last sync: 2023-Dec-04 18:38:36 UTC

Changes on Azure Policy definitions

Category Id DisplayName Description Effect Roles used Subject Change Date (UTC ymd) (i) Type
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2023-12-04 18:38:36 BuiltIn
Security Center 308fbb08-4ab8-4e67-9b29-592e93fb94fa [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (1.0.4 > 1.1.0-deprecated) 2023-12-04 18:38:36 BuiltIn
Event Grid 67dcad1a-ec60-45df-8fd0-14c9d29eeaa2 Azure Event Grid namespaces should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-17 19:29:28 BuiltIn
Event Grid cd8f7644-6fe8-4516-bded-0e465ead03ac Azure Event Grid namespace MQTT broker should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-11-17 19:29:28 BuiltIn
Azure Arc 4c660f31-eafb-408d-a2b3-6ed2260bd26c [Preview]: Deny Extended Security Updates (ESUs) license creation or modification. This policy enables you to restrict the creation or modification of ESU licenses for Windows Server 2012 Arc machines. For more details on pricing please visit https://aka.ms/ArcWS2012ESUPricing Default
Deny
Allowed
Deny, Disabled
add
new Policy 2023-11-17 19:29:28 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-11-17 19:29:28 BuiltIn
Guest Configuration ec2c1bce-5ad3-4b07-bb4f-e041410cd8db [Preview]: Nexus Compute Machines should meet Security Baseline Utilizes the Azure Policy Guest Configuration agent for auditing. This policy ensures that machines adhere to the Nexus compute security baseline, encompassing various recommendations designed to fortify machines against a range of vulnerabilities and unsafe configurations (Linux only). Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-11-17 19:29:28 BuiltIn
Service Bus cfb11c26-f069-4c14-8e36-56c394dae5af Azure Service Bus namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Event Grid 1301a000-bc6b-4d90-8414-7091e3abdc40 Azure Event Grid namespace topic broker should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-11-17 19:29:28 BuiltIn
Azure Arc 4864134f-d306-4ff5-94d8-ea4553b18c97 [Preview]: Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended. Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected even after their support lifecycle has ended. Learn How to prepare to deliver Extended Security Updates for Windows Server 2012 through AzureArc please visit https://learn.microsoft.com/en-us/azure/azure-arc/servers/prepare-extended-security-updates. For more details on pricing please visit https://aka.ms/ArcWS2012ESUPricing Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Guest Configuration Resource Contributor
Hybrid Server Resource Administrator
add
new Policy 2023-11-17 19:29:28 BuiltIn
Event Hub 5d4e3c65-4873-47be-94f3-6f8b953a3598 Azure Event Hub namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
SQL b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 A Microsoft Entra administrator should be provisioned for PostgreSQL servers Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Event Grid cddcbb7e-a7b1-4380-b4d8-45cf77b0d561 Configure Azure Event Grid namespace MQTT broker with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
EventGrid Contributor
Network Contributor
add
new Policy 2023-11-17 19:29:28 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, old suffix: preview (1.2.0-preview > 1.2.1) 2023-11-17 19:29:28 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-11-17 19:29:28 BuiltIn
Security Center cbdd12e1-193a-445c-9926-560118c6daaa Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, old suffix: preview (1.0.1-preview > 1.0.2) 2023-11-17 19:29:28 BuiltIn
Service Bus 910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e Configure Azure Service Bus namespaces to disable local authentication Disable local authentication methods so that your Azure ServiceBus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. Default
Modify
Allowed
Modify, Disabled
count: 001
Azure Service Bus Data Owner
change
Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, old suffix: preview (1.3.0-preview > 1.3.1) 2023-11-17 19:29:28 BuiltIn
Event Hub 57f35901-8389-40bb-ac49-3ba4f86d889d Configure Azure Event Hub namespaces to disable local authentication Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default
Modify
Allowed
Modify, Disabled
count: 001
Azure Event Hubs Data Owner
change
Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
SQL 40e85574-ef33-47e8-a854-7a65c7500560 Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, old suffix: preview (1.1.1-preview > 1.1.2) 2023-11-17 19:29:28 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, old suffix: preview (1.3.0-preview > 1.3.1) 2023-11-17 19:29:28 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-11-17 19:29:28 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, old suffix: preview (1.1.0-preview > 1.1.1) 2023-11-17 19:29:28 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, old suffix: preview (1.3.0-preview > 1.3.1) 2023-11-17 19:29:28 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, old suffix: preview (1.3.0-preview > 1.3.1) 2023-11-17 19:29:28 BuiltIn
SQL 146412e9-005c-472b-9e48-c87b72ac229e A Microsoft Entra administrator should be provisioned for MySQL servers Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.1.0 > 1.1.1) 2023-11-17 19:29:28 BuiltIn
Event Grid 2b21ce34-9c45-4037-9c84-0ac0dbd0095f Configure Azure Event Grid namespaces with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
EventGrid Contributor
Network Contributor
add
new Policy 2023-11-17 19:29:28 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch, old suffix: preview (1.1.1-preview > 1.1.2) 2023-11-17 19:29:28 BuiltIn
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Deprecated]: Configure Microsoft Defender for APIs should be enabled This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch, suffix remains equal (1.0.2-deprecated > 1.0.3-deprecated) 2023-11-14 18:14:48 BuiltIn
General e624c84f-2923-4437-9fd9-4115c6da3888 Configure subscriptions to set up preview features This policy evaluates existing subscription's preview features. Subscriptions can be remediated to register to a new preview feature. New subscriptions will not be automatically registered. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-11-14 18:14:48 BuiltIn
Kubernetes ca8d5704-aa2b-40cf-b110-dc19052825ad Kubernetes clusters should minimize wildcard use in role and cluster role Using wildcards '*' can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-11-14 18:14:48 BuiltIn
SQL Server f692cc79-76fb-4c61-8861-467e454ac6f8 Subscribe eligible Arc-enabled SQL Servers instances to Extended Security Updates. Subscribe eligible Arc-enabled SQL Servers instances with License Type set to Paid or PAYG to Extended Security Updates. More on extended security updates https://go.microsoft.com/fwlink/?linkid=2239401. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Extension for SQL Server Deployment
Reader
add
new Policy 2023-11-14 18:14:48 BuiltIn
Security Center 9c0aa188-e5fe-4569-8f74-b6e155624d9a [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center aba46665-c3a7-4319-ace1-a0282deebac2 [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center 30f52897-df47-4ca0-81a8-a3be3e8dd226 [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) 2023-11-08 19:40:08 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (1.0.3 > 1.0.4) 2023-11-08 19:40:08 BuiltIn
Security Center 3b1a8e0a-b2e1-48be-9365-28be2fbef550 [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center c15c5978-ab6e-4599-a1c3-90a7918f5371 [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center c9ae938d-3d6f-4466-b7c3-351761d9c890 [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (3.0.0-deprecated > 3.0.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, suffix remains equal (5.2.0-deprecated > 5.2.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center 8ac833bd-f505-48d5-887e-c993a1d3eea0 API endpoints in Azure API Management should be authenticated API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-11-06 19:40:47 BuiltIn
Resilience d3ee5dcf-0c6d-49ab-aee4-f250583a7bdc [Preview]: Service Bus should be Zone Redundant Service Bus can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for a Service Bus, it means it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for Service Bus instances. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Resilience 1bf67da8-b100-45bf-b89d-e4669fc54411 [Preview]: Azure Cache for Redis should be Zone Redundant Azure Cache for Redis can be configured to be Zone Redundant or not. Azure Cache for Redis instances with fewer than 2 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis instances lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Kubernetes 5c345cdf-2049-47e0-b8fe-b0e96bc2df35 Azure Kubernetes Service Clusters should enable cluster auto-upgrade AKS cluster auto-upgrade can ensure your clusters are up to date and don't miss the latest features or patches from AKS and upstream Kubernetes. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-cluster. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Security Center 7926a6d1-b268-4586-8197-e8ae90c877d7 Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, old suffix: preview (1.0.2-preview > 1.0.3) 2023-11-06 19:40:47 BuiltIn
Resilience 9d2b0a20-57d6-474c-9d12-44a4a20999c6 [Preview]: Container Registry should be Zone Redundant Container Registry can be configured to be Zone Redundant or not. When the zoneRedundancy property for a Container Registry is set to 'Disabled', it means the registry is not Zone Redundant. Enforcing this policy helps ensure that your Container Registry is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
SQL c9299215-ae47-4f50-9c54-8a392f68a052 Public network access should be disabled for MySQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-11-06 19:40:47 BuiltIn
Security Center c8acafaf-3d23-44d1-9624-978ef0f8652c API endpoints that are unused should be disabled and removed from the Azure API Management service As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up to date security coverage. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-11-06 19:40:47 BuiltIn
Resilience 85b005b2-95fc-4953-b9cb-f9ee6427c754 [Preview]: Storage Accounts should be Zone Redundant Storage Accounts can be configured to be Zone Redundant or not. If a Storage Account's SKU name does not end with 'ZRS' or its kind is 'Storage,' it is not Zone Redundant. This policy ensures that your Storage Accounts use ae Zone Redundant configuration. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Kubernetes a3dc4946-dba6-43e6-950d-f96532848c9f Kubernetes clusters should ensure that the cluster-admin role is only used where required The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Resilience cbe58ab0-07a8-43ea-9ccc-8ea33e4d6aa5 [Preview]: Azure Data Explorer Clusters should be Zone Redundant Azure Data Explorer Clusters can be configured to be Zone Redundant or not. An Azure Data Explorer Cluster is considered Zone Redundant if it has at least two entries in its zones array. This policy helps ensure the your Azure Data Explorer Clusters are Zone Redundant. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Resilience 42daa904-5969-47ef-92cb-b75df946195a [Preview]: API Management Service should be Zone Redundant API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if it's sku name is 'Premium' and it has at least two entries in it's zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Resilience 408934a8-941a-4c1e-ba88-dd035d9688f4 [Preview]: Azure Cache for Redis Enterprise & Flash should be Zone Redundant Azure Cache for Redis Enterprise & Flash can be configured to be Zone Redundant or not. Azure Cache for Redis Enterprise & Flash instances with fewer than 3 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis Enterprise & Flash instances lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-11-06 19:40:47 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center aba46665-c3a7-4319-ace1-a0282deebac2 [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud's updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) 2023-10-31 19:02:40 BuiltIn
SQL Server 7148a409-0d59-4baa-925b-b3aae486a14e [Preview]: Enable system-assigned identity to SQL VM Enable system-assigned identity at scale to SQL virtual machines. You need to assign this policy at subscription level. Assigning it at resource group level will not work as expected. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
add
new Policy 2023-10-31 19:02:40 BuiltIn
Kubernetes 40f1aee2-4db4-4b74-acb1-c6972e24cca8 Configure Node OS Auto upgrade on Azure Kubernetes Cluster Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (1.0.0 > 1.0.1) 2023-10-31 19:02:40 BuiltIn
Resilience d3903bdf-ab85-4cce-85d3-2934d77629d4 [Preview]: Virtual Machine Scale Sets should be Zone Resilient Virtual Machine Scale Sets can be configured to be either Zone Aligned, Zone Redundant, or neither. Virtual Machine Scale Sets that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Virtual Machine Scale Sets with 3 or more entries in their zones array and a capacity of at least 3 are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-31 19:02:40 BuiltIn
Security Center 9c0aa188-e5fe-4569-8f74-b6e155624d9a [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud's updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) 2023-10-31 19:02:40 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and a Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-10-31 19:02:40 BuiltIn
Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (4.0.0 > 4.0.1) 2023-10-31 19:02:40 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Synapse c3624673-d2ff-48e0-b28c-5de1c6767c3c Configure Synapse Workspaces to use only Microsoft Entra identities for authentication Microsoft Entra-only authentication improves security by ensuring that Synapse Workspaces exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/Synapse. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2023-10-31 19:02:40 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Improve cluster security by centrally governing Administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (2.0.3 > 2.0.4) 2023-10-31 19:02:40 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and a Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance security by rejecting invoke-command access to the cluster. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (1.0.2 > 1.0.3) 2023-10-31 19:02:40 BuiltIn
Resilience 44c5a1f9-7ef6-4c38-880c-273e8f7a3c24 [Preview]: Cosmos Database Accounts should be Zone Redundant Cosmos Database Accounts can be configured to be Zone Redundant or not. If 'enableMultipleWriteLocations' is set to 'true' then all locations must have an 'isZoneRedundant' property and it must be set to 'true'. If 'enableMultipleWriteLocations' is set to 'false' then the primary location ('failoverPriority' set to 0) must have an 'isZoneRedundant' property and it must be set to 'true'. Enforcing this policy ensures Cosmos Database Accounts are appropriately configured for zone redundancy. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-31 19:02:40 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) 2023-10-31 19:02:40 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.3.0-preview > 6.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents customers from applying bad Pod Disruption Budgets. This policy relies on Gatekeeper data replication, and all ingress resources scoped to this policy will be synced into OPA. Please verify that the ingress resources being synced won't overwhelm your memory capacity prior to assigning this policy. The policy parameters will evaluate only certain namespaces, but all resources of that kind in all namespaces will get synced. This policy is in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-31 19:02:40 BuiltIn
Kubernetes 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-31 19:02:40 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Kubernetes b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 [Preview]: Kubernetes cluster services should use unique selectors Ensure that Services in a namespace have unique selectors. This policy relies on Gatekeeper data replication and syncs all ingress resources into OPA. Prior to applying this policy, please confirm that syncing ingress resources won't exceed your memory capacity. The policy parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. This policy is currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-31 19:02:40 BuiltIn
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Deprecated]: Configure Microsoft Defender for APIs should be enabled This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs; additional steps, available through the Defender for Cloud platform, are required to complete onboarding. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.0.2-preview > 1.0.2-deprecated) 2023-10-31 19:02:40 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (1.0.2 > 1.0.3) 2023-10-31 19:02:40 BuiltIn
Security Center 3b1a8e0a-b2e1-48be-9365-28be2fbef550 [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud's updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud's updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (5.2.0-preview > 5.2.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center 30f52897-df47-4ca0-81a8-a3be3e8dd226 [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud's updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center c9ae938d-3d6f-4466-b7c3-351761d9c890 [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud's updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-10-31 19:02:40 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.3.0-preview > 6.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center c15c5978-ab6e-4599-a1c3-90a7918f5371 [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud's updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) 2023-10-31 19:02:40 BuiltIn
SQL 78215662-041e-49ed-a9dd-5385911b3a1f Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled Disabling local authentication methods and allowing only Microsoft Entra authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Microsoft Entra identities. Learn more at: aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-10-31 19:02:40 BuiltIn
Resilience 42f4f3a2-7d20-4c13-a05d-01857a626c22 [Preview]: Virtual Machines should be Zone Aligned Virtual Machines can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-31 19:02:40 BuiltIn
Synapse 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 Synapse Workspaces should use only Microsoft Entra identities for authentication Microsoft Entra-only authentication improves security by ensuring that Synapse Workspaces exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/Synapse. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-10-31 19:02:40 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud's updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (3.0.0-preview > 3.0.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-10-31 19:02:40 BuiltIn
SQL abda6d70-9778-44e7-84a8-06713e6db027 Azure SQL Database should have Microsoft Entra-only authentication enabled Disabling local authentication methods and allowing only Microsoft Entra authentication improves security by ensuring that Azure SQL Databases can exclusively be accessed by Microsoft Entra identities. Learn more at: aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-10-31 19:02:40 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-10-31 19:02:40 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Improve cluster security by centrally governing Administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (2.0.1 > 2.0.3) 2023-10-23 17:41:36 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance security by rejecting invoke-command access to the cluster. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (1.0.1 > 1.0.2) 2023-10-23 17:41:36 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch (1.0.0 > 1.0.2) 2023-10-23 17:41:36 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch, suffix remains equal (1.0.1-preview > 1.0.3-preview) 2023-10-23 17:41:36 BuiltIn
General 78460a36-508a-49a4-b2b2-2f5ec564f4bb [Preview]: Do not allow deletion of resource types This policy enables you to specify the resource types that your organization can protect from accidental deletion by blocking delete calls using the deny action effect. Default
DenyAction
Allowed
DenyAction, Disabled
add
new Policy 2023-10-23 17:41:36 BuiltIn
Kubernetes 450d2877-ebea-41e8-b00c-e286317d21bf Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-10-23 17:41:36 BuiltIn
Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.1.0 > 2.2.0) 2023-10-23 17:41:36 BuiltIn
Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Windows machines should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (4.1.0 > 4.1.1) 2023-10-16 18:01:34 BuiltIn
Guest Configuration 828ba269-bf7f-4082-83dd-633417bc391d Configure secure communication protocols (TLS 1.1 or TLS 1.2) on Windows machines Creates a Guest Configuration assignment to configure the specified secure protocol version (TLS 1.1 or TLS 1.2) on Windows machines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.0.0 > 1.0.1) 2023-10-16 18:01:34 BuiltIn
Internet of Things 43c323f6-0329-4f7c-a19a-6e5a5690d042 Azure Device Update accounts should use customer-managed key to encrypt data at rest Encryption of data at rest in Azure Device Update with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Learn more at: https://learn.microsoft.com/azure/iot-hub-device-update/device-update-data-encryption. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-10-16 18:01:34 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-10-16 18:01:34 BuiltIn
Machine Learning a10ee784-7409-4941-b091-663697637c0f Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Patch (1.0.2 > 1.0.3) 2023-10-09 18:04:57 BuiltIn
Network Audit-PrivateLinkDnsZones Audit the creation of Private Link Private DNS Zones This policy audits the creation of Private Link Private DNS Zones in the current scope; it is used in combination with policies that create centralized private DNS in the connectivity subscription. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-10-05 18:01:59 ALZ
App Configuration b08ab3ca-1062-4db3-8803-eec9cae605d6 App Configuration stores should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-09-27 17:59:47 BuiltIn
SQL Deploy-SQL-minTLS SQL servers deploys a specific min TLS version requirement. Deploys a specific min TLS version requirement and enforces SSL on SQL servers. Enforcing a minimal TLS version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
SQL Server Contributor
change
Minor (1.0.0 > 1.1.0) 2023-09-27 17:59:47 ALZ
SQL Deploy-SqlMi-minTLS SQL managed instances deploy a specific min TLS version requirement. Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
SQL Managed Instance Contributor
change
Minor (1.0.0 > 1.2.0) 2023-09-27 17:59:47 ALZ
Monitoring DenyAction-ActivityLogs DenyAction implementation on Activity Logs This is a DenyAction implementation policy on Activity Logs. Fixed
denyAction
add
new Policy 2023-09-27 17:59:47 ALZ
Storage Deploy-Storage-sslEnforcement Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Storage Account Contributor
change
Minor (1.1.0 > 1.2.0) 2023-09-27 17:59:47 ALZ
SQL Deploy-PostgreSQL-sslEnforcement Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2023-09-27 17:59:47 ALZ
Monitoring DenyAction-DiagnosticLogs DenyAction implementation on Diagnostic Logs. DenyAction implementation on Diagnostic Logs. Fixed
denyAction
add
new Policy 2023-09-27 17:59:47 ALZ
App Configuration 72bc14af-4ab8-43af-b4e4-38e7983f9a1f Configure App Configuration stores to disable local authentication methods Disable local authentication methods so that your App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Patch (1.0.0 > 1.0.1) 2023-09-27 17:59:47 BuiltIn
Container Registry 84497762-32b6-4ab3-80b6-732ea48b85a2 Container registries should prevent cache rule creation Disable cache rule creation for your Azure Container Registry to prevent pull through cache pulls. Learn more at: https://aka.ms/acr/cache. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-09-27 17:59:47 BuiltIn
Monitoring Deploy-Diagnostics-CosmosDB Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2023-09-27 17:59:47 ALZ
SQL Deploy-MySQL-sslEnforcement Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2023-09-27 17:59:47 ALZ
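The five ALZ entries above (Deploy-SQL-minTLS, Deploy-SqlMi-minTLS, Deploy-Storage-sslEnforcement, Deploy-PostgreSQL-sslEnforcement, Deploy-MySQL-sslEnforcement) all follow the same DeployIfNotExists pattern: an `if` block selects the resource type, and an `existenceCondition` states what "compliant" means; when a matched resource fails that condition the assignment's managed identity runs a deployment that sets the property. The following is an added example, not code from the Azure Landing Zones repository or from Azure Policy: a small evaluator for the subset of the Azure Policy condition language those rules use, run against constructed resource documents. The two rule objects in it are constructed for the example and are not the ALZ rule text; the property names (minimalTlsVersion on Microsoft.Sql/servers, minimumTlsVersion and supportsHttpsTrafficOnly on Microsoft.Storage/storageAccounts) are the ARM property names. It assumes, as a minimum-TLS requirement on a server implies, that the existence condition is checked against the matched resource itself.

```python
"""Mini evaluator for Azure Policy-style conditions (added example, not ALZ code).

Implements field resolution plus equals/notEquals/in/notIn/exists/less/
lessOrEquals/greater/greaterOrEquals and allOf/anyOf/not, enough to show how
a DeployIfNotExists minimum-TLS policy decides that a resource needs
remediation. Sample rules and resources below are constructed for the example.
"""
from typing import Any

TOP_LEVEL_FIELDS = {"type", "name", "location", "kind"}


def get_field(resource: dict, field: str) -> Any:
    """Resolve a policy `field`. `type`/`name`/... are top level; an alias such as
    `Microsoft.Sql/servers/minimalTlsVersion` is the resource type followed by a
    dotted path into `properties` (e.g. `.../networkAcls.defaultAction`)."""
    if field in TOP_LEVEL_FIELDS:
        return resource.get(field)
    rtype = resource.get("type", "")
    if not field.lower().startswith(rtype.lower() + "/"):
        return None                       # alias belongs to another resource type
    node: Any = resource.get("properties", {})
    for part in field[len(rtype) + 1:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _norm(v: Any) -> Any:
    # Azure Policy compares strings case-insensitively.
    return v.lower() if isinstance(v, str) else v


def evaluate(cond: dict, resource: dict) -> bool:
    """Evaluate a condition: a logical operator or a single field test."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = _norm(get_field(resource, cond["field"]))
    if "exists" in cond:
        return (value is not None) == bool(cond["exists"])
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in [_norm(x) for x in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(x) for x in cond["notIn"]]
    for op in ("less", "lessOrEquals", "greater", "greaterOrEquals"):
        if op in cond:
            if value is None:             # an unset property never satisfies an ordering test
                return False
            target = _norm(cond[op])
            return {"less": value < target, "lessOrEquals": value <= target,
                    "greater": value > target, "greaterOrEquals": value >= target}[op]
    raise ValueError(f"unsupported condition: {cond}")


def needs_remediation(policy: dict, resource: dict) -> bool:
    """True when the resource matches the `if` block but fails the
    existenceCondition, i.e. when DeployIfNotExists would run its deployment.
    Out-of-scope resources are never evaluated and return False."""
    if not evaluate(policy["if"], resource):
        return False
    return not evaluate(policy["then"]["details"]["existenceCondition"], resource)


# Constructed sample rules in the shape of an Azure Policy rule (not the ALZ text).
SQL_MIN_TLS = {
    "if": {"field": "type", "equals": "Microsoft.Sql/servers"},
    "then": {"effect": "DeployIfNotExists", "details": {
        "type": "Microsoft.Sql/servers",
        "existenceCondition": {"field": "Microsoft.Sql/servers/minimalTlsVersion",
                               "greaterOrEquals": "1.2"}}},
}
STORAGE_TLS_HTTPS = {
    "if": {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    "then": {"effect": "DeployIfNotExists", "details": {
        "type": "Microsoft.Storage/storageAccounts",
        "existenceCondition": {"allOf": [
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "equals": "TLS1_2"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": True},
        ]}}},
}

# Constructed sample resources.
SQL_OLD = {"type": "Microsoft.Sql/servers", "name": "sql-a", "properties": {"minimalTlsVersion": "1.0"}}
SQL_OK = {"type": "Microsoft.Sql/servers", "name": "sql-b", "properties": {"minimalTlsVersion": "1.2"}}
SQL_UNSET = {"type": "Microsoft.Sql/servers", "name": "sql-c", "properties": {}}
STG_HTTP = {"type": "Microsoft.Storage/storageAccounts", "name": "stg-a",
            "properties": {"minimumTlsVersion": "TLS1_2", "supportsHttpsTrafficOnly": False}}

if __name__ == "__main__":
    for res in (SQL_OLD, SQL_OK, SQL_UNSET, STG_HTTP):
        for pol in (SQL_MIN_TLS, STORAGE_TLS_HTTPS):
            print(res["name"], pol["then"]["details"]["type"], needs_remediation(pol, res))
```

Two behaviours are worth noticing. A server whose minimalTlsVersion is unset is non-compliant, because an ordering test against a missing value is treated as failed; and the storage account with TLS 1.2 but HTTP still allowed is non-compliant because the `allOf` needs both properties, which is why the ALZ storage policy bundles the TLS floor with HTTPS-only enforcement.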
Kubernetes 40f1aee2-4db4-4b74-acb1-c6972e24cca8 Configure Node OS Auto upgrade on Azure Kubernetes Cluster Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
add
new Policy 2023-09-22 17:59:46 BuiltIn
Kubernetes 04408ca5-aa10-42ce-8536-98955cdddd4c Azure Kubernetes Service Clusters should enable node os auto-upgrade AKS node OS auto-upgrade controls node-level OS security updates. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-09-22 17:59:46 BuiltIn
App Service f493116f-3b7f-4ab3-bf80-0c2af35e46c2 Configure App Service app slots to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
App Service ec71c0bc-6a45-4b1f-9587-80dc83e6898c App Service app slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
Machine Learning a10ee784-7409-4941-b091-663697637c0f Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Patch (1.0.1 > 1.0.2) 2023-09-22 17:59:46 BuiltIn
App Service 871b205b-57cf-4e1e-a234-492616998bf7 App Service apps should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
App Service 847ef871-e2fe-4e6e-907e-4adbf71de5cf App Service app slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.3 > 1.0.4) 2023-09-22 17:59:46 BuiltIn
App Service aede300b-d67f-480a-ae26-4b3dfb1a1fdc App Service apps should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
App Service 2c034a29-2a5f-4857-b120-f800fe5549ae Configure App Service app slots to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
App Service 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 Configure App Service apps to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
Managed Identity fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f [Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners This policy limits federation with GitHub repos to only approved repository owners. Default
Audit
Allowed
Audit, Disabled, Deny
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-09-22 17:59:46 BuiltIn
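The policy above (fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f) limits federated credentials on user-assigned managed identities to approved GitHub repository owners; with Deny as the effect it blocks creation of a credential whose subject names any other owner. The following is an added example, not Microsoft's policy rule: the same check written as code so it can run in CI or before `az identity federated-credential create`. It assumes that GitHub Actions OIDC tokens are issued by https://token.actions.githubusercontent.com (GitHub Enterprise Cloud can append an enterprise slug to that issuer, which the prefix test accepts) and that their subject claim has the form `repo:<owner>/<repo>:<scope>` with scopes such as `ref:refs/heads/main`, `environment:prod` or `pull_request`. The credential documents and the approved owner `contoso` are constructed samples in the shape of a federatedIdentityCredentials resource (name, properties.issuer, properties.subject, properties.audiences).

```python
"""Approved-owner check for GitHub federated identity credentials (added example).

Mirrors the intent of the built-in policy: a credential whose GitHub subject
names a repository owner outside the allow list is rejected. Subjects that
cannot be parsed are rejected too, and the broad pull_request scope needs an
explicit opt-in. Sample credentials are constructed, not taken from a tenant.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# repo:<owner>/<repo>:<scope>; owner and repo names cannot contain '/' or ':'
SUBJECT_RE = re.compile(r"^repo:(?P<owner>[^/:]+)/(?P<repo>[^/:]+):(?P<scope>.+)$")


@dataclass(frozen=True)
class Verdict:
    credential: str
    allowed: bool
    reason: str


def parse_github_subject(subject: str) -> Optional[tuple]:
    """(owner, repo, scope) for a GitHub Actions subject claim, else None."""
    m = SUBJECT_RE.match(subject)
    return (m["owner"], m["repo"], m["scope"]) if m else None


def check_credential(cred: dict, approved_owners: Iterable[str],
                     allow_pull_request_scope: bool = False) -> Verdict:
    name = cred.get("name", "<unnamed>")
    props = cred.get("properties", {})
    issuer, subject = props.get("issuer", ""), props.get("subject", "")
    if not issuer.startswith(GITHUB_ISSUER):
        return Verdict(name, True, "issuer is not GitHub; outside this check's scope")
    parsed = parse_github_subject(subject)
    if parsed is None:
        # Reject rather than ignore: a subject the policy cannot classify must not federate.
        return Verdict(name, False, f"unrecognised GitHub subject {subject!r}")
    owner, repo, scope = parsed
    # Case-insensitive on purpose: GitHub treats 'Contoso' and 'contoso' as the same
    # owner, so a case-sensitive allow list would not be a real restriction.
    if owner.lower() not in {o.lower() for o in approved_owners}:
        return Verdict(name, False, f"owner {owner!r} is not an approved repository owner")
    if scope == "pull_request" and not allow_pull_request_scope:
        # Every pull_request-triggered run of the repo shares this subject, so it is
        # far broader than a branch or environment scope; require an explicit opt-in.
        return Verdict(name, False, f"{owner}/{repo} federates the pull_request scope")
    return Verdict(name, True, f"{owner}/{repo} ({scope})")


def violations(creds: Iterable[dict], approved_owners: Iterable[str],
               allow_pull_request_scope: bool = False) -> list:
    """Names of credentials the allow list would reject, in input order."""
    owners = list(approved_owners)
    return [v.credential
            for v in (check_credential(c, owners, allow_pull_request_scope) for c in creds)
            if not v.allowed]


def _gh(name: str, subject: str) -> dict:
    return {"name": name, "properties": {"issuer": GITHUB_ISSUER, "subject": subject,
                                         "audiences": ["api://AzureADTokenExchange"]}}


# Constructed samples; 'contoso' is the hypothetical approved owner.
SAMPLE_CREDENTIALS = [
    _gh("deploy-main", "repo:contoso/payments-api:ref:refs/heads/main"),
    _gh("deploy-prod-env", "repo:Contoso/infra:environment:prod"),
    _gh("contractor-pr", "repo:contoso/payments-api:pull_request"),
    _gh("stray-fork", "repo:some-person/payments-api:ref:refs/heads/main"),
    _gh("malformed", "repo:contoso:ref:refs/heads/main"),
    {"name": "cluster-workload", "properties": {
        "issuer": "https://oidc.example.internal/cluster-1",   # constructed non-GitHub issuer
        "subject": "system:serviceaccount:payments:api",
        "audiences": ["api://AzureADTokenExchange"]}},
]

if __name__ == "__main__":
    for v in (check_credential(c, ["contoso"]) for c in SAMPLE_CREDENTIALS):
        print(f"{'ALLOW' if v.allowed else 'DENY ':5} {v.credential:<17} {v.reason}")
```

The built-in policy only constrains the owner; the scope check is an addition here, because an owner allow list alone still lets a `pull_request` subject through, and that subject is minted by any pull-request run of the repository rather than by a protected branch or environment.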
App Service 5e97b776-f380-4722-a9a3-e7f0be029e79 Configure App Service apps to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Virtual Machine Contributor
change
Patch, old suffix: preview (4.4.0-preview > 4.4.1) 2023-09-18 18:02:04 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
add
new Policy 2023-09-18 18:02:04 BuiltIn
Kubernetes af3c26b2-6fad-493e-9236-9c68928516ab Azure Kubernetes Service Clusters should enable Image Cleaner Image Cleaner performs automatic vulnerable, unused image identification and removal, which mitigates the risk of stale images and reduces the time required to clean them up. Learn more at: https://aka.ms/aks/image-cleaner. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-09-18 18:02:04 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch, old suffix: preview (3.9.0-preview > 3.9.1) 2023-09-18 18:02:04 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Azure Connected Machine Resource Administrator
change
Patch, old suffix: preview (2.2.0-preview > 2.2.1) 2023-09-18 18:02:04 BuiltIn
Media Services daccf7e4-9808-470c-a848-1c5b582a1afb Azure Media Services content key policies should use token authentication Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Microsoft Entra ID. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-09-18 18:02:04 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, old suffix: preview (3.4.0-preview > 3.4.1) 2023-09-18 18:02:04 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (4.3.0-preview > 4.4.0-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring 84cfed75-dfd4-421b-93df-725b479d356a Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch, old suffix: preview (1.1.1-preview > 1.1.2) 2023-09-11 17:59:12 BuiltIn
Monitoring 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-09-11 17:59:12 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring 08a4470f-b26d-428d-97f4-7e3e9c92b366 Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch, old suffix: preview (1.1.1-preview > 1.1.2) 2023-09-11 17:59:12 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Azure Connected Machine Resource Administrator
change
Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Patch, old suffix: preview (3.1.0-preview > 3.1.1) 2023-09-11 17:59:12 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Tags 36fd7371-8eb7-4321-9c30-a7100022d048 Requires resources to not have a specific tag. Denies the creation of a resource that contains the given tag. Does not apply to resource groups. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-09-11 17:59:12 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2023-09-11 17:59:12 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2023-09-11 17:59:12 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.8.0-preview > 3.9.0-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring af0082fd-fa58-4349-b916-b0e47abb0935 Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-09-11 17:59:12 BuiltIn
Security Center cbdd12e1-193a-445c-9926-560118c6daaa Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch, old suffix: preview (3.1.0-preview > 3.1.1) 2023-09-11 17:59:12 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.5-preview > 1.0.6-preview) 2023-09-01 18:00:13 BuiltIn
Data Factory f78ccdb4-7bf4-4106-8647-270491d2978a Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-09-01 18:00:13 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Minor (1.0.2 > 1.1.0) 2023-09-01 18:00:13 BuiltIn
Compute ac34a73f-9fa5-4067-9247-a3ecae514468 Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Minor (2.0.0 > 2.1.0) 2023-09-01 18:00:13 BuiltIn
Internet of Things 383856f8-de7f-44a2-81fc-e5135b5c2aa4 Resource logs in IoT Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.1 > 3.1.0) 2023-09-01 18:00:13 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.5-preview > 1.0.6-preview) 2023-09-01 18:00:13 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
add
new Policy 2023-09-01 18:00:13 BuiltIn
Key Vault a2a5b911-5617-447e-a49e-59dbe0e0434b Resource logs in Azure Key Vault Managed HSM should be enabled To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-09-01 18:00:13 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Cognitive Services 67121cc7-ff39-4ab8-b7e3-95b84dab487d Cognitive Services accounts should enable data encryption with a customer-managed key Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-08-28 18:00:34 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.2.0 > 3.3.0) 2023-08-28 18:00:34 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.3.0 > 3.4.0) 2023-08-28 18:00:34 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-08-28 18:00:34 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) 2023-08-28 18:00:34 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 [Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.3.0 > 3.4.0) 2023-08-28 18:00:34 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.2.0 > 3.3.0) 2023-08-28 18:00:34 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Automanage b025cfb4-3702-47c2-9110-87fe0cfcc99b Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.3.0 > 1.4.0) 2023-08-22 17:59:24 BuiltIn
Security Center cbdd12e1-193a-445c-9926-560118c6daaa Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
add
new Policy 2023-08-22 17:59:24 BuiltIn
Kubernetes cf426bb8-b320-4321-8545-1b784a5df3a4 [Image Integrity] Kubernetes clusters should only use images signed by notation Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit https://aka.ms/aks/image-integrity Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center feedbf84-6b99-488c-acc2-71c829aa5ffc SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.0.0 > 4.1.0) 2023-08-22 17:59:24 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
add
new Policy 2023-08-22 17:59:24 BuiltIn
Automanage f889cab7-da27-4c41-a3b0-de1f6f87c550 Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (2.3.0 > 2.4.0) 2023-08-22 17:59:24 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
add
new Policy 2023-08-22 17:59:24 BuiltIn
Security Center ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.2 > 1.0.3) 2023-08-11 17:58:20 BuiltIn
Security Center 640d2586-54d2-465f-877f-9ffc1d2109f4 Microsoft Defender for Storage should be enabled Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-08-11 17:58:20 BuiltIn
Security Center 689f7782-ef2c-4270-a6d0-7664869076bd Configure Microsoft Defender CSPM to be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Patch (1.0.1 > 1.0.2) 2023-08-11 17:58:20 BuiltIn
Monitoring 7c4214e9-ea57-487a-b38e-310ec09bc21d [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) 2023-08-11 17:58:20 BuiltIn
Monitoring a0f27bdc-5b15-4810-b81d-7c4df9df1a37 [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) 2023-08-11 17:58:20 BuiltIn
Machine Learning f110a506-2dcb-422e-bcea-d533fc8c35e2 Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. Fixed
[parameters('effects')]
change
Patch (1.0.2 > 1.0.3) 2023-08-11 17:58:20 BuiltIn
Monitoring c7f3bf36-b807-4f18-82dc-f480ad713635 [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) 2023-08-11 17:58:20 BuiltIn
Security Center 3ac7c827-eea2-4bde-acc7-9568cd320efa Machines should have secret findings resolved Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-08-03 17:56:09 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.2.0 > 3.3.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration d3b823c9-e0fc-4453-9fb2-8213b7338523 Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.0.0 > 4.1.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration 73db37c4-f180-4b0f-ab2c-8ee96467686b Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.0.0 > 4.1.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-08-03 17:56:09 BuiltIn
Kubernetes e1352e44-d34d-4e4d-a22e-451a15f759a1 Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: https://aka.ms/aks/planned-maintenance Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-08-03 17:56:09 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.1.0 > 3.2.0) 2023-08-03 17:56:09 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 [Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.4.0-preview > 3.8.0-preview) 2023-08-03 17:56:09 BuiltIn
General 16fabb5c-7379-4433-8009-042066fa3a16 Exclude Usage Costs Resources This policy enables you to exclude Usage Costs Resources. Usage costs include things like metered storage and Azure resources which are billed based on usage. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-08-03 17:56:09 BuiltIn
General 176b7c36-ac64-4f15-a296-50bd7fafab12 Do Not Allow M365 resources Block creation of M365 resources. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-08-03 17:56:09 BuiltIn
Security Center 8ac833bd-f505-48d5-887e-c993a1d3eea0 API endpoints in Azure API Management should be authenticated API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-08-03 17:56:09 BuiltIn
App Service 242222f3-4985-4e99-b5ef-086d6a6cb01c Configure Function app slots to disable public network access Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 003
Managed Identity Operator
Network Contributor
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-08-03 17:56:09 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
Guest Configuration e79ffbda-ff85-465d-ab8e-7e58a557660f [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-08-03 17:56:09 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (4.0.0-preview > 4.3.0-preview) 2023-08-03 17:56:09 BuiltIn
General 335d919a-dc24-4a94-b7cb-9f81b1a8156f Do Not Allow MCPP resources Block creation of MCPP resources. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-08-03 17:56:09 BuiltIn
Network 2d21331d-a4c2-4def-a9ad-ee4e1e023beb App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (2.0.0 > 2.0.1) 2023-08-03 17:56:09 BuiltIn
App Service cd794351-e536-40f4-9750-503a463d8cad Configure Function apps to disable public network access Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 003
Managed Identity Operator
Network Contributor
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration fad40cac-a972-4db0-b204-f1b15cced89a Local authentication methods should be disabled on Linux machines Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
Container Instance 41ebf9df-66cb-48e9-a8d0-98afb4e150ce Configure diagnostic settings for container groups to Log Analytics workspace Deploys the diagnostic settings for Container Instance to stream resource logs to a Log Analytics workspace when any container instance which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2023-08-03 17:56:09 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.1.0 > 3.2.0) 2023-08-03 17:56:09 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (3.1.0-preview > 3.3.0-preview) 2023-08-03 17:56:09 BuiltIn
Kubernetes 2cc2e023-0dac-4046-875b-178f683929d5 Azure Kubernetes Service Clusters should enable workload identity Workload identity allows you to assign a unique identity to each Kubernetes Pod and associate it with Azure AD protected resources such as Azure Key Vault, enabling secure access to these resources from within the Pod. Learn more at: https://aka.ms/aks/wi. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-08-03 17:56:09 BuiltIn
App Service 2374605e-3e0b-492b-9046-229af202562c Configure App Service apps to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 003
Managed Identity Operator
Network Contributor
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 [Preview]: Linux machines should meet STIG compliance requirement for Azure compute Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
Guest Configuration 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
App Service c6c3e00e-d414-4ca4-914f-406699bb8eee Configure App Service app slots to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled
count: 003
Managed Identity Operator
Network Contributor
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-08-03 17:56:09 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.2.0-preview) 2023-08-03 17:56:09 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.2.0 > 3.3.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-08-03 17:56:09 BuiltIn
Security Center c8acafaf-3d23-44d1-9624-978ef0f8652c API endpoints that are unused should be disabled and removed from the Azure API Management service As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up to date security coverage. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-08-03 17:56:09 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (4.1.0-preview > 4.0.0-preview) 2023-07-25 17:56:05 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.6.0-preview > 3.4.0-preview) 2023-07-25 17:56:05 BuiltIn
Cost Optimization Audit-AzureHybridBenefit Audit AHUB for eligible VMs Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-07-25 17:56:05 ALZ
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set Requires affinity rules to be set. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-07-24 17:56:14 BuiltIn
Guest Configuration 480d0f91-30af-4a76-9afb-f5710ac52b09 Private endpoints for Guest Configuration assignments should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-07-24 17:56:14 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-07-24 17:56:14 BuiltIn
Security Center 766e621d-ba95-4e43-a6f2-e945db3d7888 Setup subscriptions to transition to an alternative vulnerability assessment solution Microsoft Defender for cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2023-07-24 17:56:14 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-07-24 17:56:14 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-07-24 17:56:14 BuiltIn
Backup d6f6f560-14b7-49a4-9fc8-d2c3a9807868 [Preview]: Immutability must be enabled for Recovery Services vaults This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-07-24 17:56:14 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.5.0-preview > 3.6.0-preview) 2023-07-24 17:56:14 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-07-24 17:56:14 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) 2023-07-24 17:56:14 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.0.0 > 3.1.0) 2023-07-14 17:56:09 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.3.0 > 1.4.0) 2023-07-14 17:56:09 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.3.0 > 1.4.0) 2023-07-14 17:56:09 BuiltIn
Compute c3921d55-b741-4d16-8d56-7f16e99e6892 Protect your data with authentication requirements when exporting or uploading to a disk or snapshot. When export/upload URL is used, the system checks if the user has an identity in Azure Active Directory and has necessary permissions to export/upload the data. Please refer to aka.ms/DisksAzureADAuth. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
add
new Policy 2023-07-14 17:56:09 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.1.0 > 4.2.0) 2023-07-14 17:56:09 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.1.0 > 3.2.0) 2023-07-14 17:56:09 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.1.0 > 3.2.0) 2023-07-14 17:56:09 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.0.0 > 3.1.0) 2023-07-14 17:56:09 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) 2023-07-10 18:02:26 BuiltIn
SQL Managed Instance 6599ab01-29bc-4852-a6f5-de9e2151714a Transparent Data Encryption must be enabled for Arc SQL managed instances. Enable transparent data encryption (TDE) at-rest on an Azure Arc-enabled SQL Managed Instance. Learn more at https://aka.ms/EnableTDEArcSQLMI. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-07-10 18:02:26 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Patch (1.0.1 > 1.0.2) 2023-07-10 18:02:26 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) 2023-07-10 18:02:26 BuiltIn
Storage 978deb5d-c9a7-41f8-b4b2-b76880d0de1f Modify - Configure your Storage account to enable blob versioning You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. Please note existing storage accounts will not be modified to enable Blob storage versioning. Only newly created storage accounts will have Blob storage versioning enabled Default
Modify
Allowed
Modify, Disabled
count: 001
Storage Account Contributor
add
new Policy 2023-07-10 18:02:26 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.4.0-preview > 3.5.0-preview) 2023-07-10 18:02:26 BuiltIn
SQL Managed Instance bb3c7464-033e-41ee-81dc-480fde675b20 TLS protocol 1.2 must be used for Arc SQL managed instances. As a part of network settings, Microsoft recommends allowing only TLS 1.2 for TLS protocols in SQL Servers. Learn more on network settings for SQL Server at https://aka.ms/TlsSettingsSQLServer. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-07-10 18:02:26 BuiltIn
SQL Managed Instance 413923f0-ff16-41ae-8583-90c5c5d9fa8f Customer managed key encryption must be used as part of CMK Encryption for Arc SQL managed instances. As a part of CMK encryption, Customer managed key encryption must be used. Learn more at https://aka.ms/EnableTDEArcSQLMI. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-07-10 18:02:26 BuiltIn
Storage c36a325b-ae04-4863-ad4f-19c6678f8e08 Configure your Storage account to enable blob versioning You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-07-10 18:02:26 BuiltIn
SQL Deploy-Sql-vulnerabilityAssessments [Deprecated]: Deploy SQL Database vulnerability Assessments Deploy SQL Database vulnerability Assessments when they do not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 003
Monitoring Contributor
SQL Security Manager
Storage Account Contributor
change
Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated)

Superseded by: Deploy SQL Database Vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments_20230706) Custom ALZ
2023-07-07 17:55:09 ALZ
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet Default
Deny
Allowed
Audit, Deny, Disabled
change
Minor (2.0.0 > 2.1.0)

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)
2023-07-07 17:55:09 ALZ
SQL Deploy-Sql-vulnerabilityAssessments_20230706 Deploy SQL Database Vulnerability Assessments Deploy SQL Database Vulnerability Assessments when they do not exist in the deployment, and save results to the storage account specified in the parameters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 003
Monitoring Contributor
SQL Security Manager
Storage Account Contributor
add
new Policy

Replaces: [Deprecated]: Deploy SQL Database vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments)
2023-07-07 17:55:09 ALZ
Backup f19b0c83-716f-4b81-85e3-2dbf057c35d6 [Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. Default
Modify
Allowed
Modify, Disabled
count: 001
Backup Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-07-03 17:55:16 BuiltIn
Security Center 3ac7c827-eea2-4bde-acc7-9568cd320efa Machines should have secret findings resolved Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-07-03 17:55:16 BuiltIn
Backup 4d479a11-f2b5-4f0a-bb1e-d2332aa95cda [Preview]: Disable Cross Subscription Restore for Backup Vaults Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. Default
Modify
Allowed
Modify, Disabled
count: 001
Backup Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-07-03 17:55:16 BuiltIn
Security Center 3ac7c827-eea2-4bde-acc7-9568cd320efa Machines should have secret findings resolved Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-06-26 17:52:13 BuiltIn
Data Factory 6809a3d0-d354-42fb-b955-783d207c62a8 Azure Data Factory linked service resource type should be in allow list Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-06-26 17:52:13 BuiltIn
Automanage 270610db-8c04-438a-a739-e8e6745b22d3 [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (4.1.1-deprecated > 4.2.1-deprecated) 2023-06-26 17:52:13 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (7.1.0 > 7.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (6.1.0 > 6.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (8.1.0 > 8.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (5.1.0 > 5.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (7.1.0 > 7.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (6.1.0 > 6.1.1) 2023-06-26 17:52:13 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (4.0.0 > 4.0.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (7.1.0 > 7.1.1) 2023-06-26 17:52:13 BuiltIn
App Platform af35e2a4-ef96-44e7-a9ae-853dd97032c4 Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Default
Audit
Allowed
Audit, Disabled, Deny
change
Minor (1.1.0 > 1.2.0) 2023-06-26 17:52:13 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (5.1.0 > 5.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Patch (6.1.0 > 6.1.1) 2023-06-26 17:52:13 BuiltIn
Key Vault d8cf8476-a2ec-4916-896e-992351803c44 Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-06-26 17:52:13 BuiltIn
Data Factory 77d40665-3120-4348-b539-3192ec808307 Azure Data Factory should use a Git repository for source control Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-06-26 17:52:13 BuiltIn
Storage Deny-FileServices-InsecureAuth File Services with insecure authentication methods should be denied This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
SQL Deny-PublicEndpoint-MariaDB [Deprecated] Public network access should be disabled for MariaDB This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html Default
Deny
Allowed
Audit, Deny, Disabled
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Public network access should be disabled for MariaDB servers (fdccbe47-f3e3-4213-ad5d-ea459b2fa077) BuiltIn
2023-06-20 20:17:42 ALZ
Storage Deny-FileServices-InsecureSmbChannel File Services with insecure SMB channel encryption should be denied This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Storage Deny-FileServices-InsecureKerberos File Services with insecure Kerberos ticket encryption should be denied This policy denies the use of insecure Kerberos ticket encryption (RC4-HMAC) when using File Services on a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Network Deny-UDR-With-Specific-NextHop User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied This policy denies the creation of a User Defined Route with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway'. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Storage Deny-StorageAccount-CustomDomain Storage Accounts with custom domains assigned should be denied This policy denies the creation of Storage Accounts with custom domains assigned as communication cannot be encrypted, and always uses HTTP. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Storage Deny-Storage-SFTP Storage Accounts with SFTP enabled should be denied This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Network Deny-Subnet-Without-Penp Subnets without Private Endpoint Network Policies enabled should be denied This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Machine Learning Deny-MachineLearning-PublicNetworkAccess [Deprecated] Azure Machine Learning should have disabled public network access Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html Default
Deny
Allowed
Audit, Disabled, Deny
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Azure Machine Learning Workspaces should disable public network access (438c38d2-3772-465a-a9cc-7a6666a275ce) BuiltIn
2023-06-20 20:17:42 ALZ
Storage Deny-FileServices-InsecureSmbVersions File Services with insecure SMB versions should be denied This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2023-06-20 20:17:42 ALZ
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview) 2023-06-16 17:46:02 BuiltIn
Monitoring 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-06-16 17:46:02 BuiltIn
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-06-16 17:46:02 BuiltIn
Monitoring af0082fd-fa58-4349-b916-b0e47abb0935 Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-06-16 17:46:02 BuiltIn
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-06-16 17:46:02 BuiltIn
Logic Apps 34f95f76-5386-4de7-b824-0d8478470c9d Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (5.0.0 > 5.1.0) 2023-06-16 17:46:02 BuiltIn
App Service 2c034a29-2a5f-4857-b120-f800fe5549ae Configure App Service app slots to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service aede300b-d67f-480a-ae26-4b3dfb1a1fdc App Service apps should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service ec71c0bc-6a45-4b1f-9587-80dc83e6898c App Service app slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service 5e97b776-f380-4722-a9a3-e7f0be029e79 Configure App Service apps to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
Security Center ae89ebca-1c92-4898-ac2c-9f63decb045c Guest Configuration extension should be installed on your machines To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.2 > 1.0.3) 2023-06-09 17:46:13 BuiltIn
App Service 847ef871-e2fe-4e6e-907e-4adbf71de5cf App Service app slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.2 > 1.0.3) 2023-06-09 17:46:13 BuiltIn
App Service 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 Configure App Service apps to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (4.0.1 > 4.1.0) 2023-06-09 17:46:13 BuiltIn
App Service 871b205b-57cf-4e1e-a234-492616998bf7 App Service apps should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service f493116f-3b7f-4ab3-bf80-0c2af35e46c2 Configure App Service app slots to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
Guest Configuration faf25c8c-9598-4305-b4de-0aee1317fb31 [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-deprecated > 1.1.0-deprecated) 2023-06-09 17:46:13 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.1.0-preview > 2.1.0-deprecated) 2023-06-09 17:46:13 BuiltIn
App Service 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba App Service apps should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
change
Minor (1.0.0 > 1.1.0) 2023-06-09 17:46:13 BuiltIn
Security Center 1537496a-b1e8-482b-a06a-1cc2415cdc7b [Preview]: Configure supported Windows machines to automatically install the Azure Security agent Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) 2023-06-06 18:29:21 BuiltIn
Security Center 13a6c84f-49a5-410a-b5df-5b880c3fe009 [Preview]: Linux virtual machines should use only signed and trusted boot components All OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-06-06 18:29:21 BuiltIn
Backup f19b0c83-716f-4b81-85e3-2dbf057c35d6 [Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. Default
Modify
Allowed
Modify, Disabled
count: 001
Backup Contributor
add
new Policy 2023-06-06 18:29:21 BuiltIn
Security Center 808a7dc4-49f2-4e7b-af75-d14e561c244a [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-06-06 18:29:21 BuiltIn
Backup 4d479a11-f2b5-4f0a-bb1e-d2332aa95cda [Preview]: Disable Cross Subscription Restore for Backup Vaults Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. Default
Modify
Allowed
Modify, Disabled
count: 001
Backup Contributor
add
new Policy 2023-06-06 18:29:21 BuiltIn
Security Center e16f967a-aa57-4f5e-89cd-8d1434d0a29a [Preview]: Azure Security agent should be installed on your Windows virtual machine scale sets Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-06-06 18:29:21 BuiltIn
Security Center bb2c6c6d-14bc-4443-bef3-c6be0adc6076 [Preview]: Azure Security agent should be installed on your Windows virtual machines Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-06-06 18:29:21 BuiltIn
Guest Configuration 3810e389-1d92-4f77-9267-33bdcf0bd225 Windows machines should schedule Windows Defender to perform a scheduled scan every day To ensure prompt detection of malware and minimize its impact on your system, it is recommended that Windows machines with Windows Defender schedule a daily scan. Please make sure Windows Defender is supported, preinstalled on the device, and Guest Configuration prerequisites are deployed. Failure to meet these requirements may lead to inaccurate evaluation results. Learn more about Guest Configuration at https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.1.0 > 1.2.0) 2023-06-06 18:29:21 BuiltIn
Monitoring Deploy-Diagnostics-Firewall Deploy Diagnostic Settings for Firewall to Log Analytics workspace Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2023-05-30 30:17:42 ALZ
Azure Databricks 0eddd7f3-3d9b-4927-a07a-806e8ac9486c Configure Azure Databricks workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
change
Patch (1.0.0 > 1.0.1) 2023-05-26 17:43:09 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (4.2.0 > 4.3.0) 2023-05-26 17:43:09 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.2.0 > 3.3.0) 2023-05-26 17:43:09 BuiltIn
Azure Databricks 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-26 17:43:09 BuiltIn
Cosmos DB 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 Cosmos DB database accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-05-26 17:43:09 BuiltIn
Azure Databricks 258823f2-4595-4b52-b333-cc96192710d8 Azure Databricks Workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-05-26 17:43:09 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
Log Analytics Contributor
change
Patch (4.0.3 > 4.0.4) 2023-05-26 17:43:09 BuiltIn
Azure Databricks 9c25c9e4-ee12-4882-afd2-11fb9d87893f Azure Databricks Workspaces should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-05-26 17:43:09 BuiltIn
Security Center 73d6ab6c-2475-4850-afd6-43795f3492ef Deploy Workflow Automation for Microsoft Defender for Cloud recommendations Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists
count: 001
Contributor
change
Patch (5.0.0 > 5.0.1) 2023-05-26 17:43:09 BuiltIn
Security Center 509122b9-ddd9-47ba-a5f1-d0dac20be63c Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists
count: 001
Contributor
change
Patch (5.0.0 > 5.0.1) 2023-05-26 17:43:09 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.2.0 > 1.3.0) 2023-05-26 17:43:09 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.2.0 > 1.3.0) 2023-05-26 17:43:09 BuiltIn
Cosmos DB dc2d41d1-4ab1-4666-a3e1-3d51c43e0049 Configure Cosmos DB database accounts to disable local authentication Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default
Modify
Allowed
Modify, Disabled
count: 001
DocumentDB Account Contributor
change
Minor (1.0.0 > 1.1.0) 2023-05-26 17:43:09 BuiltIn
Azure Databricks 09210db3-d32c-4b2b-b4e1-f72ae920eb11 Configure Azure Databricks Workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.0.1 > 1.0.2) 2023-05-26 17:43:09 BuiltIn
Security Center f1525828-9a90-4fcf-be48-268cdd02361e Deploy Workflow Automation for Microsoft Defender for Cloud alerts Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists
count: 001
Contributor
change
Patch (5.0.0 > 5.0.1) 2023-05-26 17:43:09 BuiltIn
Monitoring Deploy-Diagnostics-APIMgmt Deploy Diagnostic Settings for API Management to Log Analytics workspace Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management instance that is missing these diagnostic settings is created or updated. The policy sets the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2023-05-22 22:17:43 ALZ
App Service Append-AppService-latestTLS AppService append sites with minimum TLS version to enforce. Append the AppService sites object to ensure that the minimum TLS version is set to the required minimum TLS version. Please note that Append does not enforce compliance; to enforce it, use Deny. Default
Append
Allowed
Append, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-05-22 22:17:43 ALZ
Machine Learning f110a506-2dcb-422e-bcea-d533fc8c35e2 Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. Fixed
[parameters('effects')]
change
Patch (1.0.1 > 1.0.2) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 51c1490f-3319-459c-bbbc-7f391bbed753 Azure Databricks Clusters should disable public IP Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
App Service cca5adfe-626b-4cc6-8522-f5b6ed2391bd Configure App Service app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 09210db3-d32c-4b2b-b4e1-f72ae920eb11 Configure Azure Databricks Workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 138ff14d-b687-4faa-a81c-898c91a87fa2 Resource logs in Azure Databricks Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 Azure Databricks Workspaces should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Security Center a1181c5f-672a-477a-979a-7d58aa086233 Security Center standard pricing tier should be selected The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center Default
Audit
Allowed
Audit, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-05-22 17:43:18 BuiltIn
Machine Learning f59276f0-5740-4aaf-821d-45d185aa210e Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning 438c38d2-3772-465a-a9cc-7a6666a275ce Azure Machine Learning Workspaces should disable public network access Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (2.0.0 > 2.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 9c25c9e4-ee12-4882-afd2-11fb9d87893f Azure Databricks Workspaces should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning a10ee784-7409-4941-b091-663697637c0f Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 258823f2-4595-4b52-b333-cc96192710d8 Azure Databricks Workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (2.0.0 > 2.0.1) 2023-05-22 17:43:18 BuiltIn
Security Center 090c7b07-b4ed-4561-ad20-e9075f3ccaff Container registry images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-22 17:43:18 BuiltIn
Machine Learning 7804b5c7-01dc-4723-969b-ae300cc07ff1 Azure Machine Learning Computes should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning afe0c3be-ba3b-4544-ba52-0c99672a8ad6 Resource logs in Azure Machine Learning Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
App Service 70adbb40-e092-42d5-a6f8-71c540a5efdb Configure Function app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-05-22 17:43:18 BuiltIn
Machine Learning a6f9a2d0-cff7-4855-83ad-4cd750666512 Configure Azure Machine Learning Computes to disable local authentication methods Disable local authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Patch (2.0.0 > 2.0.1) 2023-05-22 17:43:18 BuiltIn
Data Factory 3d02a511-74e5-4dab-a5fd-878704d4a61a [Preview]: Azure Data Factory pipelines should only communicate with allowed domains To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Deny
Allowed
Deny, Disabled
add
new Policy 2023-05-22 17:43:18 BuiltIn
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet Default
Deny
Allowed
Audit, Deny, Disabled
change
Major (1.0.0 > 2.0.0)
Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)
2023-05-17 17:17:42 ALZ
Azure Data Explorer 8945ba5e-918e-4a57-8117-fe615d12e3ba All Database Admin on Azure Data Explorer should be disabled Disable the All Database Admin role to restrict the granting of highly privileged/administrative user roles. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-05-16 17:42:35 BuiltIn
SQL e27a6dfc-883f-4f9e-97cc-a819fe702400 [Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled This policy is deprecated because it uses an unsupported API. Instead of continuing to use this policy, we recommend you assign the replacement policy with policy ID b4dec045-250a-48c2-b5cc-e0c4eec8b5b4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2023-05-16 17:42:35 BuiltIn
Security Center 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 Running container images should have vulnerability findings resolved Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-05-16 17:42:35 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) 2023-05-12 17:41:51 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) 2023-05-12 17:41:51 BuiltIn
Data Factory 496ca26b-f669-4322-a1ad-06b7b5e41882 Configure private endpoints for Data factories Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Data Factory Contributor
Network Contributor
change
Minor (1.0.0 > 1.1.0) 2023-05-12 17:41:51 BuiltIn
Security Center 17f4b1cc-c55c-4d94-b1f9-2978f6ac2957 Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-12 17:41:51 BuiltIn
SQL Server f36de009-cacb-47b3-b936-9c4c9120d064 Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. Enable or disable SQL best practices assessment on the SQL server instances on your Arc-enabled servers to evaluate best practices. Learn more at https://aka.ms/azureArcBestPracticesAssessment. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (1.0.0 > 1.0.1) 2023-05-05 17:42:17 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-05-05 17:42:17 BuiltIn
Guest Configuration 6141c932-9384-44c6-a395-59e4c057d7c9 Configure time zone on Windows machines. This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. Fixed
deployIfNotExists
count: 001
Guest Configuration Resource Contributor
change
Minor (2.0.0 > 2.1.0) 2023-05-05 17:42:17 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set Requires affinity rules to be set. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-05-05 17:42:17 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-05-05 17:42:17 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-05-05 17:42:17 BuiltIn
Security Center 9297c21d-2ed6-4474-b48f-163f75654ce3 [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 931e118d-50a1-4457-a5e4-78550e086c52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.1 > 3.0.1-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (4.0.1 > 4.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (8.0.1 > 8.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 74c30959-af11-47b3-9ed2-a26e03f427a3 Configure Microsoft Defender for Storage (Classic) to be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.1 > 1.0.2) 2023-05-01 17:41:52 BuiltIn
Security Center b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 Configure Azure Defender for Resource Manager to be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.1 > 1.0.2) 2023-05-01 17:41:52 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.0.1 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 57dde185-5c62-4063-b965-afbb201e9c1c Kubernetes cluster Windows containers should only run with approved user and domain user group Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.1 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 689f7782-ef2c-4270-a6d0-7664869076bd Configure Microsoft Defender CSPM to be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
SQL 40e85574-ef33-47e8-a854-7a65c7500560 Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
App Service 829b40f3-d3db-4fd2-be46-76663d3aeeb2 Function app slots that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Security Center 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222 Configure Azure Defender for servers to be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.0.1 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 7261b898-8a84-4db8-9e04-18527132abb3 App Service apps that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2023-05-01 17:41:52 BuiltIn
Security Center 2370a3c1-4a25-4283-a91a-c9c1a145fb2f Configure Azure Defender for DNS to be enabled Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.1 > 1.0.2) 2023-05-01 17:41:52 BuiltIn
Security Center 50ea7265-7d8c-429e-9a7d-ca1f410191c3 Configure Azure Defender for SQL servers on machines to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
Log Analytics Contributor
change
Patch (4.0.2 > 4.0.3) 2023-05-01 17:41:52 BuiltIn
API Management ffe25541-3853-4f4e-b71d-064422294b11 API Management should have username and password authentication disabled To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
App Service 7008174a-fd10-4ef0-817e-fc820a951d73 App Service apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.0.0 > 4.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center b99b73e7-074b-4089-9395-b7236f094491 Configure Azure Defender for Azure SQL database to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview) 2023-05-01 17:41:52 BuiltIn
SQL e27a6dfc-883f-4f9e-97cc-a819fe702400 [Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled This policy is deprecated because it uses an unsupported API. Instead of continuing to use this policy, we recommend you assign the replacement policy with policy ID b4dec045-250a-48c2-b5cc-e0c4eec8b5b4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Security Center aa633080-8b72-40c4-a2d7-d00c03e80bed [Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e3e008c3-56b9-4133-8fd7-d3347377402a. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.0.1 > 9.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 9c014953-ef68-4a98-82af-fd0f6b2306c8 App Service app slots that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface (CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, see https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.1 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 496223c3-ad65-4ecd-878a-bae78737e9ed App Service apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
App Service f466b2a6-823d-470d-8ea5-b031e72d79ae App Service app slots that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Security Center 6b1cbf55-e8b6-442f-ba4c-7246b6381474 [Deprecated]: Deprecated accounts should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 9a5f4e39-e427-4d5d-ae73-93db00328bec Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.0.1 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by a Deployment, ReplicaSet, DaemonSet or Job Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.1 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less than or equal to the resource limit, or left unspecified, to avoid overcommit. If Windows memory is over-provisioned it will page to disk, which can slow down performance, instead of terminating the container with an out-of-memory error Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.1 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 5485eac0-7e8f-4964-998b-a44f4f0c1e75 Kubernetes cluster Windows containers should not run as ContainerAdministrator Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Disabled
change
Minor (3.0.1 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 [Deprecated]: External accounts with read permissions should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e9ac8f8e-ce22-4355-8f04-99b911d6be52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
App Service e1d1b522-02b0-4d18-a04f-5ab62d20445f Function app slots that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 5c607a2e-c700-4744-8254-d77e7c9eb5e4 [Deprecated]: External accounts with write permissions should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 94e1c2ac-cbbe-4cac-a2b5-389c812dee87. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.1.1 > 3.2.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center e3576e28-8b17-4677-84c3-db2990658d64 [Deprecated]: MFA should be enabled on accounts with read permissions on your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (8.0.1 > 8.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Monitoring 04d53d87-841c-4f23-8a5b-21564380b55e Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (2.0.0 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (8.0.1 > 8.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes b81f454c-eebb-4e4f-9dfe-dca060e8a8fd [Preview]: Kubernetes clusters should restrict creation of given resource type Given Kubernetes resource type should not be deployed in certain namespace. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (2.1.1-preview > 2.2.0-preview) 2023-05-01 17:41:52 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.0.1 > 9.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 7238174a-fd10-4ef0-817e-fc820a951d73 Function apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.0.0 > 4.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center c9ddb292-b203-4738-aead-18e2716e858f Configure Microsoft Defender for Containers to be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (8.0.1 > 8.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 014664e7-e348-41a3-aeb9-566e4ff6a9df Configure App Service app slots to use the latest TLS version Periodically, newer versions are released for TLS either to address security flaws, include additional functionality, or enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-05-01 17:41:52 BuiltIn
App Service fa3a6357-c6d6-4120-8429-855577ec0063 Configure Function app slots to use the latest TLS version Periodically, newer versions are released for TLS either to address security flaws, include additional functionality, or enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
change
Minor (1.0.0 > 1.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 46dad49f-8945-44d7-9bb1-2e1542f627d3 App Service app slots that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-05-01 17:41:52 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.0.1 > 9.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center f8456c1c-aa66-4dfb-861a-25d127b775c9 [Deprecated]: External accounts with owner permissions should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 339353f6-2387-4a45-abe4-7f529d121046. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
App Service 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc Function apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 1f725891-01c0-420a-9059-4fa46cb770b7 Configure Azure Defender for Key Vaults to be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.1 > 1.0.2) 2023-05-01 17:41:52 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (4.0.1 > 4.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center ebb62a0c-3560-49e1-89ed-27e074e9f8ad [Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 0cfea604-3201-4e14-88fc-fae4c427a6c5. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Cache Append-Redis-disableNonSslPort Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server-to-client communication by enforcing a minimal TLS version; securing the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
Append
Allowed
Append, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-04-25 25:17:42 ALZ
Guest Configuration 5b054a0d-39e2-4d53-bea3-9734cad2c69b Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they allow re-use of passwords after the specified number of unique passwords. Default value for unique passwords is 24 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-04-25 17:42:14 BuiltIn
Guest Configuration 237b38db-ca4d-4259-9e47-7882441ca2c0 Audit Windows machines that do not have the minimum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they do not have the minimum password age set to the specified number of days. Default value for minimum password age is 1 day Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-04-25 17:42:14 BuiltIn
Security Center af9f6c70-eb74-4189-8d15-e4f11a7ebfd4 Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-04-25 17:42:14 BuiltIn
Security Center cdfcce10-4578-4ecd-9703-530938e4abcb Deploy export to Event Hub for Microsoft Defender for Cloud data Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists
count: 001
Contributor
change
Minor (4.1.0 > 4.2.0) 2023-04-25 17:42:14 BuiltIn
Guest Configuration a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Audit Windows machines that do not restrict the minimum password length to specified number of characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they do not restrict the minimum password length to the specified number of characters. Default value for minimum password length is 14 characters Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-04-25 17:42:14 BuiltIn
Guest Configuration 4ceb8dc2-559c-478b-a15b-733fbf1e3738 Audit Windows machines that do not have the maximum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they do not have the maximum password age set to the specified number of days. Default value for maximum password age is 70 days Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-04-25 17:42:14 BuiltIn
API Management ffe25541-3853-4f4e-b71d-064422294b11 API Management should have username and password authentication disabled To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-04-17 17:42:20 BuiltIn
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Deprecated]: Configure Microsoft Defender for APIs should be enabled This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2023-04-17 17:42:20 BuiltIn
Managed Grafana 67529aa1-5285-4b1c-8e6f-5ccd861ac98e Configure Azure Managed Grafana workspaces to disable public network access Disable public network access for your Azure Managed Grafana workspace so that it's not accessible over the public internet. This can reduce data leakage risks. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
add
new Policy 2023-04-17 17:42:20 BuiltIn
API Management 1b0d74ac-4b43-4c39-a15f-594385adc38d Modify API Management to disable username and password authentication To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Modify
Allowed
Modify
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2023-04-17 17:42:20 BuiltIn
Security Center 7926a6d1-b268-4586-8197-e8ae90c877d7 Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2023-04-17 17:42:20 BuiltIn
SQL Server f36de009-cacb-47b3-b936-9c4c9120d064 Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. Enable or disable SQL best practices assessment on the SQL server instances on your Arc-enabled servers to evaluate best practices. Learn more at https://aka.ms/azureArcBestPracticesAssessment. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2023-04-17 17:42:20 BuiltIn
Network Deny-RDP-From-Internet [Deprecated] RDP access from the Internet should be blocked This policy denies any network security rule that allows RDP access from the Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html Default
Deny
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-deprecated > 1.0.1-deprecated)

Superseded by: Management port access from the Internet should be blocked (Deny-MgmtPorts-From-Internet) Custom ALZ
2023-04-17 17:17:42 ALZ
SQL Deploy-Sql-Tde [Deprecated] Deploy SQL Database Transparent Data Encryption Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
SQL Security Manager
change
Patch, suffix remains equal (1.1.0-deprecated > 1.1.1-deprecated)

Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn
2023-04-17 17:17:42 ALZ
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (3.1.0 > 3.1.1) 2023-04-11 17:42:55 BuiltIn
Tags 36fd7371-8eb7-4321-9c30-a7100022d048 Requires resources to not have a specific tag. Denies the creation of a resource that contains the given tag. Does not apply to resource groups. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Monitoring c02729e5-e5e7-4458-97fa-2b5ad0661f28 Windows virtual machines should have Azure Monitor Agent installed Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Linux virtual machines should have Azure Monitor Agent installed Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 32ade945-311e-4249-b8a4-a549924234d7 Linux virtual machine scale sets should have Azure Monitor Agent installed Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Machine Learning f110a506-2dcb-422e-bcea-d533fc8c35e2 Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. Fixed
[parameters('effects')]
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-04-06 17:42:16 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Network 052c180e-287d-44c3-86ef-01aeae2d9774 Configure virtual networks to use specific workspace, storage account and flowlog retention policy for traffic analytics If a virtual network already has traffic analytics enabled, the policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-04-06 17:42:16 BuiltIn
Network cd6f7aff-2845-4dab-99f2-6d1754a754b0 Deploy a flow log resource with target virtual network Configures a flow log for a specific virtual network. It allows logging information about IP traffic flowing through a virtual network. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (4.1.0 > 4.2.0) 2023-04-06 17:42:16 BuiltIn
Network 4c3c6c5f-0d47-4402-99b8-aa543dd8bcee Flow logs should be configured for every virtual network Audits virtual networks to verify whether flow logs are configured. Enabling flow logs allows logging information about IP traffic flowing through a virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.1.0 > 1.2.0) 2023-04-06 17:42:16 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Network 3e9965dc-cc13-47ca-8259-a4252fd0cf7b Configure virtual network to enable traffic analytics Traffic analytics can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. If a virtual network already has traffic analytics enabled, the policy does not overwrite its settings. Flow logs are also enabled for virtual networks that do not have them. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-04-06 17:42:16 BuiltIn
Managed Identity fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f [Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners This policy limits federation with GitHub repos to only approved repository owners. Default
Audit
Allowed
Audit, Disabled, Deny
add
new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.1.0 > 3.2.0) 2023-04-06 17:42:16 BuiltIn
SQL 146412e9-005c-472b-9e48-c87b72ac229e A Microsoft Entra administrator should be provisioned for MySQL servers Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.1.0 > 1.2.0) 2023-04-06 17:42:16 BuiltIn
Managed Identity ae62c456-33de-4dc8-b100-7ce9028a7d99 [Preview]: Managed Identity Federated Credentials from Azure Kubernetes should be from trusted sources This policy limits federation with Azure Kubernetes clusters to only clusters from approved tenants, approved regions, and a specific exception list of additional clusters. Default
Audit
Allowed
Audit, Disabled, Deny
add
new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor (2.2.0 > 2.3.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor (2.2.0 > 2.3.0) 2023-04-06 17:42:16 BuiltIn
Managed Identity 2571b7c3-3056-4a61-b00a-9bc5232234f5 [Preview]: Managed Identity Federated Credentials should be from allowed issuer types This policy limits whether Managed Identities can use federated credentials, which common issuer types are allowed, and provides a list of allowed issuer exceptions. Default
Audit
Allowed
Audit, Disabled, Deny
add
new Policy 2023-04-06 17:42:16 BuiltIn
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Network 2f080164-9f4d-497e-9db6-416dc9f7b48a Network Watcher flow logs should have traffic analytics enabled Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-04-06 17:42:16 BuiltIn
Monitoring 3672e6f7-a74d-4763-b138-fcf332042f8f Windows virtual machine scale sets should have Azure Monitor Agent installed Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Network 27960feb-a23c-4577-8d36-ef8b5f35e0be All flow log resources should be in enabled state Audits flow log resources to verify whether the flow log status is enabled. Enabling flow logs allows logging information about flowing IP traffic. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-04-06 17:42:16 BuiltIn
SQL Deploy-Sql-Tde [Deprecated] Deploy SQL Database Transparent Data Encryption Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
SQL Security Manager
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn
2023-04-06 06:17:42 ALZ
Monitoring Deploy-Diagnostics-WVDHostPools Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pool that is missing these diagnostic settings is created or updated. The policy will set the diagnostic setting with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.2.0 > 1.3.0) 2023-04-06 06:17:42 ALZ
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)
2023-04-06 06:17:42 ALZ
Compute Deploy-Vm-autoShutdown Deploy Virtual Machine Auto Shutdown Schedule Deploys an auto shutdown schedule to a virtual machine Fixed
deployIfNotExists
count: 001
Virtual Machine Contributor
add
new Policy 2023-04-06 06:17:42 ALZ
Monitoring Deploy-Diagnostics-VWanS2SVPNGW Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway that is missing these diagnostic settings is created or updated. The policy will set the diagnostic setting with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2023-04-06 06:17:42 ALZ
Cost Optimization Audit-Disks-UnusedResourcesCostOptimization Unused Disks driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-04-06 06:17:42 ALZ
Network Deny-RDP-From-Internet [Deprecated] RDP access from the Internet should be blocked This policy denies any network security rule that allows RDP access from the Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html Default
Deny
Allowed
Audit, Deny, Disabled
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Management port access from the Internet should be blocked (Deny-MgmtPorts-From-Internet) Custom ALZ
2023-04-06 06:17:42 ALZ
Monitoring Deploy-Diagnostics-EventGridTopic Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic that is missing these diagnostic settings is created or updated. The policy will set the diagnostic setting with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2023-04-06 06:17:42 ALZ
Network Audit-PrivateLinkDnsZones Audit the creation of Private Link Private DNS Zones This policy audits the creation of a Private Link Private DNS Zone in the current scope; it is used in combination with policies that create centralized private DNS in the connectivity subscription. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-04-06 06:17:42 ALZ
Cost Optimization Audit-PublicIpAddresses-UnusedResourcesCostOptimization Unused Public IP addresses driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-04-06 06:17:42 ALZ
Cost Optimization Audit-ServerFarms-UnusedResourcesCostOptimization Unused App Service plans driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-04-06 06:17:42 ALZ
API Management 1b0d74ac-4b43-4c39-a15f-594385adc38d Modify API Management to disable username and password authentication To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Modify
Allowed
Modify
count: 001
Contributor
add
new Policy 2023-03-31 17:44:15 BuiltIn
Security Center 74c30959-af11-47b3-9ed2-a26e03f427a3 Configure Microsoft Defender for Storage (Classic) to be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.0 > 1.0.1) 2023-03-31 17:44:15 BuiltIn
Key Vault 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key vaults should have deletion protection enabled Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-03-31 17:44:15 BuiltIn
Storage 361c2074-3595-4e5d-8cab-4f21dffc835c Deploy Defender for Storage (Classic) on storage accounts This policy enables Defender for Storage (Classic) on storage accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch (1.0.0 > 1.0.1) 2023-03-31 17:44:15 BuiltIn
Cosmos DB da69ba51-aaf1-41e5-8651-607cd0b37088 Configure CosmosDB accounts to disable public network access Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Default
Modify
Allowed
Modify, Disabled
count: 002
Contributor
DocumentDB Account Contributor
change
Patch (1.0.0 > 1.0.1) 2023-03-31 17:44:15 BuiltIn
Security Center 17bc14a7-92e1-4551-8b8c-80f36953e166 Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable the basic Defender for Storage capabilities (Activity Monitoring). To enable full protection, which also includes On-upload Malware Scanning and Sensitive Data Threat Detection use the full enablement policy: aka.ms/DefenderForStoragePolicy. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2023-03-31 17:44:15 BuiltIn
API Management df73bd95-24da-4a4f-96b9-4e8b94b402bd API Management should disable public network access to the service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-03-31 17:44:15 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc-enabled Windows/Linux server, the latter should have the SQL Server extension installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Extension for SQL Server Deployment
change
Minor (3.3.0 > 3.4.0) 2023-03-31 17:44:15 BuiltIn
Network 4598f028-de1f-4694-8751-84dceb5f86b9 Azure Web Application Firewall on Azure Front Door should have request body inspection enabled Ensure that Web Application Firewalls associated to Azure Front Doors have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-03-31 17:44:15 BuiltIn
API Management 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 Configure API Management services to disable access to API Management public service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
API Management Service Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-31 17:44:15 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2023-03-31 17:44:15 BuiltIn
Network e52e8487-4a97-48ac-b3e6-1c3cef45d298 Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-03-31 17:44:15 BuiltIn
API Management ef619a2c-cc4d-4d03-b2ba-8c94a834d85b API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet-routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.1 > 1.0.2) 2023-03-31 17:44:15 BuiltIn
Network 882e19a6-996f-400e-a30f-c090887254f4 Migrate WAF from WAF Config to WAF Policy on Application Gateway If you have WAF Config instead of WAF Policy, then you may want to move to the new WAF Policy. Going forward, the firewall policy will support WAF policy settings, managed rulesets, exclusions, and disabled rule-groups. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-03-31 17:44:15 BuiltIn
Security Center 308fbb08-4ab8-4e67-9b29-592e93fb94fa [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.3 > 1.0.4) 2023-03-31 17:44:15 BuiltIn
Network ca85ef9a-741d-461d-8b7a-18c2da82c666 Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled Ensure that Web Application Firewalls associated to Azure Application Gateways have Request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-03-31 17:44:15 BuiltIn
Monitoring cd906338-3453-47ba-9334-2d654bf845af Azure Front Door Standard or Premium (Plus WAF) should have resource logs enabled Enable Resource logs for Azure Front Door Standard or Premium (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-03-31 17:44:15 BuiltIn
API Management b741306c-968e-4b67-b916-5675e5c709f4 API Management direct management endpoint should not be enabled The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. Default
Audit
Allowed
Audit, Disabled, Deny
change
Patch (1.0.1 > 1.0.2) 2023-03-31 17:44:15 BuiltIn
Key Vault 405c5871-3e91-4644-8a63-58e19d68ff5b Azure Key Vault should disable public network access Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-03-31 17:44:15 BuiltIn
Monitoring a142867f-3142-4ac6-b952-ab950a29fca5 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 9e6aee71-3781-4acd-bba7-aac4fb067dfa Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Databricks 9c25c9e4-ee12-4882-afd2-11fb9d87893f Azure Databricks Workspaces should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-03-27 17:43:07 BuiltIn
Monitoring 76539a09-021e-4300-953b-4c6018ac26dc Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring eb5a4c26-04cb-4ab1-81cb-726dc58df772 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.2.0-preview > 3.3.0-preview) 2023-03-27 17:43:07 BuiltIn
Monitoring ae48c709-d2b4-4fad-8c5c-838524130aa4 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
API Management ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 API Management APIs should use only encrypted protocols To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. Default
Audit
Allowed
Audit, Disabled, Deny
change
Patch (2.0.1 > 2.0.2) 2023-03-27 17:43:07 BuiltIn
Monitoring 792f8b74-dc05-44fd-b90d-340a097b80e6 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring e7c86682-34c1-488a-9aab-9cb279207992 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring a285df35-0164-4f4d-9e04-c39056742c55 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Databricks 258823f2-4595-4b52-b333-cc96192710d8 Azure Databricks Workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-03-27 17:43:07 BuiltIn
Monitoring 9ba29e83-863d-4fec-81d0-16dd87067cc3 Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring b9b976cc-59ef-468a-807e-19afa2ebfd52 Enable logging by category group for microsoft.network/p2svpngateways to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring f6d5d5d5-0fa9-4257-b820-69c35016c973 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Databricks 0eddd7f3-3d9b-4927-a07a-806e8ac9486c Configure Azure Databricks workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
new Policy 2023-03-27 17:43:07 BuiltIn
Monitoring a853abad-dfa4-4bf5-aaa1-04cb10c02d23 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring e488a548-7afd-43a7-a903-2a6dd36e7504 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 0628b917-d4b4-4af5-bc2b-b4f87cd173ab Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 3d034ef2-001c-46f6-a47b-e6e4a74ff89b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring fc602c00-2ce3-4556-b615-fa4159517103 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring dfbfceaa-14b2-4a90-a679-d169fa6a6a38 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 71153be3-4742-4aae-9aec-150f7589311b Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring d9f11fea-dd45-46aa-8908-b7a146f1e543 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring a9ebdeda-251a-4311-92be-5167d73b1682 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 480851ae-9ff3-49d1-904c-b5bd6f83f1ec Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 6b2899d8-5fdf-4ade-ba59-f1f82664877b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Databricks 09210db3-d32c-4b2b-b4e1-f72ae920eb11 Configure Azure Databricks Workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-03-27 17:43:07 BuiltIn
Monitoring f5094957-e0f7-4af2-9e14-13d60141dc4a Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring a81eb966-6696-46b1-9153-bed01569a7d0 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 8d253bba-a338-4fd9-9752-6b6edadca1eb Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 1abe42e1-a726-4dee-94c2-79f364dac9b7 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 3a8ff864-d881-44ce-bed3-0c63ede634cb Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
App Service a08ae1ab-8d1d-422b-a123-df82b307ba61 App Service app slots should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-03-27 17:43:07 BuiltIn
Monitoring fc744b31-a930-4eb5-bc06-e81f98bf7214 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
SignalR 21a9766a-82a5-4747-abb5-650b6dbba6d0 Azure SignalR Service should disable public network access To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-03-17 18:44:06 BuiltIn
Security Center e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 Vulnerabilities in security configuration on your machines should be remediated Servers that do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-03-17 18:44:06 BuiltIn
Container Instances 21c469fa-a887-4363-88a9-60bfd6911a15 Configure diagnostics for container group to log analytics workspace Appends the specified log analytics workspaceId and workspaceKey when any container group which is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those resource groups are changed. Default
Append
Allowed
Append, Disabled
add
new Policy 2023-03-17 18:44:06 BuiltIn
API Management 92bb331d-ac71-416a-8c91-02f2cb734ce4 API Management calls to API backends should not bypass certificate thumbprint or name validation To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. Default
Audit
Allowed
Audit, Disabled, Deny
change
Patch (1.0.1 > 1.0.2) 2023-03-17 18:44:06 BuiltIn
Machine Learning 45e05259-1eb5-4f70-9574-baf73e9d219b Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-03-17 18:44:06 BuiltIn
SignalR 62a3ae95-8169-403e-a2d2-b82141448092 Modify Azure SignalR Service resources to disable public network access To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Modify
Allowed
Modify, Disabled
count: 001
SignalR/Web PubSub Contributor
change
Minor (1.0.0 > 1.1.0) 2023-03-17 18:44:06 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
Log Analytics Contributor
change
Patch (4.0.1 > 4.0.2) 2023-03-17 18:44:06 BuiltIn
Machine Learning 40cec1dd-a100-4920-b15b-3024fe8901ab [Deprecated]: Azure Machine Learning workspaces should use private link This policy is deprecated because the private link is created after workspace creation, so the deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2023-03-17 18:44:06 BuiltIn
Kubernetes a1840de2-8088-4ea8-b153-b4c723e9cb01 Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers at https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
Audit
Allowed
Audit, Disabled
change
Patch (2.0.0 > 2.0.1) 2023-03-17 18:44:06 BuiltIn
Guest Configuration 3810e389-1d92-4f77-9267-33bdcf0bd225 Windows machines should schedule Windows Defender to perform a scheduled scan every day To ensure prompt detection of malware and minimize its impact on your system, it is recommended that Windows machines with Windows Defender schedule a daily scan. Please make sure Windows Defender is supported, preinstalled on the device, and Guest Configuration prerequisites are deployed. Failure to meet these requirements may lead to inaccurate evaluation results. Learn more about Guest Configuration at https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-03-17 18:44:06 BuiltIn
Managed Grafana bc33de80-97cd-4c11-b6b4-d075e03c7d60 Configure Azure Managed Grafana dashboards with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-03-10 18:58:56 BuiltIn
Azure Databricks 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption Only allow Databricks workspaces with the Premium SKU that your organization can deploy, to support features like Private Link and customer-managed keys for encryption. Learn more at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-03-10 18:58:56 BuiltIn
Backup 04726aae-4e8d-427c-af7d-ecf56d490022 [Preview]: Configure Azure Recovery Services vaults to disable public network access Disable public network access for your Recovery services vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. Default
Modify
Allowed
Modify, Disabled
count: 001
Backup Contributor
add
new Policy 2023-03-10 18:58:56 BuiltIn
Managed Grafana 4c8537f8-cd1b-49ec-b704-18e82a42fd58 Configure Azure Managed Grafana workspaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Managed Grafana workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
new Policy 2023-03-10 18:58:56 BuiltIn
Guest Configuration ca88aadc-6e2b-416c-9de2-5a0f01d1693f [Preview]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-03-03 18:43:58 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc-enabled Windows/Linux server, the latter should have the SQL Server extension installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Extension for SQL Server Deployment
change
Minor (3.2.0 > 3.3.0) 2023-03-03 18:43:58 BuiltIn
Guest Configuration 3dc5edcd-002d-444c-b216-e123bbfa37c0 [Preview]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-03-03 18:43:58 BuiltIn
Kubernetes a8e653d9-b5d4-48a0-afe6-14d881f9ee9a Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed Strimzi Kafka extension provides the operators to install Kafka for building real-time data pipelines and streaming applications with security and observability capabilities. Learn more here: https://aka.ms/arc-strimzikafka-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Owner
add
new Policy 2023-03-03 18:43:58 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.1.0-preview > 3.2.0-preview) 2023-03-03 18:43:58 BuiltIn
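Several of the records above carry a "Roles used" block. For DeployIfNotExists and Modify policies these are the built-in roles that the assignment's system-assigned managed identity is granted at the assignment scope so that remediation tasks can run. Where that list is Owner (the Strimzi Kafka extension policy) or Contributor (the Update Manager policy), the identity can change far more than the policy rule itself touches, and Owner additionally carries the right to assign roles; such entries deserve a least-privilege review before they are assigned at management-group scope. The Python below is added here as an example and is not part of the original page or of Microsoft's tooling: it parses the flattened record layout used on this page (the layout assumptions are stated in the comments) and lists the remediation policies whose role list includes one of those broad roles. The embedded sample is three records copied from this page.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Layout assumption for this page: a header line ending in "Default", the default effect,
# the word "Allowed", the allowed-effects list, an optional "count: NNN" block naming the
# roles the remediation identity needs, the action ("add"/"change"), then "<change> <date> <source>".
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
HEADER_RE = re.compile(
    rf"^(?P<category>.+?) (?P<policy_id>{GUID}|[A-Za-z0-9]+(?:-[A-Za-z0-9]+)+) (?P<title>.+) Default$"
)
TAIL_RE = re.compile(r"^(?P<change>.+) (?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<source>\S+)$")

# Effects whose assignment gets a managed identity that acts on resources in scope.
REMEDIATION_EFFECTS = {"DeployIfNotExists", "Modify"}
# Roles broad enough to review before handing them to a policy identity: Owner can also
# assign roles, Contributor can alter nearly every resource under the assignment scope.
BROAD_ROLES = {"Owner", "Contributor"}


@dataclass
class PolicyRecord:
    category: str
    policy_id: str
    title: str  # display name and description run together on the page
    default_effect: str = ""
    allowed_effects: List[str] = field(default_factory=list)
    roles: List[str] = field(default_factory=list)
    action: str = ""
    change: str = ""
    date: str = ""
    source: str = ""


def parse_records(text: str) -> List[PolicyRecord]:
    """Parse the flattened changelog text into one PolicyRecord per policy entry."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        head = HEADER_RE.match(lines[i])
        if head is None:
            raise ValueError(f"expected a record header at line {i + 1}: {lines[i]!r}")
        rec = PolicyRecord(head["category"], head["policy_id"], head["title"])
        rec.default_effect = lines[i + 1]
        if lines[i + 2] != "Allowed":
            raise ValueError(f"expected 'Allowed' at line {i + 3}: {lines[i + 2]!r}")
        rec.allowed_effects = [e.strip() for e in lines[i + 3].split(",")]
        i += 4
        if lines[i].startswith("count:"):  # role block is present only for remediation effects
            n = int(lines[i].split(":", 1)[1])
            rec.roles = lines[i + 1 : i + 1 + n]
            i += 1 + n
        rec.action = lines[i]
        tail = TAIL_RE.match(lines[i + 1])
        if tail is None:
            raise ValueError(f"malformed tail at line {i + 2}: {lines[i + 1]!r}")
        rec.change, rec.date, rec.source = tail["change"], tail["date"], tail["source"]
        records.append(rec)
        i += 2
    return records


def high_privilege_remediation(records: List[PolicyRecord]) -> List[PolicyRecord]:
    """Remediation policies whose identity would hold Owner or Contributor at the assignment scope."""
    return [r for r in records
            if r.default_effect in REMEDIATION_EFFECTS and BROAD_ROLES.intersection(r.roles)]


# Constructed sample: three records copied verbatim from this page.
SAMPLE_RECORDS = """
Kubernetes a8e653d9-b5d4-48a0-afe6-14d881f9ee9a Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed Strimzi Kafka extension provides the operators to install Kafka for building real-time data pipelines and streaming applications with security and observability capabilities. Learn more here: https://aka.ms/arc-strimzikafka-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Owner
add
new Policy 2023-03-03 18:43:58 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.1.0-preview > 3.2.0-preview) 2023-03-03 18:43:58 BuiltIn
Monitoring Deploy-Diagnostics-PostgreSQL Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (1.1.0 > 2.0.0) 2023-02-23 23:18:45 ALZ
"""

if __name__ == "__main__":
    for rec in high_privilege_remediation(parse_records(SAMPLE_RECORDS)):
        print(f"{rec.policy_id}  {rec.default_effect}  roles={rec.roles}  [{rec.category}] {rec.title[:60]}")
```

Only exact role names are matched, so "Log Analytics Contributor" and "Monitoring Contributor" in the ALZ record are not flagged; those scoped roles are the pattern the broad ones should be compared against when deciding whether an assignment is acceptable.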
Security Center 009259b0-12e8-42c9-94e7-7af86aa58d13 [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Reader
Virtual Machine Contributor
change
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Security Center f655e522-adff-494d-95c2-52d4f6d56a42 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Managed Grafana 3a97e513-f75e-4230-8137-1efad4eadbbc Azure Managed Grafana should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Managed Grafana, you can reduce data leakage risks. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer a47272e1-1d5d-4b0b-b366-4873f1432fe0 Configure Azure Data Explorer clusters with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. Learn more at: [ServiceSpecificAKA.ms]. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Network Contributor
SQL Server Contributor
add
new Policy 2023-02-27 19:03:54 BuiltIn
Kubernetes 0adc5395-9169-4b9b-8687-af838d69410a Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Kubernetes Extension Contributor
change
Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0) 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer 7b32f193-cb28-4e15-9a98-b9556db0bafa Configure Azure Data Explorer to disable public network access Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables the public network access for all Azure Data Explorer clusters. Default
Modify
Allowed
Modify, Disabled
count: 001
SQL Server Contributor
add
new Policy 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer 1fec9658-933f-4b3e-bc95-913ed22d012b Azure Data Explorer should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-02-27 19:03:54 BuiltIn
Security Center c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Security Center 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Kubernetes 6b2122c1-8120-4ff5-801b-17625a355590 Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0) 2023-02-27 19:03:54 BuiltIn
Security Center 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer 43bc7be6-5e69-4b0d-a2bb-e815557ca673 Public network access on Azure Data Explorer should be disabled Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-02-27 19:03:54 BuiltIn
Security Center 6074e9a3-c711-4856-976d-24d51f9e065b [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Security Center a21f8c92-9e22-4f09-b759-50500d1d2dda [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Managed Grafana e8775d5a-73b7-4977-a39b-833ef0114628 Azure Managed Grafana workspaces should disable public network access Disabling public network access improves security by ensuring that your Azure Managed Grafana workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your workspaces. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer f7735886-8927-431f-b201-c953922512b8 Azure Data Explorer cluster should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-02-27 19:03:54 BuiltIn
Automanage fb97d6e1-5c98-4743-a439-23e0977bad9e [Preview]: Boot Diagnostics should be enabled on virtual machines Azure virtual machines should have boot diagnostics enabled. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-02-27 19:03:54 BuiltIn
Monitoring Deploy-Diagnostics-PostgreSQL Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (1.1.0 > 2.0.0) 2023-02-23 23:18:45 ALZ
Monitoring Deploy-Diagnostics-Databricks Deploy Diagnostic Settings for Databricks to Log Analytics workspace Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.2.0 > 1.3.0) 2023-02-23 23:18:45 ALZ
Automanage e4953962-5ae4-43eb-bb92-d66fd5563487 [Preview]: A managed identity should be enabled on your machines Resources managed by Automanage should have a managed identity. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 87ac3038-c07a-4b92-860d-29e270a4f3cd Azure Virtual Desktop workspaces should disable public network access Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization ca950cd7-02f7-422e-8c23-91ff40f169c1 Azure Virtual Desktop service should use private link Using Azure Private Link with your Azure Virtual Desktop resources can improve security and keep your data safe. Learn more about private links at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-02-16 18:41:08 BuiltIn
Key Vault 5f0bc445-3935-4915-9981-011aa2b46147 [Deprecated]: Private endpoint should be configured for Key Vault The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix changed: new suffix: deprecated; old suffix: preview (1.1.0-preview > 1.1.1-deprecated) 2023-02-16 18:41:08 BuiltIn
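The "change" cell on this page encodes a version transition as a numeric part (Major, Minor, Patch, or Version remains equal) followed, whenever a -preview or -deprecated tag is involved, by a suffix note; the Key Vault record above is the most involved case, a patch bump whose suffix also flips from preview to deprecated. The Python below is an added example, not the page's own generator: it reproduces that labelling from the old and new version strings and round-trips the cells copied from this page. review_flags adds a reading of what each transition means for whoever owns the assignments (a deprecation, leaving preview, or a major bump, which in the built-ins' versioning convention is where breaking parameter or rule changes land); that interpretation is mine and is not stated on the page.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    suffix: str  # "" when the version carries no -preview / -deprecated tag


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.]+))?$")
_CELL_RE = re.compile(r"^(?P<label>.+) \((?P<old>\S+) > (?P<new>\S+)\)$")


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a policy definition version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return Version(int(major), int(minor), int(patch), suffix or "")


def numeric_change(old: Version, new: Version) -> str:
    """Highest-order numeric component that moved, or the page's wording when none did."""
    if new.major != old.major:
        return "Major"
    if new.minor != old.minor:
        return "Minor"
    if new.patch != old.patch:
        return "Patch"
    return "Version remains equal"


def suffix_change(old: Version, new: Version) -> Optional[str]:
    """Suffix note as the page phrases it; None when neither version has a suffix."""
    if old.suffix == new.suffix:
        return "suffix remains equal" if old.suffix else None
    if not old.suffix:
        return f"new suffix: {new.suffix}"
    if not new.suffix:
        return f"old suffix: {old.suffix}"
    return f"suffix changed: new suffix: {new.suffix}; old suffix: {old.suffix}"


def describe_change(old_text: str, new_text: str) -> str:
    """Render the change cell exactly as the table does."""
    old, new = parse_version(old_text), parse_version(new_text)
    parts = [numeric_change(old, new)]
    note = suffix_change(old, new)
    if note:
        parts.append(note)
    return f"{', '.join(parts)} ({old_text} > {new_text})"


def parse_change_cell(cell: str) -> Tuple[str, str]:
    """Extract (old, new) version strings from a change cell."""
    m = _CELL_RE.match(cell)
    if m is None:
        raise ValueError(f"not a change cell: {cell!r}")
    return m["old"], m["new"]


def review_flags(old_text: str, new_text: str) -> List[str]:
    """Reasons a transition deserves a human look (my reading of the versioning convention)."""
    old, new = parse_version(old_text), parse_version(new_text)
    flags = []
    if new.suffix == "deprecated" and old.suffix != "deprecated":
        flags.append("deprecated: assign the replacement definition named in the description")
    elif old.suffix == "preview" and new.suffix == "":
        flags.append("left preview: the definition is now considered stable")
    if new.major != old.major:
        flags.append("major bump: parameters or rule logic may have changed incompatibly")
    return flags


# Constructed sample: change cells copied from this page.
SAMPLE_CHANGE_CELLS = [
    "Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)",
    "Minor (3.2.0 > 3.3.0)",
    "Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0)",
    "Major (1.1.0 > 2.0.0)",
    "Patch, suffix changed: new suffix: deprecated; old suffix: preview (1.1.0-preview > 1.1.1-deprecated)",
    "Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated)",
    "Patch (1.1.0 > 1.1.1)",
]


def verify_samples(cells: List[str] = SAMPLE_CHANGE_CELLS) -> List[str]:
    """Return the cells the classifier fails to reproduce (empty list means all match)."""
    return [c for c in cells if describe_change(*parse_change_cell(c)) != c]


if __name__ == "__main__":
    for cell in SAMPLE_CHANGE_CELLS:
        old, new = parse_change_cell(cell)
        print(f"{cell:<95} flags={review_flags(old, new)}")
```

Note that a "Version remains equal" transition to a -deprecated suffix leaves the numeric version untouched, so anything that tracks built-in definitions by major.minor.patch alone will not notice the deprecation; the suffix has to be compared as well.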
Desktop Virtualization 2a0913ff-51e7-47b8-97bb-ea17127f7c8d Configure Azure Virtual Desktop hostpools to disable public network access Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled
count: 001
Desktop Virtualization Host Pool Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization e84e8a9a-f43e-46e3-9458-bbcfb2d7e429 Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts Disable public network access for your Azure Virtual Desktop hostpool session hosts, but allow public access for end users. This allows users to still access AVD service while ensuring the session host is only accessible through private routes. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled
count: 001
Desktop Virtualization Host Pool Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Monitoring 0868462e-646c-4fe3-9ced-a733534b6a2c Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (3.0.1 > 3.1.0) 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 7b331e6b-6096-4395-a754-758a64505f19 Configure Azure Virtual Desktop hostpools with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 02aa841c-42e8-492f-a43d-1f2c67e58d41 Configure Azure Virtual Desktop workspaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization a22065a3-3b04-46ff-b84c-2d30e5c300d0 Azure Virtual Desktop hostpools should disable public network access only on session hosts Disabling public network access for your Azure Virtual Desktop hostpool session hosts, but allowing public access for end users improves security by limiting exposure to the public internet. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 34804460-d88b-4922-a7ca-537165e060ed Configure Azure Virtual Desktop workspace resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 9427df23-0f42-4e1e-bf99-a6133d841c4a Configure Azure Virtual Desktop hostpool resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Automanage fd4726f4-a5fc-4540-912d-67c96fc992d5 [Preview]: Automanage Configuration Profile Assignment should be Conformant Resources managed by Automanage should have a status of Conformant or ConformantCorrected. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization ce6ebf1d-0b94-4df9-9257-d8cacc238b4f Configure Azure Virtual Desktop workspaces to disable public network access Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled
count: 001
Desktop Virtualization Workspace Contributor
add
new Policy 2023-02-16 18:41:08 BuiltIn
Compute 7c1b1214-f927-48bf-8882-84f0af6588b1 [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated) 2023-02-16 18:41:08 BuiltIn
Monitoring 3c1b3629-c8f8-4bf6-862c-037cb9094038 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Virtual Machine Contributor
change
Minor (3.0.1 > 3.1.0) 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization c25dcf31-878f-4eba-98eb-0818fdc6a334 Azure Virtual Desktop hostpools should disable public network access Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-02-16 18:41:08 BuiltIn
Monitoring Deploy-Diagnostics-VNetGW Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (1.1.0 > 1.1.1) 2023-02-16 16:18:41 ALZ
Monitoring Deploy-Diagnostics-Website Deploy Diagnostic Settings for App Service to Log Analytics workspace Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2023-02-16 16:18:41 ALZ
Monitoring 792f8b74-dc05-44fd-b90d-340a097b80e6 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 50cebe4c-8021-4f07-bcb2-6c80622444a9 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6b359d8f-f88d-4052-aa7c-32015963ecc1 Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring ed6ae75a-828f-4fea-88fd-dead1145f1dd Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring b88bfd90-4da5-43eb-936f-ae1481924291 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring cac9e1c5-c3cb-47fa-8d4c-88b8559262d2 Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 69ab8bfc-dc5b-443d-93a7-7531551dec66 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 9e6aee71-3781-4acd-bba7-aac4fb067dfa Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring f8352124-56fa-4f94-9441-425109cdc14b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 1513498c-3091-461a-b321-e9b433218d28 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 9f4e810a-899e-4e5e-8174-abfcf15739a3 Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 480851ae-9ff3-49d1-904c-b5bd6f83f1ec Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring f969646f-b6b8-45a0-b736-bf9b4bb933dc Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring b797045a-b3cd-46e4-adc4-bbadb3381d78 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 93a604fe-0ec2-4a99-ab8c-7ef08f05555a Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 106cd3bd-50a1-466c-869f-f9c2d310477b Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 8656d368-0643-4374-a63f-ae0ed4da1d9a Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 69214fad-6742-49a9-8f71-ee9d269364ab Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 818719e5-1338-4776-9a9d-3c31e4df5986 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 20f21bc7-b0b8-4d57-83df-5a8a0912b934 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 8d253bba-a338-4fd9-9752-6b6edadca1eb Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 9ba29e83-863d-4fec-81d0-16dd87067cc3 Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 07c818eb-df75-4465-9233-6a8667e86670 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 1abe42e1-a726-4dee-94c2-79f364dac9b7 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring f08edf17-5de2-4966-8c62-a50a3f4368ff Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring fc744b31-a930-4eb5-bc06-e81f98bf7214 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 4b05de63-3ad2-4f6d-b421-da21f1328f3b Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring a9ebdeda-251a-4311-92be-5167d73b1682 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
SQL 146412e9-005c-472b-9e48-c87b72ac229e A Microsoft Entra administrator should be provisioned for MySQL servers Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring b90ec596-faa6-4c61-9515-34085703e260 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring f873a711-0322-4744-8322-7e62950fbec2 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring eb5a4c26-04cb-4ab1-81cb-726dc58df772 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 567c93f7-3661-494f-a30f-0a94d9bfebf8 Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring bf6af3d2-fbd5-458f-8a40-2556cf539b45 Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 3d034ef2-001c-46f6-a47b-e6e4a74ff89b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6b2899d8-5fdf-4ade-ba59-f1f82664877b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 03a087c0-b49f-4440-9ae5-013703eccc8c Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 55d1f543-d1b0-4811-9663-d6d0dbc6326d Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 94d707a8-ce27-4851-9ce2-07dfe96a095b Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring e20f31d7-6b6d-4644-962a-ae513a85ab0b Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring b4a9c220-1d62-4163-a17b-30db7d5b7278 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring fe85de62-a656-4b79-9d94-d95c89319bd9 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 14e81583-c89c-47db-af0d-f9ddddcccd9f Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring e488a548-7afd-43a7-a903-2a6dd36e7504 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring edf35972-ed56-4c2f-a4a1-65f0471ba702 Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring a285df35-0164-4f4d-9e04-c39056742c55 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 3496f6fd-57ba-485c-8a14-183c4493b781 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) 2023-02-10 18:41:56 BuiltIn
Monitoring 4cabf9fc-4ed1-4990-bbaf-7248fb8751bc Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Guest Configuration f40c7c00-b4e3-4068-a315-5fe81347a904 [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) 2023-02-10 18:41:56 BuiltIn
Monitoring 0925a080-ab8d-44a1-a39c-61e184b4d8f9 Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 39741c6f-5e8b-4511-bba4-6662d0e0e2ac Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring e7c86682-34c1-488a-9aab-9cb279207992 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 56288eb2-4350-461d-9ece-2bb242269dce Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring d9f11fea-dd45-46aa-8908-b7a146f1e543 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 8fc4ca5f-6abc-4b30-9565-0bd91ac49420 Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 0628b917-d4b4-4af5-bc2b-b4f87cd173ab Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring aec4c33f-2f2a-4fd3-91cd-24a939513c60 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring a853abad-dfa4-4bf5-aaa1-04cb10c02d23 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 0f708273-cf83-4d29-b31b-ebaf8d0eb8c2 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 34c7546c-d637-4b5d-96ab-93fb6ed07af8 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 2e8a8853-917a-4d26-9c3a-c92a7fa031e8 Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
SQL b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 A Microsoft Entra administrator should be provisioned for PostgreSQL servers Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2023-02-10 18:41:56 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) 2023-02-10 18:41:56 BuiltIn
Monitoring 90c90eda-bfe7-4c67-bf26-410420ed1047 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring d3e11828-02c8-40d2-a518-ad01508bb4d7 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 614d9fbd-68cd-4832-96db-3362069661b2 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring f5094957-e0f7-4af2-9e14-13d60141dc4a Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6567d3f3-42d0-4cfb-9606-9741ba60fa07 Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring fc602c00-2ce3-4556-b615-fa4159517103 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 76539a09-021e-4300-953b-4c6018ac26dc Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring f6d5d5d5-0fa9-4257-b820-69c35016c973 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring a8de4d0a-d637-4684-b70e-6df73b74d117 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 0277b2d5-6e6f-4d97-9929-a5c4eab56fd7 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring d147ba9f-3e17-40b1-9c23-3bca478ba804 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring ae48c709-d2b4-4fad-8c5c-838524130aa4 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring a142867f-3142-4ac6-b952-ab950a29fca5 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 3a8ff864-d881-44ce-bed3-0c63ede634cb Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
API Management f1cc7827-022c-473e-836e-5a51cae0b249 API Management secret named values should be stored in Azure Key Vault Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. Default
Audit
Allowed
Audit, Disabled, Deny
change
Patch (1.0.1 > 1.0.2) 2023-02-10 18:41:56 BuiltIn
Monitoring 46b2dd5d-3936-4347-8908-b298ea4466d3 Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 441af8bf-7c88-4efc-bd24-b7be28d4acce Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 0e0c742d-5031-4e65-bf96-1bee7cf55740 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 0da6faeb-d6c6-4f6e-9f49-06277493270b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 71153be3-4742-4aae-9aec-150f7589311b Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring e9c56c41-d453-4a80-af93-2331afeb3d82 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6f3f5778-f809-4755-9d8f-bd5a5a7add85 Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring b9b976cc-59ef-468a-807e-19afa2ebfd52 Enable logging by category group for microsoft.network/p2svpngateways to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-02-10 18:41:56 BuiltIn
Monitoring dfbfceaa-14b2-4a90-a679-d169fa6a6a38 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring be9259e2-a221-4411-84fd-dd22c6691653 Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring c3b912c2-7f5b-47ac-bd52-8c85a7667961 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring fc66c506-9397-485e-9451-acc1525f0070 Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 856331d3-0169-4dd9-9b04-cbb2ad3d1cf2 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring a81eb966-6696-46b1-9153-bed01569a7d0 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 00ec9865-beb6-4cfd-82ed-bd8f50756acd Enable logging by category group for microsoft.network/p2svpngateways to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 3dd58519-427e-42a4-8ffc-e415a3c716f1 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2023-02-10 18:41:56 BuiltIn
SQL b52376f7-9612-48a1-81cd-1ffe4b61032c Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (2.0.0 > 2.0.1) 2023-02-10 18:41:56 BuiltIn
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor (2.1.0 > 2.2.0) 2023-02-03 18:39:01 BuiltIn
Key Vault a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.1 > 1.2.1) 2023-02-03 18:39:01 BuiltIn
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (2.0.0 > 2.1.0) 2023-02-03 18:39:01 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.0.0 > 4.1.0) 2023-02-03 18:39:01 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (6.0.0 > 6.1.0) 2023-02-03 18:39:01 BuiltIn
Monitoring f17d891d-ff20-46f2-bad3-9e0a5403a4d3 Linux Arc-enabled machines should have Azure Monitor Agent installed Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.0.1 > 1.1.0) 2023-02-03 18:39:01 BuiltIn
Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor (2.1.0 > 2.2.0) 2023-02-03 18:39:01 BuiltIn
Monitoring ec621e21-8b48-403d-a549-fc9023d4747f Windows Arc-enabled machines should have Azure Monitor Agent installed Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.0.1 > 1.1.0) 2023-02-03 18:39:01 BuiltIn
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (2.0.0 > 2.1.0) 2023-02-03 18:39:01 BuiltIn
SQL 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (3.0.0 > 3.0.1) 2023-01-27 18:40:07 BuiltIn
Key Vault 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 [Preview]: Azure Key Vault should use RBAC permission model Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-01-27 18:40:07 BuiltIn
API Management 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 API Management subscriptions should not be scoped to all APIs API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. Default
Audit
Allowed
Audit, Disabled, Deny
change
Minor (1.0.0 > 1.1.0) 2023-01-27 18:40:07 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when a SQL Server instance is found on an Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Extension for SQL Server Deployment
change
Minor (3.1.0 > 3.2.0) 2023-01-27 18:40:07 BuiltIn
Network 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 Deploy a flow log resource with target network security group Configures a flow log for a specific network security group. It allows logging information about IP traffic flowing through a network security group. Flow logs help identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. Fixed
deployIfNotExists
count: 001
Contributor
change
Minor (1.0.1 > 1.1.0) 2023-01-27 18:40:07 BuiltIn
Network e920df7f-9a64-4066-9b58-52684c02a091 Configure network security groups to enable traffic analytics Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If a network security group already has Traffic analytics enabled, the policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have them. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.1.0 > 1.2.0) 2023-01-27 18:40:07 BuiltIn
Network 5e1cd26a-5090-4fdb-9d6a-84a90335e22d Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics If a network security group already has traffic analytics enabled, the policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.1.0 > 1.2.0) 2023-01-27 18:40:07 BuiltIn
Machine Learning Deny-MachineLearning-PublicAccessWhenBehindVnet Deny public access behind vnet to Azure Machine Learning workspace Deny public access behind vnet to Azure Machine Learning workspaces. Default
Deny
Allowed
Audit, Disabled, Deny
change
Patch (1.0.0 > 1.0.1) 2023-01-24 24:18:06 ALZ
Key Vault ed7c8c13-51e7-49d1-8a43-8490431a0da2 Deploy Diagnostic Settings for Key Vault to Event Hub Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (3.0.0 > 3.0.1) 2023-01-23 18:07:09 BuiltIn
Backup 2514263b-bc0d-4b06-ac3e-f262c0979018 [Preview]: Immutability must be enabled for backup vaults This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-01-23 18:07:09 BuiltIn
Key Vault 9d4fad1f-5189-4a42-b29e-cf7929c6b6df Configure Azure Key Vaults with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Key Vault Contributor
Network Contributor
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-01-23 18:07:09 BuiltIn
Key Vault a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-01-23 18:07:09 BuiltIn
Backup 9798d31d-6028-4dee-8643-46102185c016 [Preview]: Soft delete should be enabled for Backup Vaults This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete Default
Audit
Allowed
Audit, Disabled
add
new Policy 2023-01-23 18:07:09 BuiltIn
Kubernetes 0adc5395-9169-4b9b-8687-af838d69410a Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Kubernetes Extension Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-01-23 18:07:09 BuiltIn
Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.0 > 2.1.0) 2023-01-23 18:07:09 BuiltIn
Key Vault ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 Configure Azure Key Vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-01-23 18:07:09 BuiltIn
Kubernetes 6b2122c1-8120-4ff5-801b-17625a355590 Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-01-23 18:07:09 BuiltIn
Data Factory 85bb39b5-2f66-49f8-9306-77da3ac5130f Azure Data Factory integration runtime should have a limit for number of cores To manage your resources and costs, limit the number of cores for an integration runtime. Default
Audit
Allowed
Audit, Deny, Disabled
change
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2023-01-13 18:06:06 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.0.0 > 9.1.0) 2023-01-13 18:06:06 BuiltIn
Security Center 7926a6d1-b268-4586-8197-e8ae90c877d7 Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, new suffix: preview (1.0.0 > 1.0.1-preview) 2023-01-13 18:06:06 BuiltIn
Machine Learning ee40564d-486e-4f68-a5ca-7a621edae0fb Configure Azure Machine Learning workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
change
Minor (1.0.0 > 1.1.0) 2023-01-13 18:06:06 BuiltIn
Data Factory 77d40665-3120-4348-b539-3192ec808307 Azure Data Factory should use a Git repository for source control Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. Default
Audit
Allowed
Audit, Deny, Disabled
change
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2023-01-13 18:06:06 BuiltIn
Service Bus cbd11fd3-3002-4907-b6c8-579f0e700e13 Service Bus Namespaces should disable public network access Azure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2023-01-13 18:06:06 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Contributor
Log Analytics Contributor
change
Patch (4.0.0 > 4.0.1) 2023-01-13 18:06:06 BuiltIn
Data Factory f78ccdb4-7bf4-4106-8647-270491d2978a Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. Default
Audit
Allowed
Audit, Deny, Disabled
change
Version remains equal, old suffix: preview (2.0.0-preview > 2.0.0) 2023-01-13 18:06:06 BuiltIn
Key Vault ad27588c-0198-4c84-81ef-08efd0274653 [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-01-13 18:06:06 BuiltIn
Data Factory 127ef6d7-242f-43b3-9eef-947faf1725d0 Azure Data Factory linked services should use Key Vault for storing secrets To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. Default
Audit
Allowed
Audit, Deny, Disabled
change
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2023-01-13 18:06:06 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.0.0 > 9.1.0) 2023-01-13 18:06:06 BuiltIn
Key Vault 86810a98-8e91-4a44-8386-ec66d0de5d57 [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-01-13 18:06:06 BuiltIn
App Service 7261b898-8a84-4db8-9e04-18527132abb3 App Service apps that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.0.0 > 3.1.0) 2023-01-13 18:06:06 BuiltIn
General a451c1ef-c6ca-483d-87ed-f49761e3ffb5 Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error-prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2023-01-13 18:06:06 BuiltIn
Backup 9ebbbba3-4d65-4da9-bb67-b22cfaaff090 [Preview]: Azure Recovery Services vaults should disable public network access Disabling public network access improves security by ensuring that recovery services vault is not exposed on the public internet. Creating private endpoints can limit exposure of recovery services vault. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-01-13 18:06:06 BuiltIn
Machine Learning f110a506-2dcb-422e-bcea-d533fc8c35e2 Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. Fixed
[parameters('effects')]
add
new Policy 2023-01-13 18:06:06 BuiltIn
Web PubSub b66ab71c-582d-4330-adfd-ac162e78691e Azure Web PubSub Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Web PubSub Service exclusively requires Azure Active Directory identities for authentication. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-01-13 18:06:06 BuiltIn
Key Vault 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5 [Preview]: Azure Key Vault Managed HSM keys should have an expiration date To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-01-13 18:06:06 BuiltIn
Data Factory 6809a3d0-d354-42fb-b955-783d207c62a8 Azure Data Factory linked service resource type should be in allow list Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. Default
Audit
Allowed
Audit, Deny, Disabled
change
Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2023-01-13 18:06:06 BuiltIn
SQL 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 [Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports This policy is deprecated. The policy ensures that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2023-01-13 18:06:06 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on Azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Azure Connected Machine Resource Administrator
change
Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-01-13 18:06:06 BuiltIn
Key Vault e58fd0c1-feac-4d12-92db-0a7e9421f53e [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-01-13 18:06:06 BuiltIn
Web PubSub 17f9d984-90c8-43dd-b7a6-76cb694815c1 Configure Azure Web PubSub Service to disable local authentication Disable local authentication methods so that your Azure Web PubSub Service exclusively requires Azure Active Directory identities for authentication. Default
Modify
Allowed
Modify, Disabled
count: 001
SignalR/Web PubSub Contributor
add
new Policy 2023-01-13 18:06:06 BuiltIn
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Deprecated]: Configure Microsoft Defender for APIs should be enabled This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs; additional steps are required to complete onboarding, available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Patch, new suffix: preview (1.0.0 > 1.0.1-preview) 2023-01-13 18:06:06 BuiltIn
Container Registry e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 Configure Container registries to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
change
Patch (1.0.0 > 1.0.1) 2023-01-13 18:06:06 BuiltIn
Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Windows machines should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (4.0.0 > 4.1.0) 2023-01-13 18:06:06 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.0.0 > 9.1.0) 2023-01-13 18:06:06 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.0.0 > 9.1.0) 2023-01-13 18:06:06 BuiltIn
SQL 86a912f6-9a06-4e26-b447-11b16ba8659f Deploy SQL DB transparent data encryption Enables transparent data encryption on SQL databases Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
SQL DB Contributor
change
Minor (2.1.0 > 2.2.0) 2023-01-13 18:06:06 BuiltIn
Event Hub 0602787f-9896-402a-a6e1-39ee63ee435e Event Hub Namespaces should disable public network access Azure Event Hub should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2023-01-13 18:06:06 BuiltIn
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by an AAD (Azure Active Directory) account or a list of users explicitly allowed by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-01-04 18:03:56 BuiltIn
Guest Configuration 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 [Preview]: Configure Windows Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by an AAD (Azure Active Directory) account or a list of users explicitly allowed by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-01-04 18:03:56 BuiltIn
SQL Deploy-Sql-vulnerabilityAssessments [Deprecated]: Deploy SQL Database vulnerability Assessments Deploy SQL Database vulnerability Assessments when they do not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 003
Monitoring Contributor
SQL Security Manager
Storage Account Contributor
change
Patch (1.0.0 > 1.0.1)
Superseded by: Deploy SQL Database Vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments_20230706) Custom ALZ
2023-01-04 04:18:03 ALZ
Security Center Deploy-ASC-SecurityContacts Deploy Microsoft Defender for Cloud Security Contacts Deploy Microsoft Defender for Cloud Security Contacts Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Minor (1.0.0 > 1.1.0) 2022-12-28 28:18:06 ALZ
Security Center 8893442c-e7cb-4637-bab8-299a5d4ed96a [Preview]: ChangeTracking extension should be installed on your Linux virtual machine Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (2.0.0 > 3.0.0) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory a7acfae7-9497-4a3f-a3b5-a16a50abbe2f [Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
add
new Policy 2022-12-21 17:43:51 BuiltIn
Guest Configuration 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 [Preview]: Configure Windows Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by an AAD (Azure Active Directory) account or a list of users explicitly allowed by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-12-21 17:43:51 BuiltIn
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (1.0.1 > 2.0.0) 2022-12-21 17:43:51 BuiltIn
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by an AAD (Azure Active Directory) account or a list of users explicitly allowed by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (2.0.0 > 3.0.0) 2022-12-21 17:43:51 BuiltIn
App Service f5c0bfb3-acea-47b1-b477-b0edcdf6edc1 App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2022-12-21 17:43:51 BuiltIn
Machine Learning f59276f0-5740-4aaf-821d-45d185aa210e Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace which is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
Guest Configuration fad40cac-a972-4db0-b204-f1b15cced89a Local authentication methods should be disabled on Linux machines Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by an AAD (Azure Active Directory) account or by a list of users explicitly allowed by this policy, improving overall security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
Machine Learning afe0c3be-ba3b-4544-ba52-0c99672a8ad6 Resource logs in Azure Machine Learning Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring 7f89b1eb-583c-429a-8828-af049802c1d9 Audit diagnostic setting for selected resource types Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. Fixed
AuditIfNotExists
change
Patch (2.0.0 > 2.0.1) 2022-12-21 17:43:51 BuiltIn
Security Center 9c0aa188-e5fe-4569-8f74-b6e155624d9a [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of the Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5192 [Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
Storage 7bd000e3-37c7-4928-9f31-86c4b77c5c45 Configure diagnostic settings for Queue Services to Log Analytics workspace Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any Queue Service which is missing these diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (4.0.0 > 4.0.1) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 [Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
App Service 33228571-70a4-4fa1-8ca1-26d0aba8d6ef [Deprecated]: App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-12-21 17:43:51 BuiltIn
Kubernetes c5110b6e-5272-4989-9935-59ad06fdf341 Azure Kubernetes Clusters should enable Container Storage Interface (CSI) The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Azure Kubernetes Service. To learn more, visit https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Disabled
add
new Policy 2022-12-21 17:43:51 BuiltIn
App Service ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd [Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-12-21 17:43:51 BuiltIn
Security Center d30025d0-6d64-656d-6465-67688881b632 [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Contributor
change
Major, suffix remains equal (2.0.1-preview > 3.0.0-preview) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory 8fd85785-1547-4a4a-bf90-d5483c9571c5 [Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (3.0.0 > 4.0.0) 2022-12-21 17:43:51 BuiltIn
Security Center 938c4981-c2c9-4168-9cd6-972b8675f906 Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2022-12-21 17:43:51 BuiltIn
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (1.0.1 > 2.0.0) 2022-12-21 17:43:51 BuiltIn
Security Center c9ae938d-3d6f-4466-b7c3-351761d9c890 [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of the Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Security Center f08f556c-12ff-464d-a7de-40cb5b6cccec [Preview]: Configure ChangeTracking Extension for Windows virtual machines Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Azure Databricks 51c1490f-3319-459c-bbbc-7f391bbed753 Azure Databricks Clusters should disable public IP Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2022-12-21 17:43:51 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4d2c [Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Security Center 1288c8d7-4b05-4e3a-bc88-9053caefc021 [Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory bef2d677-e829-492d-9a3d-f5a20fda818f [Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory 1142b015-2bd7-41e0-8645-a531afe09a1e [Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
Security Center ec88097d-843f-4a92-8471-78016d337ba4 [Preview]: Configure ChangeTracking Extension for Linux virtual machines Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Guest Configuration 5fe81c49-16b6-4870-9cee-45d13bf902ce Local authentication methods should be disabled on Windows Servers Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows servers don't have local authentication methods disabled. This is to validate that Windows Servers can only be accessed by an AAD (Azure Active Directory) account or by a list of users explicitly allowed by this policy, improving overall security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory 4485d24b-a9d3-4206-b691-1fad83bc5007 [Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of the Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major, suffix remains equal (2.1.1-preview > 3.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Security Center 30f52897-df47-4ca0-81a8-a3be3e8dd226 [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of the Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information, visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory ef9fe2ce-a588-4edd-829c-6247069dcfdb [Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
Azure Databricks 138ff14d-b687-4faa-a81c-898c91a87fa2 Resource logs in Azure Databricks Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2022-12-21 17:43:51 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on Azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Virtual Machine Contributor
change
Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2022-12-21 17:43:51 BuiltIn
App Service 801543d1-1953-4a90-b8b0-8cf6d41473a5 App Service apps should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (3.0.0 > 4.0.0) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 [Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
add
new Policy 2022-12-21 17:43:51 BuiltIn
Azure Databricks 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace which is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (5.0.0 > 6.0.0) 2022-12-21 17:43:51 BuiltIn
Security Center 10caed8a-652c-4d1d-84e4-2805b7c07278 [Preview]: Configure ChangeTracking Extension for Linux Arc machines Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
App Service a691eacb-474d-47e4-b287-b4813ca44222 App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2022-12-21 17:43:51 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4d00 [Preview]: ChangeTracking extension should be installed on your Windows virtual machine scale sets Install ChangeTracking Extension on Windows virtual machine scale sets to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
App Service 5747353b-1ca9-42c1-a4dd-b874b894f3d4 App Service app slots should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2022-12-21 17:43:51 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4cd5 [Preview]: Configure ChangeTracking Extension for Windows Arc machines Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Storage 2fb86bf3-d221-43d1-96d1-2434af34eaa0 Configure diagnostic settings for Table Services to Log Analytics workspace Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any Table Service which is missing these diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (4.0.0 > 4.0.1) 2022-12-21 17:43:51 BuiltIn
Security Center 221aac80-54d8-484b-83d7-24f4feac2ce0 [Preview]: ChangeTracking extension should be installed on your Windows virtual machine Install ChangeTracking Extension on Windows virtual machines to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Security Center e71c1e29-9c76-4532-8c4b-cb0573b0014c [Preview]: ChangeTracking extension should be installed on your Linux virtual machine scale sets Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on Azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Azure Connected Machine Resource Administrator
change
Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory ad1eeff9-20d7-4c82-a04e-903acab0bfc1 [Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (3.0.0 > 4.0.0) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory b6faa975-0add-4f35-8d1c-70bba45c4424 [Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring Deploy-Diagnostics-DataFactory Deploy Diagnostic Settings for Data Factory to Log Analytics workspace Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2022-12-16 16:17:44 ALZ
Monitoring c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 Deploy Diagnostic Settings for Network Security Groups This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. Fixed
deployIfNotExists
count: 002
Monitoring Contributor
Storage Account Contributor
change
Patch (2.0.0 > 2.0.1) 2022-12-09 17:45:23 BuiltIn
SQL ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Major (2.0.0 > 3.0.0) 2022-12-09 17:45:23 BuiltIn
Monitoring Deploy-Diagnostics-LogAnalytics Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2022-11-22 22:17:43 ALZ
Monitoring Deploy-Diagnostics-Databricks Deploy Diagnostic Settings for Databricks to Log Analytics workspace Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks workspace that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2022-11-21 21:17:43 ALZ
SQL Deploy-Sql-Tde [Deprecated] Deploy SQL Database Transparent Data Encryption Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
SQL Security Manager
change
Minor (1.0.0 > 1.1.0)

Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn
2022-11-17 17:17:42 ALZ
SQL Deploy-Sql-SecurityAlertPolicies Deploy SQL Database security Alert Policies configuration with email admin accounts Deploy the security Alert Policies configuration with email admin accounts when it does not exist in the current configuration Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
SQL Security Manager
change
Minor (1.0.0 > 1.1.1) 2022-11-17 17:17:42 ALZ
Network Deny-PublicIP [Deprecated] Deny the creation of public IP [Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters. Default
Deny
Allowed
Audit, Deny, Disabled
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Not allowed resource types (6c112d4e-5bc7-47ae-a041-ea2d9dccd749) BuiltIn
2022-11-14 14:17:43 ALZ
Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (3.0.0 > 3.0.1) 2022-11-04 17:41:52 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (2.1.0 > 3.0.0) 2022-11-04 17:41:52 BuiltIn
Security Center 1f90fc71-a595-4066-8974-d4d0802e8ef0 Microsoft Defender CSPM should be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2022-11-04 17:41:52 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (1.1.0 > 2.0.0) 2022-11-04 17:41:52 BuiltIn
Security Center 689f7782-ef2c-4270-a6d0-7664869076bd Configure Microsoft Defender CSPM to be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2022-11-04 17:41:52 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Major (1.1.0 > 2.0.0) 2022-11-04 17:41:52 BuiltIn
Network Deploy-DDoSProtection Deploy an Azure DDoS Network Protection plan Deploys an Azure DDoS Network Protection plan. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
change
Patch (1.0.0 > 1.0.1) 2022-11-03 03:17:41 ALZ
Monitoring Deploy-Nsg-FlowLogs [Deprecated] Deploys NSG flow logs and traffic analytics [Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to the storage account given by storageaccountid, with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure network security groups to enable traffic analytics (e920df7f-9a64-4066-9b58-52684c02a091) BuiltIn
2022-11-02 02:17:41 ALZ
Monitoring Deploy-Nsg-FlowLogs-to-LA [Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics [Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 005
Contributor
Log Analytics Contributor
Network Contributor
Storage Account Contributor
Storage Account Key Operator Service Role
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

Superseded by: Configure network security groups to enable traffic analytics (e920df7f-9a64-4066-9b58-52684c02a091) BuiltIn
2022-11-02 02:17:41 ALZ
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-10-28 16:42:53 BuiltIn
Automation dea83a72-443c-4292-83d5-54a2f98749c0 Automation Account should have Managed Identity Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using a RunAs Account in your runbook code. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2022-10-28 16:42:53 BuiltIn
Security Center 938c4981-c2c9-4168-9cd6-972b8675f906 Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2022-10-28 16:42:53 BuiltIn
Machine Learning a6f9a2d0-cff7-4855-83ad-4cd750666512 Configure Azure Machine Learning Computes to disable local authentication methods Disable local authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Modify
Allowed
Modify, Disabled
count: 001
Contributor
change
Major (1.0.0 > 2.0.0) 2022-10-28 16:42:53 BuiltIn
Kubernetes 5485eac0-7e8f-4964-998b-a44f4f0c1e75 Kubernetes cluster Windows containers should not run as ContainerAdministrator Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2022-10-28 16:42:53 BuiltIn
Machine Learning e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Audit
Allowed
Audit, Deny, Disabled
change
Major (1.0.0 > 2.0.0) 2022-10-28 16:42:53 BuiltIn
Monitoring Deploy-Diagnostics-AA Deploy Diagnostic Settings for Automation to Log Analytics workspace Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation account that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-iotHub Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-NIC Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interface that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-Relay Deploy Diagnostic Settings for Relay to Log Analytics workspace Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-Firewall Deploy Diagnostic Settings for Firewall to Log Analytics workspace Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-VNetGW Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-Databricks Deploy Diagnostic Settings for Databricks to Log Analytics workspace Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks workspace that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-WVDAppGroup Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.1 > 1.1.1) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-PostgreSQL Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-MariaDB Deploy Diagnostic Settings for MariaDB to Log Analytics workspace Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB server that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-ExpressRoute Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute circuit that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-DataFactory Deploy Diagnostic Settings for Data Factory to Log Analytics workspace Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-Website Deploy Diagnostic Settings for App Service to Log Analytics workspace Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-AVDScalingPlans Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-HDInsight Deploy Diagnostic Settings for HDInsight to Log Analytics workspace Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight cluster that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-LoadBalancer Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-LogicAppsISE Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-WebServerFarm Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-WVDHostPools Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pool that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.1.0 > 1.2.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-EventGridTopic Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-EventGridSystemTopic Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-TrafficManager Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager profile that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-VM Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machine that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-CDNEndpoints Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-VMSS Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Set that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-SignalR Deploy Diagnostic Settings for SignalR to Log Analytics workspace Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR resource that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-MySQL Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-DLAnalytics Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics account that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-Bastion Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion host that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-ApplicationGateway Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-Function Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-ACR Deploy Diagnostic Settings for Container Registry to Log Analytics workspace Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-CosmosDB Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB account that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-TimeSeriesInsights Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights environment that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-AnalysisService Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services server that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-SQLElasticPools Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pool that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-ApiForFHIR Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-RedisCache Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-WVDWorkspace Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.1 > 1.1.1) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-FrontDoor Deploy Diagnostic Settings for Front Door to Log Analytics workspace Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-NetworkSecurityGroups Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Group that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-DataExplorerCluster Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-PowerBIEmbedded Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-APIMgmt Deploy Diagnostic Settings for API Management to Log Analytics workspace Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-ACI Deploy Diagnostic Settings for Container Instances to Log Analytics workspace Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-CognitiveServices Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-MediaService Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-SQLMI Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instance that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-VirtualNetwork Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-MlWorkspace Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace that is missing these diagnostic settings is created or updated. The Policy will set the diagnostic settings with all metrics and categories enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled