-21a3-4d94-85f4-b924e6aeeda4 Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Default: Audit
Allowed: (Audit, Disabled)
GA
Network e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9 Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Default: Audit
Allowed: (Audit, Disabled)
GA
Network a9b99dd8-06c5-4317-8629-9d86a3c6e7d9 Deploy network watcher when virtual networks are created This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. Fixed: DeployIfNotExists Network Contributor GA
Network b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. Fixed: auditIfNotExists GA
Network 2d21331d-a4c2-4def-a9ad-ee4e1e023beb App Service should use a virtual network service endpoint This policy audits any App Service not configured to use a virtual network service endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Network ea4d6841-2173-4317-9747-ff522a45120f Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Default: Audit
Allowed: (Audit, Disabled)
GA
Network 2c89a2e5-7285-40fe-afe0-ae8654b92fab SSH access from the Internet should be blocked This policy audits any network security rule that allows SSH access from the Internet. Default: Audit
Allowed: (Audit, Disabled)
GA
Network fc5e4038-4584-4632-8c85-c0448d374b2c [Preview]: All Internet traffic should be routed via your deployed Azure Firewall Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
Network e345b6c3-24bd-4c93-9bbb-7e5e49a17b78 Azure VPN gateways should not use 'basic' SKU This policy ensures that VPN gateways do not use 'basic' SKU. Default: Audit
Allowed: (Audit, Disabled)
GA
Network 83a86a26-fd1f-447c-b59d-e51f44264114 Network interfaces should not have public IPs This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. Fixed: deny GA
Network be7ed5c8-2660-4136-8216-e6f3412ba909 [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. Default: Deny
Allowed: (Audit, Deny, Disabled)
Deprecated
Network 055aa869-bc98-4af8-bafc-23f1ab6ffe2c Web Application Firewall (WAF) should be enabled for Azure Front Door Service Requires Web Application Firewall (WAF) on any Azure Front Door Service. A Web Application Firewall provides greater security for your other Azure resources. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Network 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 Web Application Firewall (WAF) should be enabled for Application Gateway Requires Web Application Firewall (WAF) on any Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Network d63edb4a-c612-454d-b47d-191a724fcbf0 Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Network 88c0b9da-ce96-4b03-9635-f29a937e2900 Network interfaces should disable IP forwarding This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. Fixed: deny GA
Network f6b68e5a-7207-4638-a1fb-47d90404209e [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. Default: Deny
Allowed: (Audit, Deny, Disabled)
Deprecated
Network 425bea59-a659-4cbb-8d31-34499bd030b8 Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Portal 04c655fe-0ac7-48ae-9a32-3a2e208c7624 Shared dashboards should not have markdown tiles with inline content Disallow creating a shared dashboard that has inline content in markdown tiles and enforce that the content should be stored as a markdown file that's hosted online. If you use inline content in the markdown tile, you cannot manage encryption of the content. By configuring your own storage, you can encrypt, double encrypt and even bring your own keys. Enabling this policy restricts users to use 2020-09-01-preview or above version of shared dashboards REST API. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Regulatory Compliance a7173c52-2b99-4696-a576-63dd5f970ef4 Microsoft Managed Control 1431 - Media Storage Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c Microsoft Managed Control 1027 - Access Enforcement Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance a7211477-c970-446b-b4af-062f37461147 Microsoft Managed Control 1644 - Cryptographic Key Establishment And Management | Availability Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance fced5fda-3bdb-4d73-bfea-0e2c80428b66 Microsoft Managed Control 1318 - Authenticator Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance afbd0baf-ff1a-4447-a86f-088a97347c0c Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance a631d8f5-eb81-4f9d-9ee1-74431371e4a3 Microsoft Managed Control 1617 - Application Partitioning Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance afc234b5-456b-4aa5-b3e2-ce89108124cc Microsoft Managed Control 1725 - Error Handling Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance fd00b778-b5b5-49c0-a994-734ea7bd3624 Microsoft Managed Control 1543 - Risk Assessment Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance fd7c4c1d-51ee-4349-9dab-89a7f8c8d102 Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time Source Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8 Microsoft Managed Control 1272 - Alternate Processing Site Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance aeedddb6-6bc0-42d5-809b-80048033419d Microsoft Managed Control 1413 - Nonlocal Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f Microsoft Managed Control 1611 - Developer-Provided Training Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance aae8d54c-4bce-4c04-b3aa-5b65b67caac8 Microsoft Managed Control 1006 - Account Management Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance a9a08d1c-09b1-48f1-90ea-029bbdf7111e Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance aafef03e-fea8-470b-88fa-54bd1fcd7064 Microsoft Managed Control 1461 - Monitoring Physical Access Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c Microsoft Managed Control 1073 - Access Control For Mobile Devices Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance fe2ad78b-8748-4bff-a924-f74dfca93f30 Microsoft Managed Control 1613 - Developer Security Architecture And Design Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance fd73310d-76fc-422d-bda4-3a077149f179 Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance abe8f70b-680f-470c-9b86-a7edfb664ecc Microsoft Managed Control 1323 - Authenticator Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance ff9fbd83-1d8d-4b41-aac2-94cb44b33976 Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance a96f743d-a195-420d-983a-08aa06bc441e Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance af2a93c8-e6dd-4c94-acdd-4a2eedfc478e Microsoft Managed Control 1710 - Security Function Verification Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance ac43352f-df83-4694-8738-cfce549fd08d Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance fff50cf2-28eb-45b4-b378-c99412688907 Microsoft Managed Control 1158 - Security Authorization Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance a96d5098-a604-4cdf-90b1-ef6449a27424 Microsoft Managed Control 1400 - Controlled Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance ad58985d-ab32-4f99-8bd3-b7e134c90229 Microsoft Managed Control 1454 - Physical Access Control Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance fd4e54f7-9ab0-4bae-b6cc-457809948a89 Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance adfe020d-0a97-45f4-a39c-696ef99f3a95 Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical Usage Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance a9172e76-7f56-46e9-93bf-75d69bdb5491 Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance a895fbdb-204d-4302-9689-0a59dc42b3d9 Microsoft Managed Control 1295 - Information System Recovery And Reconstitution Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance a9eae324-d327-4539-9293-b48e122465f8 Microsoft Managed Control 1511 - Personnel Screening Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance a7fcf38d-bb09-4600-be7d-825046eb162a Microsoft Managed Control 1570 - Acquisition Process Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance ae7e1f5e-2d63-4b38-91ef-bce14151cce3 Microsoft Managed Control 1598 - Developer Configuration Management Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance fd4a2ac8-868a-4702-a345-6c896c3361ce Microsoft Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated Alerts And Advisories Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance ad2f8e61-a564-4dfd-8eaa-816f5be8cb34 Microsoft Managed Control 1569 - Acquisition Process Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance aabb155f-e7a5-4896-a767-e918bfae2ee0 Microsoft Managed Control 1539 - Security Categorization Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 9d9e18f7-bad9-4d30-8806-a0c9d5e26208 Microsoft Managed Control 1259 - Contingency Training Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1 Microsoft Managed Control 1238 - User-Installed Software Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 9a3eb0a3-428d-4669-baff-20a14eb4b551 Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared / Group Accounts Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 9a16d673-8cf0-4dcf-b1d5-9b3e114fef71 Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 99deec7d-5526-472e-b07c-3645a792026a Microsoft Managed Control 1300 - Identification And Authentication (Organizational Users) Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 9943c16a-c54c-4b4a-ad28-bfd938cdbf57 Microsoft Managed Control 1102 - Audit Events Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 98a4bd5f-6436-46d4-ad00-930b5b1dfed4 Microsoft Managed Control 1076 - Use Of External Information Systems Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 97fceb70-6983-42d0-9331-18ad8253184d Microsoft Managed Control 1378 - Incident Response Plan Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 97ed5bac-a92f-4f6d-a8ed-dc094723597c Microsoft Managed Control 1136 - Audit Record Retention Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 976a74cf-b192-4d35-8cab-2068f272addb Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 9693b564-3008-42bc-9d5d-9c7fe198c011 Microsoft Managed Control 1453 - Physical Access Control Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef Microsoft Managed Control 1717 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 961663a1-8a91-4e59-b6f5-1eee57c0f49c Microsoft Managed Control 1163 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 953e6261-a05a-44fd-8246-000e1a3edbb9 Microsoft Managed Control 1526 - Access Agreements Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 9447f354-2c85-4700-93b3-ecdc6cb6a417 Microsoft Managed Control 1371 - Incident Reporting Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 9442dd2c-a07f-46cd-b55a-553b66ba47ca Microsoft Managed Control 1379 - Incident Response Plan Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 9adf7ba7-900a-4f35-8d57-9f34aafc405c Microsoft Managed Control 1049 - System Use Notification Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 942b3e97-6ae3-410e-a794-c9c999b97c0b Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 93e9e233-dd0a-4bde-aea5-1371bce0e002 Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41 Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security Controls Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 92f85ce9-17b7-49ea-85ee-ea7271ea6b82 Microsoft Managed Control 1290 - Information System Backup Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 924e1b2d-c502-478f-bfdb-a7e09a0d5c01 Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / Analysis Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 91c97b44-791e-46e9-bad7-ab7c4949edbb Microsoft Managed Control 1069 - Wireless Access | Authentication And Encryption Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 90f01329-a100-43c2-af31-098996135d2b Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source) Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 90e01f69-3074-4de8-ade7-0fef3e7d83e0 Microsoft Managed Control 1355 - Incident Response Training Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 90d8b8ad-8ee3-4db7-913f-2a53fcff5316 Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 90b60a09-133d-45bc-86ef-b206a6134bbe Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 902908fb-25a8-4225-a3a5-5603c80066c9 Microsoft Managed Control 1550 - Vulnerability Scanning Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 8fef824a-29a8-4a4c-88fc-420a39c0d541 Microsoft Managed Control 1147 - Security Assessments Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 8fd7b917-d83b-4379-af60-51e14e316c61 Microsoft Managed Control 1013 - Account Management | Automated System Account Management Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 8fb0966e-be1d-42c3-baca-60df5c0bcc61 Microsoft Managed Control 1668 - Flaw Remediation Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 8f5ad423-50d6-4617-b058-69908f5586c9 Microsoft Managed Control 1517 - Personnel Termination Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 93fd8af1-c161-4bae-9ba9-f62731f76439 Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 9afe2edf-232c-4fdf-8e6a-e867a5c525fd Microsoft Managed Control 1563 - Allocation Of Resources Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 9b1f3a9a-13a1-4b40-8420-36bca6fd8c02 Microsoft Managed Control 1462 - Monitoring Physical Access Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 9ba3ed84-c768-4e18-b87c-34ef1aff1b57 Microsoft Managed Control 1236 - Software Usage Restrictions Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance a328fd72-8ff5-4f96-8c9c-b30ed95db4ab Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance a2cdf6b8-9505-4619-b579-309ba72037ac Microsoft Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance a2c66299-9017-4d95-8040-8bdbf7901d52 Microsoft Managed Control 1532 - Third-Party Personnel Security Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance a29b5d9f-4953-4afe-b560-203a6410b6b4 Microsoft Managed Control 1059 - Remote Access Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance a2596a9f-e59f-420d-9625-6e0b536348be Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance a2567a23-d1c3-4783-99f3-d471302a4d6b Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion Detection System Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance a23d9d53-ad2e-45ef-afd5-e6d10900a737 Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance a20d2eaa-88e2-4907-96a2-8f3a05797e5c Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance a2037b3d-8b04-4171-8610-e6d4f1d08db5 Microsoft Managed Control 1612 - Developer Security Architecture And Design Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance a18adb5b-1db6-4a5b-901a-7d3797d12972 Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance a0f5339c-9292-43aa-a0bc-d27c6b8e30aa Microsoft Managed Control 1406 - Maintenance Tools | Inspect Media Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance a0e45314-57b8-4623-80cd-bbb561f59516 Microsoft Managed Control 1245 - Contingency Plan Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance a0724970-9c75-4a64-a225-a28002953f28 Microsoft Managed Control 1145 - Security Assessments Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 9fd92c17-163a-4511-bb96-bbb476449796 Microsoft Managed Control 1354 - Incident Response Training Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 9f2b2f9e-4ba6-46c3-907f-66db138b6f85 Microsoft Managed Control 1187 - Configuration Change Control Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 9ed5ca00-0e43-434e-a018-7aab91461ba7 Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 9ed09d84-3311-4853-8b67-2b55dfa33d09 Microsoft Managed Control 1494 - System Security Plan Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance 9be2f688-7a61-45e3-8230-e1ec93893f66 Microsoft Managed Control 1525 - Personnel Transfer Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 9c284fc0-268a-4f29-af44-3c126674edb4 Microsoft Managed Control 1138 - Audit Generation Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 9c308b6b-2429-4b97-86cf-081b8e737b04 Microsoft Managed Control 1135 - Non-Repudiation Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 9d0a794f-1444-4c96-9534-e35fc8c39c91 Microsoft Managed Control 1489 - Location Of Information System Components Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 9d1d971e-467e-4278-9633-c74c3d4fecc4 Microsoft Managed Control 1322 - Authenticator Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 9d79001f-95fe-45d0-8736-f217e78c1f57 Microsoft Managed Control 1233 - Configuration Management Plan Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance a450eba6-2efc-4a00-846a-5804a93c6b77 Microsoft Managed Control 1693 - Information System Monitoring | System-Generated Alerts Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 9d9166a8-1722-4b8f-847c-2cf3f2618b3d Microsoft Managed Control 1305 - Identification And Authentication (Org. Users) | Group Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 9dd5b241-03cb-47d3-a5cd-4b89f9c53c92 Microsoft Managed Control 1500 - Rules Of Behavior Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance 9df4277e-8c88-4d5c-9b1a-541d53d15d7b Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 9e5225fe-cdfb-4fce-9aec-0fe20dd53b62 Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 9e61da80-0957-4892-b70c-609d5eaafb6b Microsoft Managed Control 1490 - Security Planning Policy And Procedures Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance 9e7c35d0-12d4-4e0c-80a2-8a352537aefd Microsoft Managed Control 1504 - Information Security Architecture Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance 9e93fa71-42ac-41a7-b177-efbfdc53c69f Microsoft Managed Control 1609 - Development Process, Standards, And Tools Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance fc933d22-04df-48ed-8f87-22a3773d4309 Microsoft Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based Encryption Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance dff0b90d-5a6f-491c-b2f8-b90aa402d844 Microsoft Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance b6a8eae8-9854-495a-ac82-d2cd3eac02a6 Microsoft Managed Control 1568 - Acquisition Process Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance b083a535-a66a-41ec-ba7f-f9498bf67cde Microsoft Managed Control 1711 - Security Function Verification Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance e80b6812-0bfa-4383-8223-cdd86a46a890 Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance e7ba2cb3-5675-4468-8b50-8486bdd998a5 Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance e77fcbf2-a1e8-44f1-860e-ed6583761e65 Microsoft Managed Control 1273 - Alternate Processing Site Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance cd0ec6fa-a2e7-4361-aee4-a8688659a9ed Microsoft Managed Control 1443 - Media Use Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance cd9e2f38-259b-462c-bfad-0ad7ab4e65c5 Microsoft Managed Control 1582 - Information System Documentation Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance cdd8d244-18b2-4306-a1d1-df175ae0935f Microsoft Managed Control 1104 - Audit Events Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National Security System Connections Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance ce669c31-9103-4552-ae9c-cdef4e03580d Microsoft Managed Control 1209 - Configuration Settings Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance cf3b3293-667a-445e-a722-fa0b0afc0958 Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance e8f6bddd-6d67-439a-88d4-c5fe39a79341 Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance cf3e4836-f19e-47eb-a8cd-c3ca150452c0 Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications And Anomalous System Behavior Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance e7568697-0c9e-4ea3-9cec-9e567d14f3c6 Microsoft Managed Control 1311 - Identifier Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance e72edbf6-aa61-436d-a227-0f32b77194b3 Microsoft Managed Control 1567 - System Development Life Cycle Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance d03516cf-0293-489f-9b32-a18f2a79f836 Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using Sampling Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance d07594d1-0307-4c08-94db-5d71ff31f0f6 Microsoft Managed Control 1724 - Error Handling Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance e6e41554-86b5-4537-9f7f-4fc41a1d1640 Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance e59671ab-9720-4ee2-9c60-170e8c82251e Microsoft Managed Control 1499 - Rules Of Behavior Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance e57b98a0-a011-4956-a79d-5d17ed8b8e48 Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance d0eb15db-dd1c-4d1d-b200-b12dd6cd060c Microsoft Managed Control 1084 - Publicly Accessible Content Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance d17c826b-1dec-43e1-a984-7b71c446649c Microsoft Managed Control 1620 - Denial Of Service Protection Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance cf55fc87-48e1-4676-a2f8-d9a8cf993283 Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 8e5ef485-9e16-4c53-a475-fbb8107eac59 Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance cc5c8616-52ef-4e5e-8000-491634ed9249 Microsoft Managed Control 1374 - Incident Response Assistance Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance cb790345-a51f-43de-934e-98dbfaf9dca5 Microsoft Managed Control 1486 - Alternate Work Site Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance c69b870e-857b-458b-af02-bb234f7a00d3 Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance c6ce745a-670e-47d3-a6c4-3cfe5ef00c10 Microsoft Managed Control 1125 - Audit Reduction And Report Generation Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance eca4d7b2-65e2-4e04-95d4-c68606b063c3 Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance c722e569-cb52-45f3-a643-836547d016e1 Microsoft Managed Control 1619 - Information In Shared Resources Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1 Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance eb627cc6-3a9d-46b5-96b7-5fca49178a37 Microsoft Managed Control 1321 - Authenticator Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance c785ad59-f78f-44ad-9a7f-d1202318c748 Microsoft Managed Control 1353 - Incident Response Training Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance c89ba09f-2e0f-44d0-8095-65b05bd151ef Microsoft Managed Control 1470 - Emergency Shutoff Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance cbb2be76-4891-430b-95a7-ca0b0a3d1300 Microsoft Managed Control 1167 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance c9121abf-e698-4ee9-b1cf-71ee528ff07f Microsoft Managed Control 1018 - Account Management | Role-Based Schemes Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance ea556850-838d-4a37-8ce5-9d7642f95e11 Microsoft Managed Control 1422 - Maintenance Personnel Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance ea3e8156-89a1-45b1-8bd6-938abc79fdfd Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance e9c3371d-c30c-4f58-abd9-30b8a8199571 Microsoft Managed Control 1487 - Alternate Work Site Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance ca94b046-45e2-444f-a862-dc8ce262a516 Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance e98fe9d7-2ed3-44f8-93b7-24dca69783ff Microsoft Managed Control 1200 - Security Impact Analysis Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance ca9a4469-d6df-4ab2-a42f-1213c396f0ec Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance e91927a0-ac1d-44a0-95f8-5185f9dfce9f Microsoft Managed Control 1723 - Information Input Validation Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. Access To Priv. Accts. - Replay Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance e901375c-8f01-4ac8-9183-d5312f47fe63 Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking Restrictions Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance eab340d0-3d55-4826-a0e5-feebfeb0131d Microsoft Managed Control 1542 - Risk Assessment Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance d1e1d65c-1013-4484-bd54-991332e6a0d2 Microsoft Managed Control 1195 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a Microsoft Managed Control 1721 - Spam Protection | Central Management Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance d2b4feae-61ab-423f-a4c5-0e38ac4464d8 Microsoft Managed Control 1106 - Audit Events | Reviews And Updates Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance da3cd269-156f-435b-b472-c3af34c032ed Microsoft Managed Control 1516 - Personnel Termination Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance e3007185-3857-43a9-8237-06ca94f1084c Microsoft Managed Control 1387 - Information Spillage Response Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance dc43e829-3d50-4a0a-aa0f-428d551862aa Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance dce72873-c5f1-47c3-9b4f-6b8207fd5a45 Microsoft Managed Control 1439 - Media Sanitization Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance dd280d4b-50a1-42fb-a479-ece5878acf19 Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance e2f8f6c6-dde4-436b-a79d-bc50e129eb3a Microsoft Managed Control 1161 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance e29e0915-5c2f-4d09-8806-048b749ad763 Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance e214e563-1206-4a43-a56b-ac5880c9c571 Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62 Microsoft Managed Control 1047 - System Use Notification Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance da3bfb53-9c46-4010-b3db-a7ba1296dada Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance e1da06bd-25b6-4127-a301-c313d6873fff Microsoft Managed Control 1722 - Spam Protection | Automatic Updates Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance dd533cb0-b416-4be7-8e86-4d154824dfd7 Microsoft Managed Control 1678 - Malicious Code Protection Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance dd6ac1a1-660e-4810-baa8-74e868e2ed47 Microsoft Managed Control 1391 - Information Spillage Response | Training Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance dd83410c-ecb6-4547-8f14-748c3cbdc7ac Microsoft Managed Control 1146 - Security Assessments Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance ddae2e97-a449-499f-a1c8-aea4a7e52ec9 Microsoft Managed Control 1602 - Developer Security Testing And Evaluation Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance e17085c5-0be8-4423-b39b-a52d3d1402e5 Microsoft Managed Control 1686 - Information System Monitoring Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance e12494fa-b81e-4080-af71-7dbacc2da0ec Microsoft Managed Control 1714 - Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance de901f2f-a01a-4456-97f0-33cda7966172 Microsoft Managed Control 1689 - Information System Monitoring Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance deb9797c-22f8-40e8-b342-a84003c924e6 Microsoft Managed Control 1528 - Access Agreements Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance e0de232d-02a0-4652-872d-88afb4ae5e91 Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance dd469ae0-71a8-4adc-aafc-de6949ca3339 Microsoft Managed Control 1715 - Software, Firmware, And Information Integrity | Automated Response To Integrity Violations Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance e327b072-281d-4f75-9c28-4216e5d72f26 Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance d922484a-8cfc-4a6b-95a4-77d6a685407f Microsoft Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance d8ef30eb-a44f-47af-8524-ac19a36d41d2 Microsoft Managed Control 1488 - Alternate Work Site Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance d3531453-b869-4606-9122-29c1cd6e7ed1 Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance e55698b6-3dea-4aa9-99b9-d8218c6ab6e5 Microsoft Managed Control 1023 - Account Management | Usage Conditions Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance d39d4f68-7346-4133-8841-15318a714a24 Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance e54c325e-42a0-4dcf-b105-046e0f6f590f Microsoft Managed Control 1716 - Software, Firmware, And Information Integrity | Integration Of Detection And Response Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance d3bf4251-0818-42db-950b-afd5b25a51c2 Microsoft Managed Control 1249 - Contingency Plan Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance d4142013-7964-4163-a313-a900301c2cef Microsoft Managed Control 1562 - Allocation Of Resources Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance d4558451-e16a-4d2d-a066-fe12a6282bb9 Microsoft Managed Control 1383 - Incident Response Plan Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance d530aad8-4ee2-45f4-b234-c061dae683c0 Microsoft Managed Control 1112 - Response To Audit Processing Failures Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance e539caaa-da8c-41b8-9e1e-449851e2f7a6 Microsoft Managed Control 1421 - Maintenance Personnel Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance e5368258-9684-4567-8126-269f34e65eab Microsoft Managed Control 1381 - Incident Response Plan Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance d57f8732-5cdc-4cda-8d27-ab148e1f3a55 Microsoft Managed Control 1585 - Security Engineering Principles Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance d61880dc-6e38-4f2a-a30c-3406a98f8220 Microsoft Managed Control 1667 - System And Information Integrity Policy And Procedures Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance d630429d-e763-40b1-8fba-d20ba7314afb Microsoft Managed Control 1150 - Security Assessments | External Organizations Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance e51ff84b-e5ea-408f-b651-2ecc2933e4c6 Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance d6976a08-d969-4df2-bb38-29556c2eb48a Microsoft Managed Control 1549 - Vulnerability Scanning Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance e4213689-05e8-4241-9d4e-8dd1cdafd105 Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance e3f1e5a3-25c1-4476-8cb6-3955031f8e65 Microsoft Managed Control 1451 - Physical Access Control Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance d7047705-d719-46a7-8bb0-76ad233eba71 Microsoft Managed Control 1473 - Emergency Power Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance d74fdc92-1cb8-4a34-9978-8556425cd14c Microsoft Managed Control 1529 - Third-Party Personnel Security Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance d77fd943-6ba6-4a21-ba07-22b03e347cc4 Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. Users) | Use Of FICAM-Issued Profiles Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance d8b43277-512e-40c3-ab00-14b3b6e72238 Microsoft Managed Control 1016 - Account Management | Automated Audit Actions Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance c66a3d1e-465b-4f28-9da5-aef701b59892 Microsoft Managed Control 1190 - Configuration Change Control Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance b07c9b24-729e-4e85-95fc-f224d2d08a80 Microsoft Managed Control 1429 - Media Marking Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance ecf56554-164d-499a-8d00-206b07c27bed Microsoft Managed Control 1622 - Boundary Protection Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance edea4f20-b02c-4115-be75-86c080e5c0ed Microsoft Managed Control 1217 - Least Functionality | Periodic Review Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08 Microsoft Managed Control 1301 - Identification And Authentication (Org. Users) | Network Access To Privileged Accounts Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance f9012d14-e3e6-4d7b-b926-9f37b5537066 Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance f87b8085-dca9-4cf1-8f7b-9822b997797c Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance b73b7b3b-677c-4a2a-b949-ad4dc4acd89f Microsoft Managed Control 1608 - Supply Chain Protection Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance b78ee928-e3c1-4569-ad97-9f8c4b629847 Microsoft Managed Control 1401 - Controlled Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance f86aa129-7c07-4aa4-bbf5-792d93ffd9ea Microsoft Managed Control 1345 - Cryptographic Module Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance f82e3639-fa2b-4e06-a786-932d8379b972 Microsoft Managed Control 1705 - Security Alerts, Advisories, And Directives Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance f7d2ff17-d604-4dd9-b607-9ecf63f28ad2 Microsoft Managed Control 1506 - Personnel Security Policy And Procedures Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance f784d3b0-5f2b-49b7-b9f3-00ba8653ced5 Microsoft Managed Control 1449 - Physical Access Authorizations Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance f9873db2-18ad-46b3-a11a-1a1f8cbf0335 Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert Exfiltration Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance f771f8cb-6642-45cc-9a15-8a41cd5c6977 Microsoft Managed Control 1540 - Security Categorization Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance b958b241-4245-4bd6-bd2d-b8f0779fb543 Microsoft Managed Control 1257 - Contingency Training Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance b95ba3bd-4ded-49ea-9d10-c6f4b680813d Microsoft Managed Control 1186 - Configuration Change Control Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance b9783a99-98fe-4a95-873f-29613309fe9a Microsoft Managed Control 1447 - Physical Access Authorizations Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance f751cdb7-fbee-406b-969b-815d367cb9b3 Microsoft Managed Control 1591 - External Information System Services | Ident. Of Functions / Ports / Protocols / Services Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance b9b66a4d-70a1-4b47-8fa1-289cec68c605 Microsoft Managed Control 1625 - Boundary Protection | Access Points Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance b9f3fb54-4222-46a1-a308-4874061f8491 Microsoft Managed Control 1610 - Development Process, Standards, And Tools Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance f714a4e2-b580-47b6-ae8c-f2812d3750f3 Microsoft Managed Control 1214 - Least Functionality Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance baff1279-05e0-4463-9a70-8ba5de4c7aa4 Microsoft Managed Control 1726 - Information Handling And Retention Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance f75cedb2-5def-4b31-973e-b69e8c7bd031 Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance bb02733d-3cc5-4bb0-a6cd-695ba2c2272e Microsoft Managed Control 1166 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance f997df46-cfbb-4cc8-aac8-3fecdaf6a183 Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance f9a165d2-967d-4733-8399-1074270dae2e Microsoft Managed Control 1535 - Personnel Sanctions Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance b11c985b-f2cd-4bd7-85f4-b52426edf905 Microsoft Managed Control 1571 - Acquisition Process Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance b19454ca-0d70-42c0-acf5-ea1c1e5726d1 Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance b23bd715-5d1c-4e5c-9759-9cbdf79ded9d Microsoft Managed Control 1091 - Security Awareness Training Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance b25faf85-8a16-4f28-8e15-d05c0072d64d Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance b26f8610-e615-47c2-abd6-c00b2b0b503a Microsoft Managed Control 1009 - Account Management Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance fb39e62f-6bda-4558-8088-ec03d5670914 Microsoft Managed Control 1222 - Information System Component Inventory Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance b293f881-361c-47ed-b997-bc4e2296bc0b Microsoft Managed Control 1234 - Software Usage Restrictions Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance fb321e6f-16a0-4be3-878f-500956e309c5 Microsoft Managed Control 1086 - Publicly Accessible Content Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance b29ed931-8e21-4779-8458-27916122a904 Microsoft Managed Control 1107 - Content Of Audit Records Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance b6747bf9-2b97-45b8-b162-3c8becb9937d Microsoft Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance facb66e0-1c48-478a-bed5-747a312323e1 Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance b3d8d15b-627a-4219-8c96-4d16f788888b Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance b4319b7e-ea8d-42ff-8a67-ccd462972827 Microsoft Managed Control 1380 - Incident Response Plan Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance b43e946e-a4c8-4b92-8201-4a39331db43c Microsoft Managed Control 1172 - Internal System Connections Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance b45fe972-904e-45a4-ac20-673ba027a301 Microsoft Managed Control 1672 - Flaw Remediation | Central Management Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance b472a17e-c2bc-493f-b50b-42d55a346962 Microsoft Managed Control 1131 - Protection Of Audit Information Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance fa4c2a3d-1294-41a3-9ada-0e540471e9fb Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance fa108498-b3a8-4ffb-9e79-1107e76afad3 Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance b4f9b47a-2116-4e6f-88db-4edbf22753f1 Microsoft Managed Control 1286 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance f9ad559e-c12d-415e-9a78-e50fdd7da7ba Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance fa8d221b-d130-4637-ba16-501e666628bb Microsoft Managed Control 1435 - Media Transport Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance bb20548a-c926-4e4d-855c-bcddc6faf95e Microsoft Managed Control 1188 - Configuration Change Control Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance bba2a036-fb3b-4261-b1be-a13dfb5fbcaa Microsoft Managed Control 1533 - Third-Party Personnel Security Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance bc34667f-397e-4a65-9b72-d0358f0b6b09 Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance f0643e0c-eee5-4113-8684-c608d05c5236 Microsoft Managed Control 1531 - Third-Party Personnel Security Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance c171b095-7756-41de-8644-a062a96043f2 Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance c17822dc-736f-4eb4-a97d-e6be662ff835 Microsoft Managed Control 1004 - Account Management Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance effbaeef-5bf4-400d-895e-ef8cbc0e64c7 Microsoft Managed Control 1358 - Incident Response Testing Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance efd7b9ae-1db6-4eb6-b0fe-87e6565f9738 Microsoft Managed Control 1012 - Account Management Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance c1fa9c2f-d439-4ab9-8b83-81fb1934f81d Microsoft Managed Control 1503 - Information Security Architecture Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance ef869332-921d-4c28-9402-3be73e6e50c8 Microsoft Managed Control 1472 - Emergency Shutoff Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance c30690a5-7bf3-467f-b0cd-ef5c7c7449cd Microsoft Managed Control 1176 - Baseline Configuration Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance c39e6fda-ae70-4891-a739-be7bba6d1062 Microsoft Managed Control 1389 - Information Spillage Response Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance c158eb1c-ae7e-4081-8057-d527140c4e0c Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance c3b65b63-09ec-4cb5-8028-7dd324d10eb0 Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance c40f31a7-81e1-4130-99e5-a02ceea2a1d6 Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance c416970d-b12b-49eb-8af4-fb144cd7c290 Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance ef0c8530-efd9-45b8-b753-f03083d06295 Microsoft Managed Control 1314 - Identifier Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance c49c610b-ece4-44b3-988c-2172b70d6e46 Microsoft Managed Control 1235 - Software Usage Restrictions Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance c4aff9e7-2e60-46fa-86be-506b79033fc5 Microsoft Managed Control 1173 - Internal System Connections Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance ef080e67-0d1a-4f76-a0c5-fb9b0358485e Microsoft Managed Control 1089 - Security Awareness Training Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance ee45e02a-4140-416c-82c4-fecfea660b9d Microsoft Managed Control 1189 - Configuration Change Control Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance c53f3123-d233-44a7-930b-f40d3bfeb7d6 Microsoft Managed Control 1600 - Developer Security Testing And Evaluation Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance c5f56ac6-4bb2-4086-bc41-ad76344ba2c2 Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance ef212163-3bc4-4e86-bcf8-705127086393 Microsoft Managed Control 1128 - Time Stamps Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance c13da9b4-fe14-4fe2-853a-5997c9d4215a Microsoft Managed Control 1719 - Spam Protection Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance f171df5c-921b-41e9-b12b-50801c315475 Microsoft Managed Control 1028 - Information Flow Enforcement Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance c10fb58b-56a8-489e-9ce3-7ffe24e78e4b Microsoft Managed Control 1676 - Malicious Code Protection Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance bc3f6f7a-057b-433e-9834-e8c97b0194f6 Microsoft Managed Control 1095 - Role-Based Security Training Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance f5fd629f-3075-4cae-ab53-bad65495a4ac Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance f5c66fdc-3d02-4034-9db5-ba57802609de Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance bc90e44f-d83f-4bdf-900f-3d5eb4111b31 Microsoft Managed Control 1427 - Media Protection Policy And Procedures Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance f56be5c3-660b-4c61-9078-f67cf072c356 Microsoft Managed Control 1198 - Configuration Change Control | Security Representative Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance f52f89aa-4489-4ec4-950e-8c96a036baa9 Microsoft Managed Control 1618 - Security Function Isolation Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance bcfb6683-05e5-4ce6-9723-c3fbe9896bdd Microsoft Managed Control 1351 - Incident Response Policy And Procedures Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd Microsoft Managed Control 1469 - Power Equipment And Cabling Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance bd20184c-b4ec-4ce5-8db6-6e86352d183f Microsoft Managed Control 1050 - Concurrent Session Control Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance be5b05e7-0b82-4ebc-9eda-25e447b1a41e Microsoft Managed Control 1360 - Incident Handling Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance f4978d0e-a596-48e7-9f8c-bbf52554ce8d Microsoft Managed Control 1495 - System Security Plan Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance f475ee0e-f560-4c9b-876b-04a77460a404 Microsoft Managed Control 1706 - Security Alerts, Advisories, And Directives Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance f3793f5e-937f-44f7-bfba-40647ef3efa0 Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance beff0acf-7e67-40b2-b1ca-1a0e8205cf1b Microsoft Managed Control 1152 - System Interconnections Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance f35e02aa-0a55-49f8-8811-8abfa7e6f2c0 Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance bf296b8c-f391-4ea4-9198-be3c9d39dd1f Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance f355d62b-39a8-4ba3-abf7-90f71cb3b000 Microsoft Managed Control 1309 - Identification And Authentication (Org. Users) | Acceptance Of Piv Credentials Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance bf6850fe-abba-468e-9ef4-d09ec7d983cd Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And Procedures Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance f2d9d3e6-8886-4305-865d-639163e5c305 Microsoft Managed Control 1457 - Physical Access Control Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance f25bc08f-27cb-43b6-9a23-014d00700426 Microsoft Managed Control 1701 - Information System Monitoring | Host-Based Devices Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance c10152dd-78f8-4335-ae2d-ad92cc028da4 Microsoft Managed Control 1124 - Audit Reduction And Report Generation Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance c6108469-57ee-4666-af7e-79ba61c7ae0c Microsoft Managed Control 1670 - Flaw Remediation Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance d1880188-e51a-4772-b2ab-68f5e8bd27f6 Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 81f11e32-a293-4a58-82cd-134af52e2318 Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 8dc459b3-0e77-45af-8d71-cfd8c9654fe2 Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 398eb61e-8111-40d5-a0c9-003df28f1753 Microsoft Managed Control 1246 - Contingency Plan Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 399cd6ee-0e18-41db-9dea-cde3bd712f38 Microsoft Managed Control 1680 - Malicious Code Protection | Central Management Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 39c54140-5902-4079-8bb5-ad31936fe764 Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 3a7b9de4-a8a2-4672-914d-c5f6752aa7f9 Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 3a9eb14b-495a-4ebb-933c-ce4ef5264e32 Microsoft Managed Control 1648 - Collaborative Computing Devices Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 3aa87116-f1a1-4edb-bfbf-14e036f8d454 Microsoft Managed Control 1315 - Identifier Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 3afe6c78-6124-4d95-b85c-eb8c0c9539cb Microsoft Managed Control 1548 - Vulnerability Scanning Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 3b4a3eb2-c25d-40bf-ad41-5094b6f59cee Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 3b68b179-3704-4ff7-b51d-7d65374d165d Microsoft Managed Control 1003 - Account Management Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 3cb9f731-744a-4691-a481-ca77b0411538 Microsoft Managed Control 1621 - Resource Availability Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5 Microsoft Managed Control 1521 - Personnel Termination | Automated Notification Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 3ce328db-aef3-48ed-9f81-2ab7cf839c66 Microsoft Managed Control 1127 - Time Stamps Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 3e495e65-8663-49ca-9b38-9f45e800bc58 Microsoft Managed Control 1385 - Information Spillage Response Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 396ba986-eac1-4d6d-85c4-d3fda6b78272 Microsoft Managed Control 1232 - Configuration Management Plan Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 3e797ca6-2aa8-4333-b335-7036f1110c05 Microsoft Managed Control 1160 - Security Authorization Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 40364c3f-c331-4e29-b1e3-2fbe998ba2f5 Microsoft Managed Control 1561 - Allocation Of Resources Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 4057863c-ca7d-47eb-b1e0-503580cba8a4 Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 4075bedc-c62a-4635-bede-a01be89807f3 Microsoft Managed Control 1637 - Boundary Protection | Fail Secure Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 40a2a83b-74f2-4c02-ae65-f460a5d2792a Microsoft Managed Control 1202 - Access Restrictions For Change Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 40fcc635-52a2-4dbc-9523-80a1f4aa1de6 Microsoft Managed Control 1438 - Media Sanitization Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 4116891d-72f7-46ee-911c-8056cc8dcbd5 Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 411f7e2d-9a0b-4627-a0b9-1700432db47d Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential Termination Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 41256567-1795-4684-b00b-a1308ce43cac Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 41472613-3b05-49f6-8fe8-525af113ce17 Microsoft Managed Control 1263 - Contingency Plan Testing Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 420c1477-aa43-49d0-bd7e-c4abdd9addff Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance 42254fc4-2738-4128-9613-72aaa4f0d9c3 Microsoft Managed Control 1260 - Contingency Training | Simulated Events Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 426c4ac9-ff17-49d0-acd7-a13c157081c0 Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 3f4b171a-a56b-4328-8112-32cf7f947ee1 Microsoft Managed Control 1545 - Risk Assessment Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 42a9a714-8fbb-43ac-b115-ea12d2bd652f Microsoft Managed Control 1174 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 391ff8b3-afed-405e-9f7d-ef2f8168d5da Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 38dfd8a3-5290-4099-88b7-4081f4c4d8ae Microsoft Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 2e3c5583-1729-4d36-8771-59c32f090a22 Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance 2ef3cc79-733e-48ed-ab6f-7bf439e9b406 Microsoft Managed Control 1000 - Access Control Policy And Procedures Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 2f13915a-324c-4ab8-b45c-2eefeeefb098 Microsoft Managed Control 1519 - Personnel Termination Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 2fa15ff1-a693-4ee4-b094-324818dc9a51 Microsoft Managed Control 1144 - Security Assessments Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 2fb740e5-cbc7-4d10-8686-d1bf826652b1 Microsoft Managed Control 1090 - Security Awareness Training Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance 319dc4f0-0fed-4ac9-8fc3-7aeddee82c07 Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 31b752c1-05a9-432a-8fce-c39b56550119 Microsoft Managed Control 1698 - Information System Monitoring | Individuals Posing Greater Risk Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 32820956-9c6d-4376-934c-05cd8525be7c Microsoft Managed Control 1587 - External Information System Services Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 3298d6bf-4bc6-4278-a95d-f7ef3ac6e594 Microsoft Managed Control 1333 - Authenticator Management | Pki-Based Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 32d07d59-2716-4972-b37b-214a67ac4a37 Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 34042a97-ec6d-4263-93d2-8c1c46823b2a Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 347e3b69-7fb7-47df-a8ef-71a1a7b44bca Microsoft Managed Control 1151 - System Interconnections Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 3492d949-0dbb-4589-88b3-7b59601cc764 Microsoft Managed Control 1412 - Nonlocal Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 391af4ab-1117-46b9-b2c7-78bbd5cd995b Microsoft Managed Control 1397 - Controlled Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 34a63848-30cf-4081-937e-ce1a1c885501 Microsoft Managed Control 1475 - Emergency Lighting Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 34cb7e92-fe4c-4826-b51e-8cd203fa5d35 Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 3502c968-c490-4570-8167-1476f955e9b8 Microsoft Managed Control 1210 - Configuration Settings Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 35a4102f-a778-4a2e-98c2-971056288df8 Microsoft Managed Control 1659 - Architecture And Provisioning For Name / Address Resolution Service Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 361a77f6-0f9c-4748-8eec-bc13aaaa2455 Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 36220f5b-79a1-4cdb-8c74-2d2449f9a510 Microsoft Managed Control 1313 - Identifier Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 3643717a-3897-4bfd-8530-c7c96b26b2a0 Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 367ae386-db7f-4167-b672-984ff86277c0 Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 36b0ef30-366f-4b1b-8652-a3511df11f53 Microsoft Managed Control 1685 - Information System Monitoring Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 36fbe499-f2f2-41b6-880e-52d7ea1d94a5 Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 37d079e3-d6aa-4263-a069-dd7ac6dd9684 Microsoft Managed Control 1624 - Boundary Protection Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 