Policy sources:

- BuiltIn: 77 categories
- Azure Landing Zones (ALZ): 15 categories
- Community: 45 categories
| Category | Category txt | Id | Display name | Description | Effect | Roles | Rule Aliases | Rule ResourceTypes | Compliance | State | Type |
|---|---|---|---|---|---|---|---|---|---|---|---|
| API for FHIR | API for FHIR | 051cba44-2429-45b9-9649-46cec11c7119 | Azure API for FHIR should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | Default: Audit; Allowed: audit, Audit, disabled, Disabled | | IF (1) •Microsoft.HealthcareApis/services/cosmosDbConfiguration.keyVaultKeyUri | IF (1) •Microsoft.HealthcareApis/services | count: 7 CMMC_2.0_L2_SC.L2-3.13.10, CMMC_L3_SC.3.177, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12 | GA | BuiltIn |
| API for FHIR | API for FHIR | 1ee56206-5dd1-42ab-b02d-8aae8b1634ce | Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Default: Audit; Allowed: Audit, Disabled | | IF (2) •Microsoft.HealthcareApis/services/privateEndpointConnections[*] •Microsoft.HealthcareApis/services/privateEndpointConnections[*].privateLinkServiceConnectionState.status | IF (1) •Microsoft.HealthcareApis/services | count: 38 CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_SS-3, NZISM_Security_Benchmark_v1.1_SS-3 | GA | BuiltIn |
| API for FHIR | API for FHIR | 0fea8f8a-4169-495d-8307-30ec335f387d | CORS should not allow every domain to access your API for FHIR | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. | Default: Audit; Allowed: audit, Audit, disabled, Disabled | | IF (1) •Microsoft.HealthcareApis/services/corsConfiguration.origins[*] | IF (1) •Microsoft.HealthcareApis/services | count: 5 CMMC_L3_AC.1.001, CMMC_L3_AC.1.002, CMMC_L3_AC.2.016, CMMC_L3_CM.3.068, CMMC_L3_SC.3.183 | GA | BuiltIn |
| API Management | API Management | ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 | API Management APIs should use only encrypted protocols | To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. | Default: Audit; Allowed: Audit, Disabled, Deny | | IF (1) •Microsoft.ApiManagement/service/apis/protocols[*] | | count: 1 Azure_Security_Benchmark_v3.0_DP-3 | GA | BuiltIn |
| API Management | API Management | c15dcc82-b93c-4dcb-9332-fbf121685b54 | API Management calls to API backends should be authenticated | Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. | Default: Audit; Allowed: Audit, Disabled, Deny | | IF (5) •Microsoft.ApiManagement/service/backends/credentials.authorization.parameter •Microsoft.ApiManagement/service/backends/credentials.authorization.scheme •Microsoft.ApiManagement/service/backends/credentials.certificate •Microsoft.ApiManagement/service/backends/protocol •Microsoft.ApiManagement/service/backends/url | | count: 1 Azure_Security_Benchmark_v3.0_IM-4 | GA | BuiltIn |
| API Management | API Management | 92bb331d-ac71-416a-8c91-02f2cb734ce4 | API Management calls to API backends should not bypass certificate thumbprint or name validation | To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. | Default: Audit; Allowed: Audit, Disabled, Deny | | IF (2) •Microsoft.ApiManagement/service/backends/tls.validateCertificateChain •Microsoft.ApiManagement/service/backends/tls.validateCertificateName | | count: 1 Azure_Security_Benchmark_v3.0_IM-4 | GA | BuiltIn |
| API Management | API Management | b741306c-968e-4b67-b916-5675e5c709f4 | API Management direct management endpoint should not be enabled | The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. | Default: Audit; Allowed: Audit, Disabled, Deny | | IF (1) •Microsoft.ApiManagement/service/tenant/enabled | | count: 1 Azure_Security_Benchmark_v3.0_PV-2 | GA | BuiltIn |
| API Management | API Management | 549814b6-3212-4203-bdc8-1548d342fb67 | API Management minimum API version should be set to 2019-12-01 or higher | To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (2) •Microsoft.ApiManagement/service/apiVersionConstraint.minApiVersion •Microsoft.ApiManagement/service/sku.name | IF (1) •Microsoft.ApiManagement/service | count: 2 Azure_Security_Benchmark_v3.0_IM-8, Azure_Security_Benchmark_v3.0_PV-2 | GA | BuiltIn |
| API Management | API Management | f1cc7827-022c-473e-836e-5a51cae0b249 | API Management secret named values should be stored in Azure Key Vault | Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. | Default: Audit; Allowed: Audit, Disabled, Deny | | IF (4) •Microsoft.ApiManagement/service/namedValues/displayName •Microsoft.ApiManagement/service/namedValues/keyVault •Microsoft.ApiManagement/service/namedValues/keyVault.secretIdentifier •Microsoft.ApiManagement/service/namedValues/secret | | count: 2 Azure_Security_Benchmark_v3.0_DP-6, Azure_Security_Benchmark_v3.0_IM-8 | GA | BuiltIn |
| API Management | API Management | 73ef9241-5d81-4cd4-b483-8443d1730fe5 | API Management service should use a SKU that supports virtual networks | With supported SKUs of API Management, deploying the service into a virtual network unlocks advanced API Management networking and security features, which gives you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.ApiManagement/service/sku.name | IF (1) •Microsoft.ApiManagement/service | | GA | BuiltIn |
| API Management | API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet-routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (2) •Microsoft.ApiManagement/service/sku.name •Microsoft.ApiManagement/service/virtualNetworkType | IF (1) •Microsoft.ApiManagement/service | count: 27 Azure_Security_Benchmark_v2.0_NS-1, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7, RMiT_v1.0_10.33 | GA | BuiltIn |
| API Management | API Management | df73bd95-24da-4a4f-96b9-4e8b94b402bd | API Management should disable public network access to the service configuration endpoints | To improve the security of API Management services, restrict connectivity to service configuration endpoints, like the direct access management API, the Git configuration management endpoint, or the self-hosted gateways configuration endpoint. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | IF (1) •Microsoft.ApiManagement/service/sku.name THEN-ExistenceCondition (1) •Microsoft.ApiManagement/service/tenant/enabled | IF (1) •Microsoft.ApiManagement/service | count: 1 Azure_Security_Benchmark_v3.0_NS-2 | GA | BuiltIn |
| API Management | API Management | ffe25541-3853-4f4e-b71d-064422294b11 | API Management should have username and password authentication disabled | To better secure the developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. | Default: Audit; Allowed: Audit, Disabled | | IF (1) •Microsoft.ApiManagement/service/portalconfigs/enableBasicAuth | | | GA | BuiltIn |
| API Management | API Management | 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 | API Management subscriptions should not be scoped to all APIs | API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in excessive data exposure. | Default: Audit; Allowed: Audit, Disabled, Deny | | IF (2) •Microsoft.ApiManagement/service/subscriptions/scope •Microsoft.ApiManagement/service/subscriptions/state | | count: 1 Azure_Security_Benchmark_v3.0_PA-7 | GA | BuiltIn |
| API Management | API Management | f9869580-d1e9-491a-91b5-d212d8acd27e | Audit - Sample Products should be removed from API Management | API Management includes two sample products, Starter and Unlimited. Accidentally adding APIs to these sample products may expose APIs more than intended. | Default: Audit; Allowed: Audit, Disabled | | IF (1) •Microsoft.ApiManagement/service/products/displayName | | | GA | Community |
| API Management | API Management | 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 | Configure API Management services to disable access to API Management public service configuration endpoints | To improve the security of API Management services, restrict connectivity to service configuration endpoints, like the direct access management API, the Git configuration management endpoint, or the self-hosted gateways configuration endpoint. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •API Management Service Contributor | IF (1) •Microsoft.ApiManagement/service/sku.name THEN-ExistenceCondition (1) •Microsoft.ApiManagement/service/tenant/enabled | IF (1) •Microsoft.ApiManagement/service | | GA | BuiltIn |
| API Management | API Management | 830fdfd0-7e40-405a-89d0-893aae0fc1fb | Configure ReadOnly lock for API Management's subnet | Deploy a ReadOnly resource lock for API Management's configured subnet. | Default: DeployIfNotExists; Allowed: AuditIfNotExists, DeployIfNotExists, Disabled | count: 2 •Contributor •User Access Administrator | THEN-ExistenceCondition (1) •Microsoft.Authorization/locks/level | IF (1) •Microsoft.ApiManagement/service THEN-Deployment (1) •Microsoft.Authorization/locks | | GA | Community |
| API Management | API Management | b525e077-ad27-4116-bdd1-83cfa9c86bfc | Deny - Enforcing Internal VPN | The policy enforces that the API Management resource is deployed in an internal virtual network: no public endpoint and no external virtual network. | Default: Deny; Allowed: Deny, Audit, Disabled | | IF (1) •Microsoft.ApiManagement/service/virtualNetworkType | IF (1) •Microsoft.ApiManagement/service | | GA | Community |
| API Management | API Management | 1b0d74ac-4b43-4c39-a15f-594385adc38d | Modify API Management to disable username and password authentication | To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. | Default: Modify; Allowed: Modify | count: 1 •Contributor | IF (1) •Microsoft.ApiManagement/service/portalconfigs/enableBasicAuth THEN-Operations (1) •Microsoft.ApiManagement/service/portalconfigs/enableBasicAuth | | | GA | BuiltIn |
| App Configuration | App Configuration | 3d9f5e4c-9947-4579-9539-2a7695fbc187 | App Configuration should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.AppConfiguration/configurationStores/publicNetworkAccess | IF (1) •Microsoft.AppConfiguration/configurationStores | count: 1 RMiT_v1.0_10.54 | GA | BuiltIn |
| App Configuration | App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.AppConfiguration/configurationStores/encryption.keyVaultProperties.keyIdentifier | IF (1) •Microsoft.AppConfiguration/configurationStores | count: 2 RBI_ITF_NBFC_v2017_3.1.h, RMiT_v1.0_10.53 | GA | BuiltIn |
| App Configuration | App Configuration | 89c8a434-18f0-402c-8147-630a8dea54e0 | App Configuration should use a SKU that supports private link | When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.AppConfiguration/configurationStores/sku.name | IF (1) •Microsoft.AppConfiguration/configurationStores | | GA | BuiltIn |
| App Configuration | App Configuration | ca610c1d-041c-4332-9d88-7ed3094967c7 | App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.AppConfiguration/configurationStores | count: 43 Azure_Security_Benchmark_v2.0_NS-2, Azure_Security_Benchmark_v2.0_NS-3, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7 | GA | BuiltIn |
| App Configuration | App Configuration | b08ab3ca-1062-4db3-8803-eec9cae605d6 | App Configuration stores should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.AppConfiguration/configurationStores/disableLocalAuth | IF (1) •Microsoft.AppConfiguration/configurationStores | | GA | BuiltIn |
| App Configuration | App Configuration | 72bc14af-4ab8-43af-b4e4-38e7983f9a1f | Configure App Configuration stores to disable local authentication methods | Disable local authentication methods so that your App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. | Default: Modify; Allowed: Modify, Disabled | count: 1 •Contributor | IF (1) •Microsoft.AppConfiguration/configurationStores/disableLocalAuth THEN-Operations (1) •Microsoft.AppConfiguration/configurationStores/disableLocalAuth | IF (1) •Microsoft.AppConfiguration/configurationStores | | GA | BuiltIn |
| App Configuration | App Configuration | 73290fa2-dfa7-4bbb-945d-a5e23b75df2c | Configure App Configuration to disable public network access | Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect your stores against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: Modify; Allowed: Modify, Disabled | count: 1 •Contributor | IF (1) •Microsoft.AppConfiguration/configurationStores/publicNetworkAccess THEN-Operations (1) •Microsoft.AppConfiguration/configurationStores/publicNetworkAccess | IF (1) •Microsoft.AppConfiguration/configurationStores | count: 2 RMiT_v1.0_10.33, RMiT_v1.0_11.15 | GA | BuiltIn |
| App Configuration | App Configuration | 7a860e27-9ca2-4fc6-822d-c2d248c300df | Configure private DNS zones for private endpoints connected to App Configuration | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] | IF (1) •Microsoft.Network/privateEndpoints | | GA | BuiltIn |
| App Configuration | App Configuration | 614ffa75-862c-456e-ad8b-eaa1b0844b07 | Configure private endpoints for App Configuration | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Contributor | THEN-ExistenceCondition (1) •Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.AppConfiguration/configurationStores THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments | | GA | BuiltIn |
| App Platform | App Platform | 0f2d8593-4667-4932-acca-6a9f187af109 | [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled | Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. | Default: Audit; Allowed: Audit, Disabled | | IF (2) •Microsoft.AppPlatform/Spring/trace.enabled •Microsoft.AppPlatform/Spring/trace.state | IF (1) •Microsoft.AppPlatform/Spring | | Preview | BuiltIn |
| App Platform | App Platform | af35e2a4-ef96-44e7-a9ae-853dd97032c4 | Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from the Internet. 2. Enable Azure Spring Cloud to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Default: Audit; Allowed: Audit, Disabled, Deny | | IF (2) •Microsoft.AppPlatform/Spring/networkProfile.serviceRuntimeSubnetId •Microsoft.AppPlatform/Spring/sku.tier | IF (1) •Microsoft.AppPlatform/Spring | count: 22 Azure_Security_Benchmark_v2.0_NS-2, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7 | GA | BuiltIn |
| App Service | App Service | b7ddfbdc-1260-477d-91fd-98bd9be789a6 | [Deprecated]: API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network-layer eavesdropping attacks. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should only be accessible over HTTPS', which is scoped to include API apps in addition to Web Apps. | Default: Audit; Allowed: Audit, Disabled | | IF (1) •Microsoft.Web/sites/httpsOnly | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have 'Client Certificates (Incoming client certificates)' enabled', which is scoped to include API apps in addition to Web Apps. | Default: Audit; Allowed: Audit, Disabled | | IF (1) •Microsoft.Web/sites/clientCertEnabled | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | 324c7761-08db-4474-9661-d1039abc92ee | [Deprecated]: API apps should use an Azure file share for its content directory | The content directory of an API app should be located on an Azure file share. To learn more about using Azure Files for hosting app service content, refer to https://go.microsoft.com/fwlink/?linkid=2151594. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use an Azure file shares for its content directory', which is scoped to include API apps in addition to Web Apps. | Default: Audit; Allowed: Audit, Disabled | | IF (1) •Microsoft.Web/sites/storageAccountRequired | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | [Deprecated]: API apps that use Python should use the latest 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Python should use the latest 'Python version''. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd | [Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC 1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user-defined routes to be used for all outbound traffic from the App Service app. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/vnetRouteAllEnabled | IF (1) •Microsoft.Web/sites/slots | | Deprecated | BuiltIn |
| App Service | App Service | 33228571-70a4-4fa1-8ca1-26d0aba8d6ef | [Deprecated]: App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC 1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user-defined routes to be used for all outbound traffic from the App Service app. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/vnetRouteAllEnabled | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | d79ab062-dffd-4318-8344-f70de714c0bc | [Deprecated]: App Service should disable public network access | Disabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default: Audit; Allowed: Audit, Disabled | | IF (1) •Microsoft.Web/sites/config/PublicNetworkAccess | | | Deprecated | BuiltIn |
| App Service | App Service | 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7 | [Deprecated]: App Services should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/publicNetworkAccess | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | 752c6934-9bcc-4749-b004-655e676ae2ac | [Deprecated]: Audit enabling of diagnostic logs in App Services | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default: Audit; Allowed: Audit, Disabled | | IF (3) •Microsoft.Web/sites/config/detailedErrorLoggingEnabled •Microsoft.Web/sites/config/httpLoggingEnabled •Microsoft.Web/sites/config/requestTracingEnabled | | | Deprecated | BuiltIn |
| App Service | App Service | c4ebc54a-46e1-481a-bee2-d4411e95d828 | [Deprecated]: Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps should have authentication enabled', which is scoped to include API apps in addition to Web apps. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/siteAuthEnabled | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | 81dff7c0-4020-4b58-955d-c076a2136b56 | [Deprecated]: Configure App Services to disable public network access | Disable public network access for your App Services so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/publicNetworkAccess | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac | [Deprecated]: CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should not have CORS configured to allow every resource to access your apps', which is scoped to include API apps in addition to Web Apps. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.cors.allowedOrigins[*] | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 | [Deprecated]: Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (3) •Microsoft.Web/sites/config/detailedErrorLoggingEnabled •Microsoft.Web/sites/config/httpLoggingEnabled •Microsoft.Web/sites/config/requestTracingEnabled | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | 58d94fc1-a072-47c2-bd37-9cdb38e77453 | [Deprecated]: Ensure Function app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.minTlsVersion | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.netFrameworkVersion | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | 10c1859c-e1a7-4df3-ab97-a487fa8059f6 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.netFrameworkVersion | IF (1) •Microsoft.Web/sites | | Deprecated | BuiltIn |
| App Service | App Service | 843664e0-7563-41ee-a9cb-7522c382d2c4 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.netFrameworkVersion | | | | |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use latest 'HTTP Version'', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.http20Enabled |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Java should use the latest 'Java version'', which is scoped to include API apps in addition to Web apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps that use PHP should use the latest 'PHP version'', which is scoped to include API apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | ab965db2-d2bf-4b64-8b39-c38ec8179461 | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app | PHP cannot be used with Function apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (2) •Microsoft.Web/sites/config/web.linuxFxVersion •Microsoft.Web/sites/config/web.phpVersion |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | 86d97760-d216-4d81-a3ad-163087b2b6c3 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.managedServiceIdentityId |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | f0473e7a-a1ba-4e86-afb2-e829e11b01d8 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.managedServiceIdentityId |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | aa81768c-cb87-4ce2-bfaa-00baa10d760c | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.managedServiceIdentityId |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | 6ad61431-88ce-4357-a0e1-6da43f292bd7 | [Deprecated]: Ensure WEB app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.minTlsVersion |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | [Deprecated]: FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should require FTPS only', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/ftpsState |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | [Deprecated]: Latest TLS version should be used in your API App | Upgrade to the latest TLS version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use the latest TLS version', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/minTlsVersion |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | [Deprecated]: Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use managed identity', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (2) •Microsoft.Web/sites/config/managedServiceIdentityId •Microsoft.Web/sites/config/xmanagedServiceIdentityId |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | e9c8d085-d9cc-4b17-9cdc-059f1f01f19e | [Deprecated]: Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have remote debugging turned off', which is scoped to include API apps in addition to Web Apps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/remoteDebuggingEnabled |
IF (1) •Microsoft.Web/sites |
Deprecated | BuiltIn | ||
App Service | App Service | app-service_allowed-appservicesplan-skus | Allowed App Services Plan SKUs | This policy enables you to specify a set of App Services Plan SKUs that your organization can deploy. | Fixed Deny | IF (1) •Microsoft.Web/serverfarms/sku.name |
IF (1) •Microsoft.Web/serverfarms |
GA | Community | ||
App Service | App Service | Deny-AppServiceApiApp-http | API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Deny Allowed Audit, Disabled, Deny | IF (1) •Microsoft.Web/sites/httpsOnly |
IF (1) •Microsoft.Web/sites |
GA | ALZ | ||
App Service | App Service | 24b7a1c6-44fe-40cc-a2e6-242d2ef70e98 | App Service app slots should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Web/sites/slots/virtualNetworkSubnetId |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | 701a595d-38fb-4a66-ae6d-fb3735217622 | App Service app slots should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny | IF (1) •Microsoft.Web/sites/slots/publicNetworkAccess |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | 5747353b-1ca9-42c1-a4dd-b874b894f3d4 | App Service app slots should enable configuration routing to Azure Virtual Network | By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.Web/sites/slots/vnetContentShareEnabled •Microsoft.Web/sites/slots/vnetImagePullEnabled |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | f5c0bfb3-acea-47b1-b477-b0edcdf6edc1 | App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Web/sites/slots/vnetRouteAllEnabled |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | 2f7c08c2-f671-4282-9fdb-597b6ef2c10d | App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.Web/sites/slots/clientCertEnabled |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | ec71c0bc-6a45-4b1f-9587-80dc83e6898c | App Service app slots should have local authentication methods disabled for FTP deployments | Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | 847ef871-e2fe-4e6e-907e-4adbf71de5cf | App Service app slots should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods improves security by ensuring that App Service slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | a08ae1ab-8d1d-422b-a123-df82b307ba61 | App Service app slots should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.remoteDebuggingEnabled |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | d639b3af-a535-4bef-8dcf-15078cddf5e2 | App Service app slots should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | cae7c12e-764b-4c87-841a-fdc6675d196f | App Service app slots should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.cors.allowedOrigins[*] |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | ae1b9a8c-dfce-4605-bd91-69213b4a26fc | App Service app slots should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny | IF (1) •Microsoft.Web/sites/slots/httpsOnly |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | c285a320-8830-4665-9cc7-bbd05fc7c5c0 | App Service app slots should require FTPS only | Enable FTPS enforcement for enhanced security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/ftpsState |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | fd34e936-069e-4fe5-bac6-f7c9824caab6 | App Service app slots should use an Azure file share for its content directory | The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.Web/sites/slots/storageAccountRequired |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | 4dcfb8b5-05cd-4090-a931-2ec29057e1fc | App Service app slots should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.http20Enabled |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | 4a15c15f-90d5-4a1f-8b63-2903944963fd | App Service app slots should use managed identity | Use a managed identity for enhanced authentication security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (2) •Microsoft.Web/sites/slots/config/managedServiceIdentityId •Microsoft.Web/sites/slots/config/xmanagedServiceIdentityId |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | 4ee5b817-627a-435a-8932-116193268172 | App Service app slots should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/minTlsVersion |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | 46dad49f-8945-44d7-9bb1-2e1542f627d3 | App Service app slots that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | f466b2a6-823d-470d-8ea5-b031e72d79ae | App Service app slots that use PHP should use a specified 'PHP version' | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | 9c014953-ef68-4a98-82af-fd0f6b2306c8 | App Service app slots that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | 72d04c29-f87d-4575-9731-419ff16a2757 | App Service apps should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Web/sites/virtualNetworkSubnetId |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | ||
App Service | App Service | 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba | App Service apps should disable public network access | Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny | IF (1) •Microsoft.Web/sites/publicNetworkAccess |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | ||
App Service | App Service | 801543d1-1953-4a90-b8b0-8cf6d41473a5 | App Service apps should enable configuration routing to Azure Virtual Network | By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.Web/sites/vnetContentShareEnabled •Microsoft.Web/sites/vnetImagePullEnabled |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | ||
App Service | App Service | a691eacb-474d-47e4-b287-b4813ca44222 | App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Web/sites/vnetRouteAllEnabled |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | ||
App Service | App Service | 95bccee9-a7f8-4bec-9ee9-62c3473701fc | App Service apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/siteAuthEnabled |
IF (1) •Microsoft.Web/sites |
count: 005 CIS_Azure_1.1.0_9.1, CIS_Azure_1.3.0_9.1, CIS_Azure_1.4.0_9.1, NZ_ISM_v3.5_SS-9, RMiT_v1.0_10.54 |
GA | BuiltIn | |
App Service | App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | App Service apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.Web/sites/clientCertEnabled |
IF (1) •Microsoft.Web/sites |
count: 025 Azure_Security_Benchmark_v1.0_1.3, Azure_Security_Benchmark_v2.0_PV-2, Azure_Security_Benchmark_v3.0_PV-2, CIS_Azure_1.1.0_9.4, CIS_Azure_1.3.0_9.4, CIS_Azure_1.4.0_9.4, CMMC_2.0_L2_CM.L2-3.4.1, CMMC_2.0_L2_CM.L2-3.4.2, FedRAMP_High_R4_CM-6, FedRAMP_Moderate_R4_CM-6, hipaa-0662.09sCSPOrganizational.2-09.s, hipaa-0915.09s2Organizational.2-09.s, NIST_SP_800-171_R2_3.4.1, NIST_SP_800-171_R2_3.4.2, NIST_SP_800-53_R4_CM-6, NIST_SP_800-53_R5_CM-6, NZ_ISM_v3.5_SS-9, RBI_CSF_Banks_v2016_13.1, RBI_CSF_Banks_v2016_4.3, RBI_ITF_NBFC_v2017_3.8, RMiT_v1.0_10.20, SOC_2_CC6.8, SOC_2_CC8.1, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_2.4A |
GA | BuiltIn | |
App Service | App Service | 871b205b-57cf-4e1e-a234-492616998bf7 | App Service apps should have local authentication methods disabled for FTP deployments | Disabling local authentication methods improves security by ensuring that App Service exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | ||
App Service | App Service | aede300b-d67f-480a-ae26-4b3dfb1a1fdc | App Service apps should have local authentication methods disabled for SCM site deployments | Disabling local authentication methods improves security by ensuring that App Service exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | ||
App Service | App Service | cb510bfd-1cba-4d9f-a230-cb0976f4bb71 | App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.remoteDebuggingEnabled |
IF (1) •Microsoft.Web/sites |
count: 046 AU_ISM_1386, Azure_Security_Benchmark_v1.0_1.3, Azure_Security_Benchmark_v2.0_PV-2, Azure_Security_Benchmark_v3.0_PV-2, CCCS_AC-17(1), CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_CM.L2-3.4.1, CMMC_2.0_L2_CM.L2-3.4.2, CMMC_L3_AC.1.001, CMMC_L3_AC.2.013, CMMC_L3_CM.3.068, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_CM-6, FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_CM-6, hipaa-0912.09s1Organizational.4-09.s, hipaa-1194.01l2Organizational.2-01.l, IRS_1075_9.3.1.12, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-171_R2_3.4.1, NIST_SP_800-171_R2_3.4.2, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_CM-6, NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_CM-6, NZ_ISM_v3.5_SS-2, NZISM_Security_Benchmark_v1.1_SS-2, RBI_CSF_Banks_v2016_13.1, RBI_CSF_Banks_v2016_4.3, RBI_ITF_NBFC_v2017_3.1.b, RMiT_v1.0_Appendix_5.7, SOC_2_CC6.8, SOC_2_CC8.1, SWIFT_CSCF_v2021_1.1, SWIFT_CSCF_v2021_1.2, SWIFT_CSCF_v2021_6.2, SWIFT_CSCF_v2021_6.5A, UK_NCSC_CSP_11 |
GA | BuiltIn | |
App Service | App Service | 91a78b24-f231-4a8a-8da9-02c35b2b6510 | App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.Web/sites |
count: 030 Azure_Security_Benchmark_v1.0_2.3, Azure_Security_Benchmark_v2.0_LT-4, Azure_Security_Benchmark_v3.0_LT-3, CIS_Azure_1.3.0_5.3, CIS_Azure_1.4.0_5.3, CMMC_2.0_L2_AU.L2-3.3.1, CMMC_2.0_L2_AU.L2-3.3.2, CMMC_L3_AU.3.048, FedRAMP_High_R4_AU-12, FedRAMP_High_R4_AU-12(1), FedRAMP_High_R4_AU-6(4), FedRAMP_High_R4_AU-6(5), FedRAMP_Moderate_R4_AU-12, hipaa-1209.09aa3System.2-09.aa, NIST_SP_800-171_R2_3.3.1, NIST_SP_800-171_R2_3.3.2, NIST_SP_800-53_R4_AU-12, NIST_SP_800-53_R4_AU-12(1), NIST_SP_800-53_R4_AU-6(4), NIST_SP_800-53_R4_AU-6(5), NIST_SP_800-53_R5_AU-12, NIST_SP_800-53_R5_AU-12(1), NIST_SP_800-53_R5_AU-6(4), NIST_SP_800-53_R5_AU-6(5), NZ_ISM_v3.5_AC-18, NZISM_Security_Benchmark_v1.1_AC-17, RBI_CSF_Banks_v2016_17.1, RBI_CSF_Banks_v2016_6.4, RMiT_v1.0_10.66, SWIFT_CSCF_v2022_6.4 |
GA | BuiltIn | |
App Service | App Service | 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 | App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.cors.allowedOrigins[*] | IF (1) •Microsoft.Web/sites | count: 033 AU_ISM_1424, Azure_Security_Benchmark_v1.0_1.3, Azure_Security_Benchmark_v2.0_PV-2, Azure_Security_Benchmark_v3.0_PV-2, CCCS_AC-4, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_CM.L2-3.4.1, CMMC_2.0_L2_CM.L2-3.4.2, CMMC_L3_AC.1.001, CMMC_L3_AC.1.002, CMMC_L3_CM.3.068, CMMC_L3_SC.3.183, FedRAMP_High_R4_AC-4, FedRAMP_High_R4_CM-6, FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_CM-6, hipaa-0901.09s1Organizational.1-09.s, hipaa-0916.09s2Organizational.4-09.s, IRS_1075_9.3.1.4, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.4.1, NIST_SP_800-171_R2_3.4.2, NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_CM-6, NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_CM-6, NZ_ISM_v3.5_SS-9, NZISM_Security_Benchmark_v1.1_SS-9, RBI_CSF_Banks_v2016_13.1, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.8, SOC_2_CC8.1, SWIFT_CSCF_v2021_6.5A | GA | BuiltIn |
App Service | App Service | a4af4a39-4135-47fb-b175-47fbdf85311d | App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny | | IF (1) •Microsoft.Web/sites/httpsOnly | IF (1) •Microsoft.Web/sites | count: 051 AU_ISM_1552, Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, CCCS_SC-8(1), CIS_Azure_1.1.0_9.2, CIS_Azure_1.3.0_9.2, CIS_Azure_1.4.0_9.2, CMMC_2.0_L2_SC.L2-3.13.8, CMMC_L3_AC.1.002, CMMC_L3_IA.3.084, CMMC_L3_SC.1.175, CMMC_L3_SC.3.185, CMMC_L3_SC.3.190, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), hipaa-0809.01n2Organizational.1234-01.n, hipaa-0810.01n2Organizational.5-01.n, hipaa-0811.01n2Organizational.6-01.n, hipaa-0812.01n2Organizational.8-01.n, hipaa-0814.01n1Organizational.12-01.n, hipaa-0949.09y2Organizational.5-09.y, hipaa-1403.05i1Organizational.67-05.i, IRS_1075_9.3.16.6, ISO27001-2013_A.10.1.1, NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_SS-9, NZISM_Security_Benchmark_v1.1_SS-9, PCI_DSS_V3.2.1_3.4, PCI_DSS_V3.2.1_4.1, PCI_DSS_V3.2.1_6.5.3, PCI_DSS_v4.0_3.5.1, PCI_DSS_v4.0_6.2.4, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.4, RBI_ITF_NBFC_v2017_3.1.h, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.1, SOC_2_CC6.6, SOC_2_CC6.7, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_2.4A, SWIFT_CSCF_v2021_2.5A, UK_NCSC_CSP_1 | GA | BuiltIn |
App Service | App Service | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/ftpsState | IF (1) •Microsoft.Web/sites | count: 024 Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, CIS_Azure_1.3.0_9.10, CIS_Azure_1.4.0_9.10, CMMC_2.0_L2_SC.L2-3.13.8, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_SS-9, NZISM_Security_Benchmark_v1.1_CR-7, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.4, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.1, SOC_2_CC6.6, SOC_2_CC6.7 | GA | BuiltIn |
App Service | App Service | 546fe8d2-368d-4029-a418-6af48a7f61e5 | App Service apps should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled | | IF (2) •Microsoft.Web/serverFarms/sku.name •Microsoft.Web/serverFarms/sku.tier | IF (1) •Microsoft.Web/serverFarms | | GA | BuiltIn |
App Service | App Service | dcbc65aa-59f3-4239-8978-3bb869d82604 | App Service apps should use an Azure file share for its content directory | The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting App Service content, refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled | | IF (1) •Microsoft.Web/sites/storageAccountRequired | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | App Service apps should use latest 'HTTP Version' | Periodically, newer versions of HTTP are released, either to fix security flaws or to add functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.http20Enabled | IF (1) •Microsoft.Web/sites | count: 016 CIS_Azure_1.1.0_9.10, CIS_Azure_1.3.0_9.9, CIS_Azure_1.4.0_9.9, CMMC_2.0_L2_SI.L1-3.14.1, CMMC_L3_SI.1.210, FedRAMP_High_R4_SI-2, FedRAMP_Moderate_R4_SI-2, NIST_SP_800-171_R2_3.14.1, NIST_SP_800-53_R4_SI-2, NIST_SP_800-53_R4_SI-2(6), NIST_SP_800-53_R5_SI-2, NIST_SP_800-53_R5_SI-2(6), NZ_ISM_v3.5_SS-9, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.8, SOC_2_CC8.1 | GA | BuiltIn |
App Service | App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | App Service apps should use managed identity | Use a managed identity for enhanced authentication security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | THEN-ExistenceCondition (2) •Microsoft.Web/sites/config/managedServiceIdentityId •Microsoft.Web/sites/config/xmanagedServiceIdentityId | IF (1) •Microsoft.Web/sites | count: 042 Azure_Security_Benchmark_v1.0_7.12, Azure_Security_Benchmark_v2.0_IM-1, Azure_Security_Benchmark_v2.0_IM-2, Azure_Security_Benchmark_v3.0_IM-3, CIS_Azure_1.1.0_9.5, CIS_Azure_1.3.0_9.5, CIS_Azure_1.4.0_9.5, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, CMMC_2.0_L2_IA.L1-3.5.1, CMMC_2.0_L2_IA.L1-3.5.2, CMMC_2.0_L2_IA.L2-3.5.5, CMMC_2.0_L2_IA.L2-3.5.6, FedRAMP_High_R4_AC-2, FedRAMP_High_R4_AC-3, FedRAMP_High_R4_IA-2, FedRAMP_High_R4_IA-4, FedRAMP_Moderate_R4_AC-2, FedRAMP_Moderate_R4_AC-3, FedRAMP_Moderate_R4_IA-2, FedRAMP_Moderate_R4_IA-4, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-171_R2_3.5.1, NIST_SP_800-171_R2_3.5.2, NIST_SP_800-171_R2_3.5.5, NIST_SP_800-171_R2_3.5.6, NIST_SP_800-53_R4_AC-2, NIST_SP_800-53_R4_AC-3, NIST_SP_800-53_R4_IA-2, NIST_SP_800-53_R4_IA-4, NIST_SP_800-53_R5_AC-2, NIST_SP_800-53_R5_AC-3, NIST_SP_800-53_R5_IA-2, NIST_SP_800-53_R5_IA-4, NZ_ISM_v3.5_AC-2, NZISM_Security_Benchmark_v1.1_AC-2, RBI_CSF_Banks_v2016_6.4, RBI_CSF_Banks_v2016_8.4, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_5.2, SWIFT_CSCF_v2021_5.4 | GA | BuiltIn |
App Service | App Service | 687aa49d-0982-40f8-bf6b-66d1da97a04b | App Service apps should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service apps should use the latest TLS version | Periodically, newer versions of TLS are released, either to fix security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/minTlsVersion | IF (1) •Microsoft.Web/sites | count: 039 AU_ISM_1139, Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, Azure_Security_Benchmark_v3.0_NS-8, CIS_Azure_1.1.0_9.3, CIS_Azure_1.3.0_9.3, CIS_Azure_1.4.0_9.3, CMMC_2.0_L2_SC.L2-3.13.8, CMMC_L3_IA.3.084, CMMC_L3_SC.1.175, CMMC_L3_SC.3.185, CMMC_L3_SC.3.190, CMMC_L3_SI.1.210, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), hipaa-0809.01n2Organizational.1234-01.n, hipaa-0810.01n2Organizational.5-01.n, hipaa-0811.01n2Organizational.6-01.n, hipaa-0812.01n2Organizational.8-01.n, hipaa-0814.01n1Organizational.12-01.n, hipaa-0949.09y2Organizational.5-09.y, NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_CR-8, NZISM_Security_Benchmark_v1.1_CR-7, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.1, RBI_CSF_Banks_v2016_13.4, RBI_ITF_NBFC_v2017_3.1.h, RMiT_v1.0_10.68, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_2.6 | GA | BuiltIn |
App Service | App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | App Service apps that use Java should use a specified 'Java version' | Periodically, newer versions of the Java software are released, either to fix security flaws or to add functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | App Service apps that use PHP should use a specified 'PHP version' | Periodically, newer versions of the PHP software are released, either to fix security flaws or to add functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | App Service apps that use Python should use a specified 'Python version' | Periodically, newer versions of the Python software are released, either to fix security flaws or to add functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | 2d048aca-6479-4923-88f5-e2ac295d9af3 | App Service Environment apps should not be reachable over public internet | To ensure that apps deployed in an App Service Environment are not accessible over the public internet, deploy the App Service Environment with an IP address in a virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. | Default Audit Allowed Audit, Deny, Disabled | | IF (1) •Microsoft.Web/HostingEnvironments/internalLoadBalancingMode | IF (1) •Microsoft.Web/hostingEnvironments | | GA | BuiltIn |
App Service | App Service | 817dcf37-e83d-4999-a472-644eada2ea1e | App Service Environment should be configured with strongest TLS Cipher suites | The two most minimal and strongest cipher suites required for App Service Environment to function correctly are: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. | Default Audit Allowed Audit, Disabled | | IF (3) •Microsoft.Web/HostingEnvironments/clusterSettings[*] •Microsoft.Web/HostingEnvironments/clusterSettings[*].name •Microsoft.Web/HostingEnvironments/clusterSettings[*].value | IF (1) •Microsoft.Web/hostingEnvironments | | GA | BuiltIn |
App Service | App Service | eb4d34ab-0929-491c-bbf3-61e13da19f9a | App Service Environment should be provisioned with latest versions | Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. | Default Audit Allowed Audit, Deny, Disabled | | | IF (1) •Microsoft.Web/hostingEnvironments | | GA | BuiltIn |
App Service | App Service | fb74e86f-d351-4b8d-b034-93da7391c01f | App Service Environment should have internal encryption enabled | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Default Audit Allowed Audit, Disabled | | IF (3) •Microsoft.Web/HostingEnvironments/clusterSettings[*] •Microsoft.Web/HostingEnvironments/clusterSettings[*].name •Microsoft.Web/HostingEnvironments/clusterSettings[*].value | IF (1) •Microsoft.Web/hostingEnvironments | count: 011 CMMC_2.0_L2_SC.L2-3.13.16, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1), RBI_ITF_NBFC_v2017_3.1.h | GA | BuiltIn |
App Service | App Service | d6545c6b-dd9d-4265-91e6-0b451e2f1c50 | App Service Environment should have TLS 1.0 and 1.1 disabled | TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. | Default Audit Allowed Audit, Deny, Disabled | | IF (3) •Microsoft.Web/HostingEnvironments/clusterSettings[*] •Microsoft.Web/HostingEnvironments/clusterSettings[*].name •Microsoft.Web/HostingEnvironments/clusterSettings[*].value | IF (1) •Microsoft.Web/hostingEnvironments | count: 001 ACAT_Security_Policies | GA | BuiltIn |
App Service | App Service | app-service_audit-appservicesbackend-appgw | Apps Require App Gateway Front End | Custom policy that requires HTTP(S)-triggered apps to sit behind an Application Gateway front end so that inbound ports are not opened on the apps. | Default auditIfNotExists Allowed auditIfNotExists, disabled | | THEN-ExistenceCondition (2) •Microsoft.Network/applicationGateways/backendAddressPools[*].backendAddresses[*] •Microsoft.Network/applicationGateways/backendAddressPools[*].backendAddresses[*].fqdn | IF (1) •Microsoft.Web/sites | | GA | Community |
App Service | App Service | Append-AppService-httpsonly | AppService append enable https only setting to enforce https setting. | Appends the AppService sites object to ensure that HTTPS only is enabled, which provides server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note that Append does not enforce compliance; use Deny for enforcement. | Default Append Allowed Append, Disabled | | IF (1) •Microsoft.Web/sites/httpsOnly THEN-Details (1) •Microsoft.Web/sites/httpsOnly | IF (1) •Microsoft.Web/sites | | GA | ALZ |
App Service | App Service | Append-AppService-latestTLS | AppService append sites with minimum TLS version to enforce. | Appends the AppService sites object to ensure that the minimum TLS version is set to the required value. Please note that Append does not enforce compliance; use Deny for enforcement. | Default Append Allowed Append, Disabled | | IF (1) •Microsoft.Web/sites/config/minTlsVersion THEN-Details (1) •Microsoft.Web/sites/config/minTlsVersion | | | GA | ALZ |
App Service | App Service | monitoring_app-service-audit-diagnostic-logs | Audit enabling of diagnostic logs in App Services | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | Default Audit Allowed Audit, Disabled | | IF (3) •Microsoft.Web/sites/config/detailedErrorLoggingEnabled •Microsoft.Web/sites/config/httpLoggingEnabled •Microsoft.Web/sites/config/requestTracingEnabled | | | GA | Community |
App Service | App Service | f493116f-3b7f-4ab3-bf80-0c2af35e46c2 | Configure App Service app slots to disable local authentication for FTP deployments | Disable local authentication methods for FTP deployments so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | 2c034a29-2a5f-4857-b120-f800fe5549ae | Configure App Service app slots to disable local authentication for SCM sites | Disable local authentication methods for SCM sites so that your App Services slots exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/allow | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | c6c3e00e-d414-4ca4-914f-406699bb8eee | Configure App Service app slots to disable public network access | Disable public network access for your App Services so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled | count: 1 •Website Contributor | IF (1) •Microsoft.Web/sites/slots/publicNetworkAccess THEN-Operations (1) •Microsoft.Web/sites/slots/publicNetworkAccess | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | a18c77f2-3d6d-497a-9f61-849a7e8a3b79 | Configure App Service app slots to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled | count: 1 •Website Contributor | IF (1) •Microsoft.Web/sites/slots/httpsOnly THEN-Operations (1) •Microsoft.Web/sites/slots/httpsOnly | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | cca5adfe-626b-4cc6-8522-f5b6ed2391bd | Configure App Service app slots to turn off remote debugging | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.remoteDebuggingEnabled | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | 014664e7-e348-41a3-aeb9-566e4ff6a9df | Configure App Service app slots to use the latest TLS version | Periodically, newer versions of TLS are released, either to fix security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/minTlsVersion | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 | Configure App Service apps to disable local authentication for FTP deployments | Disable local authentication methods for FTP deployments so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | 5e97b776-f380-4722-a9a3-e7f0be029e79 | Configure App Service apps to disable local authentication for SCM sites | Disable local authentication methods for SCM sites so that your App Services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | 2374605e-3e0b-492b-9046-229af202562c | Configure App Service apps to disable public network access | Disable public network access for your App Services so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled | count: 1 •Website Contributor | IF (1) •Microsoft.Web/sites/publicNetworkAccess THEN-Operations (1) •Microsoft.Web/sites/publicNetworkAccess | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | 0f98368e-36bc-4716-8ac2-8f8067203b63 | Configure App Service apps to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled | count: 1 •Website Contributor | IF (1) •Microsoft.Web/sites/httpsOnly THEN-Operations (1) •Microsoft.Web/sites/httpsOnly | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b | Configure App Service apps to turn off remote debugging | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.remoteDebuggingEnabled | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | b318f84a-b872-429b-ac6d-a01b96814452 | Configure App Service apps to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId | IF (2) •Microsoft.Network/privateEndpoints •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d | Configure App Service apps to use the latest TLS version | Periodically, newer versions of TLS are released, either to fix security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/minTlsVersion | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | 242222f3-4985-4e99-b5ef-086d6a6cb01c | Configure Function app slots to disable public network access | Disable public network access for your Function apps so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled | count: 1 •Website Contributor | IF (1) •Microsoft.Web/sites/slots/publicNetworkAccess THEN-Operations (1) •Microsoft.Web/sites/slots/publicNetworkAccess | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | 08cf2974-d178-48a0-b26d-f6b8e555748b | Configure Function app slots to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled | count: 1 •Website Contributor | IF (1) •Microsoft.Web/sites/slots/httpsOnly THEN-Operations (1) •Microsoft.Web/sites/slots/httpsOnly | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | 70adbb40-e092-42d5-a6f8-71c540a5efdb | Configure Function app slots to turn off remote debugging | Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.remoteDebuggingEnabled | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | fa3a6357-c6d6-4120-8429-855577ec0063 | Configure Function app slots to use the latest TLS version | Periodically, newer versions of TLS are released, either to fix security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/minTlsVersion | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | cd794351-e536-40f4-9750-503a463d8cad | Configure Function apps to disable public network access | Disable public network access for your Function apps so that they are not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Modify Allowed Modify, Disabled | count: 1 •Website Contributor | IF (1) •Microsoft.Web/sites/publicNetworkAccess THEN-Operations (1) •Microsoft.Web/sites/publicNetworkAccess | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | a096cbd0-4693-432f-9374-682f485f23f3 | Configure Function apps to only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Modify Allowed Modify, Disabled | count: 1 •Website Contributor | IF (1) •Microsoft.Web/sites/httpsOnly THEN-Operations (1) •Microsoft.Web/sites/httpsOnly | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | 25a5046c-c423-4805-9235-e844ae9ef49b | Configure Function apps to turn off remote debugging | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.remoteDebuggingEnabled | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 | Configure Function apps to use the latest TLS version | Periodically, newer versions of TLS are released, either to fix security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/minTlsVersion | IF (1) •Microsoft.Web/sites | | GA | BuiltIn |
App Service | App Service | app-service_functionapp-enforce-ftps-only | Enforce FTPS only or disablement of FTP/FTPS for App Service and Azure Functions | Enforce FTPS only, or disable FTP/FTPS entirely, for App Service and Azure Functions. | Default AuditIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/ftpsState | IF (1) •Microsoft.Web/sites | | GA | Community |
App Service | App Service | app-service_functionapp-enforce-https-only-dine | Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor | THEN-ExistenceCondition (1) •Microsoft.Web/sites/httpsOnly | IF (1) •Microsoft.Web/sites THEN-Deployment (1) •Microsoft.Web/sites | | GA | Community |
App Service | App Service | Deny-AppServiceFunctionApp-http | Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Deny Allowed Audit, Disabled, Deny | | IF (1) •Microsoft.Web/sites/httpsOnly | IF (1) •Microsoft.Web/sites | | GA | ALZ |
App Service | App Service | app-service_functionapp-enforce-https-only-audit_or_deny | Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Deny, Disabled | | IF (1) •Microsoft.Web/sites/httpsOnly | IF (1) •Microsoft.Web/sites | | GA | Community |
App Service | App Service | 11c82d0c-db9f-4d7b-97c5-f3f9aa957da2 | Function app slots should disable public network access | Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny | | IF (1) •Microsoft.Web/sites/slots/publicNetworkAccess | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | cf9ca02d-383e-4506-a421-258cc1a5300d | Function app slots should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Default Audit Allowed Audit, Disabled | | IF (1) •Microsoft.Web/sites/slots/clientCertEnabled | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | 89691ef9-8c50-49a8-8950-9c7fba41699e | Function app slots should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.remoteDebuggingEnabled | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | a1a22235-dd10-4062-bd55-7d62778f41b0 | Function app slots should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.cors.allowedOrigins[*] | IF (1) •Microsoft.Web/sites/slots | | GA | BuiltIn |
App Service | App Service | 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 | Function app slots should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny | IF (1) •Microsoft.Web/sites/slots/httpsOnly |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | e1a09430-221d-4d4c-a337-1edb5a1fa9bb | Function app slots should require FTPS only | Enable FTPS enforcement for enhanced security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/ftpsState |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | 13bcff5d-f0eb-4ce7-913e-83ad6300376b | Function app slots should use an Azure file share for its content directory | The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.Web/sites/slots/storageAccountRequired |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | fa98f1b1-1f56-4179-9faf-93ad82f3458f | Function app slots should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.http20Enabled |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | deb528de-8f89-4101-881c-595899253102 | Function app slots should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/minTlsVersion |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | e1d1b522-02b0-4d18-a04f-5ab62d20445f | Function app slots that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | 829b40f3-d3db-4fd2-be46-76663d3aeeb2 | Function app slots that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/slots/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites/slots |
GA | BuiltIn | ||
App Service | App Service | app-service_functionapp-deployed-to-appserviceenvironment | Function apps must be deployed to an App Service Environment (ASE) | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Web/sites/hostingEnvironmentProfile.id |
IF (1) •Microsoft.Web/sites |
GA | Community | |||
App Service | App Service | app-service_functionapp-private-endpoints-enabled-aine | Function apps must have private endpoints enabled | A private endpoint connection enables private connectivity to your function app via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Web/sites |
GA | Community | ||
App Service | App Service | app-service_functionapp-private-endpoints-enabled-dine | Function apps must have private endpoints enabled | A private endpoint connection enables private connectivity to your function app via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 2 •Network Contributor •Website Contributor |
THEN-ExistenceCondition (1) •Microsoft.Web/sites/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Web/sites THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | Community | |
App Service | App Service | app-service_functionapp-enforce-connect-to-acr-with-identity | Function apps should authenticate to Azure Container Registry using a managed identity | Function apps should authenticate to Azure Container Registry using a managed identity | Default AuditIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 1 •Website Contributor |
THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/acrUseManagedIdentityCreds |
IF (1) •Microsoft.Web/sites |
GA | Community | |
App Service | App Service | app-service_functionapp-vnet-injection-enabled | Function apps should be injected into a virtual network | Injecting function apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/networkConfig/subnetResourceId |
IF (1) •Microsoft.Web/sites |
GA | Community | ||
App Service | App Service | 969ac98b-88a8-449f-883c-2e9adb123127 | Function apps should disable public network access | Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. | Default Audit Allowed Audit, Disabled, Deny | IF (1) •Microsoft.Web/sites/publicNetworkAccess |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | ||
App Service | App Service | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | Function apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/siteAuthEnabled |
IF (1) •Microsoft.Web/sites |
count: 005 CIS_Azure_1.1.0_9.1, CIS_Azure_1.3.0_9.1, CIS_Azure_1.4.0_9.1, NZ_ISM_v3.5_SS-9, RMiT_v1.0_10.54 |
GA | BuiltIn | |
App Service | App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.Web/sites/clientCertEnabled |
IF (1) •Microsoft.Web/sites |
count: 020 Azure_Security_Benchmark_v2.0_PV-2, Azure_Security_Benchmark_v3.0_PV-2, CIS_Azure_1.1.0_9.4, CIS_Azure_1.3.0_9.4, CIS_Azure_1.4.0_9.4, CMMC_2.0_L2_CM.L2-3.4.1, CMMC_2.0_L2_CM.L2-3.4.2, FedRAMP_High_R4_CM-6, FedRAMP_Moderate_R4_CM-6, NIST_SP_800-171_R2_3.4.1, NIST_SP_800-171_R2_3.4.2, NIST_SP_800-53_R4_CM-6, NIST_SP_800-53_R5_CM-6, NZ_ISM_v3.5_SS-9, RBI_CSF_Banks_v2016_13.1, RBI_ITF_NBFC_v2017_3.1.b, RBI_ITF_NBFC_v2017_3.8, RMiT_v1.0_10.20, SOC_2_CC6.8, SOC_2_CC8.1 |
GA | BuiltIn | |
App Service | App Service | app-service_functionapp-enforce-client-certs-dine | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Website Contributor |
THEN-ExistenceCondition (1) •Microsoft.Web/sites/clientCertEnabled |
IF (1) •Microsoft.Web/sites THEN-Deployment (1) •Microsoft.Web/sites |
GA | Community | |
App Service | App Service | app-service_functionapp-enforce-client-certs-audit_or_deny | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Web/sites/clientCertEnabled |
IF (1) •Microsoft.Web/sites |
GA | Community | ||
App Service | App Service | app-service_functionapp-disable-deployment-local-auth-scm | Function apps should have local authentication methods for deployment disabled | Disabling local authentication methods improves security by ensuring that the app exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 1 •Website Contributor |
THEN-ExistenceCondition (1) •Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow |
IF (1) •Microsoft.Web/sites |
GA | Community | |
App Service | App Service | app-service_functionapp-disable-deployment-local-auth-ftp_functionapp-disable-deployment-local-auth-scm | Function apps should have local authentication methods for deployment disabled | Disabling local authentication methods improves security by ensuring that the app exclusively requires Azure Active Directory identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. | Default AuditIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 1 •Website Contributor |
THEN-ExistenceCondition (1) •Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow |
IF (1) •Microsoft.Web/sites |
GA | Community | |
App Service | App Service | 0e60b895-3786-45da-8377-9c6b4b6ac5f9 | Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.remoteDebuggingEnabled |
IF (1) •Microsoft.Web/sites |
count: 047 AU_ISM_1386, Azure_Security_Benchmark_v1.0_1.3, Azure_Security_Benchmark_v2.0_PV-2, Azure_Security_Benchmark_v3.0_PV-2, CCCS_AC-17(1), CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_CM.L2-3.4.1, CMMC_2.0_L2_CM.L2-3.4.2, CMMC_L3_AC.1.001, CMMC_L3_AC.2.013, CMMC_L3_CM.3.068, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_CM-6, FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_CM-6, hipaa-0913.09s1Organizational.5-09.s, hipaa-1195.01l3Organizational.1-01.l, hipaa-1325.09s1Organizational.3-09.s, IRS_1075_9.3.1.12, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-171_R2_3.4.1, NIST_SP_800-171_R2_3.4.2, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_CM-6, NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_CM-6, NZ_ISM_v3.5_SS-2, NZISM_Security_Benchmark_v1.1_SS-2, RBI_CSF_Banks_v2016_13.1, RBI_CSF_Banks_v2016_4.3, RBI_ITF_NBFC_v2017_3.1.b, RMiT_v1.0_Appendix_5.7, SOC_2_CC6.8, SOC_2_CC8.1, SWIFT_CSCF_v2021_1.1, SWIFT_CSCF_v2021_1.2, SWIFT_CSCF_v2021_6.2, SWIFT_CSCF_v2021_6.5A, UK_NCSC_CSP_11 |
GA | BuiltIn | |
App Service | App Service | 0820b7b9-23aa-4725-a1ce-ae4558f718e5 | Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.cors.allowedOrigins[*] |
IF (1) •Microsoft.Web/sites |
count: 025 Azure_Security_Benchmark_v1.0_1.3, Azure_Security_Benchmark_v2.0_PV-2, Azure_Security_Benchmark_v3.0_PV-2, CMMC_2.0_L2_CM.L2-3.4.1, CMMC_2.0_L2_CM.L2-3.4.2, CMMC_L3_AC.1.001, CMMC_L3_AC.1.002, CMMC_L3_AC.2.016, CMMC_L3_CM.3.068, CMMC_L3_SC.3.183, FedRAMP_High_R4_CM-6, FedRAMP_Moderate_R4_CM-6, hipaa-0902.09s2Organizational.13-09.s, hipaa-0960.09sCSPOrganizational.1-09.s, NIST_SP_800-171_R2_3.4.1, NIST_SP_800-171_R2_3.4.2, NIST_SP_800-53_R4_CM-6, NIST_SP_800-53_R5_CM-6, NZ_ISM_v3.5_SS-9, NZISM_Security_Benchmark_v1.1_SS-9, RBI_CSF_Banks_v2016_13.1, RMiT_v1.0_Appendix_5.7, SOC_2_CC6.8, SOC_2_CC8.1, SWIFT_CSCF_v2021_6.5A |
GA | BuiltIn | |
App Service | App Service | 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab | Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Audit Allowed Audit, Disabled, Deny | IF (1) •Microsoft.Web/sites/httpsOnly |
IF (1) •Microsoft.Web/sites |
count: 048 AU_ISM_1552, Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, CCCS_SC-8(1), CMMC_2.0_L2_SC.L2-3.13.8, CMMC_L3_AC.1.002, CMMC_L3_IA.3.084, CMMC_L3_SC.1.175, CMMC_L3_SC.3.185, CMMC_L3_SC.3.190, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), hipaa-0809.01n2Organizational.1234-01.n, hipaa-0810.01n2Organizational.5-01.n, hipaa-0811.01n2Organizational.6-01.n, hipaa-0812.01n2Organizational.8-01.n, hipaa-0814.01n1Organizational.12-01.n, hipaa-0949.09y2Organizational.5-09.y, hipaa-1402.05i1Organizational.45-05.i, IRS_1075_9.3.16.6, ISO27001-2013_A.10.1.1, NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_SS-9, NZISM_Security_Benchmark_v1.1_SS-9, PCI_DSS_V3.2.1_3.4, PCI_DSS_V3.2.1_4.1, PCI_DSS_V3.2.1_6.5.3, PCI_DSS_v4.0_3.5.1, PCI_DSS_v4.0_6.2.4, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.4, RBI_ITF_NBFC_v2017_3.1.h, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.1, SOC_2_CC6.6, SOC_2_CC6.7, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_2.4A, SWIFT_CSCF_v2021_2.5A, UK_NCSC_CSP_1 |
GA | BuiltIn | |
App Service | App Service | 399b2637-a50f-4f95-96f8-3a145476eb15 | Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/ftpsState |
IF (1) •Microsoft.Web/sites |
count: 024 Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, CIS_Azure_1.3.0_9.10, CIS_Azure_1.4.0_9.10, CMMC_2.0_L2_SC.L2-3.13.8, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_SS-9, NZISM_Security_Benchmark_v1.1_CR-7, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.4, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.1, SOC_2_CC6.6, SOC_2_CC6.7 |
GA | BuiltIn | |
App Service | App Service | 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 | Function apps should use an Azure file share for its content directory | The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.Web/sites/storageAccountRequired |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | ||
App Service | App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.http20Enabled |
IF (1) •Microsoft.Web/sites |
count: 016 CIS_Azure_1.1.0_9.10, CIS_Azure_1.3.0_9.9, CIS_Azure_1.4.0_9.9, CMMC_2.0_L2_SI.L1-3.14.1, CMMC_L3_SI.1.210, FedRAMP_High_R4_SI-2, FedRAMP_Moderate_R4_SI-2, NIST_SP_800-171_R2_3.14.1, NIST_SP_800-53_R4_SI-2, NIST_SP_800-53_R4_SI-2(6), NIST_SP_800-53_R5_SI-2, NIST_SP_800-53_R5_SI-2(6), NZ_ISM_v3.5_SS-9, RMiT_v1.0_Appendix_5.3, SOC_2_CC6.8, SOC_2_CC8.1 |
GA | BuiltIn | |
App Service | App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Function apps should use managed identity | Use a managed identity for enhanced authentication security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (2) •Microsoft.Web/sites/config/managedServiceIdentityId •Microsoft.Web/sites/config/xmanagedServiceIdentityId |
IF (1) •Microsoft.Web/sites |
count: 043 Azure_Security_Benchmark_v1.0_7.12, Azure_Security_Benchmark_v2.0_IM-1, Azure_Security_Benchmark_v2.0_IM-2, Azure_Security_Benchmark_v3.0_IM-3, CIS_Azure_1.1.0_9.5, CIS_Azure_1.3.0_9.5, CIS_Azure_1.4.0_9.5, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, CMMC_2.0_L2_IA.L1-3.5.1, CMMC_2.0_L2_IA.L1-3.5.2, CMMC_2.0_L2_IA.L2-3.5.5, CMMC_2.0_L2_IA.L2-3.5.6, FedRAMP_High_R4_AC-2, FedRAMP_High_R4_AC-3, FedRAMP_High_R4_IA-2, FedRAMP_High_R4_IA-4, FedRAMP_Moderate_R4_AC-2, FedRAMP_Moderate_R4_AC-3, FedRAMP_Moderate_R4_IA-2, FedRAMP_Moderate_R4_IA-4, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-171_R2_3.5.1, NIST_SP_800-171_R2_3.5.2, NIST_SP_800-171_R2_3.5.5, NIST_SP_800-171_R2_3.5.6, NIST_SP_800-53_R4_AC-2, NIST_SP_800-53_R4_AC-3, NIST_SP_800-53_R4_IA-2, NIST_SP_800-53_R4_IA-4, NIST_SP_800-53_R5_AC-2, NIST_SP_800-53_R5_AC-3, NIST_SP_800-53_R5_IA-2, NIST_SP_800-53_R5_IA-4, NZ_ISM_v3.5_AC-2, NZISM_Security_Benchmark_v1.1_AC-2, RBI_CSF_Banks_v2016_6.4, RBI_CSF_Banks_v2016_8.4, RMiT_v1.0_10.54, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_5.2, SWIFT_CSCF_v2021_5.4 |
GA | BuiltIn | |
App Service | App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/minTlsVersion |
IF (1) •Microsoft.Web/sites |
count: 042 AU_ISM_1139, Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, Azure_Security_Benchmark_v3.0_NS-8, CIS_Azure_1.1.0_9.3, CIS_Azure_1.3.0_9.3, CIS_Azure_1.4.0_9.3, CMMC_2.0_L2_SC.L2-3.13.8, CMMC_L3_IA.3.084, CMMC_L3_SC.1.175, CMMC_L3_SC.3.185, CMMC_L3_SC.3.190, CMMC_L3_SI.1.210, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), hipaa-0809.01n2Organizational.1234-01.n, hipaa-0810.01n2Organizational.5-01.n, hipaa-0811.01n2Organizational.6-01.n, hipaa-0812.01n2Organizational.8-01.n, hipaa-0814.01n1Organizational.12-01.n, hipaa-0949.09y2Organizational.5-09.y, NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_CR-8, NZISM_Security_Benchmark_v1.1_CR-7, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.1, RBI_CSF_Banks_v2016_13.4, RBI_ITF_NBFC_v2017_3.1.h, RMiT_v1.0_10.68, SOC_2_CC6.1, SOC_2_CC6.6, SOC_2_CC6.7, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_2.6 |
GA | BuiltIn | |
App Service | App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Function apps that use Java should use a specified 'Java version' | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | ||
App Service | App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Function apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/web.linuxFxVersion |
IF (1) •Microsoft.Web/sites |
GA | BuiltIn | ||
App Service | App Service | app-service_functionapp-enforce-latest-tls | Latest TLS version should be used in your Function App | Upgrade to the latest TLS version | Default AuditIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 1 •Website Contributor |
THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/minTlsVersion |
IF (1) •Microsoft.Web/sites |
GA | Community | |
App Service | App Service | app-service_functionapp-pull-from-specified-registry | Linux function apps should only use a specified Azure Container Registry instance | Ensure that Linux function apps can only pull custom images from a specified container registry | Default AuditIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 1 •Website Contributor |
THEN-ExistenceCondition (1) •Microsoft.Web/sites/config/linuxFxVersion |
IF (1) •Microsoft.Web/sites |
GA | Community | |
App Service | App Service | Deny-AppServiceWebApp-http | Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default Deny Allowed Audit, Disabled, Deny | IF (1) •Microsoft.Web/sites/httpsOnly |
IF (1) •Microsoft.Web/sites |
GA | ALZ | ||
Attestation | Attestation | 5e7e928c-8693-4a23-9bf3-1c77b9a8fe97 | Azure Attestation providers should disable public network access | To improve the security of Azure Attestation Service, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in aka.ms/azureattestation. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Attestation/attestationProviders/publicNetworkAccess |
IF (1) •Microsoft.Attestation/attestationProviders |
GA | BuiltIn | ||
Attestation | Attestation | 7b256a2d-058b-41f8-bed9-3f870541c40a | Azure Attestation providers should use private endpoints | Private endpoints provide a way to connect Azure Attestation providers to your Azure resources without sending traffic over the public internet. By preventing public access, private endpoints help protect against undesired anonymous access. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (3) •Microsoft.Attestation/attestationProviders/privateEndpointConnections/privateEndpoint •Microsoft.Attestation/attestationProviders/privateEndpointConnections/privateLinkServiceConnectionState.status •Microsoft.Attestation/attestationProviders/privateEndpointConnections/provisioningState |
IF (1) •Microsoft.Attestation/attestationProviders |
GA | BuiltIn | ||
Authorization | Authorization | 920965ec-47a1-4db9-b85c-8612be3a081f | Deploy or audit for a specific role assignment at the subscription scope | This policy will validate that a specific role assignment exists or not. It can either audit for the role assignment or deploy it if it does not exist. | Default AuditIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 1 •Owner |
THEN-ExistenceCondition (2) •Microsoft.Authorization/roleAssignments/principalId •Microsoft.Authorization/roleAssignments/roleDefinitionId |
IF (1) •Microsoft.Resources/subscriptions THEN-Deployment (2) •Microsoft.Authorization/roleAssignments •Microsoft.Authorization/roleDefinitions |
GA | Community | |
Automanage | Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Contributor |
IF (8) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.imageReference.id •Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (2) •Microsoft.Automanage/configurationProfileAssignments/accountId •Microsoft.Automanage/configurationProfileAssignments/configurationProfile |
IF (1) •Microsoft.Compute/virtualMachines |
Deprecated | BuiltIn | |
Automanage | Automanage | e4953962-5ae4-43eb-bb92-d66fd5563487 | [Preview]: A managed identity should be enabled on your machines | Resources managed by Automanage should have a managed identity. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.HybridCompute/machines |
count: 001 Azure Security Baseline |
Preview | BuiltIn | ||
Automanage | Automanage | fd4726f4-a5fc-4540-912d-67c96fc992d5 | [Preview]: Automanage Configuration Profile Assignment should be Conformant | Resources managed by Automanage should have a status of Conformant or ConformantCorrected. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Automanage/configurationProfileAssignments/status |
IF (1) •Microsoft.AzureStackHci/clusters |
count: 001 Automanage Best Practices |
Preview | BuiltIn | |
Automanage | Automanage | fb97d6e1-5c98-4743-a439-23e0977bad9e | [Preview]: Boot Diagnostics should be enabled on virtual machines | Azure virtual machines should have boot diagnostics enabled. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.enabled |
IF (1) •Microsoft.Compute/virtualMachines |
count: 001 Boot Diagnostics |
Preview | BuiltIn | |
Automanage | Automanage | f889cab7-da27-4c41-a3b0-de1f6f87c550 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 1 •Contributor |
IF (9) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.imageReference.id •Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/machines/osSku THEN-ExistenceCondition (1) •Microsoft.Automanage/configurationProfileAssignments/configurationProfile |
IF (1) •Microsoft.HybridCompute/machines |
GA | BuiltIn | |
Automanage | Automanage | b025cfb4-3702-47c2-9110-87fe0cfcc99b | Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 1 •Contributor |
IF (9) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.imageReference.id •Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/machines/osSku THEN-ExistenceCondition (1) •Microsoft.Automanage/configurationProfileAssignments/configurationProfile |
IF (1) •Microsoft.HybridCompute/machines |
GA | BuiltIn | |
Automanage | Automanage | 6d02d2f7-e38b-4bdc-96f3-adc0a8726abc | Hotpatch should be enabled for Windows Server Azure Edition VMs | Minimize reboots and install updates quickly with hotpatch. Learn more at https://docs.microsoft.com/azure/automanage/automanage-hotpatch | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.enableHotpatching •Microsoft.Compute/virtualMachines/storageProfile.imageReference.sku |
IF (1) •Microsoft.Compute/virtualMachines |
count: 002 RBI_CSF_Banks_v2016_21.2, RBI_CSF_Banks_v2016_5.2 |
GA | BuiltIn | |
Automation | Automation | automation_audit-automation-account-variable-encryption | Audit encryption of Automation account variables | It is important to enable encryption of Automation account variable assets when storing sensitive data | Fixed Audit | IF (1) •Microsoft.Automation/automationAccounts/variables/isEncrypted |
GA | Community | |||
Automation | Automation | dea83a72-443c-4292-83d5-54a2f98749c0 | Automation Account should have Managed Identity | Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.Automation/automationAccounts |
GA | BuiltIn | |||
Automation | Automation | 3657f5a0-770e-44a3-b44e-9431ba1e9735 | Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Automation/automationAccounts/variables/isEncrypted |
count: 032 Azure_Security_Benchmark_v1.0_4.8, Azure_Security_Benchmark_v2.0_DP-5, Azure_Security_Benchmark_v3.0_DP-4, CMMC_2.0_L2_SC.L2-3.13.16, CMMC_L3_SC.3.177, CMMC_L3_SC.3.191, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), ISO27001-2013_A.10.1.1, NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1), NZ_ISM_v3.5_CR-3, PCI_DSS_V3.2.1_3.4, PCI_DSS_V3.2.1_4.1, PCI_DSS_V3.2.1_6.5.3, PCI_DSS_v4.0_3.5.1, PCI_DSS_v4.0_6.2.4, RBI_CSF_Banks_v2016_13.4, RBI_ITF_NBFC_v2017_3.1.h, SOC_2_CC6.1, SWIFT_CSCF_v2021_2.1, SWIFT_CSCF_v2021_2.4A, SWIFT_CSCF_v2021_2.5A, SWIFT_CSCF_v2022_2.1, SWIFT_CSCF_v2022_2.4A, SWIFT_CSCF_v2022_2.5A, UK_NCSC_CSP_2.3 |
GA | BuiltIn | ||
Automation | Automation | 955a914f-bf86-4f0e-acd5-e0766b0efcb6 | Automation accounts should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Automation/automationAccounts/publicNetworkAccess |
IF (1) •Microsoft.Automation/automationAccounts |
GA | BuiltIn | ||
Automation | Automation | 48c5f1cb-14ad-4797-8e3b-f78ab3f8d700 | Azure Automation account should have local authentication method disabled | Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Automation/automationAccounts/disableLocalAuth |
IF (1) •Microsoft.Automation/automationAccounts |
GA | BuiltIn | ||
Automation | Automation | 56a5ee18-2ae6-4810-86f7-18e39ce5629b | Azure Automation accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Automation/automationAccounts/encryption.keySource |
IF (1) •Microsoft.Automation/automationAccounts |
count: 006 CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12 |
GA | BuiltIn | |
Automation | Automation | 30d1d58e-8f96-47a5-8564-499a3f3cca81 | Configure Azure Automation account to disable local authentication | Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. | Default Modify Allowed Modify, Disabled | count: 1 •Contributor |
IF (1) •Microsoft.Automation/automationAccounts/disableLocalAuth THEN-Operations (1) •Microsoft.Automation/automationAccounts/disableLocalAuth |
IF (1) •Microsoft.Automation/automationAccounts |
GA | BuiltIn | |
Automation | Automation | 23b36a7c-9d26-4288-a8fd-c1d2fa284d8c | Configure Azure Automation accounts to disable public network access | Disable public network access for Azure Automation accounts so that they aren't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default Modify Allowed Modify, Disabled | count: 1 •Contributor |
IF (1) •Microsoft.Automation/automationAccounts/publicNetworkAccess THEN-Operations (1) •Microsoft.Automation/automationAccounts/publicNetworkAccess |
IF (1) •Microsoft.Automation/automationAccounts |
GA | BuiltIn | |
Automation | Automation | 6dd01e4f-1be1-4e80-9d0b-d109e04cb064 | Configure Azure Automation accounts with private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. You need a private DNS zone properly configured to connect to an Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Automation | Automation | c0c3130e-7dda-4187-aed0-ee4a472eaa60 | Configure private endpoint connections on Azure Automation accounts | Private endpoint connections allow secure communication by enabling private connectivity to Azure Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 2 •Contributor •Network Contributor |
THEN-ExistenceCondition (1) •Microsoft.Automation/automationAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Automation/automationAccounts THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Automation | Automation | compute_deploy-dsc-extension | Deploy DSC Extension to Azure VM and Arc connected machines | Deploys the DSC extension and assigns a configuration artifact from a URL location. | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (4) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines •Microsoft.HybridCompute/machines/extensions |
GA | Community | |
Automation | Automation | Deny-AA-child-resources | No child resources in Automation Account | This policy denies the creation of child resources on the Automation Account | Default Deny Allowed Audit, Deny, Disabled | GA | ALZ | ||||
Automation | Automation | automation_onboard-to-automation-dsc | Onboard Azure VM and Arc connected machines to Azure Automation DSC | Deploys the DSC extension to onboard nodes to Azure Automation DSC. Does not assign a configuration. | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (4) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines •Microsoft.HybridCompute/machines/extensions |
GA | Community | |
Automation | Automation | 0c2b3618-68a8-4034-a150-ff4abc873462 | Private endpoint connections on Automation Accounts should be enabled | Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Automation/automationAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Automation/automationAccounts |
GA | BuiltIn | ||
Azure Active Directory | Azure Active Directory | 3aa87b5a-7813-4b57-8a43-42dd9df5aaa7 | Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode | Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.AAD/domainServices/domainSecuritySettings.tlsV1 |
IF (1) •Microsoft.AAD/domainServices |
GA | BuiltIn | ||
Azure Active Directory | Azure Active Directory | 2e9411a0-0c5a-44b3-9ddb-ff10a1a2bf28 | Azure Active Directory should use private link to access Azure services | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.aadiam/privateLinkForAzureAD |
GA | BuiltIn | ||
Azure Active Directory | Azure Active Directory | 7e4301f9-5f32-4738-ad9f-7ec2d15563ad | Configure Private Link for Azure AD to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure AD. Learn more at: https://aka.ms/privateLinkforAzureADDocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.aadiam/privateLinkForAzureAD •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Azure Active Directory | Azure Active Directory | b923afcf-4c3a-4ed6-8386-1ff64b68de47 | Configure Private Link for Azure AD with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Contributor |
THEN-ExistenceCondition (1) •microsoft.aadiam/privateLinkForAzureAD/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.aadiam/privateLinkForAzureAD THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Azure Arc | Azure Arc | 7eab1da3-2bf0-4ff0-8303-1a4277c380e8 | Azure Arc Private Link Scopes should be configured with a private endpoint | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Arc Private Link Scopes, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default Audit Allowed Audit, Disabled | IF (2) •Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections[*] •Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.HybridCompute/privateLinkScopes |
GA | BuiltIn | ||
Azure Arc | Azure Arc | 898f2439-3333-4713-af25-f1d78bc50556 | Azure Arc Private Link Scopes should disable public network access | Disabling public network access improves security by ensuring that Azure Arc resources cannot connect via the public internet. Creating private endpoints can limit exposure of Azure Arc resources. Learn more at: https://aka.ms/arc/privatelink. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess |
IF (1) •Microsoft.HybridCompute/privateLinkScopes |
GA | BuiltIn | ||
Azure Arc | Azure Arc | 12e7176a-4919-47ef-922b-34eda4c7f0ce | Azure Arc-enabled kubernetes clusters should be configured with an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Kubernetes/connectedClusters/privateLinkScopeResourceId |
IF (1) •Microsoft.Kubernetes/connectedClusters |
GA | BuiltIn | ||
Azure Arc | Azure Arc | efa3f296-ff2b-4f38-bc0d-5ef12c965b68 | Azure Arc-enabled servers should be configured with an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.HybridCompute/machines/privateLinkScopeResourceId |
IF (1) •Microsoft.HybridCompute/machines |
GA | BuiltIn | ||
Azure Arc | Azure Arc | de0bc8ea-76e2-4fe2-a288-a07556d0e9c4 | Configure Azure Arc Private Link Scopes to disable public network access | Disable public network access for your Azure Arc Private Link Scope so that associated Azure Arc resources cannot connect to Azure Arc services over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/arc/privatelink. | Default Modify Allowed Modify, Disabled | count: 1 •Azure Connected Machine Resource Administrator |
IF (1) •Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess THEN-Operations (1) •Microsoft.HybridCompute/privateLinkScopes/publicNetworkAccess |
IF (1) •Microsoft.HybridCompute/privateLinkScopes |
GA | BuiltIn | |
Azure Arc | Azure Arc | 55c4db33-97b0-437b-8469-c4f4498f5df9 | Configure Azure Arc Private Link Scopes to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.HybridCompute/privateLinkScopes •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Azure Arc | Azure Arc | d6eeba80-df61-4de5-8772-bc1b7852ba6b | Configure Azure Arc Private Link Scopes with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 3 •Azure Connected Machine Resource Administrator •Kubernetes Cluster - Azure Arc Onboarding •Network Contributor |
THEN-ExistenceCondition (1) •Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.HybridCompute/privateLinkScopes THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Azure Arc | Azure Arc | 4002015b-1272-4dfb-8943-fed4aeec39b6 | Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default Modify Allowed Modify, Disabled | count: 1 •Kubernetes Cluster - Azure Arc Onboarding |
IF (1) •Microsoft.Kubernetes/connectedClusters/privateLinkScopeResourceId THEN-Operations (2) •Microsoft.Kubernetes/connectedClusters/privateLinkScopeResourceId •Microsoft.Kubernetes/connectedClusters/privateLinkState |
IF (1) •Microsoft.Kubernetes/connectedClusters |
GA | BuiltIn | |
Azure Arc | Azure Arc | a3461c8c-6c9d-4e42-a644-40ba8a1abf49 | Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Default Modify Allowed Modify, Disabled | count: 1 •Azure Connected Machine Resource Administrator |
IF (1) •Microsoft.HybridCompute/machines/privateLinkScopeResourceId THEN-Operations (1) •Microsoft.HybridCompute/machines/privateLinkScopeResourceId |
IF (1) •Microsoft.HybridCompute/machines |
GA | BuiltIn | |
Azure Data Explorer | Azure Data Explorer | 8945ba5e-918e-4a57-8117-fe615d12e3ba | All Database Admin on Azure Data Explorer should be disabled | Disable the All Database Admin role to restrict the granting of a highly privileged/administrative user role. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Kusto/Clusters/principalAssignments/role |
IF (1) •Microsoft.Kusto/Clusters/principalAssignments |
GA | BuiltIn | ||
Azure Data Explorer | Azure Data Explorer | f7735886-8927-431f-b201-c953922512b8 | Azure Data Explorer cluster should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint. | Default Audit Allowed Audit, Disabled | IF (2) •Microsoft.Kusto/Clusters/PrivateEndpointConnections[*] •Microsoft.Kusto/Clusters/PrivateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Kusto/Clusters |
GA | BuiltIn | ||
Azure Data Explorer | Azure Data Explorer | 81e74cea-30fd-40d5-802f-d72103c2aaaa | Azure Data Explorer encryption at rest should use a customer-managed key | Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to manage the keys. | Default Audit Allowed Audit, Deny, Disabled | IF (4) •Microsoft.Kusto/clusters/keyVaultProperties •Microsoft.Kusto/clusters/keyVaultProperties.keyName •Microsoft.Kusto/clusters/keyVaultProperties.keyVaultUri •Microsoft.Kusto/clusters/keyVaultProperties.keyVersion |
IF (1) •Microsoft.Kusto/Clusters |
count: 007 CMMC_2.0_L2_SC.L2-3.13.10, CMMC_L3_SC.3.177, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12 |
GA | BuiltIn | |
Azure Data Explorer | Azure Data Explorer | 1fec9658-933f-4b3e-bc95-913ed22d012b | Azure Data Explorer should use a SKU that supports private link | With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Kusto/clusters/sku.tier |
IF (1) •Microsoft.Kusto/clusters |
GA | BuiltIn | ||
Azure Data Explorer | Azure Data Explorer | a47272e1-1d5d-4b0b-b366-4873f1432fe0 | Configure Azure Data Explorer clusters with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. Learn more at: [ServiceSpecificAKA.ms]. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 2 •Network Contributor •SQL Server Contributor |
THEN-ExistenceCondition (1) •Microsoft.Kusto/Clusters/PrivateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Kusto/Clusters THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Azure Data Explorer | Azure Data Explorer | 7b32f193-cb28-4e15-9a98-b9556db0bafa | Configure Azure Data Explorer to disable public network access | Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables the public network access for all Azure Data Explorer clusters. | Default Modify Allowed Modify, Disabled | count: 1 •SQL Server Contributor |
IF (1) •Microsoft.Kusto/clusters/publicNetworkAccess THEN-Operations (1) •Microsoft.Kusto/clusters/publicNetworkAccess |
IF (1) •Microsoft.Kusto/clusters |
GA | BuiltIn | |
Azure Data Explorer | Azure Data Explorer | f4b53539-8df9-40e4-86c6-6b607703bd4e | Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Kusto/clusters/enableDiskEncryption |
IF (1) •Microsoft.Kusto/Clusters |
count: 014 ACAT_Security_Policies, CMMC_2.0_L2_SC.L2-3.13.16, CMMC_L3_SC.3.177, CMMC_L3_SC.3.191, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1), RBI_ITF_NBFC_v2017_3.1.h |
GA | BuiltIn | |
Azure Data Explorer | Azure Data Explorer | ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 | Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Kusto/clusters/enableDoubleEncryption |
IF (1) •Microsoft.Kusto/Clusters |
count: 012 CMMC_2.0_L2_SC.L2-3.13.16, CMMC_L3_SC.3.177, CMMC_L3_SC.3.191, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1) |
GA | BuiltIn | |
Azure Data Explorer | Azure Data Explorer | 43bc7be6-5e69-4b0d-a2bb-e815557ca673 | Public network access on Azure Data Explorer should be disabled | Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Kusto/clusters/publicNetworkAccess |
IF (1) •Microsoft.Kusto/clusters |
GA | BuiltIn | ||
Azure Data Explorer | Azure Data Explorer | 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413 | Virtual network injection should be enabled for Azure Data Explorer | Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints. | Default Audit Allowed Audit, Deny, Disabled | IF (4) •Microsoft.Kusto/clusters/virtualNetworkConfiguration •Microsoft.Kusto/clusters/virtualNetworkConfiguration.dataManagementPublicIpId •Microsoft.Kusto/clusters/virtualNetworkConfiguration.enginePublicIpId •Microsoft.Kusto/clusters/virtualNetworkConfiguration.subnetId |
IF (1) •Microsoft.Kusto/Clusters |
GA | BuiltIn | ||
Azure Databricks | Azure Databricks | b76cbbfe-4af8-44ad-ac54-c460d0907796 | Audit - Databricks should use customer-managed key for encrypting DBFS | Customer-managed key should be used to encrypt DBFS in Databricks service. The policy marks a resource Noncompliant if the prepareEncryption value is not set to true. The resource is also marked Noncompliant when the keySource value does not exist. | Default Audit Allowed Audit, Disabled | IF (2) •Microsoft.Databricks/workspaces/parameters.encryption.value.keySource •Microsoft.Databricks/workspaces/parameters.prepareEncryption.value |
IF (1) •Microsoft.Databricks/workspaces |
GA | Community | ||
Azure Databricks | Azure Databricks | 69df3b75-5432-4e6b-bb18-b41c64b09145 | Audit - Databricks should use customer-managed key for encrypting managed services | Customer-managed key based encryption should be configured for Databricks' managed services. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.Databricks/workspaces/encryption.entities.managedServices.keySource |
IF (1) •Microsoft.Databricks/workspaces |
GA | Community | ||
Azure Databricks | Azure Databricks | 51c1490f-3319-459c-bbbc-7f391bbed753 | Azure Databricks Clusters should disable public IP | Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value |
IF (1) •Microsoft.Databricks/workspaces |
count: 001 Azure_Security_Benchmark_v3.0_NS-2 |
GA | BuiltIn | |
Azure Databricks | Azure Databricks | 9c25c9e4-ee12-4882-afd2-11fb9d87893f | Azure Databricks Workspaces should be in a virtual network | Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. | Default Audit Allowed Audit, Deny, Disabled | IF (3) •Microsoft.Databricks/workspaces/parameters.customPrivateSubnetName.value •Microsoft.Databricks/workspaces/parameters.customPublicSubnetName.value •Microsoft.Databricks/workspaces/parameters.customVirtualNetworkId.value |
IF (1) •Microsoft.Databricks/workspaces |
count: 001 Azure_Security_Benchmark_v3.0_NS-2 |
GA | BuiltIn | |
Azure Databricks | Azure Databricks | 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 | Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption | Only allow Databricks workspaces with the Premium SKU, so that your organization can deploy workspaces that support features like Private Link and customer-managed keys for encryption. Learn more at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Databricks/workspaces/sku.name |
IF (1) •Microsoft.Databricks/workspaces |
GA | BuiltIn | ||
Azure Databricks | Azure Databricks | 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 | Azure Databricks Workspaces should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Databricks/workspaces/publicNetworkAccess |
IF (1) •Microsoft.Databricks/workspaces |
count: 001 Azure_Security_Benchmark_v3.0_NS-2 |
GA | BuiltIn | |
Azure Databricks | Azure Databricks | 258823f2-4595-4b52-b333-cc96192710d8 | Azure Databricks Workspaces should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default Audit Allowed Audit, Disabled | IF (2) •Microsoft.Databricks/workspaces/privateEndpointConnections[*] •Microsoft.Databricks/workspaces/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Databricks/workspaces |
count: 001 Azure_Security_Benchmark_v3.0_NS-2 |
GA | BuiltIn | |
Azure Databricks | Azure Databricks | 0eddd7f3-3d9b-4927-a07a-806e8ac9486c | Configure Azure Databricks workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.Databricks/workspaces •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Azure Databricks | Azure Databricks | 09210db3-d32c-4b2b-b4e1-f72ae920eb11 | Configure Azure Databricks Workspaces with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Contributor |
THEN-ExistenceCondition (1) •Microsoft.Databricks/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Databricks/workspaces THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Azure Databricks | Azure Databricks | 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d | Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace | Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace that is missing these diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 2 •Log Analytics Contributor •Monitoring Contributor |
THEN-ExistenceCondition (2) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/workspaceId |
IF (1) •Microsoft.Databricks/workspaces |
GA | BuiltIn | |
Azure Databricks | Azure Databricks | 138ff14d-b687-4faa-a81c-898c91a87fa2 | Resource logs in Azure Databricks Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.Databricks/workspaces |
count: 001 Azure_Security_Benchmark_v3.0_LT-3 |
GA | BuiltIn | |
Azure DNS | Azure DNS | network_enforce_azfw_dns_servers | Enforce Firewall Policy DNS servers | This policy prevents setting unauthorized DNS servers for firewall policies. | Default Audit Allowed Deny, Audit, Disabled | IF (1) •Microsoft.Network/firewallPolicies/dnsSettings.servers[*] |
GA | Community | |||
Azure DNS | Azure DNS | network_enforce_vnet_dns_servers | Enforce VNET DNS servers | This policy prevents setting unauthorized DNS servers for VNETs. | Default Audit Allowed Deny, Audit, Disabled | IF (1) •Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*] |
GA | Community | |||
Azure Edge Hardware Center | Azure Edge Hardware Center | 08a6b96f-576e-47a2-8511-119a212d344d | Azure Edge Hardware Center devices should have double encryption support enabled | Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.EdgeOrder/orderItems/orderItemDetails.preferences.encryptionPreferences.doubleEncryptionStatus •Microsoft.EdgeOrder/orderItems/orderItemDetails.productDetails.productDoubleEncryptionStatus |
IF (1) •Microsoft.EdgeOrder/orderItems |
GA | BuiltIn | ||
Azure Load Testing | Azure Load Testing | 65c4f833-1f2e-426c-8780-f6d7593bed7a | Azure load testing resource should use customer-managed keys to encrypt data at rest | Use customer-managed keys (CMK) to manage the encryption at rest for your Azure Load Testing resource. By default the encryption is done using service-managed keys; customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/load-testing/how-to-configure-customer-managed-keys?tabs=portal. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.LoadTestService/loadTests/encryption.keyUrl |
IF (1) •Microsoft.LoadTestService/loadtests |
GA | BuiltIn | ||
Azure Purview | Azure Purview | 9259053b-ddb8-40ab-842a-0aef19d0ade4 | Azure Purview accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link. | Default Audit Allowed Audit, Disabled | IF (2) •Microsoft.Purview/accounts/privateEndpointConnections[*] •Microsoft.Purview/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Purview/accounts |
GA | BuiltIn | ||
Azure Stack Edge | Azure Stack Edge | b4ac1030-89c5-4697-8e00-28b5ba6a8811 | Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled | IF (1) •Microsoft.DataboxEdge/DataBoxEdgeDevices/sku.name |
IF (1) •Microsoft.DataBoxEdge/DataBoxEdgeDevices |
count: 010 CMMC_2.0_L2_SC.L2-3.13.16, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1) |
GA | BuiltIn | |
Backup | Backup | 9ebbbba3-4d65-4da9-bb67-b22cfaaff090 | [Preview]: Azure Recovery Services vaults should disable public network access | Disabling public network access improves security by ensuring that recovery services vault is not exposed on the public internet. Creating private endpoints can limit exposure of recovery services vault. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.RecoveryServices/vaults/publicNetworkAccess |
IF (1) •Microsoft.RecoveryServices/vaults |
Preview | BuiltIn | ||
Backup | Backup | 2e94d99a-8a36-4563-bc77-810d8893b671 | [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.RecoveryServices/vaults/encryption.infrastructureEncryption •Microsoft.RecoveryServices/vaults/encryption.keyVaultProperties.keyUri |
IF (1) •Microsoft.RecoveryServices/vaults |
count: 010 CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, RBI_ITF_NBFC_v2017_6, RBI_ITF_NBFC_v2017_6.2, RBI_ITF_NBFC_v2017_6.3, RBI_ITF_NBFC_v2017_6.4 |
Preview | BuiltIn | |
Backup | Backup | deeddb44-9f94-4903-9fa0-081d524406e3 | [Preview]: Azure Recovery Services vaults should use private link for backup | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. | Default Audit Allowed Audit, Disabled | IF (4) •Microsoft.RecoveryServices/vaults/privateEndpointConnections[*] •Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].id •Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status •Microsoft.RecoveryServices/vaults/privateEndpointConnections[*].provisioningState |
IF (1) •Microsoft.RecoveryServices/vaults |
count: 005 RBI_CSF_Banks_v2016_14.1, RBI_ITF_NBFC_v2017_6, RBI_ITF_NBFC_v2017_6.2, RBI_ITF_NBFC_v2017_6.3, RBI_ITF_NBFC_v2017_6.4 |
Preview | BuiltIn | |
Backup | Backup | 04726aae-4e8d-427c-af7d-ecf56d490022 | [Preview]: Configure Azure Recovery Services vaults to disable public network access | Disable public network access for your Recovery services vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. | Default Modify Allowed Modify, Disabled | count: 1 •Backup Contributor |
IF (1) •Microsoft.RecoveryServices/vaults/publicNetworkAccess THEN-Operations (1) •Microsoft.RecoveryServices/vaults/publicNetworkAccess |
IF (1) •Microsoft.RecoveryServices/vaults |
Preview | BuiltIn | |
Backup | Backup | 615b01c4-d565-4f6f-8c6e-d130268e3a1a | [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region | Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 1 •Backup Contributor |
IF (3) •Microsoft.Storage/storageAccounts/isHnsEnabled •Microsoft.Storage/storageAccounts/isNfsV3Enabled •Microsoft.Storage/storageAccounts/sku.name THEN-ExistenceCondition (1) •Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled |
IF (1) •Microsoft.Storage/StorageAccounts THEN-Deployment (3) •Microsoft.Resources/deployments •Microsoft.Storage/storageAccounts •Microsoft.Storage/storageAccounts/blobServices |
Preview | BuiltIn | |
Backup | Backup | 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 | [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region | Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 1 •Backup Contributor |
IF (3) •Microsoft.Storage/storageAccounts/isHnsEnabled •Microsoft.Storage/storageAccounts/isNfsV3Enabled •Microsoft.Storage/storageAccounts/sku.name THEN-ExistenceCondition (1) •Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled |
IF (1) •Microsoft.Storage/StorageAccounts THEN-Deployment (3) •Microsoft.Resources/deployments •Microsoft.Storage/storageAccounts •Microsoft.Storage/storageAccounts/blobServices |
Preview | BuiltIn | |
Backup | Backup | af783da1-4ad1-42be-800d-d19c70038820 | [Preview]: Configure Recovery Services vaults to use private DNS zones for backup | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.Network/privateEndpoints •Microsoft.RecoveryServices/vaults |
Preview | BuiltIn | |
Backup | Backup | 8015d6ed-3641-4534-8d0b-5c67b67ff7de | [Preview]: Configure Recovery Services vaults to use private endpoints for backup | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain prerequisites to be eligible for private endpoint configuration. Learn more at: https://go.microsoft.com/fwlink/?linkid=2187162. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (1) •Microsoft.RecoveryServices/vaults/backupStorageVersion |
IF (1) •Microsoft.RecoveryServices/vaults THEN-Deployment (1) •Microsoft.Network/privateEndpoints |
Preview | BuiltIn | |
Backup | Backup | f19b0c83-716f-4b81-85e3-2dbf057c35d6 | [Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. | Default Modify Allowed Modify, Disabled | count: 1 •Backup Contributor |
IF (1) •Microsoft.RecoveryServices/vaults/restoreSettings.crossSubscriptionRestoreSettings.crossSubscriptionRestoreState THEN-Operations (1) •Microsoft.RecoveryServices/vaults/restoreSettings.crossSubscriptionRestoreSettings.crossSubscriptionRestoreState |
IF (1) •Microsoft.RecoveryServices/vaults |
Preview | BuiltIn | |
Backup | Backup | 4d479a11-f2b5-4f0a-bb1e-d2332aa95cda | [Preview]: Disable Cross Subscription Restore for Backup Vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. | Default Modify Allowed Modify, Disabled | count: 1 •Backup Contributor |
IF (1) •Microsoft.DataProtection/backupVaults/featureSettings.crossSubscriptionRestoreSettings.state THEN-Operations (1) •Microsoft.DataProtection/backupVaults/featureSettings.crossSubscriptionRestoreSettings.state |
IF (1) •Microsoft.DataProtection/backupVaults |
Preview | BuiltIn | |
Backup | Backup | 2514263b-bc0d-4b06-ac3e-f262c0979018 | [Preview]: Immutability must be enabled for backup vaults | This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.DataProtection/backupVaults/securitySettings.immutabilitySettings.State |
IF (1) •Microsoft.DataProtection/backupvaults |
Preview | BuiltIn | ||
Backup | Backup | 9798d31d-6028-4dee-8643-46102185c016 | [Preview]: Soft delete should be enabled for Backup Vaults | This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.DataProtection/backupVaults/securitySettings.softDeleteSettings.state |
IF (1) •Microsoft.DataProtection/backupvaults |
Preview | BuiltIn | ||
Backup | Backup | 013e242c-8828-4970-87b3-ab247555486d | Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | IF (1) •Microsoft.Compute/imagePublisher |
IF (1) •Microsoft.Compute/virtualMachines THEN-Details (1) •Microsoft.RecoveryServices/backupprotecteditems |
count: 030 Azure_Security_Benchmark_v1.0_9.1, Azure_Security_Benchmark_v1.0_9.2, Azure_Security_Benchmark_v2.0_BR-1, Azure_Security_Benchmark_v2.0_BR-2, Azure_Security_Benchmark_v3.0_BR-1, Azure_Security_Benchmark_v3.0_BR-2, CMMC_2.0_L2_MP.L2-3.8.9, CMMC_L3_RE.2.137, CMMC_L3_RE.3.139, FedRAMP_High_R4_CP-9, FedRAMP_Moderate_R4_CP-9, hipaa-1620.09l1Organizational.8-09.l, hipaa-1625.09l3Organizational.34-09.l, hipaa-1699.09l1Organizational.10-09.l, NIST_SP_800-171_R2_3.8.9, NIST_SP_800-53_R4_CP-9, NIST_SP_800-53_R5_CP-9, RBI_CSF_Banks_v2016_13.3, RBI_CSF_Banks_v2016_19.5, RBI_ITF_NBFC_v2017_5.2, RBI_ITF_NBFC_v2017_6, RBI_ITF_NBFC_v2017_6.2, RBI_ITF_NBFC_v2017_6.3, RMiT_v1.0_10.30, SOC_2_A1.2, SOC_2_PI1.5, SWIFT_CSCF_v2021_2.5A, SWIFT_CSCF_v2021_6.4, SWIFT_CSCF_v2022_2.5A, SWIFT_CSCF_v2022_6.4 |
GA | BuiltIn | |
Backup | Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | count: 2 •Backup Contributor •Virtual Machine Contributor |
IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.RecoveryServices/vaults |
GA | BuiltIn | |
Backup | Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | count: 2 •Backup Contributor •Virtual Machine Contributor |
IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.Resources/deployments |
GA | BuiltIn | |
Backup | Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | count: 2 •Backup Contributor •Virtual Machine Contributor |
IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.RecoveryServices/vaults |
GA | BuiltIn | |
Backup | Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | count: 2 •Backup Contributor •Virtual Machine Contributor |
IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.Resources/deployments |
count: 001 RMiT_v1.0_11.4 |
GA | BuiltIn |
Backup | Backup | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed deployIfNotExists | count: 2 •Log Analytics Contributor •Monitoring Contributor |
THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].Category •Microsoft.Insights/diagnosticSettings/logs[*].Enabled •Microsoft.Insights/diagnosticSettings/workspaceId |
IF (1) •Microsoft.RecoveryServices/vaults |
GA | BuiltIn | |
Backup | Backup | d1ad6c00-a48d-4039-87a9-8662253c303f | Resource Lock should be enabled | With this policy, any resource that has the tag key LockLevel with the value CanNotDelete means authorized users can read and modify the resource, but they can't delete it. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled, AuditIfNotExists | count: 1 •Owner |
THEN-ExistenceCondition (2) •Microsoft.Authorization/locks/level •Microsoft.Authorization/locks/notes |
THEN-Deployment (1) •Microsoft.Authorization/locks |
GA | Community | |
Batch | Batch | monitoring_batch-account-audit-metric-alert-rules-configuration | Audit configuration of metric alert rules on Batch accounts | Audit configuration of metric alert rules on Batch accounts to enable the required metric. | Fixed AuditIfNotExists | THEN-ExistenceCondition (3) •Microsoft.Insights/alertRules/condition.dataSource.metricName •Microsoft.Insights/alertRules/condition.dataSource.resourceUri •Microsoft.Insights/alertRules/isEnabled |
IF (1) •Microsoft.Batch/batchAccounts |
GA | Community | ||
Batch | Batch | monitoring_audit-enabling-diagnostic-logs-batch-accounts | Audit enabling of diagnostic logs in Batch accounts | Audit enabling of logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. | Fixed AuditIfNotExists | THEN-ExistenceCondition (2) •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled |
IF (1) •Microsoft.Batch/batchAccounts |
GA | Community | ||
Batch | Batch | 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a | Azure Batch account should use customer-managed keys to encrypt data | Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Batch/batchAccounts/encryption.keySource |
IF (1) •Microsoft.Batch/batchAccounts |
count: 006 CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12 |
GA | BuiltIn | |
Batch | Batch | 1760f9d4-7206-436e-a28f-d9f3a5c8a227 | Azure Batch pools should have disk encryption enabled | Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption. | Default Audit Allowed Audit, Disabled, Deny | IF (1) •Microsoft.Batch/batchAccounts/pools/deploymentConfiguration.virtualMachineConfiguration.diskEncryptionConfiguration.targets[*] |
IF (1) •Microsoft.Batch/batchAccounts/pools |
GA | BuiltIn | ||
Batch | Batch | 6f68b69f-05fe-49cd-b361-777ee9ca7e35 | Batch accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.Batch/batchAccounts/allowedAuthenticationModes •Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*] |
IF (1) •Microsoft.Batch/batchAccounts |
GA | BuiltIn | ||
Batch | Batch | 4dbc2f5c-51cf-4e38-9179-c7028eed2274 | Configure Batch accounts to disable local authentication | Disable local authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. | Default Modify Allowed Modify, Disabled | count: 1 •Contributor |
IF (2) •Microsoft.Batch/batchAccounts/allowedAuthenticationModes •Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*] THEN-Operations (1) •Microsoft.Batch/batchAccounts/allowedAuthenticationModes |
IF (1) •Microsoft.Batch/batchAccounts |
GA | BuiltIn | |
Batch | Batch | c520cefc-285f-40f3-86e2-2efc38ef1f64 | Configure Batch accounts to disable public network access | Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. | Default Modify Allowed Modify, Disabled | count: 1 •Contributor |
IF (1) •Microsoft.Batch/batchAccounts/publicNetworkAccess THEN-Operations (1) •Microsoft.Batch/batchAccounts/publicNetworkAccess |
IF (1) •Microsoft.Batch/batchAccounts |
GA | BuiltIn | |
Batch | Batch | 0ef5aac7-c064-427a-b87b-d47b3ddcaf73 | Configure Batch accounts with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/batch/private-connectivity. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Contributor |
IF (1) •Microsoft.Batch/batchAccounts/publicNetworkAccess THEN-ExistenceCondition (1) •Microsoft.Batch/batchAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Batch/batchAccounts THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Batch | Batch | 4ec38ebc-381f-45ee-81a4-acbc4be878f8 | Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Batch | Batch | 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 | Metric alert rules should be configured on Batch accounts | Audit configuration of metric alert rules on Batch accounts to enable the required metric. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (3) •Microsoft.Insights/alertRules/condition.dataSource.metricName •Microsoft.Insights/alertRules/condition.dataSource.resourceUri •Microsoft.Insights/alertRules/isEnabled |
IF (1) •Microsoft.Batch/batchAccounts |
GA | BuiltIn | ||
Batch | Batch | 009a0c92-f5b4-4776-9b66-4ed2b4775563 | Private endpoint connections on Batch accounts should be enabled | Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at https://docs.microsoft.com/azure/batch/private-connectivity. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Batch/batchAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Batch/batchAccounts |
count: 002 NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9 |
GA | BuiltIn | |
Batch | Batch | 74c5a0ae-5e48-4738-b093-65e23a060488 | Public network access should be disabled for Batch accounts | Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Batch/batchAccounts/publicNetworkAccess |
IF (1) •Microsoft.Batch/batchAccounts |
GA | BuiltIn | ||
Batch | Batch | 428256e6-1fac-4f48-a757-df34c2b3336d | Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.Batch/batchAccounts |
count: 027 Azure_Security_Benchmark_v1.0_2.3, Azure_Security_Benchmark_v2.0_LT-4, Azure_Security_Benchmark_v3.0_LT-3, CIS_Azure_1.3.0_5.3, CIS_Azure_1.4.0_5.3, CMMC_2.0_L2_AU.L2-3.3.1, CMMC_2.0_L2_AU.L2-3.3.2, FedRAMP_High_R4_AU-12, FedRAMP_High_R4_AU-12(1), FedRAMP_High_R4_AU-6(4), FedRAMP_High_R4_AU-6(5), FedRAMP_Moderate_R4_AU-12, hipaa-1205.09aa2System.1-09.aa, NIST_SP_800-171_R2_3.3.1, NIST_SP_800-171_R2_3.3.2, NIST_SP_800-53_R4_AU-12, NIST_SP_800-53_R4_AU-12(1), NIST_SP_800-53_R4_AU-6(4), NIST_SP_800-53_R4_AU-6(5), NIST_SP_800-53_R5_AU-12, NIST_SP_800-53_R5_AU-12(1), NIST_SP_800-53_R5_AU-6(4), NIST_SP_800-53_R5_AU-6(5), NZ_ISM_v3.5_AC-18, NZISM_Security_Benchmark_v1.1_AC-17, SWIFT_CSCF_v2021_6.4, SWIFT_CSCF_v2022_6.4 |
GA | BuiltIn | |
Bot Service | Bot Service | 6164527b-e1ee-4882-8673-572f425f5e0a | Bot Service endpoint should be a valid HTTPS URI | Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | IF (1) •Microsoft.BotService/botServices/endpoint | IF (1) •Microsoft.BotService/botServices | | GA | BuiltIn
Bot Service | Bot Service | 51522a96-0869-4791-82f3-981000c2c67f | Bot Service should be encrypted with a customer-managed key | Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | IF (1) •Microsoft.BotService/botServices/isCmekEnabled | IF (1) •Microsoft.BotService/botServices | count: 006 CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12 | GA | BuiltIn
Bot Service | Bot Service | 52152f42-0dda-40d9-976e-abb1acdd611e | Bot Service should have isolated mode enabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | IF (1) •Microsoft.BotService/botServices/publicNetworkAccess | IF (1) •Microsoft.BotService/botServices | | GA | BuiltIn
Bot Service | Bot Service | ffea632e-4e3a-4424-bf78-10e179bb2e1a | Bot Service should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.BotService/botServices/disableLocalAuth | IF (1) •Microsoft.BotService/botServices | | GA | BuiltIn
Bot Service | Bot Service | 5e8168db-69e3-4beb-9822-57cb59202a9d | Bot Service should have public network access disabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.BotService/botServices/publicNetworkAccess | IF (1) •Microsoft.BotService/botServices | | GA | BuiltIn
Bot Service | Bot Service | ad5621d6-a877-4407-aa93-a950b428315e | BotService resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your BotService resource, data leakage risks are reduced. | Default: Audit; Allowed: Audit, Disabled | | IF (2) •Microsoft.BotService/botServices/privateEndpointConnections[*] •Microsoft.BotService/botServices/privateEndpointConnections[*].privateLinkServiceConnectionState.status | IF (1) •Microsoft.BotService/botServices | | GA | BuiltIn
Bot Service | Bot Service | 6a4e6f44-f2af-4082-9702-033c9e88b9f8 | Configure BotService resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId | IF (2) •Microsoft.BotService/botServices •Microsoft.Network/privateEndpoints | | GA | BuiltIn
Bot Service | Bot Service | 29261f8e-efdb-4255-95b8-8215414515d6 | Configure BotService resources with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your BotService resource, you can reduce data leakage risks. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Network Contributor | THEN-ExistenceCondition (1) •Microsoft.BotService/botServices/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.BotService/botServices THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments | | GA | BuiltIn
Budget | Budget | Deploy-Budget | Deploy a default budget on all subscriptions under the assigned scope | Deploy a default budget on all subscriptions under the assigned scope. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 1 •Contributor | THEN-ExistenceCondition (3) •Microsoft.Consumption/budgets/amount •Microsoft.Consumption/budgets/category •Microsoft.Consumption/budgets/timeGrain | IF (1) •Microsoft.Resources/subscriptions THEN-Deployment (1) •Microsoft.Consumption/budgets | | GA | ALZ
Budget | Budget | Deny-MachineLearning-ComputeCluster-Scale | Enforce scale settings for Azure Machine Learning compute clusters | Enforce scale settings for Azure Machine Learning compute clusters. | Default: Deny; Allowed: Audit, Disabled, Deny | | IF (3) •Microsoft.MachineLearningServices/workspaces/computes/computeType •Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount •Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount | IF (1) •Microsoft.MachineLearningServices/workspaces/computes | | GA | ALZ
Budget | Budget | Deny-MachineLearning-Compute-VmSize | Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances | Limit the allowed VM sizes for Azure Machine Learning compute clusters and compute instances. | Default: Deny; Allowed: Audit, Disabled, Deny | | IF (2) •Microsoft.MachineLearningServices/workspaces/computes/computeType •Microsoft.MachineLearningServices/workspaces/computes/vmSize | IF (1) •Microsoft.MachineLearningServices/workspaces/computes | | GA | ALZ
Cache | Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | [Deprecated]: Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.Cache/Redis/subnetId | IF (1) •Microsoft.Cache/redis | count: 001 Azure_Security_Benchmark_v2.0_NS-2 | Deprecated | BuiltIn
Cache | Cache | Append-Redis-sslEnforcement | Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. | Appends a specific minimum TLS version requirement and enforces SSL on Azure Cache for Redis. Enforcing a minimum TLS version secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: Append; Allowed: Append, Disabled | | IF (1) •Microsoft.Cache/Redis/minimumTlsVersion THEN-Details (1) •Microsoft.Cache/Redis/minimumTlsVersion | IF (1) •Microsoft.Cache/redis | | GA | ALZ
Cache | Cache | Append-Redis-disableNonSslPort | Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. | Appends and enforces that enableNonSslPort is disabled on Azure Cache for Redis. Enforcing a minimum TLS version secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: Append; Allowed: Append, Disabled | | IF (1) •Microsoft.Cache/Redis/enableNonSslPort THEN-Details (1) •Microsoft.Cache/Redis/enableNonSslPort | IF (1) •Microsoft.Cache/redis | | GA | ALZ
Cache | Cache | Deny-Redis-http | Azure Cache for Redis only secure connections should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Validates both that a minimum TLS version is set and that enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Default: Deny; Allowed: Audit, Deny, Disabled | | IF (2) •Microsoft.Cache/Redis/enableNonSslPort •Microsoft.Cache/Redis/minimumTlsVersion | IF (1) •Microsoft.Cache/redis | | GA | ALZ
Cache | Cache | 470baccb-7e51-4549-8b1a-3e5be069f663 | Azure Cache for Redis should disable public network access | Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.Cache/Redis/publicNetworkAccess | IF (1) •Microsoft.Cache/Redis | | GA | BuiltIn
Cache | Cache | 7803067c-7d34-46e3-8c79-0ca68fc4036d | Azure Cache for Redis should use private link | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.Cache/redis/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.Cache/redis | count: 037 Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3) | GA | BuiltIn
Cache | Cache | 30b3dfa5-a70d-4c8e-bed6-0083858f663d | Configure Azure Cache for Redis to disable public network access | Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks. | Default: Modify; Allowed: Modify, Disabled | count: 1 •Redis Cache Contributor | IF (1) •Microsoft.Cache/Redis/publicNetworkAccess THEN-Operations (1) •Microsoft.Cache/Redis/publicNetworkAccess | IF (1) •Microsoft.Cache/Redis | | GA | BuiltIn
Cache | Cache | e016b22b-e0eb-436d-8fd7-160c4eaed6e2 | Configure Azure Cache for Redis to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Network Contributor | IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] | IF (1) •Microsoft.Network/privateEndpoints | | GA | BuiltIn
Cache | Cache | 5d8094d7-7340-465a-b6fd-e60ab7e48920 | Configure Azure Cache for Redis with private endpoints | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Redis Cache Contributor | THEN-ExistenceCondition (1) •Microsoft.Cache/redis/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.Cache/redis THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments | | GA | BuiltIn
Cache | Cache | 22bee202-a82f-4305-9a2a-6d7f44d4dedb | Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.Cache/Redis/enableNonSslPort | IF (1) •Microsoft.Cache/redis | count: 046 AU_ISM_1277, AU_ISM_1552, Azure_Security_Benchmark_v1.0_4.4, Azure_Security_Benchmark_v2.0_DP-4, Azure_Security_Benchmark_v3.0_DP-3, CCCS_SC-8(1), CMMC_2.0_L2_SC.L2-3.13.8, CMMC_L3_AC.1.002, CMMC_L3_SC.1.175, CMMC_L3_SC.3.185, FedRAMP_High_R4_SC-8, FedRAMP_High_R4_SC-8(1), FedRAMP_Moderate_R4_SC-8, FedRAMP_Moderate_R4_SC-8(1), hipaa-0809.01n2Organizational.1234-01.n, hipaa-0810.01n2Organizational.5-01.n, hipaa-0811.01n2Organizational.6-01.n, hipaa-0812.01n2Organizational.8-01.n, hipaa-0814.01n1Organizational.12-01.n, hipaa-0946.09y2Organizational.14-09.y, hipaa-1451.05iCSPOrganizational.2-05.i, IRS_1075_9.3.16.6, ISO27001-2013_A.10.1.1, ISO27001-2013_A.13.2.1, NIST_SP_800-171_R2_3.13.8, NIST_SP_800-53_R4_SC-8, NIST_SP_800-53_R4_SC-8(1), NIST_SP_800-53_R5_SC-8, NIST_SP_800-53_R5_SC-8(1), NZ_ISM_v3.5_PS-4, NZISM_Security_Benchmark_v1.1_PS-4, PCI_DSS_V3.2.1_3.4, PCI_DSS_V3.2.1_4.1, PCI_DSS_V3.2.1_6.5.3, PCI_DSS_v4.0_3.5.1, PCI_DSS_v4.0_6.2.4, RBI_CSF_Banks_v2016_10.1, RBI_CSF_Banks_v2016_10.2, RBI_CSF_Banks_v2016_13.4, SOC_2_CC6.1, SOC_2_CC6.6, SOC_2_CC6.7, SWIFT_CSCF_v2021_2.4A, SWIFT_CSCF_v2021_2.6, SWIFT_CSCF_v2021_6.5A, UK_NCSC_CSP_1 | GA | BuiltIn
CDN | CDN | dfc212af-17ea-423a-9dcb-91e2cb2caa6b | Azure Front Door profiles should use Premium tier that supports managed WAF rules and private link | Azure Front Door Premium supports Azure managed WAF rules and private link to supported Azure origins. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.Cdn/Profiles/sku.name | IF (1) •Microsoft.Cdn/Profiles | | GA | BuiltIn
CDN | CDN | 679da822-78a7-4eff-8fff-a899454a9970 | Azure Front Door Standard and Premium should be running minimum TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your custom domains are accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they are weak and do not support modern cryptographic algorithms. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.Cdn/profiles/customDomains/tlsSettings.minimumTlsVersion | IF (1) •Microsoft.Cdn/profiles/customDomains | | GA | BuiltIn
CDN | CDN | daba2cce-8326-4af3-b049-81a362da024d | Secure private connectivity between Azure Front Door Premium and Azure Storage Blob, or Azure App Service | Private link ensures private connectivity between AFD Premium and Azure Storage Blob or Azure App Service over the Azure backbone network, without the Azure Storage Blob or the Azure App Service being publicly exposed to the internet. | Default: Audit; Allowed: Audit, Disabled | | IF (2) •Microsoft.Cdn/profiles/originGroups/origins/hostName •Microsoft.Cdn/profiles/originGroups/origins/sharedPrivateLinkResource.privateLink | IF (1) •Microsoft.Cdn/profiles/originGroups/origins | | GA | BuiltIn
ChangeTrackingAndInventory | ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5192 | [Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 2 •Log Analytics Contributor •Monitoring Contributor | IF (1) •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId | IF (1) •Microsoft.HybridCompute/machines THEN-Deployment (1) •Microsoft.Insights/dataCollectionRuleAssociations | | Preview | BuiltIn
ChangeTrackingAndInventory | ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5187 | [Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Azure Connected Machine Resource Administrator | IF (1) •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (3) •Microsoft.HybridCompute/machines/extensions/provisioningState •Microsoft.HybridCompute/machines/extensions/publisher •Microsoft.HybridCompute/machines/extensions/type | IF (1) •Microsoft.HybridCompute/machines THEN-Deployment (1) •Microsoft.HybridCompute/machines/extensions | | Preview | BuiltIn
ChangeTrackingAndInventory | ChangeTrackingAndInventory | bef2d677-e829-492d-9a3d-f5a20fda818f | [Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 2 •Log Analytics Contributor •Monitoring Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSku THEN-ExistenceCondition (1) •Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Insights/dataCollectionRuleAssociations | | Preview | BuiltIn
ChangeTrackingAndInventory | ChangeTrackingAndInventory | 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 | [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Virtual Machine Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSku THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/provisioningState •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions | | Preview | BuiltIn
ChangeTrackingAndInventory | ChangeTrackingAndInventory | 1142b015-2bd7-41e0-8645-a531afe09a1e | [Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 2 •Log Analytics Contributor •Monitoring Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSku THEN-ExistenceCondition (1) •Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId | IF (1) •Microsoft.Compute/virtualMachineScaleSets THEN-Deployment (1) •Microsoft.Insights/dataCollectionRuleAssociations | | Preview | BuiltIn
ChangeTrackingAndInventory | ChangeTrackingAndInventory | b73e81f3-6303-48ad-9822-b69fc00c15ef | [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Virtual Machine Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSku THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState •Microsoft.Compute/virtualMachineScaleSets/extensions/publisher •Microsoft.Compute/virtualMachineScaleSets/extensions/type | IF (1) •Microsoft.Compute/virtualMachineScaleSets THEN-Deployment (1) •Microsoft.Compute/virtualMachineScaleSets/extensions | | Preview | BuiltIn
ChangeTrackingAndInventory | ChangeTrackingAndInventory | ef9fe2ce-a588-4edd-829c-6247069dcfdb | [Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 2 •Log Analytics Contributor •Monitoring Contributor | IF (1) •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId | IF (1) •Microsoft.HybridCompute/machines THEN-Deployment (1) •Microsoft.Insights/dataCollectionRuleAssociations | | Preview | BuiltIn
ChangeTrackingAndInventory | ChangeTrackingAndInventory | a7acfae7-9497-4a3f-a3b5-a16a50abbe2f | [Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Azure Connected Machine Resource Administrator | IF (1) •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (3) •Microsoft.HybridCompute/machines/extensions/provisioningState •Microsoft.HybridCompute/machines/extensions/publisher •Microsoft.HybridCompute/machines/extensions/type | IF (1) •Microsoft.HybridCompute/machines THEN-Deployment (1) •Microsoft.HybridCompute/machines/extensions | | Preview | BuiltIn
ChangeTrackingAndInventory | ChangeTrackingAndInventory | b6faa975-0add-4f35-8d1c-70bba45c4424 | [Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 2 •Log Analytics Contributor •Monitoring Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (1) •Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Insights/dataCollectionRuleAssociations | | Preview | BuiltIn
ChangeTrackingAndInventory | ChangeTrackingAndInventory | ad1eeff9-20d7-4c82-a04e-903acab0bfc1 | [Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Virtual Machine Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSku THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/provisioningState •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type | IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions | | Preview | BuiltIn
ChangeTrackingAndInventory | ChangeTrackingAndInventory | 8fd85785-1547-4a4a-bf90-d5483c9571c5 | [Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 2 •Log Analytics Contributor •Monitoring Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (1) •Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId | IF (1) •Microsoft.Compute/virtualMachineScaleSets THEN-Deployment (1) •Microsoft.Insights/dataCollectionRuleAssociations | | Preview | BuiltIn
ChangeTrackingAndInventory | ChangeTrackingAndInventory | 4485d24b-a9d3-4206-b691-1fad83bc5007 | [Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Virtual Machine Contributor | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSku THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState •Microsoft.Compute/virtualMachineScaleSets/extensions/publisher •Microsoft.Compute/virtualMachineScaleSets/extensions/type | IF (1) •Microsoft.Compute/virtualMachineScaleSets THEN-Deployment (1) •Microsoft.Compute/virtualMachineScaleSets/extensions | | Preview | BuiltIn
Cognitive Services | Cognitive Services | 2bdd0062-9d75-436e-89df-487dd8e4b3c7 | [Deprecated]: Cognitive Services accounts should enable data encryption | This policy is deprecated. Cognitive Services have data encryption enforced. | Default: Disabled; Allowed: Audit, Deny, Disabled | | IF (2) •Microsoft.CognitiveServices/accounts/encryption •Microsoft.CognitiveServices/accounts/encryption.keySource | IF (1) •Microsoft.CognitiveServices/accounts | | Deprecated | BuiltIn
Cognitive Services | Cognitive Services | 11566b39-f7f7-4b82-ab06-68d8700eb0a4 | [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. | This policy is deprecated. Cognitive Services have data encryption enforced. | Default: Disabled; Allowed: Audit, Deny, Disabled | | IF (2) •Microsoft.CognitiveServices/accounts/encryption •Microsoft.CognitiveServices/accounts/encryption.keySource | IF (1) •Microsoft.CognitiveServices/accounts | | Deprecated | BuiltIn
Cognitive Services | Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Cognitive Services accounts should disable public network access | To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.CognitiveServices/accounts/publicNetworkAccess | IF (1) •Microsoft.CognitiveServices/accounts | count: 033 Azure_Security_Benchmark_v2.0_NS-1, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, CMMC_2.0_L2_SC.L2-3.13.6, CMMC_L3_AC.1.001, CMMC_L3_AC.1.002, CMMC_L3_AC.2.016, CMMC_L3_CM.3.068, CMMC_L3_SC.1.175, CMMC_L3_SC.3.183, FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-171_R2_3.13.6, NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_GS-2, NZISM_Security_Benchmark_v1.1_GS-2, RBI_CSF_Banks_v2016_14.1 | GA | BuiltIn
Cognitive Services | Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (3) •Microsoft.CognitiveServices/accounts/capabilities[*] •Microsoft.CognitiveServices/accounts/capabilities[*].name •Microsoft.CognitiveServices/accounts/encryption.keySource | IF (1) •Microsoft.CognitiveServices/accounts | count: 014 Azure_Security_Benchmark_v2.0_DP-5, Azure_Security_Benchmark_v3.0_DP-5, CMMC_2.0_L2_SC.L2-3.13.10, CMMC_L3_SC.3.177, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, NZ_ISM_v3.5_CR-3, NZISM_Security_Benchmark_v1.1_CR-3, RBI_CSF_Banks_v2016_13.4, RBI_CSF_Banks_v2016_21.1, SOC_2_CC6.1 | GA | BuiltIn
Cognitive Services | Cognitive Services | 71ef260a-8f18-47b7-abcb-62d0673d94dc | Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.CognitiveServices/accounts/disableLocalAuth |
IF (1) •Microsoft.CognitiveServices/accounts |
count: 036 CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, CMMC_2.0_L2_IA.L1-3.5.1, CMMC_2.0_L2_IA.L1-3.5.2, CMMC_2.0_L2_IA.L2-3.5.5, CMMC_2.0_L2_IA.L2-3.5.6, FedRAMP_High_R4_AC-2, FedRAMP_High_R4_AC-2(1), FedRAMP_High_R4_AC-2(7), FedRAMP_High_R4_AC-3, FedRAMP_High_R4_IA-2, FedRAMP_High_R4_IA-4, FedRAMP_Moderate_R4_AC-2, FedRAMP_Moderate_R4_AC-2(1), FedRAMP_Moderate_R4_AC-2(7), FedRAMP_Moderate_R4_AC-3, FedRAMP_Moderate_R4_IA-2, FedRAMP_Moderate_R4_IA-4, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-171_R2_3.5.1, NIST_SP_800-171_R2_3.5.2, NIST_SP_800-171_R2_3.5.5, NIST_SP_800-171_R2_3.5.6, NIST_SP_800-53_R4_AC-2, NIST_SP_800-53_R4_AC-2(1), NIST_SP_800-53_R4_AC-2(7), NIST_SP_800-53_R4_AC-3, NIST_SP_800-53_R4_IA-2, NIST_SP_800-53_R4_IA-4, NIST_SP_800-53_R5_AC-2, NIST_SP_800-53_R5_AC-2(1), NIST_SP_800-53_R5_AC-2(7), NIST_SP_800-53_R5_AC-3, NIST_SP_800-53_R5_IA-2, NIST_SP_800-53_R5_IA-4 |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.CognitiveServices/accounts/networkAcls.defaultAction |
IF (1) •Microsoft.CognitiveServices/accounts |
count: 033 Azure_Security_Benchmark_v2.0_NS-1, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, CMMC_2.0_L2_SC.L2-3.13.6, CMMC_L3_AC.1.001, CMMC_L3_AC.1.002, CMMC_L3_AC.2.016, CMMC_L3_CM.3.068, CMMC_L3_SC.1.175, CMMC_L3_SC.3.183, FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-171_R2_3.13.6, NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_GS-3, NZISM_Security_Benchmark_v1.1_GS-3, RBI_CSF_Banks_v2016_14.1 |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | fe3fd216-4f83-4fc1-8984-2bbec80a3418 | Cognitive Services accounts should use a managed identity | Assigning a managed identity to your Cognitive Services account helps ensure secure authentication. This identity is used by the Cognitive Services account to communicate securely with other Azure services, like Azure Key Vault, without you having to manage any credentials. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn | |||
Cognitive Services | Cognitive Services | 46aa9b05-0e60-4eae-a88b-1e9d374fa515 | Cognitive Services accounts should use customer owned storage | Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.CognitiveServices/accounts/capabilities[*] •Microsoft.CognitiveServices/accounts/capabilities[*].name |
IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn | ||
Cognitive Services | Cognitive Services | cddd188c-4b82-4c48-a19d-ddf74ee66a01 | Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default Audit Allowed Audit, Disabled | IF (2) •Microsoft.CognitiveServices/accounts/privateEndpointConnections[*] •Microsoft.CognitiveServices/accounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.CognitiveServices/accounts |
count: 036 CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3) |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | 14de9e63-1b31-492e-a5a3-c3f7fd57f555 | Configure Cognitive Services accounts to disable local authentication methods | Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Default Modify Allowed Modify, Disabled | count: 1 •Contributor |
IF (1) •Microsoft.CognitiveServices/accounts/disableLocalAuth THEN-Operations (1) •Microsoft.CognitiveServices/accounts/disableLocalAuth |
IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c | Configure Cognitive Services accounts to disable public network access | Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default Modify Allowed Disabled, Modify | count: 1 •Contributor |
IF (1) •Microsoft.CognitiveServices/accounts/publicNetworkAccess THEN-Operations (1) •Microsoft.CognitiveServices/accounts/publicNetworkAccess |
IF (1) •Microsoft.CognitiveServices/accounts |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | c4bc6f10-cb41-49eb-b000-d5ab82e2a091 | Configure Cognitive Services accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.CognitiveServices/accounts •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | db630ad5-52e9-4f4d-9c44-53912fe40053 | Configure Cognitive Services accounts with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 2 •Cognitive Services Contributor •Network Contributor |
THEN-ExistenceCondition (1) •Microsoft.CognitiveServices/accounts/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.CognitiveServices/accounts THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Cognitive Services | Cognitive Services | 014bf9e4-f49f-4aed-a9b0-c56399f90784 | Permit only approved OpenAI models | This policy permits only certain types of OpenAI models to be deployed. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.CognitiveServices/accounts/deployments/model.format •Microsoft.CognitiveServices/accounts/deployments/model.name |
GA | Community | |||
Cognitive Services | Cognitive Services | c4f50e79-ce44-4b76-b4e1-58330703e842 | Permit only approved types of Cognitive Services | This policy permits only certain types of Cognitive Services resources to be deployed. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.CognitiveServices/accounts |
GA | Community | |||
Compute | Compute | 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 | [Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs | This policy deploys the Log Analytics Extension on Ubuntu VMs, and connects to the selected Log Analytics workspace | Fixed deployIfNotExists | count: 1 •Log Analytics Contributor |
IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (2) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions |
Deprecated | BuiltIn | |
Compute | Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (2) •Microsoft.Compute/virtualMachineScaleSets/extensions/publisher •Microsoft.Compute/virtualMachineScaleSets/extensions/type |
IF (1) •Microsoft.Compute/virtualMachineScaleSets |
count: 002 Azure_Security_Benchmark_v1.0_2.3, Azure_Security_Benchmark_v2.0_LT-4 |
Deprecated | BuiltIn | |
Compute | Compute | 2c89a2e5-7285-40fe-afe0-ae8654b92fb2 | [Deprecated]: Unattached disks should be encrypted | This policy audits any unattached disk without encryption enabled. | Default Audit Allowed Audit, Disabled | IF (2) •Microsoft.Compute/disks/diskState •Microsoft.Compute/disks/encryptionSettingsCollection.enabled |
IF (1) •Microsoft.Compute/disks |
count: 001 Azure_Security_Benchmark_v1.0_4.8 |
Deprecated | BuiltIn | |
Compute | Compute | cccc23c7-8427-4f53-ad12-b6a63eb452b3 | Allowed virtual machine size SKUs | This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Fixed Deny | IF (1) •Microsoft.Compute/virtualMachines/sku.name |
IF (1) •Microsoft.Compute/virtualMachines |
GA | BuiltIn | ||
Compute | Compute | compute_audit-classic-vm | Audit use of classic virtual machines | Use new Azure Resource Manager v2 for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Fixed Audit | IF (1) •Microsoft.classicCompute/virtualMachines |
GA | Community | |||
Compute | Compute | compute_audit-vmss-autoupgrade | Audit Virtual Machine Scale Sets without automatic OS upgrade enabled | This policy audits any Virtual Machine Scale Set that does not have automatic OS upgrade enabled. | Fixed audit | IF (1) •Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade |
IF (1) •Microsoft.Compute/virtualMachineScaleSets |
GA | Community | ||
Compute | Compute | 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 | Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Fixed auditIfNotExists | IF (1) •Microsoft.ClassicCompute/virtualMachines |
count: 023 AU_ISM_1511, CCCS_CP-7, CMMC_L3_RE.2.137, CMMC_L3_RE.3.139, FedRAMP_High_R4_CP-7, FedRAMP_Moderate_R4_CP-7, hipaa-1634.12b1Organizational.1-12.b, hipaa-1638.12b2Organizational.345-12.b, IRS_1075_9.3.6.6, NIST_SP_800-53_R4_CP-7, NIST_SP_800-53_R5_CP-7, NZ_ISM_v3.5_ISM-7, NZISM_Security_Benchmark_v1.1_ISM-7, RBI_CSF_Banks_v2016_19.4, RBI_ITF_NBFC_v2017_6, RBI_ITF_NBFC_v2017_6.2, RBI_ITF_NBFC_v2017_6.4, RMiT_v1.0_10.51, SWIFT_CSCF_v2021_2.5A, SWIFT_CSCF_v2021_6.4, SWIFT_CSCF_v2022_2.5A, SWIFT_CSCF_v2022_6.4, UK_NCSC_CSP_5.3 |
GA | BuiltIn | ||
Compute | Compute | 06a78e20-9358-41c9-923c-fb736d382a4d | Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks. | Fixed audit | IF (3) •Microsoft.Compute/virtualMachines/osDisk.uri •Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl •Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.Compute/VirtualMachineScaleSets |
count: 012 CIS_Azure_1.3.0_7.1, CIS_Azure_1.4.0_7.1, ISO27001-2013_A.9.1.2, SOC_2_CC6.8, SOC_2_CC8.1, SWIFT_CSCF_v2021_1.3, SWIFT_CSCF_v2021_2.5A, SWIFT_CSCF_v2021_3.1, SWIFT_CSCF_v2022_1.3, SWIFT_CSCF_v2022_2.5A, SWIFT_CSCF_v2022_3.1, UK_NCSC_CSP_10 |
GA | BuiltIn | |
Compute | Compute | a091018b-fd0b-4898-92e1-d0b0a960e1eb | audit-vms-based-on-marketplace-acg-images | Audit Virtual Machines based on marketplace or Azure Compute Gallery images. createOption value 'FromImage' is used when you are using an image to create the virtual machine. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Compute/virtualMachines/storageProfile.osDisk.createOption |
IF (1) •Microsoft.Compute/virtualMachines |
GA | Community | ||
Compute | Compute | b6020716-02c1-4569-b0af-c30bd1e9cb3d | audit-vmsss-based-on-marketplace-acg-images | Audit Virtual Machine Scale Sets based on marketplace or Azure Compute Gallery images. createOption value 'FromImage' is used when you are using an image to create the virtual machine. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Compute/VirtualMachineScaleSets/osDisk.createOption |
IF (1) •Microsoft.Compute/VirtualMachineScaleSets |
GA | Community | ||
Compute | Compute | DeployDefenderForServers | COMPUTE - Deploy Defender for Servers | Uses a DeployIfNotExists policy to automatically deploy the Defender for Servers | Fixed deployIfNotExists | count: 1 •Security Admin |
IF (1) •Microsoft.Resources/subscriptions THEN-Deployment (1) •Microsoft.Security/pricings |
GA | Community | ||
Compute | Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this policy enables replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Owner |
THEN-ExistenceCondition (1) •Microsoft.Resources/links/targetId |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (7) •Microsoft.Compute/availabilitySets •Microsoft.Compute/proximityPlacementGroups •Microsoft.Network/virtualNetworks •Microsoft.RecoveryServices/replicationEligibilityResults •Microsoft.RecoveryServices/vaults •Microsoft.Resources/deployments •Microsoft.Storage/storageAccounts |
GA | BuiltIn | |
Compute | Compute | bc05b96c-0b36-4ca9-82f0-5c53f96ce05a | Configure disk access resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.Compute/diskAccesses •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Compute | Compute | 582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5 | Configure disk access resources with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Contributor |
THEN-ExistenceCondition (1) •Microsoft.Compute/diskAccesses/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Compute/diskAccesses THEN-Deployment (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Compute | Compute | compute_configure-managed-disks-to-disable-public-access | Configure managed disks to disable public access | This policy configures managed disks to disable public access. | Default modify Allowed deny, audit, disabled, modify | count: 1 •Contributor |
IF (1) •Microsoft.Compute/disks/networkAccessPolicy THEN-Operations (1) •Microsoft.Compute/disks/networkAccessPolicy |
GA | Community | ||
Compute | Compute | 8426280e-b5be-43d9-979e-653d12a08638 | Configure managed disks to disable public network access | Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default Modify Allowed Modify, Disabled | count: 1 •Contributor |
IF (2) •Microsoft.Compute/disks/networkAccessPolicy •Microsoft.Compute/disks/publicNetworkAccess THEN-Operations (3) •Microsoft.Compute/disks/diskAccessId •Microsoft.Compute/disks/networkAccessPolicy •Microsoft.Compute/disks/publicNetworkAccess |
IF (1) •Microsoft.Compute/disks |
count: 002 RMiT_v1.0_10.33, RMiT_v1.0_11.15 |
GA | BuiltIn |
Compute | Compute | 950850fa-9a1a-4bd5-941d-01d0d6dbbf4b | Create Delete Lock on specified Azure VMs | List the VM names under the parameter vmName that you want to create a Delete Lock on. Then expand the deployment variables and the resources to the number of VMs given in the vmName array parameter. Make sure the parameter values, deployment variables and resources always match in number. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 2 •Contributor •User Access Administrator |
THEN-ExistenceCondition (1) •Microsoft.Authorization/locks/level |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Authorization/locks •Microsoft.Compute/virtualMachines |
GA | Community | |
Compute | Compute | 578b0370-4e9e-4a25-b24e-3964c4003955 | Deny data access authentication mode | Disable data access authentication mode to restrict access to export the disk. https://learn.microsoft.com/en-us/azure/virtual-machines/windows/download-vhd?tabs=azure-portal#secure-downloads-and-uploads-with-azure-ad | Default Deny Allowed Audit, Disabled, Deny | IF (1) •Microsoft.Compute/disks/dataAccessAuthmode |
IF (1) •Microsoft.Compute/disks |
GA | Community | ||
Compute | Compute | compute_deny-new-linux-vm-ssh-with-password | Deny SSH Auth on New VMs | This policy denies a deployment when any Linux VMs use password-only authentication for SSH. | Fixed deny | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.disablePasswordAuthentication |
IF (1) •Microsoft.Compute/virtualMachines |
GA | Community | ||
Compute | Compute | compute_deploy-hybrid-benefit-windows | Deploy Azure Hybrid Benefit for Windows. | This policy ensures virtual machines are configured for Azure Hybrid Benefit for Windows Client and Server - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/hybrid-use-benefit-licensing#ways-to-use-azure-hybrid-benefit-for-windows-server. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Virtual Machine Contributor |
IF (2) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher THEN-ExistenceCondition (1) •Microsoft.Compute/virtualMachines/licenseType |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines |
GA | Community | |
Compute | Compute | monitoring_deploy-oms-agent-based-on-region-linux | Deploy default Log Analytics VM Extension for Linux VMs. | This policy deploys Log Analytics VM Extensions on Linux VMs in specific regions, and connects to the selected Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Log Analytics Contributor |
IF (1) •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/settings.workspaceId •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.compute/virtualmachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions |
GA | Community | |
Compute | Compute | compute_deploy-oms-vm-extension-windows-vm | Deploy default Log Analytics VM Extension for Windows VMs. | This policy deploys Log Analytics VM Extensions on Windows VMs, and connects to the selected Log Analytics workspace. | Fixed deployIfNotExists | count: 1 •Log Analytics Contributor |
IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (2) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions |
GA | Community | |
Compute | Compute | monitoring_deploy-oms-agent-based-on-region-windows | Deploy default Log Analytics VM Extension for Windows VMs. | This policy deploys Log Analytics VM Extensions on Windows VMs in specific regions, and connects to the selected Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Log Analytics Contributor |
IF (1) •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/settings.workspaceId •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.compute/virtualmachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions |
GA | Community | |
Compute | Compute | 2835b622-407b-4114-9198-6f7064cbe0dc | Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | Fixed deployIfNotExists | count: 1 •Virtual Machine Contributor |
IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (2) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions |
count: 001 hipaa-0201.09j1Organizational.124-09.j |
GA | BuiltIn |
Compute | Compute | hybridusebenefits_deploy-hybrid-use-windows-server | Deploy hybrid use for Windows Server | This policy enables the Hybrid Use Benefit (HUB) for Windows Server. | Fixed deployIfNotExists | count: 1 •Owner |
IF (1) •Microsoft.Compute/virtualMachines/imageOffer THEN-ExistenceCondition (1) •Microsoft.Compute/virtualMachines/licenseType |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines |
GA | Community | |
Compute | Compute | 3552f7c0-c20f-4f13-aa60-3ded12935d28 | Deploy Microsoft IaaSAntimalware extension for Custom Windows Images | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. This policy is used for custom images. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 1 •Virtual Machine Contributor |
IF (1) •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (2) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (1) •Microsoft.Compute/virtualMachines/extensions |
GA | Community | |
Compute | Compute | Deploy-Vm-autoShutdown | Deploy Virtual Machine Auto Shutdown Schedule | Deploys an auto shutdown schedule to a virtual machine | Fixed deployIfNotExists | count: 1 •Virtual Machine Contributor |
THEN-ExistenceCondition (2) •Microsoft.DevTestLab/schedules/targetResourceId •Microsoft.DevTestLab/schedules/taskType |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.DevTestLab/schedules |
GA | ALZ | |
Compute | Compute | compute_deploy-or-audit-auto-shutdown-by-tag-value-on-vm | Deploy VM auto shutdown | Default audit Allowed audit, Deny, DeployIfNotExists, Disabled | count: 1 •Virtual Machine Contributor |
THEN-ExistenceCondition (2) •Microsoft.DevTestLab/labs/virtualMachines/schedules/status •Microsoft.DevTestLab/labs/virtualMachines/schedules/targetResourceId |
IF (1) •Microsoft.Compute/virtualMachines THEN-Deployment (2) •Microsoft.Compute/virtualMachines •Microsoft.devtestlab/schedules |
GA | Community | ||
Compute | Compute | f39f5f49-4abf-44de-8c70-0756997bfb51 | Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.Compute/diskAccesses/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.Compute/diskAccesses |
count: 036 CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3) |
GA | BuiltIn | |
Compute | Compute | compute_deploy-vmss-autoosupgrade | Enable automatic OS upgrade on Virtual Machine Scale Sets | This policy enables automatic OS upgrade on Virtual Machine Scale Sets. New scale sets will have automatic OS upgrade enabled automatically. Existing scale sets that are not opted into automatic OS upgrade will be marked as non-compliant and can be enabled through policy remediation. | Fixed deployIfNotExists | count: 1 •Virtual Machine Contributor |
IF (1) •Microsoft.Compute/imageVersion THEN-ExistenceCondition (1) •Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade |
IF (1) •Microsoft.Compute/virtualMachineScaleSets THEN-Deployment (1) •Microsoft.Compute/virtualMachineScaleSets |
GA | Community | |
Compute | Compute | ca91455f-eace-4f96-be59-e6e2c35b4816 | Managed disks should be double encrypted with both platform-managed and customer-managed keys | Customers with high security sensitivity who are concerned about the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for an additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer with platform-managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Compute/diskEncryptionSets/encryptionType |
IF (1) •Microsoft.Compute/diskEncryptionSets |
count: 006 CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12 |
GA | BuiltIn | |
Compute | Compute | 8405fdab-1faf-48aa-b702-999c9c172094 | Managed disks should disable public network access | Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default Audit Allowed Audit, Disabled | IF (2) •Microsoft.Compute/disks/networkAccessPolicy •Microsoft.Compute/disks/publicNetworkAccess |
IF (1) •Microsoft.Compute/disks |
count: 002 RMiT_v1.0_10.33, RMiT_v1.0_11.15 |
GA | BuiltIn | |
Compute | Compute | d461a302-a187-421a-89ac-84acdb4edc04 | Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption | Requiring a specific set of disk encryption sets to be used with managed disks gives you control over the keys used for encryption at rest. You select the allowed disk encryption sets, and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk. | Default Audit Allowed Audit, Deny, Disabled | IF (9) •Microsoft.Compute/disks/encryption.diskEncryptionSetId •Microsoft.Compute/disks/managedBy •Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId •Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.osDiskImage.diskEncryptionSetId •Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id •Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.managedDisk.diskEncryptionSet.id |
IF (5) •Microsoft.Compute/disks •Microsoft.Compute/galleries/images/versions •Microsoft.Compute/images •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachineScaleSets |
count: 003 RBI_ITF_NBFC_v2017_3.1.h, RMiT_v1.0_10.53, RMiT_v1.0_11.15 |
GA | BuiltIn | |
Compute | Compute | c43e4a30-77cb-48ab-a4dd-93f175c63b57 | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | IF (1) •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines |
count: 016 Azure_Security_Benchmark_v1.0_2.8, Azure_Security_Benchmark_v1.0_8.3, CMMC_2.0_L2_SI.L1-3.14.2, CMMC_2.0_L2_SI.L1-3.14.4, CMMC_2.0_L2_SI.L1-3.14.5, CMMC_L3_SI.1.210, CMMC_L3_SI.1.211, CMMC_L3_SI.1.212, CMMC_L3_SI.1.213, hipaa-0201.09j1Organizational.124-09.j, NIST_SP_800-171_R2_3.14.2, NIST_SP_800-171_R2_3.14.4, NIST_SP_800-171_R2_3.14.5, RMiT_v1.0_10.63, SWIFT_CSCF_v2021_6.1, SWIFT_CSCF_v2022_6.1 |
GA | BuiltIn | |
Compute | Compute | 9b597639-28e4-48eb-b506-56b05d366257 | Microsoft IaaSAntimalware extension should be deployed on Windows servers | This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | IF (3) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU THEN-ExistenceCondition (2) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines |
count: 013 AU_ISM_1288, AU_ISM_1417, CMMC_2.0_L2_SI.L1-3.14.2, CMMC_2.0_L2_SI.L1-3.14.4, CMMC_2.0_L2_SI.L1-3.14.5, CMMC_L3_SI.1.211, CMMC_L3_SI.1.213, NIST_SP_800-171_R2_3.14.2, NIST_SP_800-171_R2_3.14.4, NIST_SP_800-171_R2_3.14.5, RMiT_v1.0_Appendix_5.7, SWIFT_CSCF_v2021_6.1, SWIFT_CSCF_v2022_6.1 |
GA | BuiltIn | |
Compute | Compute | d7a36be7-42bc-4ea9-8029-2e8d4b8d175b | Not allowed VM Extensions | This policy governs which VM extensions are explicitly denied. | Default Deny Allowed Audit, Deny, Disabled | IF (2) •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines/extensions |
GA | Community | ||
Compute | Compute | c0e996f8-39cf-4af9-9f45-83fbde810432 | Only approved VM extensions should be installed | This policy governs the virtual machine extensions that are not approved. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines/extensions |
count: 006 CIS_Azure_1.1.0_7.4, CIS_Azure_1.3.0_7.4, CIS_Azure_1.4.0_7.4, RMiT_v1.0_11.4, SOC_2_CC6.8, SOC_2_CC8.1 |
GA | BuiltIn | |
Compute | Compute | compute_only_approved_vmss_extensions_should_be_installed | Only approved VMSS extensions should be installed | This policy governs the virtual machine scale set extensions that are not approved. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.Compute/virtualMachineScaleSets/extensions/type •Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.extensionProfile.extensions[*].type |
GA | Community | |||
Compute | Compute | 702dd420-7fcc-42c5-afe8-4026edd20fe0 | OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Default Audit Allowed Audit, Deny, Disabled | IF (10) •Microsoft.Compute/disks/encryption.diskEncryptionSetId •Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*] •Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[*].encryption.dataDiskImages[*].diskEncryptionSetId •Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id •Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.id •Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.dataDisks[*].managedDisk.diskEncryptionSet.id •Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.managedDisk.diskEncryptionSet.id |
IF (5) •Microsoft.Compute/disks •Microsoft.Compute/galleries/images/versions •Microsoft.Compute/images •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachineScaleSets |
count: 007 CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, RMiT_v1.0_10.53 |
GA | BuiltIn | |
Compute | Compute | 63b4e328-7369-4a72-a5ad-0884d7fb1d04 | Prevent deployment of Windows VM or VMSS without BYOL | The policy checks whether VMs or VM Scale Sets based on a Microsoft operating system are using BYOL for Azure Hybrid Benefit. Whether a VM is based on a Microsoft OS is decided using the same logic as the following policy: [Preview]: Azure Security agent should be installed on your Windows virtual machines - Microsoft Azure https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbb2c6c6d-14bc-4443-bef3-c6be0adc6076 | Default Audit Allowed Audit, Deny, Disabled | IF (3) •Microsoft.Compute/imagePublisher •Microsoft.Compute/licenseType •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType |
IF (1) •Microsoft.Compute/virtualMachines |
GA | Community | ||
Compute | Compute | 465f0161-0087-490a-9ad9-ad6217f4f43a | Require automatic OS image patching on Virtual Machine Scale Sets | This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month. | Fixed deny | IF (2) •Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade •Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade |
IF (1) •Microsoft.Compute/virtualMachineScaleSets |
GA | BuiltIn | ||
Compute | Compute | compute_blocked-disk-skus | undefined | Default Audit Allowed Deny, Audit, Disabled | IF (1) •Microsoft.Compute/disks |
GA | Community | ||||
Compute | Compute | compute_allowed-disk-skus | undefined | Default Audit Allowed Deny, Audit, Disabled | IF (1) •Microsoft.Compute/disks/sku.name |
IF (1) •Microsoft.Compute/disks |
GA | Community | |||
Compute | Compute | compute_allowed-vm-os | undefined | Fixed deny | IF (4) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSku •Microsoft.Compute/licenseType |
IF (1) •Microsoft.Compute/VirtualMachineScaleSets |
GA | Community | |||
Compute | Compute | fc4d8e41-e223-45ea-9bf5-eada37891d87 | Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either a customer-managed or a platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost •Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.encryptionAtHost |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachineScaleSets |
count: 012 CMMC_2.0_L2_SC.L2-3.13.16, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1), RMiT_v1.0_11.2, RMiT_v1.0_11.20 |
GA | BuiltIn | |
Compute | Compute | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | Virtual machines should be migrated to new Azure Resource Manager resources | Use the new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.ClassicCompute/virtualMachines •Microsoft.Compute/virtualMachines |
count: 020 Azure_Security_Benchmark_v1.0_6.9, Azure_Security_Benchmark_v2.0_AM-3, Azure_Security_Benchmark_v3.0_AM-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, FedRAMP_High_R4_AC-3, FedRAMP_Moderate_R4_AC-3, hipaa-0835.09n1Organizational.1-09.n, ISO27001-2013_A.9.1.2, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-53_R4_AC-3, NIST_SP_800-53_R5_AC-3, PCI_DSS_V3.2.1_10.3, PCI_DSS_V3.2.1_10.5.4, PCI_DSS_v4.0_10.2.2, PCI_DSS_v4.0_10.3.3, RBI_CSF_Banks_v2016_13.1, RMiT_v1.0_10.27, UK_NCSC_CSP_10 |
GA | BuiltIn | ||
Compute | Compute | compute_vm-use-allowed-images | VM use allowed Images | This policy prevents the use of unauthorized images for VMs. | Default audit Allowed deny, audit, disabled | IF (4) •Microsoft.Compute/virtualMachines/imageOffer •Microsoft.Compute/virtualMachines/imagePublisher •Microsoft.Compute/virtualMachines/imageSku •Microsoft.Compute/virtualMachines/imageVersion |
GA | Community | |||
Compute | Compute | 97d4dc8b-b0bd-42da-aa83-bbf98c0c7ef7 | VMAccess virtual machine extension for Linux | The VMAccess virtual machine extension for Linux allows the user to reset the password or SSH key of a selected user, or to create new local users with sudo access. https://github.com/Azure/azure-linux-extensions/blob/master/VMAccess/README.md | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines/extensions |
GA | Community | ||
Container Apps | Container Apps | 2b585559-a78e-4cc4-b1aa-fb169d2f6b96 | Authentication should be enabled on Container Apps | Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that carry tokens before they reach the Container App. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.App/containerApps/authConfigs/platform.enabled |
IF (1) •Microsoft.App/containerApps |
GA | BuiltIn | ||
Container Apps | Container Apps | 8b346db6-85af-419b-8557-92cee2c0f9bb | Container App environments should use network injection | Container Apps environments should use virtual network injection to: 1. Isolate Container Apps from the public internet; 2. Enable network integration with resources on-premises or in other Azure virtual networks; 3. Achieve more granular control over network traffic flowing to and from the environment. | Default Audit Allowed Audit, Disabled, Deny | IF (1) •Microsoft.App/managedEnvironments/vnetConfiguration.infrastructureSubnetId |
IF (1) •Microsoft.App/managedEnvironments |
GA | BuiltIn | ||
Container Apps | Container Apps | 7c9f3fbb-739d-4844-8e42-97e3be6450e0 | Container App should configure with volume mount | Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.App/containerApps |
GA | BuiltIn | |||
Container Apps | Container Apps | d074ddf8-01a5-4b5e-a2b8-964aed452c0a | Container Apps environment should disable public network access | Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.App/managedEnvironments/vnetConfiguration •Microsoft.App/managedEnvironments/vnetConfiguration.internal |
IF (1) •Microsoft.App/managedEnvironments |
GA | BuiltIn | ||
Container Apps | Container Apps | 783ea2a8-b8fd-46be-896a-9ae79643a0b1 | Container Apps should disable external network access | Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.App/containerApps/configuration.ingress •Microsoft.App/containerApps/configuration.ingress.external |
IF (1) •Microsoft.App/containerApps |
GA | BuiltIn | ||
Container Apps | Container Apps | 0e80e269-43a4-4ae9-b5bc-178126b8a5cb | Container Apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.App/containerApps/configuration.ingress.allowInsecure |
IF (1) •Microsoft.App/containerApps |
GA | BuiltIn | ||
Container Apps | Container Apps | b874ab2d-72dd-47f1-8cb5-4a306478a4e7 | Managed Identity should be enabled for Container Apps | Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.App/containerApps |
GA | BuiltIn | |||
Container Instance | Container Instance | 8af8f826-edcb-4178-b35f-851ea6fea615 | Azure Container Instance container group should deploy into a virtual network | Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. | Default Audit Allowed Audit, Disabled, Deny | IF (3) •Microsoft.ContainerInstance/containerGroups/ipAddress.type •Microsoft.ContainerInstance/containerGroups/networkProfile.id •Microsoft.ContainerInstance/containerGroups/subnetIds[*].id |
IF (1) •Microsoft.ContainerInstance/containerGroups |
count: 001 RMiT_v1.0_10.33 |
GA | BuiltIn | |
Container Instance | Container Instance | 0aa61e00-0a01-4a3c-9945-e93cffedf0e6 | Azure Container Instance container group should use customer-managed key for encryption | Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default Audit Allowed Audit, Disabled, Deny | IF (2) •Microsoft.ContainerInstance/containerGroups/encryptionProperties.keyName •Microsoft.ContainerInstance/containerGroups/encryptionProperties.vaultBaseUrl |
IF (1) •Microsoft.ContainerInstance/containerGroups |
count: 007 CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, RMiT_v1.0_10.53 |
GA | BuiltIn | |
Container Instances | Container Instances | 21c469fa-a887-4363-88a9-60bfd6911a15 | Configure diagnostics for container group to log analytics workspace | Appends the specified log analytics workspaceId and workspaceKey when any container group which is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those resource groups are changed. | Default Append Allowed Append, Disabled | IF (2) •Microsoft.ContainerInstance/containerGroups/diagnostics.logAnalytics.workspaceId •Microsoft.ContainerInstance/containerGroups/diagnostics.logAnalytics.workspaceKey |
IF (1) •Microsoft.ContainerInstance/containerGroups |
GA | BuiltIn | ||
Container Registry | Container Registry | cced2946-b08a-44fe-9fd9-e4ed8a779897 | Configure container registries to disable anonymous authentication. | Disable anonymous pull for your registry so that data is not accessible by unauthenticated users. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Modify Allowed Modify, Disabled | count: 1 •Contributor |
IF (1) •Microsoft.ContainerRegistry/registries/anonymousPullEnabled THEN-Operations (1) •Microsoft.ContainerRegistry/registries/anonymousPullEnabled |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn | |
Container Registry | Container Registry | 785596ed-054f-41bc-aaec-7f3d0ba05725 | Configure container registries to disable ARM audience token authentication. | Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. | Default Modify Allowed Modify, Disabled | count: 1 •Contributor |
IF (2) •Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy •Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy.status THEN-Operations (1) •Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy.status |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn | |
Container Registry | Container Registry | 79fdfe03-ffcb-4e55-b4d0-b925b8241759 | Configure container registries to disable local admin account. | Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Modify Allowed Modify, Disabled | count: 1 •Contributor |
IF (1) •Microsoft.ContainerRegistry/registries/adminUserEnabled THEN-Operations (1) •Microsoft.ContainerRegistry/registries/adminUserEnabled |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn | |
Container Registry | Container Registry | a3701552-92ea-433e-9d17-33b7f1208fc9 | Configure Container registries to disable public network access | Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. | Default Modify Allowed Modify, Disabled | count: 1 •Contributor |
IF (1) •Microsoft.ContainerRegistry/registries/publicNetworkAccess THEN-Operations (1) •Microsoft.ContainerRegistry/registries/publicNetworkAccess |
IF (1) •Microsoft.ContainerRegistry/registries |
count: 002 RMiT_v1.0_10.33, RMiT_v1.0_11.15 |
GA | BuiltIn |
Container Registry | Container Registry | a9b426fe-8856-4945-8600-18c5dd1cca2a | Configure container registries to disable repository scoped access token. | Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Modify Allowed Modify, Disabled | count: 1 •Contributor |
IF (1) •Microsoft.ContainerRegistry/registries/tokens/status THEN-Operations (1) •Microsoft.ContainerRegistry/registries/tokens/status |
IF (1) •Microsoft.ContainerRegistry/registries/tokens |
GA | BuiltIn | |
Container Registry | Container Registry | e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 | Configure Container registries to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Container Registry | Container Registry | d85c6833-7d33-4cf5-a915-aaa2de84405f | Configure Container registries with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Contributor |
IF (1) •Microsoft.ContainerRegistry/registries/sku.name THEN-ExistenceCondition (1) •Microsoft.ContainerRegistry/registries/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.ContainerRegistry/registries THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Container Registry | Container Registry | containerregistry_container-registries-prevent-access-to-trusted-services | Container Registries prevent access to trusted services | This policy configures the container registry acr_firewall_bypass setting to prevent access by trusted services. | Default Deny Allowed Audit, Deny, Disabled | GA | Community | ||||
Container Registry | Container Registry | containerregistry_container-registries-prevent-managed-identity | Container Registries prevent managed identity | This policy configures the container registry to prevent use of a managed identity. | Default Deny Allowed Audit, Deny, Disabled | GA | Community | ||||
Container Registry | Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.ContainerRegistry/registries/encryption.status |
IF (1) •Microsoft.ContainerRegistry/registries |
count: 016 Azure_Security_Benchmark_v2.0_DP-5, Azure_Security_Benchmark_v3.0_DP-5, CMMC_2.0_L2_SC.L2-3.13.10, CMMC_L3_SC.3.177, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, NZ_ISM_v3.5_CR-3, NZISM_Security_Benchmark_v1.1_CR-3, RBI_CSF_Banks_v2016_13.4, RBI_CSF_Banks_v2016_21.1, RMiT_v1.0_10.53, SOC_2_CC6.1, SWIFT_CSCF_v2021_2.5A |
GA | BuiltIn | |
Container Registry | Container Registry | 9f2dea28-e834-476c-99c5-3507b4728395 | Container registries should have anonymous authentication disabled. | Disable anonymous pull for your registry so that data is not accessible by unauthenticated users. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.ContainerRegistry/registries/anonymousPullEnabled |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn | ||
Container Registry | Container Registry | 42781ec6-6127-4c30-bdfa-fb423a0047d3 | Container registries should have ARM audience token authentication disabled. | Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy •Microsoft.ContainerRegistry/registries/policies.azureADAuthenticationAsArmPolicy.status |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn | ||
Container Registry | Container Registry | 524b0254-c285-4903-bee6-bb8126cde579 | Container registries should have exports disabled | Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.ContainerRegistry/registries/policies.exportPolicy.status •Microsoft.ContainerRegistry/registries/publicNetworkAccess |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn | ||
Container Registry | Container Registry | dc921057-6b28-4fbe-9b83-f7bec05db6c2 | Container registries should have local admin account disabled. | Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.ContainerRegistry/registries/adminUserEnabled |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn | ||
Container Registry | Container Registry | ff05e24e-195c-447e-b322-5e90c9f9f366 | Container registries should have repository scoped access token disabled. | Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.ContainerRegistry/registries/tokens/status |
IF (1) •Microsoft.ContainerRegistry/registries/tokens |
GA | BuiltIn | ||
Container Registry | Container Registry | bd560fc0-3c69-498a-ae9f-aa8eb7de0e13 | Container registries should have SKUs that support Private Links | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.ContainerRegistry/registries/sku.name |
IF (1) •Microsoft.ContainerRegistry/registries |
GA | BuiltIn | ||
Container Registry | Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction •Microsoft.ContainerRegistry/registries/publicNetworkAccess |
IF (1) •Microsoft.ContainerRegistry/registries |
count: 035 Azure_Security_Benchmark_v2.0_NS-1, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, CMMC_2.0_L2_SC.L2-3.13.6, CMMC_L3_AC.1.001, CMMC_L3_AC.1.002, CMMC_L3_AC.2.016, CMMC_L3_CM.3.068, CMMC_L3_SC.1.175, CMMC_L3_SC.3.183, FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-171_R2_3.13.6, NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_GS-3, NZISM_Security_Benchmark_v1.1_GS-3, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7, RMiT_v1.0_10.33 |
GA | BuiltIn | |
Container Registry | Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Default Audit Allowed Audit, Disabled | IF (2) •Microsoft.ContainerRegistry/registries/privateEndpointConnections[*] •Microsoft.ContainerRegistry/registries/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.ContainerRegistry/registries |
count: 044 Azure_Security_Benchmark_v2.0_NS-2, Azure_Security_Benchmark_v2.0_NS-3, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7, SWIFT_CSCF_v2021_1.1 |
GA | BuiltIn | |
Container Registry | Container Registry | containerregistry_container-registry-admin-user-filter | Enforce Admin User is disabled on all Container Registry instances | This policy ensures Admin User is disabled on all Container Registry instances. | Fixed: deny | | IF (1) •Microsoft.ContainerRegistry/registries/adminUserEnabled | IF (1) •Microsoft.ContainerRegistry/registries | | GA | Community |
Container Registry | Container Registry | 0fdf0491-d080-4575-b627-ad0e843cba0f | Public network access should be disabled for Container registries | Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.ContainerRegistry/registries/publicNetworkAccess | IF (1) •Microsoft.ContainerRegistry/registries | count: 001 RMiT_v1.0_10.33 | GA | BuiltIn |
Cosmos DB | Cosmos DB | cosmosdb_audit-cosmosdb-throughput | Audit Cosmos DB Throughput Exceeding Max | This policy audits when Cosmos DB shared or dedicated throughput exceeds a maximum. The policy audits Cosmos DB resources in accounts of any API (SQL, Cassandra, Gremlin, MongoDB, Table), where throughput can be provisioned either at the database/keyspace/table level or at the collection/container/graph/table level. | Fixed: Audit | | IF (9) •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.throughput | | | GA | Community |
Cosmos DB | Cosmos DB | cosmosdb_cosmos-db-multiple-write-locations | Audit or Deny Cosmos DB \| Multiple Write Locations not set as required | This policy audits or denies when a Cosmos DB account does not have the required multiple write locations setting. | Default: Audit; Allowed: Audit, Deny | | IF (1) •Microsoft.DocumentDB/databaseAccounts/enableMultipleWriteLocations | IF (1) •Microsoft.DocumentDB/databaseAccounts | | GA | Community |
Cosmos DB | Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default: Deny; Allowed: Audit, Deny, Disabled | | IF (4) •Microsoft.DocumentDB/databaseAccounts/ipRangeFilter •Microsoft.DocumentDB/databaseAccounts/ipRules •Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled •Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess | IF (1) •Microsoft.DocumentDB/databaseAccounts | count: 028 Azure_Security_Benchmark_v2.0_NS-1, Azure_Security_Benchmark_v2.0_NS-4, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, CMMC_2.0_L2_SC.L2-3.13.6, FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-171_R2_3.13.6, NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_GS-3, NZISM_Security_Benchmark_v1.1_GS-3, RBI_ITF_NBFC_v2017_5 | GA | BuiltIn |
Cosmos DB | Cosmos DB | 9d83ccb1-f313-46ce-9d39-a198bfdb51a0 | Azure Cosmos DB accounts should not exceed the maximum number of days allowed since last account key regeneration. | Regenerate your keys in the specified time to keep your data more protected. | Default: Audit; Allowed: Audit, Disabled | | IF (4) •Microsoft.DocumentDB/databaseAccounts/keysMetadata.primaryMasterKey.generationTime •Microsoft.DocumentDB/databaseAccounts/keysMetadata.primaryReadonlyMasterKey.generationTime •Microsoft.DocumentDB/databaseAccounts/keysMetadata.secondaryMasterKey.generationTime •Microsoft.DocumentDB/databaseAccounts/keysMetadata.secondaryReadonlyMasterKey.generationTime | IF (1) •Microsoft.DocumentDB/databaseAccounts | | GA | BuiltIn |
Cosmos DB | Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | IF (1) •Microsoft.DocumentDB/databaseAccounts/keyVaultKeyUri | IF (1) •Microsoft.DocumentDB/databaseAccounts | count: 014 Azure_Security_Benchmark_v2.0_DP-5, Azure_Security_Benchmark_v3.0_DP-5, CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, NZ_ISM_v3.5_CR-3, NZISM_Security_Benchmark_v1.1_CR-3, RBI_CSF_Banks_v2016_13.4, RBI_CSF_Banks_v2016_21.1, RBI_ITF_NBFC_v2017_3.1.h, SOC_2_CC6.1 | GA | BuiltIn |
Cosmos DB | Cosmos DB | 0473574d-2d43-4217-aefe-941fcdf7e684 | Azure Cosmos DB allowed locations | This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. | Default: Deny; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | IF (1) •Microsoft.DocumentDB/databaseAccounts/Locations[*] | IF (1) •Microsoft.DocumentDB/databaseAccounts | | GA | BuiltIn |
Cosmos DB | Cosmos DB | 4750c32b-89c0-46af-bfcb-2e4541a818d5 | Azure Cosmos DB key based metadata write access should be disabled | This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. | Fixed: append | | IF (1) •Microsoft.DocumentDB/databaseAccounts/disableKeyBasedMetadataWriteAccess THEN-Details (1) •Microsoft.DocumentDB/databaseAccounts/disableKeyBasedMetadataWriteAccess | IF (1) •Microsoft.DocumentDB/databaseAccounts | | GA | BuiltIn |
Cosmos DB | Cosmos DB | 797b37f7-06b8-444c-b1ad-fc62867f335a | Azure Cosmos DB should disable public network access | Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess | IF (1) •Microsoft.DocumentDB/databaseAccounts | | GA | BuiltIn |
Cosmos DB | Cosmos DB | 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf | Azure Cosmos DB throughput should be limited | This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. | Default: Deny; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | IF (27) •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/options •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/options •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/options •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/options •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/options •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/options •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/options •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/options •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/default.resource.throughput •Microsoft.DocumentDB/databaseAccounts/tables/options •Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.provisionedThroughputSettings •Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/default.resource.throughput | | | GA | BuiltIn |
Cosmos DB | Cosmos DB | dc2d41d1-4ab1-4666-a3e1-3d51c43e0049 | Configure Cosmos DB database accounts to disable local authentication | Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. | Default: Modify; Allowed: Modify, Disabled | count: 1 •DocumentDB Account Contributor | IF (2) •Microsoft.DocumentDB/databaseAccounts/capabilities[*].name •Microsoft.DocumentDB/databaseAccounts/disableLocalAuth THEN-Operations (1) •Microsoft.DocumentDB/databaseAccounts/disableLocalAuth | IF (1) •Microsoft.DocumentDB/databaseAccounts | | GA | BuiltIn |
Cosmos DB | Cosmos DB | da69ba51-aaf1-41e5-8651-607cd0b37088 | Configure CosmosDB accounts to disable public network access | Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. | Default: Modify; Allowed: Modify, Disabled | count: 2 •Contributor •DocumentDB Account Contributor | IF (1) •Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess THEN-Operations (1) •Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess | IF (1) •Microsoft.DocumentDB/databaseAccounts | | GA | BuiltIn |
Cosmos DB | Cosmos DB | a63cc0bd-cda4-4178-b705-37dc439d3e0f | Configure CosmosDB accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network so that the CosmosDB account name resolves to the private endpoint address. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Network Contributor | IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId | IF (2) •Microsoft.DocumentDb/databaseAccounts •Microsoft.Network/privateEndpoints | | GA | BuiltIn |
Cosmos DB | Cosmos DB | b609e813-3156-4079-91fa-a8494c1471c4 | Configure CosmosDB accounts with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your CosmosDB account, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 2 •Contributor •DocumentDB Account Contributor | THEN-ExistenceCondition (1) •Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.DocumentDB/databaseAccounts THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments | | GA | BuiltIn |
Cosmos DB | Cosmos DB | 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 | Cosmos DB database accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (2) •Microsoft.DocumentDB/databaseAccounts/capabilities[*].name •Microsoft.DocumentDB/databaseAccounts/disableLocalAuth | IF (1) •Microsoft.DocumentDB/databaseAccounts | count: 001 Azure_Security_Benchmark_v3.0_IM-1 | GA | BuiltIn |
Cosmos DB | Cosmos DB | 58440f8a-10c5-4151-bdce-dfbaad4a20b7 | CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Default: Audit; Allowed: Audit, Disabled | | IF (2) •Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections[*] •Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections[*].privateLinkServiceConnectionState.status | IF (1) •Microsoft.DocumentDB/databaseAccounts | count: 036 CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3) | GA | BuiltIn |
Cosmos DB | Cosmos DB | b5f04e03-92a3-4b09-9410-2cc5e5047656 | Deploy Advanced Threat Protection for Cosmos DB Accounts | This policy enables Advanced Threat Protection across Cosmos DB accounts. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 1 •Security Admin | THEN-ExistenceCondition (1) •Microsoft.Security/advancedThreatProtectionSettings/isEnabled | IF (1) •Microsoft.DocumentDB/databaseAccounts | count: 001 CMMC_L3_IR.2.093 | GA | BuiltIn |
Cosmos DB | Cosmos DB | cosmosdb_cosmos-db-vnet-filter | Enforce Virtual Network Filtering on Cosmos DB accounts | This policy ensures Virtual Network Filtering is enabled on all Cosmos DB accounts. | Fixed: deny | | IF (1) •Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled | IF (1) •Microsoft.DocumentDB/databaseAccounts | | GA | Community |
Cost Optimization | Cost Optimization | costoptimization_unused-app-service-plans-driving-cost-should-be-avoided | Unused App Service plans driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost. | Default: Audit; Allowed: Audit, Disabled | | IF (2) •Microsoft.Web/serverFarms/numberOfSites •Microsoft.Web/serverFarms/sku.tier | IF (1) •Microsoft.Web/serverfarms | | GA | Community |
Cost Optimization | Cost Optimization | Audit-ServerFarms-UnusedResourcesCostOptimization | Unused App Service plans driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost. | Default: Audit; Allowed: Audit, Disabled | | IF (2) •Microsoft.Web/serverFarms/numberOfSites •Microsoft.Web/serverFarms/sku.tier | IF (1) •Microsoft.Web/serverfarms | | GA | ALZ |
Cost Optimization | Cost Optimization | Audit-Disks-UnusedResourcesCostOptimization | Unused Disks driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost. | Default: Audit; Allowed: Audit, Disabled | | IF (1) •Microsoft.Compute/disks/diskState | IF (1) •Microsoft.Compute/disks | | GA | ALZ |
Cost Optimization | Cost Optimization | costoptimization_unused-disks-driving-cost-should-be-avoided | Unused Disks driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost. | Default: Audit; Allowed: Audit, Disabled | | IF (1) •Microsoft.Compute/disks/diskState | IF (1) •Microsoft.Compute/disks | | GA | Community |
Cost Optimization | Cost Optimization | Audit-PublicIpAddresses-UnusedResourcesCostOptimization | Unused Public IP addresses driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. | Default: Audit; Allowed: Audit, Disabled | | IF (4) •Microsoft.Network/publicIPAddresses/ipConfiguration •Microsoft.Network/publicIPAddresses/natGateway •Microsoft.Network/publicIPAddresses/publicIPPrefix •Microsoft.Network/publicIPAddresses/sku.name | IF (1) •Microsoft.network/publicIpAddresses | | GA | ALZ |
Cost Optimization | Cost Optimization | costoptimization_unused-public-ip-addresses-driving-cost-should-be-avoided | Unused Public IP addresses driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. | Default: Audit; Allowed: Audit, Disabled | | IF (4) •Microsoft.Network/publicIPAddresses/ipConfiguration •Microsoft.Network/publicIPAddresses/natGateway •Microsoft.Network/publicIPAddresses/publicIPPrefix •Microsoft.Network/publicIPAddresses/sku.name | IF (1) •Microsoft.network/publicIpAddresses | | GA | Community |
Custom Provider | Custom Provider | c15c281f-ea5c-44cd-90b8-fc3c14d13f0c | Deploy associations for a custom provider | Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | count: 1 •Contributor | | THEN-Deployment (1) •Microsoft.Resources/deployments | | GA | BuiltIn |
Data Box | Data Box | c349d81b-9985-44ae-a8da-ff98d108ede8 | Azure Data Box jobs should enable double encryption for data at rest on the device | Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (2) •Microsoft.DataBox/jobs/details.preferences.encryptionPreferences.doubleEncryption •Microsoft.Databox/jobs/sku.name | IF (1) •Microsoft.DataBox/jobs | count: 012 CMMC_2.0_L2_SC.L2-3.13.16, CMMC_L3_SC.3.177, CMMC_L3_SC.3.191, FedRAMP_High_R4_SC-28, FedRAMP_High_R4_SC-28(1), FedRAMP_Moderate_R4_SC-28, FedRAMP_Moderate_R4_SC-28(1), NIST_SP_800-171_R2_3.13.16, NIST_SP_800-53_R4_SC-28, NIST_SP_800-53_R4_SC-28(1), NIST_SP_800-53_R5_SC-28, NIST_SP_800-53_R5_SC-28(1) | GA | BuiltIn |
Data Box | Data Box | 86efb160-8de7-451d-bc08-5d475b0aadae | Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password | Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (2) •Microsoft.DataBox/jobs/details.keyEncryptionKey.kekType •Microsoft.Databox/jobs/sku.name | IF (1) •Microsoft.DataBox/jobs | count: 006 CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12 | GA | BuiltIn |
Data Factory | Data Factory | 3d02a511-74e5-4dab-a5fd-878704d4a61a | [Preview]: Azure Data Factory pipelines should only communicate with allowed domains | To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. | Default: Deny; Allowed: Deny, Disabled | | | | | Preview | BuiltIn |
Data Factory | Data Factory | 4ec52d6d-beb7-40c4-9a9e-fe753254690e | Azure data factories should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.DataFactory/factories/encryption.vaultBaseUrl | IF (1) •Microsoft.DataFactory/factories | count: 006 CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12 | GA | BuiltIn |
Data Factory | Data Factory | 85bb39b5-2f66-49f8-9306-77da3ac5130f | Azure Data Factory integration runtime should have a limit for number of cores | To manage your resources and costs, limit the number of cores for an integration runtime. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (2) •Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.dataFlowProperties.coreCount •Microsoft.DataFactory/factories/integrationruntimes/type | IF (1) •Microsoft.DataFactory/factories/integrationRuntimes | | GA | BuiltIn |
Data Factory | Data Factory | 6809a3d0-d354-42fb-b955-783d207c62a8 | Azure Data Factory linked service resource type should be in allow list | Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.DataFactory/factories/linkedservices/type | | | GA | BuiltIn |
Data Factory | Data Factory | 127ef6d7-242f-43b3-9eef-947faf1725d0 | Azure Data Factory linked services should use Key Vault for storing secrets | To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (30) •Microsoft.DataFactory/factories/linkedservices/AmazonMWS.typeProperties.mwsAuthToken.type •Microsoft.DataFactory/factories/linkedservices/AmazonMWS.typeProperties.secretKey.type •Microsoft.DataFactory/factories/linkedservices/AmazonS3.typeProperties.secretAccessKey.type •Microsoft.DataFactory/factories/linkedservices/AzureBlobStorage.typeProperties.servicePrincipalKey •Microsoft.DataFactory/factories/linkedservices/AzureBlobStorage.typeProperties.servicePrincipalKey.type •Microsoft.DataFactory/factories/linkedservices/AzureSearch.typeProperties.key.type •Microsoft.DataFactory/factories/linkedservices/AzureSqlDW.typeProperties.servicePrincipalKey.type •Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.accountKey •Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri •Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri.type •Microsoft.DataFactory/factories/linkedservices/CosmosDb.typeProperties.accountKey.type •Microsoft.DataFactory/factories/linkedservices/Dynamics.typeProperties.servicePrincipalCredential •Microsoft.DataFactory/factories/linkedservices/Dynamics.typeProperties.servicePrincipalCredential.type •Microsoft.DataFactory/factories/linkedservices/GoogleAdWords.typeProperties.developerToken.type •Microsoft.DataFactory/factories/linkedservices/GoogleBigQuery.typeProperties.clientSecret.type •Microsoft.DataFactory/factories/linkedservices/GoogleBigQuery.typeProperties.refreshToken.type •Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken •Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken.type •Microsoft.DataFactory/factories/linkedservices/OData.typeProperties.servicePrincipalEmbeddedCert.type •Microsoft.DataFactory/factories/linkedservices/OData.typeProperties.servicePrincipalEmbeddedCertPassword.type •Microsoft.DataFactory/factories/linkedservices/Odbc.typeProperties.credential.type •Microsoft.DataFactory/factories/linkedservices/Salesforce.typeProperties.securityToken.type •Microsoft.DataFactory/factories/linkedservices/Sftp.typeProperties.passPhrase.type •Microsoft.DataFactory/factories/linkedservices/Sftp.typeProperties.privateKeyContent.type •Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password •Microsoft.DataFactory/factories/linkedservices/SqlServer.typeProperties.password.type •Microsoft.DataFactory/factories/linkedservices/type •Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString •Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString.type •Microsoft.DataFactory/factories/linkedservices/typeProperties.encryptedCredential | | | GA | BuiltIn |
Data Factory | Data Factory | f78ccdb4-7bf4-4106-8647-270491d2978a | Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (7) •Microsoft.DataFactory/factories/linkedservices/AzureSqlDW.typeProperties.servicePrincipalKey •Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.accountKey •Microsoft.DataFactory/factories/linkedservices/AzureStorage.typeProperties.sasUri •Microsoft.DataFactory/factories/linkedservices/Hubspot.typeProperties.accessToken •Microsoft.DataFactory/factories/linkedservices/type •Microsoft.DataFactory/factories/linkedservices/typeProperties.connectionString •Microsoft.DataFactory/factories/linkedservices/typeProperties.encryptedCredential | | | GA | BuiltIn |
Data Factory | Data Factory | 77d40665-3120-4348-b539-3192ec808307 | Azure Data Factory should use a Git repository for source control | Enable source control on data factories, to gain capabilities such as change tracking, collaboration, continuous integration, and deployment. | Default: Audit; Allowed: Audit, Deny, Disabled | | IF (1) •Microsoft.DataFactory/factories/repoConfiguration.repositoryName | IF (1) •Microsoft.DataFactory/factories | | GA | BuiltIn |
Data Factory | Data Factory | 8b0323be-cc25-4b61-935d-002c3798c6ea | Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | THEN-ExistenceCondition (1) •Microsoft.DataFactory/factories/privateEndpointConnections/privateLinkServiceConnectionState.status | IF (1) •Microsoft.DataFactory/factories | count: 036 CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3) | GA | BuiltIn |
Data Factory | Data Factory | 08b1442b-7789-4130-8506-4f99a97226a7 | Configure Data Factories to disable public network access | Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default Modify Allowed Modify, Disabled | count: 1 •Data Factory Contributor |
IF (1) •Microsoft.DataFactory/factories/publicNetworkAccess THEN-Operations (1) •Microsoft.DataFactory/factories/publicNetworkAccess |
IF (1) •Microsoft.DataFactory/factories |
GA | BuiltIn | |
Data Factory | Data Factory | 86cd96e1-1745-420d-94d4-d3f2fe415aa4 | Configure private DNS zones for private endpoints that connect to Azure Data Factory | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Data Factory | Data Factory | 496ca26b-f669-4322-a1ad-06b7b5e41882 | Configure private endpoints for Data factories | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 2 •Data Factory Contributor •Network Contributor |
THEN-ExistenceCondition (1) •Microsoft.DataFactory/factories/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.DataFactory/factories THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Data Factory | Data Factory | 67a1def3-5e6d-4d07-adc0-e929bba328a6 | Prevent-DataFactory-ManagedSSISRuntime | Prevent creation of Managed SSIS runtime for Azure Data Factory | Default Deny Allowed Audit, Disabled, Deny | IF (2) •Microsoft.DataFactory/factories/integrationruntimes/type •Microsoft.DataFactory/factories/integrationruntimes/typeProperties.ssisProperties |
IF (1) •Microsoft.DataFactory/factories/integrationruntimes |
GA | Community | ||
Data Factory | Data Factory | 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6 | Public network access on Azure Data Factory should be disabled | Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.DataFactory/factories/publicNetworkAccess |
IF (1) •Microsoft.DataFactory/factories |
GA | BuiltIn | ||
Data Factory | Data Factory | 0088bc63-6dee-4a9c-9d29-91cfdc848952 | SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Default Audit Allowed Audit, Deny, Disabled | IF (3) •Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.vnetProperties.vnetId •Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.customerVirtualNetwork.subnetId •Microsoft.DataFactory/factories/integrationruntimes/type |
IF (1) •Microsoft.DataFactory/factories/integrationRuntimes |
GA | BuiltIn | ||
Data Lake | Data Lake | monitoring_audit-enabling-diagnostic-logs-data-lake-analytics | Audit enabling of diagnostic logs in Data Lake Analytics | Audit enabling of logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised | Fixed AuditIfNotExists | THEN-ExistenceCondition (2) •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled |
IF (1) •Microsoft.DataLakeAnalytics/accounts |
GA | Community | ||
Data Lake | Data Lake | datalake_data-lake-store-encryption | Enforce encryption on Data Lake Store accounts | This policy ensures encryption is enabled on all Data Lake Store accounts | Fixed deny | IF (1) •Microsoft.DataLakeStore/accounts/encryptionState |
IF (1) •Microsoft.DataLakeStore/accounts |
GA | Community | ||
Data Lake | Data Lake | a7ff3161-0087-490a-9ad9-ad6217f4f43a | Require encryption on Data Lake Store accounts | This policy ensures encryption is enabled on all Data Lake Store accounts | Fixed deny | IF (1) •Microsoft.DataLakeStore/accounts/encryptionState |
IF (1) •Microsoft.DataLakeStore/accounts |
count: 003 CMMC_L3_SC.3.177, CMMC_L3_SC.3.191, hipaa-0304.09o3Organizational.1-09.o |
GA | BuiltIn | |
Data Lake | Data Lake | 057ef27e-665e-4328-8ea3-04b3122bd9fb | Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.DataLakeStore/accounts |
count: 027 Azure_Security_Benchmark_v1.0_2.3, Azure_Security_Benchmark_v2.0_LT-4, Azure_Security_Benchmark_v3.0_LT-3, CIS_Azure_1.3.0_5.3, CIS_Azure_1.4.0_5.3, CMMC_2.0_L2_AU.L2-3.3.1, CMMC_2.0_L2_AU.L2-3.3.2, FedRAMP_High_R4_AU-12, FedRAMP_High_R4_AU-12(1), FedRAMP_High_R4_AU-6(4), FedRAMP_High_R4_AU-6(5), FedRAMP_Moderate_R4_AU-12, hipaa-1202.09aa1System.1-09.aa, NIST_SP_800-171_R2_3.3.1, NIST_SP_800-171_R2_3.3.2, NIST_SP_800-53_R4_AU-12, NIST_SP_800-53_R4_AU-12(1), NIST_SP_800-53_R4_AU-6(4), NIST_SP_800-53_R4_AU-6(5), NIST_SP_800-53_R5_AU-12, NIST_SP_800-53_R5_AU-12(1), NIST_SP_800-53_R5_AU-6(4), NIST_SP_800-53_R5_AU-6(5), NZ_ISM_v3.5_AC-18, NZISM_Security_Benchmark_v1.1_AC-17, RBI_CSF_Banks_v2016_17.1, SWIFT_CSCF_v2021_6.4 |
GA | BuiltIn | |
Data Lake | Data Lake | c95c74d9-38fe-4f0d-af86-0c7d626a315c | Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.DataLakeAnalytics/accounts |
count: 027 Azure_Security_Benchmark_v1.0_2.3, Azure_Security_Benchmark_v2.0_LT-4, Azure_Security_Benchmark_v3.0_LT-3, CIS_Azure_1.3.0_5.3, CIS_Azure_1.4.0_5.3, CMMC_2.0_L2_AU.L2-3.3.1, CMMC_2.0_L2_AU.L2-3.3.2, FedRAMP_High_R4_AU-12, FedRAMP_High_R4_AU-12(1), FedRAMP_High_R4_AU-6(4), FedRAMP_High_R4_AU-6(5), FedRAMP_Moderate_R4_AU-12, hipaa-1210.09aa3System.3-09.aa, NIST_SP_800-171_R2_3.3.1, NIST_SP_800-171_R2_3.3.2, NIST_SP_800-53_R4_AU-12, NIST_SP_800-53_R4_AU-12(1), NIST_SP_800-53_R4_AU-6(4), NIST_SP_800-53_R4_AU-6(5), NIST_SP_800-53_R5_AU-12, NIST_SP_800-53_R5_AU-12(1), NIST_SP_800-53_R5_AU-6(4), NIST_SP_800-53_R5_AU-6(5), NZ_ISM_v3.5_AC-18, NZISM_Security_Benchmark_v1.1_AC-17, RBI_CSF_Banks_v2016_17.1, SWIFT_CSCF_v2021_6.4 |
GA | BuiltIn | |
Databricks | Databricks | Deny-Databricks-VirtualNetwork | Deny Databricks workspaces without Vnet injection | Enforces the use of vnet injection for Databricks workspaces. | Default Deny Allowed Audit, Disabled, Deny | IF (3) •Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value •Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value •Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value |
IF (1) •Microsoft.Databricks/workspaces |
GA | ALZ | ||
Databricks | Databricks | Deny-Databricks-Sku | Deny non-premium Databricks sku | Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD. | Default Deny Allowed Audit, Disabled, Deny | IF (1) •Microsoft.DataBricks/workspaces/sku.name |
IF (1) •Microsoft.Databricks/workspaces |
GA | ALZ | ||
Databricks | Databricks | Deny-Databricks-NoPublicIp | Deny public IPs for Databricks cluster | Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. | Default Deny Allowed Audit, Disabled, Deny | IF (1) •Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value |
IF (1) •Microsoft.Databricks/workspaces |
GA | ALZ | ||
DB for MySQL | DB for MySQL | dbformysql_db-for-mysql-ssl-enforce-filter | Enforce SSL on all DB for MySQL instances | This policy ensures SSL is enforced on all DB for MySQL instances | Fixed deny | IF (1) •Microsoft.DBforMySQL/servers/sslEnforcement |
IF (1) •Microsoft.DBforMySQL/servers |
GA | Community | ||
Desktop Virtualization | Desktop Virtualization | c25dcf31-878f-4eba-98eb-0818fdc6a334 | Azure Virtual Desktop hostpools should disable public network access | Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. Learn more at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.DesktopVirtualization/hostPools/publicNetworkAccess |
IF (1) •Microsoft.DesktopVirtualization/hostpools |
GA | BuiltIn | ||
Desktop Virtualization | Desktop Virtualization | a22065a3-3b04-46ff-b84c-2d30e5c300d0 | Azure Virtual Desktop hostpools should disable public network access only on session hosts | Disabling public network access for your Azure Virtual Desktop hostpool session hosts while still allowing public access for end users improves security by limiting exposure to the public internet. Learn more at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.DesktopVirtualization/hostPools/publicNetworkAccess |
IF (1) •Microsoft.DesktopVirtualization/hostpools |
GA | BuiltIn | ||
Desktop Virtualization | Desktop Virtualization | ca950cd7-02f7-422e-8c23-91ff40f169c1 | Azure Virtual Desktop service should use private link | Using Azure Private Link with your Azure Virtual Desktop resources can improve security and keep your data safe. Learn more about private links at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Disabled | IF (4) •Microsoft.DesktopVirtualization/hostpools/privateEndpointConnections[*] •Microsoft.DesktopVirtualization/hostpools/privateEndpointConnections[*].privateLinkServiceConnectionState.status •Microsoft.DesktopVirtualization/workspaces/privateEndpointConnections[*] •Microsoft.DesktopVirtualization/workspaces/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (2) •Microsoft.DesktopVirtualization/hostpools •Microsoft.DesktopVirtualization/workspaces |
GA | BuiltIn | ||
Desktop Virtualization | Desktop Virtualization | 87ac3038-c07a-4b92-860d-29e270a4f3cd | Azure Virtual Desktop workspaces should disable public network access | Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.DesktopVirtualization/workspaces/publicNetworkAccess |
IF (1) •Microsoft.DesktopVirtualization/workspaces |
GA | BuiltIn | ||
Desktop Virtualization | Desktop Virtualization | 9427df23-0f42-4e1e-bf99-a6133d841c4a | Configure Azure Virtual Desktop hostpool resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.DesktopVirtualization/hostpools •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Desktop Virtualization | Desktop Virtualization | 2a0913ff-51e7-47b8-97bb-ea17127f7c8d | Configure Azure Virtual Desktop hostpools to disable public network access | Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default Modify Allowed Modify, Disabled | count: 1 •Desktop Virtualization Host Pool Contributor |
IF (1) •Microsoft.DesktopVirtualization/hostPools/publicNetworkAccess THEN-Operations (1) •Microsoft.DesktopVirtualization/hostPools/publicNetworkAccess |
IF (1) •Microsoft.DesktopVirtualization/hostpools |
GA | BuiltIn | |
Desktop Virtualization | Desktop Virtualization | e84e8a9a-f43e-46e3-9458-bbcfb2d7e429 | Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts | Disable public network access for your Azure Virtual Desktop hostpool session hosts, but allow public access for end users. This allows users to still access AVD service while ensuring the session host is only accessible through private routes. Learn more at: https://aka.ms/avdprivatelink. | Default Modify Allowed Modify, Disabled | count: 1 •Desktop Virtualization Host Pool Contributor |
IF (1) •Microsoft.DesktopVirtualization/hostPools/publicNetworkAccess THEN-Operations (1) •Microsoft.DesktopVirtualization/hostPools/publicNetworkAccess |
IF (1) •Microsoft.DesktopVirtualization/hostpools |
GA | BuiltIn | |
Desktop Virtualization | Desktop Virtualization | 7b331e6b-6096-4395-a754-758a64505f19 | Configure Azure Virtual Desktop hostpools with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Contributor |
THEN-ExistenceCondition (2) •Microsoft.DesktopVirtualization/hostPools/privateEndpointConnections[*] •Microsoft.DesktopVirtualization/hostPools/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.DesktopVirtualization/hostpools THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Desktop Virtualization | Desktop Virtualization | 34804460-d88b-4922-a7ca-537165e060ed | Configure Azure Virtual Desktop workspace resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (3) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId |
IF (2) •Microsoft.DesktopVirtualization/workspaces •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Desktop Virtualization | Desktop Virtualization | ce6ebf1d-0b94-4df9-9257-d8cacc238b4f | Configure Azure Virtual Desktop workspaces to disable public network access | Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default Modify Allowed Modify, Disabled | count: 1 •Desktop Virtualization Workspace Contributor |
IF (1) •Microsoft.DesktopVirtualization/workspaces/publicNetworkAccess THEN-Operations (1) •Microsoft.DesktopVirtualization/workspaces/publicNetworkAccess |
IF (1) •Microsoft.DesktopVirtualization/workspaces |
GA | BuiltIn | |
Desktop Virtualization | Desktop Virtualization | 02aa841c-42e8-492f-a43d-1f2c67e58d41 | Configure Azure Virtual Desktop workspaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Contributor |
THEN-ExistenceCondition (2) •Microsoft.DesktopVirtualization/workspaces/privateEndpointConnections[*] •Microsoft.DesktopVirtualization/workspaces/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.DesktopVirtualization/workspaces THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
DevTestLabs | DevTestLabs | aca94a15-a131-4a06-ab0e-89f57e28cc5c | Allowed DevTestLabs Repo URL prefix | Fixed deny | IF (1) •Microsoft.DevTestLab/labs/artifactSources/uri |
GA | Community | ||||
Disks | Disks | bf5a4fd6-c74a-49bf-8f3c-f875b7aa4488 | Audit OS and data disks encrypted without a customer-managed key | Audit if the OS or data disk is encrypted without a customer-managed key. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.Compute/disks/encryption.type |
IF (1) •Microsoft.Compute/disks |
GA | Community | ||
Event Grid | Event Grid | f8f774be-6aee-492a-9e29-486ef81f3a68 | Azure Event Grid domains should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.EventGrid/domains/publicNetworkAccess |
IF (1) •Microsoft.EventGrid/domains |
GA | BuiltIn | ||
Event Grid | Event Grid | 8bfadddb-ee1c-4639-8911-a38cb8e0b3bd | Azure Event Grid domains should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.EventGrid/domains/disableLocalAuth |
IF (1) •Microsoft.EventGrid/domains |
GA | BuiltIn | ||
Event Grid | Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default Audit Allowed Audit, Disabled | IF (2) •Microsoft.EventGrid/domains/privateEndpointConnections[*] •Microsoft.EventGrid/domains/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.EventGrid/domains |
count: 043 Azure_Security_Benchmark_v2.0_NS-2, Azure_Security_Benchmark_v2.0_NS-3, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7 |
GA | BuiltIn | |
Event Grid | Event Grid | 8632b003-3545-4b29-85e6-b2b96773df1e | Azure Event Grid partner namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.EventGrid/partnerNamespaces/disableLocalAuth |
IF (1) •Microsoft.EventGrid/partnerNamespaces |
GA | BuiltIn | ||
Event Grid | Event Grid | 1adadefe-5f21-44f7-b931-a59b54ccdb45 | Azure Event Grid topics should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.EventGrid/topics/publicNetworkAccess |
IF (1) •Microsoft.EventGrid/topics |
GA | BuiltIn | ||
Event Grid | Event Grid | ae9fb87f-8a17-4428-94a4-8135d431055c | Azure Event Grid topics should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.EventGrid/topics/disableLocalAuth |
IF (1) •Microsoft.EventGrid/topics |
GA | BuiltIn | ||
Event Grid | Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default Audit Allowed Audit, Disabled | IF (2) •Microsoft.EventGrid/topics/privateEndpointConnections[*] •Microsoft.EventGrid/topics/privateEndpointConnections[*].privateLinkServiceConnectionState.status |
IF (1) •Microsoft.EventGrid/topics |
count: 043 Azure_Security_Benchmark_v2.0_NS-2, Azure_Security_Benchmark_v2.0_NS-3, Azure_Security_Benchmark_v3.0_NS-2, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3), NZ_ISM_v3.5_INF-9, NZISM_Security_Benchmark_v1.1_INF-9, RBI_CSF_Banks_v2016_14.1, RBI_CSF_Banks_v2016_7.7 |
GA | BuiltIn | |
Event Grid | Event Grid | 8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1 | Configure Azure Event Grid domains to disable local authentication | Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default Modify Allowed Modify, Disabled | count: 1 •EventGrid Contributor |
IF (1) •Microsoft.EventGrid/domains/disableLocalAuth THEN-Operations (1) •Microsoft.EventGrid/domains/disableLocalAuth |
IF (1) •Microsoft.EventGrid/domains |
GA | BuiltIn | |
Event Grid | Event Grid | 2dd0e8b9-4289-4bb0-b813-1883298e9924 | Configure Azure Event Grid partner namespaces to disable local authentication | Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default Modify Allowed Modify, Disabled | count: 1 •EventGrid Contributor |
IF (1) •Microsoft.EventGrid/partnerNamespaces/disableLocalAuth THEN-Operations (1) •Microsoft.EventGrid/partnerNamespaces/disableLocalAuth |
IF (1) •Microsoft.EventGrid/partnerNamespaces |
GA | BuiltIn | |
Event Grid | Event Grid | 1c8144d9-746a-4501-b08c-093c8d29ad04 | Configure Azure Event Grid topics to disable local authentication | Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. | Default Modify Allowed Modify, Disabled | count: 1 •EventGrid Contributor |
IF (1) •Microsoft.EventGrid/topics/disableLocalAuth THEN-Operations (1) •Microsoft.EventGrid/topics/disableLocalAuth |
IF (1) •Microsoft.EventGrid/topics |
GA | BuiltIn | |
Event Grid | Event Grid | d389df0a-e0d7-4607-833c-75a6fdac2c2d | Deploy - Configure Azure Event Grid domains to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed deployIfNotExists, DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Event Grid | Event Grid | 36f4658a-848a-467b-881c-e6fa20cf75fc | Deploy - Configure Azure Event Grid domains with private endpoints | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 2 •EventGrid Contributor •Network Contributor |
THEN-ExistenceCondition (1) •Microsoft.EventGrid/domains/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.EventGrid/domains THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Event Grid | Event Grid | baf19753-7502-405f-8745-370519b20483 | Deploy - Configure Azure Event Grid topics to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed deployIfNotExists, DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Event Grid | Event Grid | 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca | Deploy - Configure Azure Event Grid topics with private endpoints | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 2 •EventGrid Contributor •Network Contributor |
THEN-ExistenceCondition (1) •Microsoft.EventGrid/topics/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.EventGrid/topics THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Event Grid | Event Grid | eventgrid_enforce-event-grid-sys-topic-handler-type-to-be-storage-account | Enforce event grid system topic handler type to be storage account | This policy enforces that the Event Grid system topic handler type is a storage account. | Default Deny Allowed Audit, Deny, Disabled | IF (1) •Microsoft.EventGrid/systemTopics/eventSubscriptions/destination.endpointType |
GA | Community | |||
Event Grid | Event Grid | eventgrid_enforce-event-grid-system-topic-source-type-be-storage-account | Enforce event grid system topic source type to be storage account | This policy enforces that the Event Grid system topic source type is a storage account. | Default Deny Allowed Audit, Deny, Disabled | IF (1) •Microsoft.EventGrid/systemTopics/topicType |
GA | Community | |||
Event Grid | Event Grid | 898e9824-104c-4965-8e0e-5197588fa5d4 | Modify - Configure Azure Event Grid domains to disable public network access | Disable public network access for your Azure Event Grid resource so that it isn't accessible over the public internet. This helps protect it against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default Modify Allowed Modify, Disabled | count: 1 •EventGrid Contributor |
IF (1) •Microsoft.EventGrid/domains/publicNetworkAccess THEN-Operations (1) •Microsoft.EventGrid/domains/publicNetworkAccess |
IF (1) •Microsoft.EventGrid/domains |
GA | BuiltIn | |
Event Grid | Event Grid | 36ea4b4b-0f7f-4a54-89fa-ab18f555a172 | Modify - Configure Azure Event Grid topics to disable public network access | Disable public network access for your Azure Event Grid resource so that it isn't accessible over the public internet. This helps protect it against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default Modify Allowed Modify, Disabled | count: 1 •EventGrid Contributor |
IF (1) •Microsoft.EventGrid/topics/publicNetworkAccess THEN-Operations (1) •Microsoft.EventGrid/topics/publicNetworkAccess |
IF (1) •Microsoft.EventGrid/topics |
GA | BuiltIn | |
Event Hub | Event Hub | b278e460-7cfc-4451-8294-cccc40a940d7 | All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace | Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.EventHub/namespaces/authorizationRules |
GA | BuiltIn | |||
Event Hub | Event Hub | eventhub_audit-event-hub-authorization | Audit authorization rules on Event Hub namespaces | Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least previlege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity | Fixed Audit | IF (1) •Microsoft.EventHub/namespaces/authorizationRules |
GA | Community | |||
Event Hub | Event Hub | monitoring_event-hub-diagnostic-logs-audit | Audit enabling of diagnostic logs in Event Hub | Audit enabling of logs and retain them up to a year. This enables recreation of activity trails for investigation purposes when a security incident occurs or your network is compromised | Fixed AuditIfNotExists | THEN-ExistenceCondition (2) •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled |
IF (1) •Microsoft.EventHub/namespaces |
GA | Community | ||
Event Hub | Event Hub | eventhub_event-hub-entity-authorization-rules-audit | Audit existence of authorization rules on Event Hub entities | Audit existence of authorization rules on Event Hub entities to grant least-privileged access | Fixed AuditIfNotExists | IF (1) •Microsoft.EventHub/namespaces/eventhubs THEN-Details (1) •Microsoft.EventHub/namespaces/eventHubs/authorizationRules |
GA | Community | |||
Event Hub | Event Hub | f4826e5f-6a27-407c-ae3e-9582eb39891d | Authorization rules on the Event Hub instance should be defined | Audit existence of authorization rules on Event Hub entities to grant least-privileged access | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | IF (1) •Microsoft.EventHub/namespaces/eventhubs THEN-Details (1) •Microsoft.EventHub/namespaces/eventHubs/authorizationRules |
count: 001 RMiT_v1.0_10.55 |
GA | BuiltIn | ||
Event Hub | Event Hub | 5d4e3c65-4873-47be-94f3-6f8b953a3598 | Azure Event Hub namespaces should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. | Default Audit Allowed Audit, Deny, Disabled | IF (1) •Microsoft.EventHub/namespaces/disableLocalAuth |
IF (1) •Microsoft.EventHub/namespaces |
GA | BuiltIn | ||
Event Hub | Event Hub | 57f35901-8389-40bb-ac49-3ba4f86d889d | Configure Azure Event Hub namespaces to disable local authentication | Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. | Default Modify Allowed Modify, Disabled | count: 1 •Azure Event Hubs Data Owner |
IF (1) •Microsoft.EventHub/namespaces/disableLocalAuth THEN-Operations (1) •Microsoft.EventHub/namespaces/disableLocalAuth |
IF (1) •Microsoft.EventHub/namespaces |
GA | BuiltIn | |
Event Hub | Event Hub | ed66d4f5-8220-45dc-ab4a-20d1749c74e6 | Configure Event Hub namespaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 1 •Network Contributor |
IF (1) •Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*] |
IF (1) •Microsoft.Network/privateEndpoints |
GA | BuiltIn | |
Event Hub | Event Hub | 91678b7c-d721-4fc5-b179-3cdf74e96b1c | Configure Event Hub namespaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 2 •Azure Event Hubs Data Owner •Network Contributor |
THEN-ExistenceCondition (1) •Microsoft.EventHub/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.EventHub/namespaces THEN-Deployment (2) •Microsoft.Network/privateEndpoints •Microsoft.Resources/deployments |
GA | BuiltIn | |
Event Hub | Event Hub | 33e7e8f1-ea02-4dd0-911d-0fbe0d54d427 | Deny - Configure Event Hubs to allow only certain SKUs | The policy denies the Basic SKU because one can only create private endpoint connections with Standard or Premium SKU. | Default Deny Allowed Audit, Disabled, Deny | IF (1) •Microsoft.EventHub/namespaces/sku.name |
IF (1) •Microsoft.EventHub/namespaces |
GA | Community | ||
Event Hub | Event Hub | f6006471-31cf-4887-a7cb-42724faed672 | Deny - Configure Event Hubs to disable public network access | The policy denies accessing the resource through public network. Only private endpoints are supported. | Default Deny Allowed Deny, Audit, Disabled | IF (1) •Microsoft.EventHub/namespaces/publicNetworkAccess |
IF (1) •Microsoft.EventHub/namespaces |
GA | Community | ||
Event Hub | Event Hub | b47a96dc-ce80-49f5-8718-bee39c051a4b | Deny - Configure Event Hubs to use availability zones | The policy enforces the usage of regions with availability zones. With availability zones high availability is provided. | Default Deny Allowed Disabled, Audit, Deny | IF (1) •Microsoft.EventHub/namespaces/zoneRedundant |
IF (1) •Microsoft.EventHub/namespaces |
GA | Community | ||
Event Hub | Event Hub | 0602787f-9896-402a-a6e1-39ee63ee435e | Event Hub Namespaces should disable public network access | Azure Event Hub should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service | Default Audit Allowed Audit, Deny, Disabled | GA | BuiltIn | ||||
Event Hub | Event Hub | 836cd60e-87f3-4e6a-a27c-29d687f01a4c | Event Hub namespaces should have double encryption enabled | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Default Audit Allowed Audit, Deny, Disabled | IF (2) •Microsoft.EventHub/namespaces/clusterArmId •Microsoft.EventHub/namespaces/encryption.requireInfrastructureEncryption |
IF (1) •Microsoft.EventHub/namespaces |
GA | BuiltIn | ||
Event Hub | Event Hub | audit-deny-eh-minimum-tls-version-policyDef | Event Hub namespaces should have the specified minimum TLS version | Configure a minimum TLS version for secure communication between the client application and the Event Hub Namespace. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2. | Default Deny Allowed Audit, Deny, Disabled | IF (1) •Microsoft.EventHub/namespaces/minimumTlsVersion |
IF (1) •Microsoft.EventHub/namespaces |
GA | Community | ||
Event Hub | Event Hub | a1ad735a-e96f-45d2-a7b2-9a4932cab7ec | Event Hub namespaces should use a customer-managed key for encryption | Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. | Default Audit Allowed Audit, Disabled | IF (2) •Microsoft.EventHub/namespaces/clusterArmId •Microsoft.EventHub/namespaces/encryption.keySource |
IF (1) •Microsoft.EventHub/namespaces |
count: 007 CMMC_2.0_L2_SC.L2-3.13.10, FedRAMP_High_R4_SC-12, FedRAMP_Moderate_R4_SC-12, NIST_SP_800-171_R2_3.13.10, NIST_SP_800-53_R4_SC-12, NIST_SP_800-53_R5_SC-12, RMiT_v1.0_10.53 |
GA | BuiltIn | |
Event Hub | Event Hub | b8564268-eb4a-4337-89be-a19db070c59d | Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (1) •Microsoft.EventHub/namespaces/privateEndpointConnections/privateLinkServiceConnectionState.status |
IF (1) •Microsoft.EventHub/namespaces |
count: 036 CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L2-3.1.12, CMMC_2.0_L2_AC.L2-3.1.13, CMMC_2.0_L2_AC.L2-3.1.14, CMMC_2.0_L2_AC.L2-3.1.3, CMMC_2.0_L2_SC.L1-3.13.1, CMMC_2.0_L2_SC.L1-3.13.5, CMMC_2.0_L2_SC.L2-3.13.2, FedRAMP_High_R4_AC-17, FedRAMP_High_R4_AC-17(1), FedRAMP_High_R4_AC-4, FedRAMP_High_R4_SC-7, FedRAMP_High_R4_SC-7(3), FedRAMP_Moderate_R4_AC-17, FedRAMP_Moderate_R4_AC-17(1), FedRAMP_Moderate_R4_AC-4, FedRAMP_Moderate_R4_SC-7, FedRAMP_Moderate_R4_SC-7(3), NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.12, NIST_SP_800-171_R2_3.1.13, NIST_SP_800-171_R2_3.1.14, NIST_SP_800-171_R2_3.1.3, NIST_SP_800-171_R2_3.13.1, NIST_SP_800-171_R2_3.13.2, NIST_SP_800-171_R2_3.13.5, NIST_SP_800-53_R4_AC-17, NIST_SP_800-53_R4_AC-17(1), NIST_SP_800-53_R4_AC-4, NIST_SP_800-53_R4_SC-7, NIST_SP_800-53_R4_SC-7(3), NIST_SP_800-53_R5_AC-17, NIST_SP_800-53_R5_AC-17(1), NIST_SP_800-53_R5_AC-4, NIST_SP_800-53_R5_SC-7, NIST_SP_800-53_R5_SC-7(3) |
GA | BuiltIn | |
Event Hub | Event Hub | 83a214f7-d01a-484b-91a9-ed54470c9a6a | Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | THEN-ExistenceCondition (5) •Microsoft.Insights/diagnosticSettings/logs.enabled •Microsoft.Insights/diagnosticSettings/logs[*] •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days •Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled •Microsoft.Insights/diagnosticSettings/storageAccountId |
IF (1) •Microsoft.EventHub/namespaces |
count: 028 Azure_Security_Benchmark_v1.0_2.3, Azure_Security_Benchmark_v2.0_LT-4, Azure_Security_Benchmark_v3.0_LT-3, CIS_Azure_1.3.0_5.3, CIS_Azure_1.4.0_5.3, CMMC_2.0_L2_AU.L2-3.3.1, CMMC_2.0_L2_AU.L2-3.3.2, FedRAMP_High_R4_AU-12, FedRAMP_High_R4_AU-12(1), FedRAMP_High_R4_AU-6(4), FedRAMP_High_R4_AU-6(5), FedRAMP_Moderate_R4_AU-12, hipaa-1207.09aa2System.4-09.aa, NIST_SP_800-171_R2_3.3.1, NIST_SP_800-171_R2_3.3.2, NIST_SP_800-53_R4_AU-12, NIST_SP_800-53_R4_AU-12(1), NIST_SP_800-53_R4_AU-6(4), NIST_SP_800-53_R4_AU-6(5), NIST_SP_800-53_R5_AU-12, NIST_SP_800-53_R5_AU-12(1), NIST_SP_800-53_R5_AU-6(4), NIST_SP_800-53_R5_AU-6(5), NZ_ISM_v3.5_AC-18, NZISM_Security_Benchmark_v1.1_AC-17, RBI_CSF_Banks_v2016_17.1, RMiT_v1.0_11.18, SWIFT_CSCF_v2021_6.4 |
GA | BuiltIn | |
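The Event Hub rows above list the alias each policy tests (disableLocalAuth, publicNetworkAccess, minimumTlsVersion, sku.name) and the effect it applies, but not the shape of the rule or how a namespace that never set the property is treated. The following is an added example, not part of this catalog and not Microsoft's policy engine: it reconstructs four of those rows as policyRule JSON and evaluates them over constructed namespace JSON with a small evaluator that follows the documented field/allOf/anyOf/not semantics. The alias-to-path mapping, the rule bodies and the three sample namespaces are assumptions made for the example. What it shows is that a negative operator such as notEquals is satisfied when the property is absent, so an older namespace that never set disableLocalAuth is flagged exactly like one that set it to false.

```python
"""Toy evaluator for Azure Policy-style rules over Event Hub namespace JSON.

Added example; it is not the catalog's content and not Microsoft's evaluator.
It models the documented policyRule semantics (field conditions combined with
allOf/anyOf/not) closely enough to show what the Audit/Deny rows test.
"""
import json

# Assumed alias -> JSON path mapping for the aliases used in the Event Hub rows.
# Azure resolves aliases itself; these paths follow the ARM shape of
# Microsoft.EventHub/namespaces (sku at the top level, the rest under properties).
ALIASES = {
    "Microsoft.EventHub/namespaces/disableLocalAuth": "properties.disableLocalAuth",
    "Microsoft.EventHub/namespaces/publicNetworkAccess": "properties.publicNetworkAccess",
    "Microsoft.EventHub/namespaces/minimumTlsVersion": "properties.minimumTlsVersion",
    "Microsoft.EventHub/namespaces/zoneRedundant": "properties.zoneRedundant",
    "Microsoft.EventHub/namespaces/sku.name": "sku.name",
}

MISSING = object()  # sentinel: the property is not present on the resource


def get_field(resource, field):
    """Resolve a policy 'field' (an alias or a plain path such as 'type') on a resource dict."""
    node = resource
    for part in ALIASES.get(field, field).split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def matches(cond, resource):
    """True when the condition holds; for a policy 'if' block that means non-compliant."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not MISSING) == bool(cond["exists"])
    # Negative operators are satisfied by an absent property: a namespace that never
    # set disableLocalAuth is "notEquals true" and is therefore flagged.
    if "equals" in cond:
        return value is not MISSING and value == cond["equals"]
    if "notEquals" in cond:
        return value is MISSING or value != cond["notEquals"]
    if "in" in cond:
        return value is not MISSING and value in cond["in"]
    if "notIn" in cond:
        return value is MISSING or value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def _ns_rule(field, operator, expected, effect):
    """Build the policyRule shape used by single-alias definitions (assumed, not copied from Azure)."""
    return {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.EventHub/namespaces"},
            {"field": field, operator: expected},
        ]},
        "then": {"effect": effect},
    }


# Reconstructed rules for four rows of the table; the effect is each row's default.
POLICIES = {
    "local-auth-disabled": _ns_rule("Microsoft.EventHub/namespaces/disableLocalAuth", "notEquals", True, "Audit"),
    "public-network-disabled": _ns_rule("Microsoft.EventHub/namespaces/publicNetworkAccess", "notEquals", "Disabled", "Deny"),
    "minimum-tls-1.2": _ns_rule("Microsoft.EventHub/namespaces/minimumTlsVersion", "notEquals", "1.2", "Deny"),
    "no-basic-sku": _ns_rule("Microsoft.EventHub/namespaces/sku.name", "equals", "Basic", "Deny"),
}

# Constructed sample namespaces (not real resources), shaped like their ARM JSON.
NAMESPACES = [
    {"name": "eh-prod", "type": "Microsoft.EventHub/namespaces", "sku": {"name": "Premium"},
     "properties": {"disableLocalAuth": True, "publicNetworkAccess": "Disabled",
                    "minimumTlsVersion": "1.2", "zoneRedundant": True}},
    {"name": "eh-dev", "type": "Microsoft.EventHub/namespaces", "sku": {"name": "Basic"},
     "properties": {"disableLocalAuth": False, "publicNetworkAccess": "Enabled",
                    "minimumTlsVersion": "1.0", "zoneRedundant": False}},
    # Older namespace that never set disableLocalAuth or minimumTlsVersion at all.
    {"name": "eh-legacy", "type": "Microsoft.EventHub/namespaces", "sku": {"name": "Standard"},
     "properties": {"publicNetworkAccess": "Enabled"}},
]


def evaluate(resource, policies=POLICIES):
    """Map each matching policy to its effect: Audit marks non-compliant, Deny would reject the request."""
    return {name: rule["then"]["effect"]
            for name, rule in policies.items() if matches(rule["if"], resource)}


def report(resources=NAMESPACES, policies=POLICIES):
    """Evaluate every resource; an empty dict means the resource passes all rules."""
    return {r["name"]: evaluate(r, policies) for r in resources}


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Running it shows eh-prod clean, eh-dev failing all four rules, and eh-legacy flagged under the local-auth and TLS rules although it carries no explicit value for either property. Keep in mind what the effect column does with a match: Audit only marks an existing resource non-compliant in the compliance scan, and Deny rejects a create or update request; neither changes a namespace that is already deployed, which is what the Modify and DeployIfNotExists rows above are for.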
Fluid Relay | Fluid Relay | 46388f67-373c-4018-98d3-2b83172dd13a | Fluid Relay should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Fluid Relay server. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. Learn more at https://docs.microsoft.com/azure/azure-fluid-relay/concepts/customer-managed-keys. | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.FluidRelay/fluidRelayServers/encryption.customerManagedKeyEncryption |
IF (1) •Microsoft.FluidRelay/fluidRelayServers |
GA | BuiltIn | ||
General | General | c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 | [Deprecated]: Allow resource creation only in Asia data centers | Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West | Fixed Deny | Deprecated | BuiltIn | ||||
General | General | 94c19f19-8192-48cd-a11b-e37099d3e36b | [Deprecated]: Allow resource creation only in European data centers | Allows resource creation in the following locations only: North Europe, West Europe | Fixed Deny | Deprecated | BuiltIn | ||||
General | General | 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 | [Deprecated]: Allow resource creation only in India data centers | Allows resource creation in the following locations only: West India, South India, Central India | Fixed Deny | Deprecated | BuiltIn | ||||
General | General | 983211ba-f348-4758-983b-21fa29294869 | [Deprecated]: Allow resource creation only in United States data centers | Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US | Fixed Deny | Deprecated | BuiltIn | ||||
General | General | 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9 | [Deprecated]: Custom subscription owner roles should not exist | This policy is deprecated. | Default Audit Allowed Audit, Disabled | IF (4) •Microsoft.Authorization/roleDefinitions/assignableScopes[*] •Microsoft.Authorization/roleDefinitions/permissions.actions[*] •Microsoft.Authorization/roleDefinitions/permissions[*].actions[*] •Microsoft.Authorization/roleDefinitions/type |
IF (1) •Microsoft.Authorization/roleDefinitions |
count: 001 Azure_Security_Benchmark_v2.0_PA-7 |
Deprecated | BuiltIn | |
General | General | e56962a6-4747-49cd-b67b-bf8b01975c4c | Allowed locations | This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. | Fixed deny | IF (1) •Microsoft.AzureActiveDirectory/b2cDirectories |
GA | BuiltIn | |||
General | General | e765b5de-1225-4ba3-bd56-1ac6695af988 | Allowed locations for resource groups | This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. | Fixed deny | IF (1) •Microsoft.Resources/subscriptions/resourceGroups |
GA | BuiltIn | |||
General | General | a08ec900-254a-4555-9bf5-e42af04b5c5c | Allowed resource types | This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. | Fixed deny | GA | BuiltIn | ||||
General | General | 0a914e76-4921-4c19-b460-a2d36003525a | Audit resource location matches resource group location | Audit that the resource location matches its resource group location | Fixed audit | count: 001 RMiT_v1.0_10.49 |
GA | BuiltIn | |||
General | General | a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Default Audit Allowed Audit, Disabled | IF (1) •Microsoft.Authorization/roleDefinitions/type |
IF (1) •Microsoft.Authorization/roleDefinitions |
count: 046 Azure_Security_Benchmark_v1.0_4.6, Azure_Security_Benchmark_v2.0_PA-7, Azure_Security_Benchmark_v3.0_PA-7, CMMC_2.0_L2_AC.L1-3.1.1, CMMC_2.0_L2_AC.L1-3.1.2, CMMC_2.0_L2_AC.L2-3.1.5, CMMC_L3_AC.3.018, FedRAMP_High_R4_AC-2, FedRAMP_High_R4_AC-2(7), FedRAMP_High_R4_AC-6, FedRAMP_High_R4_AC-6(7), FedRAMP_Moderate_R4_AC-2, FedRAMP_Moderate_R4_AC-2(7), FedRAMP_Moderate_R4_AC-6, hipaa-1148.01c2System.78-01.c, hipaa-1230.09c2Organizational.1-09.c, IRS_1075_9.3.1.2, ISO27001-2013_A.9.2.3, NIST_SP_800-171_R2_3.1.1, NIST_SP_800-171_R2_3.1.2, NIST_SP_800-171_R2_3.1.5, NIST_SP_800-53_R4_AC-2, NIST_SP_800-53_R4_AC-2(7), NIST_SP_800-53_R4_AC-6, NIST_SP_800-53_R4_AC-6(7), NIST_SP_800-53_R5_AC-2, NIST_SP_800-53_R5_AC-2(7), NIST_SP_800-53_R5_AC-6, NIST_SP_800-53_R5_AC-6(7), NZ_ISM_v3.5_AC-18, NZISM_Security_Benchmark_v1.1_AC-17, PCI_DSS_V3.2.1_3.2, PCI_DSS_V3.2.1_7.2.1, PCI_DSS_V3.2.1_8.3.1, PCI_DSS_v4.0_3.3.3, PCI_DSS_v4.0_7.3.1, PCI_DSS_v4.0_8.4.1, RBI_CSF_Banks_v2016_8.1, RBI_CSF_Banks_v2016_8.5, RBI_CSF_Banks_v2016_8.8, RBI_ITF_NBFC_v2017_3.1.a, RBI_ITF_NBFC_v2017_3.1.f, RMiT_v1.0_10.55, RMiT_v1.0_10.60, RMiT_v1.0_10.62, SOC_2_CC6.3 |
GA | BuiltIn | |
General | General | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 | Not allowed resource types | Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. | Default Deny Allowed Audit, Deny, Disabled | count: 001 RMiT_v1.0_11.4 |
GA | BuiltIn | |||
Guest Configuration | Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | IF (5) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/provisioningState •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines |
Deprecated | BuiltIn | ||
Guest Configuration | Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | IF (5) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType THEN-ExistenceCondition (3) •Microsoft.Compute/virtualMachines/extensions/provisioningState •Microsoft.Compute/virtualMachines/extensions/publisher •Microsoft.Compute/virtualMachines/extensions/type |
IF (1) •Microsoft.Compute/virtualMachines |
Deprecated | BuiltIn | ||
Guest Configuration | Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 4d1c04de-2172-403f-901b-90608c35c721 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 884b209a-963b-4520-8006-d20cb3c213e0 | [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 7a031c68-d6ab-406e-a506-697a19c634b0 | [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled | This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines | | Deprecated | BuiltIn |
Guest Configuration | Guest Configuration | 144f1397-32f9-4598-8c88-118decc3ccba | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 93507a81-10a4-4af0-9ee2-34cf25a96e98 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | b821191b-3a12-44bc-9c38-212138a29ff3 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 68511db2-bd02-41c4-ae6b-1900a012968a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 32b1e4d4-6cd5-47b4-a935-169da8a5c262 | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d | [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines |
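Every "Deploy prerequisites" row above is a deprecated deployIfNotExists definition whose remediation identity is granted Contributor at the assignment scope, so the practical question for an operator is which of these GUIDs are still referenced by live assignments. The script below is an added example, not code from this catalog or from Microsoft: it parses rows in the pipe-delimited layout used on this page (both the one-line and the split, multi-line form) into records, then cross-checks a list of assignments against the Deprecated ones. SAMPLE_CATALOG is abridged from two rows on this page (descriptions shortened, one alias list cut down); SAMPLE_ASSIGNMENTS is constructed to resemble `az policy assignment list -o json` output (only the `name`, `scope` and `policyDefinitionId` fields are used), with a placeholder subscription ID and a placeholder second definition GUID.

```python
"""Parse this page's flattened policy-catalog rows and flag assignments that
still point at Deprecated definitions. Added example; not catalog or vendor code.
SAMPLE_CATALOG is abridged from two rows on the page; SAMPLE_ASSIGNMENTS is a
constructed stand-in for `az policy assignment list -o json` (placeholder scope
and placeholder second GUID)."""
from __future__ import annotations

import re
from dataclasses import dataclass

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
STATES = {"GA", "Preview", "Deprecated"}


@dataclass
class PolicyRow:
    category: str
    definition_id: str
    display_name: str
    description: str
    effect: str
    roles: list[str]
    rule_aliases: str = ""
    rule_resource_types: str = ""
    state: str = ""


def _cells(line: str) -> list[str]:
    """Split one pipe-delimited line into trimmed cells."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_catalog(text: str) -> list[PolicyRow]:
    """A record starts on a line whose third cell is the definition GUID; lines
    without such a GUID (aliases, resource types, state) continue the record."""
    records: list[list[str]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cells = _cells(raw)
        if len(cells) >= 7 and GUID_RE.match(cells[2]):
            records.append(cells)
        elif records:
            records[-1].extend(cells)
    rows = []
    for cells in records:
        rest = cells[7:]
        if_cells = [c for c in rest if c.startswith("IF (")]
        rows.append(PolicyRow(
            category=cells[0],
            definition_id=cells[2].lower(),
            display_name=cells[3],
            description=cells[4],
            effect=cells[5],
            # "count: 1 •Contributor" -> ["Contributor"]; role names may contain spaces
            roles=[r.strip() for r in cells[6].split("•")[1:] if r.strip()],
            rule_aliases=if_cells[0] if if_cells else "",
            rule_resource_types=if_cells[1] if len(if_cells) > 1 else "",
            state=next((c for c in rest if c in STATES), ""),
        ))
    return rows


def is_deploy_if_not_exists(row: PolicyRow) -> bool:
    return "deployifnotexists" in row.effect.lower()


def flag_deprecated_assignments(assignments: list[dict], rows: list[PolicyRow]) -> list[dict]:
    """One finding per assignment whose definition is Deprecated. Built-in IDs
    look like /providers/Microsoft.Authorization/policyDefinitions/<guid>."""
    by_id = {r.definition_id: r for r in rows}
    findings = []
    for a in assignments:
        guid = a["policyDefinitionId"].rsplit("/", 1)[-1].lower()
        row = by_id.get(guid)
        if row is None or row.state != "Deprecated":
            continue
        findings.append({
            "assignment": a["name"],
            "scope": a["scope"],
            "definition_id": guid,
            "display_name": row.display_name,
            "effect": row.effect,
            # a deployIfNotExists assignment's managed identity holds this role at the scope
            "identity_needs_contributor": is_deploy_if_not_exists(row) and "Contributor" in row.roles,
        })
    return findings


SAMPLE_CATALOG = """
Guest Configuration | Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. | Fixed deployIfNotExists | count: 1 •Contributor |
IF (6) •Microsoft.Compute/imageOffer •Microsoft.Compute/imagePublisher •Microsoft.Compute/imageSKU •Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration •Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType •Microsoft.HybridCompute/imageOffer THEN-ExistenceCondition (1) •Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash |
IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines THEN-Deployment (3) •Microsoft.Compute/virtualMachines •Microsoft.Compute/virtualMachines/extensions •Microsoft.hybridcompute/machines |
Deprecated | BuiltIn | |
Guest Configuration | Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. | Fixed deployIfNotExists | count: 1 •Contributor | IF (6) •Microsoft.Compute/imageOffer •Microsoft.HybridCompute/imageOffer | IF (2) •Microsoft.Compute/virtualMachines •Microsoft.HybridCompute/machines | | Deprecated | BuiltIn |
"""

SAMPLE_ASSIGNMENTS = [  # constructed; placeholder scope, second GUID is not a real definition
    {"name": "audit-win-firewall-prereq",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9"},
    {"name": "unrelated-policy",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11111111-1111-1111-1111-111111111111"},
]

if __name__ == "__main__":
    for f in flag_deprecated_assignments(SAMPLE_ASSIGNMENTS, parse_catalog(SAMPLE_CATALOG)):
        print(f"{f['assignment']} @ {f['scope']}: {f['display_name']} "
              f"(identity holds Contributor: {f['identity_needs_contributor']})")
```

To use it against a real tenant, paste the catalog rows into SAMPLE_CATALOG (or read them from a file) and replace SAMPLE_ASSIGNMENTS with the JSON from `az policy assignment list -o json`. A flagged assignment means a system-assigned identity with Contributor at that scope is still being maintained for a definition Microsoft has retired; when you remove the assignment, check that the role assignment granted to its identity is removed as well.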