| Category | Id | DisplayName | Description | Effect | Roles used |
|---|---|---|---|---|---|
| API for FHIR | 0fea8f8a-4169-495d-8307-30ec335f387d | CORS should not allow every domain to access your API for FHIR | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. | Default: audit Allowed: (audit,disabled) |
none |
| API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Virtual network on API Management services of the specified SKU should be enabled. | Default: Audit Allowed: (Audit,Disabled) |
none |
| App Configuration | ca610c1d-041c-4332-9d88-7ed3094967c7 | App Configuration should use a private link | This policy audits any App Configuration instance that does not use a private link. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer managed key | This policy audits any App Configuration instance that does not use a customer managed key. | Default: Audit Allowed: (Audit,Disabled) |
none |
| App Platform | 0f2d8593-4667-4932-acca-6a9f187af109 | [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled | Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. | Default: Audit Allowed: (Audit,Disabled) |
none |
| App Service | 843664e0-7563-41ee-a9cb-7522c382d2c4 | Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | cb510bfd-1cba-4d9f-a230-cb0976f4bb71 | Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | Ensure that 'PHP version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | aa81768c-cb87-4ce2-bfaa-00baa10d760c | Ensure that Register with Azure Active Directory is enabled on WEB App | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 0820b7b9-23aa-4725-a1ce-ae4558f718e5 | CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | Latest TLS version should be used in your Web App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | Latest TLS version should be used in your API App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | ab965db2-d2bf-4b64-8b39-c38ec8179461 | Ensure that 'PHP version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | f0473e7a-a1ba-4e86-afb2-e829e11b01d8 | Ensure that Register with Azure Active Directory is enabled on Function App | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 | CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | Authentication should be enabled on your Function app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 58d94fc1-a072-47c2-bd37-9cdb38e77453 | [Deprecated]: Ensure Function app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Audit Allowed: (Audit,Disabled) |
none |
| App Service | 10c1859c-e1a7-4df3-ab97-a487fa8059f6 | Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Latest TLS version should be used in your Function App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | Ensure that 'Java version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 | Ensure that '.NET Framework' version is the latest, if used as a part of the API app | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 6ad61431-88ce-4357-a0e1-6da43f292bd7 | [Deprecated]: Ensure WEB app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 86d97760-d216-4d81-a3ad-163087b2b6c3 | Ensure that Register with Azure Active Directory is enabled on API app | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | c4ebc54a-46e1-481a-bee2-d4411e95d828 | Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit Allowed: (Audit,Disabled) |
none |
| App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | Ensure that 'HTTP Version' is the latest, if used to run the Web app | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 0e60b895-3786-45da-8377-9c6b4b6ac5f9 | Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | a4af4a39-4135-47fb-b175-47fbdf85311d | Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Audit Allowed: (Audit,Disabled) |
none |
| App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | Ensure that 'Python version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 95bccee9-a7f8-4bec-9ee9-62c3473701fc | Authentication should be enabled on your web app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit Allowed: (Audit,Disabled) |
none |
| App Service | 752c6934-9bcc-4749-b004-655e676ae2ac | [Deprecated]: Audit enabling of diagnostic logs in App Services | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised | Default: Audit Allowed: (Audit,Disabled) |
none |
| App Service | 399b2637-a50f-4f95-96f8-3a145476eb15 | FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | Ensure that 'HTTP Version' is the latest, if used to run the Api app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit Allowed: (Audit,Disabled) |
none |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | b7ddfbdc-1260-477d-91fd-98bd9be789a6 | API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Audit Allowed: (Audit,Disabled) |
none |
| App Service | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac | CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 | Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| App Service | e9c8d085-d9cc-4b17-9cdc-059f1f01f19e | Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Automation | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Backup | 013e242c-8828-4970-87b3-ab247555486d | Azure Backup should be enabled for Virtual Machines | This policy helps audit if Azure Backup service is enabled for all Virtual machines. Azure Backup is a cost-effective, one-click backup solution simplifies data recovery and is easier to enable than other cloud backup services. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on VMs of a location to an existing central Vault in the same location | This policy configures Azure Backup protection on VMs in a given location to an existing central vault in the same location. It applies to only those VMs that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond the defined schedule. This policy will be enhanced to support more VM images. | Default: deployIfNotExists Allowed: (deployIfNotExists,auditIfNotExists,disabled) |
Virtual Machine Contributor Backup Contributor |
| Batch | 428256e6-1fac-4f48-a757-df34c2b3336d | Diagnostic logs in Batch accounts should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Batch | 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 | Metric alert rules should be configured on Batch accounts | Audit configuration of metric alert rules on Batch account to enable the required metric | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Cache | 22bee202-a82f-4305-9a2a-6d7f44d4dedb | Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | Azure Cache for Redis should reside within a virtual network | This policy audits whether the Azure Cache for Redis resource has a non-public endpoint by being deployed into a virtual network. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Public network access should be disabled for Cognitive Services accounts | This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Cognitive Services | 46aa9b05-0e60-4eae-a88b-1e9d374fa515 | Cognitive Services accounts should use customer owned storage | This policy audits any Cognitive Services account not using customer owned storage. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Cognitive Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Cognitive Services | 11566b39-f7f7-4b82-ab06-68d8700eb0a4 | Cognitive Services accounts should use customer owned storage or enable data encryption. | This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with customer managed key | This policy audits any Cognitive Services account not using data encryption with customer managed key. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Cognitive Services | 2bdd0062-9d75-436e-89df-487dd8e4b3c7 | Cognitive Services accounts should enable data encryption | This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Compute | c43e4a30-77cb-48ab-a4dd-93f175c63b57 | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Compute | 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 | Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Fixed: auditIfNotExists | none |
| Compute | 9b597639-28e4-48eb-b506-56b05d366257 | Microsoft IaaSAntimalware extension should be deployed on Windows servers | This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Compute | 06a78e20-9358-41c9-923c-fb736d382a4d | Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks | Fixed: audit | none |
| Compute | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Compute | 465f0161-0087-490a-9ad9-ad6217f4f43a | Require automatic OS image patching on Virtual Machine Scale Sets | This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month. | Fixed: deny | none |
| Compute | 2c89a2e5-7285-40fe-afe0-ae8654b92fb2 | Unattached disks should be encrypted | This policy audits any unattached disk without encryption enabled. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Compute | 2835b622-407b-4114-9198-6f7064cbe0dc | Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | Fixed: deployIfNotExists | Virtual Machine Contributor |
| Compute | cccc23c7-8427-4f53-ad12-b6a63eb452b3 | Allowed virtual machine size SKUs | This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Fixed: Deny | none |
| Compute | 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 | [Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs | This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the selected Log Analytics workspace | Fixed: deployIfNotExists | Log Analytics Contributor |
| Compute | c0e996f8-39cf-4af9-9f45-83fbde810432 | Only approved VM extensions should be installed | This policy governs the virtual machine extensions that are not approved. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | Diagnostic logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container Registries should be encrypted with a Customer-Managed Key (CMK) | Audit Container Registries that do not have encryption enabled with Customer-Managed Keys (CMK). For more information on CMK encryption, please visit: https://aka.ms/acr/CMK. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container Registries should use private links | Audit Container Registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/acr/private-link. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container Registries should not allow unrestricted network access | Audit Container Registries that do not have any Network (IP or VNET) Rules configured and allow all network access by default. Container Registries with at least one IP / Firewall rule or configured virtual network will be deemed compliant. For more information on Container Registry Network rules, please visit: https://aka.ms/acr/vnet. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Audit or deny resources that do not have any IP rules configured and allow all networks by default. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default: Deny Allowed: (Audit,Deny,Disabled) |
none |
| Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB account should use customer-managed keys to encrypt data at rest | Use customer-managed keys to control the encryption at rest of the data stored in Azure Cosmos DB when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. See https://aka.ms/cosmosdb-cmk | Default: audit Allowed: (audit,deny,disabled) |
none |
| Cosmos DB | 4750c32b-89c0-46af-bfcb-2e4541a818d5 | Azure Cosmos DB key based metadata write access should be disabled | This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. | Fixed: append | none |
| Cosmos DB | b5f04e03-92a3-4b09-9410-2cc5e5047656 | Deploy Advanced Threat Protection for Cosmos DB Accounts | This policy enables Advanced Threat Protection across Cosmos DB accounts. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Security Admin |
| Cosmos DB | 0473574d-2d43-4217-aefe-941fcdf7e684 | Azure Cosmos DB allowed locations | This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. |
Default: deny Allowed: (deny,audit,disabled) |
none |
| Cosmos DB | 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf | Azure Cosmos DB throughput should be limited | This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. | Default: deny Allowed: (audit,deny,disabled) |
none |
| Custom Provider | c15c281f-ea5c-44cd-90b8-fc3c14d13f0c | Deploy associations for a custom provider | Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | Contributor |
| Data Lake | 057ef27e-665e-4328-8ea3-04b3122bd9fb | Diagnostic logs in Azure Data Lake Store should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Data Lake | a7ff3161-0087-490a-9ad9-ad6217f4f43a | Require encryption on Data Lake Store accounts | This policy ensures encryption is enabled on all Data Lake Store accounts | Fixed: deny | none |
| Data Lake | c95c74d9-38fe-4f0d-af86-0c7d626a315c | Diagnostic logs in Data Lake Analytics should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private links | Audit Azure Event Grid domains that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections via private links. For more information, visit https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private links | Audit Azure Event Grid topics that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections via private links. For more information, visit https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Event Hub | f4826e5f-6a27-407c-ae3e-9582eb39891d | Authorization rules on the Event Hub instance should be defined | Audit existence of authorization rules on Event Hub entities to grant least-privileged access | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Event Hub | 83a214f7-d01a-484b-91a9-ed54470c9a6a | Diagnostic logs in Event Hub should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Event Hub | b278e460-7cfc-4451-8294-cccc40a940d7 | All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace | Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| General | 94c19f19-8192-48cd-a11b-e37099d3e36b | [Deprecated]: Allow resource creation only in European data centers | Allows resource creation in the following locations only: North Europe, West Europe | Fixed: Deny | none |
| General | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Default: Audit Allowed: (Audit,Disabled) |
none |
| General | 983211ba-f348-4758-983b-21fa29294869 | [Deprecated]: Allow resource creation only in United States data centers | Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US | Fixed: Deny | none |
| General | c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 | [Deprecated]: Allow resource creation only in Asia data centers | Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West | Fixed: Deny | none |
| General | 6fdb9205-3462-4cfc-87d8-16c7860b53f4 | [Deprecated]: Allow resource creation only in Japan data centers | Allows resource creation in the following locations only: Japan East, Japan West | Fixed: Deny | none |
| General | e56962a6-4747-49cd-b67b-bf8b01975c4c | Allowed locations | This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. | Fixed: deny | none |
| General | 0a914e76-4921-4c19-b460-a2d36003525a | Audit resource location matches resource group location | Audit that the resource location matches its resource group location | Fixed: audit | none |
| General | a08ec900-254a-4555-9bf5-e42af04b5c5c | Allowed resource types | This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. | Fixed: deny | none |
| General | e765b5de-1225-4ba3-bd56-1ac6695af988 | Allowed locations for resource groups | This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. | Fixed: deny | none |
| General | 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 | [Deprecated]: Allow resource creation only in India data centers | Allows resource creation in the following locations only: West India, South India, Central India | Fixed: Deny | none |
| General | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 | Not allowed resource types | This policy enables you to specify the resource types that your organization cannot deploy. | Fixed: Deny | none |
| General | e01598e8-6538-41ed-95e8-8b29746cd697 | [Deprecated]: Allow resource creation only in Japan data centers | Allows resource creation in the following locations only: Japan East, Japan West | Fixed: Deny | none |
| General | 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9 | Custom subscription owner roles should not exist | This policy ensures that no custom subscription owner roles exist. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Guest Configuration | 29829ec2-489d-4925-81b7-bda06b1718e0 | Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 7227ebe5-9ff7-47ab-b823-171cd02fb90f | Show audit results from Windows VMs on which the DSC configuration is not compliant | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 7e56b49b-5990-4159-a734-511ea19b731c | Show audit results from Windows VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 225e937e-d32e-4713-ab74-13ce95b3519a | Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 9f658460-46b7-43af-8565-94fc0662be38 | Show audit results from Windows VMs that are not set to the specified time zone | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 7229bd6a-693d-478a-87f0-1dc1af06f3b8 | Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 7e84ba44-6d03-46fd-950e-5efa5a1112fa | Show audit results from Windows VMs that have not restarted within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 | Show audit results from Windows VMs configurations in 'Security Options - Devices' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 5c028d2a-1889-45f6-b821-31f42711ced8 | Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 | Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | b821191b-3a12-44bc-9c38-212138a29ff3 | Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 5aa11bbc-5c76-4302-80e5-aba46a4282e7 | Show audit results from Windows VMs that do not have a minimum password age of 1 day | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 23020aa6-1135-4be2-bae2-149982b06eca | Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | [Preview]: Audit Linux virtual machines on which the use of passwords for SSH is allowed | This policy audits Linux virtual machines that use passwords for authenticating through SSH. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Guest Configuration | 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 | Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | a030a57e-4639-4e8f-ade9-a92f33afe7ee | Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 5aebc8d1-020d-4037-89a0-02043a7524ec | Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c | Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | fcbc55c9-f25a-4e55-a6cb-33acb3be778b | Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | d7ccd0ca-8d78-42af-a43d-6b7f928accbc | Show audit results from Windows Server VMs on which Windows Serial Console is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux virtual machines | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Guest Configuration | 32b1e4d4-6cd5-47b4-a935-169da8a5c262 | Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 60ffe3e2-4604-4460-8f22-0f1da058266c | Show audit results from Windows web servers that are not using secure communication protocols | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | e0efc13a-122a-47c5-b817-2ccfe5d12615 | Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy | This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | e3a77a94-cf41-4ee8-b45c-98be28841c03 | Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 315c850a-272d-4502-8935-b79010405970 | Deploy prerequisites to audit Windows VMs that are not joined to the specified domain | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 30040dab-4e75-4456-8273-14b8f75d91d9 | Show audit results from Windows VMs configurations in 'Security Options - Network Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 7a031c68-d6ab-406e-a506-697a19c634b0 | Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled | This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | [Preview]: Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | ddb53c61-9db4-41d4-a953-2abff5b66c12 | Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | b3802d79-dd88-4bce-b81d-780218e48280 | Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | Show audit results from Windows VMs on which the remote host connection status does not match the specified one | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | a1e8dda3-9fd2-4835-aec3-0e55531fde33 | Show audit results from Windows VMs configurations in 'Administrative Templates - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 620e58b5-ac75-49b4-993f-a9d4f0459636 | Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | b2fc8f91-866d-4434-9089-5ebfe38d6fd8 | Deploy prerequisites to audit Windows web servers that are not using secure communication protocols | This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows virtual machines | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 5e393799-e3ca-4e43-a9a5-0ec4648a57d9 | Show audit results from Windows VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 2d60d3b7-aa10-454c-88a8-de39d99d17c6 | Show audit results from Windows VMs that do not store passwords using reversible encryption | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | dd4680ed-0559-4a6a-ad10-081d14cbb484 | Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | b872a447-cc6f-43b9-bccf-45703cd81607 | Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 60aeaf73-a074-417a-905f-7ce9df0ff77b | Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 12f7e5d0-42a7-4630-80d8-54fb7cff9bd6 | Deploy prerequisites to audit Windows VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | f8036bd0-c10b-4931-86bb-94a878add855 | Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | c8abcef9-fc26-482f-b8db-5fa60ee4586d | Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 8ff0b18b-262e-4512-857a-48ad0aeb9a78 | Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 144f1397-32f9-4598-8c88-118decc3ccba | Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | Show audit results from Windows VMs configurations in 'User Rights Assignment' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | c96f3246-4382-4264-bf6b-af0b35e23c3c | Deploy prerequisites to audit Windows VMs with a pending reboot | This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 21e2995e-683e-497a-9e81-2f42ad07050a | Show audit results from Windows VMs configurations in 'Security Options - Audit' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 16f9b37c-4408-4c30-bc17-254958f2e2d6 | Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | c21f7060-c148-41cf-a68b-0ab3e14c764c | Deploy prerequisites to audit Windows VMs that are not set to the specified time zone | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 87b590fe-4a1d-4697-ae74-d4fe72ab786c | Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 4d1c04de-2172-403f-901b-90608c35c721 | Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 8bbd627e-4d25-4906-9a6e-3789780af3ec | Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 8b0de57a-f511-4d45-a277-17cb79cb163b | Show audit results from Windows VMs with a pending reboot | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Guest Configuration | fee5cb2b-9d9b-410e-afe3-2902d90d0004 | Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a | Show audit results from Windows VMs on which the specified services are not installed and 'Running' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 106ccbe4-a791-4f33-a44a-06796944b8d5 | Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root | This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 | Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 884b209a-963b-4520-8006-d20cb3c213e0 | Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 90ba2ee7-4ca8-4673-84d1-c851c50d3baf | Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 7066131b-61a6-4917-a7e4-72e8983f0aa6 | Show audit results from Windows VMs configurations in 'System Audit Policies - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | bc87d811-4a9b-47cc-ae54-0a41abda7768 | Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | f0633351-c7b2-41ff-9981-508fc08553c2 | Deploy prerequisites to audit Windows VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 9328f27e-611e-44a7-a244-39109d7d35ab | Show audit results from Windows VMs that contain certificates expiring within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 68511db2-bd02-41c4-ae6b-1900a012968a | Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | bde62c94-ccca-4821-a815-92c1d31a76de | Show audit results from Windows VMs in which the Administrators group contains any of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d | [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce | Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | Show audit results from Windows VMs that allow re-use of the previous 24 passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 8a39d1f1-5513-4628-b261-f469a5a3341b | Show audit results from Windows VMs configurations in 'Security Options - System settings' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | [Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled | Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. This policy requires the Azure Policy for Windows extension. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | a29ee95c-0395-4515-9851-cc04ffe82a91 | Show audit results from Windows VMs that are not joined to the specified domain | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 0d9b45ff-9ddd-43fc-bf59-fbd1c8423053 | [Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | f48b2913-1dc5-4834-8c72-ccc1dfd819bb | Show audit results from Windows VMs that do not have the password complexity setting enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | cc7cda28-f867-4311-8497-a526129a8d19 | Show audit results from Windows VMs in which the Administrators group does not contain only the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | ba12366f-f9a6-42b8-9d98-157d0b1a837b | Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | f3b9ad83-000d-4dc1-bff0-6d54533dd03f | Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | f3b44e5d-1456-475f-9c67-c66c4618e85a | Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | 9178b430-2295-406e-bb28-f6a7a2a2f897 | Show audit results from Windows VMs configurations in 'Windows Components' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
| Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Guest Configuration | 93507a81-10a4-4af0-9ee2-34cf25a96e98 | Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
| Internet of Things | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | Diagnostic logs in IoT Hub should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | [Preview]: Manage certificates that are within a specified number of days of expiration | This policy manages certificates that are within a specified number of days to their expiration date. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | [Preview]: Manage certificate validity period | This policy manages the maximum validity period for certificates in months. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Key Vault | ed7c8c13-51e7-49d1-8a43-8490431a0da2 | Deploy Diagnostic Settings for Key Vault to Event Hub | Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated. | Fixed: deployIfNotExists | Contributor |
| Key Vault | cee51871-e572-4576-855c-047c820360f0 | [Preview]: Manage minimum key size for RSA certificates | This policy manages the minimum key size for RSA certificates. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | [Preview]: Manage allowed certificate key types | This policy manages the allowed key types for certificates. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | [Preview]: Manage certificates issued by an integrated CA | This policy manages certificates are issued by a specified key vault integrated Certificate Authority. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | [Preview]: Manage allowed curve names for elliptic curve cryptography certificates | This policy manages the allowed elliptic curve names for elliptic curve cryptography certificates. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | [Preview]: Manage certificates issued by a non-integrated CA | This policy manages certificates are issued by a specified non-integrated Certificate Authority. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | [Preview]: Manage certificate lifetime action triggers | This policy manages the configuration for certificate lifetime action triggers before certificate expiration. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Key Vault | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key Vault objects should be recoverable | This policy audits if key vault objects are not recoverable. Soft Delete feature helps to effectively hold the resources for a given retention period (90 days) even after a DELETE operation, while giving the appearance that the object is deleted. When 'Purge protection' is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention policy will be followed. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Key Vault | cf820ca0-f99e-4f3e-84fb-66e913812d21 | Diagnostic logs in Key Vault should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | [Preview]: Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | [Preview]: Kubernetes clusters should not allow container privilege escalation | This policy does not allow containers to use privilege escalation in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | [Preview]: Kubernetes cluster pods should only use approved host network and port range | This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | [Preview]: Do not allow privileged containers in Kubernetes cluster | This policy does not allow privileged containers creation in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | [Preview]: Kubernetes cluster containers should not use forbidden sysctl interfaces | This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | [Preview]: Kubernetes cluster containers should only use allowed seccomp profiles | This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | [Preview]: Kubernetes cluster pod hostPath volumes should only use allowed host paths | This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | [Preview]: Enforce HTTPS ingress in Kubernetes cluster | This policy enforces HTTPS ingress in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | [Preview]: Kubernetes cluster containers should only use allowed AppArmor profiles | This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | [Preview]: Kubernetes cluster pods should only use allowed volume types | This policy ensures pods can only use allowed volume types in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | [Preview]: Kubernetes cluster containers should not share host process ID or host IPC namespace | This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | [Preview]: Kubernetes cluster containers should only use allowed capabilities | This policy ensures containers only use allowed capabilities in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | [Preview]: Kubernetes cluster containers should only use allowed ProcMountType | This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 | [Preview]: Deploy GitOps to Kubernetes cluster | This policy deploys a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth from the defined git repo. For instructions on using this policy, visit https://aka.ms/K8sGitOpsPolicy. | Fixed: DeployIfNotExists | Contributor |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | [Preview]: Enforce labels on pods in Kubernetes cluster | This policy enforces the specified labels are provided for pods in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | [Preview]: Kubernetes cluster containers should run with a read only root file system | This policy ensures containers run with a read only root file system in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | [Preview]: Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | [Preview]: Kubernetes cluster pods and containers should only run with approved user and group IDs | This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | [Preview]: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | [Preview]: Enforce internal load balancers in Kubernetes cluster | This policy enforces load balancers do not have public IPs in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 0a15ec92-a229-4763-bb14-0ea34a568f8d | [Preview]: Kubernetes Management Policy add-on should be installed and enabled on your clusters | Azure Kubernetes Management Policy add-on extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Preview]: Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | [Preview]: Kubernetes cluster pods and containers should only use allowed SELinux options | This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | [Preview]: Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
| Kubernetes service | 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | [Deprecated]: Do not allow privileged containers in AKS | This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
| Kubernetes service | 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | [Deprecated]: Ensure only allowed container images in AKS | This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
| Kubernetes service | a2d3ed81-8d11-4079-80a5-1faadc0024f4 | [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS | This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
| Kubernetes service | 16c6ca72-89d2-4798-b87e-496f9de7fcb7 | [Deprecated]: Enforce labels on pods in AKS | This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
| Kubernetes service | a74d8f00-2fd9-4ce4-968e-0ee1eb821698 | [Deprecated]: Enforce internal load balancers in AKS | This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
| Kubernetes service | 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | [Deprecated]: Enforce HTTPS ingress in AKS | This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
| Kubernetes service | 0f636243-1b1c-4d50-880f-310f6199f2cb | [Deprecated]: Ensure containers listen only on allowed ports in AKS | This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
| Kubernetes service | d011d9f7-ba32-4005-b727-b3d09371ca60 | [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS | This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
| Kubernetes service | 25dee3db-6ce0-4c02-ab5d-245887b24077 | [Deprecated]: Ensure services listen only on allowed ports in AKS | This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
| Lighthouse | 76bed37b-484f-430f-a009-fd7592dff818 | Audit delegation of scopes to a managing tenant | Audit delegation of scopes to a managing tenant via Azure Lighthouse. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Logic Apps | 34f95f76-5386-4de7-b824-0d8478470c9d | Diagnostic logs in Logic Apps should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | This policy helps provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting,disabled) |
none |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | This policy helps provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting,disabled) |
none |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | This policy helps provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting,disabled) |
none |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | This policy helps provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting,disabled) |
none |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | This policy helps configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting,disabled) |
none |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | This policy helps provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting,disabled) |
none |
| Managed Application | 17763ad9-70c0-4794-9397-53d765932634 | Deploy associations for a managed application | Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | Contributor |
| Monitoring | e8d096bc-85de-4c5f-8cfb-857bd1b9d62d | Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
| Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
| Monitoring | 41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 | Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | a1dae6c7-13f3-48ea-a149-ff8442661f60 | Deploy Diagnostic Settings for Logic Apps to Event Hub | Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
| Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | [Preview]: Deploy Log Analytics agent to Linux Azure Arc machines | This policy deploys the Log Analytics agent to Linux Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
| Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy Log Analytics agent for Windows VMs | Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: deployIfNotExists | Log Analytics Contributor |
| Monitoring | ef7b61ef-b8e4-4c91-8e78-6946c6b0023f | Deploy Diagnostic Settings for Event Hub to Event Hub | Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
| Monitoring | efbde977-ba53-4479-b8e9-10b957924fbf | The Log Analytics agent should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
| Monitoring | fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 | Storage account containing the container with activity logs must be encrypted with BYOK | This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | b02aacc0-b073-424e-8298-42b22829ee0a | Activity log should be retained for at least one year | This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | c84e5349-db6d-4769-805e-e14037dab9b5 | Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
| Monitoring | 7796937f-307b-4598-941c-67d3a05ebfe7 | Azure subscriptions should have a log profile for Activity Log | This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | [Preview]: Deploy Dependency agent to Windows Azure Arc machines | This policy deploys the Dependency agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
| Monitoring | 6b51af03-9277-49a9-a3f8-1c69c9ff7403 | Deploy Diagnostic Settings for Service Bus to Event Hub | Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy Dependency agent for Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: deployIfNotExists | Log Analytics Contributor |
| Monitoring | 1a4e592a-6a6e-44a5-9814-e36264ca96e7 | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | 842c54e8-c2f9-4d79-ae8d-38d8b8019373 | [Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
| Monitoring | 4daddf25-4823-43d4-88eb-2419eb6dcc08 | Deploy Diagnostic Settings for Data Lake Analytics to Event Hub | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
| Monitoring | f47b5582-33ec-4c5c-87c0-b010a6b2e917 | Audit Log Analytics workspace for VM - Report Mismatch | Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | Fixed: audit | none |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Log Analytics Contributor Virtual Machine Contributor |
| Monitoring | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 | Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists | none |
| Monitoring | deacecc0-9f84-44d2-bb82-46f32d766d43 | [Preview]: Deploy Dependency agent to hybrid Linux Azure Arc machines | This policy deploys the Dependency agent to Linux Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
| Monitoring | b954148f-4c11-4c38-8221-be76711e194a | An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Virtual Machine Contributor |
| Monitoring | db51110f-0865-4a6e-b274-e2e07a5b2cd7 | Deploy Diagnostic Settings for Batch Account to Event Hub | Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
| Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics agent for Linux VMs | Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
| Monitoring | 3b980d31-7904-4bb7-8575-5665739a8052 | An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Virtual Machine Contributor |
| Monitoring | d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e | [Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Log Analytics Contributor Virtual Machine Contributor |
| Monitoring | c5447c04-a4d7-4ba8-a263-c9ee321a6858 | An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | 08ba64b8-738f-4918-9686-730d2ed79c7d | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
| Monitoring | c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 | Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | Fixed: deployIfNotExists | Monitoring Contributor Storage Account Contributor |
| Monitoring | a70ca396-0a34-413a-88e1-b956c1e683be | The Log Analytics agent should be installed on virtual machines | This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | 3d5da587-71bd-41f5-ac95-dd3330c2d58d | Deploy Diagnostic Settings for Search Services to Event Hub | Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
| Monitoring | b889a06c-ec72-4b03-910a-cb169ee18721 | Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
| Monitoring | 04c4380f-3fae-46e8-96c9-30193528f602 | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | 11ac78e3-31bc-4f0c-8434-37ab963cea07 | Audit Dependency agent deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists | none |
| Monitoring | d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
| Monitoring | edf3780c-3d70-40fe-b17e-ab72013dafca | Deploy Diagnostic Settings for Stream Analytics to Event Hub | Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
| Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists | none |
| Monitoring | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | [Preview]: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed: deployIfNotExists | Monitoring Contributor Log Analytics Contributor |
| Monitoring | 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
| Monitoring | 7f89b1eb-583c-429a-8828-af049802c1d9 | Audit diagnostic setting | Audit diagnostic setting for selected resource types | Fixed: AuditIfNotExists | none |
| Monitoring | 3e596b57-105f-48a6-be97-03e9243bad6e | Azure Monitor solution 'Security and Audit' must be deployed | This policy ensures that Security and Audit is deployed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Monitoring | 25763a0a-5783-4f14-969e-79d4933eb74b | Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines | This policy deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
| Monitoring | 32133ab0-ee4b-4b44-98d6-042180979d50 | [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists | none |
| Network | f6b68e5a-7207-4638-a1fb-47d90404209e | [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. | Default: Deny Allowed: (Audit,Deny,Disabled) |
none |
| Network | be7ed5c8-2660-4136-8216-e6f3412ba909 | [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Deny Allowed: (Audit,Deny,Disabled) |
none |
| Network | c4857be7-912a-4c75-87e6-e30292bcdf78 | [Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Network | fc5e4038-4584-4632-8c85-c0448d374b2c | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Network | a9b99dd8-06c5-4317-8629-9d86a3c6e7d9 | Deploy network watcher when virtual networks are created | This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. | Fixed: DeployIfNotExists | Network Contributor |
| Network | 12430be1-6cc8-4527-a9a8-e3d38f250096 | Web Application Firewall (WAF) should use the specified mode for Application Gateway | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Network | 50b83b09-03da-41c1-b656-c293c914862b | A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections | This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. Supported algorithms and key strengths - https://aka.ms/AA62kb0 | Default: Audit Allowed: (Audit,Disabled) |
none |
| Network | 88c0b9da-ce96-4b03-9635-f29a937e2900 | Network interfaces should disable IP forwarding | This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. | Fixed: deny | none |
| Network | 425bea59-a659-4cbb-8d31-34499bd030b8 | Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Network | d63edb4a-c612-454d-b47d-191a724fcbf0 | Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Network | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. | Fixed: auditIfNotExists | none |
| Network | 83a86a26-fd1f-447c-b59d-e51f44264114 | Network interfaces should not have public IPs | This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. | Fixed: deny | none |
| Network | ea4d6841-2173-4317-9747-ff522a45120f | Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Network | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Web Application Firewall (WAF) should be enabled for Azure Front Door Service | Requires Web Application Firewall (WAF) on any Azure Front Door Service. A Web Application Firewall provides greater security for your other Azure resources. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Network | d416745a-506c-48b6-8ab1-83cb814bcaa3 | Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Network | 235359c5-7c52-4b82-9055-01c75cf9f60e | Service Bus should use a virtual network service endpoint | This policy audits any Service Bus not configured to use a virtual network service endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Network | ae5d2f14-d830-42b6-9899-df6cfe9c71a3 | SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Network | 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | App Service should use a virtual network service endpoint | This policy audits any App Service not configured to use a virtual network service endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Network | 2c89a2e5-7285-40fe-afe0-ae8654b92fab | SSH access from the Internet should be blocked | This policy audits any network security rule that allows SSH access from Internet | Default: Audit Allowed: (Audit,Disabled) |
none |
| Network | f1776c76-f58c-4245-a8d0-2b207198dc8b | Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Network | e372f825-a257-4fb8-9175-797a8a8627d6 | RDP access from the Internet should be blocked | This policy audits any network security rule that allows RDP access from Internet | Default: Audit Allowed: (Audit,Disabled) |
none |
| Network | 60d21c4f-21a3-4d94-85f4-b924e6aeeda4 | Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Network | e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9 | Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Network | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Web Application Firewall (WAF) should be enabled for Application Gateway | Requires Web Application Firewall (WAF) on any Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Network | 35f9c03a-cc27-418e-9c0c-539ff999d010 | Gateway subnets should not be configured with a network security group | This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | Fixed: deny | none |
| Network | e345b6c3-24bd-4c93-9bbb-7e5e49a17b78 | Azure VPN gateways should not use 'basic' SKU | This policy ensures that VPN gateways do not use 'basic' SKU. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Regulatory Compliance | a96f743d-a195-420d-983a-08aa06bc441e | Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | b083a535-a66a-41ec-ba7f-f9498bf67cde | Microsoft Managed Control 1711 - Security Function Verification | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | b19454ca-0d70-42c0-acf5-ea1c1e5726d1 | Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | a96d5098-a604-4cdf-90b1-ef6449a27424 | Microsoft Managed Control 1400 - Controlled Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | a9172e76-7f56-46e9-93bf-75d69bdb5491 | Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | b07c9b24-729e-4e85-95fc-f224d2d08a80 | Microsoft Managed Control 1429 - Media Marking | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | b11c985b-f2cd-4bd7-85f4-b52426edf905 | Microsoft Managed Control 1571 - Acquisition Process | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c | Microsoft Managed Control 1073 - Access Control For Mobile Devices | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | af2a93c8-e6dd-4c94-acdd-4a2eedfc478e | Microsoft Managed Control 1710 - Security Function Verification | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | afc234b5-456b-4aa5-b3e2-ce89108124cc | Microsoft Managed Control 1725 - Error Handling | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | afbd0baf-ff1a-4447-a86f-088a97347c0c | Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | aeedddb6-6bc0-42d5-809b-80048033419d | Microsoft Managed Control 1413 - Nonlocal Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | a9eae324-d327-4539-9293-b48e122465f8 | Microsoft Managed Control 1511 - Personnel Screening | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8 | Microsoft Managed Control 1272 - Alternate Processing Site | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | adfe020d-0a97-45f4-a39c-696ef99f3a95 | Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical Usage | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | aabb155f-e7a5-4896-a767-e918bfae2ee0 | Microsoft Managed Control 1539 - Security Categorization | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | ad58985d-ab32-4f99-8bd3-b7e134c90229 | Microsoft Managed Control 1454 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | aae8d54c-4bce-4c04-b3aa-5b65b67caac8 | Microsoft Managed Control 1006 - Account Management | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | aafef03e-fea8-470b-88fa-54bd1fcd7064 | Microsoft Managed Control 1461 - Monitoring Physical Access | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | ad2f8e61-a564-4dfd-8eaa-816f5be8cb34 | Microsoft Managed Control 1569 - Acquisition Process | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | ac43352f-df83-4694-8738-cfce549fd08d | Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | abe8f70b-680f-470c-9b86-a7edfb664ecc | Microsoft Managed Control 1323 - Authenticator Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | a9a08d1c-09b1-48f1-90ea-029bbdf7111e | Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | ae7e1f5e-2d63-4b38-91ef-bce14151cce3 | Microsoft Managed Control 1598 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 8fd7b917-d83b-4379-af60-51e14e316c61 | Microsoft Managed Control 1013 - Account Management | Automated System Account Management | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | a895fbdb-204d-4302-9689-0a59dc42b3d9 | Microsoft Managed Control 1295 - Information System Recovery And Reconstitution | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 976a74cf-b192-4d35-8cab-2068f272addb | Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 9e7c35d0-12d4-4e0c-80a2-8a352537aefd | Microsoft Managed Control 1504 - Information Security Architecture | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | 9693b564-3008-42bc-9d5d-9c7fe198c011 | Microsoft Managed Control 1453 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 9e93fa71-42ac-41a7-b177-efbfdc53c69f | Microsoft Managed Control 1609 - Development Process, Standards, And Tools | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 9ed09d84-3311-4853-8b67-2b55dfa33d09 | Microsoft Managed Control 1494 - System Security Plan | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | 9ed5ca00-0e43-434e-a018-7aab91461ba7 | Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 9f2b2f9e-4ba6-46c3-907f-66db138b6f85 | Microsoft Managed Control 1187 - Configuration Change Control | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef | Microsoft Managed Control 1717 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 961663a1-8a91-4e59-b6f5-1eee57c0f49c | Microsoft Managed Control 1163 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 9fd92c17-163a-4511-bb96-bbb476449796 | Microsoft Managed Control 1354 - Incident Response Training | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 953e6261-a05a-44fd-8246-000e1a3edbb9 | Microsoft Managed Control 1526 - Access Agreements | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | a0724970-9c75-4a64-a225-a28002953f28 | Microsoft Managed Control 1145 - Security Assessments | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 9447f354-2c85-4700-93b3-ecdc6cb6a417 | Microsoft Managed Control 1371 - Incident Reporting | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 9442dd2c-a07f-46cd-b55a-553b66ba47ca | Microsoft Managed Control 1379 - Incident Response Plan | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 942b3e97-6ae3-410e-a794-c9c999b97c0b | Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | a0e45314-57b8-4623-80cd-bbb561f59516 | Microsoft Managed Control 1245 - Contingency Plan | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | a0f5339c-9292-43aa-a0bc-d27c6b8e30aa | Microsoft Managed Control 1406 - Maintenance Tools | Inspect Media | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 9e61da80-0957-4892-b70c-609d5eaafb6b | Microsoft Managed Control 1490 - Security Planning Policy And Procedures | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | a18adb5b-1db6-4a5b-901a-7d3797d12972 | Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 9e5225fe-cdfb-4fce-9aec-0fe20dd53b62 | Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 97ed5bac-a92f-4f6d-a8ed-dc094723597c | Microsoft Managed Control 1136 - Audit Record Retention | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 9ba3ed84-c768-4e18-b87c-34ef1aff1b57 | Microsoft Managed Control 1236 - Software Usage Restrictions | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 9be2f688-7a61-45e3-8230-e1ec93893f66 | Microsoft Managed Control 1525 - Personnel Transfer | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 9c284fc0-268a-4f29-af44-3c126674edb4 | Microsoft Managed Control 1138 - Audit Generation | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 9adf7ba7-900a-4f35-8d57-9f34aafc405c | Microsoft Managed Control 1049 - System Use Notification | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 9a3eb0a3-428d-4669-baff-20a14eb4b551 | Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared / Group Accounts | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 9c308b6b-2429-4b97-86cf-081b8e737b04 | Microsoft Managed Control 1135 - Non-Repudiation | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 9d0a794f-1444-4c96-9534-e35fc8c39c91 | Microsoft Managed Control 1489 - Location Of Information System Components | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 9a16d673-8cf0-4dcf-b1d5-9b3e114fef71 | Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 99deec7d-5526-472e-b07c-3645a792026a | Microsoft Managed Control 1300 - Identification And Authentication (Organizational Users) | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 9943c16a-c54c-4b4a-ad28-bfd938cdbf57 | Microsoft Managed Control 1102 - Audit Events | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 98a4bd5f-6436-46d4-ad00-930b5b1dfed4 | Microsoft Managed Control 1076 - Use Of External Information Systems | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 9d1d971e-467e-4278-9633-c74c3d4fecc4 | Microsoft Managed Control 1322 - Authenticator Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 97fceb70-6983-42d0-9331-18ad8253184d | Microsoft Managed Control 1378 - Incident Response Plan | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 9d79001f-95fe-45d0-8736-f217e78c1f57 | Microsoft Managed Control 1233 - Configuration Management Plan | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 9d9166a8-1722-4b8f-847c-2cf3f2618b3d | Microsoft Managed Control 1305 - Identification And Authentication (Org. Users) | Group Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 9d9e18f7-bad9-4d30-8806-a0c9d5e26208 | Microsoft Managed Control 1259 - Contingency Training | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 9dd5b241-03cb-47d3-a5cd-4b89f9c53c92 | Microsoft Managed Control 1500 - Rules Of Behavior | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | 9df4277e-8c88-4d5c-9b1a-541d53d15d7b | Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 8b2b263e-cd05-4488-bcbf-4debec7a17d9 | Microsoft Managed Control 1534 - Personnel Sanctions | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 93fd8af1-c161-4bae-9ba9-f62731f76439 | Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | a2037b3d-8b04-4171-8610-e6d4f1d08db5 | Microsoft Managed Control 1612 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 8fb0966e-be1d-42c3-baca-60df5c0bcc61 | Microsoft Managed Control 1668 - Flaw Remediation | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 8f5ad423-50d6-4617-b058-69908f5586c9 | Microsoft Managed Control 1517 - Personnel Termination | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 8e5ef485-9e16-4c53-a475-fbb8107eac59 | Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | a631d8f5-eb81-4f9d-9ee1-74431371e4a3 | Microsoft Managed Control 1617 - Application Partitioning | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 8de614d8-a8b7-4f70-a62a-6d37089a002c | Microsoft Managed Control 1250 - Contingency Plan | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | a7173c52-2b99-4696-a576-63dd5f970ef4 | Microsoft Managed Control 1431 - Media Storage | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | a7211477-c970-446b-b4af-062f37461147 | Microsoft Managed Control 1644 - Cryptographic Key Establishment And Management | Availability | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 8dc459b3-0e77-45af-8d71-cfd8c9654fe2 | Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f | Microsoft Managed Control 1288 - Information System Backup | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 8d096fe0-f510-4486-8b4d-d17dc230980b | Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 8cfea2b3-7f77-497e-ac20-0752f2ff6eee | Microsoft Managed Control 1324 - Authenticator Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c | Microsoft Managed Control 1027 - Access Enforcement | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 8ce14753-66e5-465d-9841-26ef55c09c0d | Microsoft Managed Control 1316 - Identifier Management | Identify User Status | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | a7fcf38d-bb09-4600-be7d-825046eb162a | Microsoft Managed Control 1570 - Acquisition Process | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 8c79fee4-88dd-44ce-bbd4-4de88948c4f8 | Microsoft Managed Control 1683 - Information System Monitoring | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203 | Microsoft Managed Control 1458 - Physical Access Control | Information System Access | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12 | Microsoft Managed Control 1170 - Penetration Testing | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | a450eba6-2efc-4a00-846a-5804a93c6b77 | Microsoft Managed Control 1693 - Information System Monitoring | System-Generated Alerts | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 93e9e233-dd0a-4bde-aea5-1371bce0e002 | Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 9afe2edf-232c-4fdf-8e6a-e867a5c525fd | Microsoft Managed Control 1563 - Allocation Of Resources | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | a328fd72-8ff5-4f96-8c9c-b30ed95db4ab | Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41 | Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security Controls | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | a20d2eaa-88e2-4907-96a2-8f3a05797e5c | Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 92f85ce9-17b7-49ea-85ee-ea7271ea6b82 | Microsoft Managed Control 1290 - Information System Backup | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 924e1b2d-c502-478f-bfdb-a7e09a0d5c01 | Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / Analysis | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | a23d9d53-ad2e-45ef-afd5-e6d10900a737 | Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 91c97b44-791e-46e9-bad7-ab7c4949edbb | Microsoft Managed Control 1069 - Wireless Access | Authentication And Encryption | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 90f01329-a100-43c2-af31-098996135d2b | Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source) | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | a2567a23-d1c3-4783-99f3-d471302a4d6b | Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion Detection System | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | a2596a9f-e59f-420d-9625-6e0b536348be | Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | a29b5d9f-4953-4afe-b560-203a6410b6b4 | Microsoft Managed Control 1059 - Remote Access | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 90e01f69-3074-4de8-ade7-0fef3e7d83e0 | Microsoft Managed Control 1355 - Incident Response Training | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | a2c66299-9017-4d95-8040-8bdbf7901d52 | Microsoft Managed Control 1532 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 90d8b8ad-8ee3-4db7-913f-2a53fcff5316 | Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 90b60a09-133d-45bc-86ef-b206a6134bbe | Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 902908fb-25a8-4225-a3a5-5603c80066c9 | Microsoft Managed Control 1550 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | a2cdf6b8-9505-4619-b579-309ba72037ac | Microsoft Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 8fef824a-29a8-4a4c-88fc-420a39c0d541 | Microsoft Managed Control 1147 - Security Assessments | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1 | Microsoft Managed Control 1238 - User-Installed Software | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 9b1f3a9a-13a1-4b40-8420-36bca6fd8c02 | Microsoft Managed Control 1462 - Monitoring Physical Access | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | cd0ec6fa-a2e7-4361-aee4-a8688659a9ed | Microsoft Managed Control 1443 - Media Use | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | b25faf85-8a16-4f28-8e15-d05c0072d64d | Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | e72edbf6-aa61-436d-a227-0f32b77194b3 | Microsoft Managed Control 1567 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | e7568697-0c9e-4ea3-9cec-9e567d14f3c6 | Microsoft Managed Control 1311 - Identifier Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a | Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National Security System Connections | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | e77fcbf2-a1e8-44f1-860e-ed6583761e65 | Microsoft Managed Control 1273 - Alternate Processing Site | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | e7ba2cb3-5675-4468-8b50-8486bdd998a5 | Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | e80b6812-0bfa-4383-8223-cdd86a46a890 | Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | e8f6bddd-6d67-439a-88d4-c5fe39a79341 | Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | e901375c-8f01-4ac8-9183-d5312f47fe63 | Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking Restrictions | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | e91927a0-ac1d-44a0-95f8-5185f9dfce9f | Microsoft Managed Control 1723 - Information Input Validation | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | e98fe9d7-2ed3-44f8-93b7-24dca69783ff | Microsoft Managed Control 1200 - Security Impact Analysis | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | e9c3371d-c30c-4f58-abd9-30b8a8199571 | Microsoft Managed Control 1487 - Alternate Work Site | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | ea3e8156-89a1-45b1-8bd6-938abc79fdfd | Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | ea556850-838d-4a37-8ce5-9d7642f95e11 | Microsoft Managed Control 1422 - Maintenance Personnel | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | eab340d0-3d55-4826-a0e5-feebfeb0131d | Microsoft Managed Control 1542 - Risk Assessment | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb | Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | eb627cc6-3a9d-46b5-96b7-5fca49178a37 | Microsoft Managed Control 1321 - Authenticator Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | eca4d7b2-65e2-4e04-95d4-c68606b063c3 | Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | ecf56554-164d-499a-8d00-206b07c27bed | Microsoft Managed Control 1622 - Boundary Protection | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | edea4f20-b02c-4115-be75-86c080e5c0ed | Microsoft Managed Control 1217 - Least Functionality | Periodic Review | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | ee45e02a-4140-416c-82c4-fecfea660b9d | Microsoft Managed Control 1189 - Configuration Change Control | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | ef080e67-0d1a-4f76-a0c5-fb9b0358485e | Microsoft Managed Control 1089 - Security Awareness Training | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | e6e41554-86b5-4537-9f7f-4fc41a1d1640 | Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | ef0c8530-efd9-45b8-b753-f03083d06295 | Microsoft Managed Control 1314 - Identifier Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | e59671ab-9720-4ee2-9c60-170e8c82251e | Microsoft Managed Control 1499 - Rules Of Behavior | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | e55698b6-3dea-4aa9-99b9-d8218c6ab6e5 | Microsoft Managed Control 1023 - Account Management | Usage Conditions | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | dd83410c-ecb6-4547-8f14-748c3cbdc7ac | Microsoft Managed Control 1146 - Security Assessments | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | ddae2e97-a449-499f-a1c8-aea4a7e52ec9 | Microsoft Managed Control 1602 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | de901f2f-a01a-4456-97f0-33cda7966172 | Microsoft Managed Control 1689 - Information System Monitoring | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | deb9797c-22f8-40e8-b342-a84003c924e6 | Microsoft Managed Control 1528 - Access Agreements | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | dff0b90d-5a6f-491c-b2f8-b90aa402d844 | Microsoft Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | e0de232d-02a0-4652-872d-88afb4ae5e91 | Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | e12494fa-b81e-4080-af71-7dbacc2da0ec | Microsoft Managed Control 1714 - Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | e17085c5-0be8-4423-b39b-a52d3d1402e5 | Microsoft Managed Control 1686 - Information System Monitoring | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | e1da06bd-25b6-4127-a301-c313d6873fff | Microsoft Managed Control 1722 - Spam Protection | Automatic Updates | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62 | Microsoft Managed Control 1047 - System Use Notification | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | e214e563-1206-4a43-a56b-ac5880c9c571 | Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | e29e0915-5c2f-4d09-8806-048b749ad763 | Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | e2f8f6c6-dde4-436b-a79d-bc50e129eb3a | Microsoft Managed Control 1161 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | e3007185-3857-43a9-8237-06ca94f1084c | Microsoft Managed Control 1387 - Information Spillage Response | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | e327b072-281d-4f75-9c28-4216e5d72f26 | Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | e3f1e5a3-25c1-4476-8cb6-3955031f8e65 | Microsoft Managed Control 1451 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | e4213689-05e8-4241-9d4e-8dd1cdafd105 | Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | e51ff84b-e5ea-408f-b651-2ecc2933e4c6 | Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | e5368258-9684-4567-8126-269f34e65eab | Microsoft Managed Control 1381 - Incident Response Plan | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | e539caaa-da8c-41b8-9e1e-449851e2f7a6 | Microsoft Managed Control 1421 - Maintenance Personnel | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | e54c325e-42a0-4dcf-b105-046e0f6f590f | Microsoft Managed Control 1716 - Software, Firmware, And Information Integrity | Integration Of Detection And Response | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | e57b98a0-a011-4956-a79d-5d17ed8b8e48 | Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | ef212163-3bc4-4e86-bcf8-705127086393 | Microsoft Managed Control 1128 - Time Stamps | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | ef869332-921d-4c28-9402-3be73e6e50c8 | Microsoft Managed Control 1472 - Emergency Shutoff | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | efd7b9ae-1db6-4eb6-b0fe-87e6565f9738 | Microsoft Managed Control 1012 - Account Management | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | f997df46-cfbb-4cc8-aac8-3fecdaf6a183 | Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | f9a165d2-967d-4733-8399-1074270dae2e | Microsoft Managed Control 1535 - Personnel Sanctions | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | f9ad559e-c12d-415e-9a78-e50fdd7da7ba | Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | fa108498-b3a8-4ffb-9e79-1107e76afad3 | Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | fa4c2a3d-1294-41a3-9ada-0e540471e9fb | Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | fa8d221b-d130-4637-ba16-501e666628bb | Microsoft Managed Control 1435 - Media Transport | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | facb66e0-1c48-478a-bed5-747a312323e1 | Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | fb321e6f-16a0-4be3-878f-500956e309c5 | Microsoft Managed Control 1086 - Publicly Accessible Content | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | fb39e62f-6bda-4558-8088-ec03d5670914 | Microsoft Managed Control 1222 - Information System Component Inventory | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | fc933d22-04df-48ed-8f87-22a3773d4309 | Microsoft Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based Encryption | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | fced5fda-3bdb-4d73-bfea-0e2c80428b66 | Microsoft Managed Control 1318 - Authenticator Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | fd00b778-b5b5-49c0-a994-734ea7bd3624 | Microsoft Managed Control 1543 - Risk Assessment | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | fd4a2ac8-868a-4702-a345-6c896c3361ce | Microsoft Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated Alerts And Advisories | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | fd4e54f7-9ab0-4bae-b6cc-457809948a89 | Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | fd73310d-76fc-422d-bda4-3a077149f179 | Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | fd7c4c1d-51ee-4349-9dab-89a7f8c8d102 | Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time Source | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f | Microsoft Managed Control 1611 - Developer-Provided Training | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b | Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | fe2ad78b-8748-4bff-a924-f74dfca93f30 | Microsoft Managed Control 1613 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | ff9fbd83-1d8d-4b41-aac2-94cb44b33976 | Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | fff50cf2-28eb-45b4-b378-c99412688907 | Microsoft Managed Control 1158 - Security Authorization | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | f9873db2-18ad-46b3-a11a-1a1f8cbf0335 | Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert Exfiltration | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | f9012d14-e3e6-4d7b-b926-9f37b5537066 | Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | f87b8085-dca9-4cf1-8f7b-9822b997797c | Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | f86aa129-7c07-4aa4-bbf5-792d93ffd9ea | Microsoft Managed Control 1345 - Cryptographic Module Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | effbaeef-5bf4-400d-895e-ef8cbc0e64c7 | Microsoft Managed Control 1358 - Incident Response Testing | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | f0643e0c-eee5-4113-8684-c608d05c5236 | Microsoft Managed Control 1531 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | f171df5c-921b-41e9-b12b-50801c315475 | Microsoft Managed Control 1028 - Information Flow Enforcement | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | f25bc08f-27cb-43b6-9a23-014d00700426 | Microsoft Managed Control 1701 - Information System Monitoring | Host-Based Devices | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | f2d9d3e6-8886-4305-865d-639163e5c305 | Microsoft Managed Control 1457 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | f355d62b-39a8-4ba3-abf7-90f71cb3b000 | Microsoft Managed Control 1309 - Identification And Authentication (Org. Users) | Acceptance Of Piv Credentials | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | f35e02aa-0a55-49f8-8811-8abfa7e6f2c0 | Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | f3793f5e-937f-44f7-bfba-40647ef3efa0 | Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | f475ee0e-f560-4c9b-876b-04a77460a404 | Microsoft Managed Control 1706 - Security Alerts, Advisories, And Directives | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | f4978d0e-a596-48e7-9f8c-bbf52554ce8d | Microsoft Managed Control 1495 - System Security Plan | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | dd6ac1a1-660e-4810-baa8-74e868e2ed47 | Microsoft Managed Control 1391 - Information Spillage Response | Training | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd | Microsoft Managed Control 1469 - Power Equipment And Cabling | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | f56be5c3-660b-4c61-9078-f67cf072c356 | Microsoft Managed Control 1198 - Configuration Change Control | Security Representative | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | f5c66fdc-3d02-4034-9db5-ba57802609de | Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | f5fd629f-3075-4cae-ab53-bad65495a4ac | Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | f714a4e2-b580-47b6-ae8c-f2812d3750f3 | Microsoft Managed Control 1214 - Least Functionality | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | f751cdb7-fbee-406b-969b-815d367cb9b3 | Microsoft Managed Control 1591 - External Information System Services | Ident. Of Functions / Ports / Protocols / Services | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | f75cedb2-5def-4b31-973e-b69e8c7bd031 | Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | f771f8cb-6642-45cc-9a15-8a41cd5c6977 | Microsoft Managed Control 1540 - Security Categorization | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | f784d3b0-5f2b-49b7-b9f3-00ba8653ced5 | Microsoft Managed Control 1449 - Physical Access Authorizations | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | f7d2ff17-d604-4dd9-b607-9ecf63f28ad2 | Microsoft Managed Control 1506 - Personnel Security Policy And Procedures | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | f82e3639-fa2b-4e06-a786-932d8379b972 | Microsoft Managed Control 1705 - Security Alerts, Advisories, And Directives | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | f52f89aa-4489-4ec4-950e-8c96a036baa9 | Microsoft Managed Control 1618 - Security Function Isolation | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | dd533cb0-b416-4be7-8e86-4d154824dfd7 | Microsoft Managed Control 1678 - Malicious Code Protection | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | dd469ae0-71a8-4adc-aafc-de6949ca3339 | Microsoft Managed Control 1715 - Software, Firmware, And Information Integrity | Automated Response To Integrity Violations | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | dd280d4b-50a1-42fb-a479-ece5878acf19 | Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | bc90e44f-d83f-4bdf-900f-3d5eb4111b31 | Microsoft Managed Control 1427 - Media Protection Policy And Procedures | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | bcfb6683-05e5-4ce6-9723-c3fbe9896bdd | Microsoft Managed Control 1351 - Incident Response Policy And Procedures | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | bd20184c-b4ec-4ce5-8db6-6e86352d183f | Microsoft Managed Control 1050 - Concurrent Session Control | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | be5b05e7-0b82-4ebc-9eda-25e447b1a41e | Microsoft Managed Control 1360 - Incident Handling | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | beff0acf-7e67-40b2-b1ca-1a0e8205cf1b | Microsoft Managed Control 1152 - System Interconnections | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | bf296b8c-f391-4ea4-9198-be3c9d39dd1f | Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | bf6850fe-abba-468e-9ef4-d09ec7d983cd | Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And Procedures | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | c10152dd-78f8-4335-ae2d-ad92cc028da4 | Microsoft Managed Control 1124 - Audit Reduction And Report Generation | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | c10fb58b-56a8-489e-9ce3-7ffe24e78e4b | Microsoft Managed Control 1676 - Malicious Code Protection | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | c13da9b4-fe14-4fe2-853a-5997c9d4215a | Microsoft Managed Control 1719 - Spam Protection | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | c158eb1c-ae7e-4081-8057-d527140c4e0c | Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | c171b095-7756-41de-8644-a062a96043f2 | Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | c17822dc-736f-4eb4-a97d-e6be662ff835 | Microsoft Managed Control 1004 - Account Management | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | c1fa9c2f-d439-4ab9-8b83-81fb1934f81d | Microsoft Managed Control 1503 - Information Security Architecture | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | c30690a5-7bf3-467f-b0cd-ef5c7c7449cd | Microsoft Managed Control 1176 - Baseline Configuration | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | c39e6fda-ae70-4891-a739-be7bba6d1062 | Microsoft Managed Control 1389 - Information Spillage Response | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | c3b65b63-09ec-4cb5-8028-7dd324d10eb0 | Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | c40f31a7-81e1-4130-99e5-a02ceea2a1d6 | Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | c416970d-b12b-49eb-8af4-fb144cd7c290 | Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | c49c610b-ece4-44b3-988c-2172b70d6e46 | Microsoft Managed Control 1235 - Software Usage Restrictions | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | c4aff9e7-2e60-46fa-86be-506b79033fc5 | Microsoft Managed Control 1173 - Internal System Connections | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | bc3f6f7a-057b-433e-9834-e8c97b0194f6 | Microsoft Managed Control 1095 - Role-Based Security Training | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | bc34667f-397e-4a65-9b72-d0358f0b6b09 | Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | bba2a036-fb3b-4261-b1be-a13dfb5fbcaa | Microsoft Managed Control 1533 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | bb20548a-c926-4e4d-855c-bcddc6faf95e | Microsoft Managed Control 1188 - Configuration Change Control | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | b26f8610-e615-47c2-abd6-c00b2b0b503a | Microsoft Managed Control 1009 - Account Management | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | b293f881-361c-47ed-b997-bc4e2296bc0b | Microsoft Managed Control 1234 - Software Usage Restrictions | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | b29ed931-8e21-4779-8458-27916122a904 | Microsoft Managed Control 1107 - Content Of Audit Records | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | b3d8d15b-627a-4219-8c96-4d16f788888b | Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | b4319b7e-ea8d-42ff-8a67-ccd462972827 | Microsoft Managed Control 1380 - Incident Response Plan | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | b43e946e-a4c8-4b92-8201-4a39331db43c | Microsoft Managed Control 1172 - Internal System Connections | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | b45fe972-904e-45a4-ac20-673ba027a301 | Microsoft Managed Control 1672 - Flaw Remediation | Central Management | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | b472a17e-c2bc-493f-b50b-42d55a346962 | Microsoft Managed Control 1131 - Protection Of Audit Information | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | b4f9b47a-2116-4e6f-88db-4edbf22753f1 | Microsoft Managed Control 1286 - Telecommunications Services | Provider Contingency Plan | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | b6747bf9-2b97-45b8-b162-3c8becb9937d | Microsoft Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | c53f3123-d233-44a7-930b-f40d3bfeb7d6 | Microsoft Managed Control 1600 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08 | Microsoft Managed Control 1301 - Identification And Authentication (Org. Users) | Network Access To Privileged Accounts | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | b73b7b3b-677c-4a2a-b949-ad4dc4acd89f | Microsoft Managed Control 1608 - Supply Chain Protection | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | b78ee928-e3c1-4569-ad97-9f8c4b629847 | Microsoft Managed Control 1401 - Controlled Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | b958b241-4245-4bd6-bd2d-b8f0779fb543 | Microsoft Managed Control 1257 - Contingency Training | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | b95ba3bd-4ded-49ea-9d10-c6f4b680813d | Microsoft Managed Control 1186 - Configuration Change Control | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | b9783a99-98fe-4a95-873f-29613309fe9a | Microsoft Managed Control 1447 - Physical Access Authorizations | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | b9b66a4d-70a1-4b47-8fa1-289cec68c605 | Microsoft Managed Control 1625 - Boundary Protection | Access Points | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | b9f3fb54-4222-46a1-a308-4874061f8491 | Microsoft Managed Control 1610 - Development Process, Standards, And Tools | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca | Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | baff1279-05e0-4463-9a70-8ba5de4c7aa4 | Microsoft Managed Control 1726 - Information Handling And Retention | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | bb02733d-3cc5-4bb0-a6cd-695ba2c2272e | Microsoft Managed Control 1166 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | b6a8eae8-9854-495a-ac82-d2cd3eac02a6 | Microsoft Managed Control 1568 - Acquisition Process | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | b23bd715-5d1c-4e5c-9759-9cbdf79ded9d | Microsoft Managed Control 1091 - Security Awareness Training | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | c5f56ac6-4bb2-4086-bc41-ad76344ba2c2 | Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | c66a3d1e-465b-4f28-9da5-aef701b59892 | Microsoft Managed Control 1190 - Configuration Change Control | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | d2b4feae-61ab-423f-a4c5-0e38ac4464d8 | Microsoft Managed Control 1106 - Audit Events | Reviews And Updates | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | d3531453-b869-4606-9122-29c1cd6e7ed1 | Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | d39d4f68-7346-4133-8841-15318a714a24 | Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | d3bf4251-0818-42db-950b-afd5b25a51c2 | Microsoft Managed Control 1249 - Contingency Plan | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | d4142013-7964-4163-a313-a900301c2cef | Microsoft Managed Control 1562 - Allocation Of Resources | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | d4558451-e16a-4d2d-a066-fe12a6282bb9 | Microsoft Managed Control 1383 - Incident Response Plan | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | d530aad8-4ee2-45f4-b234-c061dae683c0 | Microsoft Managed Control 1112 - Response To Audit Processing Failures | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | d57f8732-5cdc-4cda-8d27-ab148e1f3a55 | Microsoft Managed Control 1585 - Security Engineering Principles | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | d61880dc-6e38-4f2a-a30c-3406a98f8220 | Microsoft Managed Control 1667 - System And Information Integrity Policy And Procedures | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | d630429d-e763-40b1-8fba-d20ba7314afb | Microsoft Managed Control 1150 - Security Assessments | External Organizations | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | d6976a08-d969-4df2-bb38-29556c2eb48a | Microsoft Managed Control 1549 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | d7047705-d719-46a7-8bb0-76ad233eba71 | Microsoft Managed Control 1473 - Emergency Power | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | d74fdc92-1cb8-4a34-9978-8556425cd14c | Microsoft Managed Control 1529 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | d77fd943-6ba6-4a21-ba07-22b03e347cc4 | Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. Users) | Use Of FICAM-Issued Profiles | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | d8b43277-512e-40c3-ab00-14b3b6e72238 | Microsoft Managed Control 1016 - Account Management | Automated Audit Actions | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | d8ef30eb-a44f-47af-8524-ac19a36d41d2 | Microsoft Managed Control 1488 - Alternate Work Site | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | d922484a-8cfc-4a6b-95a4-77d6a685407f | Microsoft Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | da3bfb53-9c46-4010-b3db-a7ba1296dada | Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | da3cd269-156f-435b-b472-c3af34c032ed | Microsoft Managed Control 1516 - Personnel Termination | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | dc43e829-3d50-4a0a-aa0f-428d551862aa | Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | dce72873-c5f1-47c3-9b4f-6b8207fd5a45 | Microsoft Managed Control 1439 - Media Sanitization | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a | Microsoft Managed Control 1721 - Spam Protection | Central Management | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | d1e1d65c-1013-4484-bd54-991332e6a0d2 | Microsoft Managed Control 1195 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | d1880188-e51a-4772-b2ab-68f5e8bd27f6 | Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | d17c826b-1dec-43e1-a984-7b71c446649c | Microsoft Managed Control 1620 - Denial Of Service Protection | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | c69b870e-857b-458b-af02-bb234f7a00d3 | Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | c6ce745a-670e-47d3-a6c4-3cfe5ef00c10 | Microsoft Managed Control 1125 - Audit Reduction And Report Generation | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | c722e569-cb52-45f3-a643-836547d016e1 | Microsoft Managed Control 1619 - Information In Shared Resources | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1 | Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | c785ad59-f78f-44ad-9a7f-d1202318c748 | Microsoft Managed Control 1353 - Incident Response Training | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | c89ba09f-2e0f-44d0-8095-65b05bd151ef | Microsoft Managed Control 1470 - Emergency Shutoff | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | c9121abf-e698-4ee9-b1cf-71ee528ff07f | Microsoft Managed Control 1018 - Account Management | Role-Based Schemes | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | ca94b046-45e2-444f-a862-dc8ce262a516 | Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | ca9a4469-d6df-4ab2-a42f-1213c396f0ec | Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff | Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. Access To Priv. Accts. - Replay | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | c6108469-57ee-4666-af7e-79ba61c7ae0c | Microsoft Managed Control 1670 - Flaw Remediation | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | cb790345-a51f-43de-934e-98dbfaf9dca5 | Microsoft Managed Control 1486 - Alternate Work Site | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | cc5c8616-52ef-4e5e-8000-491634ed9249 | Microsoft Managed Control 1374 - Incident Response Assistance | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | cd9e2f38-259b-462c-bfad-0ad7ab4e65c5 | Microsoft Managed Control 1582 - Information System Documentation | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | cdd8d244-18b2-4306-a1d1-df175ae0935f | Microsoft Managed Control 1104 - Audit Events | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | ce669c31-9103-4552-ae9c-cdef4e03580d | Microsoft Managed Control 1209 - Configuration Settings | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | cf3b3293-667a-445e-a722-fa0b0afc0958 | Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | cf3e4836-f19e-47eb-a8cd-c3ca150452c0 | Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications And Anomalous System Behavior | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | cf55fc87-48e1-4676-a2f8-d9a8cf993283 | Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | d03516cf-0293-489f-9b32-a18f2a79f836 | Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using Sampling | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | d07594d1-0307-4c08-94db-5d71ff31f0f6 | Microsoft Managed Control 1724 - Error Handling | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | d0eb15db-dd1c-4d1d-b200-b12dd6cd060c | Microsoft Managed Control 1084 - Publicly Accessible Content | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | cbb2be76-4891-430b-95a7-ca0b0a3d1300 | Microsoft Managed Control 1167 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 8a29d47b-8604-4667-84ef-90d203fcb305 | Microsoft Managed Control 1092 - Security Awareness Training | Insider Threat | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | 81817e1c-5347-48dd-965a-40159d008229 | Microsoft Managed Control 1308 - Identification And Authentication (Org. Users) | Remote Access - Separate Device | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 465f32da-0ace-4603-8d1b-7be5a3a702de | Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 382016f3-d4ba-4e15-9716-55077ec4dc2a | Microsoft Managed Control 1335 - Authenticator Management | Pki-Based Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 3867f2a9-23bb-4729-851f-c3ad98580caf | Microsoft Managed Control 1081 - Information Sharing | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 38b470cc-f939-4a15-80e0-9f0c74f2e2c9 | Microsoft Managed Control 1522 - Personnel Transfer | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 38dfd8a3-5290-4099-88b7-4081f4c4d8ae | Microsoft Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 391af4ab-1117-46b9-b2c7-78bbd5cd995b | Microsoft Managed Control 1397 - Controlled Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 391ff8b3-afed-405e-9f7d-ef2f8168d5da | Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 396ba986-eac1-4d6d-85c4-d3fda6b78272 | Microsoft Managed Control 1232 - Configuration Management Plan | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 398eb61e-8111-40d5-a0c9-003df28f1753 | Microsoft Managed Control 1246 - Contingency Plan | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 399cd6ee-0e18-41db-9dea-cde3bd712f38 | Microsoft Managed Control 1680 - Malicious Code Protection | Central Management | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 39c54140-5902-4079-8bb5-ad31936fe764 | Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 3a7b9de4-a8a2-4672-914d-c5f6752aa7f9 | Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 3a9eb14b-495a-4ebb-933c-ce4ef5264e32 | Microsoft Managed Control 1648 - Collaborative Computing Devices | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 37d079e3-d6aa-4263-a069-dd7ac6dd9684 | Microsoft Managed Control 1624 - Boundary Protection | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 3aa87116-f1a1-4edb-bfbf-14e036f8d454 | Microsoft Managed Control 1315 - Identifier Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 3b4a3eb2-c25d-40bf-ad41-5094b6f59cee | Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 3b68b179-3704-4ff7-b51d-7d65374d165d | Microsoft Managed Control 1003 - Account Management | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 3cb9f731-744a-4691-a481-ca77b0411538 | Microsoft Managed Control 1621 - Resource Availability | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5 | Microsoft Managed Control 1521 - Personnel Termination | Automated Notification | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 3ce328db-aef3-48ed-9f81-2ab7cf839c66 | Microsoft Managed Control 1127 - Time Stamps | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 3e495e65-8663-49ca-9b38-9f45e800bc58 | Microsoft Managed Control 1385 - Information Spillage Response | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 3e797ca6-2aa8-4333-b335-7036f1110c05 | Microsoft Managed Control 1160 - Security Authorization | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 3f4b171a-a56b-4328-8112-32cf7f947ee1 | Microsoft Managed Control 1545 - Risk Assessment | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c | Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 40364c3f-c331-4e29-b1e3-2fbe998ba2f5 | Microsoft Managed Control 1561 - Allocation Of Resources | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 4057863c-ca7d-47eb-b1e0-503580cba8a4 | Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 4075bedc-c62a-4635-bede-a01be89807f3 | Microsoft Managed Control 1637 - Boundary Protection | Fail Secure | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 3afe6c78-6124-4d95-b85c-eb8c0c9539cb | Microsoft Managed Control 1548 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 36fbe499-f2f2-41b6-880e-52d7ea1d94a5 | Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 36b0ef30-366f-4b1b-8652-a3511df11f53 | Microsoft Managed Control 1685 - Information System Monitoring | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 367ae386-db7f-4167-b672-984ff86277c0 | Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 2ce63a52-e47b-4ae2-adbb-6e40d967f9e6 | Microsoft Managed Control 1414 - Nonlocal Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 2cf42a28-193e-41c5-98df-7688e7ef0a88 | Microsoft Managed Control 1679 - Malicious Code Protection | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 2d045bca-a0fd-452e-9f41-4ec33769717c | Microsoft Managed Control 1068 - Wireless Access | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 2d44b6fa-1134-4ea6-ad4e-9edb68f65429 | Microsoft Managed Control 1704 - Security Alerts, Advisories, And Directives | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 2dad3668-797a-412e-a798-07d3849a7a79 | Microsoft Managed Control 1077 - Use Of External Information Systems | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 2e1b855b-a013-481a-aeeb-2bcb129fd35d | Microsoft Managed Control 1149 - Security Assessments | Specialized Assessments | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 2e3c5583-1729-4d36-8771-59c32f090a22 | Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | 2ef3cc79-733e-48ed-ab6f-7bf439e9b406 | Microsoft Managed Control 1000 - Access Control Policy And Procedures | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 2f13915a-324c-4ab8-b45c-2eefeeefb098 | Microsoft Managed Control 1519 - Personnel Termination | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 2fa15ff1-a693-4ee4-b094-324818dc9a51 | Microsoft Managed Control 1144 - Security Assessments | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 2fb740e5-cbc7-4d10-8686-d1bf826652b1 | Microsoft Managed Control 1090 - Security Awareness Training | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | 319dc4f0-0fed-4ac9-8fc3-7aeddee82c07 | Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 31b752c1-05a9-432a-8fce-c39b56550119 | Microsoft Managed Control 1698 - Information System Monitoring | Individuals Posing Greater Risk | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 32820956-9c6d-4376-934c-05cd8525be7c | Microsoft Managed Control 1587 - External Information System Services | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 3298d6bf-4bc6-4278-a95d-f7ef3ac6e594 | Microsoft Managed Control 1333 - Authenticator Management | Pki-Based Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 32d07d59-2716-4972-b37b-214a67ac4a37 | Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 34042a97-ec6d-4263-93d2-8c1c46823b2a | Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 347e3b69-7fb7-47df-a8ef-71a1a7b44bca | Microsoft Managed Control 1151 - System Interconnections | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 3492d949-0dbb-4589-88b3-7b59601cc764 | Microsoft Managed Control 1412 - Nonlocal Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 34a63848-30cf-4081-937e-ce1a1c885501 | Microsoft Managed Control 1475 - Emergency Lighting | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 34a987fd-2003-45de-a120-014956581f2b | Microsoft Managed Control 1060 - Remote Access | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 34cb7e92-fe4c-4826-b51e-8cd203fa5d35 | Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 3502c968-c490-4570-8167-1476f955e9b8 | Microsoft Managed Control 1210 - Configuration Settings | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 35a4102f-a778-4a2e-98c2-971056288df8 | Microsoft Managed Control 1659 - Architecture And Provisioning For Name / Address Resolution Service | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 361a77f6-0f9c-4748-8eec-bc13aaaa2455 | Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 36220f5b-79a1-4cdb-8c74-2d2449f9a510 | Microsoft Managed Control 1313 - Identifier Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 3643717a-3897-4bfd-8530-c7c96b26b2a0 | Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 40a2a83b-74f2-4c02-ae65-f460a5d2792a | Microsoft Managed Control 1202 - Access Restrictions For Change | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 2ce1ea7e-4038-4e53-82f4-63e8859333c1 | Microsoft Managed Control 1546 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 40fcc635-52a2-4dbc-9523-80a1f4aa1de6 | Microsoft Managed Control 1438 - Media Sanitization | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 411f7e2d-9a0b-4627-a0b9-1700432db47d | Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential Termination | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 493a95f3-f2e3-47d0-af02-65e6d6decc2f | Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 498f6234-3e20-4b6a-a880-cbd646d973bd | Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 49b99653-32cd-405d-a135-e7d60a9aae1f | Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 49dbe627-2c1e-438c-979e-dd7a39bbf81d | Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 4a1d0394-b9f5-493e-9e83-563fd0ac4df8 | Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 4a248e1e-040f-43e5-bff2-afc3a57a3923 | Microsoft Managed Control 1677 - Malicious Code Protection | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 4b1853e0-8973-446b-b567-09d901d31a09 | Microsoft Managed Control 1094 - Role-Based Security Training | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | 4c090801-59bc-4454-bb33-e0455133486a | Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 4c615c2a-dc83-4dda-8220-abce7b50c9bc | Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 4c643c9a-1be7-4016-a5e7-e4bada052920 | Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers At Logout | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 4cca950f-c3b7-492a-8e8f-ea39663c14f9 | Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 4ce9073a-77fa-48f0-96b1-87aa8e6091c2 | Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 48f2f62b-5743-4415-a143-288adc0e078d | Microsoft Managed Control 1669 - Flaw Remediation | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 4d33f9f1-12d0-46ad-9fbd-8f8046694977 | Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 4d6a5968-9eef-4c18-8534-376790ab7274 | Microsoft Managed Control 1312 - Identifier Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 4db56f68-3f50-45ab-88f3-ca46f5379a94 | Microsoft Managed Control 1394 - System Maintenance Policy And Procedures | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 4dfc0855-92c4-4641-b155-a55ddd962362 | Microsoft Managed Control 1702 - Information System Monitoring | Indicators Of Compromise | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 4e26f8c3-4bf3-4191-b8fc-d888805101b7 | Microsoft Managed Control 1001 - Access Control Policy And Procedures | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 4e319cb6-2ca3-4a58-ad75-e67f484e50ec | Microsoft Managed Control 1083 - Publicly Accessible Content | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 4e54c7ef-7457-430b-9a3e-ef8881d4a8e0 | Microsoft Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 4e666db5-b2ef-4b06-aac6-09bfce49151b | Microsoft Managed Control 1247 - Contingency Plan | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 4e7f4ea4-dd62-44f6-8886-ac6137cf52b0 | Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 4e95f70e-181c-4422-9da2-43079710c789 | Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 4e97ba1d-be5d-4953-8da4-0cccf28f4805 | Microsoft Managed Control 1267 - Alternate Storage Site | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 4ebd97f7-b105-4f50-8daf-c51465991240 | Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 4ed62522-de00-4dda-9810-5205733d2f34 | Microsoft Managed Control 1139 - Audit Generation | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 4d52e864-9a3b-41ee-8f03-520815fe5378 | Microsoft Managed Control 1156 - Plan Of Action And Milestones | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 486b006a-3653-45e8-b41c-a052d3e05456 | Microsoft Managed Control 1484 - Water Damage Protection | Automation Support | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 4862a63c-6c74-4a9d-a221-89af3c374503 | Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 48540f01-fc11-411a-b160-42807c68896e | Microsoft Managed Control 1033 - Separation Of Duties | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 41256567-1795-4684-b00b-a1308ce43cac | Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 41472613-3b05-49f6-8fe8-525af113ce17 | Microsoft Managed Control 1263 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 420c1477-aa43-49d0-bd7e-c4abdd9addff | Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | 42254fc4-2738-4128-9613-72aaa4f0d9c3 | Microsoft Managed Control 1260 - Contingency Training | Simulated Events | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 426c4ac9-ff17-49d0-acd7-a13c157081c0 | Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 42a9a714-8fbb-43ac-b115-ea12d2bd652f | Microsoft Managed Control 1174 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 4344df62-88ab-4637-b97b-bcaf2ec97e7c | Microsoft Managed Control 1137 - Audit Generation | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 435b2547-6374-4f87-b42d-6e8dbe6ae62a | Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 43684572-e4f1-4642-af35-6b933bc506da | Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 43ced7c9-cd53-456b-b0da-2522649a4271 | Microsoft Managed Control 1544 - Risk Assessment | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 443e8f3d-b51a-45d8-95a7-18b0e42f4dc4 | Microsoft Managed Control 1398 - Controlled Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 4455c2e8-c65d-4acf-895e-304916f90b36 | Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 44b9a7cd-f36a-491a-a48b-6d04ae7c4221 | Microsoft Managed Control 1720 - Spam Protection | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 44bfdadc-8c2e-4c30-9c99-f005986fabcd | Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 44dbba23-0b61-478e-89c7-b3084667782f | Microsoft Managed Control 1604 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 44e543aa-41db-42aa-98eb-8a5eb1db53f0 | Microsoft Managed Control 1712 - Software, Firmware, And Information Integrity | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 450d7ede-823d-4931-a99d-57f6a38807dc | Microsoft Managed Control 1310 - Device Identification And Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 45692294-f074-42bd-ac54-16f1a3c07554 | Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 45b7b644-5f91-498e-9d89-7402532d3645 | Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols / Services In Use | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 45ce2396-5c76-4654-9737-f8792ab3d26b | Microsoft Managed Control 1565 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 463e5220-3f79-4e24-a63f-343e4096cd22 | Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party Registration | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 464dc8ce-2200-4720-87a5-dc5952924cc6 | Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users) | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 898d4fe8-f743-4333-86b7-0c9245d93e7d | Microsoft Managed Control 1411 - Nonlocal Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 4708723f-e099-4af1-bbf9-b6df7642e444 | Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 47bc7ea0-7d13-4f7c-a154-b903f7194253 | Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 47e10916-6c9e-446b-b0bd-ff5fd439d79d | Microsoft Managed Control 1165 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 483e7ca9-82b3-45a2-be97-b93163a0deb7 | Microsoft Managed Control 1048 - System Use Notification | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 4116891d-72f7-46ee-911c-8056cc8dcbd5 | Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 4f26049b-2c5a-4841-9ff3-d48a26aae475 | Microsoft Managed Control 1442 - Media Sanitization | Nondestructive Techniques | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa | Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 2c7c575a-d4c5-4f6f-bd49-dee97a8cba55 | Microsoft Managed Control 1388 - Information Spillage Response | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 09828c65-e323-422b-9774-9d5c646124da | Microsoft Managed Control 1302 - Identification And Authentication (Org. Users) | Network Access To Non-Privileged Accounts | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 0a2ee16e-ab1f-414a-800b-d1608835862b | Microsoft Managed Control 1654 - Voice Over Internet Protocol | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 0a560d32-8075-4fec-9615-9f7c853f4ea9 | Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 0a77fcc7-b8d8-451a-ab52-56197913c0c7 | Microsoft Managed Control 1428 - Media Access | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 0abbac52-57cf-450d-8408-1208d0dd9e90 | Microsoft Managed Control 1044 - Unsuccessful Logon Attempts | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 0afce0b3-dd9f-42bb-af28-1e4284ba8311 | Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 0b1aa965-7502-41f9-92be-3e2fe7cc392a | Microsoft Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 0b291ee8-3140-4cad-beb7-568c077c78ce | Microsoft Managed Control 1020 - Account Management | Role-Based Schemes | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 0b653845-2ad9-4e09-a4f3-5a7c1d78353d | Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 0be51298-f643-4556-88af-d7db90794879 | Microsoft Managed Control 1239 - User-Installed Software | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 0ca96127-2f87-46ab-a4fc-0d2a786df1c8 | Microsoft Managed Control 1496 - System Security Plan | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | 0d58f734-c052-40e9-8b2f-a1c2bff0b815 | Microsoft Managed Control 1518 - Personnel Termination | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 0925f098-7877-450b-8ba4-d1e55f2d8795 | Microsoft Managed Control 1159 - Security Authorization | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 0d87c70b-5012-48e9-994b-e70dd4b8def0 | Microsoft Managed Control 1713 - Software, Firmware, And Information Integrity | Integrity Checks | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 0dced7ab-9ce5-4137-93aa-14c13e06ab17 | Microsoft Managed Control 1718 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e | Microsoft Managed Control 1601 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 0f3c4ac2-3e35-4906-a80b-473b12a622d7 | Microsoft Managed Control 1476 - Fire Protection | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 0f4f6750-d1ab-4a4c-8dfd-af3237682665 | Microsoft Managed Control 1204 - Access Restrictions For Change | Review System Changes | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 0f559588-5e53-4b14-a7c4-85d28ebc2234 | Microsoft Managed Control 1430 - Media Marking | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 0f935dab-83d6-47b8-85ef-68b8584161b9 | Microsoft Managed Control 1574 - Acquisition Process | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 0fb8d3ce-9e96-481c-9c68-88d4e3019310 | Microsoft Managed Control 1164 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 0fc3db37-e59a-48c1-84e9-1780cedb409e | Microsoft Managed Control 1017 - Account Management | Inactivity Logout | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 100c82ba-42e9-4d44-a2ba-94b209248583 | Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | 10984b4e-c93e-48d7-bf20-9c03b04e9eca | Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 11158848-f679-4e9b-aa7b-9fb07d945071 | Microsoft Managed Control 1230 - Configuration Management Plan | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 1140e542-b80d-4048-af45-3f7245be274b | Microsoft Managed Control 1432 - Media Storage | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 0d943a9c-a6f1-401f-a792-740cdb09c451 | Microsoft Managed Control 1466 - Visitor Access Records | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 0882d488-8e80-4466-bc0f-0cd15b6cb66d | Microsoft Managed Control 1583 - Information System Documentation | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 07557aa0-e02f-4460-9a81-8ecd2fed601a | Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 06c45c30-ae44-4f0f-82be-41331da911cc | Microsoft Managed Control 1366 - Incident Handling | Information Correlation | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 00379355-8932-4b52-b63a-3bc6daf3451a | Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 0062eb8b-dc75-4718-8ea5-9bb4a9606655 | Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 01524fa8-4555-48ce-ba5f-c3b8dcef5147 | Microsoft Managed Control 1142 - Security Assessment And Authorization Policy And Procedures | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 01910bab-8639-4bd0-84ef-cc53b24d79ba | Microsoft Managed