382016f3-d4ba-4e15-9716-55077ec4dc2a Microsoft Managed Control 1335 - Authenticator Management | Pki-Based Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 3867f2a9-23bb-4729-851f-c3ad98580caf Microsoft Managed Control 1081 - Information Sharing Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 38b470cc-f939-4a15-80e0-9f0c74f2e2c9 Microsoft Managed Control 1522 - Personnel Transfer Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 34a987fd-2003-45de-a120-014956581f2b Microsoft Managed Control 1060 - Remote Access Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 2e1b855b-a013-481a-aeeb-2bcb129fd35d Microsoft Managed Control 1149 - Security Assessments | Specialized Assessments Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 4344df62-88ab-4637-b97b-bcaf2ec97e7c Microsoft Managed Control 1137 - Audit Generation Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 43684572-e4f1-4642-af35-6b933bc506da Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 4c643c9a-1be7-4016-a5e7-e4bada052920 Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers At Logout Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 4cca950f-c3b7-492a-8e8f-ea39663c14f9 Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 4ce9073a-77fa-48f0-96b1-87aa8e6091c2 Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 4d33f9f1-12d0-46ad-9fbd-8f8046694977 Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 4d52e864-9a3b-41ee-8f03-520815fe5378 Microsoft Managed Control 1156 - Plan Of Action And Milestones Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 4d6a5968-9eef-4c18-8534-376790ab7274 Microsoft Managed Control 1312 - Identifier Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 4db56f68-3f50-45ab-88f3-ca46f5379a94 Microsoft Managed Control 1394 - System Maintenance Policy And Procedures Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 4dfc0855-92c4-4641-b155-a55ddd962362 Microsoft Managed Control 1702 - Information System Monitoring | Indicators Of Compromise Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 4e26f8c3-4bf3-4191-b8fc-d888805101b7 Microsoft Managed Control 1001 - Access Control Policy And Procedures Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 4e319cb6-2ca3-4a58-ad75-e67f484e50ec Microsoft Managed Control 1083 - Publicly Accessible Content Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 4e54c7ef-7457-430b-9a3e-ef8881d4a8e0 Microsoft Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 4e666db5-b2ef-4b06-aac6-09bfce49151b Microsoft Managed Control 1247 - Contingency Plan Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 4e7f4ea4-dd62-44f6-8886-ac6137cf52b0 Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 4c615c2a-dc83-4dda-8220-abce7b50c9bc Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 4e95f70e-181c-4422-9da2-43079710c789 Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 4ebd97f7-b105-4f50-8daf-c51465991240 Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 4ed62522-de00-4dda-9810-5205733d2f34 Microsoft Managed Control 1139 - Audit Generation Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 4f26049b-2c5a-4841-9ff3-d48a26aae475 Microsoft Managed Control 1442 - Media Sanitization | Nondestructive Techniques Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 4f34f554-da4b-4786-8d66-7915c90893da Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 50301354-95d0-4a11-8af5-8039ecf6d38b Microsoft Managed Control 1485 - Delivery And Removal Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 506814fa-b930-4b10-894e-a45b98c40e1a Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric Keys Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 50ad3724-e2ac-4716-afcc-d8eabd97adb9 Microsoft Managed Control 1566 - System Development Life Cycle Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 50fc602d-d8e0-444b-a039-ad138ee5deb0 Microsoft Managed Control 1248 - Contingency Plan Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 5120193e-91fd-4f9d-bc6d-194f94734065 Microsoft Managed Control 1386 - Information Spillage Response Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 518cb545-bfa8-43f8-a108-3b7d5037469a Microsoft Managed Control 1352 - Incident Response Policy And Procedures Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 53397227-5ee3-4b23-9e5e-c8a767ce6928 Microsoft Managed Control 1642 - Network Disconnect Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 5350cbf9-8bdd-4904-b22a-e88be84ca49d Microsoft Managed Control 1467 - Visitor Access Records Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 5352e3e0-e63a-452e-9e5f-9c1d181cff9c Microsoft Managed Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 4e97ba1d-be5d-4953-8da4-0cccf28f4805 Microsoft Managed Control 1267 - Alternate Storage Site Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 435b2547-6374-4f87-b42d-6e8dbe6ae62a Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 4c090801-59bc-4454-bb33-e0455133486a Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 4a248e1e-040f-43e5-bff2-afc3a57a3923 Microsoft Managed Control 1677 - Malicious Code Protection Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 43ced7c9-cd53-456b-b0da-2522649a4271 Microsoft Managed Control 1544 - Risk Assessment Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 443e8f3d-b51a-45d8-95a7-18b0e42f4dc4 Microsoft Managed Control 1398 - Controlled Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 4455c2e8-c65d-4acf-895e-304916f90b36 Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 44b9a7cd-f36a-491a-a48b-6d04ae7c4221 Microsoft Managed Control 1720 - Spam Protection Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 44bfdadc-8c2e-4c30-9c99-f005986fabcd Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 44dbba23-0b61-478e-89c7-b3084667782f Microsoft Managed Control 1604 - Developer Security Testing And Evaluation Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 44e543aa-41db-42aa-98eb-8a5eb1db53f0 Microsoft Managed Control 1712 - Software, Firmware, And Information Integrity Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 450d7ede-823d-4931-a99d-57f6a38807dc Microsoft Managed Control 1310 - Device Identification And Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 45692294-f074-42bd-ac54-16f1a3c07554 Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 45b7b644-5f91-498e-9d89-7402532d3645 Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols / Services In Use Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 45ce2396-5c76-4654-9737-f8792ab3d26b Microsoft Managed Control 1565 - System Development Life Cycle Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 463e5220-3f79-4e24-a63f-343e4096cd22 Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party Registration Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 464dc8ce-2200-4720-87a5-dc5952924cc6 Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users) Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 4b1853e0-8973-446b-b567-09d901d31a09 Microsoft Managed Control 1094 - Role-Based Security Training Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance 465f32da-0ace-4603-8d1b-7be5a3a702de Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 47bc7ea0-7d13-4f7c-a154-b903f7194253 Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 47e10916-6c9e-446b-b0bd-ff5fd439d79d Microsoft Managed Control 1165 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 483e7ca9-82b3-45a2-be97-b93163a0deb7 Microsoft Managed Control 1048 - System Use Notification Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 48540f01-fc11-411a-b160-42807c68896e Microsoft Managed Control 1033 - Separation Of Duties Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 4862a63c-6c74-4a9d-a221-89af3c374503 Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 486b006a-3653-45e8-b41c-a052d3e05456 Microsoft Managed Control 1484 - Water Damage Protection | Automation Support Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 48f2f62b-5743-4415-a143-288adc0e078d Microsoft Managed Control 1669 - Flaw Remediation Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 8de614d8-a8b7-4f70-a62a-6d37089a002c Microsoft Managed Control 1250 - Contingency Plan Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 493a95f3-f2e3-47d0-af02-65e6d6decc2f Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 498f6234-3e20-4b6a-a880-cbd646d973bd Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 49b99653-32cd-405d-a135-e7d60a9aae1f Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 49dbe627-2c1e-438c-979e-dd7a39bbf81d Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 4a1d0394-b9f5-493e-9e83-563fd0ac4df8 Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 4708723f-e099-4af1-bbf9-b6df7642e444 Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69 Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 2dad3668-797a-412e-a798-07d3849a7a79 Microsoft Managed Control 1077 - Use Of External Information Systems Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 2d045bca-a0fd-452e-9f41-4ec33769717c Microsoft Managed Control 1068 - Wireless Access Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 0a2ee16e-ab1f-414a-800b-d1608835862b Microsoft Managed Control 1654 - Voice Over Internet Protocol Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 0a560d32-8075-4fec-9615-9f7c853f4ea9 Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 0a77fcc7-b8d8-451a-ab52-56197913c0c7 Microsoft Managed Control 1428 - Media Access Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 0abbac52-57cf-450d-8408-1208d0dd9e90 Microsoft Managed Control 1044 - Unsuccessful Logon Attempts Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 0afce0b3-dd9f-42bb-af28-1e4284ba8311 Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 0b1aa965-7502-41f9-92be-3e2fe7cc392a Microsoft Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 0b291ee8-3140-4cad-beb7-568c077c78ce Microsoft Managed Control 1020 - Account Management | Role-Based Schemes Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 0b653845-2ad9-4e09-a4f3-5a7c1d78353d Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 0be51298-f643-4556-88af-d7db90794879 Microsoft Managed Control 1239 - User-Installed Software Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 0ca96127-2f87-46ab-a4fc-0d2a786df1c8 Microsoft Managed Control 1496 - System Security Plan Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance 0d58f734-c052-40e9-8b2f-a1c2bff0b815 Microsoft Managed Control 1518 - Personnel Termination Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 0d87c70b-5012-48e9-994b-e70dd4b8def0 Microsoft Managed Control 1713 - Software, Firmware, And Information Integrity | Integrity Checks Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 0d943a9c-a6f1-401f-a792-740cdb09c451 Microsoft Managed Control 1466 - Visitor Access Records Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 09828c65-e323-422b-9774-9d5c646124da Microsoft Managed Control 1302 - Identification And Authentication (Org. Users) | Network Access To Non-Privileged Accounts Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 0dced7ab-9ce5-4137-93aa-14c13e06ab17 Microsoft Managed Control 1718 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 0f3c4ac2-3e35-4906-a80b-473b12a622d7 Microsoft Managed Control 1476 - Fire Protection Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 0f4f6750-d1ab-4a4c-8dfd-af3237682665 Microsoft Managed Control 1204 - Access Restrictions For Change | Review System Changes Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 0f559588-5e53-4b14-a7c4-85d28ebc2234 Microsoft Managed Control 1430 - Media Marking Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 0f935dab-83d6-47b8-85ef-68b8584161b9 Microsoft Managed Control 1574 - Acquisition Process Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 0fb8d3ce-9e96-481c-9c68-88d4e3019310 Microsoft Managed Control 1164 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 0fc3db37-e59a-48c1-84e9-1780cedb409e Microsoft Managed Control 1017 - Account Management | Inactivity Logout Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 100c82ba-42e9-4d44-a2ba-94b209248583 Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance 10984b4e-c93e-48d7-bf20-9c03b04e9eca Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 11158848-f679-4e9b-aa7b-9fb07d945071 Microsoft Managed Control 1230 - Configuration Management Plan Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 1140e542-b80d-4048-af45-3f7245be274b Microsoft Managed Control 1432 - Media Storage Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 121eab72-390e-4629-a7e2-6d6184f57c6b Microsoft Managed Control 1655 - Voice Over Internet Protocol Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 12623e7e-4736-4b2e-b776-c1600f35f93a Microsoft Managed Control 1681 - Malicious Code Protection | Automatic Updates Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 129eb39f-d79a-4503-84cd-92f036b5e429 Microsoft Managed Control 1240 - User-Installed Software Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e Microsoft Managed Control 1601 - Developer Security Testing And Evaluation Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 12e30ee3-61e6-4509-8302-a871e8ebb91e Microsoft Managed Control 1666 - System And Information Integrity Policy And Procedures Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 0925f098-7877-450b-8ba4-d1e55f2d8795 Microsoft Managed Control 1159 - Security Authorization Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 07557aa0-e02f-4460-9a81-8ecd2fed601a Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 00379355-8932-4b52-b63a-3bc6daf3451a Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 0062eb8b-dc75-4718-8ea5-9bb4a9606655 Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 01524fa8-4555-48ce-ba5f-c3b8dcef5147 Microsoft Managed Control 1142 - Security Assessment And Authorization Policy And Procedures Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 01910bab-8639-4bd0-84ef-cc53b24d79ba Microsoft Managed Control 1099 - Security Training Records Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance 01f7726b-db54-45c2-bcb5-9bd7a43796ee Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 025992d6-7fee-4137-9bbf-2ffc39c0686c Microsoft Managed Control 1709 - Security Function Verification Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 027cae1c-ec3e-4492-9036-4168d540c42a Microsoft Managed Control 1052 - Session Lock Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 02a5ed00-6d2e-4e97-9a98-46c32c057329 Microsoft Managed Control 1034 - Least Privilege Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 02ce1b22-412a-4528-8630-c42146f917ed Microsoft Managed Control 1623 - Boundary Protection Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 02dd141a-a2b2-49a7-bcbd-ca31142f6211 Microsoft Managed Control 1515 - Personnel Termination Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 03188d8f-1ae5-4fe1-974d-2d7d32ef937d Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 03752212-103c-4ab8-a306-7e813022ca9d Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 03996055-37a4-45a5-8b70-3f1caa45f87d Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 0882d488-8e80-4466-bc0f-0cd15b6cb66d Microsoft Managed Control 1583 - Information System Documentation Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 03ad326e-d7a1-44b1-9a76-e17492efc9e4 Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 03ed3be1-7276-4452-9a5d-e4168565ac67 Microsoft Managed Control 1361 - Incident Handling Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 042ba2a1-8bb8-45f4-b080-c78cf62b90e9 Microsoft Managed Control 1594 - Developer Configuration Management Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 04f5fb00-80bb-48a9-a75b-4cb4d4c97c36 Microsoft Managed Control 1572 - Acquisition Process Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 05460fe2-301f-4ed1-8174-d62c8bb92ff4 Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 05938e10-cdbd-4a54-9b2b-1cbcfc141ad0 Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a Microsoft Managed Control 1223 - Information System Component Inventory Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 05a289ce-6a20-4b75-a0f3-dc8601b6acd0 Microsoft Managed Control 1640 - Transmission Confidentiality And Integrity Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 05ae08cc-a282-413b-90c7-21a2c60b8404 Microsoft Managed Control 1420 - Maintenance Personnel Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 063b540e-4bdc-4e7a-a569-3a42ddf22098 Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching Resolver) Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 063c3f09-e0f0-4587-8fd5-f4276fae675f Microsoft Managed Control 1688 - Information System Monitoring Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 068260be-a5e6-4b0a-a430-cd27071c226a Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 068a88d4-e520-434e-baf0-9005a8164e6a Microsoft Managed Control 1455 - Physical Access Control Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 06c45c30-ae44-4f0f-82be-41331da911cc Microsoft Managed Control 1366 - Incident Handling | Information Correlation Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 03b78f5e-4877-4303-b0f4-eb6583f25768 Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 2d44b6fa-1134-4ea6-ad4e-9edb68f65429 Microsoft Managed Control 1704 - Security Alerts, Advisories, And Directives Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 131a2706-61e9-4916-a164-00e052056462 Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) | Acceptance Of PIV Creds. From Other Agys. Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 13579d0e-0ab0-4b26-b0fb-d586f6d7ed20 Microsoft Managed Control 1184 - Configuration Change Control Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 232ab24b-810b-4640-9019-74a7d0d6a980 Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 23f6e984-3053-4dfc-ab48-543b764781f5 Microsoft Managed Control 1268 - Alternate Storage Site Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 243ec95e-800c-49d4-ba52-1fdd9f6b8b57 Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 244e0c05-cc45-4fe7-bf36-42dcf01f457d Microsoft Managed Control 1231 - Configuration Management Plan Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 24d480ef-11a0-4b1b-8e70-4e023bf2be23 Microsoft Managed Control 1082 - Information Sharing Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 25b96717-c912-4c00-9143-4e487f411726 Microsoft Managed Control 1372 - Incident Reporting Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 26692e88-71b7-4a5f-a8ac-9f31dd05bd8e Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 26d292cc-b0b8-4c29-9337-68abc758bf7b Microsoft Managed Control 1649 - Collaborative Computing Devices Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 276af98f-4ff9-4e69-99fb-c9b2452fb85f Microsoft Managed Control 1396 - Controlled Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 27a69937-af92-4198-9b86-08d355c7e59a Microsoft Managed Control 1074 - Access Control For Mobile Devices Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 2823de66-332f-4bfd-94a3-3eb036cd3b67 Microsoft Managed Control 1527 - Access Agreements Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 283a4e29-69d5-4c94-b99e-29acf003c899 Microsoft Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 28aab8b4-74fd-4b7c-9080-5a7be525d574 Microsoft Managed Control 1436 - Media Transport Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 22b469b3-fccf-42da-aa3b-a28e6fb113ce Microsoft Managed Control 1493 - System Security Plan Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance 28cfa30b-7f72-47ce-ba3b-eed26c8d2c82 Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 28e633fd-284e-4ea7-88b4-02ca157ed713 Microsoft Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 292a7c44-37fa-4c68-af7c-9d836955ded2 Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 2a39ac75-622b-4c88-9a3f-45b7373f7ef7 Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 2aee175f-cd16-4825-939a-a85349d96210 Microsoft Managed Control 1274 - Alternate Processing Site Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 2b909c26-162f-47ce-8e15-0c1f55632eac Microsoft Managed Control 1603 - Developer Security Testing And Evaluation Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 2c18f06b-a68d-41c3-8863-b8cd3acb5f8f Microsoft Managed Control 1434 - Media Transport Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 2c251a55-31eb-4e53-99c6-e9c43c393ac2 Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 2c7c575a-d4c5-4f6f-bd49-dee97a8cba55 Microsoft Managed Control 1388 - Information Spillage Response Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 2c895fe7-2d8e-43a2-838c-3a533a5b355e Microsoft Managed Control 1344 - Authenticator Feedback Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 2ce1ea7e-4038-4e53-82f4-63e8859333c1 Microsoft Managed Control 1546 - Vulnerability Scanning Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 2ce63a52-e47b-4ae2-adbb-6e40d967f9e6 Microsoft Managed Control 1414 - Nonlocal Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 2cf42a28-193e-41c5-98df-7688e7ef0a88 Microsoft Managed Control 1679 - Malicious Code Protection Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 28e62650-c7c2-4786-bdfa-17edc1673902 Microsoft Managed Control 1148 - Security Assessments | Independent Assessors Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 134d7a13-ba3e-41e2-b236-91bfcfa24e01 Microsoft Managed Control 1450 - Physical Access Authorizations Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 22589a07-0007-486a-86ca-95355081ae2a Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 21f639bc-f42b-46b1-8f40-7a2a389c291a Microsoft Managed Control 1426 - Media Protection Policy And Procedures Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 13d117e0-38b0-4bbb-aaab-563be5dd10ba Microsoft Managed Control 1085 - Publicly Accessible Content Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 13d8f903-0cd6-449f-a172-50f6579c182b Microsoft Managed Control 1404 - Maintenance Tools Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 13fcf812-ec82-4eda-9b89-498de9efd620 Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion Detection Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 15495367-cf68-464c-bbc3-f53ca5227b7a Microsoft Managed Control 1157 - Plan Of Action And Milestones Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 1571dd40-dafc-4ef4-8f55-16eba27efc7b Microsoft Managed Control 1491 - Security Planning Policy And Procedures Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance 157f0ef9-143f-496d-b8f9-f8c8eeaad801 Microsoft Managed Control 1564 - System Development Life Cycle Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 165cb91f-7ea8-4ab7-beaf-8636b98c9d15 Microsoft Managed Control 1662 - Fail In Known State Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 16bfdb59-db38-47a5-88a9-2e9371a638cf Microsoft Managed Control 1684 - Information System Monitoring Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 16feeb31-6377-437e-bbab-d7f73911896d Microsoft Managed Control 1103 - Audit Events Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 17200329-bf6c-46d8-ac6d-abf4641c2add Microsoft Managed Control 1007 - Account Management Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 17641f70-94cd-4a5d-a613-3d1143e20e34 Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. Users) | Use Of FICAM-Approved Products Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 1845796a-7581-49b2-ae20-443121538e19 Microsoft Managed Control 1325 - Authenticator Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 18a767cc-1947-4338-a240-bc058c81164f Microsoft Managed Control 1480 - Temperature And Humidity Controls Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 2256e638-eb23-480f-9e15-6cf1af0a76b3 Microsoft Managed Control 1399 - Controlled Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 18cc35ed-a429-486d-8d59-cb47e87304ed Microsoft Managed Control 1369 - Incident Monitoring Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 1a437f5b-9ad6-4f28-8861-de404d511ae4 Microsoft Managed Control 1071 - Wireless Access | Restrict Configurations By Users Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 1ca29e41-34ec-4e70-aba9-6248aca18c31 Microsoft Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 1cb067d5-c8b5-4113-a7ee-0a493633924b Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source) Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 1d01ba6c-289f-42fd-a408-494b355b6222 Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 1d50f99d-1356-49c0-934a-45f742ba7783 Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance 1d7658b2-e827-49c3-a2ae-6d2bd0b45874 Microsoft Managed Control 1538 - Security Categorization Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 1dc784b5-4895-4d27-9d40-a06b032bd1ee Microsoft Managed Control 1298 - Identification And Authentication Policy And Procedures Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 1e0414e7-6ef5-4182-8076-aa82fbb53341 Microsoft Managed Control 1595 - Developer Configuration Management Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 2006457a-48b3-4f7b-8d2e-1532287f9929 Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 201d3740-bd16-4baf-b4b8-7cda352228b7 Microsoft Managed Control 1650 - Public Key Infrastructure Certificates Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 21839937-d241-4fa5-95c6-b669253d9ab9 Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 21de687c-f15e-4e51-bf8d-f35c8619965b Microsoft Managed Control 1111 - Response To Audit Processing Failures Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 21e25e01-0ae0-41be-919e-04ce92b8e8b8 Microsoft Managed Control 1596 - Developer Configuration Management Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 19b9439d-865d-4474-b17d-97d2702fdb66 Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 53c76a39-2097-408a-b237-b279f7b4614d Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 0004bbf0-5099-4179-869e-e9ffe5fb0945 Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 544a208a-9c3f-40bc-b1d1-d7e144495c14 Microsoft Managed Control 1015 - Account Management | Disable Inactive Accounts Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 7327b708-f0e0-457d-9d2a-527fcc9c9a65 Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 733ba9e3-9e7c-440a-a7aa-6196a90a2870 Microsoft Managed Control 1456 - Physical Access Control Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 742b549b-7a25-465f-b83c-ea1ffb4f4e0e Microsoft Managed Control 1581 - Information System Documentation Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 74ae9b8e-e7bb-4c9c-992f-c535282f7a2c Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 7522ed84-70d5-4181-afc0-21e50b1b6d0e Microsoft Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 75603f96-80a1-4757-991d-5a1221765ddd Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 7582b19c-9dba-438e-aed8-ede59ac35ba3 Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0 Microsoft Managed Control 1459 - Access Control For Transmission Medium Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 769efd9b-3587-4e22-90ce-65ddcd5bd969 Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message Displays Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 76e85d08-8fbb-4112-a1c1-93521e6a9254 Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 76f500cc-4bca-4583-bda1-6d084dc21086 Microsoft Managed Control 1508 - Position Risk Designation Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 7741669e-d4f6-485a-83cb-e70ce7cbbc20 Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 77f56280-e367-432a-a3b9-8ca2aa636a26 Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 7814506c-382c-4d33-a142-249dd4a0dbff Microsoft Managed Control 1258 - Contingency Training Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 7818b8f4-47c6-441a-90ae-12ce04e99893 Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 78255758-6d45-4bf0-a005-7016bc03b13c Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5 Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network Services Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 784663a8-1eb0-418a-a98c-24d19bc1bb62 Microsoft Managed Control 1010 - Account Management Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 7894fe6a-f5cb-44c8-ba90-c3f254ff9484 Microsoft Managed Control 1216 - Least Functionality | Periodic Review Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 78e8e649-50f6-4fe3-99ac-fedc2e63b03f Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System Components Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 791cfc15-6974-42a0-9f4c-2d4b82f4a78c Microsoft Managed Control 1647 - Cryptographic Protection Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 79da5b09-0e7e-499e-adda-141b069c7998 Microsoft Managed Control 1510 - Position Risk Designation Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 79fbc228-461c-4a45-9004-a865ca0728a7 Microsoft Managed Control 1384 - Information Spillage Response Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 7a0bdeeb-15f4-47e8-a1da-9f769f845fdf Microsoft Managed Control 1093 - Role-Based Security Training Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance 7a1e2c88-13de-4959-8ee7-47e3d74f1f48 Microsoft Managed Control 1708 - Security Function Verification Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 731856d8-1598-4b75-92de-7d46235747c0 Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 72f1cb4e-2439-4fe8-88ea-b8671ce3c268 Microsoft Managed Control 1524 - Personnel Transfer Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 7207a023-a517-41c5-9df2-09d4c6845a05 Microsoft Managed Control 1395 - System Maintenance Policy And Procedures Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 71bb965d-4047-4623-afd4-b8189a58df5d Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time Source Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 69c7bee8-bc19-4129-a51e-65a7b39d3e7c Microsoft Managed Control 1699 - Information System Monitoring | Privileged Users Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 69d2a238-20ab-4206-a6dc-f302bf88b1b8 Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring Information Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 6a13a8f8-c163-4b1b-8554-d63569dab937 Microsoft Managed Control 1244 - Contingency Plan Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 6a3ee9b2-3977-459c-b8ce-2db583abd9f7 Microsoft Managed Control 1019 - Account Management | Role-Based Schemes Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 6a8b9dc8-6b00-4701-aa96-bba3277ebf50 Microsoft Managed Control 1211 - Configuration Settings Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b Microsoft Managed Control 1653 - Mobile Code Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 6b93a801-fe25-4574-a60d-cb22acffae00 Microsoft Managed Control 1031 - Separation Of Duties Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 6c59a207-6aed-41dc-83a2-e1ff66e4a4db Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b Microsoft Managed Control 1304 - Identification And Authentication (Org. Users) | Local Access To Non-Privileged Accounts Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 6d1eb6ed-bf13-4046-b993-b9e2aef0f76c Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 6d4820bc-8b61-4982-9501-2123cb776c00 Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 6d8d492c-dd7a-46f7-a723-fa66a425b87c Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 7a724864-956a-496c-b778-637cb1d762cf Microsoft Managed Control 1289 - Information System Backup Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912 Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 6db63528-c9ba-491c-8a80-83e1e6977a50 Microsoft Managed Control 1651 - Mobile Code Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 6e3b2fbd-8f37-4766-a64d-3f37703dcb51 Microsoft Managed Control 1586 - External Information System Services Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 6e40d9de-2ad4-4cb5-8945-23143326a502 Microsoft Managed Control 1536 - Risk Assessment Policy And Procedures Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 6e8f9566-29f1-49cd-b61f-f8628a3cf993 Microsoft Managed Control 1530 - Third-Party Personnel Security Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 6f3ce1bb-4f77-4695-8355-70b08d54fdda Microsoft Managed Control 1460 - Access Control For Output Devices Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 6f54c732-71d4-4f93-a696-4e373eca3a77 Microsoft Managed Control 1320 - Authenticator Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 6fdefbf4-93e7-4513-bc95-c1858b7093e0 Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 54205576-cec9-463f-ba44-b4b3f5d0a84c Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 70792197-9bfc-4813-905a-bd33993e327f Microsoft Managed Control 1509 - Position Risk Designation Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 70f6af82-7be6-44aa-9b15-8b9231b2e434 Microsoft Managed Control 1541 - Risk Assessment Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 71475fb4-49bd-450b-a1a5-f63894c24725 Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For Real-Time Analysis Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 717a1c78-a267-4f56-ac58-ee6c54dc4339 Microsoft Managed Control 1481 - Temperature And Humidity Controls Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 6dab4254-c30d-4bb7-ae99-1d21586c063c Microsoft Managed Control 1175 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 7a87fc7f-301e-49f3-ba2a-4d74f424fa97 Microsoft Managed Control 1687 - Information System Monitoring Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 7ac22808-a2e8-41c4-9d46-429b50738914 Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 7ad5f307-e045-46f7-8214-5bdb7e973737 Microsoft Managed Control 1492 - System Security Plan Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance 854db8ac-6adf-42a0-bef3-b73f764f40b9 Microsoft Managed Control 1580 - Information System Documentation Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 855ced56-417b-4d74-9d5f-dd1bc81e22d6 Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. Users) | Acceptance Of Third-Party Credentials Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 85c32733-7d23-4948-88da-058e2c56b60f Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 8605fc00-1bf5-4fb3-984e-c95cec4f231d Microsoft Managed Control 1326 - Authenticator Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 86ccd1bf-e7ad-4851-93ce-6ec817469c1e Microsoft Managed Control 