| Category | Id | DisplayName | Description | Effect | Roles used | Details (UTC ymd) (i) |
|---|---|---|---|---|---|---|
| SQL | c8343d2f-fdc9-4a97-b76f-fc71d1163bfc | [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
2020-08-05 13:05:29
change: DisplayName previous DisplayName: [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings |
| SQL | aeb23562-188d-47cb-80b8-551f16ef9fff | [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
2020-08-05 13:05:29
change: DisplayName previous DisplayName: [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL Managed Instance advanced data security settings |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2020-08-05 13:05:29
change: DisplayName previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-08-05 13:05:29
change: DisplayName previous DisplayName: [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows virtual machines |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-08-05 13:05:29
change: DisplayName previous DisplayName: [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux virtual machines |
| SQL | 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 | [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
2020-08-05 13:05:29
change: DisplayName previous DisplayName: [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address to receive security alerts |
| App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-08-05 13:05:29
change: DisplayName previous DisplayName: App Configuration should use a customer managed key |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2020-07-17 15:57:10
add: Policy |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2020-07-17 15:57:10
add: Policy |
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-07-17 15:57:10
change: DisplayName previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-07-17 15:57:10
change: DisplayName previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. |
| Security Center | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Advanced threat protection should be enabled on Azure Key Vault vaults | Advanced threat protection provides an additional layer of protection of security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-14 15:28:17
change: DisplayName previous DisplayName: Advanced threat protection should be enabled on Key Vault |
| Security Center | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | Vulnerability assessment should be enabled on virtual machines | Monitors vulnerabilities detected by Azure Security Center vulnerability assessment on virtual machines. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-14 15:28:17
change: DisplayName previous DisplayName: [Preview] Vulnerability Assessment should be enabled on Virtual Machines |
| Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-14 15:28:17
change: DisplayName previous DisplayName: Adaptive application controls for whitelisting safe applications should be enabled on your machines |
| SQL | a8793640-60f7-487c-b5c3-1d37215905c4 | SQL Managed Instance should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-07-14 15:28:17
add: Policy |
| Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | Advanced threat protection should be enabled on Azure Storage accounts | Advanced threat protection provides detections of unusual and potentially harmful attempts to access or exploit Storage accounts. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-14 15:28:17
change: DisplayName previous DisplayName: Advanced threat protection should be enabled on Storage accounts |
| Security Center | 6581d072-105e-4418-827f-bd446d56421b | Advanced data security should be enabled on SQL servers on machines | Advanced data security provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to SQL database and discovering and classifying sensitive data. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-14 15:28:17
change: DisplayName previous DisplayName: Advanced data security should be enabled on SQL Server on Virtual Machines |
| Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | Advanced threat protection should be enabled on Azure Kubernetes Service clusters | Advanced threat protection provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-14 15:28:17
change: DisplayName previous DisplayName: Advanced threat protection should be enabled on Azure Kubernetes Service |
| Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | Advanced threat protection should be enabled on Azure Container Registry registries | Advanced threat protection provides scanning of container registries for security vulnerabilities on each pushed container image and exposes detailed findings per image. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-14 15:28:17
change: DisplayName previous DisplayName: Advanced threat protection should be enabled on Azure Container Registry |
| Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-14 15:28:17
change: DisplayName previous DisplayName: Whitelisting rules in your adaptive application control policy should be updated |
| SQL | 32e6bbec-16b6-44c2-be37-c5b672d103cf | Azure SQL Database should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-07-14 15:28:17
add: Policy |
| Security Center | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Advanced threat protection should be enabled on Azure App Service plans | Advanced threat protection leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-14 15:28:17
change: DisplayName previous DisplayName: Advanced threat protection should be enabled on App Service |
| Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | [Preview]: Kubernetes cluster pods and containers should only run with approved user and group IDs | This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Network | 12430be1-6cc8-4527-a9a8-e3d38f250096 | Web Application Firewall (WAF) should use the specified mode for Application Gateway | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Fixed: audit | none |
2020-07-08 14:28:08
change: DisplayName previous DisplayName: Audit public network access setting for Azure SQL Database |
| Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | [Preview]: Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | [Preview]: Kubernetes cluster containers should only use allowed seccomp profiles | This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Network | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Web Application Firewall (WAF) should be enabled for Application Gateway | Requires Web Application Firewall (WAF) on any Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Network | be7ed5c8-2660-4136-8216-e6f3412ba909 | [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Deny Allowed: (Audit,Deny,Disabled) |
none |
2020-07-08 14:28:08
change: DisplayName previous DisplayName: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway |
| Network | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Web Application Firewall (WAF) should be enabled for Azure Front Door Service | Requires Web Application Firewall (WAF) on any Azure Front Door Service. A Web Application Firewall provides greater security for your other Azure resources. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | [Preview]: Kubernetes cluster containers should run with a read only root file system | This policy ensures containers run with a read only root file system in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | [Preview]: Kubernetes cluster pods should only use allowed volume types | This policy ensures pods can only use allowed volume types in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Network | f6b68e5a-7207-4638-a1fb-47d90404209e | [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. | Default: Deny Allowed: (Audit,Deny,Disabled) |
none |
2020-07-08 14:28:08
change: DisplayName previous DisplayName: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service |
| SQL | 77e8b146-0078-4fb2-b002-e112381199f0 | Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. | Fixed: AuditIfNotExists | none |
2020-07-08 14:28:08
add: Policy |
| Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | [Preview]: Kubernetes cluster containers should only use allowed ProcMountType | This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | [Preview]: Kubernetes cluster containers should only use allowed capabilities | This policy ensures containers only use allowed capabilities in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | [Preview]: Kubernetes clusters should not allow container privilege escalation | This policy does not allow containers to use privilege escalation in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | [Preview]: Kubernetes cluster pods and containers should only use allowed SELinux options | This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | [Preview]: Kubernetes cluster pods should only use approved host network and port range | This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Network | 425bea59-a659-4cbb-8d31-34499bd030b8 | Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | [Preview]: Kubernetes cluster containers should not use forbidden sysctl interfaces | This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Fixed: audit | none |
2020-07-08 14:28:08
change: DisplayName previous DisplayName: Azure SQL Databases should have private endpoint connections |
| Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | [Preview]: Kubernetes cluster pod hostPath volumes should only use allowed host paths | This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | [Preview]: Kubernetes cluster containers should not share host process ID or host IPC namespace | This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | [Preview]: Kubernetes cluster containers should only use allowed AppArmor profiles | This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-07-08 14:28:08
add: Policy |
| SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Fixed: audit | none |
2020-07-01 14:50:07
add: Policy |
| SQL | e756b945-1b1b-480b-8de8-9a0859d5f7ad | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-01 14:50:07
change: DisplayName previous DisplayName: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings |
| SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Fixed: audit | none |
2020-07-01 14:50:07
add: Policy |
| VM Image Builder | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder templates should use private link | Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead which may expose resources directly to the internet and increase the potential attack surface. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-07-01 14:50:07
add: Policy |
| SQL | 9677b740-f641-4f3c-b9c5-466005c85278 | [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-01 14:50:07
change: DisplayName previous DisplayName: Advanced data security settings for SQL server should contain an email address to receive security alerts |
| SQL | bda18df3-5e41-4709-add9-2554ce68c966 | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings | It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-01 14:50:07
change: DisplayName previous DisplayName: Advanced Threat Protection types should be set to 'All' in SQL managed instance Advanced Data Security settings |
| SQL | 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 | [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-01 14:50:07
change: DisplayName previous DisplayName: Advanced data security settings for SQL managed instance should contain an email address to receive security alerts |
| SQL | c8343d2f-fdc9-4a97-b76f-fc71d1163bfc | [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-01 14:50:07
change: DisplayName previous DisplayName: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings |
| SQL | aeb23562-188d-47cb-80b8-551f16ef9fff | [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
2020-07-01 14:50:07
change: DisplayName previous DisplayName: Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings |
| SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private links | Audit Azure SignalR Service resources that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/asrs/privatelink. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-07-01 14:50:07
change: DisplayName previous DisplayName: [Preview]: Azure SignalR Service should use private links |
| Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-30 14:58:19
change: DisplayName previous DisplayName: Audit prerequisites to enable Guest Configuration policies on Windows VMs. |
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-06-29 05:46:45
change: DisplayName previous DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-06-29 05:46:45
change: DisplayName previous DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | n/a |
2020-06-29 05:46:45
