last sync: 2022-Jan-20 18:36:44 UTC

All Azure Policy definitions

BuiltIn
61 categories
Enterprise-Scale
13 categories
Community
22 categories
Category Category txt Id DisplayName Description Effect Roles Rule Aliases Rule ResourceTypes State Type
API for FHIR API for FHIR 051cba44-2429-45b9-9649-46cec11c7119 Azure API for FHIR should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Default: audit
Allowed: (audit, disabled)
IF (1)
•Microsoft.HealthcareApis/services/cosmosDbConfiguration.keyVaultKeyUri
IF (1)
•Microsoft.HealthcareApis/services
GA BuiltIn
API for FHIR API for FHIR 1ee56206-5dd1-42ab-b02d-8aae8b1634ce Azure API for FHIR should use private link Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.HealthcareApis/services/privateEndpointConnections[*]
•Microsoft.HealthcareApis/services/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HealthcareApis/services
GA BuiltIn
API for FHIR API for FHIR 0fea8f8a-4169-495d-8307-30ec335f387d CORS should not allow every domain to access your API for FHIR Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. Default: audit
Allowed: (audit, disabled)
IF (1)
•Microsoft.HealthcareApis/services/corsConfiguration.origins[*]
IF (1)
•Microsoft.HealthcareApis/services
GA BuiltIn
API Management API Management 73ef9241-5d81-4cd4-b483-8443d1730fe5 API Management service should use a SKU that supports virtual networks With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ApiManagement/service/sku.name
IF (1)
•Microsoft.ApiManagement/service
GA BuiltIn
API Management API Management df73bd95-24da-4a4f-96b9-4e8b94b402bd API Management services should disable public network access To improve the security of API Management services, ensure that endpoints aren't exposed to the public internet. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to Management API, managing configuration using Git, self-hosted gateways configuration. If any of those features are not used, corresponding endpoints should be disabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.ApiManagement/service/sku.name
THEN-ExistenceCondition (1)
•Microsoft.ApiManagement/service/tenant/enabled
IF (1)
•Microsoft.ApiManagement/service
GA BuiltIn
API Management API Management ef619a2c-cc4d-4d03-b2ba-8c94a834d85b API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.ApiManagement/service/sku.name
•Microsoft.ApiManagement/service/virtualNetworkType
IF (1)
•Microsoft.ApiManagement/service
GA BuiltIn
API Management API Management 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 Configure API Management services to disable public network access To improve the security of API Management services, disable public endpoints. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to Management API, managing configuration using Git, self-hosted gateways configuration. If any of those features are not used, corresponding endpoints should be disabled. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
API Management Service Contributor IF (1)
•Microsoft.ApiManagement/service/sku.name
THEN-ExistenceCondition (1)
•Microsoft.ApiManagement/service/tenant/enabled
IF (1)
•Microsoft.ApiManagement/service
GA BuiltIn
App Configuration App Configuration 3d9f5e4c-9947-4579-9539-2a7695fbc187 App Configuration should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.AppConfiguration/configurationStores/publicNetworkAccess
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 App Configuration should use a customer-managed key Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.AppConfiguration/configurationStores/encryption.keyVaultProperties.keyIdentifier
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration 89c8a434-18f0-402c-8147-630a8dea54e0 App Configuration should use a SKU that supports private link When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.AppConfiguration/configurationStores/sku.name
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration ca610c1d-041c-4332-9d88-7ed3094967c7 App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration b08ab3ca-1062-4db3-8803-eec9cae605d6 App Configuration stores should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.AppConfiguration/configurationStores/disableLocalAuth
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration 72bc14af-4ab8-43af-b4e4-38e7983f9a1f Configure App Configuration stores to disable local authentication methods Disable local authentication methods so that your App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.AppConfiguration/configurationStores/disableLocalAuth
THEN-Operations (1)
•Microsoft.AppConfiguration/configurationStores/disableLocalAuth
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration 73290fa2-dfa7-4bbb-945d-a5e23b75df2c Configure App Configuration to disable public network access Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.AppConfiguration/configurationStores/publicNetworkAccess
THEN-Operations (1)
•Microsoft.AppConfiguration/configurationStores/publicNetworkAccess
IF (1)
•Microsoft.AppConfiguration/configurationStores
GA BuiltIn
App Configuration App Configuration 7a860e27-9ca2-4fc6-822d-c2d248c300df Configure private DNS zones for private endpoints connected to App Configuration Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
App Configuration App Configuration 614ffa75-862c-456e-ad8b-eaa1b0844b07 Configure private endpoints for App Configuration Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (1)
•Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.AppConfiguration/configurationStores
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
App Platform App Platform 0f2d8593-4667-4932-acca-6a9f187af109 [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.AppPlatform/Spring/trace.enabled
•Microsoft.AppPlatform/Spring/trace.state
IF (1)
•Microsoft.AppPlatform/Spring
Preview BuiltIn
App Platform App Platform af35e2a4-ef96-44e7-a9ae-853dd97032c4 Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (2)
•Microsoft.AppPlatform/Spring/networkProfile.serviceRuntimeSubnetId
•Microsoft.AppPlatform/Spring/sku.tier
IF (1)
•Microsoft.AppPlatform/Spring
GA BuiltIn
App Service App Service d79ab062-dffd-4318-8344-f70de714c0bc [Deprecated]: App Service should disable public network access Disabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/config/PublicNetworkAccess
Deprecated BuiltIn
App Service App Service 752c6934-9bcc-4749-b004-655e676ae2ac [Deprecated]: Audit enabling of diagnostic logs in App Services Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised Default: Audit
Allowed: (Audit, Disabled)
IF (3)
•Microsoft.Web/sites/config/detailedErrorLoggingEnabled
•Microsoft.Web/sites/config/httpLoggingEnabled
•Microsoft.Web/sites/config/requestTracingEnabled
Deprecated BuiltIn
App Service App Service b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 [Deprecated]: Diagnostic logs in App Services should be enabled Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (3)
•Microsoft.Web/sites/config/detailedErrorLoggingEnabled
•Microsoft.Web/sites/config/httpLoggingEnabled
•Microsoft.Web/sites/config/requestTracingEnabled
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 58d94fc1-a072-47c2-bd37-9cdb38e77453 [Deprecated]: Ensure Function app is using the latest version of TLS encryption Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.minTlsVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.netFrameworkVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 10c1859c-e1a7-4df3-ab97-a487fa8059f6 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.netFrameworkVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 843664e0-7563-41ee-a9cb-7522c382d2c4 [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.netFrameworkVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service ab965db2-d2bf-4b64-8b39-c38ec8179461 [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app PHP cannot be used with Function apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/config/web.linuxFxVersion
•Microsoft.Web/sites/config/web.phpVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 86d97760-d216-4d81-a3ad-163087b2b6c3 [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.managedServiceIdentityId
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service f0473e7a-a1ba-4e86-afb2-e829e11b01d8 [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.managedServiceIdentityId
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service aa81768c-cb87-4ce2-bfaa-00baa10d760c [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.managedServiceIdentityId
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service 6ad61431-88ce-4357-a0e1-6da43f292bd7 [Deprecated]: Ensure WEB app is using the latest version of TLS encryption Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.minTlsVersion
IF (1)
•Microsoft.Web/sites
Deprecated BuiltIn
App Service App Service app-service_allowed-appservicesplan-skus Allowed App Services Plan SKUs This policy enables you to specify a set of App Services Plan SKUs that your organization can deploy. Fixed: Deny IF (1)
•Microsoft.Web/serverfarms/sku.name
IF (1)
•Microsoft.Web/serverfarms
GA Community
App Service App Service Deny-AppServiceApiApp-http API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA ESLZ
App Service App Service b7ddfbdc-1260-477d-91fd-98bd9be789a6 API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 324c7761-08db-4474-9661-d1039abc92ee API apps should use an Azure file share for its content directory The content directory of an API app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/storageAccountRequired
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 72d04c29-f87d-4575-9731-419ff16a2757 App Service Apps should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Web/sites/virtualNetworkSubnetId
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 33228571-70a4-4fa1-8ca1-26d0aba8d6ef App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/vnetRouteAllEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Web/serverFarms/sku.family
IF (1)
•Microsoft.Web/serverFarms
GA BuiltIn
App Service App Service 2d048aca-6479-4923-88f5-e2ac295d9af3 App Service Environment apps should not be reachable over public internet To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Web/HostingEnvironments/internalLoadBalancingMode
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service 817dcf37-e83d-4999-a472-644eada2ea1e App Service Environment should be configured with strongest TLS Cipher suites The two most minimal and strongest cipher suites required for App Service Environment to function correctly are : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Default: Audit
Allowed: (Audit, Disabled)
IF (3)
•Microsoft.Web/HostingEnvironments/clusterSettings[*]
•Microsoft.Web/HostingEnvironments/clusterSettings[*].name
•Microsoft.Web/HostingEnvironments/clusterSettings[*].value
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service eb4d34ab-0929-491c-bbf3-61e13da19f9a App Service Environment should be provisioned with latest versions Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service d6545c6b-dd9d-4265-91e6-0b451e2f1c50 App Service Environment should disable TLS 1.0 and 1.1 TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (3)
•Microsoft.Web/HostingEnvironments/clusterSettings[*]
•Microsoft.Web/HostingEnvironments/clusterSettings[*].name
•Microsoft.Web/HostingEnvironments/clusterSettings[*].value
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service fb74e86f-d351-4b8d-b034-93da7391c01f App Service Environment should enable internal encryption Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. Default: Audit
Allowed: (Audit, Disabled)
IF (3)
•Microsoft.Web/HostingEnvironments/clusterSettings[*]
•Microsoft.Web/HostingEnvironments/clusterSettings[*].name
•Microsoft.Web/HostingEnvironments/clusterSettings[*].value
IF (1)
•Microsoft.Web/hostingEnvironments
GA BuiltIn
App Service App Service 871b205b-57cf-4e1e-a234-492616998bf7 App Service should have local authentication methods disabled for FTP deployments Disabling local authentication methods improves security by ensuring that App Service exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service aede300b-d67f-480a-ae26-4b3dfb1a1fdc App Service should have local authentication methods disabled for SCM site deployments Disabling local authentication methods improves security by ensuring that App Service exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 687aa49d-0982-40f8-bf6b-66d1da97a04b App Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service ec71c0bc-6a45-4b1f-9587-80dc83e6898c App Service slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 847ef871-e2fe-4e6e-907e-4adbf71de5cf App Service slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7 App Services should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/publicNetworkAccess
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service app-service_audit-appservicesbackend-appgw Apps Require App Gateway Front End Custom policy requires that HTTP(S) triggered apps require App GW Front-End so that inbound ports are not opened on apps Default: auditIfNotExists
Allowed: (auditIfNotExists, disabled)
THEN-ExistenceCondition (2)
•Microsoft.Network/applicationGateways/backendAddressPools[*].backendAddresses[*]
•Microsoft.Network/applicationGateways/backendAddressPools[*].backendAddresses[*].fqdn
IF (1)
•Microsoft.Web/sites
GA Community
App Service App Service Append-AppService-httpsonly AppService append enable https only setting to enforce https setting. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny. Default: Append
Allowed: (Append, Disabled)
IF (1)
•Microsoft.Web/sites/httpsOnly
THEN-Details (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA ESLZ
App Service App Service Append-AppService-latestTLS AppService append sites with minimum TLS version to enforce. Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny. Default: Append
Allowed: (Append, Disabled)
IF (1)
•Microsoft.Web/sites/config/minTlsVersion
THEN-Details (1)
•Microsoft.Web/sites/config/minTlsVersion
GA ESLZ
App Service App Service c4ebc54a-46e1-481a-bee2-d4411e95d828 Authentication should be enabled on your API app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/siteAuthEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 Authentication should be enabled on your Function app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/siteAuthEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 95bccee9-a7f8-4bec-9ee9-62c3473701fc Authentication should be enabled on your web app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/siteAuthEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service f493116f-3b7f-4ab3-bf80-0c2af35e46c2 Configure App Service slots to disable local authentication for FTP deployments. Disable local authentication methods for FTP deployments so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 2c034a29-2a5f-4857-b120-f800fe5549ae Configure App Service slots to disable local authentication for SCM sites. Disable local authentication methods for SCM sites so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites/slots
GA BuiltIn
App Service App Service 5e97b776-f380-4722-a9a3-e7f0be029e79 Configure App Service to disable local authentication for SCM sites. Disable local authentication methods for SCM sites so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 Configure App Service to disable local authentication on FTP deployments. Disable local authentication methods for FTP deployments so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 81dff7c0-4020-4b58-955d-c076a2136b56 Configure App Services to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/publicNetworkAccess
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service b318f84a-b872-429b-ac6d-a01b96814452 Configure App Services to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac CORS should not allow every resource to access your API App Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 0820b7b9-23aa-4725-a1ce-ae4558f718e5 CORS should not allow every resource to access your Function Apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 CORS should not allow every resource to access your Web Applications Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.cors.allowedOrigins[*]
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 0c192fe8-9cbb-4516-85b3-0ade8bd03886 Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 991310cd-e9f3-47bc-b7b6-f57b557d07db Ensure that 'HTTP Version' is the latest, if used to run the API app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.http20Enabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service e2c1c086-2d84-4019-bff3-c44ccd95113c Ensure that 'HTTP Version' is the latest, if used to run the Function app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.http20Enabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 8c122334-9d20-4eb8-89ea-ac9a705b74ae Ensure that 'HTTP Version' is the latest, if used to run the Web app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.http20Enabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 88999f4c-376a-45c8-bcb3-4058f713cf39 Ensure that 'Java version' is the latest, if used as a part of the API app Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc Ensure that 'Java version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 496223c3-ad65-4ecd-878a-bae78737e9ed Ensure that 'Java version' is the latest, if used as a part of the Web app Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba Ensure that 'PHP version' is the latest, if used as a part of the API app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 7261b898-8a84-4db8-9e04-18527132abb3 Ensure that 'PHP version' is the latest, if used as a part of the WEB app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 74c3584d-afae-46f7-a20a-6f8adba71a16 Ensure that 'Python version' is the latest, if used as a part of the API app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 7238174a-fd10-4ef0-817e-fc820a951d73 Ensure that 'Python version' is the latest, if used as a part of the Function app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 7008174a-fd10-4ef0-817e-fc820a951d73 Ensure that 'Python version' is the latest, if used as a part of the Web app Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.linuxFxVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 5bb220d9-2698-4ee4-8404-b9c30c9df609 Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 FTPS only should be required in your API App Enable FTPS enforcement for enhanced security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/ftpsState
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 399b2637-a50f-4f95-96f8-3a145476eb15 FTPS only should be required in your Function App Enable FTPS enforcement for enhanced security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/ftpsState
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b FTPS should be required in your Web App Enable FTPS enforcement for enhanced security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/ftpsState
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service Deny-AppServiceFunctionApp-http Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA ESLZ
App Service App Service 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service eaebaea7-8013-4ceb-9d14-7eb32271373c Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/clientCertEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 Function apps should use an Azure file share for its content directory The content directory of a function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/storageAccountRequired
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e Latest TLS version should be used in your API App Upgrade to the latest TLS version Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service f9d614c5-c173-4d56-95a7-b4437057d193 Latest TLS version should be used in your Function App Upgrade to the latest TLS version Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b Latest TLS version should be used in your Web App Upgrade to the latest TLS version Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/minTlsVersion
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service c4d441f8-f9d9-4a9e-9cef-e82117cb3eef Managed identity should be used in your API App Use a managed identity for enhanced authentication security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/config/managedServiceIdentityId
•Microsoft.Web/sites/config/xmanagedServiceIdentityId
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 0da106f2-4ca3-48e8-bc85-c638fe6aea8f Managed identity should be used in your Function App Use a managed identity for enhanced authentication security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/config/managedServiceIdentityId
•Microsoft.Web/sites/config/xmanagedServiceIdentityId
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 2b9ad585-36bc-4615-b300-fd4435808332 Managed identity should be used in your Web App Use a managed identity for enhanced authentication security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (2)
•Microsoft.Web/sites/config/managedServiceIdentityId
•Microsoft.Web/sites/config/xmanagedServiceIdentityId
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service e9c8d085-d9cc-4b17-9cdc-059f1f01f19e Remote debugging should be turned off for API Apps Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 0e60b895-3786-45da-8377-9c6b4b6ac5f9 Remote debugging should be turned off for Function Apps Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service cb510bfd-1cba-4d9f-a230-cb0976f4bb71 Remote debugging should be turned off for Web Applications Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Web/sites/config/web.remoteDebuggingEnabled
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service 91a78b24-f231-4a8a-8da9-02c35b2b6510 Resource logs in App Services should be enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service a4af4a39-4135-47fb-b175-47fbdf85311d Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA BuiltIn
App Service App Service Deny-AppServiceWebApp-http Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Web/sites/httpsOnly
IF (1)
•Microsoft.Web/sites
GA ESLZ
App Service App Service dcbc65aa-59f3-4239-8978-3bb869d82604 Web apps should use an Azure file share for its content directory The content directory of a web app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Web/sites/storageAccountRequired
IF (1)
•Microsoft.Web/sites
GA BuiltIn
Attestation Attestation 7b256a2d-058b-41f8-bed9-3f870541c40a Azure Attestation providers should use private endpoints Private endpoints provide a way to connect Azure Attestation providers to your Azure resources without sending traffic over the public internet. By preventing public access, private endpoints help protect against undesired anonymous access. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (3)
•Microsoft.Attestation/attestationProviders/privateEndpointConnections/privateEndpoint
•Microsoft.Attestation/attestationProviders/privateEndpointConnections/privateLinkServiceConnectionState.status
•Microsoft.Attestation/attestationProviders/privateEndpointConnections/provisioningState
IF (1)
•Microsoft.Attestation/attestationProviders
GA BuiltIn
Automanage Automanage 270610db-8c04-438a-a739-e8e6745b22d3 Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (8)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.id
•Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (2)
•Microsoft.Automanage/configurationProfileAssignments/accountId
•Microsoft.Automanage/configurationProfileAssignments/configurationProfile
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Automation Automation 3657f5a0-770e-44a3-b44e-9431ba1e9735 Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Automation/automationAccounts/variables/isEncrypted
GA BuiltIn
Automation Automation 955a914f-bf86-4f0e-acd5-e0766b0efcb6 Automation accounts should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Automation/automationAccounts/publicNetworkAccess
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 48c5f1cb-14ad-4797-8e3b-f78ab3f8d700 Azure Automation account should have local authentication method disabled Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Automation/automationAccounts/disableLocalAuth
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 56a5ee18-2ae6-4810-86f7-18e39ce5629b Azure Automation accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Automation/automationAccounts/encryption.keySource
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 30d1d58e-8f96-47a5-8564-499a3f3cca81 Configure Azure Automation account to disable local authentication Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.Automation/automationAccounts/disableLocalAuth
THEN-Operations (1)
•Microsoft.Automation/automationAccounts/disableLocalAuth
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 23b36a7c-9d26-4288-a8fd-c1d2fa284d8c Configure Azure Automation accounts to disable public network access Disable public network access for Azure Automation account so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.Automation/automationAccounts/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Automation/automationAccounts/publicNetworkAccess
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Automation Automation 6dd01e4f-1be1-4e80-9d0b-d109e04cb064 Configure Azure Automation accounts with private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. You need private DNS zone properly configured to connect to Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Automation Automation c0c3130e-7dda-4187-aed0-ee4a472eaa60 Configure private endpoint connections on Azure Automation accounts Private endpoint connections allow secure communication by enabling private connectivity to Azure Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Contributor THEN-ExistenceCondition (1)
•Microsoft.Automation/automationAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Automation/automationAccounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Automation Automation Deny-AA-child-resources No child resources in Automation Account This policy denies the creation of child resources on the Automation Account Default: Deny
Allowed: (Audit, Deny, Disabled)
GA ESLZ
Automation Automation 0c2b3618-68a8-4034-a150-ff4abc873462 Private endpoint connections on Automation Accounts should be enabled Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Automation/automationAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Automation/automationAccounts
GA BuiltIn
Azure Active Directory Azure Active Directory 3aa87b5a-7813-4b57-8a43-42dd9df5aaa7 Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.AAD/domainServices/domainSecuritySettings.tlsV1
IF (1)
•Microsoft.AAD/domainServices
GA BuiltIn
Azure Arc Azure Arc 7eab1da3-2bf0-4ff0-8303-1a4277c380e8 Azure Arc Private Link Scopes should be configured with a private endpoint Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Arc Private Link Scopes, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections[*]
•Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HybridCompute/privateLinkScopes
GA BuiltIn
Azure Arc Azure Arc 898f2439-3333-4713-af25-f1d78bc50556 Azure Arc Private Link Scopes should disable public network access Disabling public network access improves security by ensuring that Azure Arc resources cannot connect via the public internet. Creating private endpoints can limit exposure of Azure Arc resources. Learn more at: https://aka.ms/arc/privatelink. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess
IF (1)
•Microsoft.HybridCompute/privateLinkScopes
GA BuiltIn
Azure Arc Azure Arc efa3f296-ff2b-4f38-bc0d-5ef12c965b68 Azure Arc-enabled servers should be configured with an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.HybridCompute/machines/privateLinkScopeResourceId
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Azure Arc Azure Arc de0bc8ea-76e2-4fe2-a288-a07556d0e9c4 Configure Azure Arc Private Link Scopes to disable public network access Disable public network access for your Azure Arc Private Link Scope so that associated Azure Arc resources cannot connect to Azure Arc services over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/arc/privatelink. Default: Modify
Allowed: (Modify, Disabled)
Azure Connected Machine Resource Administrator IF (1)
•Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess
THEN-Operations (1)
•Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess
IF (1)
•Microsoft.HybridCompute/privateLinkScopes
GA BuiltIn
Azure Arc Azure Arc 55c4db33-97b0-437b-8469-c4f4498f5df9 Configure Azure Arc Private Link Scopes to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.HybridCompute/privateLinkScopes
•Microsoft.Network/privateEndpoints
GA BuiltIn
Azure Arc Azure Arc d6eeba80-df61-4de5-8772-bc1b7852ba6b Configure Azure Arc Private Link Scopes with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Azure Connected Machine Resource Administrator THEN-ExistenceCondition (1)
•Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HybridCompute/privateLinkScopes
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Azure Arc Azure Arc a3461c8c-6c9d-4e42-a644-40ba8a1abf49 Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default: Modify
Allowed: (Modify, Disabled)
Azure Connected Machine Resource Administrator IF (1)
•Microsoft.HybridCompute/machines/privateLinkScopeResourceId
THEN-Operations (1)
•Microsoft.HybridCompute/machines/privateLinkScopeResourceId
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Azure Data Explorer Azure Data Explorer 81e74cea-30fd-40d5-802f-d72103c2aaaa Azure Data Explorer encryption at rest should use a customer-managed key Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (4)
•Microsoft.Kusto/clusters/keyVaultProperties
•Microsoft.Kusto/clusters/keyVaultProperties.keyName
•Microsoft.Kusto/clusters/keyVaultProperties.keyVaultUri
•Microsoft.Kusto/clusters/keyVaultProperties.keyVersion
IF (1)
•Microsoft.Kusto/Clusters
GA BuiltIn
Azure Data Explorer Azure Data Explorer f4b53539-8df9-40e4-86c6-6b607703bd4e Disk encryption should be enabled on Azure Data Explorer Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Kusto/clusters/enableDiskEncryption
IF (1)
•Microsoft.Kusto/Clusters
GA BuiltIn
Azure Data Explorer Azure Data Explorer ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 Double encryption should be enabled on Azure Data Explorer Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Kusto/clusters/enableDoubleEncryption
IF (1)
•Microsoft.Kusto/Clusters
GA BuiltIn
Azure Data Explorer Azure Data Explorer 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413 Virtual network injection should be enabled for Azure Data Explorer Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (4)
•Microsoft.Kusto/clusters/virtualNetworkConfiguration
•Microsoft.Kusto/clusters/virtualNetworkConfiguration.dataManagementPublicIpId
•Microsoft.Kusto/clusters/virtualNetworkConfiguration.enginePublicIpId
•Microsoft.Kusto/clusters/virtualNetworkConfiguration.subnetId
IF (1)
•Microsoft.Kusto/Clusters
GA BuiltIn
Azure DNS Azure DNS network_enforce_azfw_dns_servers Enforce Firewall Policy DNS servers This policy prevent settings non authorized dns servers for firewall policies. Default: Audit
Allowed: (Deny, Audit, Disabled)
IF (1)
•Microsoft.Network/firewallPolicies/dnsSettings.servers[*]
GA Community
Azure DNS Azure DNS network_enforce_vnet_dns_servers Enforce VNET DNS servers This policy prevent settings non authorized dns servers for vnets. Default: Audit
Allowed: (Deny, Audit, Disabled)
IF (1)
•Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]
GA Community
Azure DNS Azure DNS compute_only_approved_vmss_extensions_should_be_installed Only approved VMSS extensions should be installed This policy governs the virtual machine scale set extensions that are not approved. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.extensionProfile.extensions[*].type
GA Community
Azure Edge Hardware Center Azure Edge Hardware Center 08a6b96f-576e-47a2-8511-119a212d344d Azure Edge Hardware Center devices should have double encryption support enabled Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.EdgeOrder/orderItems/orderItemDetails.preferences.encryptionPreferences.doubleEncryptionStatus
•Microsoft.EdgeOrder/orderItems/orderItemDetails.productDetails.productDoubleEncryptionStatus
IF (1)
•Microsoft.EdgeOrder/orderItems
GA BuiltIn
Azure Purview Azure Purview 9259053b-ddb8-40ab-842a-0aef19d0ade4 Azure Purview accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.Purview/accounts/privateEndpointConnections[*]
•Microsoft.Purview/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Purview/accounts
GA BuiltIn
Azure Stack Edge Azure Stack Edge b4ac1030-89c5-4697-8e00-28b5ba6a8811 Azure Stack Edge devices should use double-encryption To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.DataboxEdge/DataBoxEdgeDevices/sku.name
IF (1)
•Microsoft.DataBoxEdge/DataBoxEdgeDevices
GA BuiltIn
Backup Backup 2e94d99a-8a36-4563-bc77-810d8893b671 [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.RecoveryServices/vaults/encryption.infrastructureEncryption
•Microsoft.RecoveryServices/vaults/encryption.keyVaultProperties.keyUri
IF (1)
•Microsoft.RecoveryServices/vaults
Preview BuiltIn
Backup Backup deeddb44-9f94-4903-9fa0-081d524406e3 [Preview]: Azure Recovery Services vaults should use private link for backup Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. Default: Audit
Allowed: (Audit, Disabled)
IF (4)
•Microsoft.RecoveryServices/vaults/privateEndpointConnections[*]
•Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].id
•Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status
•Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].provisioningState
IF (1)
•Microsoft.RecoveryServices/vaults
Preview BuiltIn
Backup Backup 615b01c4-d565-4f6f-8c6e-d130268e3a1a [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Backup Contributor IF (3)
•Microsoft.Storage/storageAccounts/isHnsEnabled
•Microsoft.Storage/storageAccounts/isNfsV3Enabled
•Microsoft.Storage/storageAccounts/sku.name
THEN-ExistenceCondition (1)
•Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled
IF (1)
•Microsoft.Storage/StorageAccounts
THEN-Deployment (3)
•Microsoft.Resources/deployments
•Microsoft.Storage/storageAccounts
•Microsoft.Storage/storageAccounts/blobServices
Preview BuiltIn
Backup Backup 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Backup Contributor IF (3)
•Microsoft.Storage/storageAccounts/isHnsEnabled
•Microsoft.Storage/storageAccounts/isNfsV3Enabled
•Microsoft.Storage/storageAccounts/sku.name
THEN-ExistenceCondition (1)
•Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled
IF (1)
•Microsoft.Storage/StorageAccounts
THEN-Deployment (3)
•Microsoft.Resources/deployments
•Microsoft.Storage/storageAccounts
•Microsoft.Storage/storageAccounts/blobServices
Preview BuiltIn
Backup Backup af783da1-4ad1-42be-800d-d19c70038820 [Preview]: Configure Recovery Services vaults to use private DNS zones for backup Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.Network/privateEndpoints
•Microsoft.RecoveryServices/vaults
Preview BuiltIn
Backup Backup 013e242c-8828-4970-87b3-ab247555486d Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.Compute/imagePublisher
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Details (1)
•Microsoft.RecoveryServices/backupprotecteditems
GA BuiltIn
Backup Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor, Backup Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.RecoveryServices/vaults
GA BuiltIn
Backup Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor, Backup Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Resources/deployments
GA BuiltIn
Backup Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor, Backup Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.RecoveryServices/vaults
GA BuiltIn
Backup Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor, Backup Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Resources/deployments
GA BuiltIn
Backup Backup c717fb0c-d118-4c43-ab3d-ece30ac81fb3 Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. Fixed: deployIfNotExists Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].Category
•Microsoft.Insights/diagnosticSettings/logs[*].Enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.RecoveryServices/vaults
GA BuiltIn
Batch Batch 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a Azure Batch account should use customer-managed keys to encrypt data Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Batch/batchAccounts/encryption.keySource
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 1760f9d4-7206-436e-a28f-d9f3a5c8a227 Azure Batch pools should have disk encryption enabled Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Batch/batchAccounts/pools/deploymentConfiguration.virtualMachineConfiguration.diskEncryptionConfiguration.targets[*]
IF (1)
•Microsoft.Batch/batchAccounts/pools
GA BuiltIn
Batch Batch 6f68b69f-05fe-49cd-b361-777ee9ca7e35 Batch accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*]
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 4dbc2f5c-51cf-4e38-9179-c7028eed2274 Configure Batch accounts to disable local authentication Disable location authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (2)
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*]
THEN-Operations (1)
•Microsoft.Batch/batchAccounts/allowedAuthenticationModes
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 0ef5aac7-c064-427a-b87b-d47b3ddcaf73 Configure Batch accounts with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/batch/private-connectivity. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (1)
•Microsoft.Batch/batchAccounts/publicNetworkAccess
THEN-ExistenceCondition (1)
•Microsoft.Batch/batchAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Batch/batchAccounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Batch Batch 4ec38ebc-381f-45ee-81a4-acbc4be878f8 Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Batch Batch 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 Metric alert rules should be configured on Batch accounts Audit configuration of metric alert rules on Batch account to enable the required metric Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (3)
•Microsoft.Insights/alertRules/condition.dataSource.metricName
•Microsoft.Insights/alertRules/condition.dataSource.resourceUri
•Microsoft.Insights/alertRules/isEnabled
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 009a0c92-f5b4-4776-9b66-4ed2b4775563 Private endpoint connections on Batch accounts should be enabled Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at https://docs.microsoft.com/azure/batch/private-connectivity. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Batch/batchAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 74c5a0ae-5e48-4738-b093-65e23a060488 Public network access should be disabled for Batch accounts Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Batch/batchAccounts/publicNetworkAccess
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Batch Batch 428256e6-1fac-4f48-a757-df34c2b3336d Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Bot Service Bot Service 6164527b-e1ee-4882-8673-572f425f5e0a Bot Service endpoint should be a valid HTTPS URI Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.BotService/botServices/endpoint
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service 51522a96-0869-4791-82f3-981000c2c67f Bot Service should be encrypted with a customer-managed key Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.BotService/botServices/isCmekEnabled
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service 52152f42-0dda-40d9-976e-abb1acdd611e Bot Service should have isolated mode enabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.BotService/botServices/publicNetworkAccess
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service ffea632e-4e3a-4424-bf78-10e179bb2e1a Bot Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.BotService/botServices/disableLocalAuth
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service ad5621d6-a877-4407-aa93-a950b428315e BotService resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your BotService resource, data leakage risks are reduced. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.BotService/botServices/privateEndpointConnections[*]
•Microsoft.BotService/botServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.BotService/botServices
GA BuiltIn
Bot Service Bot Service 6a4e6f44-f2af-4082-9702-033c9e88b9f8 Configure BotService resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.BotService/botServices
•Microsoft.Network/privateEndpoints
GA BuiltIn
Bot Service Bot Service 29261f8e-efdb-4255-95b8-8215414515d6 Configure BotService resources with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your BotService resource, you can reduce data leakage risks. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor THEN-ExistenceCondition (1)
•Microsoft.BotService/botServices/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.BotService/botServices
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Budget Budget Deploy-Budget Deploy a default budget on all subscriptions under the assigned scope Deploy a default budget on all subscriptions under the assigned scope Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (3)
•Microsoft.Consumption/budgets/amount
•Microsoft.Consumption/budgets/category
•Microsoft.Consumption/budgets/timeGrain
IF (1)
•Microsoft.Resources/subscriptions
THEN-Deployment (1)
•Microsoft.Consumption/budgets
GA ESLZ
Budget Budget Deny-MachineLearning-ComputeCluster-Scale Enforce scale settings for Azure Machine Learning compute clusters Enforce scale settings for Azure Machine Learning compute clusters. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (3)
•Microsoft.MachineLearningServices/workspaces/computes/computeType
•Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount
•Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes
GA ESLZ
Budget Budget Deny-MachineLearning-Compute-VmSize Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (2)
•Microsoft.MachineLearningServices/workspaces/computes/computeType
•Microsoft.MachineLearningServices/workspaces/computes/vmSize
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes
GA ESLZ
Cache Cache Append-Redis-sslEnforcement Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default: Append
Allowed: (Append, Disabled)
IF (1)
•Microsoft.Cache/Redis/minimumTlsVersion
THEN-Details (1)
•Microsoft.Cache/Redis/minimumTlsVersion
IF (1)
•Microsoft.Cache/redis
GA ESLZ
Cache Cache Append-Redis-disableNonSslPort Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default: Append
Allowed: (Append, Disabled, Modify)
IF (1)
•Microsoft.Cache/Redis/enableNonSslPort
THEN-Details (1)
•Microsoft.Cache/Redis/enableNonSslPort
IF (1)
•Microsoft.Cache/redis
GA ESLZ
Cache Cache Deny-Redis-http Azure Cache for Redis only secure connections should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Cache/Redis/enableNonSslPort
•Microsoft.Cache/Redis/minimumTlsVersion
IF (1)
•Microsoft.Cache/redis
GA ESLZ
Cache Cache 470baccb-7e51-4549-8b1a-3e5be069f663 Azure Cache for Redis should disable public network access Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Cache/Redis/publicNetworkAccess
IF (1)
•Microsoft.Cache/Redis
GA BuiltIn
Cache Cache 7d092e0a-7acd-40d2-a975-dca21cae48c4 Azure Cache for Redis should reside within a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Cache/Redis/subnetId
IF (1)
•Microsoft.Cache/redis
GA BuiltIn
Cache Cache 7803067c-7d34-46e3-8c79-0ca68fc4036d Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Cache/redis/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Cache/redis
GA BuiltIn
Cache Cache 30b3dfa5-a70d-4c8e-bed6-0083858f663d Configure Azure Cache for Redis to disable public network access Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks. Default: Modify
Allowed: (Modify, Disabled)
Redis Cache Contributor IF (1)
•Microsoft.Cache/Redis/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Cache/Redis/publicNetworkAccess
IF (1)
•Microsoft.Cache/Redis
GA BuiltIn
Cache Cache e016b22b-e0eb-436d-8fd7-160c4eaed6e2 Configure Azure Cache for Redis to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Cache Cache 5d8094d7-7340-465a-b6fd-e60ab7e48920 Configure Azure Cache for Redis with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Redis Cache Contributor THEN-ExistenceCondition (1)
•Microsoft.Cache/redis/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Cache/redis
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Cache Cache 22bee202-a82f-4305-9a2a-6d7f44d4dedb Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Cache/Redis/enableNonSslPort
IF (1)
•Microsoft.Cache/redis
GA BuiltIn
Cognitive Services Cognitive Services 2bdd0062-9d75-436e-89df-487dd8e4b3c7 [Deprecated]: Cognitive Services accounts should enable data encryption This policy is deprecated. Cognitive Services have data encryption enforced. Default: Disabled
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.CognitiveServices/accounts/encryption
•Microsoft.CognitiveServices/accounts/encryption.keySource
IF (1)
•Microsoft.CognitiveServices/accounts
Deprecated BuiltIn
Cognitive Services Cognitive Services 11566b39-f7f7-4b82-ab06-68d8700eb0a4 [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. This policy is deprecated. Cognitive Services have data encryption enforced. Default: Disabled
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.CognitiveServices/accounts/encryption
•Microsoft.CognitiveServices/accounts/encryption.keySource
IF (1)
•Microsoft.CognitiveServices/accounts
Deprecated BuiltIn
Cognitive Services Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca Cognitive Services accounts should disable public network access Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (3)
•Microsoft.CognitiveServices/accounts/capabilities[*]
•Microsoft.CognitiveServices/accounts/capabilities[*].name
•Microsoft.CognitiveServices/accounts/publicNetworkAccess
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 67121cc7-ff39-4ab8-b7e3-95b84dab487d Cognitive Services accounts should enable data encryption with a customer-managed key Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (3)
•Microsoft.CognitiveServices/accounts/capabilities[*]
•Microsoft.CognitiveServices/accounts/capabilities[*].name
•Microsoft.CognitiveServices/accounts/encryption.keySource
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 71ef260a-8f18-47b7-abcb-62d0673d94dc Cognitive Services accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.CognitiveServices/accounts/disableLocalAuth
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Cognitive Services accounts should restrict network access Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (3)
•Microsoft.CognitiveServices/accounts/capabilities[*]
•Microsoft.CognitiveServices/accounts/capabilities[*].name
•Microsoft.CognitiveServices/accounts/networkAcls.defaultAction
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services fe3fd216-4f83-4fc1-8984-2bbec80a3418 Cognitive Services accounts should use a managed identity Assigning a managed identity to your Cognitive Service account helps ensure secure authentication. This identity is used by this Cognitive service account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 46aa9b05-0e60-4eae-a88b-1e9d374fa515 Cognitive Services accounts should use customer owned storage Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.CognitiveServices/accounts/capabilities[*]
•Microsoft.CognitiveServices/accounts/capabilities[*].name
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services cddd188c-4b82-4c48-a19d-ddf74ee66a01 Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: Audit
Allowed: (Audit, Disabled)
IF (4)
•Microsoft.CognitiveServices/accounts/capabilities[*]
•Microsoft.CognitiveServices/accounts/capabilities[*].name
•Microsoft.CognitiveServices/accounts/privateEndpointConnections[*]
•Microsoft.CognitiveServices/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 14de9e63-1b31-492e-a5a3-c3f7fd57f555 Configure Cognitive Services accounts to disable local authentication methods Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.CognitiveServices/accounts/disableLocalAuth
THEN-Operations (1)
•Microsoft.CognitiveServices/accounts/disableLocalAuth
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c Configure Cognitive Services accounts to disable public network access Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: Modify
Allowed: (Disabled, Modify)
Contributor IF (3)
•Microsoft.CognitiveServices/accounts/capabilities[*]
•Microsoft.CognitiveServices/accounts/capabilities[*].name
•Microsoft.CognitiveServices/accounts/publicNetworkAccess
THEN-Operations (1)
•Microsoft.CognitiveServices/accounts/publicNetworkAccess
IF (1)
•Microsoft.CognitiveServices/accounts
GA BuiltIn
Cognitive Services Cognitive Services c4bc6f10-cb41-49eb-b000-d5ab82e2a091 Configure Cognitive Services accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.CognitiveServices/accounts
•Microsoft.Network/privateEndpoints
GA BuiltIn
Cognitive Services Cognitive Services db630ad5-52e9-4f4d-9c44-53912fe40053 Configure Cognitive Services accounts with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Cognitive Services Contributor IF (2)
•Microsoft.CognitiveServices/accounts/capabilities[*]
•Microsoft.CognitiveServices/accounts/capabilities[*].name
THEN-ExistenceCondition (1)
•Microsoft.CognitiveServices/accounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.CognitiveServices/accounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Compute Compute 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 [Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs This policy deploys the Log Analytics Extension on Ubuntu VMs, and connects to the selected Log Analytics workspace Fixed: deployIfNotExists Log Analytics Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
Deprecated BuiltIn
Compute Compute 2c89a2e5-7285-40fe-afe0-ae8654b92fb2 [Deprecated]: Unattached disks should be encrypted This policy audits any unattached disk without encryption enabled. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.Compute/disks/diskState
•Microsoft.Compute/disks/encryptionSettingsCollection.enabled
IF (1)
•Microsoft.Compute/disks
Deprecated BuiltIn
Compute Compute cccc23c7-8427-4f53-ad12-b6a63eb452b3 Allowed virtual machine size SKUs This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. Fixed: Deny IF (1)
•Microsoft.Compute/virtualMachines/sku.name
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Compute Compute 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Fixed: auditIfNotExists IF (1)
•Microsoft.ClassicCompute/virtualMachines
GA BuiltIn
Compute Compute 06a78e20-9358-41c9-923c-fb736d382a4d Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks Fixed: audit IF (3)
•Microsoft.Compute/virtualMachines/osDisk.uri
•Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl
•Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/VirtualMachineScaleSets
GA BuiltIn
Compute Compute ac34a73f-9fa5-4067-9247-a3ecae514468 Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Owner THEN-ExistenceCondition (1)
•Microsoft.Resources/links/targetId
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (7)
•Microsoft.Compute/availabilitySets
•Microsoft.Compute/proximityPlacementGroups
•Microsoft.Network/virtualNetworks
•Microsoft.RecoveryServices/replicationEligibilityResults
•Microsoft.RecoveryServices/vaults
•Microsoft.Resources/deployments
•Microsoft.Storage/storageAccounts
GA BuiltIn
Compute Compute bc05b96c-0b36-4ca9-82f0-5c53f96ce05a Configure disk access resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.Compute/diskAccesses
•Microsoft.Network/privateEndpoints
GA BuiltIn
Compute Compute 582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5 Configure disk access resources with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (1)
•Microsoft.Compute/diskAccesses/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Compute/diskAccesses
THEN-Deployment (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Compute Compute compute_configure-managed-disks-to-disable-public-access Configure managed disks to disable public access This policy configures managed disks to disable public access. Default: modify
Allowed: (deny, audit, disabled, modify)
Contributor IF (1)
•Microsoft.Compute/disks/networkAccessPolicy
THEN-Operations (1)
•Microsoft.Compute/disks/networkAccessPolicy
GA Community
Compute Compute 8426280e-b5be-43d9-979e-653d12a08638 Configure managed disks to disable public network access Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.Compute/disks/networkAccessPolicy
THEN-Operations (2)
•Microsoft.Compute/disks/diskAccessId
•Microsoft.Compute/disks/networkAccessPolicy
IF (1)
•Microsoft.Compute/disks
GA BuiltIn
Compute Compute monitoring_deploy-oms-agent-based-on-region-linux Deploy default Log Analytics VM Extension for Linux VMs. This policy deploys Log Analytics VM Extensions on Linux VMs in specific regions, and connects to the selected Log Analytics workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor IF (1)
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/settings.workspaceId
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.compute/virtualmachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA Community
Compute Compute monitoring_deploy-oms-agent-based-on-region-windows Deploy default Log Analytics VM Extension for Windows VMs. This policy deploys Log Analytics VM Extensions on Windows VMs in specific regions, and connects to the selected Log Analytics workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor IF (1)
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/settings.workspaceId
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.compute/virtualmachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA Community
Compute Compute 2835b622-407b-4114-9198-6f7064cbe0dc Deploy default Microsoft IaaSAntimalware extension for Windows Server This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. Fixed: deployIfNotExists Virtual Machine Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Compute Compute hybridusebenefits_deploy-hybrid-use-windows-server Deploy hybrid use for Windows Server This Policy will enable HUB for Windows Server Fixed: deployIfNotExists Owner IF (1)
•Microsoft.Compute/virtualMachines/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.Compute/virtualMachines/licenseType
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines
GA Community
Compute Compute compute_deploy-or-audit-auto-shutdown-by-tag-value-on-vm Deploy VM auto shutdown Default: audit
Allowed: (audit, Deny, DeployIfNotExists, Disabled)
Virtual Machine Contributor THEN-ExistenceCondition (2)
•Microsoft.DevTestLab/labs/virtualMachines/schedules/status
•Microsoft.DevTestLab/labs/virtualMachines/schedules/targetResourceId
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.devtestlab/schedules
GA Community
Compute Compute f39f5f49-4abf-44de-8c70-0756997bfb51 Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Compute/diskAccesses/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Compute/diskAccesses
GA BuiltIn
Compute Compute ca91455f-eace-4f96-be59-e6e2c35b4816 Managed disks should be double encrypted with both platform-managed and customer-managed keys High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Compute/diskEncryptionSets/encryptionType
IF (1)
•Microsoft.Compute/diskEncryptionSets
GA BuiltIn
Compute Compute 8405fdab-1faf-48aa-b702-999c9c172094 Managed disks should disable public network access Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Compute/disks/networkAccessPolicy
IF (1)
•Microsoft.Compute/disks
GA BuiltIn
Compute Compute d461a302-a187-421a-89ac-84acdb4edc04 Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption Requiring a specific set of disk encryption sets to be used with managed disks give you control over the keys used for encryption at rest. You are able to select the allowed encrypted sets and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (9)
•Microsoft.Compute/disks/encryption.diskEncryptionSetId
•Microsoft.Compute/disks/managedBy
•Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId
•Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.osDiskImage.diskEncryptionSetId
•Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id
•Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.managedDisk.diskEncryptionSet.id
IF (5)
•Microsoft.Compute/disks
•Microsoft.Compute/galleries/images/versions
•Microsoft.Compute/images
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachineScaleSets
GA BuiltIn
Compute Compute c43e4a30-77cb-48ab-a4dd-93f175c63b57 Microsoft Antimalware for Azure should be configured to automatically update protection signatures This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Compute Compute 9b597639-28e4-48eb-b506-56b05d366257 Microsoft IaaSAntimalware extension should be deployed on Windows servers This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Compute Compute c0e996f8-39cf-4af9-9f45-83fbde810432 Only approved VM extensions should be installed This policy governs the virtual machine extensions that are not approved. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Compute Compute 702dd420-7fcc-42c5-afe8-4026edd20fe0 OS and data disks should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (10)
•Microsoft.Compute/disks/encryption.diskEncryptionSetId
•Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*]
•Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId
•Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id
•Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.id
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.managedDisk.diskEncryptionSet.id
IF (5)
•Microsoft.Compute/disks
•Microsoft.Compute/galleries/images/versions
•Microsoft.Compute/images
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachineScaleSets
GA BuiltIn
Compute Compute 465f0161-0087-490a-9ad9-ad6217f4f43a Require automatic OS image patching on Virtual Machine Scale Sets This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month. Fixed: deny IF (2)
•Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade
•Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
GA BuiltIn
Compute Compute 7c1b1214-f927-48bf-8882-84f0af6588b1 Resource logs in Virtual Machine Scale Sets should be enabled It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachineScaleSets/extensions/publisher
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
GA BuiltIn
Compute Compute fc4d8e41-e223-45ea-9bf5-eada37891d87 Virtual machines and virtual machine scale sets should have encryption at host enabled Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost
•Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.encryptionAtHost
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachineScaleSets
GA BuiltIn
Compute Compute 1d84d5fb-01f6-4d12-ba4f-4a26081d403d Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.ClassicCompute/virtualMachines
•Microsoft.Compute/virtualMachines
GA BuiltIn
Container Instance Container Instance 8af8f826-edcb-4178-b35f-851ea6fea615 Azure Container Instance container group should deploy into a virtual network Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.ContainerInstance/containerGroups/networkProfile.id
IF (1)
•Microsoft.ContainerInstance/containerGroups
GA BuiltIn
Container Instance Container Instance 0aa61e00-0a01-4a3c-9945-e93cffedf0e6 Azure Container Instance container group should use customer-managed key for encryption Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (2)
•Microsoft.ContainerInstance/containerGroups/encryptionProperties.keyName
•Microsoft.ContainerInstance/containerGroups/encryptionProperties.vaultBaseUrl
IF (1)
•Microsoft.ContainerInstance/containerGroups
GA BuiltIn
Container Registry Container Registry 79fdfe03-ffcb-4e55-b4d0-b925b8241759 Configure container registries to disable local authentication. Disable local authentication so that your container registries exclusively require Azure Active Directory identities for authentication. Learn more about at: https://aka.ms/acr/authentication. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.ContainerRegistry/registries/adminUserEnabled
THEN-Operations (1)
•Microsoft.ContainerRegistry/registries/adminUserEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry a3701552-92ea-433e-9d17-33b7f1208fc9 Configure Container registries to disable public network access Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
THEN-Operations (1)
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 Configure Container registries to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Container Registry Container Registry d85c6833-7d33-4cf5-a915-aaa2de84405f Configure Container registries with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (1)
•Microsoft.ContainerRegistry/registries/sku.name
THEN-ExistenceCondition (1)
•Microsoft.ContainerRegistry/registries/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.ContainerRegistry/registries
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Container Registry Container Registry containerregistry_container-registries-prevent-access-to-trusted-services Container Registries prevent access to trusted services This policy configures container registry acr_firewall_bypass to prevent access to trusted services Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Container Registry Container Registry containerregistry_container-registries-prevent-managed-identity Container Registries prevent managed identity This policy configures container registry to prevent managed identity Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Container Registry Container Registry 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 Container registries should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerRegistry/registries/encryption.status
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry 524b0254-c285-4903-bee6-bb8126cde579 Container registries should have exports disabled Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.ContainerRegistry/registries/policies.exportPolicy.status
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry dc921057-6b28-4fbe-9b83-f7bec05db6c2 Container registries should have local authentication methods disabled. Disabling local authentication methods improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerRegistry/registries/adminUserEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry bd560fc0-3c69-498a-ae9f-aa8eb7de0e13 Container registries should have SKUs that support Private Links Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerRegistry/registries/sku.name
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry d0793b48-0edc-4296-a390-4c75d1bdfd71 Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry e8eef0a8-67cf-4eb4-9386-14b0e78733d4 Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.ContainerRegistry/registries/privateEndpointConnections[*]
•Microsoft.ContainerRegistry/registries/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Container Registry Container Registry containerregistry_container-registry-admin-user-filter Enforce Admin User is disabled on all Container Registry instances This policy ensures Admin User is disabled on all Container Registry instances Fixed: deny IF (1)
•Microsoft.ContainerRegistry/registries/adminUserEnabled
IF (1)
•Microsoft.ContainerRegistry/registries
GA Community
Container Registry Container Registry 0fdf0491-d080-4575-b627-ad0e843cba0f Public network access should be disabled for Container registries Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerRegistry/registries/publicNetworkAccess
IF (1)
•Microsoft.ContainerRegistry/registries
GA BuiltIn
Cosmos DB Cosmos DB 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (4)
•Microsoft.DocumentDB/databaseAccounts/ipRangeFilter
•Microsoft.DocumentDB/databaseAccounts/ipRules
•Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled
•Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 1f905d99-2ab7-462c-a6b0-f709acca6c8f Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.DocumentDB/databaseAccounts/keyVaultKeyUri
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 0473574d-2d43-4217-aefe-941fcdf7e684 Azure Cosmos DB allowed locations This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. Default: deny
Allowed: (deny, audit, disabled)
IF (1)
•Microsoft.DocumentDB/databaseAccounts/Locations[*]
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 4750c32b-89c0-46af-bfcb-2e4541a818d5 Azure Cosmos DB key based metadata write access should be disabled This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. Fixed: append IF (1)
•Microsoft.DocumentDB/databaseAccounts/disableKeyBasedMetadataWriteAccess
THEN-Details (1)
•Microsoft.DocumentDB/databaseAccounts/disableKeyBasedMetadataWriteAccess
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 797b37f7-06b8-444c-b1ad-fc62867f335a Azure Cosmos DB should disable public network access Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf Azure Cosmos DB throughput should be limited This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. Default: deny
Allowed: (audit, deny, disabled)
IF (27)
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/options
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/options
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/options
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/options
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/options
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/options
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/options
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/options
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.throughput
•Microsoft.DocumentDB/databaseAccounts/tables/options
•Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.provisionedThroughputSettings
•Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.throughput
GA BuiltIn
Cosmos DB Cosmos DB dc2d41d1-4ab1-4666-a3e1-3d51c43e0049 Configure Cosmos DB database accounts to disable local authentication Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default: Modify
Allowed: (Modify, Disabled)
DocumentDB Account Contributor IF (1)
•Microsoft.DocumentDB/databaseAccounts/disableLocalAuth
THEN-Operations (1)
•Microsoft.DocumentDB/databaseAccounts/disableLocalAuth
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB da69ba51-aaf1-41e5-8651-607cd0b37088 Configure CosmosDB accounts to disable public network access Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Default: Modify
Allowed: (Modify, Disabled)
Contributor, DocumentDB Account Contributor IF (1)
•Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess
THEN-Operations (1)
•Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB a63cc0bd-cda4-4178-b705-37dc439d3e0f Configure CosmosDB accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Cosmos DB Cosmos DB b609e813-3156-4079-91fa-a8494c1471c4 Configure CosmosDB accounts with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your CosmosDB account, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor, DocumentDB Account Contributor THEN-ExistenceCondition (1)
•Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DocumentDB/databaseAccounts
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Cosmos DB Cosmos DB 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 Cosmos DB database accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DocumentDB/databaseAccounts/disableLocalAuth
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB 58440f8a-10c5-4151-bdce-dfbaad4a20b7 CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections[*]
•Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Cosmos DB Cosmos DB b5f04e03-92a3-4b09-9410-2cc5e5047656 Deploy Advanced Threat Protection for Cosmos DB Accounts This policy enables Advanced Threat Protection across Cosmos DB accounts. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin THEN-ExistenceCondition (1)
•Microsoft.Security/advancedThreatProtectionSettings/isEnabled
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA BuiltIn
Custom Provider Custom Provider c15c281f-ea5c-44cd-90b8-fc3c14d13f0c Deploy associations for a custom provider Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. Fixed: deployIfNotExists Contributor THEN-Deployment (1)
•Microsoft.Resources/deployments
GA BuiltIn
Data Box Data Box c349d81b-9985-44ae-a8da-ff98d108ede8 Azure Data Box jobs should enable double encryption for data at rest on the device Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.DataBox/jobs/details.preferences.encryptionPreferences.doubleEncryption
•Microsoft.Databox/jobs/sku.name
IF (1)
•Microsoft.DataBox/jobs
GA BuiltIn
Data Box Data Box 86efb160-8de7-451d-bc08-5d475b0aadae Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.DataBox/jobs/details.keyEncryptionKey.kekType
•Microsoft.Databox/jobs/sku.name
IF (1)
•Microsoft.DataBox/jobs
GA BuiltIn
Data Factory Data Factory 85bb39b5-2f66-49f8-9306-77da3ac5130f [Preview]: Azure Data Factory integration runtime should have a limit for number of cores To manage your resources and costs, limit the number of cores for an integration runtime. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.dataFlowProperties.coreCount
•Microsoft.DataFactory/factories/integrationruntimes/type
IF (1)
•Microsoft.DataFactory/factories/integrationRuntimes
Preview BuiltIn
Data Factory Data Factory 6809a3d0-d354-42fb-b955-783d207c62a8 [Preview]: Azure Data Factory linked service resource type should be in allow list Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DataFactory/factories/linkedservices/type
Preview BuiltIn
Data Factory Data Factory 127ef6d7-242f-43b3-9eef-947faf1725d0 [Preview]: Azure Data Factory linked services should use Key Vault for storing secrets To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (30)
•Microsoft.DataFactory/factories/linkedservices/AmazonMWS.typeProperties.mwsAuthToken.type
•Microsoft.DataFactory/factories/linkedservices/AmazonMWS.typeProperties.secretKey.type
•Microsoft.DataFactory/factories/linkedservices/AmazonS3.typeProperties.secretAccessKey.type
•Microsoft.DataFactory/factories/linkedservices/AzureBlobStorage.typeProperties.servicePrincipalKey
•Microsoft.DataFactory/factories/linkedservices/AzureBlobStorage.typeProperties.servicePrincipalKey.type
•Microsoft.DataFactory/factories/linkedservices/AzureSearch.typeProperties.key.type
•Microsoft.DataFactory/factories/linkedservices/AzureSqlDW.typeProperties.servicePrincipalKey.type
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.accountKey
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri.type
•Microsoft.DataFactory/factories/linkedservices/CosmosDb.typeProperties.accountKey.type
•Microsoft.DataFactory/factories/linkedservices/Dynamics.typeProperties.servicePrincipalCredential
•Microsoft.DataFactory/factories/linkedservices/Dynamics.typeProperties.servicePrincipalCredential.type
•Microsoft.DataFactory/factories/linkedservices/GoogleAdWords.typeProperties.developerToken.type
•Microsoft.DataFactory/factories/linkedservices/GoogleBigQuery.typeProperties.clientSecret.type
•Microsoft.DataFactory/factories/linkedservices/GoogleBigQuery.typeProperties.refreshToken.type
•Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken
•Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken.type
•Microsoft.DataFactory/factories/linkedservices/OData.typeProperties.servicePrincipalEmbeddedCert.type
•Microsoft.DataFactory/factories/linkedservices/OData.typeProperties.servicePrincipalEmbeddedCertPassword.type
•Microsoft.DataFactory/factories/linkedservices/Odbc.typeProperties.credential.type
•Microsoft.DataFactory/factories/linkedservices/Salesforce.typeProperties.securityToken.type
•Microsoft.DataFactory/factories/linkedservices/Sftp.typeProperties.passPhrase.type
•Microsoft.DataFactory/factories/linkedservices/Sftp.typeProperties.privateKeyContent.type
•Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password
•Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password.type
•Microsoft.DataFactory/factories/linkedservices/type
•Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString
•Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString.type
•Microsoft.DataFactory/factories/linkedservices/typeProperties.encryptedCredential
Preview BuiltIn
Data Factory Data Factory f78ccdb4-7bf4-4106-8647-270491d2978a [Preview]: Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (7)
•Microsoft.DataFactory/factories/linkedservices/AzureSqlDW.typeProperties.servicePrincipalKey
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.accountKey
•Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri
•Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken
•Microsoft.DataFactory/factories/linkedservices/type
•Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString
•Microsoft.DataFactory/factories/linkedservices/typeProperties.encryptedCredential
Preview BuiltIn
Data Factory Data Factory 77d40665-3120-4348-b539-3192ec808307 [Preview]: Azure Data Factory should use a Git repository for source control Enable source control on data factories, to gain capabilities such as change tracking, collaboration, continuous integration, and deployment. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DataFactory/factories/repoConfiguration.repositoryName
IF (1)
•Microsoft.DataFactory/factories
Preview BuiltIn
Data Factory Data Factory 4ec52d6d-beb7-40c4-9a9e-fe753254690e Azure data factories should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DataFactory/factories/encryption.vaultBaseUrl
IF (1)
•Microsoft.DataFactory/factories
GA BuiltIn
Data Factory Data Factory 8b0323be-cc25-4b61-935d-002c3798c6ea Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.DataFactory/factories/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DataFactory/factories
GA BuiltIn
Data Factory Data Factory 08b1442b-7789-4130-8506-4f99a97226a7 Configure Data Factories to disable public network access Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default: Modify
Allowed: (Modify, Disabled)
Data Factory Contributor IF (1)
•Microsoft.DataFactory/factories/publicNetworkAccess
THEN-Operations (1)
•Microsoft.DataFactory/factories/publicNetworkAccess
IF (1)
•Microsoft.DataFactory/factories
GA BuiltIn
Data Factory Data Factory 86cd96e1-1745-420d-94d4-d3f2fe415aa4 Configure private DNS zones for private endpoints that connect to Azure Data Factory Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Data Factory Data Factory 496ca26b-f669-4322-a1ad-06b7b5e41882 Configure private endpoints for Data factories Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Data Factory Contributor THEN-ExistenceCondition (1)
•Microsoft.DataFactory/factories/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.DataFactory/factories
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Data Factory Data Factory 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6 Public network access on Azure Data Factory should be disabled Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.DataFactory/factories/publicNetworkAccess
IF (1)
•Microsoft.DataFactory/factories
GA BuiltIn
Data Factory Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.vnetProperties.vnetId
•Microsoft.DataFactory/factories/integrationruntimes/type
IF (1)
•Microsoft.DataFactory/factories/integrationRuntimes
GA BuiltIn
Data Lake Data Lake a7ff3161-0087-490a-9ad9-ad6217f4f43a Require encryption on Data Lake Store accounts This policy ensures encryption is enabled on all Data Lake Store accounts Fixed: deny IF (1)
•Microsoft.DataLakeStore/accounts/encryptionState
IF (1)
•Microsoft.DataLakeStore/accounts
GA BuiltIn
Data Lake Data Lake 057ef27e-665e-4328-8ea3-04b3122bd9fb Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.DataLakeStore/accounts
GA BuiltIn
Data Lake Data Lake c95c74d9-38fe-4f0d-af86-0c7d626a315c Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.DataLakeAnalytics/accounts
GA BuiltIn
Databricks Databricks Deny-Databricks-VirtualNetwork Deny Databricks workspaces without Vnet injection Enforces the use of vnet injection for Databricks workspaces. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (3)
•Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value
•Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value
•Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value
IF (1)
•Microsoft.Databricks/workspaces
GA ESLZ
Databricks Databricks Deny-Databricks-Sku Deny non-premium Databricks sku Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.DataBricks/workspaces/sku.name
IF (1)
•Microsoft.Databricks/workspaces
GA ESLZ
Databricks Databricks Deny-Databricks-NoPublicIp Deny public IPs for Databricks cluster Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value
IF (1)
•Microsoft.Databricks/workspaces
GA ESLZ
DB for MySQL DB for MySQL dbformysql_db-for-mysql-ssl-enforce-filter Enforce SSL on all DB for MySQL instances This policy ensures SSL is enforced on all DB for MySQL instances Fixed: deny IF (1)
•Microsoft.DBforMySQL/servers/sslEnforcement
IF (1)
•Microsoft.DBforMySQL/servers
GA Community
DevTestLabs DevTestLabs aca94a15-a131-4a06-ab0e-89f57e28cc5c Allowed DevTestLabs Repo URL prefix Fixed: deny IF (1)
•Microsoft.DevTestLab/labs/artifactSources/uri
GA Community
Event Grid Event Grid f8f774be-6aee-492a-9e29-486ef81f3a68 Azure Event Grid domains should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/domains/publicNetworkAccess
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 8bfadddb-ee1c-4639-8911-a38cb8e0b3bd Azure Event Grid domains should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/domains/disableLocalAuth
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 9830b652-8523-49cc-b1b3-e17dce1127ca Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.EventGrid/domains/privateEndpointConnections[*]
•Microsoft.EventGrid/domains/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 8632b003-3545-4b29-85e6-b2b96773df1e Azure Event Grid partner namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/partnerNamespaces/disableLocalAuth
IF (1)
•Microsoft.EventGrid/partnerNamespaces
GA BuiltIn
Event Grid Event Grid 1adadefe-5f21-44f7-b931-a59b54ccdb45 Azure Event Grid topics should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/topics/publicNetworkAccess
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Grid Event Grid ae9fb87f-8a17-4428-94a4-8135d431055c Azure Event Grid topics should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/topics/disableLocalAuth
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Grid Event Grid 4b90e17e-8448-49db-875e-bd83fb6f804f Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.EventGrid/topics/privateEndpointConnections[*]
•Microsoft.EventGrid/topics/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Grid Event Grid 8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1 Configure Azure Event Grid domains to disable local authentication Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor IF (1)
•Microsoft.EventGrid/domains/disableLocalAuth
THEN-Operations (1)
•Microsoft.EventGrid/domains/disableLocalAuth
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 2dd0e8b9-4289-4bb0-b813-1883298e9924 Configure Azure Event Grid partner namespaces to disable local authentication Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor IF (1)
•Microsoft.EventGrid/partnerNamespaces/disableLocalAuth
THEN-Operations (1)
•Microsoft.EventGrid/partnerNamespaces/disableLocalAuth
IF (1)
•Microsoft.EventGrid/partnerNamespaces
GA BuiltIn
Event Grid Event Grid 1c8144d9-746a-4501-b08c-093c8d29ad04 Configure Azure Event Grid topics to disable local authentication Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor IF (1)
•Microsoft.EventGrid/topics/disableLocalAuth
THEN-Operations (1)
•Microsoft.EventGrid/topics/disableLocalAuth
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Grid Event Grid d389df0a-e0d7-4607-833c-75a6fdac2c2d Deploy - Configure Azure Event Grid domains to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. Default: deployIfNotExists
Allowed: (deployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Event Grid Event Grid 36f4658a-848a-467b-881c-e6fa20cf75fc Deploy - Configure Azure Event Grid domains with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, EventGrid Contributor THEN-ExistenceCondition (1)
•Microsoft.EventGrid/domains/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventGrid/domains
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Event Grid Event Grid baf19753-7502-405f-8745-370519b20483 Deploy - Configure Azure Event Grid topics to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. Default: deployIfNotExists
Allowed: (deployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Event Grid Event Grid 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca Deploy - Configure Azure Event Grid topics with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, EventGrid Contributor THEN-ExistenceCondition (1)
•Microsoft.EventGrid/topics/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventGrid/topics
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Event Grid Event Grid eventgrid_enforce-event-grid-sys-topic-handler-type-to-be-storage-account Enforce event grid system topic handler type to be storage account This policy enforce event grid system topic handler type to be storage account. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/systemTopics/eventSubscriptions/destination.endpointType
GA Community
Event Grid Event Grid eventgrid_enforce-event-grid-system-topic-source-type-be-storage-account Enforce event grid system topic source type to be storage account This policy enforce event grid system topic source type to be storage account. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventGrid/systemTopics/topicType
GA Community
Event Grid Event Grid 898e9824-104c-4965-8e0e-5197588fa5d4 Modify - Configure Azure Event Grid domains to disable public network access Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor IF (1)
•Microsoft.EventGrid/domains/publicNetworkAccess
THEN-Operations (1)
•Microsoft.EventGrid/domains/publicNetworkAccess
IF (1)
•Microsoft.EventGrid/domains
GA BuiltIn
Event Grid Event Grid 36ea4b4b-0f7f-4a54-89fa-ab18f555a172 Modify - Configure Azure Event Grid topics to disable public network access Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor IF (1)
•Microsoft.EventGrid/topics/publicNetworkAccess
THEN-Operations (1)
•Microsoft.EventGrid/topics/publicNetworkAccess
IF (1)
•Microsoft.EventGrid/topics
GA BuiltIn
Event Hub Event Hub b278e460-7cfc-4451-8294-cccc40a940d7 All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventHub/namespaces/authorizationRules
GA BuiltIn
Event Hub Event Hub f4826e5f-6a27-407c-ae3e-9582eb39891d Authorization rules on the Event Hub instance should be defined Audit existence of authorization rules on Event Hub entities to grant least-privileged access Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.EventHub/namespaces/eventhubs
THEN-Details (1)
•Microsoft.EventHub/namespaces/eventHubs/authorizationRules
GA BuiltIn
Event Hub Event Hub 5d4e3c65-4873-47be-94f3-6f8b953a3598 Azure Event Hub namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.EventHub/namespaces/disableLocalAuth
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub 57f35901-8389-40bb-ac49-3ba4f86d889d Configure Azure Event Hub namespaces to disable local authentication Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default: Modify
Allowed: (Modify, Disabled)
Azure Event Hubs Data Owner IF (1)
•Microsoft.EventHub/namespaces/disableLocalAuth
THEN-Operations (1)
•Microsoft.EventHub/namespaces/disableLocalAuth
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub ed66d4f5-8220-45dc-ab4a-20d1749c74e6 Configure Event Hub namespaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Event Hub Event Hub 91678b7c-d721-4fc5-b179-3cdf74e96b1c Configure Event Hub namespaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Azure Event Hubs Data Owner THEN-ExistenceCondition (1)
•Microsoft.EventHub/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventHub/namespaces
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Event Hub Event Hub 836cd60e-87f3-4e6a-a27c-29d687f01a4c Event Hub namespaces should have double encryption enabled Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.EventHub/namespaces/clusterArmId
•Microsoft.EventHub/namespaces/encryption.requireInfrastructureEncryption
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub a1ad735a-e96f-45d2-a7b2-9a4932cab7ec Event Hub namespaces should use a customer-managed key for encryption Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.EventHub/namespaces/clusterArmId
•Microsoft.EventHub/namespaces/encryption.keySource
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub b8564268-eb4a-4337-89be-a19db070c59d Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.EventHub/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Event Hub Event Hub 83a214f7-d01a-484b-91a9-ed54470c9a6a Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
General General c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 [Deprecated]: Allow resource creation only in Asia data centers Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West Fixed: Deny Deprecated BuiltIn
General General 94c19f19-8192-48cd-a11b-e37099d3e36b [Deprecated]: Allow resource creation only in European data centers Allows resource creation in the following locations only: North Europe, West Europe Fixed: Deny Deprecated BuiltIn
General General 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 [Deprecated]: Allow resource creation only in India data centers Allows resource creation in the following locations only: West India, South India, Central India Fixed: Deny Deprecated BuiltIn
General General 983211ba-f348-4758-983b-21fa29294869 [Deprecated]: Allow resource creation only in United States data centers Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US Fixed: Deny Deprecated BuiltIn
General General e56962a6-4747-49cd-b67b-bf8b01975c4c Allowed locations This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. Fixed: deny IF (1)
•Microsoft.AzureActiveDirectory/b2cDirectories
GA BuiltIn
General General e765b5de-1225-4ba3-bd56-1ac6695af988 Allowed locations for resource groups This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. Fixed: deny IF (1)
•Microsoft.Resources/subscriptions/resourceGroups
GA BuiltIn
General General a08ec900-254a-4555-9bf5-e42af04b5c5c Allowed resource types This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. Fixed: deny GA BuiltIn
General General 0a914e76-4921-4c19-b460-a2d36003525a Audit resource location matches resource group location Audit that the resource location matches its resource group location Fixed: audit GA BuiltIn
General General a451c1ef-c6ca-483d-87ed-f49761e3ffb5 Audit usage of custom RBAC rules Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.Authorization/roleDefinitions/type
IF (1)
•Microsoft.Authorization/roleDefinitions
GA BuiltIn
General General 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9 Custom subscription owner roles should not exist This policy ensures that no custom subscription owner roles exist. Default: Audit
Allowed: (Audit, Disabled)
IF (4)
•Microsoft.Authorization/roleDefinitions/assignableScopes[*]
•Microsoft.Authorization/roleDefinitions/permissions.actions[*]
•Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]
•Microsoft.Authorization/roleDefinitions/type
IF (1)
•Microsoft.Authorization/roleDefinitions
GA BuiltIn
General General 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 Not allowed resource types Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Guest Configuration Guest Configuration faf25c8c-9598-4305-b4de-0aee1317fb31 [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5fc23db3-dd4d-4c56-bcc7-43626243e601 [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
Deprecated BuiltIn
Guest Configuration Guest Configuration ec49586f-4939-402d-a29e-6ff502b20592 [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f19aa1c1-6b91-4c27-ae6a-970279f03db9 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 4d1c04de-2172-403f-901b-90608c35c721 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 3470477a-b35a-49db-aca5-1073d04524fe [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 884b209a-963b-4520-8006-d20cb3c213e0 [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7a031c68-d6ab-406e-a506-697a19c634b0 [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ec7ac234-2af5-4729-94d2-c557c071799d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f1f4825d-58fb-4257-8016-8c00e3c9ed9d [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 985285b7-b97a-419c-8d48-c88cc934c8d8 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 40917425-69db-4018-8dae-2a0556cef899 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e5b81f87-9185-4224-bf00-9f505e9f89f3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 498b810c-59cd-4222-9338-352ba146ccf3 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 6481cc21-ed6e-4480-99dd-ea7c5222e897 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 3750712b-43d0-478e-9966-d2c26f6141b9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration bbcdd8fa-b600-4ee3-85b8-d184e3339652 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 86880e5c-df35-43c5-95ad-7e120635775e [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f56a3ab2-89d1-44de-ac0d-2ada5962e22a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 36e17963-7202-494a-80c3-f508211c826b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 1f8c20ce-3414-4496-8b26-0e902a1541da [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 12ae2d24-3805-4b37-9fa9-465968bfbcfa [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 437a1f8f-8552-47a8-8b12-a2fee3269dd5 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e425e402-a050-45e5-b010-bd3f934589fc [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e3d95ab7-f47a-49d8-a347-784177b6c94c [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c1e289c0-ffad-475d-a924-adc058765d65 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 0a9991e6-21be-49f9-8916-a06d934bcf29 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 42a07bbf-ffcf-459a-b4b1-30ecd118a505 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c04255ee-1b9f-42c1-abaa-bf1553f79930 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 8e170edb-e0f5-497a-bb36-48b3280cec6a [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 97b595c8-fd10-400e-8543-28e2b9138b13 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ce2370f6-0ac5-4d85-8ab4-10721cc640b0 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f8b0158d-4766-490f-bea0-259e52dba473 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 815dcc9f-6662-43f2-9a03-1b83e9876f24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7040a231-fb65-4412-8c0a-b365f4866c24 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 909c958d-1b99-4c74-b88f-46a5c5bc34f9 [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 144f1397-32f9-4598-8c88-118decc3ccba [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 93507a81-10a4-4af0-9ee2-34cf25a96e98 [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration b821191b-3a12-44bc-9c38-212138a29ff3 [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration d38b4c26-9d2e-47d7-aefe-18d859a8706a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 68511db2-bd02-41c4-ae6b-1900a012968a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5bb36dda-8a78-4df9-affd-4f05a8612a8a [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 32b1e4d4-6cd5-47b4-a935-169da8a5c262 [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 726671ac-c4de-4908-8c7d-6043ae62e3b6 [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 315c850a-272d-4502-8935-b79010405970 [Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c21f7060-c148-41cf-a68b-0ab3e14c764c [Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 106ccbe4-a791-4f33-a44a-06796944b8d5 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 356a906e-05e5-4625-8729-90771e0ee934 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 16390df4-2f73-4b42-af13-c801066763df [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 12f7e5d0-42a7-4630-80d8-54fb7cff9bd6 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e0efc13a-122a-47c5-b817-2ccfe5d12615 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 90ba2ee7-4ca8-4673-84d1-c851c50d3baf [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 23020aa6-1135-4be2-bae2-149982b06eca [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 8ff0b18b-262e-4512-857a-48ad0aeb9a78 [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f4b245d4-46c9-42be-9b1a-49e2b5b94194 [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f0633351-c7b2-41ff-9981-508fc08553c2 [Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c96f3246-4382-4264-bf6b-af0b35e23c3c [Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration b2fc8f91-866d-4434-9089-5ebfe38d6fd8 [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
•Microsoft.hybridcompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
Deprecated BuiltIn
Guest Configuration Guest Configuration 0ecd903d-91e7-4726-83d3-a229d7f2e293 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachines/extensions
Deprecated BuiltIn