Control 1099 - Security Training Records | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | 01f7726b-db54-45c2-bcb5-9bd7a43796ee | Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 025992d6-7fee-4137-9bbf-2ffc39c0686c | Microsoft Managed Control 1709 - Security Function Verification | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 027cae1c-ec3e-4492-9036-4168d540c42a | Microsoft Managed Control 1052 - Session Lock | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 02a5ed00-6d2e-4e97-9a98-46c32c057329 | Microsoft Managed Control 1034 - Least Privilege | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 02ce1b22-412a-4528-8630-c42146f917ed | Microsoft Managed Control 1623 - Boundary Protection | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 02dd141a-a2b2-49a7-bcbd-ca31142f6211 | Microsoft Managed Control 1515 - Personnel Termination | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 03188d8f-1ae5-4fe1-974d-2d7d32ef937d | Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 03752212-103c-4ab8-a306-7e813022ca9d | Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 03996055-37a4-45a5-8b70-3f1caa45f87d | Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 03ad326e-d7a1-44b1-9a76-e17492efc9e4 | Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 03b78f5e-4877-4303-b0f4-eb6583f25768 | Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 03ed3be1-7276-4452-9a5d-e4168565ac67 | Microsoft Managed Control 1361 - Incident Handling | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 042ba2a1-8bb8-45f4-b080-c78cf62b90e9 | Microsoft Managed Control 1594 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 04f5fb00-80bb-48a9-a75b-4cb4d4c97c36 | Microsoft Managed Control 1572 - Acquisition Process | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 05460fe2-301f-4ed1-8174-d62c8bb92ff4 | Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 05938e10-cdbd-4a54-9b2b-1cbcfc141ad0 | Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a | Microsoft Managed Control 1223 - Information System Component Inventory | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 05a289ce-6a20-4b75-a0f3-dc8601b6acd0 | Microsoft Managed Control 1640 - Transmission Confidentiality And Integrity | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 05ae08cc-a282-413b-90c7-21a2c60b8404 | Microsoft Managed Control 1420 - Maintenance Personnel | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 063b540e-4bdc-4e7a-a569-3a42ddf22098 | Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 063c3f09-e0f0-4587-8fd5-f4276fae675f | Microsoft Managed Control 1688 - Information System Monitoring | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 068260be-a5e6-4b0a-a430-cd27071c226a | Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 068a88d4-e520-434e-baf0-9005a8164e6a | Microsoft Managed Control 1455 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 121eab72-390e-4629-a7e2-6d6184f57c6b | Microsoft Managed Control 1655 - Voice Over Internet Protocol | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 2c895fe7-2d8e-43a2-838c-3a533a5b355e | Microsoft Managed Control 1344 - Authenticator Feedback | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 12623e7e-4736-4b2e-b776-c1600f35f93a | Microsoft Managed Control 1681 - Malicious Code Protection | Automatic Updates | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 12e30ee3-61e6-4509-8302-a871e8ebb91e | Microsoft Managed Control 1666 - System And Information Integrity Policy And Procedures | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 21f639bc-f42b-46b1-8f40-7a2a389c291a | Microsoft Managed Control 1426 - Media Protection Policy And Procedures | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 2256e638-eb23-480f-9e15-6cf1af0a76b3 | Microsoft Managed Control 1399 - Controlled Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 22589a07-0007-486a-86ca-95355081ae2a | Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 22b469b3-fccf-42da-aa3b-a28e6fb113ce | Microsoft Managed Control 1493 - System Security Plan | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | 232ab24b-810b-4640-9019-74a7d0d6a980 | Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 23f6e984-3053-4dfc-ab48-543b764781f5 | Microsoft Managed Control 1268 - Alternate Storage Site | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 243ec95e-800c-49d4-ba52-1fdd9f6b8b57 | Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 244e0c05-cc45-4fe7-bf36-42dcf01f457d | Microsoft Managed Control 1231 - Configuration Management Plan | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 24d480ef-11a0-4b1b-8e70-4e023bf2be23 | Microsoft Managed Control 1082 - Information Sharing | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 25b96717-c912-4c00-9143-4e487f411726 | Microsoft Managed Control 1372 - Incident Reporting | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 26692e88-71b7-4a5f-a8ac-9f31dd05bd8e | Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 26d292cc-b0b8-4c29-9337-68abc758bf7b | Microsoft Managed Control 1649 - Collaborative Computing Devices | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 21e25e01-0ae0-41be-919e-04ce92b8e8b8 | Microsoft Managed Control 1596 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 276af98f-4ff9-4e69-99fb-c9b2452fb85f | Microsoft Managed Control 1396 - Controlled Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 2823de66-332f-4bfd-94a3-3eb036cd3b67 | Microsoft Managed Control 1527 - Access Agreements | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 283a4e29-69d5-4c94-b99e-29acf003c899 | Microsoft Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 28aab8b4-74fd-4b7c-9080-5a7be525d574 | Microsoft Managed Control 1436 - Media Transport | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 28cfa30b-7f72-47ce-ba3b-eed26c8d2c82 | Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 28e62650-c7c2-4786-bdfa-17edc1673902 | Microsoft Managed Control 1148 - Security Assessments | Independent Assessors | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 28e633fd-284e-4ea7-88b4-02ca157ed713 | Microsoft Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 292a7c44-37fa-4c68-af7c-9d836955ded2 | Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 2a39ac75-622b-4c88-9a3f-45b7373f7ef7 | Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 2aee175f-cd16-4825-939a-a85349d96210 | Microsoft Managed Control 1274 - Alternate Processing Site | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 2b909c26-162f-47ce-8e15-0c1f55632eac | Microsoft Managed Control 1603 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 2c18f06b-a68d-41c3-8863-b8cd3acb5f8f | Microsoft Managed Control 1434 - Media Transport | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 2c251a55-31eb-4e53-99c6-e9c43c393ac2 | Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 27a69937-af92-4198-9b86-08d355c7e59a | Microsoft Managed Control 1074 - Access Control For Mobile Devices | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 21de687c-f15e-4e51-bf8d-f35c8619965b | Microsoft Managed Control 1111 - Response To Audit Processing Failures | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 21839937-d241-4fa5-95c6-b669253d9ab9 | Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 201d3740-bd16-4baf-b4b8-7cda352228b7 | Microsoft Managed Control 1650 - Public Key Infrastructure Certificates | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 131a2706-61e9-4916-a164-00e052056462 | Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) | Acceptance Of PIV Creds. From Other Agys. | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 134d7a13-ba3e-41e2-b236-91bfcfa24e01 | Microsoft Managed Control 1450 - Physical Access Authorizations | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 13579d0e-0ab0-4b26-b0fb-d586f6d7ed20 | Microsoft Managed Control 1184 - Configuration Change Control | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 13d117e0-38b0-4bbb-aaab-563be5dd10ba | Microsoft Managed Control 1085 - Publicly Accessible Content | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 13d8f903-0cd6-449f-a172-50f6579c182b | Microsoft Managed Control 1404 - Maintenance Tools | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 13fcf812-ec82-4eda-9b89-498de9efd620 | Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion Detection | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 15495367-cf68-464c-bbc3-f53ca5227b7a | Microsoft Managed Control 1157 - Plan Of Action And Milestones | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 1571dd40-dafc-4ef4-8f55-16eba27efc7b | Microsoft Managed Control 1491 - Security Planning Policy And Procedures | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | 157f0ef9-143f-496d-b8f9-f8c8eeaad801 | Microsoft Managed Control 1564 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 165cb91f-7ea8-4ab7-beaf-8636b98c9d15 | Microsoft Managed Control 1662 - Fail In Known State | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 16bfdb59-db38-47a5-88a9-2e9371a638cf | Microsoft Managed Control 1684 - Information System Monitoring | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 16feeb31-6377-437e-bbab-d7f73911896d | Microsoft Managed Control 1103 - Audit Events | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 17200329-bf6c-46d8-ac6d-abf4641c2add | Microsoft Managed Control 1007 - Account Management | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 17641f70-94cd-4a5d-a613-3d1143e20e34 | Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. Users) | Use Of FICAM-Approved Products | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 1845796a-7581-49b2-ae20-443121538e19 | Microsoft Managed Control 1325 - Authenticator Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 18a767cc-1947-4338-a240-bc058c81164f | Microsoft Managed Control 1480 - Temperature And Humidity Controls | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 18cc35ed-a429-486d-8d59-cb47e87304ed | Microsoft Managed Control 1369 - Incident Monitoring | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 19b9439d-865d-4474-b17d-97d2702fdb66 | Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 1a437f5b-9ad6-4f28-8861-de404d511ae4 | Microsoft Managed Control 1071 - Wireless Access | Restrict Configurations By Users | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 1ca29e41-34ec-4e70-aba9-6248aca18c31 | Microsoft Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 1cb067d5-c8b5-4113-a7ee-0a493633924b | Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source) | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 1d01ba6c-289f-42fd-a408-494b355b6222 | Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 1d50f99d-1356-49c0-934a-45f742ba7783 | Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | 1d7658b2-e827-49c3-a2ae-6d2bd0b45874 | Microsoft Managed Control 1538 - Security Categorization | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 1dc784b5-4895-4d27-9d40-a06b032bd1ee | Microsoft Managed Control 1298 - Identification And Authentication Policy And Procedures | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 1e0414e7-6ef5-4182-8076-aa82fbb53341 | Microsoft Managed Control 1595 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 2006457a-48b3-4f7b-8d2e-1532287f9929 | Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 129eb39f-d79a-4503-84cd-92f036b5e429 | Microsoft Managed Control 1240 - User-Installed Software | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 4f34f554-da4b-4786-8d66-7915c90893da | Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 0004bbf0-5099-4179-869e-e9ffe5fb0945 | Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 731856d8-1598-4b75-92de-7d46235747c0 | Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 6519d7f3-e8a2-4ff3-a935-9a9497152ad7 | Microsoft Managed Control 1441 - Media Sanitization | Equipment Testing | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec | Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of Planned Audit Record Content | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 65592b16-4367-42c5-a26e-d371be450e17 | Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0 | Microsoft Managed Control 1279 - Telecommunications Services | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339 | Microsoft Managed Control 1051 - Session Lock | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 7c6de11b-5f51-4f7c-8d83-d2467c8a816e | Microsoft Managed Control 1143 - Security Assessment And Authorization Policy And Procedures | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 65aeceb5-a59c-4cb1-8d82-9c474be5d431 | Microsoft Managed Control 1261 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 70f6af82-7be6-44aa-9b15-8b9231b2e434 | Microsoft Managed Control 1541 - Risk Assessment | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 6420cd73-b939-43b7-9d99-e8688fea053c | Microsoft Managed Control 1185 - Configuration Change Control | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 7b694eed-7081-43c6-867c-41c76c961043 | Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 7ac22808-a2e8-41c4-9d46-429b50738914 | Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 70792197-9bfc-4813-905a-bd33993e327f | Microsoft Managed Control 1509 - Position Risk Designation | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 7a87fc7f-301e-49f3-ba2a-4d74f424fa97 | Microsoft Managed Control 1687 - Information System Monitoring | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 7a724864-956a-496c-b778-637cb1d762cf | Microsoft Managed Control 1289 - Information System Backup | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 7a1e2c88-13de-4959-8ee7-47e3d74f1f48 | Microsoft Managed Control 1708 - Security Function Verification | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 7a0bdeeb-15f4-47e8-a1da-9f769f845fdf | Microsoft Managed Control 1093 - Role-Based Security Training | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | 666143df-f5e0-45bd-b554-135f0f93e44e | Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 79fbc228-461c-4a45-9004-a865ca0728a7 | Microsoft Managed Control 1384 - Information Spillage Response | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 7ad5f307-e045-46f7-8214-5bdb7e973737 | Microsoft Managed Control 1492 - System Security Plan | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | 79da5b09-0e7e-499e-adda-141b069c7998 | Microsoft Managed Control 1510 - Position Risk Designation | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 7daef997-fdd3-461b-8807-a608a6dd70f1 | Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 7dd0e9ce-1772-41fb-a50a-99977071f916 | Microsoft Managed Control 1471 - Emergency Shutoff | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 804faf7d-b687-40f7-9f74-79e28adf4205 | Microsoft Managed Control 1703 - Security Alerts, Advisories, And Directives | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 717a1c78-a267-4f56-ac58-ee6c54dc4339 | Microsoft Managed Control 1481 - Temperature And Humidity Controls | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 7fbfe680-6dbb-4037-963c-a621c5635902 | Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 60171210-6dde-40af-a144-bf2670518bfa | Microsoft Managed Control 1663 - Protection Of Information At Rest | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 7f37f71b-420f-49bf-9477-9c0196974ecf | Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 7f2c513b-eb16-463b-b469-c10e5fa94f0a | Microsoft Managed Control 1520 - Personnel Termination | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 6182bfa7-0f2a-43f5-834a-a2ddf31c13c7 | Microsoft Managed Control 1110 - Audit Storage Capacity | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 71475fb4-49bd-450b-a1a5-f63894c24725 | Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For Real-Time Analysis | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc | Microsoft Managed Control 1177 - Baseline Configuration | Reviews And Updates | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 61a1dd98-b259-4840-abd5-fbba7ee0da83 | Microsoft Managed Control 1415 - Nonlocal Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 72f1cb4e-2439-4fe8-88ea-b8671ce3c268 | Microsoft Managed Control 1524 - Personnel Transfer | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 62b638c5-29d7-404b-8d93-f21e4b1ce198 | Microsoft Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 63096613-ce83-43e5-96f4-e588e8813554 | Microsoft Managed Control 1660 - Session Authenticity | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 632024c2-8079-439d-a7f6-90af1d78cc65 | Microsoft Managed Control 1002 - Account Management | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 7f26a61b-a74d-467c-99cf-63644db144f7 | Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 7ecda928-9df4-4dd7-8f44-641a91e470e8 | Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound Communications Traffic | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 7e6a54f3-883f-43d5-87c4-172dfd64a1f5 | Microsoft Managed Control 1011 - Account Management | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 633988b9-cf2f-4323-8394-f0d2af9cd6e1 | Microsoft Managed Control 1498 - Rules Of Behavior | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | 61cf3125-142c-4754-8a16-41ab4d529635 | Microsoft Managed Control 1153 - System Interconnections | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 80ca0a27-918a-4604-af9e-723a27ee51e8 | Microsoft Managed Control 1303 - Identification And Authentication (Org. Users) | Local Access To Privileged Accounts | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 66f7ae57-5560-4fc5-85c9-659f204e7a42 | Microsoft Managed Control 1319 - Authenticator Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 68434bd1-e14b-4031-9edb-a4adf5f84a67 | Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 6b93a801-fe25-4574-a60d-cb22acffae00 | Microsoft Managed Control 1031 - Separation Of Duties | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 6c59a207-6aed-41dc-83a2-e1ff66e4a4db | Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b | Microsoft Managed Control 1304 - Identification And Authentication (Org. Users) | Local Access To Non-Privileged Accounts | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 6d1eb6ed-bf13-4046-b993-b9e2aef0f76c | Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 7741669e-d4f6-485a-83cb-e70ce7cbbc20 | Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 6d4820bc-8b61-4982-9501-2123cb776c00 | Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 6f54c732-71d4-4f93-a696-4e373eca3a77 | Microsoft Managed Control 1320 - Authenticator Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 6d8d492c-dd7a-46f7-a723-fa66a425b87c | Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 77f56280-e367-432a-a3b9-8ca2aa636a26 | Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 76f500cc-4bca-4583-bda1-6d084dc21086 | Microsoft Managed Control 1508 - Position Risk Designation | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 6dab4254-c30d-4bb7-ae99-1d21586c063c | Microsoft Managed Control 1175 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 76e85d08-8fbb-4112-a1c1-93521e6a9254 | Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 6db63528-c9ba-491c-8a80-83e1e6977a50 | Microsoft Managed Control 1651 - Mobile Code | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 769efd9b-3587-4e22-90ce-65ddcd5bd969 | Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message Displays | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 7582b19c-9dba-438e-aed8-ede59ac35ba3 | Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 6f3ce1bb-4f77-4695-8355-70b08d54fdda | Microsoft Managed Control 1460 - Access Control For Output Devices | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 6e3b2fbd-8f37-4766-a64d-3f37703dcb51 | Microsoft Managed Control 1586 - External Information System Services | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 6e40d9de-2ad4-4cb5-8945-23143326a502 | Microsoft Managed Control 1536 - Risk Assessment Policy And Procedures | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912 | Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 67de62b4-a737-4781-8861-3baed3c35069 | Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 7814506c-382c-4d33-a142-249dd4a0dbff | Microsoft Managed Control 1258 - Contingency Training | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 6a8b9dc8-6b00-4701-aa96-bba3277ebf50 | Microsoft Managed Control 1211 - Configuration Settings | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 68b250ec-2e4f-4eee-898a-117a9fda7016 | Microsoft Managed Control 1597 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 791cfc15-6974-42a0-9f4c-2d4b82f4a78c | Microsoft Managed Control 1647 - Cryptographic Protection | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 704e136a-4fe0-427c-b829-cd69957f5d2b | Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 68ebae26-e0e0-4ecb-8379-aabf633b51e9 | Microsoft Managed Control 1588 - External Information System Services | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 68f837d0-8942-4b1e-9b31-be78b247bda8 | Microsoft Managed Control 1070 - Wireless Access | Disable Wireless Networking | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 78e8e649-50f6-4fe3-99ac-fedc2e63b03f | Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System Components | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 697175a7-9715-4e89-b98b-c6f605888fa3 | Microsoft Managed Control 1727 - Memory Protection | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 6998e84a-2d29-4e10-8962-76754d4f772d | Microsoft Managed Control 1652 - Mobile Code | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b | Microsoft Managed Control 1653 - Mobile Code | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 7894fe6a-f5cb-44c8-ba90-c3f254ff9484 | Microsoft Managed Control 1216 - Least Functionality | Periodic Review | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 69d2a238-20ab-4206-a6dc-f302bf88b1b8 | Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring Information | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 6a13a8f8-c163-4b1b-8554-d63569dab937 | Microsoft Managed Control 1244 - Contingency Plan | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 784663a8-1eb0-418a-a98c-24d19bc1bb62 | Microsoft Managed Control 1010 - Account Management | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 6a3ee9b2-3977-459c-b8ce-2db583abd9f7 | Microsoft Managed Control 1019 - Account Management | Role-Based Schemes | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5 | Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network Services | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 78255758-6d45-4bf0-a005-7016bc03b13c | Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 7818b8f4-47c6-441a-90ae-12ce04e99893 | Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 6fdefbf4-93e7-4513-bc95-c1858b7093e0 | Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 69c7bee8-bc19-4129-a51e-65a7b39d3e7c | Microsoft Managed Control 1699 - Information System Monitoring | Privileged Users | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0 | Microsoft Managed Control 1459 - Access Control For Transmission Medium | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 813a10a7-3943-4fe3-8678-00dc52db5490 | Microsoft Managed Control 1505 - Information Security Architecture | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | 8154e3b3-cc52-40be-9407-7756581d71f6 | Microsoft Managed Control 1614 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 54205576-cec9-463f-ba44-b4b3f5d0a84c | Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 86ccd1bf-e7ad-4851-93ce-6ec817469c1e | Microsoft Managed Control 1507 - Personnel Security Policy And Procedures | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 544a208a-9c3f-40bc-b1d1-d7e144495c14 | Microsoft Managed Control 1015 - Account Management | Disable Inactive Accounts | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 55419419-c597-4cd4-b51e-009fd2266783 | Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 7207a023-a517-41c5-9df2-09d4c6845a05 | Microsoft Managed Control 1395 - System Maintenance Policy And Procedures | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 554d2dd6-f3a8-4ad5-b66f-5ce23bd18892 | Microsoft Managed Control 1045 - Unsuccessful Logon Attempts | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 8605fc00-1bf5-4fb3-984e-c95cec4f231d | Microsoft Managed Control 1326 - Authenticator Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 5577a310-2551-49c8-803b-36e0d5e55601 | Microsoft Managed Control 1523 - Personnel Transfer | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 53c76a39-2097-408a-b237-b279f7b4614d | Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 562afd61-56be-4313-8fe4-b9564aa4ba7d | Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 57149289-d52b-4f40-9fe6-5233c1ef80f7 | Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 733ba9e3-9e7c-440a-a7aa-6196a90a2870 | Microsoft Managed Control 1456 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 85c32733-7d23-4948-88da-058e2c56b60f | Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592 | Microsoft Managed Control 1162 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 5807e1b4-ba5e-4718-8689-a0ca05a191b2 | Microsoft Managed Control 1054 - Session Termination | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 855ced56-417b-4d74-9d5f-dd1bc81e22d6 | Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. Users) | Acceptance Of Third-Party Credentials | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 5864522b-ff1d-4979-a9f8-58bee1fb174c | Microsoft Managed Control 1584 - Information System Documentation | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 854db8ac-6adf-42a0-bef3-b73f764f40b9 | Microsoft Managed Control 1580 - Information System Documentation | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 56d970ee-4efc-49c8-8a4e-5916940d784c | Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69 | Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 5352e3e0-e63a-452e-9e5f-9c1d181cff9c | Microsoft Managed Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 5350cbf9-8bdd-4904-b22a-e88be84ca49d | Microsoft Managed Control 1467 - Visitor Access Records | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 7327b708-f0e0-457d-9d2a-527fcc9c9a65 | Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 50301354-95d0-4a11-8af5-8039ecf6d38b | Microsoft Managed Control 1485 - Delivery And Removal | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 88fc93e8-4745-4785-b5a5-b44bb92c44ff | Microsoft Managed Control 1215 - Least Functionality | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 506814fa-b930-4b10-894e-a45b98c40e1a | Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric Keys | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 50ad3724-e2ac-4716-afcc-d8eabd97adb9 | Microsoft Managed Control 1566 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 88817b58-8472-4f6c-81fa-58ce42b67f51 | Microsoft Managed Control 1501 - Rules Of Behavior | Microsoft implements this Planning control | Fixed: audit | none |
| Regulatory Compliance | 50fc602d-d8e0-444b-a039-ad138ee5deb0 | Microsoft Managed Control 1248 - Contingency Plan | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 5120193e-91fd-4f9d-bc6d-194f94734065 | Microsoft Managed Control 1386 - Information Spillage Response | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 518cb545-bfa8-43f8-a108-3b7d5037469a | Microsoft Managed Control 1352 - Incident Response Policy And Procedures | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 8877f519-c166-47b7-81b7-8a8eb4ff3775 | Microsoft Managed Control 1317 - Authenticator Management | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 8829f8f5-e8be-441e-85c9-85b72a5d0ef3 | Microsoft Managed Control 1356 - Incident Response Training | Simulated Events | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 53397227-5ee3-4b23-9e5e-c8a767ce6928 | Microsoft Managed Control 1642 - Network Disconnect | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 881299bf-2a5b-4686-a1b2-321d33679953 | Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document / Verify | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 87f7cd82-2e45-4d0f-9e2f-586b0962d142 | Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e | Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 874e7880-a067-42a7-bcbe-1a340f54c8cc | Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 8713a0ed-0d1e-4d10-be82-83dffb39830e | Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 86ec7f9b-9478-40ff-8cfd-6a0d510081a8 | Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 86dc819f-15e1-43f9-a271-41ae58d4cecc | Microsoft Managed Control 1392 - Information Spillage Response | Post-Spill Operations | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52 | Microsoft Managed Control 1547 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 5f18c885-ade3-48c5-80b1-8f9216019c18 | Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information For Security Controls | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 58c93053-7b98-4cf0-b99f-1beb985416c2 | Microsoft Managed Control 1573 - Acquisition Process | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 852981b4-a380-4704-aa1e-2e52d63445e5 | Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 82c76455-4d3f-4e09-a654-22e592107e74 | Microsoft Managed Control 1452 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 825d6494-e583-42f2-a3f2-6458e6f0004f | Microsoft Managed Control 1448 - Physical Access Authorizations | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 82409f9e-1f32-4775-bf07-b99d53a91b06 | Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment | Microsoft implements this Security Assessment and Authorization control | Fixed: audit | none |
| Regulatory Compliance | 5cb81060-3c8a-4968-bcdc-395a1801f6c1 | Microsoft Managed Control 1483 - Water Damage Protection | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 5d169442-d6ef-439b-8dca-46c2c3248214 | Microsoft Managed Control 1362 - Incident Handling | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 5dee936c-8037-4df1-ab35-6635733da48c | Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency Accounts | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 5df3a55c-8456-44d4-941e-175f79332512 | Microsoft Managed Control 1665 - Process Isolation | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 593ce201-54b2-4dd0-b34f-c308005d7780 | Microsoft Managed Control 1063 - Remote Access | Managed Access Control Points | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 71bb965d-4047-4623-afd4-b8189a58df5d | Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time Source | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 81f11e32-a293-4a58-82cd-134af52e2318 | Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 5e2b3730-8c14-4081-8893-19dbb5de7348 | Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 7522ed84-70d5-4181-afc0-21e50b1b6d0e | Microsoft Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 819dc6da-289d-476e-8500-7e341ef8677d | Microsoft Managed Control 1287 - Information System Backup | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 5e47bc51-35d1-44b8-92af-e2f2d8b67635 | Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 5ea87673-d06b-456f-a324-8abcee5c159f | Microsoft Managed Control 1208 - Configuration Settings | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 75603f96-80a1-4757-991d-5a1221765ddd | Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 74ae9b8e-e7bb-4c9c-992f-c535282f7a2c | Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception | Microsoft implements this System and Communications Protection control | Fixed: audit | none |
| Regulatory Compliance | 5c5e54f6-0127-44d0-8b61-f31dc8dd6190 | Microsoft Managed Control 1067 - Wireless Access | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 742b549b-7a25-465f-b83c-ea1ffb4f4e0e | Microsoft Managed Control 1581 - Information System Documentation | Microsoft implements this System and Services Acquisition control | Fixed: audit | none |
| Regulatory Compliance | 5b070cab-0fb8-4e48-ad29-fc90b4c2797c | Microsoft Managed Control 1205 - Access Restrictions For Change | Signed Components | Microsoft implements this Configuration Management control | Fixed: audit | none |
| Regulatory Compliance | 84e622c8-4bed-417c-84c6-b2fb0dd73682 | Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. Access To Non-Priv. Accts. - Replay | Microsoft implements this Identification and Authentication control | Fixed: audit | none |
| Regulatory Compliance | 59721f87-ae25-4db0-a2a4-77cc5b25d495 | Microsoft Managed Control 1463 - Monitoring Physical Access | Microsoft implements this Physical and Environmental Protection control | Fixed: audit | none |
| Regulatory Compliance | 5983d99c-f39b-4c32-a3dc-170f19f6941b | Microsoft Managed Control 1425 - Timely Maintenance | Microsoft implements this Maintenance control | Fixed: audit | none |
| Regulatory Compliance | 84914fb4-12da-4c53-a341-a9fd463bed10 | Microsoft Managed Control 1024 - Account Management | Account Monitoring / Atypical Usage | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 845f6359-b764-4b40-b579-657aefe23c44 | Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 5a8324ad-f599-429b-aaed-f9c6e8c987a8 | Microsoft Managed Control 1512 - Personnel Screening | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 84363adb-dde3-411a-9fc1-36b56737f822 | Microsoft Managed Control 1098 - Security Training Records | Microsoft implements this Awareness and Training control | Fixed: audit | none |
| Regulatory Compliance | 5aa85661-d618-46b8-a20f-ca40a86f0751 | Microsoft Managed Control 1032 - Separation Of Duties | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 5afa8cab-1ed7-4e40-884c-64e0ac2059cc | Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 831e510e-db41-4c72-888e-a0621ab62265 | Microsoft Managed Control 1262 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | Fixed: audit | none |
| Regulatory Compliance | 6e8f9566-29f1-49cd-b61f-f8628a3cf993 | Microsoft Managed Control 1530 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | Fixed: audit | none |
| Regulatory Compliance | 5b626abc-26d4-4e22-9de8-3831818526b1 | Microsoft Managed Control 1005 - Account Management | Microsoft implements this Access Control control | Fixed: audit | none |
| Regulatory Compliance | 5b73f57b-587d-4470-a344-0b0ae805f459 | Microsoft Managed Control 1105 - Audit Events | Microsoft implements this Audit and Accountability control | Fixed: audit | none |
| Regulatory Compliance | 5b879b41-2728-41c5-ad24-9ee2c37cbe65 | Microsoft Managed Control 1433 - Media Transport | Microsoft implements this Media Protection control | Fixed: audit | none |
| Regulatory Compliance | 841392b3-40da-4473-b328-4cde49db67b3 | Microsoft Managed Control 1382 - Incident Response Plan | Microsoft implements this Incident Response control | Fixed: audit | none |
| Regulatory Compliance | 5bbda922-0172-4095-89e6-5b4a0bf03af7 | Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability | Microsoft implements this Risk Assessment control | Fixed: audit | none |
| Regulatory Compliance | 5c5bbef7-a316-415b-9b38-29753ce8e698 | Microsoft Managed Control 1671 - Flaw Remediation | Microsoft implements this System and Information Integrity control | Fixed: audit | none |
| Regulatory Compliance | 8356cfc6-507a-4d20-b818-08038011cd07 | Microsoft Managed Control 1008 - Account Management | Microsoft implements this Access Control control | Fixed: audit | none |
| Search | b4330a05-a843-4bc8-bf9a-cacce50c67f4 | Diagnostic logs in Search services should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 201ea587-7c90-41c3-910f-c280ae01cfd6 | [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM | Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 224da9fe-0d38-4e79-adb3-0a6e2af942ac | [Deprecated]: Audit API Apps that are not using custom domains | Use of custom domains protects a API app from common attacks such as phishing and other DNS-related attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Azure Security Center alerts | Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
| Security Center | 22730e10-96f6-4aac-ad84-9383d35b5917 | Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Azure Security Center recommendations | Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
| Security Center | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Advanced threat protection should be enabled on Key Vault | Advanced threat protection standard tier should be enabled on Key Vault. This provides an additional layer of protection of security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 9daedab3-fb2d-461e-b861-71790eead4f6 | Access through Internet facing endpoint should be restricted | Azure Security center has identified some of your Network Security Groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 001802d1-4969-4c82-a700-c29c6c6f9bbd | [Deprecated]: Audit Web Sockets state for a Function App | The Web Sockets protocol is vulnerable to different types of security threats. Use of Web Sockets within an Function app must be carefully reviewed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 86b3d65f-7626-441e-b690-81a8b71cff60 | System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616 | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
| Security Center | 08b17839-76c6-4015-90e0-33d9d54d219c | [Deprecated]: Audit Web Applications that are not using latest supported PHP Framework | Use the latest supported PHP version for the latest security classes. Using older classes and types can make your application vulnerable. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 09024ccc-0c5f-475e-9457-b7c0d9ed487b | There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 0961003e-5a0a-4549-abde-af6a37f2724d | Disk encryption should be applied on virtual machines | VMs without an enabled disk encryption will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 9297c21d-2ed6-4474-b48f-163f75654ce3 | MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations | Enable export to Log Analytics workspace of Azure Security Center alerts and/or recommendations. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
| Security Center | 1de7b11d-1870-41a5-8181-507e7c663cfb | [Deprecated]: Audit API Applications that are not using latest supported .NET Framework | Use the latest supported .NET Framework version for the latest security classes. Using older classes and types can make your application vulnerable. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | feedbf84-6b99-488c-acc2-71c829aa5ffc | Vulnerabilities on your SQL databases should be remediated | Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | Advanced data security should be enabled on Azure SQL Database servers | Advanced data security standard tier should be enabled on Azure SQL Database servers. This provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat on SQL database and discovering and classifying sensitive data. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea | [Preview]: Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Security Center | fb893a29-21bb-418c-a157-e99480ec364c | [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ | Default: Audit Allowed: (Audit,Disabled) |
none |
| Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Whitelisting rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to whitelist in adaptive application control policies. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | f8456c1c-aa66-4dfb-861a-25d127b775c9 | External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 9bfe3727-0a17-471f-a2fe-eddd6b668745 | [Deprecated]: Audit API Applications that are not using latest supported Java Framework | Use the latest supported Java version for the latest security classes. Using older classes and types can make your application vulnerable. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 1a833ff1-d297-4a0f-9944-888428f8e0ff | [Deprecated]: Access to App Services should be restricted | Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges that are too broad | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 760a85ff-6162-42b3-8d70-698e268f648c | Vulnerabilities should be remediated by a Vulnerability Assessment solution | Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 0b15565f-aa9e-48ba-8619-45960f2c314d | Email notification to subscription owner for high severity alerts should be enabled | Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | A security contact email address should be provided for your subscription | Enter an email address to receive notifications when Azure Security Center detects compromised resources | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 6df2fee6-a9ed-4fef-bced-e13be1b25f1c | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
| Security Center | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 475aae12-b88a-4572-8b36-9b712b2b3a17 | Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription | Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security data | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 46544d7b-1f0d-46f5-81da-5c1351de1b06 | [Deprecated]: Audit Web Applications that are not using latest supported Python Framework | Use the latest supported Python version for the latest security classes. Using older classes and types can make your application vulnerable. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 2fde8a98-6892-426a-83ba-050e640c0ce0 | [Deprecated]: Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | Advanced threat protection should be enabled on Storage accounts | Advanced threat protection standard tier should be enabled on Storage accounts. This provides detections of unusual and potentially harmful attempts to access or exploit Storage accounts. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 3fe37002-5d00-4b37-a301-da09e3a0ca66 | [Deprecated]: Audit API Applications that are not using latest supported PHP Framework | Use the latest supported PHP version for the latest security classes. Using older classes and types can make your application vulnerable. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | e3576e28-8b17-4677-84c3-db2990658d64 | MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | aa633080-8b72-40c4-a2d7-d00c03e80bed | MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349 | [Preview]: Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | abcc6037-1fc4-47f6-aac5-89706589be24 | [Deprecated]: Automatic provisioning of security monitoring agent | Installs security agent on VMs for advanced security alerts and preventions in Azure Security Center. Applies only for subscriptions that use Azure Security Center. | Fixed: AuditIfNotExists | none |
| Security Center | 44452482-524f-4bf4-b852-0bff7cc4a3ed | [Deprecated]: Monitor permissive network access in Azure Security Center | Network Security Groups with too permissive rules will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Azure Security Center alerts and recommendations | Enable export to Event Hub of Azure Security Center alerts and/or recommendations. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
| Security Center | ac076320-ddcf-4066-b451-6154267e8ad2 | Enable Azure Security Center on your subscription | Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard), will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. | Fixed: deployIfNotExists | Security Admin |