1507 - Personnel Security Policy And Procedures Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 86dc819f-15e1-43f9-a271-41ae58d4cecc Microsoft Managed Control 1392 - Information Spillage Response | Post-Spill Operations Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 86ec7f9b-9478-40ff-8cfd-6a0d510081a8 Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 8713a0ed-0d1e-4d10-be82-83dffb39830e Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 874e7880-a067-42a7-bcbe-1a340f54c8cc Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 87f7cd82-2e45-4d0f-9e2f-586b0962d142 Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 881299bf-2a5b-4686-a1b2-321d33679953 Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document / Verify Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 852981b4-a380-4704-aa1e-2e52d63445e5 Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 8829f8f5-e8be-441e-85c9-85b72a5d0ef3 Microsoft Managed Control 1356 - Incident Response Training | Simulated Events Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 88817b58-8472-4f6c-81fa-58ce42b67f51 Microsoft Managed Control 1501 - Rules Of Behavior Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance 88fc93e8-4745-4785-b5a5-b44bb92c44ff Microsoft Managed Control 1215 - Least Functionality Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 898d4fe8-f743-4333-86b7-0c9245d93e7d Microsoft Managed Control 1411 - Nonlocal Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 8a29d47b-8604-4667-84ef-90d203fcb305 Microsoft Managed Control 1092 - Security Awareness Training | Insider Threat Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance 8b2b263e-cd05-4488-bcbf-4debec7a17d9 Microsoft Managed Control 1534 - Personnel Sanctions Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12 Microsoft Managed Control 1170 - Penetration Testing Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203 Microsoft Managed Control 1458 - Physical Access Control | Information System Access Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 8c79fee4-88dd-44ce-bbd4-4de88948c4f8 Microsoft Managed Control 1683 - Information System Monitoring Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 8ce14753-66e5-465d-9841-26ef55c09c0d Microsoft Managed Control 1316 - Identifier Management | Identify User Status Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 8cfea2b3-7f77-497e-ac20-0752f2ff6eee Microsoft Managed Control 1324 - Authenticator Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 8d096fe0-f510-4486-8b4d-d17dc230980b Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f Microsoft Managed Control 1288 - Information System Backup Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 8877f519-c166-47b7-81b7-8a8eb4ff3775 Microsoft Managed Control 1317 - Authenticator Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 6998e84a-2d29-4e10-8962-76754d4f772d Microsoft Managed Control 1652 - Mobile Code Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 84e622c8-4bed-417c-84c6-b2fb0dd73682 Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. Access To Non-Priv. Accts. - Replay Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 845f6359-b764-4b40-b579-657aefe23c44 Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 7b694eed-7081-43c6-867c-41c76c961043 Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 7c6de11b-5f51-4f7c-8d83-d2467c8a816e Microsoft Managed Control 1143 - Security Assessment And Authorization Policy And Procedures Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339 Microsoft Managed Control 1051 - Session Lock Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0 Microsoft Managed Control 1279 - Telecommunications Services Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of Planned Audit Record Content Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 7daef997-fdd3-461b-8807-a608a6dd70f1 Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 7dd0e9ce-1772-41fb-a50a-99977071f916 Microsoft Managed Control 1471 - Emergency Shutoff Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 7e6a54f3-883f-43d5-87c4-172dfd64a1f5 Microsoft Managed Control 1011 - Account Management Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 7ecda928-9df4-4dd7-8f44-641a91e470e8 Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound Communications Traffic Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 7f26a61b-a74d-467c-99cf-63644db144f7 Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 7f2c513b-eb16-463b-b469-c10e5fa94f0a Microsoft Managed Control 1520 - Personnel Termination Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 7f37f71b-420f-49bf-9477-9c0196974ecf Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 84914fb4-12da-4c53-a341-a9fd463bed10 Microsoft Managed Control 1024 - Account Management | Account Monitoring / Atypical Usage Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 7fbfe680-6dbb-4037-963c-a621c5635902 Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 80ca0a27-918a-4604-af9e-723a27ee51e8 Microsoft Managed Control 1303 - Identification And Authentication (Org. Users) | Local Access To Privileged Accounts Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 813a10a7-3943-4fe3-8678-00dc52db5490 Microsoft Managed Control 1505 - Information Security Architecture Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance 8154e3b3-cc52-40be-9407-7756581d71f6 Microsoft Managed Control 1614 - Developer Security Architecture And Design Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 81817e1c-5347-48dd-965a-40159d008229 Microsoft Managed Control 1308 - Identification And Authentication (Org. Users) | Remote Access - Separate Device Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 819dc6da-289d-476e-8500-7e341ef8677d Microsoft Managed Control 1287 - Information System Backup Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 82409f9e-1f32-4775-bf07-b99d53a91b06 Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 825d6494-e583-42f2-a3f2-6458e6f0004f Microsoft Managed Control 1448 - Physical Access Authorizations Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 82c76455-4d3f-4e09-a654-22e592107e74 Microsoft Managed Control 1452 - Physical Access Control Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 831e510e-db41-4c72-888e-a0621ab62265 Microsoft Managed Control 1262 - Contingency Plan Testing Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 8356cfc6-507a-4d20-b818-08038011cd07 Microsoft Managed Control 1008 - Account Management Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 841392b3-40da-4473-b328-4cde49db67b3 Microsoft Managed Control 1382 - Incident Response Plan Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 84363adb-dde3-411a-9fc1-36b56737f822 Microsoft Managed Control 1098 - Security Training Records Microsoft implements this Awareness and Training control Fixed: audit GA
Regulatory Compliance 804faf7d-b687-40f7-9f74-79e28adf4205 Microsoft Managed Control 1703 - Security Alerts, Advisories, And Directives Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 697175a7-9715-4e89-b98b-c6f605888fa3 Microsoft Managed Control 1727 - Memory Protection Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 704e136a-4fe0-427c-b829-cd69957f5d2b Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 65aeceb5-a59c-4cb1-8d82-9c474be5d431 Microsoft Managed Control 1261 - Contingency Plan Testing Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 5ea87673-d06b-456f-a324-8abcee5c159f Microsoft Managed Control 1208 - Configuration Settings Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 5cb81060-3c8a-4968-bcdc-395a1801f6c1 Microsoft Managed Control 1483 - Water Damage Protection Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 59721f87-ae25-4db0-a2a4-77cc5b25d495 Microsoft Managed Control 1463 - Monitoring Physical Access Microsoft implements this Physical and Environmental Protection control Fixed: audit GA
Regulatory Compliance 5983d99c-f39b-4c32-a3dc-170f19f6941b Microsoft Managed Control 1425 - Timely Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 5a8324ad-f599-429b-aaed-f9c6e8c987a8 Microsoft Managed Control 1512 - Personnel Screening Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 62b638c5-29d7-404b-8d93-f21e4b1ce198 Microsoft Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 5aa85661-d618-46b8-a20f-ca40a86f0751 Microsoft Managed Control 1032 - Separation Of Duties Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 5afa8cab-1ed7-4e40-884c-64e0ac2059cc Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 5b070cab-0fb8-4e48-ad29-fc90b4c2797c Microsoft Managed Control 1205 - Access Restrictions For Change | Signed Components Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 5e47bc51-35d1-44b8-92af-e2f2d8b67635 Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 5b626abc-26d4-4e22-9de8-3831818526b1 Microsoft Managed Control 1005 - Account Management Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 63096613-ce83-43e5-96f4-e588e8813554 Microsoft Managed Control 1660 - Session Authenticity Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 593ce201-54b2-4dd0-b34f-c308005d7780 Microsoft Managed Control 1063 - Remote Access | Managed Access Control Points Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 65592b16-4367-42c5-a26e-d371be450e17 Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 632024c2-8079-439d-a7f6-90af1d78cc65 Microsoft Managed Control 1002 - Account Management Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 5b73f57b-587d-4470-a344-0b0ae805f459 Microsoft Managed Control 1105 - Audit Events Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 5b879b41-2728-41c5-ad24-9ee2c37cbe65 Microsoft Managed Control 1433 - Media Transport Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 5bbda922-0172-4095-89e6-5b4a0bf03af7 Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 5c5bbef7-a316-415b-9b38-29753ce8e698 Microsoft Managed Control 1671 - Flaw Remediation Microsoft implements this System and Information Integrity control Fixed: audit GA
Regulatory Compliance 633988b9-cf2f-4323-8394-f0d2af9cd6e1 Microsoft Managed Control 1498 - Rules Of Behavior Microsoft implements this Planning control Fixed: audit GA
Regulatory Compliance 6519d7f3-e8a2-4ff3-a935-9a9497152ad7 Microsoft Managed Control 1441 - Media Sanitization | Equipment Testing Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 5c5e54f6-0127-44d0-8b61-f31dc8dd6190 Microsoft Managed Control 1067 - Wireless Access Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc Microsoft Managed Control 1177 - Baseline Configuration | Reviews And Updates Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 6420cd73-b939-43b7-9d99-e8688fea053c Microsoft Managed Control 1185 - Configuration Change Control Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 5df3a55c-8456-44d4-941e-175f79332512 Microsoft Managed Control 1665 - Process Isolation Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 5dee936c-8037-4df1-ab35-6635733da48c Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency Accounts Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 5e2b3730-8c14-4081-8893-19dbb5de7348 Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans Microsoft implements this Contingency Planning control Fixed: audit GA
Regulatory Compliance 5f18c885-ade3-48c5-80b1-8f9216019c18 Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information For Security Controls Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 5d169442-d6ef-439b-8dca-46c2c3248214 Microsoft Managed Control 1362 - Incident Handling Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 60171210-6dde-40af-a144-bf2670518bfa Microsoft Managed Control 1663 - Protection Of Information At Rest Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 5577a310-2551-49c8-803b-36e0d5e55601 Microsoft Managed Control 1523 - Personnel Transfer Microsoft implements this Personnel Security control Fixed: audit GA
Regulatory Compliance 562afd61-56be-4313-8fe4-b9564aa4ba7d Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 61a1dd98-b259-4840-abd5-fbba7ee0da83 Microsoft Managed Control 1415 - Nonlocal Maintenance Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 55419419-c597-4cd4-b51e-009fd2266783 Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 68b250ec-2e4f-4eee-898a-117a9fda7016 Microsoft Managed Control 1597 - Developer Configuration Management Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 6182bfa7-0f2a-43f5-834a-a2ddf31c13c7 Microsoft Managed Control 1110 - Audit Storage Capacity Microsoft implements this Audit and Accountability control Fixed: audit GA
Regulatory Compliance 56d970ee-4efc-49c8-8a4e-5916940d784c Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification Microsoft implements this Configuration Management control Fixed: audit GA
Regulatory Compliance 57149289-d52b-4f40-9fe6-5233c1ef80f7 Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities Microsoft implements this Maintenance control Fixed: audit GA
Regulatory Compliance 5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592 Microsoft Managed Control 1162 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 5807e1b4-ba5e-4718-8689-a0ca05a191b2 Microsoft Managed Control 1054 - Session Termination Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 554d2dd6-f3a8-4ad5-b66f-5ce23bd18892 Microsoft Managed Control 1045 - Unsuccessful Logon Attempts Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 68434bd1-e14b-4031-9edb-a4adf5f84a67 Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers Microsoft implements this Incident Response control Fixed: audit GA
Regulatory Compliance 68ebae26-e0e0-4ecb-8379-aabf633b51e9 Microsoft Managed Control 1588 - External Information System Services Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52 Microsoft Managed Control 1547 - Vulnerability Scanning Microsoft implements this Risk Assessment control Fixed: audit GA
Regulatory Compliance 67de62b4-a737-4781-8861-3baed3c35069 Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control Fixed: audit GA
Regulatory Compliance 66f7ae57-5560-4fc5-85c9-659f204e7a42 Microsoft Managed Control 1319 - Authenticator Management Microsoft implements this Identification and Authentication control Fixed: audit GA
Regulatory Compliance 58c93053-7b98-4cf0-b99f-1beb985416c2 Microsoft Managed Control 1573 - Acquisition Process Microsoft implements this System and Services Acquisition control Fixed: audit GA
Regulatory Compliance 666143df-f5e0-45bd-b554-135f0f93e44e Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner Microsoft implements this Media Protection control Fixed: audit GA
Regulatory Compliance 61cf3125-142c-4754-8a16-41ab4d529635 Microsoft Managed Control 1153 - System Interconnections Microsoft implements this Security Assessment and Authorization control Fixed: audit GA
Regulatory Compliance 68f837d0-8942-4b1e-9b31-be78b247bda8 Microsoft Managed Control 1070 - Wireless Access | Disable Wireless Networking Microsoft implements this Access Control control Fixed: audit GA
Regulatory Compliance 5864522b-ff1d-4979-a9f8-58bee1fb174c Microsoft Managed Control 1584 - Information System Documentation Microsoft implements this System and Services Acquisition control Fixed: audit GA
Search b4330a05-a843-4bc8-bf9a-cacce50c67f4 Diagnostic logs in Search services should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center a1181c5f-672a-477a-979a-7d58aa086233 Security Center standard pricing tier should be selected The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center Default: Audit
Allowed: (Audit, Disabled)
GA
Security Center 22730e10-96f6-4aac-ad84-9383d35b5917 Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 5df82f4f-773a-4a2d-97a2-422a806f1a55 [Deprecated]: Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 9daedab3-fb2d-461e-b861-71790eead4f6 All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 1de7b11d-1870-41a5-8181-507e7c663cfb [Deprecated]: Audit API Applications that are not using latest supported .NET Framework Use the latest supported .NET Framework version for the latest security classes. Using older classes and types can make your application vulnerable. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center f6de0be7-9a8a-4b8a-b349-43cf02d22f7c Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 224da9fe-0d38-4e79-adb3-0a6e2af942ac [Deprecated]: Audit API Apps that are not using custom domains Use of custom domains protects an API app from common attacks such as phishing and other DNS-related attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 48893b84-a2c8-4d9a-badf-835d5d1b7d53 [Deprecated]: Audit IP restrictions configuration for an API App IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects an API app from common attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 1a833ff1-d297-4a0f-9944-888428f8e0ff [Deprecated]: Access to App Services should be restricted Azure Security Center has discovered that the networking configuration of some of your app services is overly permissive and allows inbound traffic from ranges that are too broad. Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 External accounts with read permissions should be removed from your subscription External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 5e3315e0-a414-4efb-a4d2-c7bd2b0443d2 [Deprecated]: Audit Web Applications that are not using latest supported .NET Framework Use the latest supported .NET Framework version for the latest security classes. Using older classes and types can make your application vulnerable. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 475aae12-b88a-4572-8b36-9b712b2b3a17 Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security data Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 201ea587-7c90-41c3-910f-c280ae01cfd6 [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM Azure Security Center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regard to the web application ports. Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center cdfcce10-4578-4ecd-9703-530938e4abcb Deploy export to Event Hub for Azure Security Center alerts and recommendations Enable export to Event Hub of Azure Security Center alerts and/or recommendations. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExists Contributor GA