Guest Configuration Guest Configuration 2d67222d-05fd-4526-a171-2ee132ad9e83 [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration b18175dd-c599-4c64-83ba-bb018a06d35b [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration fee5cb2b-9d9b-410e-afe3-2902d90d0004 [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c40c9087-1981-4e73-9f53-39743eda9d05 [Deprecated]: Show audit results from Linux VMs that have accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 [Deprecated]: Show audit results from Linux VMs that have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration d7ccd0ca-8d78-42af-a43d-6b7f928accbc [Deprecated]: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 87b590fe-4a1d-4697-ae74-d4fe72ab786c [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 97646672-5efa-4622-9b54-740270ad60bf [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7229bd6a-693d-478a-87f0-1dc1af06f3b8 [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration a1e8dda3-9fd2-4835-aec3-0e55531fde33 [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration b872a447-cc6f-43b9-bccf-45703cd81607 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 21e2995e-683e-497a-9e81-2f42ad07050a [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c8abcef9-fc26-482f-b8db-5fa60ee4586d [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration fcbc55c9-f25a-4e55-a6cb-33acb3be778b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 30040dab-4e75-4456-8273-14b8f75d91d9 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5c028d2a-1889-45f6-b821-31f42711ced8 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ba12366f-f9a6-42b8-9d98-157d0b1a837b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration e3a77a94-cf41-4ee8-b45c-98be28841c03 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 620e58b5-ac75-49b4-993f-a9d4f0459636 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 8a39d1f1-5513-4628-b261-f469a5a3341b [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 29829ec2-489d-4925-81b7-bda06b1718e0 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration ddb53c61-9db4-41d4-a953-2abff5b66c12 [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration bc87d811-4a9b-47cc-ae54-0a41abda7768 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 225e937e-d32e-4713-ab74-13ce95b3519a [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration a9a33475-481d-4b81-9116-0bf02ffe67e8 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration b3802d79-dd88-4bce-b81d-780218e48280 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 60aeaf73-a074-417a-905f-7ce9df0ff77b [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration dd4680ed-0559-4a6a-ad10-081d14cbb484 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7066131b-61a6-4917-a7e4-72e8983f0aa6 [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c961dac9-5916-42e8-8fb1-703148323994 [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 9178b430-2295-406e-bb28-f6a7a2a2f897 [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 8bbd627e-4d25-4906-9a6e-3789780af3ec [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration bde62c94-ccca-4821-a815-92c1d31a76de [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f3b44e5d-1456-475f-9c67-c66c4618e85a [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration cc7cda28-f867-4311-8497-a526129a8d19 [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7227ebe5-9ff7-47ab-b823-171cd02fb90f [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration a030a57e-4639-4e8f-ade9-a92f33afe7ee [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 02a84be7-c304-421f-9bb7-5d2c26af54ad [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a [Deprecated]: Show audit results from Windows VMs on which the specified services are not installed and 'Running' This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 0d9b45ff-9ddd-43fc-bf59-fbd1c8423053 [Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration cdbf72d9-ac9c-4026-8a3a-491a5ac59293 [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration a29ee95c-0395-4515-9851-cc04ffe82a91 [Deprecated]: Show audit results from Windows VMs that are not joined to the specified domain This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 9f658460-46b7-43af-8565-94fc0662be38 [Deprecated]: Show audit results from Windows VMs that are not set to the specified time zone This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 9328f27e-611e-44a7-a244-39109d7d35ab [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f3b9ad83-000d-4dc1-bff0-6d54533dd03f [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 24dde96d-f0b1-425e-884f-4a1421e2dcdc [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5aa11bbc-5c76-4302-80e5-aba46a4282e7 [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f48b2913-1dc5-4834-8c72-ccc1dfd819bb [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5e393799-e3ca-4e43-a9a5-0ec4648a57d9 [Deprecated]: Show audit results from Windows VMs that do not have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration f8036bd0-c10b-4931-86bb-94a878add855 [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 16f9b37c-4408-4c30-bc17-254958f2e2d6 [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 5aebc8d1-020d-4037-89a0-02043a7524ec [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 2d60d3b7-aa10-454c-88a8-de39d99d17c6 [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7e84ba44-6d03-46fd-950e-5efa5a1112fa [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 7e56b49b-5990-4159-a734-511ea19b731c [Deprecated]: Show audit results from Windows VMs that have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 8b0de57a-f511-4d45-a277-17cb79cb163b [Deprecated]: Show audit results from Windows VMs with a pending reboot This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 60ffe3e2-4604-4460-8f22-0f1da058266c [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
Deprecated BuiltIn
Guest Configuration Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Guest Configuration Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modify Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Guest Configuration Guest Configuration ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration e6955644-301c-44b5-a4c4-528577de6861 Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration d3b823c9-e0fc-4453-9fb2-8213b7338523 Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 Audit Windows machines missing any of specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 630ac30f-a234-4533-ac2d-e0df77acda51 Audit Windows machines network connectivity Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd Audit Windows machines on which the DSC configuration is not compliant Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 6265018c-d7e2-432f-a75d-094d5f6f4465 Audit Windows machines on which the Log Analytics agent is not connected as expected Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration e6ebf138-3d71-4935-a13b-9c7fdddd94df Audit Windows machines on which the specified services are not installed and 'Running' Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 58c460e9-7573-4bb2-9676-339c2f2486bb Audit Windows machines on which Windows Serial Console is not enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 5b054a0d-39e2-4d53-bea3-9734cad2c69b Audit Windows machines that allow re-use of the previous 24 passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 84662df4-0e37-44a6-9ce1-c9d2150db18c Audit Windows machines that are not joined to the specified domain Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration c633f6a2-7f8b-4d9e-9456-02f0f04f5505 Audit Windows machines that are not set to the specified time zone Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 1417908b-4bff-46ee-a2a6-4acc899320ab Audit Windows machines that contain certificates expiring within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 934345e1-4dfb-4c70-90d7-41990dc9608b Audit Windows machines that do not contain the specified certificates in Trusted Root Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 4ceb8dc2-559c-478b-a15b-733fbf1e3738 Audit Windows machines that do not have a maximum password age of 70 days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 237b38db-ca4d-4259-9e47-7882441ca2c0 Audit Windows machines that do not have a minimum password age of 1 day Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration bf16e0bb-31e1-4646-8202-60a235cc7e74 Audit Windows machines that do not have the password complexity setting enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration c648fbbb-591c-4acd-b465-ce9b176ca173 Audit Windows machines that do not have the specified Windows PowerShell execution policy Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (7)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.ConnectedVMwarevSphere/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 Audit Windows machines that do not have the specified Windows PowerShell modules installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Audit Windows machines that do not restrict the minimum password length to 14 characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration da0f98fe-a24b-4ad5-af69-bd0400233661 Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration ebb67efd-3c46-49b0-adfe-5599eb944998 Audit Windows machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 Audit Windows machines that have extra accounts in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration beb6ccee-b6b8-4e91-9801-a5fa4260a104 Audit Windows machines that have not restarted within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration c5b85cba-6e6f-4de4-95e1-f0233cd712ac Audit Windows machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f Audit Windows machines that have the specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 4221adbc-5c0f-474f-88b7-037a99e6114c Audit Windows VMs with a pending reboot Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. Fixed: auditIfNotExists IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 6141c932-9384-44c6-a395-59e4c057d7c9 Configure time zone on Windows machines. This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. Fixed: deployIfNotExists Contributor IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
THEN-Deployment (2)
•Microsoft.Compute/virtualMachines
•Microsoft.hybridcompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Guest Configuration Guest Configuration 385f5831-96d4-41db-9a3c-cd3af78aaae6 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExists Contributor IF (5)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Guest Configuration Guest Configuration Deploy-Windows-DomainJoin Deploy Windows Domain Join Extension with keyvault configuration Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA ESLZ
Guest Configuration Guest Configuration 1e7fed80-8321-4605-b42c-65fc300f23a3 Linux machines should have Log Analytics agent installed on Azure Arc Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 73db37c4-f180-4b0f-ab2c-8ee96467686b Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 480d0f91-30af-4a76-9afb-f5710ac52b09 Private endpoints for Guest Configuration assignments should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.GuestConfiguration/guestConfigurationAssignments
GA BuiltIn
Guest Configuration Guest Configuration bed48b13-6647-468e-aa2f-1af1d3f4dd40 Windows Defender Exploit Guard should be enabled on your machines Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 4078e558-bda6-41fb-9b3c-361e8875200d Windows machines should have Log Analytics agent installed on Azure Arc Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (1)
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 3aa2661b-02d7-4ba6-99bc-dc36b10489fd Windows machines should meet requirements for 'Administrative Templates - Control Panel' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration e0a7e899-2ce2-4253-8a13-d808fdeb75af Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 67e010c1-640d-438e-a3a5-feaccb533a98 Windows machines should meet requirements for 'Administrative Templates - Network' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 968410dc-5ca0-4518-8a5b-7b55f0530ea9 Windows machines should meet requirements for 'Administrative Templates - System' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration ee984370-154a-4ee8-9726-19d900e56fc0 Windows machines should meet requirements for 'Security Options - Accounts' Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 33936777-f2ac-45aa-82ec-07958ec9ade4 Windows machines should meet requirements for 'Security Options - Audit' Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 8794ff4f-1a35-4e18-938f-0b22055067cd Windows machines should meet requirements for 'Security Options - Devices' Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration d472d2c9-d6a3-4500-9f5f-b15f123005aa Windows machines should meet requirements for 'Security Options - Interactive Logon' Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration d6c69680-54f0-4349-af10-94dd05f4225e Windows machines should meet requirements for 'Security Options - Microsoft Network Client' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration caf2d518-f029-4f6b-833b-d7081702f253 Windows machines should meet requirements for 'Security Options - Microsoft Network Server' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd Windows machines should meet requirements for 'Security Options - Network Access' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 1221c620-d201-468c-81e7-2817e6107e84 Windows machines should meet requirements for 'Security Options - Network Security' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 Windows machines should meet requirements for 'Security Options - Recovery console' Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration b4a4d1eb-0263-441b-84cb-a44073d8372d Windows machines should meet requirements for 'Security Options - Shutdown' Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 2f262ace-812a-4fd0-b731-b38ba9e9708d Windows machines should meet requirements for 'Security Options - System objects' Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 12017595-5a75-4bb1-9d97-4c2c939ea3c3 Windows machines should meet requirements for 'Security Options - System settings' Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 492a29ed-d143-4f03-b6a4-705ce081b463 Windows machines should meet requirements for 'Security Options - User Account Control' Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration f2143251-70de-4e81-87a8-36cee5a2f29d Windows machines should meet requirements for 'Security Settings - Account Policies' Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 Windows machines should meet requirements for 'System Audit Policies - Account Logon' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 94d9aca8-3757-46df-aa51-f218c5f11954 Windows machines should meet requirements for 'System Audit Policies - Account Management' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 58383b73-94a9-4414-b382-4146eb02611b Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 19be9779-c776-4dfa-8a15-a2fd5dc843d6 Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 35781875-8026-4628-b19b-f6efb4d88a1d Windows machines should meet requirements for 'System Audit Policies - Object Access' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 2a7a701e-dff3-4da9-9ec5-42cb98594c0b Windows machines should meet requirements for 'System Audit Policies - Policy Change' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 87845465-c458-45f3-af66-dcd62176f397 Windows machines should meet requirements for 'System Audit Policies - Privilege Use' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 8316fa92-d69c-4810-8124-62414f560dcf Windows machines should meet requirements for 'System Audit Policies - System' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration e068b215-0026-4354-b347-8fb2766f73a2 Windows machines should meet requirements for 'User Rights Assignment' Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 8537fe96-8cbe-43de-b0ef-131bc72bc22a Windows machines should meet requirements for 'Windows Components' Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 35d9882c-993d-44e6-87d2-db66ce21b636 Windows machines should meet requirements for 'Windows Firewall Properties' Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc Windows machines should meet requirements of the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (1)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration f79fef0d-0050-4c18-a303-5babb9c14ac7 Windows machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
Guest Configuration Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Windows web servers should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (6)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
•Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration
•Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (2)
•Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus
•Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.HybridCompute/machines
GA BuiltIn
HDInsight HDInsight b0ab5b05-1c98-40f7-bb9e-dc568e41b501 Azure HDInsight clusters should be injected into a virtual network Injecting Azure HDInsight clusters in a virtual network unlocks advanced HDInsight networking and security features and provides you with control over your network security configuration. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (3)
•Microsoft.HDInsight/clusters/computeProfile.roles[*]
•Microsoft.HDInsight/clusters/computeProfile.roles[*].virtualNetworkProfile.id
•Microsoft.HDInsight/clusters/computeProfile.roles[*].virtualNetworkProfile.subnet
IF (1)
•Microsoft.HDInsight/clusters
GA BuiltIn
HDInsight HDInsight 64d314f6-6062-4780-a861-c23e8951bee5 Azure HDInsight clusters should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.HDInsight/clusters/diskEncryptionProperties.keyName
IF (1)
•Microsoft.HDInsight/clusters
GA BuiltIn
HDInsight HDInsight 1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6 Azure HDInsight clusters should use encryption at host to encrypt data at rest Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.HDInsight/clusters/diskEncryptionProperties.encryptionAtHost
IF (1)
•Microsoft.HDInsight/clusters
GA BuiltIn
HDInsight HDInsight d9da03a1-f3c3-412a-9709-947156872263 Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.HDInsight/clusters/encryptionInTransitProperties.isEncryptionInTransitEnabled
IF (1)
•Microsoft.HDInsight/clusters
GA BuiltIn
HDInsight HDInsight c8cc2f85-e019-4065-9fa3-5e6a2b2dde56 Azure HDInsight should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.HDInsight/clusters/networkProperties.privateLink
THEN-ExistenceCondition (1)
•Microsoft.HDInsight/clusters/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HDInsight/clusters
GA BuiltIn
HDInsight HDInsight 43d6e3bd-fc6a-4b44-8b4d-2151d8736a11 Configure Azure HDInsight clusters to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://aka.ms/hdi.pl. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.HDInsight/clusters
•Microsoft.Network/privateEndpoints
GA BuiltIn
HDInsight HDInsight 2676090a-4baf-46ac-9085-4ac02cc50e3e Configure Azure HDInsight clusters with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (1)
•Microsoft.HDInsight/clusters/networkProperties.privateLink
THEN-ExistenceCondition (1)
•Microsoft.HDInsight/clusters/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.HDInsight/clusters
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Healthcare APIs Healthcare APIs fe1c9040-c46a-4e81-9aea-c7850fbb3aa6 CORS should not allow every domain to access your FHIR Service Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. Default: audit
Allowed: (audit, disabled)
IF (1)
•Microsoft.HealthcareApis/workspaces/fhirservices/corsConfiguration.origins[*]
IF (1)
•Microsoft.HealthcareApis/workspaces/fhirservices
GA BuiltIn
Internet of Things Internet of Things 2d7e144b-159c-44fc-95c1-ac3dbf5e6e54 [Preview]: Azure IoT Hub should use customer-managed key to encrypt data at rest Encryption of data at rest in IoT Hub with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Customer-managed keys must be configured during creation of IoT Hub. For more information on how to configure customer-managed keys, see https://aka.ms/iotcmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Devices/IotHubs/encryption.keyVaultProperties[*]
•Microsoft.Devices/IotHubs/encryption.keyVaultProperties[*].keyIdentifier
IF (1)
•Microsoft.Devices/IotHubs
Preview BuiltIn
Internet of Things Internet of Things 47031206-ce96-41f8-861b-6a915f3de284 [Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Devices/provisioningServices/encryption.keyVaultProperties[*]
•Microsoft.Devices/provisioningServices/encryption.keyVaultProperties[*].keyIdentifier
IF (1)
•Microsoft.Devices/provisioningServices
Preview BuiltIn
Internet of Things Internet of Things 27d4c5ec-8820-443f-91fe-1215e96f64b2 Azure Device Update for IoT Hub accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Device Update for IoT Hub accounts, data leakage risks are reduced. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (3)
•Microsoft.DeviceUpdate/accounts/privateEndpointConnections/privateEndpoint
•Microsoft.DeviceUpdate/accounts/privateEndpointConnections/privateLinkServiceConnectionState.status
•Microsoft.DeviceUpdate/accounts/privateEndpointConnections/provisioningState
IF (1)
•Microsoft.DeviceUpdate/accounts
GA BuiltIn
Internet of Things Internet of Things 672d56b3-23a7-4a3c-a233-b77ed7777518 Azure IoT Hub should have local authentication methods disabled for Service Apis Disabling local authentication methods improves security by ensuring that Azure IoT Hub exclusively require Azure Active Directory identities for Service Api authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Devices/IotHubs/disableLocalAuth
IF (1)
•Microsoft.Devices/IotHubs
GA BuiltIn
Internet of Things Internet of Things 9f8ba900-a70f-486e-9ffc-faf907305376 Configure Azure IoT Hub to disable local authentication Disable local authentication methods so that your Azure IoT Hub exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.Devices/IotHubs/disableLocalAuth
THEN-Operations (1)
•Microsoft.Devices/IotHubs/disableLocalAuth
IF (1)
•Microsoft.Devices/IotHubs
GA BuiltIn
Internet of Things Internet of Things aaa64d2d-2fa3-45e5-b332-0b031b9b30e8 Configure IoT Hub device provisioning instances to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://aka.ms/iotdpsvnet. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Internet of Things Internet of Things 859dfc91-ea35-43a6-8256-31271c363794 Configure IoT Hub device provisioning service instances to disable public network access Disable public network access for your IoT Hub device provisioning instance so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/iotdpsvnet. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.Devices/provisioningServices/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Devices/provisioningServices/publicNetworkAccess
IF (1)
•Microsoft.Devices/provisioningServices
GA BuiltIn
Internet of Things Internet of Things 9b75ea5b-c796-4c99-aaaf-21c204daac43 Configure IoT Hub device provisioning service instances with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to IoT Hub device provisioning service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/iotdpsvnet. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (2)
•Microsoft.Devices/provisioningServices/privateEndpointConnections[*]
•Microsoft.Devices/provisioningServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Devices/provisioningServices
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Internet of Things Internet of Things c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02 Deploy - Configure Azure IoT Hubs to use private DNS zones Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. Default: deployIfNotExists
Allowed: (deployIfNotExists, disabled)
Network Contributor, Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Internet of Things Internet of Things bf684997-3909-404e-929c-d4a38ed23b2e Deploy - Configure Azure IoT Hubs with private endpoints A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Contributor THEN-ExistenceCondition (1)
•Microsoft.Devices/IotHubs/PrivateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Devices/IotHubs
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Internet of Things Internet of Things d82101f3-f3ce-4fc5-8708-4c09f4009546 IoT Hub device provisioning service instances should disable public network access Disabling public network access improves security by ensuring that IoT Hub device provisioning service instance isn't exposed on the public internet. Creating private endpoints can limit exposure of the IoT Hub device provisioning instances. Learn more at: https://aka.ms/iotdpsvnet. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Devices/provisioningServices/publicNetworkAccess
IF (1)
•Microsoft.Devices/provisioningServices
GA BuiltIn
Internet of Things Internet of Things df39c015-56a4-45de-b4a3-efe77bed320d IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.Devices/provisioningServices/privateEndpointConnections[*]
•Microsoft.Devices/provisioningServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Devices/provisioningServices
GA BuiltIn
Internet of Things Internet of Things 114eec6e-5e59-4bad-999d-6eceeb39d582 Modify - Configure Azure IoT Hubs to disable public network access Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.Devices/IotHubs/publicNetworkAccess
THEN-Operations (1)
•Microsoft.Devices/IotHubs/publicNetworkAccess
IF (1)
•Microsoft.Devices/IotHubs
GA BuiltIn
Internet of Things Internet of Things 0d40b058-9f95-4a19-93e3-9b0330baa2a3 Private endpoint should be enabled for IoT Hub Private endpoint connections enforce secure communication by enabling private connectivity to IoT Hub. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.Devices/IotHubs/privateEndpointConnections[*]
•Microsoft.Devices/IotHubs/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Devices/IotHubs
GA BuiltIn
Internet of Things Internet of Things 2d6830fb-07eb-48e7-8c4d-2a442b35f0fb Public network access on Azure IoT Hub should be disabled Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Devices/IotHubs/publicNetworkAccess
IF (1)
•Microsoft.Devices/IotHubs
GA BuiltIn
Internet of Things Internet of Things 383856f8-de7f-44a2-81fc-e5135b5c2aa4 Resource logs in IoT Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (4)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
IF (1)
•Microsoft.Devices/IotHubs
GA BuiltIn
Key Vault Key Vault 19ea9d63-adee-4431-a95e-1913c6c1c75f [Preview]: Azure Key Vault Managed HSM should disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.KeyVault/managedHSMs/createMode
•Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction
IF (1)
•Microsoft.KeyVault/managedHSMs
Preview BuiltIn
Key Vault Key Vault 59fee2f4-d439-4f1b-9b9a-982e1474bfd8 [Preview]: Azure Key Vault Managed HSM should use private link Private link provides a way to connect Azure Key Vault Managed HSM to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link Default: Audit
Allowed: (Audit, Disabled)
IF (3)
•Microsoft.KeyVault/managedHSMs/privateEndpointConnections
•Microsoft.KeyVault/managedHSMs/privateEndpointConnections[*]
•Microsoft.KeyVault/managedHSMs/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.KeyVault/managedHSMs
Preview BuiltIn
Key Vault Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 [Preview]: Azure Key Vault should disable public network access Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.KeyVault/vaults/createMode
•Microsoft.KeyVault/vaults/networkAcls.defaultAction
IF (1)
•Microsoft.KeyVault/vaults
Preview BuiltIn
Key Vault Key Vault a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 [Preview]: Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.KeyVault/vaults/privateEndpointConnections[*]
•Microsoft.KeyVault/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.KeyVault/vaults
Preview BuiltIn
Key Vault Key Vault 0a075868-4c26-42ef-914c-5bc007359560 [Preview]: Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. Default: audit
Allowed: (audit, deny, disabled)
Preview BuiltIn
Key Vault Key Vault f772fb64-8e40-40ad-87bc-7706e1949427 [Preview]: Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default: audit
Allowed: (audit, deny, disabled)
Preview BuiltIn
Key Vault Key Vault 84d327c3-164a-4685-b453-900478614456 [Preview]: Configure Azure Key Vault Managed HSM to disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. Default: Modify
Allowed: (Modify, Disabled)
Managed HSM contributor IF (1)
•Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction
THEN-Operations (1)
•Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction
IF (1)
•Microsoft.KeyVault/managedHSMs
Preview BuiltIn
Key Vault Key Vault d1d6d8bb-cc7c-420f-8c7d-6f6f5279a844 [Preview]: Configure Azure Key Vault Managed HSM with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Key Vault Managed HSM, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Managed HSM contributor THEN-ExistenceCondition (1)
•Microsoft.KeyVault/managedHSMs/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.KeyVault/managedHSMs
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
Preview BuiltIn
Key Vault Key Vault ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 [Preview]: Configure Azure Key Vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
Preview BuiltIn
Key Vault Key Vault 9d4fad1f-5189-4a42-b29e-cf7929c6b6df [Preview]: Configure Azure Key Vaults with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Key Vault Contributor THEN-ExistenceCondition (1)
•Microsoft.KeyVault/vaults/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.KeyVault/vaults
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
Preview BuiltIn
Key Vault Key Vault ac673a9a-f77d-4846-b2d8-a57f8e1c01dc [Preview]: Configure key vaults to disable public network access Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. Default: Modify
Allowed: (Modify, Disabled)
Key Vault Contributor IF (1)
•Microsoft.KeyVault/vaults/networkAcls.defaultAction
THEN-Operations (1)
•Microsoft.KeyVault/vaults/networkAcls.defaultAction
IF (1)
•Microsoft.KeyVault/vaults
Preview BuiltIn
Key Vault Key Vault 5f0bc445-3935-4915-9981-011aa2b46147 [Preview]: Private endpoint should be configured for Key Vault Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.KeyVault/vaults/privateEndpointConnections
IF (1)
•Microsoft.KeyVault/vaults
Preview BuiltIn
Key Vault Key Vault c39ba22d-4428-4149-b981-70acb31fc383 Azure Key Vault Managed HSM should have purge protection enabled Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.KeyVault/managedHsms/enablePurgeProtection
•Microsoft.KeyVault/managedHsms/enableSoftDelete
IF (1)
•Microsoft.KeyVault/managedHsms
GA BuiltIn
Key Vault Key Vault 8e826246-c976-48f6-b03e-619bb92b3d82 Certificates should be issued by the specified integrated certificate authority Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. Default: audit
Allowed: (audit, deny, disabled)
GA BuiltIn
Key Vault Key Vault a22f4a40-01d3-4c7d-8071-da157eeff341 Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. Default: audit
Allowed: (audit, deny, disabled)
GA BuiltIn
Key Vault Key Vault 12ef42cb-9903-4e39-9c26-422d29570417 Certificates should have the specified lifetime action triggers Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. Default: audit
Allowed: (audit, deny, disabled)
GA BuiltIn
Key Vault Key Vault 1151cede-290b-4ba0-8b38-0ad145ac888f Certificates should use allowed key types Manage your organizational compliance requirements by restricting the key types allowed for certificates. Default: audit
Allowed: (audit, deny, disabled)
GA BuiltIn
Key Vault Key Vault bd78111f-4953-4367-9fd5-7e08808b54bf Certificates using elliptic curve cryptography should have allowed curve names Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. Default: audit
Allowed: (audit, deny, disabled)
GA BuiltIn
Key Vault Key Vault cee51871-e572-4576-855c-047c820360f0 Certificates using RSA cryptography should have the specified minimum key size Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. Default: audit
Allowed: (audit, deny, disabled)
GA BuiltIn
Key Vault Key Vault keyvault_deny-access-policies-with-certificate-authorities-roles Deny creation of access policies with certificate authorities roles This policy prevent creation of key vault access policies with certificate authorities roles. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Key Vault Key Vault keyvault_deny-deployment-with-access-to-specific-services-(vm,-arm,-ade) Deny deployment with access to specific services (VM, ARM, ADE) This policy prevent specific services (VM, ARM, ADE) access to kv. Default: audit
Allowed: (audit, deny, disabled)
GA Community
Key Vault Key Vault keyvault_deny-deployment-with-azure-rbac-enabled Deny deployment with Azure RBAC enabled This policy deny deployment with Azure RBAC enabled. Default: audit
Allowed: (audit, deny, disabled)
GA Community
Key Vault Key Vault 951af2fa-529b-416e-ab6e-066fd85ac459 Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault a6d2c800-5230-4a40-bff3-8268b4987d42 Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Event Hub when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.KeyVault/managedHsms
GA BuiltIn
Key Vault Key Vault ed7c8c13-51e7-49d1-8a43-8490431a0da2 Deploy Diagnostic Settings for Key Vault to Event Hub Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated. Fixed: deployIfNotExists Contributor THEN-ExistenceCondition (4)
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].enabled
•Microsoft.Insights/diagnosticSettings/metrics[*]
•Microsoft.Insights/diagnosticSettings/metrics[*].enabled
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault keyvault_deploy-soft-delete-and-purge-protection Enable soft-delete and purge protection on Key Vaults This Policy will enable soft-delete and purge protection on all Key Vaults. Fixed: DeployIfNotExists Key Vault Contributor IF (2)
•Microsoft.KeyVault/vaults/enablePurgeProtection
•Microsoft.KeyVault/vaults/enableSoftDelete
THEN-ExistenceCondition (2)
•Microsoft.KeyVault/vaults/enablePurgeProtection
•Microsoft.KeyVault/vaults/enableSoftDelete
IF (1)
•Microsoft.KeyVault/vaults
THEN-Deployment (1)
•Microsoft.KeyVault/vaults
GA Community
Key Vault Key Vault keyvault_enforce-key-vault-firewall-blocking-public-access Enforce key vault firewall blocking public access This policy prevents setting key vault public firewall as allow all or have any vnet/ip rules. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Key Vault Key Vault keyvault_enforce-key-vault-premium-sku Enforce key vault premium SKU This policy enforces premium sku for key vaults. Default: Deny
Allowed: (Deny, Audit, Disabled)
IF (1)
•Microsoft.KeyVault/Vaults/sku.name
GA Community
Key Vault Key Vault key-vault-firewall-settings-v1 Key vault - Firewall Settings DENY v1 This Azure Policy denies the deployment of an Azure Key Vault when the 'Allow access from' setting is not set to 'Private endpoints and selected networks' or when the Firewall does contain any IP addresses outside of the approved ones. Fixed: Deny IF (2)
•Microsoft.KeyVault/vaults/networkAcls.defaultAction
•Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value
IF (1)
•Microsoft.KeyVault/vaults
GA Community
Key Vault Key Vault 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 Key Vault keys should have an expiration date Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 98728c90-32c7-4049-8429-847dc0f4fe37 Key Vault secrets should have an expiration date Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key vaults should have purge protection enabled Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (3)
•Microsoft.KeyVault/vaults/createMode
•Microsoft.KeyVault/vaults/enablePurgeProtection
•Microsoft.KeyVault/vaults/enableSoftDelete
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d Key vaults should have soft delete enabled Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.KeyVault/vaults/createMode
•Microsoft.KeyVault/vaults/enableSoftDelete
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault 587c79fe-dd04-4a5e-9d0b-f89598c7261b Keys should be backed by a hardware security module (HSM) An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 75c4f823-d65c-4f29-a733-01d0077fdbcb Keys should be the specified cryptographic type RSA or EC Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 5ff38825-c5d8-47c5-b70e-069a21955146 Keys should have more than the specified number of days before expiration If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 49a22571-d204-4c91-a7b6-09b1a586fbc9 Keys should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 Keys should not be active for longer than the specified number of days Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault ff25f3c8-b739-4538-9d07-3d6d25cfb255 Keys using elliptic curve cryptography should have the specified curve names Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 82067dbb-e53b-4e06-b631-546d197452d9 Keys using RSA cryptography should have a specified minimum key size Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault Append-KV-SoftDelete KeyVault SoftDelete should be enabled This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added. Fixed: append IF (1)
•Microsoft.KeyVault/vaults/enableSoftDelete
THEN-Details (1)
•Microsoft.KeyVault/vaults/enableSoftDelete
IF (1)
•Microsoft.KeyVault/vaults
GA ESLZ
Key Vault Key Vault keyvault_prevent-key-vault-access-to-trusted-services Prevent key vault access to trusted services This policy prevents key vault access to trusted services. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Key Vault Key Vault a2a5b911-5617-447e-a49e-59dbe0e0434b Resource logs in Azure Key Vault Managed HSM should be enabled To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.KeyVault/managedHsms
GA BuiltIn
Key Vault Key Vault cf820ca0-f99e-4f3e-84fb-66e913812d21 Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.KeyVault/vaults
GA BuiltIn
Key Vault Key Vault 75262d3e-ba4a-4f43-85f8-9f72c090e5e3 Secrets should have content type set A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault b0eb591a-5e70-4534-a8bf-04b9c489584a Secrets should have more than the specified number of days before expiration If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault 342e8053-e12e-4c44-be01-c3c2f318400f Secrets should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Key Vault Key Vault e8d99835-8a06-45ae-a8e0-87a91941ccfe Secrets should not be active for longer than the specified number of days If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. Default: Audit
Allowed: (Audit, Deny, Disabled)
GA BuiltIn
Kubernetes Kubernetes b2fd3e59-6390-4f2b-8247-ea676bd03e2d [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.Kubernetes/connectedClusters
Deprecated BuiltIn
Kubernetes Kubernetes 440b515e-a580-421e-abeb-b159a61ddcbc [Deprecated]: Kubernetes cluster containers should only listen on allowed ports Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes Kubernetes 8dfab9c4-fe7b-49ad-85e4-1e9be085358f [Preview]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (2)
•Microsoft.Kubernetes/connectedClusters/connectivityStatus
•Microsoft.Kubernetes/connectedClusters/distribution
THEN-ExistenceCondition (2)
•Microsoft.KubernetesConfiguration/extensions/extensionType
•Microsoft.KubernetesConfiguration/extensions/provisioningState
IF (1)
•Microsoft.Kubernetes/connectedClusters
Preview BuiltIn
Kubernetes Kubernetes 6b2122c1-8120-4ff5-801b-17625a355590 [Preview]: Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.KubernetesConfiguration/extensions/extensionType
IF (1)
•Microsoft.Kubernetes/connectedClusters
Preview BuiltIn
Kubernetes Kubernetes a1840de2-8088-4ea8-b153-b4c723e9cb01 [Preview]: Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-introduction Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/securityProfile.azureDefender.enabled
IF (1)
•Microsoft.ContainerService/managedClusters
Preview BuiltIn
Kubernetes Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Azure Defender's extension Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor, Log Analytics Contributor IF (2)
•Microsoft.Kubernetes/connectedClusters/connectivityStatus
•Microsoft.Kubernetes/connectedClusters/distribution
THEN-ExistenceCondition (2)
•Microsoft.KubernetesConfiguration/extensions/extensionType
•Microsoft.KubernetesConfiguration/extensions/provisioningState
IF (1)
•Microsoft.Kubernetes/connectedClusters
THEN-Deployment (4)
•Microsoft.KubernetesConfiguration/extensions
•Microsoft.OperationalInsights/workspaces
•Microsoft.Resources/deployments
•Microsoft.Resources/resourceGroups
Preview BuiltIn
Kubernetes Kubernetes 0adc5395-9169-4b9b-8687-af838d69410a [Preview]: Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Kubernetes Extension Contributor THEN-ExistenceCondition (1)
•Microsoft.KubernetesConfiguration/extensions/extensionType
IF (1)
•Microsoft.Kubernetes/connectedClusters
THEN-Deployment (1)
•Microsoft.KubernetesConfiguration/extensions
Preview BuiltIn
Kubernetes Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 [Preview]: Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-introduction. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor, Log Analytics Contributor THEN-ExistenceCondition (1)
•Microsoft.ContainerService/managedClusters/securityProfile.azureDefender.enabled
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (4)
•Microsoft.ContainerService/ManagedClusters
•Microsoft.OperationalInsights/workspaces
•Microsoft.Resources/deployments
•Microsoft.Resources/resourceGroups
Preview BuiltIn
Kubernetes Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Preview]: Kubernetes clusters should gate deployment of vulnerable images Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview BuiltIn
Kubernetes Kubernetes kubernetes_aks-prevent-load-balancer-profile AKS prevent load balancer profile This policy prevent load balancer profile for aks. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Kubernetes Kubernetes kubernetes_aks-prevent-node-public-ip AKS prevent node public ip This policy prevent node public ip for aks. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/agentPoolProfiles[*]
GA Community
Kubernetes Kubernetes 993c2fcd-2b29-49d2-9eb0-df2c3a730c32 Azure Kubernetes Service Clusters should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/disableLocalAccounts
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 040732e8-d947-40b8-95d6-854c95024bf8 Azure Kubernetes Service Private Clusters should be enabled Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 0a15ec92-a229-4763-bb14-0ea34a568f8d Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/addonProfiles.azurePolicy.enabled
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/diskEncryptionSetID
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access Ensure to improve cluster security by centrally govern Administrator access to Azure Active Directory integrated AKS clusters. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Kubernetes Service Contributor Role IF (1)
•Microsoft.ContainerService/managedClusters/aadProfile
THEN-ExistenceCondition (1)
•Microsoft.ContainerService/managedClusters/aadProfile.adminGroupObjectIDs[*]
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (2)
•Microsoft.ContainerService/managedClusters
•Microsoft.Resources/deployments
GA BuiltIn
Kubernetes Kubernetes a6f560f4-f582-4b67-b123-a37dcd1bf7ea Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Contributor THEN-ExistenceCondition (5)
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 Configure Kubernetes clusters with specified GitOps configuration using no secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Contributor THEN-ExistenceCondition (5)
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes c050047b-b21b-4822-8a2d-c1e37c3c0c6a Configure Kubernetes clusters with specified GitOps configuration using SSH secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Contributor THEN-ExistenceCondition (6)
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl
•Microsoft.KubernetesConfiguration/sourceControlConfigurations/sshKnownHostsContents
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 6c66c325-74c8-42fd-a286-a74b0e2939d8 Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Azure Kubernetes Service Contributor Role THEN-ExistenceCondition (1)
•Microsoft.ContainerService/managedClusters/addonProfiles.azurePolicy.enabled
IF (1)
•Microsoft.ContainerService/managedClusters
THEN-Deployment (2)
•Microsoft.ContainerService/managedClusters
•Microsoft.Resources/deployments
GA BuiltIn
Kubernetes Kubernetes kubernetes_enforce-aks-aad-support Enforce AKS aad support This policy enforces aad support for AKS. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Kubernetes Kubernetes kubernetes_enforce-aks-network-plugin Enforce AKS network plugin This policy enforces network plugin for AKS. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/networkProfile.networkPlugin
GA Community
Kubernetes Kubernetes kubernetes_enforce-aks-outbound-type Enforce AKS outbound type This policy enforces outbound type for AKS. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters/networkProfile.outboundType
GA Community
Kubernetes Kubernetes kubernetes_allowed-external-ips Ensure only allowed External IPs are used in Kubernetes Cluster This policy ensures only allowed external ips are used in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.Kubernetes/connectedClusters
GA BuiltIn
Kubernetes Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.Kubernetes/connectedClusters
GA BuiltIn
Kubernetes Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.Kubernetes/connectedClusters
GA BuiltIn
Kubernetes Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default: deny
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 245fc9df-fa96-4414-9a0b-3738c2f7341c Resource logs in Azure Kubernetes Service should be enabled Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes Kubernetes 41425d9f-d1a5-499a-9932-f8ed8453932c Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.ContainerService/managedClusters/agentPoolProfiles[*]
•Microsoft.ContainerService/managedClusters/agentPoolProfiles[*].enableEncryptionAtHost
IF (1)
•Microsoft.ContainerService/managedClusters
GA BuiltIn
Kubernetes PSP Kubernetes PSP kubernetes_block-default-namespace Block usage of the default namespace in a Kubernetes cluster This policy blocks usage of the default namespace in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_allowed-host-paths Control allowed Host Paths on volumes in a Kubernetes Cluster This policy controls valid host paths that are allowed to be used by hostPath volumes in a Kubernetes Cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_allowed-proc-mount-types Control allowed Proc Mount Type on pods in a Kubernetes Cluster This policy controls valid ProcMount types on pods in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_host-network-ports Control whether a Pod may use the Host Network, and allow Host Ports in a Kubernetes Cluster This policy controls whether pod may use the host network, and allows host ports in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_allowed-users Control which user ID containers are run with in a Kubernetes Cluster This policy controls allowed user IDs for containers to run with in a Kubernetes Cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_container-no-privilege-escalation Do not allow container privilege escalation in Kubernetes cluster This policy does not allow containers to use privilege escalation in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_block-host-namespace Do not allow sharing of host process ID and IPC namespaces in a Kubernetes Cluster This policy blocks pod containers from sharing the host process ID namespace and IPC namespace in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc/. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_container-disallowed-capabilities Ensure disallowed capabilities are not used in Kubernetes Cluster This policy ensures specified security capabilities are not used inside a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_enforce-apparmor-profile Ensure only allowed app armor profiles are used in Kubernetes Cluster This policy ensures containers define an App Armor profile and only use allowed App Armor profiles. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_container-allowed-capabilities Ensure only allowed capabilities are used in Kubernetes Cluster This policy ensures specified security capabilities are defined and removed inside a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_selinux Ensure only allowed SELinux options are used in a Kubernetes cluster This policy ensures only allowed SELinux options are used in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_allowed-volume-types Ensure only allowed Volume Types are used in Kubernetes Cluster This policy ensures only allowed volume types are used in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_allowed-seccomp-profiles Ensure Pods use only allowed Seccomp Profiles in a Kubernetes Cluster This policy ensures Pods in a Kubernetes cluster only use allowed Seccomp Profiles. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_read-only-root-filesystem Ensure Read-Only Access to Root Filesystem in a Kubernetes Cluster This policy ensures pods only have read-only access to the root filesystem in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc/. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_forbidden-sysctl-interfaces Forbid Pods in Kubernetes Cluster from using forbidden Sysctl Interfaces This policy forbids pods in a Kubernetes cluster from using specified Sysctl Interfaces. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes PSP Kubernetes PSP kubernetes_block-automount-token Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Preview Community