| Security Center | 664346d9-be92-43fb-a219-d595eeb76a90 | [Deprecated]: Audit IP restrictions configuration for a Function App | IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a Function app from common attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | a8bef009-a5c9-4d0f-90d7-6018734e8a16 | [Deprecated]: Monitor unencrypted SQL databases in Azure Security Center | Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent Data Encryption on SQL databases should be enabled' | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | b4d66858-c922-44e3-9566-5cdb7a7be744 | A security contact phone number should be provided for your subscription | Enter a phone number to receive notifications when Azure Security Center detects compromised resources | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 6581d072-105e-4418-827f-bd446d56421b | Advanced data security should be enabled on SQL Server on Virtual Machines | Advanced data security standard tier should be enabled on SQL Server on Virtual Machines. This provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to SQL database and discovering and classifying sensitive data. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 655cb504-bcee-4362-bd4c-402e6aa38759 | [Deprecated]: Audit missing blob encryption for storage accounts | This policy is no longer necessary because storage blob encryption is enabled by default and cannot be turned off. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Security Center | dd2ea520-6b06-45c3-806e-ea297c23e06a | [Deprecated]: Audit Web Applications that are not using custom domains | Use of custom domains protects a web application from common attacks such as phishing and other DNS-related attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | b48334a4-911b-4084-b1ab-3e6a4e50b951 | [Deprecated]: Audit Web Sockets state for an API App | The Web Sockets protocol is vulnerable to different types of security threats. Use of Web Sockets within an API app must be carefully reviewed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 5df82f4f-773a-4a2d-97a2-422a806f1a55 | [Deprecated]: Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 5e3315e0-a414-4efb-a4d2-c7bd2b0443d2 | [Deprecated]: Audit Web Applications that are not using latest supported .NET Framework | Use the latest supported .NET Framework version for the latest security classes. Using older classes and types can make your application vulnerable. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | af6cd1bd-1635-48cb-bde7-5b15693900b9 | Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | d1cb47db-b7a1-4c46-814e-aad1c0e84f3c | [Deprecated]: Audit Function Apps that are not using custom domains | Use of custom domains protects a Function app from common attacks such as phishing and other DNS-related attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | af8051bf-258b-44e2-a2bf-165330459f9d | [Deprecated]: Monitor unaudited SQL servers in Azure Security Center | SQL servers which don't have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Auditing should be enabled on advanced data security settings on SQL Server' | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 3abeb944-26af-43ee-b83d-32aaf060fb94 | [Preview]: Pod Security Policies should be defined on Kubernetes Services | Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Security Center | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | b0f33259-77d7-4c9e-aac6-3aabcfae693c | Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | [Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Security Center | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 6a8450e2-6c61-43b4-be65-62e3a197bffe | [Deprecated]: Audit IP restrictions configuration for a Web Application | IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects a web application from common attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | bc0378bb-d7ab-4614-a0f6-5a6e3f02d644 | [Deprecated]: Audit API Applications that are not using latest supported Python Framework | Use the latest supported Python version for the latest security classes. Using older classes and types can make your application vulnerable. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | bb91dfba-c30d-4263-9add-9c2384e659a6 | Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | e8cbc669-f12d-49eb-93e7-9273119e9933 | Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Advanced threat protection should be enabled on App Service | Advanced threat protection standard tier should be enabled on App Service. This provides real-time threat protection for App Service workloads and generates hardening recommendations as well as alerts for suspicious activities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | Advanced threat protection should be enabled on Virtual Machines | Advanced threat protection standard tier should be enabled on Virtual Machines. This provides real-time threat protection for virtual machine workloads and generates hardening recommendations as well as alerts about suspicious activities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | e797f851-8be7-4c40-bb56-2e3395215b0e | [Deprecated]: Audit Web Sockets state for a Web Application | The Web Sockets protocol is vulnerable to different types of security threats. Use of Web Sockets within a web application must be carefully reviewed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | Email notification for high severity alerts should be enabled | Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risks | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | bd352bd5-2853-4985-bf0d-73806b4a5744 | IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | a1181c5f-672a-477a-979a-7d58aa086233 | Security Center standard pricing tier should be selected | The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center | Default: Audit Allowed: (Audit,Disabled) |
none |
| Security Center | be0a7681-bed4-48dc-9ff3-f0171ee170b6 | [Deprecated]: Audit Web Applications that are not using latest supported Java Framework | Use the latest supported Java version for the latest security classes. Using older classes and types can make your application vulnerable. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 48893b84-a2c8-4d9a-badf-835d5d1b7d53 | [Deprecated]: Audit IP restrictions configuration for an API App | IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. Use of IP Restrictions protects an API app from common attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | Advanced threat protection should be enabled on Azure Kubernetes Service | Advanced threat protection standard tier should be enabled on Azure Kubernetes Service. This provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | e71308d3-144b-4262-b144-efdc3cc90517 | Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | Advanced threat protection should be enabled on Azure Container Registry | Advanced threat protection standard tier should be enabled on Azure Container Registry. This provides scanning of container registries for security vulnerabilities on each pushed container image and exposes detailed findings per image. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 4f11b553-d42e-4e3a-89be-32ca364cad4c | A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | e67687e8-08d5-4e7f-8226-5b4753bba008 | [Deprecated]: Audit Web Applications that are not using latest supported Node.js Framework | Use the latest supported Node.js version for the latest security classes. Using older classes and types can make your application vulnerable. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | [Preview] Vulnerability Assessment should be enabled on Virtual Machines | Monitors vulnerabilities detected by Azure Security Center Vulnerability Assessment on Virtual Machines | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | c85538c1-b527-4ce4-bdb4-1dabcb3fd90d | [Deprecated]: API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 26a828e1-e88f-464e-bbb3-c134a282b9de | Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for whitelisting safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Service Bus | a1817ec0-a368-432a-8057-8371e17ac6ee | All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace | Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Service Bus | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | Diagnostic logs in Service Bus should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Service Fabric | 617c02be-7f02-4efd-8836-3180d47b6c68 | Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Service Fabric | b54ed75b-3e1a-44ac-a333-05ba39b99ff0 | Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private links | Audit Azure SignalR Service resources that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/asrs/privatelink. | Default: Audit Allowed: (Audit,Disabled) |
none |
| SQL | 0a1302fb-a631-4106-9753-f3d494733990 | Private endpoint should be enabled for MariaDB servers | This policy audits MariaDB servers not configured to use a private endpoint. For more details, visit https://aka.ms/mariadbprivatelink. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | c8343d2f-fdc9-4a97-b76f-fc71d1163bfc | [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 0564d078-92f5-4f97-8398-b9f58a51f70b | Private endpoint should be enabled for PostgreSQL servers | This policy audits PostgreSQL servers not configured to use a private endpoint. For more details, visit https://aka.ms/pgprivatelink. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | Public network access should be disabled for MariaDB servers | This policy audits MariaDB servers in your environment with public network access enabled. For more details, visit https://go.microsoft.com/fwlink/?linkid=2119542. | Default: Audit Allowed: (Audit,Disabled) |
none |
| SQL | d38fc420-0735-4ef3-ac11-c806f651a570 | Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf | [Deprecated]: Require SQL Server version 12.0 | This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version other than 12.0. | Fixed: Deny | none |
| SQL | 48af4db5-9b8b-401c-8e74-076be876a430 | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | This policy audits any Azure Database for PostgreSQL with geo-redundant backup not enabled. | Default: Audit Allowed: (Audit,Disabled) |
none |
| SQL | 5345bb39-67dc-4960-a1bf-427e16b9a0bd | Connection throttling should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 048248b0-55cd-46da-b1ff-39efd52db260 | SQL Managed Instance TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | d158790f-bfb0-486c-8631-2dc6b4e8e6af | Enforce SSL connection should be enabled for PostgreSQL database servers | This policy audits any PostgreSQL server that is not enforcing SSL connection. Azure Database for PostgreSQL prefers connecting your client applications to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man-in-the-middle' attacks by encrypting the data stream between the server and your application | Default: Audit Allowed: (Audit,Disabled) |
none |
| SQL | 06a78e20-9358-41c9-923c-fb736d382a12 | [Deprecated]: Audit SQL DB Level Audit Setting | Audit DB level audit setting for SQL databases | Fixed: AuditIfNotExists | none |
| SQL | 82339799-d096-41ae-8538-b108becf0970 | Geo-redundant backup should be enabled for Azure Database for MySQL | This policy audits any Azure Database for MySQL with geo-redundant backup not enabled. | Default: Audit Allowed: (Audit,Disabled) |
none |
| SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | Bring your own key data protection should be enabled for MySQL servers | This policy audits MySQL servers in your environment without bring your own key data protection enabled. For more details, visit https://aka.ms/mysqlbyok. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 86a912f6-9a06-4e26-b447-11b16ba8659f | Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases | Fixed: DeployIfNotExists | SQL DB Contributor |
| SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | This policy audits PostgreSQL servers in your environment with public network access enabled. For more details, visit https://go.microsoft.com/fwlink/?linkid=2120015. | Default: Audit Allowed: (Audit,Disabled) |
none |
| SQL | bda18df3-5e41-4709-add9-2554ce68c966 | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings | It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 7ff426e2-515f-405a-91c8-4f2333442eb5 | SQL Auditing settings should have Action-Groups configured to capture critical activities | The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 89099bee-89e0-4b26-a5f4-165451757743 | SQL servers should be configured with auditing retention days greater than 90 days. | Audit SQL servers configured with an auditing retention period of less than 90 days. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d | Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 9a7c7a7d-49e5-4213-bea8-6a502b6272e0 | Deploy Diagnostic Settings for Azure SQL Database to Event Hub | Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is created or updated. | Fixed: DeployIfNotExists | Contributor |
| SQL | 3375856c-3824-4e0e-ae6a-79e011dd4c47 | MySQL server should use a virtual network service endpoint | This policy audits MySQL servers not configured to use a virtual network service endpoint. For more details, visit https://aka.ms/mysqlvnet. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 17k78e20-9358-41c9-923c-fb736d382a12 | Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 0d134df8-db83-46fb-ad72-fe0c9428c8dd | SQL server TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | f4c68484-132f-41f9-9b6d-3e4b1cb55036 | Deploy Auditing on SQL servers | This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same region as the SQL server to store audit records. | Fixed: DeployIfNotExists | SQL Security Manager Storage Account Contributor |
| SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | Bring your own key data protection should be enabled for PostgreSQL servers | This policy audits PostgreSQL servers in your environment without bring your own key data protection enabled. For more details, visit https://aka.ms/postgresqlbyok. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 77e8b146-0078-4fb2-b002-e112381199f0 | Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. | Fixed: AuditIfNotExists | none |
| SQL | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 1b7aa243-30e4-4c9e-bca8-d0d3022b634a | Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Fixed: audit | none |
| SQL | e756b945-1b1b-480b-8de8-9a0859d5f7ad | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Fixed: audit | none |
| SQL | e802a67a-daf5-4436-9ea6-f6d821dd0c5d | Enforce SSL connection should be enabled for MySQL database servers | This policy audits any MySQL server that is not enforcing SSL connection. Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. | Default: Audit Allowed: (Audit,Disabled) |
none |
| SQL | dfbd9a64-6114-48de-a47d-90574dc2e489 | MariaDB server should use a virtual network service endpoint | This policy audits MariaDB servers not configured to use a virtual network service endpoint. For more details, visit https://aka.ms/mariadbvirtualnetwork. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | Advanced data security should be enabled on your SQL servers | Audit SQL servers without Advanced Data Security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 7595c971-233d-4bcf-bd18-596129188c49 | Private endpoint should be enabled for MySQL servers | This policy audits MySQL servers not configured to use a private endpoint. For more details, visit https://aka.ms/mysqlprivatelink. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | Deploy Threat Detection on SQL servers | This policy ensures that Threat Detection is enabled on SQL Servers. | Fixed: DeployIfNotExists | SQL Security Manager |
| SQL | 6134c3db-786f-471e-87bc-8f479dc890f6 | Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. | Fixed: DeployIfNotExists | SQL Security Manager Storage Account Contributor |
| SQL | 3c14b034-bcb6-4905-94e7-5b8e98a47b65 | PostgreSQL server should use a virtual network service endpoint | This policy audits PostgreSQL servers not configured to use a virtual network service endpoint. For more details, visit https://aka.ms/postgresqlvnet. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | Geo-redundant backup should be enabled for Azure Database for MariaDB | This policy audits any Azure Database for MariaDB with geo-redundant backup not enabled. | Default: Audit Allowed: (Audit,Disabled) |
none |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3 | Log duration should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_duration setting enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 | Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 | [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | aeb23562-188d-47cb-80b8-551f16ef9fff | [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL Managed Instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e442 | Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | d9844e8a-1437-4aeb-a32c-0c992f056095 | Public network access should be disabled for MySQL servers | This policy audits MySQL servers in your environment with public network access enabled. For more details, visit https://go.microsoft.com/fwlink/?linkid=2120014. | Default: Audit Allowed: (Audit,Disabled) |
none |
| SQL | 9677b740-f641-4f3c-b9c5-466005c85278 | [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
| SQL | abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 | Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Storage | 404c3081-a854-4457-ae30-26a93ef643f9 | Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Storage | bf045164-79ba-4215-8f95-f8048dc1780b | Geo-redundant storage should be enabled for Storage Accounts | This policy audits any Storage Account with geo-redundant storage not enabled. | Default: Audit Allowed: (Audit,Disabled) |
none |
| Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Storage | 361c2074-3595-4e5d-8cab-4f21dffc835c | Deploy Advanced Threat Protection on Storage Accounts | This policy enables Advanced Threat Protection on Storage Accounts. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Security Admin |
| Storage | 7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f | [Deprecated]: Require blob encryption for storage accounts | This policy ensures blob encryption for storage accounts is turned on. It only applies to Microsoft.Storage resource types, not other storage providers. This policy is deprecated because storage blob encryption is now enabled by default, and can no longer be disabled. | Fixed: deny | none |
| Storage | 7433c107-6db4-4ad1-b57a-a76dce0154a1 | Allowed storage account SKUs | This policy enables you to specify a set of storage account SKUs that your organization can deploy. | Fixed: Deny | none |
| Storage | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Storage | c9d007d0-c057-4772-b18c-01e546713bcd | Storage accounts should allow access from trusted Microsoft services | Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
| Stream Analytics | f9be5368-9bf5-4b84-9e0a-7850da98bb46 | Diagnostic logs in Azure Stream Analytics should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
| Tags | 9ea02ca2-71db-412d-8b00-7c7ca9fcd32d | Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append | none |
| Tags | 871b6d14-10aa-478d-b590-94f262ecfa99 | Require a tag on resources | Enforces existence of a tag. Does not apply to resource groups. | Fixed: deny | none |
| Tags | 8ce3da23-7156-49e4-b145-24f95f9dcb46 | Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | Fixed: deny | none |
| Tags | ea3f2387-9b95-492a-a190-fcdc54f7b070 | Inherit a tag from the resource group if missing | Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | Fixed: modify | Contributor |
| Tags | 5ffd78d9-436d-4b41-a421-5baa819e3008 | Add or replace a tag on resources | Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does not modify tags on resource groups. | Fixed: modify | Contributor |
| Tags | 2a0e14a6-b0a6-4fab-991a-187a4f81c498 | Append a tag and its value to resources | Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append | none |
| Tags | 49c88fc8-6fd1-46fd-a676-f12d1d3a4c71 | Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append | none |
| Tags | 4f9dc7db-30c1-420c-b61a-e1d640128d26 | Add a tag to resources | Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups. | Fixed: modify | Contributor |
| Tags | cd3aa116-8754-49c9-a813-ad46512ece54 | Inherit a tag from the resource group | Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | Fixed: modify | Contributor |
| Tags | cd8dc879-a2ae-43c3-8211-1877c5755064 | [Deprecated]: Allow resource creation if 'department' tag set | Allows resource creation only if the 'department' tag is set | Fixed: Deny | none |
| Tags | ac7e5fc0-c029-4b12-91d4-a8500ce697f9 | [Deprecated]: Allow resource creation if 'environment' tag value in allowed values | Allows resource creation if the 'environment' tag is set to one of the following values: production, dev, test, staging | Fixed: Deny | none |
| Tags | d157c373-a6c4-483d-aaad-570756956268 | Add or replace a tag on resource groups | Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task. | Fixed: modify | Contributor |
| Tags | 726aca4c-86e9-4b04-b0c5-073027359532 | Add a tag to resource groups | Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | Fixed: modify | Contributor |
| Tags | 40df99da-1232-49b1-a39a-6da8d878f469 | Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | Fixed: modify | Contributor |
| Tags | b27a0cbd-a167-4dfa-ae64-4337be671140 | Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | Fixed: modify | Contributor |
| Tags | 1e30110a-5ceb-460c-a204-c1c3969c6d62 | Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | Fixed: deny | none |
| Tags | 96670d01-0a4d-4649-9c89-2d3abc0a5025 | Require a tag on resource groups | Enforces existence of a tag on resource groups. | Fixed: deny | none |
| VM Image Builder | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder templates should use private link | Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead which may expose resources directly to the internet and increase the potential attack surface. | Default: Audit Allowed: (Audit,Disabled) |
none |