Security Center 5f0f936f-2f01-4bf5-b6be-d423792fa562 Vulnerabilities in Azure Container Registry images should be remediated Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center f8456c1c-aa66-4dfb-861a-25d127b775c9 External accounts with owner permissions should be removed from your subscription External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center dd2ea520-6b06-45c3-806e-ea297c23e06a [Deprecated]: Audit Web Applications that are not using custom domains Use of custom domains protects a web application from common attacks such as phishing and other DNS-related attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center c85538c1-b527-4ce4-bdb4-1dabcb3fd90d [Deprecated]: API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 9bfe3727-0a17-471f-a2fe-eddd6b668745 [Deprecated]: Audit API Applications that are not using latest supported Java Framework Use the latest supported Java version for the latest security classes. Using older classes and types can make your application vulnerable. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 001802d1-4969-4c82-a700-c29c6c6f9bbd [Deprecated]: Audit Web Sockets state for a Function App The Web Sockets protocol is vulnerable to different types of security threats. Use of Web Sockets within a Function app must be carefully reviewed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616 Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor GA
Security Center c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 Azure Defender for container registries should be enabled Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center c3f317a7-a95c-4547-b7e7-11017ebdf2fe System updates on virtual machine scale sets should be installed Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 523b5cd1-3e23-492f-a539-13118b6d1e3a Azure Defender for Kubernetes should be enabled Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 9297c21d-2ed6-4474-b48f-163f75654ce3 MFA should be enabled accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 501541f7-f7e7-4cd6-868c-4190fdad3ac9 A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 A security contact email address should be provided for your subscription Enter an email address to receive notifications when Azure Security Center detects compromised resources Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 4f11b553-d42e-4e3a-89be-32ca364cad4c A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 86b3d65f-7626-441e-b690-81a8b71cff60 System updates should be installed on your machines Missing security system updates on your servers will be monitored by Azure Security Center as recommendations Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 08b17839-76c6-4015-90e0-33d9d54d219c [Deprecated]: Audit Web Applications that are not using latest supported PHP Framework Use the latest supported PHP version for the latest security classes. Using older classes and types can make your application vulnerable. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 Adaptive Network Hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 09024ccc-0c5f-475e-9457-b7c0d9ed487b There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 0961003e-5a0a-4549-abde-af6a37f2724d Disk encryption should be applied on virtual machines Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center bb91dfba-c30d-4263-9add-9c2384e659a6 Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 0b15565f-aa9e-48ba-8619-45960f2c314d Email notification to subscription owner for high severity alerts should be enabled Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center be0a7681-bed4-48dc-9ff3-f0171ee170b6 [Deprecated]: Audit Web Applications that are not using latest supported Java Framework Use the latest supported Java version for the latest security classes. Using older classes and types can make your application vulnerable. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center ffb6f416-7bd2-4488-8828-56585fef2be9 Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations Enable export to Log Analytics workspace of Azure Security Center alerts and/or recommendations. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExists Contributor GA
Security Center 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea Authorized IP ranges should be defined on Kubernetes Services Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. Default: Audit
Allowed: (Audit, Disabled)
GA
Security Center feedbf84-6b99-488c-acc2-71c829aa5ffc Vulnerabilities on your SQL databases should be remediated Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 0e6763cc-5078-4e64-889d-ff4d9a839047 Azure Defender for Key Vault should be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 46544d7b-1f0d-46f5-81da-5c1351de1b06 [Deprecated]: Audit Web Applications that are not using latest supported Python Framework Use the latest supported Python version for the latest security classes. Using older classes and types can make your application vulnerable. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 4da35fc9-c9e7-4960-aec9-797fe7d9051d Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center bd352bd5-2853-4985-bf0d-73806b4a5744 IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 80e94a21-c6cd-4c95-a2c7-beb5704e61c0 Deploy - Configure suppression rules for Azure Security Center alerts Suppress Azure Security Center alerts to reduce alert fatigue by deploying suppression rules on your management group or subscription. Fixed: deployIfNotExists Security Admin GA
Security Center 123a3936-f020-408a-ba0c-47873faf1534 Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center fb893a29-21bb-418c-a157-e99480ec364c Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ Default: Audit
Allowed: (Audit, Disabled)
GA
Security Center 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 5c607a2e-c700-4744-8254-d77e7c9eb5e4 External accounts with write permissions should be removed from your subscription External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center bc0378bb-d7ab-4614-a0f6-5a6e3f02d644 [Deprecated]: Audit API Applications that are not using latest supported Python Framework Use the latest supported Python version for the latest security classes. Using older classes and types can make your application vulnerable. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 5a913c68-0590-402c-a531-e57e19379da3 Operating system version should be the most current version for your cloud service roles Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the system's security posture. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center f1525828-9a90-4fcf-be48-268cdd02361e Deploy Workflow Automation for Azure Security Center alerts Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExists Contributor GA
Security Center 47a6b606-51aa-4496-8bb7-64b11cf66adc Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center b48334a4-911b-4084-b1ab-3e6a4e50b951 [Deprecated]: Audit Web Sockets state for an API App The Web Sockets protocol is vulnerable to different types of security threats. Use of Web Sockets within an API app must be carefully reviewed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center a8bef009-a5c9-4d0f-90d7-6018734e8a16 [Deprecated]: Monitor unencrypted SQL databases in Azure Security Center Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Transparent Data Encryption on SQL databases should be enabled' Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center b4d66858-c922-44e3-9566-5cdb7a7be744 A security contact phone number should be provided for your subscription Enter a phone number to receive notifications when Azure Security Center detects compromised resources Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center e8cbc669-f12d-49eb-93e7-9273119e9933 Vulnerabilities in container security configurations should be remediated Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 2fde8a98-6892-426a-83ba-050e640c0ce0 [Deprecated]: Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 308fbb08-4ab8-4e67-9b29-592e93fb94fa Azure Defender for Storage should be enabled Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center e797f851-8be7-4c40-bb56-2e3395215b0e [Deprecated]: Audit Web Sockets state for a Web Application The Web Sockets protocol is vulnerable to different types of security threats. Use of Web Sockets within a web application must be carefully reviewed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center d62cfe2b-3ab0-4d41-980d-76803b58ca65 Log Analytics agent health issues should be resolved on your machines Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 760a85ff-6162-42b3-8d70-698e268f648c Vulnerabilities should be remediated by a Vulnerability Assessment solution Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center aa633080-8b72-40c4-a2d7-d00c03e80bed MFA should be enabled on accounts with owner permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center e71308d3-144b-4262-b144-efdc3cc90517 Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center e67687e8-08d5-4e7f-8226-5b4753bba008 [Deprecated]: Audit Web Applications that are not using latest supported Node.js Framework Use the latest supported Node.js version for the latest security classes. Using older classes and types can make your application vulnerable. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 655cb504-bcee-4362-bd4c-402e6aa38759 [Deprecated]: Audit missing blob encryption for storage accounts This policy is no longer necessary because storage blob encryption is enabled by default and cannot be turned off. Default: Audit
Allowed: (Audit, Disabled)
Deprecated
Security Center 6581d072-105e-4418-827f-bd446d56421b Azure Defender for SQL servers on machines should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 6e2593d9-add6-4083-9c9b-4b7d2188c899 Email notification for high severity alerts should be enabled Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risks Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 44452482-524f-4bf4-b852-0bff7cc4a3ed [Deprecated]: Monitor permissive network access in Azure Security Center Network Security Groups with too permissive rules will be monitored by Azure Security Center as recommendations Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 6df2fee6-a9ed-4fef-bced-e13be1b25f1c Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor GA
Security Center ac076320-ddcf-4066-b451-6154267e8ad2 Enable Azure Security Center on your subscription Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard), will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. Fixed: deployIfNotExists Security Admin GA
Security Center ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Default: Audit
Allowed: (Audit, Disabled)
GA
Security Center e3576e28-8b17-4677-84c3-db2990658d64 MFA should be enabled on accounts with read permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 664346d9-be92-43fb-a219-d595eeb76a90 [Deprecated]: Audit IP restrictions configuration for a Function App IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a Function app from common attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 6646a0bd-e110-40ca-bb97-84fcee63c414 Service principals should be used to protect your subscriptions instead of management certificates Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 6b1cbf55-e8b6-442f-ba4c-7246b6381474 Deprecated accounts should be removed from your subscription Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center af6cd1bd-1635-48cb-bde7-5b15693900b9 Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center af8051bf-258b-44e2-a2bf-165330459f9d [Deprecated]: Monitor unaudited SQL servers in Azure Security Center SQL servers which don't have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Auditing should be enabled on advanced data security settings on SQL Server' Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 6a8450e2-6c61-43b4-be65-62e3a197bffe [Deprecated]: Audit IP restrictions configuration for a Web Application IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a web application from common attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center 3abeb944-26af-43ee-b83d-32aaf060fb94 [Deprecated]: Pod Security Policies should be defined on Kubernetes Services Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access. Default: Disabled
Allowed: (Audit, Disabled)
Deprecated
Security Center 3fe37002-5d00-4b37-a301-da09e3a0ca66 [Deprecated]: Audit API Applications that are not using latest supported PHP Framework Use the latest supported PHP version for the latest security classes. Using older classes and types can make your application vulnerable. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Security Center b0f33259-77d7-4c9e-aac6-3aabcfae693c Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center abcc6037-1fc4-47f6-aac5-89706589be24 [Deprecated]: Automatic provisioning of security monitoring agent Installs security agent on VMs for advanced security alerts and preventions in Azure Security Center. Applies only for subscriptions that use Azure Security Center. Fixed: AuditIfNotExists Deprecated
Security Center a7aca53f-2ed4-4466-a25e-0b45ade68efd Azure DDoS Protection Standard should be enabled DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349 [Preview]: Sensitive data in your SQL databases should be classified Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
Security Center 2913021d-f2fd-4f3d-b958-22354e2bdbcb Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center a4fe33eb-e377-4efb-ab31-0784311bc499 Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring This policy audits any Windows/Linux virtual machines (VMs) that do not have the Log Analytics agent installed, which Security Center uses to monitor for security vulnerabilities and threats. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 26a828e1-e88f-464e-bbb3-c134a282b9de Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center ebb62a0c-3560-49e1-89ed-27e074e9f8ad Deprecated accounts with owner permissions should be removed from your subscription Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center 73d6ab6c-2475-4850-afd6-43795f3492ef Deploy Workflow Automation for Azure Security Center recommendations Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExists Contributor GA
Security Center a3a6ea0c-e018-4933-9ef0-5aaa1501449b Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Security Center d1cb47db-b7a1-4c46-814e-aad1c0e84f3c [Deprecated]: Audit Function Apps that are not using custom domains Use of custom domains protects a Function app from common attacks such as phishing and other DNS-related attacks. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Deprecated
Service Bus a1817ec0-a368-432a-8057-8371e17ac6ee All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Service Bus f8d36e2f-389b-4ee4-898d-21aeb69a0f45 Diagnostic logs in Service Bus should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Service Fabric 617c02be-7f02-4efd-8836-3180d47b6c68 Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Service Fabric b54ed75b-3e1a-44ac-a333-05ba39b99ff0 Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
SignalR 53503636-bcc9-4748-9663-5348217f160f Azure SignalR Service should use private links Audit Azure SignalR Service resources that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/asrs/privatelink. Default: Audit
Allowed: (Audit, Disabled)
GA
SQL 86a912f6-9a06-4e26-b447-11b16ba8659f Deploy SQL DB transparent data encryption Enables transparent data encryption on SQL databases Fixed: DeployIfNotExists SQL DB Contributor GA
SQL ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 Deploy Threat Detection on SQL servers This policy ensures that Threat Detection is enabled on SQL Servers. Fixed: DeployIfNotExists SQL Security Manager GA
SQL 0a1302fb-a631-4106-9753-f3d494733990 Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 Advanced data security should be enabled on SQL Managed Instance Audit each SQL Managed Instance without advanced data security. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 Advanced data security should be enabled on your SQL servers Audit SQL servers without Advanced Data Security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL 1b8ca024-1d5c-4dec-8995-b1a932b41780 Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Fixed: audit GA