Kubernetes service Kubernetes service 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 [Deprecated]: Do not allow privileged containers in AKS This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 [Deprecated]: Enforce HTTPS ingress in AKS This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service a74d8f00-2fd9-4ce4-968e-0ee1eb821698 [Deprecated]: Enforce internal load balancers in AKS This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service 16c6ca72-89d2-4798-b87e-496f9de7fcb7 [Deprecated]: Enforce labels on pods in AKS This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service d011d9f7-ba32-4005-b727-b3d09371ca60 [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service 0f636243-1b1c-4d50-880f-310f6199f2cb [Deprecated]: Ensure containers listen only on allowed ports in AKS This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service a2d3ed81-8d11-4079-80a5-1faadc0024f4 [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service 5f86cb6e-c4da-441b-807c-44bd0cc14e66 [Deprecated]: Ensure only allowed container images in AKS This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service 25dee3db-6ce0-4c02-ab5d-245887b24077 [Deprecated]: Ensure services listen only on allowed ports in AKS This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
IF (1)
•Microsoft.ContainerService/managedClusters
Deprecated BuiltIn
Kubernetes service Kubernetes service kubernetesservice_append-aks-api-ip-restrictions Append AKS API IP Restrictions This policy will restrict access to the AKS API server as documented here: https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges Fixed: append THEN-Details (1)
•Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges
IF (1)
•Microsoft.ContainerService/managedClusters
GA Community
Lighthouse Lighthouse 7a8a51a3-ad87-4def-96f3-65a1839242b6 Allow managing tenant ids to onboard through Azure Lighthouse Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources. Fixed: deny IF (1)
•Microsoft.ManagedServices/registrationDefinitions/managedByTenantId
IF (1)
•Microsoft.ManagedServices/registrationDefinitions
GA BuiltIn
Lighthouse Lighthouse 76bed37b-484f-430f-a009-fd7592dff818 Audit delegation of scopes to a managing tenant Audit delegation of scopes to a managing tenant via Azure Lighthouse. Default: Audit
Allowed: (Audit, Disabled)
IF (1)
•Microsoft.ManagedServices/registrationAssignments
GA BuiltIn
Load Balancer Load Balancer loadbalancer_deny-load-balancer-outbound-rules Deny load balancer outbound rules This policy deny load balancer outbound rules. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Load Balancer Load Balancer loadbalancer_enforce-disabling-of-snat-in-load-balancer-rules Enforce disabling of snat in load balancer rules This policy enforce disabling of snat in load balancer rules. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Network/loadBalancers/loadBalancingRules[*]
GA Community
Load Balancer Load Balancer loadbalancer_enforce-lb-private-ip-addresses-only-in-frontend-configuration Enforce load balancer private ip addresses only in frontend configuration This policy enforces private ip addresses only in frontend configuration. Default: Deny
Allowed: (Audit, Deny, Disabled)
GA Community
Load Balancer Load Balancer loadbalancer_enforce-load-balancer-regional-tier Enforce load balancer regional TIER This policy enforces regional tier for load balancers. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Network/loadBalancers/sku.tier
GA Community
Load Balancer Load Balancer loadbalancer_enforce-load-balancer-standard-sku Enforce load balancer standard SKU This policy enforces standard sku for load balancers. Default: Deny
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Network/loadBalancers/sku.name
GA Community
Logic Apps Logic Apps 1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5 Logic Apps Integration Service Environment should be encrypted with customer-managed keys Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Logic/integrationServiceEnvironments/encryptionConfiguration
IF (1)
•Microsoft.Logic/integrationServiceEnvironments
GA BuiltIn
Logic Apps Logic Apps dc595cb1-1cde-45f6-8faf-f88874e1c0e1 Logic Apps should be deployed into Integration Service Environment Deploying Logic Apps into Integration Service Environment in a virtual network unlocks advanced Logic Apps networking and security features and provides you with greater control over your network configuration. Learn more at: https://aka.ms/integration-service-environment. Deploying into Integration Service Environment also allows encryption with customer-managed keys which provides enhanced data protection by allowing you to manage your encryption keys. This is often to meet compliance requirements. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Logic/workflows/integrationServiceEnvironment
IF (1)
•Microsoft.Logic/workflows
GA BuiltIn
Logic Apps Logic Apps 34f95f76-5386-4de7-b824-0d8478470c9d Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (5)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/logs[*]
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days
•Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled
•Microsoft.Insights/diagnosticSettings/storageAccountId
IF (1)
•Microsoft.Logic/workflows
GA BuiltIn
Machine Learning Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview BuiltIn
Machine Learning Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview BuiltIn
Machine Learning Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview BuiltIn
Machine Learning Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview BuiltIn
Machine Learning Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview BuiltIn
Machine Learning Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default: enforceSetting
Allowed: (enforceSetting, disabled)
Preview BuiltIn
Machine Learning Machine Learning 7804b5c7-01dc-4723-969b-ae300cc07ff1 Audit Azure Machine Learning Compute Cluster and Instance is behind virtual network Azure Virtual Network deployment provides enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access.When am Azure Machine Learning Compute instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Default: Audit
Allowed: (Audit, Disabled)
IF (2)
•Microsoft.MachineLearningServices/workspaces/computes/computeType
•Microsoft.MachineLearningServices/workspaces/computes/subnet.id
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes
GA BuiltIn
Machine Learning Machine Learning Deny-MachineLearning-PublicNetworkAccess Azure Machine Learning should have disabled public network access Denies public network access for Azure Machine Learning workspaces. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.MachineLearningServices/workspaces/publicNetworkAccess
IF (1)
•Microsoft.MachineLearningServices/workspaces
GA ESLZ
Machine Learning Machine Learning ba769a63-b8cc-4b2d-abf6-ac33c7204be8 Azure Machine Learning workspaces should be encrypted with a customer-managed key Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.MachineLearningServices/workspaces/encryption.status
IF (1)
•Microsoft.MachineLearningServices/workspaces
GA BuiltIn
Machine Learning Machine Learning 438c38d2-3772-465a-a9cc-7a6666a275ce Azure Machine Learning workspaces should disable public network access Disabling public network access improves security by ensuring that the machine learning workspaces aren't exposed on the public internet. You can limit exposure of your workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.MachineLearningServices/workspaces/publicNetworkAccess
IF (1)
•Microsoft.MachineLearningServices/workspaces
GA BuiltIn
Machine Learning Machine Learning 40cec1dd-a100-4920-b15b-3024fe8901ab Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*]
•Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*].privateLinkServiceConnectionState.status
IF (1)
•Microsoft.MachineLearningServices/workspaces
GA BuiltIn
Machine Learning Machine Learning 5f0c7d88-c7de-45b8-ac49-db49e72eaa78 Azure Machine Learning workspaces should use user-assigned managed identity Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.MachineLearningServices/workspaces/primaryUserAssignedIdentity
IF (1)
•Microsoft.MachineLearningServices/workspaces
GA BuiltIn
Machine Learning Machine Learning ee40564d-486e-4f68-a5ca-7a621edae0fb Configure Azure Machine Learning workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (1)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
IF (1)
•Microsoft.Network/privateEndpoints
GA BuiltIn
Machine Learning Machine Learning a10ee784-7409-4941-b091-663697637c0f Configure Azure Machine Learning workspaces to disable public network access Disable public network access for Azure Machine Learning workspaces so that your workspaces aren't accessible over the public internet. This will help protect the workspaces against data leakage risks. You can limit exposure of the your machine learning workspaces by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Default: Modify
Allowed: (Modify, Disabled)
AzureML Data Scientist IF (1)
•Microsoft.MachineLearningServices/workspaces/publicNetworkAccess
THEN-Operations (1)
•Microsoft.MachineLearningServices/workspaces/publicNetworkAccess
IF (1)
•Microsoft.MachineLearningServices/workspaces
GA BuiltIn
Machine Learning Machine Learning 7838fd83-5cbb-4b5d-888c-bfa240972597 Configure Azure Machine Learning workspaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Machine Learning workspace, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor THEN-ExistenceCondition (1)
•Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.MachineLearningServices/workspaces
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Machine Learning Machine Learning a6f9a2d0-cff7-4855-83ad-4cd750666512 Configure Machine Learning computes to disable local authentication methods Disable location authentication methods so that your Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (1)
•Microsoft.MachineLearningServices/workspaces/computes/disableLocalAuth
THEN-Operations (1)
•Microsoft.MachineLearningServices/workspaces/computes/disableLocalAuth
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes
GA BuiltIn
Machine Learning Machine Learning Audit-MachineLearning-PrivateEndpointId Control private endpoint connections to Azure Machine Learning Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id
•Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status
GA ESLZ
Machine Learning Machine Learning Deny-MachineLearning-Aks Deny AKS cluster creation in Azure Machine Learning Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (2)
•Microsoft.MachineLearningServices/workspaces/computes/computeType
•Microsoft.MachineLearningServices/workspaces/computes/resourceId
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes
GA ESLZ
Machine Learning Machine Learning Deny-MachineLearning-PublicAccessWhenBehindVnet Deny public acces behind vnet to Azure Machine Learning workspace Deny public access behind vnet to Azure Machine Learning workspaces. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet
IF (1)
•Microsoft.MachineLearningServices/workspaces
GA ESLZ
Machine Learning Machine Learning Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess Deny public access of Azure Machine Learning clusters via SSH Deny public access of Azure Machine Learning clusters via SSH. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (2)
•Microsoft.MachineLearningServices/workspaces/computes/computeType
•Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes
GA ESLZ
Machine Learning Machine Learning Deny-MachineLearning-Compute-SubnetId Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (2)
•Microsoft.MachineLearningServices/workspaces/computes/computeType
•Microsoft.MachineLearningServices/workspaces/computes/subnet.id
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes
GA ESLZ
Machine Learning Machine Learning Deny-MachineLearning-HbiWorkspace Enforces high business impact Azure Machine Learning Workspaces Enforces high business impact Azure Machine Learning workspaces. Default: Deny
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.MachineLearningServices/workspaces/hbiWorkspace
IF (1)
•Microsoft.MachineLearningServices/workspaces
GA ESLZ
Machine Learning Machine Learning e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Machine Learning computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes/disableLocalAuth
IF (1)
•Microsoft.MachineLearningServices/workspaces/computes
GA BuiltIn
Managed Application Managed Application 9db7917b-1607-4e7d-a689-bca978dd0633 Application definition for Managed Application should use customer provided storage account Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.Solutions/applicationDefinitions/storageAccountId
IF (1)
•Microsoft.Solutions/applicationDefinitions
GA BuiltIn
Managed Application Managed Application 17763ad9-70c0-4794-9397-53d765932634 Deploy associations for a managed application Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. Fixed: deployIfNotExists Contributor THEN-Deployment (1)
•Microsoft.Resources/deployments
GA BuiltIn
Media Services Media Services 8bfe3603-0888-404a-87ff-5c1b6b4cc5e3 Azure Media Services accounts should disable public network access Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet. Creating private endpoints can limit exposure of Media Services resources. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Media/mediaservices/publicNetworkAccess
IF (1)
•Microsoft.Media/mediaservices
GA BuiltIn
Media Services Media Services a77d8bb4-8d22-4bc1-a884-f582a705b480 Azure Media Services accounts should use an API that supports Private Link Media Services accounts should be created with an API that supports private link. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Media/mediaservices/encryption.type
IF (1)
•Microsoft.Media/mediaservices
GA BuiltIn
Media Services Media Services ccf93279-9c91-4143-a841-8d1f21505455 Azure Media Services accounts that allow access to the legacy v2 API should be blocked The Media Services legacy v2 API allows requests that cannot be managed using Azure Policy. Media Services resources created using the 2020-05-01 API or later block access to the legacy v2 API. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Media/mediaservices/encryption.type
IF (1)
•Microsoft.Media/mediaservices
GA BuiltIn
Media Services Media Services daccf7e4-9808-470c-a848-1c5b582a1afb Azure Media Services content key policies should use token authentication Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Azure Active Directory. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (6)
•Microsoft.Media/mediaServices/contentKeyPolicies/options[*]
•Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction
•Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.audience
•Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.issuer
•Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.openIdConnectDiscoveryDocument
•Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.restrictionTokenType
IF (1)
•Microsoft.Media/mediaservices/contentKeyPolicies
GA BuiltIn
Media Services Media Services e9914afe-31cd-4b8a-92fa-c887f847d477 Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri' the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property. Default: Deny
Allowed: (Deny, Disabled)
IF (8)
•Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputClip.files[*]
•Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputHttp.baseUri
•Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*]
•Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputClip.files[*]
•Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri
•Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*]
•Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputClip.files[*]
•Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri
IF (1)
•Microsoft.Media/mediaservices/transforms/jobs
GA BuiltIn
Media Services Media Services 9285c3de-d5fd-4225-86d4-027894b0c442 Azure Media Services should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Media Services accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/mediaservicescmkdocs. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (1)
•Microsoft.Media/mediaservices/encryption.type
IF (1)
•Microsoft.Media/mediaservices
GA BuiltIn
Media Services Media Services 4a591bf5-918e-4a5f-8dad-841863140d61 Azure Media Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Media/mediaservices/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Media/mediaservices
GA BuiltIn
Media Services Media Services b4a7f6c1-585e-4177-ad5b-c2c93f4bb991 Configure Azure Media Services to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.Media/mediaservices
•Microsoft.Network/privateEndpoints
GA BuiltIn
Media Services Media Services c5632066-946d-4766-9544-cd79bcc1286e Configure Azure Media Services with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor, Media Services Account Administrator THEN-ExistenceCondition (4)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
•Microsoft.Network/privateEndpoints/subnet.id
IF (1)
•Microsoft.Media/mediaservices
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Migrate Migrate 7590a335-57cf-4c95-babd-ecbc8fafeb1f Configure Azure Migrate resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://aka.ms/privatednszone. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (4)
•Microsoft.Migrate/assessmentProjects
•Microsoft.Migrate/migrateProjects
•Microsoft.Network/privateEndpoints
•Microsoft.OffAzure/masterSites
GA BuiltIn
Monitoring Monitoring bacd7fca-1938-443d-aad6-a786107b1bfb [Preview]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (1)
•Microsoft.HybridCompute/machines/osName
THEN-ExistenceCondition (3)
•Microsoft.HybridCompute/machines/extensions/provisioningState
•Microsoft.HybridCompute/machines/extensions/publisher
•Microsoft.HybridCompute/machines/extensions/type
IF (1)
•Microsoft.HybridCompute/machines
THEN-Deployment (5)
•Microsoft.HybridCompute/machines/extensions
•Microsoft.OperationalInsights/workspaces
•Microsoft.OperationsManagement/solutions
•Microsoft.Resources/deployments
•Microsoft.Resources/resourceGroups
Preview BuiltIn
Monitoring Monitoring 594c1276-f44f-482d-9910-71fac2ce5ae0 [Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor IF (1)
•Microsoft.HybridCompute/machines/osName
THEN-ExistenceCondition (3)
•Microsoft.HybridCompute/machines/extensions/provisioningState
•Microsoft.HybridCompute/machines/extensions/publisher
•Microsoft.HybridCompute/machines/extensions/type
IF (1)
•Microsoft.HybridCompute/machines
THEN-Deployment (5)
•Microsoft.HybridCompute/machines/extensions
•Microsoft.OperationalInsights/workspaces
•Microsoft.OperationsManagement/solutions
•Microsoft.Resources/deployments
•Microsoft.Resources/resourceGroups
Preview BuiltIn
Monitoring Monitoring 17b3de92-f710-4cf4-aa55-0e7859f1ed7b [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. Default: Modify
Allowed: (Modify, Disabled)
Virtual Machine Contributor, Managed Identity Contributor, Managed Identity Operator IF (4)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSku
•Microsoft.Compute/virtualMachines/securityProfile.uefiSettings
IF (2)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachineScaleSets
Preview BuiltIn
Monitoring Monitoring 32133ab0-ee4b-4b44-98d6-042180979d50 [Preview]: Log Analytics Extension should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (1)
•Microsoft.Compute/virtualMachines/extensions/publisher
IF (1)
•Microsoft.Compute/virtualMachines
Preview BuiltIn
Monitoring Monitoring 842c54e8-c2f9-4d79-ae8d-38d8b8019373 [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (3)
•Microsoft.HybridCompute/machines/extensions/provisioningState
•Microsoft.HybridCompute/machines/extensions/publisher
•Microsoft.HybridCompute/machines/extensions/type
IF (1)
•Microsoft.HybridCompute/machines
Preview BuiltIn
Monitoring Monitoring d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (1)
•Microsoft.HybridCompute/imageOffer
THEN-ExistenceCondition (3)
•Microsoft.HybridCompute/machines/extensions/provisioningState
•Microsoft.HybridCompute/machines/extensions/publisher
•Microsoft.HybridCompute/machines/extensions/type
IF (1)
•Microsoft.HybridCompute/machines
Preview BuiltIn
Monitoring Monitoring 04c4380f-3fae-46e8-96c9-30193528f602 [Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
Preview BuiltIn
Monitoring Monitoring 2f2ee1de-44aa-4762-b6bd-0893fc3f306d [Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (3)
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
Preview BuiltIn
Monitoring Monitoring b02aacc0-b073-424e-8298-42b22829ee0a Activity log should be retained for at least one year This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (2)
•Microsoft.Insights/logProfiles/retentionPolicy.days
•Microsoft.Insights/logProfiles/retentionPolicy.enabled
IF (1)
•Microsoft.Resources/subscriptions
GA BuiltIn
Monitoring Monitoring b954148f-4c11-4c38-8221-be76711e194a An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (4)
•Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]
•Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals
•Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field
•Microsoft.Insights/ActivityLogAlerts/enabled
IF (1)
•Microsoft.Resources/subscriptions
GA BuiltIn
Monitoring Monitoring c5447c04-a4d7-4ba8-a263-c9ee321a6858 An activity log alert should exist for specific Policy operations This policy audits specific Policy operations with no activity log alerts configured. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (4)
•Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]
•Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals
•Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field
•Microsoft.Insights/ActivityLogAlerts/enabled
IF (1)
•Microsoft.Resources/subscriptions
GA BuiltIn
Monitoring Monitoring 3b980d31-7904-4bb7-8575-5665739a8052 An activity log alert should exist for specific Security operations This policy audits specific Security operations with no activity log alerts configured. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (4)
•Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]
•Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals
•Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field
•Microsoft.Insights/ActivityLogAlerts/enabled
IF (1)
•Microsoft.Resources/subscriptions
GA BuiltIn
Monitoring Monitoring 1bc02227-0cb6-4e11-8f53-eb0b22eab7e8 Application Insights components should block log ingestion and querying from public networks Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. Default: audit
Allowed: (audit, deny, disabled)
IF (2)
•Microsoft.Insights/components/publicNetworkAccessForIngestion
•Microsoft.Insights/components/publicNetworkAccessForQuery
IF (1)
•Microsoft.Insights/components
GA BuiltIn
Monitoring Monitoring 199d5677-e4d9-4264-9465-efe1839c06bd Application Insights components should block non-Azure Active Directory based ingestion. Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. Default: Audit
Allowed: (Deny, Audit, Disabled)
IF (1)
•Microsoft.Insights/components/DisableLocalAuth
IF (1)
•Microsoft.Insights/components
GA BuiltIn
Monitoring Monitoring 0c4bd2e8-8872-4f37-a654-03f6f38ddc76 Application Insights components with Private Link enabled should use Bring Your Own Storage accounts for profiler and debugger. To support private link and customer-managed key policies, create your own storage account for profiler and debugger. Learn more in https://docs.microsoft.com/azure/azure-monitor/app/profiler-bring-your-own-storage Default: Audit
Allowed: (Deny, Audit, Disabled)
IF (1)
•Microsoft.Insights/components/ForceCustomerStorageForProfiler
IF (1)
•Microsoft.Insights/components
GA BuiltIn
Monitoring Monitoring monitoring_apply-diagnostic-setting-azsql-eventhub Apply Diagnostic Settings for Azure SQL to a regional Event Hub This policy automatically deploys diagnostic settings for Azure SQL to a regional event hub. Fixed: deployIfNotExists Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/eventHubName
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.Sql/servers/databases
GA Community
Monitoring Monitoring 7f89b1eb-583c-429a-8828-af049802c1d9 Audit diagnostic setting Audit diagnostic setting for selected resource types Fixed: AuditIfNotExists THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
GA BuiltIn
Monitoring Monitoring monitoring_audit-diagnostic-setting-for-wvd-applicationgroups-log-analytics Audit Diagnostic Settings for WVD Application Groups to Log Analytics workspace Audits the diagnostic settings for WVD Application Groups to stream to a regional Log Analytics workspace when any WVD Application Group which is missing these diagnostic settings is created or updated. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Insights/diagnosticSettings/logs.enabled
IF (1)
•Microsoft.DesktopVirtualization/applicationgroups
GA Community
Monitoring Monitoring monitoring_audit-diagnostic-setting-for-wvd-hostpools-log-analytics Audit Diagnostic Settings for WVD Host Pools to Log Analytics workspace Audits the diagnostic settings for WVD Host Pools to stream to a regional Log Analytics workspace when any WVD Host Pool which is missing these diagnostic settings is created or updated. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Insights/diagnosticSettings/logs.enabled
IF (1)
•Microsoft.DesktopVirtualization/hostpools
GA Community
Monitoring Monitoring monitoring_audit-diagnostic-setting-for-wvd-workspaces-log-analytics Audit Diagnostic Settings for WVD Workspaces to Log Analytics workspace Audits the diagnostic settings for WVD Workspaces to stream to a regional Log Analytics workspace when any WVD Workspace which is missing these diagnostic settings is created or updated. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Insights/diagnosticSettings/logs.enabled
IF (1)
•Microsoft.DesktopVirtualization/workspaces
GA Community
Monitoring Monitoring 94c1f94d-33b0-4062-bd04-1cdc3e7eece2 Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys Ensure that Azure Log Search Alerts are implementing customer-managed keys, by storing the query text using the storage account that the customer had provided for the queried Log Analytics workspace. For more information, visit https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. Default: Audit
Allowed: (Audit, Disabled, Deny)
IF (1)
•Microsoft.Insights/scheduledqueryrules/checkWorkspaceAlertsStorageConfigured
IF (1)
•Microsoft.Insights/scheduledqueryrules
GA BuiltIn
Monitoring Monitoring 1a4e592a-6a6e-44a5-9814-e36264ca96e7 Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Insights/logProfiles/categories[*]
IF (1)
•Microsoft.Resources/subscriptions
GA BuiltIn
Monitoring Monitoring ea0dfaed-95fb-448c-934e-d6e713ce393d Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.OperationalInsights/clusters/isDoubleEncryptionEnabled
IF (1)
•Microsoft.OperationalInsights/clusters
GA BuiltIn
Monitoring Monitoring 1f68a601-6e6d-4e42-babf-3f643a047ea2 Azure Monitor Logs clusters should be encrypted with customer-managed key Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. Default: audit
Allowed: (audit, deny, disabled)
IF (3)
•Microsoft.OperationalInsights/clusters/keyVaultProperties.keyName
•Microsoft.OperationalInsights/clusters/keyVaultProperties.keyVaultUri
•Microsoft.OperationalInsights/clusters/keyVaultProperties.keyVersion
IF (1)
•Microsoft.OperationalInsights/clusters
GA BuiltIn
Monitoring Monitoring d550e854-df1a-4de9-bf44-cd894b39a95e Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. Default: audit
Allowed: (audit, deny, disabled)
IF (1)
•Microsoft.Insights/components/WorkspaceResourceId
IF (1)
•Microsoft.Insights/components
GA BuiltIn
Monitoring Monitoring a499fed8-bcc8-4195-b154-641f14743757 Azure Monitor Private Link Scope should block access to non private link resources Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. Default: Audit
Allowed: (Audit, Deny, Disabled)
IF (2)
•Microsoft.Insights/privateLinkScopes/accessModeSettings.ingestionAccessMode
•Microsoft.Insights/privateLinkScopes/accessModeSettings.queryAccessMode
IF (1)
•Microsoft.Insights/privateLinkScopes
GA BuiltIn
Monitoring Monitoring 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 Azure Monitor Private Link Scope should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Insights/privateLinkScopes/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Insights/privateLinkScopes
GA BuiltIn
Monitoring Monitoring 41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Insights/logProfiles/locations[*]
IF (1)
•Microsoft.Resources/subscriptions
GA BuiltIn
Monitoring Monitoring 3e596b57-105f-48a6-be97-03e9243bad6e Azure Monitor solution 'Security and Audit' must be deployed This policy ensures that Security and Audit is deployed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.OperationsManagement/solutions/provisioningState
IF (1)
•Microsoft.Resources/subscriptions
GA BuiltIn
Monitoring Monitoring 7796937f-307b-4598-941c-67d3a05ebfe7 Azure subscriptions should have a log profile for Activity Log This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
THEN-ExistenceCondition (1)
•Microsoft.Insights/logProfiles/categories
IF (1)
•Microsoft.Resources/subscriptions
GA BuiltIn
Monitoring Monitoring 2465583e-4e78-4c15-b6be-a36cbc7c8b0f Configure Azure Activity logs to stream to specified Log Analytics workspace Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.Resources/subscriptions
THEN-Deployment (1)
•Microsoft.Insights/diagnosticSettings
GA BuiltIn
Monitoring Monitoring dddfa1af-dcd6-42f4-b5b0-e1db01e0b405 Configure Azure Application Insights components to disable public network access for log ingestion and querying Disable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. Default: Modify
Allowed: (Modify, Disabled)
Application Insights Component Contributor IF (2)
•Microsoft.Insights/components/publicNetworkAccessForIngestion
•Microsoft.Insights/components/publicNetworkAccessForQuery
THEN-Operations (2)
•Microsoft.Insights/components/publicNetworkAccessForIngestion
•Microsoft.Insights/components/publicNetworkAccessForQuery
IF (1)
•Microsoft.Insights/components
GA BuiltIn
Monitoring Monitoring d3ba9c42-9dd5-441a-957c-274031c750c0 Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. Default: Modify
Allowed: (Modify, Disabled)
Log Analytics Contributor IF (2)
•Microsoft.OperationalInsights/workspaces/publicNetworkAccessForIngestion
•Microsoft.OperationalInsights/workspaces/publicNetworkAccessForQuery
THEN-Operations (2)
•Microsoft.OperationalInsights/workspaces/publicNetworkAccessForIngestion
•Microsoft.OperationalInsights/workspaces/publicNetworkAccessForQuery
IF (1)
•Microsoft.OperationalInsights/workspaces
GA BuiltIn
Monitoring Monitoring bec5db8e-c4e3-40f9-a545-e0bd00065c82 Configure Azure Monitor Private Link Scope to block access to non private link resources Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. Default: Modify
Allowed: (Modify, Disabled)
Contributor IF (2)
•Microsoft.Insights/privateLinkScopes/accessModeSettings.ingestionAccessMode
•Microsoft.Insights/privateLinkScopes/accessModeSettings.queryAccessMode
THEN-Operations (2)
•Microsoft.Insights/privateLinkScopes/accessModeSettings.ingestionAccessMode
•Microsoft.Insights/privateLinkScopes/accessModeSettings.queryAccessMode
IF (1)
•Microsoft.Insights/privateLinkScopes
GA BuiltIn
Monitoring Monitoring 437914ee-c176-4fff-8986-7e05eb971365 Configure Azure Monitor Private Link Scope to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor IF (3)
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]
•Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId
IF (2)
•Microsoft.Insights/privateLinkScopes
•Microsoft.Network/privateEndpoints
GA BuiltIn
Monitoring Monitoring e8185402-357b-4768-8058-f620bc0ae6b5 Configure Azure Monitor Private Link Scopes with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Monitor Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (1)
•Microsoft.Insights/privateLinkScopes/privateEndpointConnections/privateLinkServiceConnectionState.status
IF (1)
•Microsoft.Insights/privateLinkScopes
THEN-Deployment (2)
•Microsoft.Network/privateEndpoints
•Microsoft.Resources/deployments
GA BuiltIn
Monitoring Monitoring deacecc0-9f84-44d2-bb82-46f32d766d43 Configure Dependency agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor IF (1)
•Microsoft.HybridCompute/machines/osName
THEN-ExistenceCondition (3)
•Microsoft.HybridCompute/machines/extensions/provisioningState
•Microsoft.HybridCompute/machines/extensions/publisher
•Microsoft.HybridCompute/machines/extensions/type
IF (1)
•Microsoft.HybridCompute/machines
THEN-Deployment (1)
•Microsoft.HybridCompute/machines/extensions
GA BuiltIn
Monitoring Monitoring 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 Configure Dependency agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor IF (1)
•Microsoft.HybridCompute/machines/osName
THEN-ExistenceCondition (3)
•Microsoft.HybridCompute/machines/extensions/provisioningState
•Microsoft.HybridCompute/machines/extensions/publisher
•Microsoft.HybridCompute/machines/extensions/type
IF (1)
•Microsoft.HybridCompute/machines
THEN-Deployment (1)
•Microsoft.HybridCompute/machines/extensions
GA BuiltIn
Monitoring Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor IF (1)
•Microsoft.HybridCompute/machines/osName
THEN-ExistenceCondition (3)
•Microsoft.HybridCompute/machines/extensions/provisioningState
•Microsoft.HybridCompute/machines/extensions/publisher
•Microsoft.HybridCompute/machines/extensions/type
IF (1)
•Microsoft.HybridCompute/machines
THEN-Deployment (1)
•Microsoft.HybridCompute/machines/extensions
GA BuiltIn
Monitoring Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux machines to be associated with a Data Collection Rule Deploy a Data Collection Rule Association to link a Linux virtual machine, virtual machine scale set, or Arc machine to the specified Data Collection Rule. The list of locations and OS images are updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor IF (5)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSku
•Microsoft.HybridCompute/machines/osName
THEN-ExistenceCondition (1)
•Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId
IF (3)
•Microsoft.Compute/virtualMachines
•Microsoft.Compute/virtualMachineScaleSets
•Microsoft.HybridCompute/machines
THEN-Deployment (3)
•Microsoft.compute/virtualmachines
•Microsoft.compute/virtualmachinescalesets
•Microsoft.hybridcompute/machines
GA BuiltIn
Monitoring Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSku
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState
•Microsoft.Compute/virtualMachineScaleSets/extensions/publisher
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
THEN-Deployment (1)
•Microsoft.Compute/virtualMachineScaleSets/extensions
GA BuiltIn
Monitoring Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSku
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Monitoring Monitoring 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Configure Log Analytics extension on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor IF (1)
•Microsoft.HybridCompute/machines/osName
THEN-ExistenceCondition (3)
•Microsoft.HybridCompute/machines/extensions/provisioningState
•Microsoft.HybridCompute/machines/extensions/publisher
•Microsoft.HybridCompute/machines/extensions/type
IF (1)
•Microsoft.HybridCompute/machines
THEN-Deployment (1)
•Microsoft.HybridCompute/machines/extensions
GA BuiltIn
Monitoring Monitoring 69af7d4a-7b18-4044-93a9-2651498ef203 Configure Log Analytics extension on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor IF (1)
•Microsoft.HybridCompute/machines/osName
THEN-ExistenceCondition (3)
•Microsoft.HybridCompute/machines/extensions/provisioningState
•Microsoft.HybridCompute/machines/extensions/publisher
•Microsoft.HybridCompute/machines/extensions/type
IF (1)
•Microsoft.HybridCompute/machines
THEN-Deployment (1)
•Microsoft.HybridCompute/machines/extensions
GA BuiltIn
Monitoring Monitoring 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 Configure Log Analytics workspace and automation account to centralize logs and monitoring Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor IF (1)
•Microsoft.Resources/subscriptions
THEN-Deployment (4)
•Microsoft.Automation/automationAccounts
•Microsoft.OperationalInsights/workspaces
•Microsoft.Resources/deployments
•Microsoft.Resources/resourceGroups
GA BuiltIn
Monitoring Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor IF (1)
•Microsoft.HybridCompute/machines/osName
THEN-ExistenceCondition (3)
•Microsoft.HybridCompute/machines/extensions/provisioningState
•Microsoft.HybridCompute/machines/extensions/publisher
•Microsoft.HybridCompute/machines/extensions/type
IF (1)
•Microsoft.HybridCompute/machines
THEN-Deployment (1)
•Microsoft.HybridCompute/machines/extensions
GA BuiltIn
Monitoring Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows machines to be associated with a Data Collection Rule Deploy Association to link Windows virtual machines to specified Data Collection Rule. The list of OS images is updated over time as support is increased. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (1)
•Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Monitoring Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState
•Microsoft.Compute/virtualMachineScaleSets/extensions/publisher
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
THEN-Deployment (1)
•Microsoft.Compute/virtualMachineScaleSets/extensions
GA BuiltIn
Monitoring Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Monitoring Monitoring 11ac78e3-31bc-4f0c-8434-37ab963cea07 Dependency agent should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (1)
•Microsoft.Compute/virtualMachines/extensions/publisher
IF (1)
•Microsoft.Compute/virtualMachines
GA BuiltIn
Monitoring Monitoring e2dd799a-a932-4e9d-ac17-d473bc3c6c10 Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (1)
•Microsoft.Compute/virtualMachineScaleSets/extensions/publisher
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
GA BuiltIn
Monitoring Monitoring 3be22e3b-d919-47aa-805e-8985dbeb0ad9 Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachineScaleSets/extensions/publisher
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
THEN-Deployment (1)
•Microsoft.Compute/virtualMachineScaleSets/extensions
GA BuiltIn
Monitoring Monitoring 1c210e94-a481-4beb-95fa-1571b434fb04 Deploy - Configure Dependency agent to be enabled on Windows virtual machines Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Monitoring Monitoring b3884c81-31aa-473d-a9bb-9466fe0ec2a0 Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Log Analytics workspace when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.KeyVault/managedHsms
GA BuiltIn
Monitoring Monitoring 3c1b3629-c8f8-4bf6-862c-037cb9094038 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor, Virtual Machine Contributor IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachineScaleSets/extensions/publisher
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
THEN-Deployment (1)
•Microsoft.Compute/virtualMachineScaleSets/extensions
GA BuiltIn
Monitoring Monitoring 0868462e-646c-4fe3-9ced-a733534b6a2c Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Monitoring Monitoring 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed: deployIfNotExists Virtual Machine Contributor IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (2)
•Microsoft.Compute/virtualMachineScaleSets/extensions/publisher
•Microsoft.Compute/virtualMachineScaleSets/extensions/type
IF (1)
•Microsoft.Compute/virtualMachineScaleSets
THEN-Deployment (1)
•Microsoft.Compute/virtualMachineScaleSets/extensions
GA BuiltIn
Monitoring Monitoring 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed: deployIfNotExists Log Analytics Contributor IF (4)
•Microsoft.Compute/imageId
•Microsoft.Compute/imageOffer
•Microsoft.Compute/imagePublisher
•Microsoft.Compute/imageSKU
THEN-ExistenceCondition (3)
•Microsoft.Compute/virtualMachines/extensions/provisioningState
•Microsoft.Compute/virtualMachines/extensions/publisher
•Microsoft.Compute/virtualMachines/extensions/type
IF (1)
•Microsoft.Compute/virtualMachines
THEN-Deployment (1)
•Microsoft.Compute/virtualMachines/extensions
GA BuiltIn
Monitoring Monitoring Deploy-Diagnostics-AnalysisService Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.AnalysisServices/servers
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-APIMgmt Deploy Diagnostic Settings for API Management to Log Analytics workspace Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.ApiManagement/service
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-WebServerFarm Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.Web/serverfarms
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-Website Deploy Diagnostic Settings for App Service to Log Analytics workspace Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.Web/sites
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-ApplicationGateway Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.Network/applicationGateways
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-AA Deploy Diagnostic Settings for Automation to Log Analytics workspace Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.Automation/automationAccounts
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-ApiForFHIR Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.HealthcareApis/services
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-DataExplorerCluster Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.Kusto/Clusters
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-Function Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.Web/sites
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-MediaService Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.Media/mediaServices
GA ESLZ
Monitoring Monitoring storage_deploy-storage-monitoring-log-analytics_blobservices Deploy Diagnostic Settings for Azure Storage blobs to Log Analytics workspace Deploys the diagnostic settings for Azure Storage blobs to stream to a regional Log Analytics workspace when any Azure Storage which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.Storage/storageAccounts
GA Community
Monitoring Monitoring storage_deploy-storage-monitoring-log-analytics_fileservices Deploy Diagnostic Settings for Azure Storage files to Log Analytics workspace Deploys the diagnostic settings for Azure Storage files to stream to a regional Log Analytics workspace when any Azure Storage which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.Storage/storageAccounts
GA Community
Monitoring Monitoring storage_deploy-storage-monitoring-log-analytics_queueservices Deploy Diagnostic Settings for Azure Storage queues to Log Analytics workspace Deploys the diagnostic settings for Azure Storage queues to stream to a regional Log Analytics workspace when any Azure Storage which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.Storage/storageAccounts
GA Community
Monitoring Monitoring storage_deploy-storage-monitoring-log-analytics_tableservices Deploy Diagnostic Settings for Azure Storage tables to Log Analytics workspace Deploys the diagnostic settings for Azure Storage tables to stream to a regional Log Analytics workspace when any Azure Storage which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.Storage/storageAccounts
GA Community
Monitoring Monitoring storage_deploy-storage-monitoring-log-analytics_storageaccounts Deploy Diagnostic Settings for Azure Storage to Log Analytics workspace Deploys the diagnostic settings for Azure Storage to stream to a regional Log Analytics workspace when any Azure Storage which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.Storage/storageAccounts
GA Community
Monitoring Monitoring storage_deploy-storage-monitoring-log-analytics Deploy Diagnostic Settings for Azure Storage, including blobs, files, tables, and queues to a Log Analytics workspace Deploys the diagnostic settings for Azure Storage, including blobs, files, tables, and queues to stream to a regional Log Analytics workspace when any Azure Storage which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.Storage/storageAccounts
GA Community
Monitoring Monitoring db51110f-0865-4a6e-b274-e2e07a5b2cd7 Deploy Diagnostic Settings for Batch Account to Event Hub Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Monitoring Monitoring c84e5349-db6d-4769-805e-e14037dab9b5 Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.Batch/batchAccounts
GA BuiltIn
Monitoring Monitoring Deploy-Diagnostics-CDNEndpoints Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.Cdn/profiles/endpoints
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-CognitiveServices Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.CognitiveServices/accounts
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-ACI Deploy Diagnostic Settings for Container Instances to Log Analytics workspace Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.ContainerInstance/containerGroups
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-ACR Deploy Diagnostic Settings for Container Registry to Log Analytics workspace Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.ContainerRegistry/registries
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-CosmosDB Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.DocumentDB/databaseAccounts
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-DataFactory Deploy Diagnostic Settings for Data Factory to Log Analytics workspace Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.DataFactory/factories
GA ESLZ
Monitoring Monitoring 4daddf25-4823-43d4-88eb-2419eb6dcc08 Deploy Diagnostic Settings for Data Lake Analytics to Event Hub Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.DataLakeAnalytics/accounts
GA BuiltIn
Monitoring Monitoring d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.DataLakeAnalytics/accounts
GA BuiltIn
Monitoring Monitoring Deploy-Diagnostics-DLAnalytics Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.DataLakeAnalytics/accounts
GA ESLZ
Monitoring Monitoring e8d096bc-85de-4c5f-8cfb-857bd1b9d62d Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.DataLakeStore/accounts
GA BuiltIn
Monitoring Monitoring 25763a0a-5783-4f14-969e-79d4933eb74b Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.DataLakeStore/accounts
GA BuiltIn
Monitoring Monitoring Deploy-Diagnostics-MySQL Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.DBforMySQL/servers
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-PostgreSQL Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.DBforPostgreSQL/servers
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-Databricks Deploy Diagnostic Settings for Databricks to Log Analytics workspace Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.Databricks/workspaces
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-EventGridSub Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.EventGrid/eventSubscriptions
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-EventGridSystemTopic Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.EventGrid/systemTopics
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-EventGridTopic Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.EventGrid/topics
GA ESLZ
Monitoring Monitoring ef7b61ef-b8e4-4c91-8e78-6946c6b0023f Deploy Diagnostic Settings for Event Hub to Event Hub Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Monitoring Monitoring 1f6e93e8-6b31-41b1-83f6-36e449a42579 Deploy Diagnostic Settings for Event Hub to Log Analytics workspace Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (2)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
IF (1)
•Microsoft.EventHub/namespaces
GA BuiltIn
Monitoring Monitoring Deploy-Diagnostics-ExpressRoute Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondition (3)
•Microsoft.Insights/diagnosticSettings/logs.enabled
•Microsoft.Insights/diagnosticSettings/metrics.enabled
•Microsoft.Insights/diagnosticSettings/workspaceId
IF (1)
•Microsoft.Network/expressRouteCircuits
GA ESLZ
Monitoring Monitoring Deploy-Diagnostics-Firewall Deploy Diagnostic Settings for Firewall to Log Analytics workspace Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor, Log Analytics Contributor THEN-ExistenceCondit