SQL 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 Bring your own key data protection should be enabled for MySQL servers Using customer-managed keys for encrypting data at rest in your Azure Database for MySQL database servers enables implementing a separation of duties in the management of keys and data. When you configure a customer-managed key, the key is used to protect and control access to the key that encrypts your data. You have full control and responsibility for the key lifecycle, including rotation and management. The use of customer-managed keys is sometimes required for compliance purposes. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL c8343d2f-fdc9-4a97-b76f-fc71d1163bfc [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
Deprecated
SQL b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 SQL Database should avoid using GRS backup redundancy Databases should avoid using GRS storage for backups if data residency rules require data to stay within a specific region. Default: Deny
Allowed: (Deny, Disabled)
GA
SQL 3375856c-3824-4e0e-ae6a-79e011dd4c47 MySQL server should use a virtual network service endpoint Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MySQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit whether the Azure Database for MySQL is using a virtual network service endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL 9677b740-f641-4f3c-b9c5-466005c85278 [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers. Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
Deprecated
SQL 1b7aa243-30e4-4c9e-bca8-d0d3022b634a Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL aeb23562-188d-47cb-80b8-551f16ef9fff [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
Deprecated
SQL 32e6bbec-16b6-44c2-be37-c5b672d103cf Azure SQL Database should have the minimal TLS version of 1.2 Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Default: Audit
Allowed: (Audit, Disabled)
GA
SQL 24fba194-95d6-48c0-aea7-f65bf859c598 Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
SQL 3c14b034-bcb6-4905-94e7-5b8e98a47b65 PostgreSQL server should use a virtual network service endpoint Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit whether the Azure Database for PostgreSQL is using a virtual network service endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL 464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf [Deprecated]: Require SQL Server version 12.0 This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version other than 12.0. Fixed: Deny Deprecated
SQL 6134c3db-786f-471e-87bc-8f479dc890f6 Deploy Advanced Data Security on SQL servers This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. Fixed: DeployIfNotExists SQL Security Manager, Storage Account Contributor GA
SQL dfbd9a64-6114-48de-a47d-90574dc2e489 MariaDB server should use a virtual network service endpoint Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MariaDB while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit whether the Azure Database for MariaDB is using a virtual network service endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL 5345bb39-67dc-4960-a1bf-427e16b9a0bd Connection throttling should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL d158790f-bfb0-486c-8631-2dc6b4e8e6af Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default: Audit
Allowed: (Audit, Disabled)
GA
SQL 06a78e20-9358-41c9-923c-fb736d382a12 [Deprecated]: Audit SQL DB Level Audit Setting Audit DB level audit setting for SQL databases Fixed: AuditIfNotExists Deprecated
SQL 3a58212a-c829-4f13-9872-6371df2fd0b4 Infrastructure encryption should be enabled for Azure Database for MySQL servers Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
SQL 77e8b146-0078-4fb2-b002-e112381199f0 Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. Fixed: AuditIfNotExists GA
SQL 048248b0-55cd-46da-b1ff-39efd52db260 SQL Managed Instance TDE protector should be encrypted with your own key Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
Deprecated
SQL 0564d078-92f5-4f97-8398-b9f58a51f70b Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL 7595c971-233d-4bcf-bd18-596129188c49 Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL d9844e8a-1437-4aeb-a32c-0c992f056095 Public network access should be disabled for MySQL servers Disabling the public network access property improves security by ensuring your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Default: Audit
Allowed: (Audit, Disabled)
GA
SQL 89099bee-89e0-4b26-a5f4-165451757743 SQL servers should be configured with auditing retention days greater than 90 days. Audit SQL servers configured with an auditing retention period of less than 90 days. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL 1f314764-cb73-4fc9-b863-8eca98ac36e9 An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL 0d134df8-db83-46fb-ad72-fe0c9428c8dd SQL server TDE protector should be encrypted with your own key Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL 7698e800-9299-47a6-b3b6-5a0fee576eed Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Fixed: audit GA
SQL 7ff426e2-515f-405a-91c8-4f2333442eb5 SQL Auditing settings should have Action-Groups configured to capture critical activities The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL d38fc420-0735-4ef3-ac11-c806f651a570 Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL b52376f7-9612-48a1-81cd-1ffe4b61032c Public network access should be disabled for PostgreSQL servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Default: Audit
Allowed: (Audit, Disabled)
GA
SQL 0ec47710-77ff-4a3d-9181-6aa50af424d0 Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Default: Audit
Allowed: (Audit, Disabled)
GA
SQL a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server, except Synapse, and save them in an audit log. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL e802a67a-daf5-4436-9ea6-f6d821dd0c5d Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default: Audit
Allowed: (Audit, Disabled)
GA
SQL a8793640-60f7-487c-b5c3-1d37215905c4 SQL Managed Instance should have the minimal TLS version of 1.2 Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Default: Audit
Allowed: (Audit, Disabled)
GA
SQL eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3 Log duration should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_duration setting enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
SQL 9a7c7a7d-49e5-4213-bea8-6a502b6272e0 Deploy Diagnostic Settings for Azure SQL Database to Event Hub Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub when any Azure SQL Database which is missing these diagnostic settings is created or updated. Fixed: DeployIfNotExists Contributor GA
SQL 17k78e20-9358-41c9-923c-fb736d382a12 Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL a9934fd7-29f2-4e6d-ab3d-607ea38e9079 SQL Managed Instances should avoid using GRS backup redundancy Managed Instances should avoid using GRS storage for backups if data residency rules require data to stay within a specific region. Default: Deny
Allowed: (Deny, Disabled)
GA
SQL 48af4db5-9b8b-401c-8e74-076be876a430 Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. Default: Audit
Allowed: (Audit, Disabled)
GA
SQL 18adea5e-f416-4d0f-8aa8-d24321e3e274 Bring your own key data protection should be enabled for PostgreSQL servers Using customer-managed keys for encrypting data at rest in your Azure Database for PostgreSQL database servers enables implementing a separation of duties in the management of keys and data. When you configure a customer-managed key, the key is used to protect and control access to the key that encrypts your data. You have full control and responsibility for the key lifecycle, including rotation and management. The use of customer-managed keys is sometimes required for compliance purposes. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL eb6f77b9-bd53-4e35-a23d-7f65d5f0e442 Log connections should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL f4c68484-132f-41f9-9b6d-3e4b1cb55036 Deploy Auditing on SQL servers This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same region as the SQL server to store audit records. Fixed: DeployIfNotExists SQL Security Manager, Storage Account Contributor GA
SQL c9299215-ae47-4f50-9c54-8a392f68a052 Public network access should be disabled for MySQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
SQL e756b945-1b1b-480b-8de8-9a0859d5f7ad [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
Deprecated
SQL 82339799-d096-41ae-8538-b108becf0970 Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. Default: Audit
Allowed: (Audit, Disabled)
GA
SQL bda18df3-5e41-4709-add9-2554ce68c966 [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
Deprecated
SQL fdccbe47-f3e3-4213-ad5d-ea459b2fa077 Public network access should be disabled for MariaDB servers Disabling the public network access property improves security by ensuring your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Default: Audit
Allowed: (Audit, Disabled)
GA
SQL eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 Disconnections should be logged for PostgreSQL database servers. This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d Log checkpoints should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Storage 37e0d2fe-28a5-43d6-a273-67d37d1f5606 Storage accounts should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Storage 7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f [Deprecated]: Require blob encryption for storage accounts This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. This policy is deprecated because storage blob encryption is now enabled by default, and can no longer be disabled. Fixed: deny Deprecated
Storage 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 [Preview]: Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. Default: audit
Allowed: (audit, deny, disabled)
Preview
Storage 404c3081-a854-4457-ae30-26a93ef643f9 Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Storage 6edd7eda-6dd8-40f7-810d-67160c639cd9 Storage account should use a private link connection Private links enforce secure communication, by providing private connectivity to the storage account Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Storage c9d007d0-c057-4772-b18c-01e546713bcd Storage accounts should allow access from trusted Microsoft services Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Storage 4733ea7b-a883-42fe-8cac-97454c2a9e4a Storage accounts should have infrastructure encryption Enable infrastructure encryption for a higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Storage 6fac406b-40ca-413b-bf8e-0bf964659c25 Storage account should use customer-managed key for encryption Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Default: Audit
Allowed: (Audit, Disabled)
GA
Storage 34c877ad-507e-4c82-993e-3452a6e0ad3c Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Storage 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method to IP-based filtering. Disallowing IP-based filtering prevents public IPs from accessing your storage accounts. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Storage 361c2074-3595-4e5d-8cab-4f21dffc835c Deploy Advanced Threat Protection on Storage Accounts This policy enables Advanced Threat Protection on Storage Accounts. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin GA
Storage 7433c107-6db4-4ad1-b57a-a76dce0154a1 Allowed storage account SKUs This policy enables you to specify a set of storage account SKUs that your organization can deploy. Fixed: Deny GA
Storage bf045164-79ba-4215-8f95-f8048dc1780b Geo-redundant storage should be enabled for Storage Accounts This policy audits any Storage Account with geo-redundant storage not enabled. Default: Audit
Allowed: (Audit, Disabled)
GA
Stream Analytics f9be5368-9bf5-4b84-9e0a-7850da98bb46 Diagnostic logs in Azure Stream Analytics should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Stream Analytics 87ba29ef-1ab3-4d82-b763-87fcd4f531f7 Azure Stream Analytics jobs should use customer-managed keys to encrypt data Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. Default: audit
Allowed: (audit, deny, disabled)
GA
Synapse 56fd377d-098c-4f02-8406-81eb055902b8 IP firewall rules on Azure Synapse workspaces should be removed Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace. Default: Audit
Allowed: (Audit, Disabled)
GA
Synapse f7d52b2d-e161-4dfa-a82b-55e564167385 Azure Synapse workspaces should use customer-managed keys to encrypt data at rest Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Synapse 2d9dbfa3-927b-4cf0-9d0f-08747f971650 Managed workspace virtual network on Azure Synapse workspaces should be enabled Enabling a managed workspace virtual network ensures that your workspace is network isolated from other workspaces. Data integration and Spark resources deployed in this virtual network also provide user-level isolation for Spark activities. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Synapse 72d11df1-dd8a-41f7-8925-b05b960ebafc Private endpoint connections on Azure Synapse workspaces should be enabled Private endpoints can be configured to connect privately to an Azure Synapse workspace. This is used to enforce a secure communication channel to Azure Synapse workspace. Default: Audit
Allowed: (Audit, Disabled)
GA
Synapse 3a003702-13d2-4679-941b-937e58c443f0 Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants Protect your Synapse workspace by only allowing connections to resources in approved Azure Active Directory (Azure AD) tenants. The approved Azure AD tenants can be defined during policy assignment. Default: Audit
Allowed: (Audit, Disabled, Deny)
GA
Tags 8ce3da23-7156-49e4-b145-24f95f9dcb46 Require a tag and its value on resource groups Enforces a required tag and its value on resource groups. Fixed: deny GA
Tags 96d9a89c-0d67-41fc-899d-2b9599f76a24 Add a tag to subscriptions Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation. Fixed: modify Tag Contributor GA
Tags cd3aa116-8754-49c9-a813-ad46512ece54 Inherit a tag from the resource group Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Fixed: modify Contributor GA
Tags cd8dc879-a2ae-43c3-8211-1877c5755064 [Deprecated]: Allow resource creation if 'department' tag set Allows resource creation only if the 'department' tag is set Fixed: Deny Deprecated
Tags 1e30110a-5ceb-460c-a204-c1c3969c6d62 Require a tag and its value on resources Enforces a required tag and its value. Does not apply to resource groups. Fixed: deny GA
Tags d157c373-a6c4-483d-aaad-570756956268 Add or replace a tag on resource groups Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task. Fixed: modify Contributor GA
Tags 9ea02ca2-71db-412d-8b00-7c7ca9fcd32d Append a tag and its value from the resource group Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). Fixed: append GA
Tags 2a0e14a6-b0a6-4fab-991a-187a4f81c498 Append a tag and its value to resources Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). Fixed: append GA
Tags b27a0cbd-a167-4dfa-ae64-4337be671140 Inherit a tag from the subscription Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Fixed: modify Contributor GA
Tags 96670d01-0a4d-4649-9c89-2d3abc0a5025 Require a tag on resource groups Enforces existence of a tag on resource groups. Fixed: deny GA
Tags ea3f2387-9b95-492a-a190-fcdc54f7b070 Inherit a tag from the resource group if missing Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Fixed: modify Contributor GA
Tags 49c88fc8-6fd1-46fd-a676-f12d1d3a4c71 Append a tag and its value to resource groups Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). Fixed: append GA
Tags 4f9dc7db-30c1-420c-b61a-e1d640128d26 Add a tag to resources Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups. Fixed: modify Contributor GA
Tags 871b6d14-10aa-478d-b590-94f262ecfa99 Require a tag on resources Enforces existence of a tag. Does not apply to resource groups. Fixed: deny GA
Tags 5ffd78d9-436d-4b41-a421-5baa819e3008 Add or replace a tag on resources Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does not modify tags on resource groups. Fixed: modify Contributor GA
Tags 61a4d60b-7326-440e-8051-9f94394d4dd1 Add or replace a tag on subscriptions Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation. Fixed: modify Tag Contributor GA
Tags ac7e5fc0-c029-4b12-91d4-a8500ce697f9 [Deprecated]: Allow resource creation if 'environment' tag value in allowed values Allows resource creation if the 'environment' tag is set to one of the following values: production, dev, test, staging Fixed: Deny Deprecated
Tags 726aca4c-86e9-4b04-b0c5-073027359532 Add a tag to resource groups Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Fixed: modify Contributor GA
Tags 40df99da-1232-49b1-a39a-6da8d878f469 Inherit a tag from the subscription if missing Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Fixed: modify Contributor GA
VM Image Builder 2154edb9-244f-4741-9970-660785bccdaa VM Image Builder templates should use private link Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead which may expose resources directly to the internet and increase the potential attack surface. Default: Audit
Allowed: (Audit, Disabled)
GA