remove: Policy (i) |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | n/a |
2020-06-29 05:46:45
remove: Policy (i) |
| Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | This policy helps provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting,disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2020-06-23 16:03:25
add: Policy |
| Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB account should use customer-managed keys to encrypt data at rest | Use customer-managed keys to control the encryption at rest of the data stored in Azure Cosmos DB when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. See https://aka.ms/cosmosdb-cmk | Default: audit Allowed: (audit,deny,disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Security Center | 6581d072-105e-4418-827f-bd446d56421b | Advanced data security should be enabled on SQL servers on machines | Advanced data security provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to SQL database and discovering and classifying sensitive data. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-06-23 16:03:25
change: DisplayName previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. |
| Security Center | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | Advanced data security should be enabled on Azure SQL Database servers | Advanced data security provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat on SQL database and discovering and classifying sensitive data. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | Advanced threat protection should be enabled on Azure Storage accounts | Advanced threat protection provides detections of unusual and potentially harmful attempts to access or exploit Storage accounts. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Security Center | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Advanced threat protection should be enabled on Azure App Service plans | Advanced threat protection leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Audit or deny resources that do not have any IP rules configured and allow all networks by default. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default: Deny Allowed: (Audit,Deny,Disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-06-23 16:03:25
add: Policy |
| Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor |
2020-06-23 16:03:25
add: Policy |
| Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | Advanced threat protection should be enabled on Azure Container Registry registries | Advanced threat protection provides scanning of container registries for security vulnerabilities on each pushed container image and exposes detailed findings per image. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-06-23 16:03:25
change: DisplayName previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. |
| API for FHIR | 0fea8f8a-4169-495d-8307-30ec335f387d | CORS should not allow every domain to access your API for FHIR | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. | Default: audit Allowed: (audit,disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Security Center | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | Advanced threat protection should be enabled on Virtual Machines | Advanced threat protection provides real-time threat protection for virtual machine workloads and generates hardening recommendations as well as alerts about suspicious activities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | Advanced threat protection should be enabled on Azure Kubernetes Service clusters | Advanced threat protection provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Security Center | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Advanced threat protection should be enabled on Azure Key Vault vaults | Advanced threat protection provides an additional layer of protection of security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2020-06-23 16:03:25
add: Policy |
| Kubernetes | 0a15ec92-a229-4763-bb14-0ea34a568f8d | [Preview]: Kubernetes Management Policy add-on should be installed and enabled on your clusters | Azure Kubernetes Management Policy add-on extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-06-23 16:03:25
add: Policy |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-06-22 16:06:25
change: DisplayName previous DisplayName: Deploy Dependency agent for Linux VMs |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy Dependency agent for Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-06-22 16:06:25
change: DisplayName previous DisplayName: Deploy Dependency agent for Windows VMs |
| Network | f6b68e5a-7207-4638-a1fb-47d90404209e | [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. | Default: Deny Allowed: (Audit,Deny,Disabled) |
none |
2020-06-11 19:46:04
add: Policy |
| Network | be7ed5c8-2660-4136-8216-e6f3412ba909 | [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Deny Allowed: (Audit,Deny,Disabled) |
none |
2020-06-11 19:46:04
add: Policy |
| Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' |
| Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | Show audit results from Windows VMs that allow re-use of the previous 24 passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords |
| Guest Configuration | 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 | Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled |
| Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Public network access should be disabled for Cognitive Services accounts | This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-06-09 16:25:53
add: Policy |
| Guest Configuration | 23020aa6-1135-4be2-bae2-149982b06eca | Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters |
| Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords |
| SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private links | Audit Azure SignalR Service resources that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/asrs/privatelink. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-06-09 16:25:53
add: Policy |
| Guest Configuration | 5c028d2a-1889-45f6-b821-31f42711ced8 | Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' |
| Cognitive Services | 11566b39-f7f7-4b82-ab06-68d8700eb0a4 | Cognitive Services accounts should use customer owned storage or enable data encryption. | This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-06-09 16:25:53
add: Policy |
| Guest Configuration | 106ccbe4-a791-4f33-a44a-06796944b8d5 | Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root | This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root |
| Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' |
| Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' |
| Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | [Preview]: Audit Linux virtual machines on which the use of passwords for SSH is allowed | This policy audits Linux virtual machines that use passwords for authenticating through SSH. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-09 16:25:53
add: Policy |
| Guest Configuration | 9178b430-2295-406e-bb28-f6a7a2a2f897 | Show audit results from Windows VMs configurations in 'Windows Components' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Windows Components' |
| Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' |
| Guest Configuration | 68511db2-bd02-41c4-ae6b-1900a012968a | Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected |
| Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 |
| Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | Show audit results from Windows VMs configurations in 'User Rights Assignment' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'User Rights Assignment' |
| Guest Configuration | 7229bd6a-693d-478a-87f0-1dc1af06f3b8 | Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' |
| Security Center | bb91dfba-c30d-4263-9add-9c2384e659a6 | Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-09 16:25:53
add: Policy |
| Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' |
| Guest Configuration | 30040dab-4e75-4456-8273-14b8f75d91d9 | Show audit results from Windows VMs configurations in 'Security Options - Network Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' |
| Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant |
| Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 |
| Guest Configuration | f48b2913-1dc5-4834-8c72-ccc1dfd819bb | Show audit results from Windows VMs that do not have the password complexity setting enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled |
| Guest Configuration | b872a447-cc6f-43b9-bccf-45703cd81607 | Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' |
| Guest Configuration | 7227ebe5-9ff7-47ab-b823-171cd02fb90f | Show audit results from Windows VMs on which the DSC configuration is not compliant | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs on which the DSC configuration is not compliant |
| Kubernetes | 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 | [Preview]: Deploy GitOps to Kubernetes cluster | This policy deploys a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth from the defined git repo. For instructions on using this policy, visit https://aka.ms/K8sGitOpsPolicy. | Fixed: DeployIfNotExists | Contributor |
2020-06-09 16:25:53
add: Policy |
| Guest Configuration | c8abcef9-fc26-482f-b8db-5fa60ee4586d | Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' |
| Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' |
| Guest Configuration | ddb53c61-9db4-41d4-a953-2abff5b66c12 | Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' |
| Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Linux VMs that have accounts without passwords |
| Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' |
| Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days |
| Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' |
| Guest Configuration | 8bbd627e-4d25-4906-9a6e-3789780af3ec | Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' |
| Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' |
| Guest Configuration | 9328f27e-611e-44a7-a244-39109d7d35ab | Show audit results from Windows VMs that contain certificates expiring within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days |
| Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' |
| Guest Configuration | 7066131b-61a6-4917-a7e4-72e8983f0aa6 | Show audit results from Windows VMs configurations in 'System Audit Policies - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' |
| Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' |
| Guest Configuration | 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c | Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' |
| Guest Configuration | 60aeaf73-a074-417a-905f-7ce9df0ff77b | Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' |
| Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' |
| Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' |
| Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' |
| Guest Configuration | f3b9ad83-000d-4dc1-bff0-6d54533dd03f | Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root |
| Guest Configuration | a1e8dda3-9fd2-4835-aec3-0e55531fde33 | Show audit results from Windows VMs configurations in 'Administrative Templates - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' |
| Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords |
| Guest Configuration | 5aa11bbc-5c76-4302-80e5-aba46a4282e7 | Show audit results from Windows VMs that do not have a minimum password age of 1 day | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have a minimum password age of 1 day |
| Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords |
| Cognitive Services | 2bdd0062-9d75-436e-89df-487dd8e4b3c7 | Cognitive Services accounts should enable data encryption | This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-06-09 16:25:53
add: Policy |
| Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' |
| Guest Configuration | 29829ec2-489d-4925-81b7-bda06b1718e0 | Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' |
| Guest Configuration | 225e937e-d32e-4713-ab74-13ce95b3519a | Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' |
| Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' |
| Guest Configuration | bc87d811-4a9b-47cc-ae54-0a41abda7768 | Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' |
| Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with customer managed key | This policy audits any Cognitive Services account not using data encryption with customer managed key. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-06-09 16:25:53
add: Policy |
| Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' |
| Guest Configuration | 620e58b5-ac75-49b4-993f-a9d4f0459636 | Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - System objects' |
| Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days |
| Guest Configuration | 87b590fe-4a1d-4697-ae74-d4fe72ab786c | Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' |
| Cognitive Services | 46aa9b05-0e60-4eae-a88b-1e9d374fa515 | Cognitive Services accounts should use customer owned storage | This policy audits any Cognitive Services account not using customer owned storage. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-06-09 16:25:53
add: Policy |
| Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' |
| Guest Configuration | b3802d79-dd88-4bce-b81d-780218e48280 | Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' |
| Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' |
| Guest Configuration | ba12366f-f9a6-42b8-9d98-157d0b1a837b | Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' |
| Guest Configuration | 21e2995e-683e-497a-9e81-2f42ad07050a | Show audit results from Windows VMs configurations in 'Security Options - Audit' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Audit' |
| Guest Configuration | 2d60d3b7-aa10-454c-88a8-de39d99d17c6 | Show audit results from Windows VMs that do not store passwords using reversible encryption | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption |
| Guest Configuration | 5aebc8d1-020d-4037-89a0-02043a7524ec | Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters |
| Guest Configuration | fcbc55c9-f25a-4e55-a6cb-33acb3be778b | Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' |
| Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' |
| Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day |
| Guest Configuration | 8a39d1f1-5513-4628-b261-f469a5a3341b | Show audit results from Windows VMs configurations in 'Security Options - System settings' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - System settings' |
| Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' |
| Guest Configuration | e3a77a94-cf41-4ee8-b45c-98be28841c03 | Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' |
| Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | Show audit results from Windows VMs on which the remote host connection status does not match the specified one | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one |
| Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords |
| Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' |
| Guest Configuration | 8ff0b18b-262e-4512-857a-48ad0aeb9a78 | Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption |
| Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' |
| Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' |
| Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' |
| Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' |
| Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' |
| Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' |
| Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' |
| Guest Configuration | 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce | Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' |
| Guest Configuration | 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 | Show audit results from Windows VMs configurations in 'Security Options - Devices' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Devices' |
| Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' |
| Guest Configuration | 7e84ba44-6d03-46fd-950e-5efa5a1112fa | Show audit results from Windows VMs that have not restarted within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs that have not restarted within the specified number of days |
| Guest Configuration | dd4680ed-0559-4a6a-ad10-081d14cbb484 | Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' |
| Guest Configuration | c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 | Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days |
| Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' |
| Guest Configuration | a030a57e-4639-4e8f-ade9-a92f33afe7ee | Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected |
| Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days |
| Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-06-09 16:25:53
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one |
| SQL | abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 | Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-08 18:42:36
change: DisplayName previous DisplayName: Advanced data security should be enabled on your SQL managed instances |
| Security Center | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-08 18:42:36
change: DisplayName previous DisplayName: DDoS Protection Standard should be enabled |
| Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-08 18:42:36
change: DisplayName previous DisplayName: Adaptive Application Controls should be enabled on virtual machines |
| SQL | 1b7aa243-30e4-4c9e-bca8-d0d3022b634a | Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-08 18:42:36
change: DisplayName previous DisplayName: Vulnerability assessment should be enabled on your SQL managed instances |
| Security Center | b0f33259-77d7-4c9e-aac6-3aabcfae693c | Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-01 18:36:18
change: DisplayName previous DisplayName: Just-In-Time network access control should be applied on virtual machines |
| Kubernetes service | 0f636243-1b1c-4d50-880f-310f6199f2cb | [Deprecated]: Ensure containers listen only on allowed ports in AKS | This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2020-06-01 18:36:18
change: DisplayName previous DisplayName: [Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS |
| Kubernetes service | 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | [Deprecated]: Ensure only allowed container images in AKS | This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2020-06-01 18:36:18
change: DisplayName previous DisplayName: [Limited Preview]: [AKS] Ensure only allowed container images in AKS |
| Security Center | bd352bd5-2853-4985-bf0d-73806b4a5744 | IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-06-01 18:36:18
change: DisplayName previous DisplayName: [Preview]: IP Forwarding on your virtual machine should be disabled |
| Kubernetes service | d011d9f7-ba32-4005-b727-b3d09371ca60 | [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS | This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2020-06-01 18:36:18
change: DisplayName previous DisplayName: [Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS |
| Kubernetes service | 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | [Deprecated]: Enforce HTTPS ingress in AKS | This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2020-06-01 18:36:18
change: DisplayName previous DisplayName: [Limited Preview]: [AKS] Enforce HTTPS ingress in AKS |
| Cache | 22bee202-a82f-4305-9a2a-6d7f44d4dedb | Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-06-01 18:36:18
change: DisplayName previous DisplayName: Only secure connections to your Redis Cache should be enabled |
| Kubernetes service | 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | [Deprecated]: Do not allow privileged containers in AKS | This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2020-06-01 18:36:18
change: DisplayName previous DisplayName: [Limited Preview]: [AKS] Do not allow privileged containers in AKS |
| Kubernetes service | a74d8f00-2fd9-4ce4-968e-0ee1eb821698 | [Deprecated]: Enforce internal load balancers in AKS | This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2020-06-01 18:36:18
change: DisplayName previous DisplayName: [Limited Preview]: [AKS] Enforce internal load balancers in AKS |
| Kubernetes service | 16c6ca72-89d2-4798-b87e-496f9de7fcb7 | [Deprecated]: Enforce labels on pods in AKS | This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2020-06-01 18:36:18
change: DisplayName previous DisplayName: [Limited Preview]: [AKS] Enforce labels on pods in AKS |
| Kubernetes service | 25dee3db-6ce0-4c02-ab5d-245887b24077 | [Deprecated]: Ensure services listen only on allowed ports in AKS | This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2020-06-01 18:36:18
change: DisplayName previous DisplayName: [Limited Preview]: [AKS] Ensure services listen only on allowed ports in AKS |
| Kubernetes service | a2d3ed81-8d11-4079-80a5-1faadc0024f4 | [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS | This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2020-06-01 18:36:18
change: DisplayName previous DisplayName: [Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS |
| Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private links | Audit Azure Event Grid topics that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections via private links. For more information, visit https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-05-29 15:39:09
add: Policy |
| Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | [Preview]: Deploy Dependency agent to Windows Azure Arc machines | This policy deploys the Dependency agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-05-29 15:39:09
change: DisplayName previous DisplayName: [Preview]: Deploy Dependency agent to hybrid Windows VMs managed in Azure Arc |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines | This policy deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-05-29 15:39:09
change: DisplayName previous DisplayName: [Preview]: Deploy Log Analytics agent to hybrid Windows VMs managed in Azure Arc |
| Cosmos DB | 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf | Azure Cosmos DB throughput should be limited | This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. | Default: deny Allowed: (audit,deny,disabled) |
none |
2020-05-29 15:39:09
add: Policy |
| Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private links | Audit Azure Event Grid domains that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections via private links. For more information, visit https://aka.ms/privateendpoints. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-05-29 15:39:09
add: Policy |
| Monitoring | 842c54e8-c2f9-4d79-ae8d-38d8b8019373 | [Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-05-29 15:39:09
add: Policy |
| Monitoring | deacecc0-9f84-44d2-bb82-46f32d766d43 | [Preview]: Deploy Dependency agent to hybrid Linux Azure Arc machines | This policy deploys the Dependency agent to Linux Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-05-29 15:39:09
add: Policy |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container Registries should be encrypted with a Customer-Managed Key (CMK) | Audit Container Registries that do not have encryption enabled with Customer-Managed Keys (CMK). For more information on CMK encryption, please visit: https://aka.ms/acr/CMK. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-05-29 15:39:09
change: DisplayName previous DisplayName: [Preview]: Container Registries should be encrypted with a Customer-Managed Key (CMK) |
| Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Azure Security Center alerts and recommendations | Enable export to Event Hub of Azure Security Center alerts and/or recommendations. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2020-05-29 15:39:09
add: Policy |
| Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-05-29 15:39:09
add: Policy |
| Cognitive Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-05-29 15:39:09
add: Policy |
| API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Virtual network on API Management services of the specified SKU should be enabled. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-05-29 15:39:09
add: Policy |
| Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | [Preview]: Deploy Log Analytics agent to Linux Azure Arc machines | This policy deploys the Log Analytics agent to Linux Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-05-29 15:39:09
add: Policy |
| Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Azure Security Center alerts | Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2020-05-29 15:39:09
add: Policy |
| Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container Registries should not allow unrestricted network access | Audit Container Registries that do not have any Network (IP or VNET) Rules configured and allow all network access by default. Container Registries with at least one IP / Firewall rule or configured virtual network will be deemed compliant. For more information on Container Registry Network rules, please visit: https://aka.ms/acr/vnet. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-05-29 15:39:09
change: DisplayName previous DisplayName: [Preview]: Container Registries should not allow unrestricted network access |
| Cosmos DB | 4750c32b-89c0-46af-bfcb-2e4541a818d5 | Azure Cosmos DB key based metadata write access should be disabled | This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. | Fixed: append | none |
2020-05-29 15:39:09
add: Policy |
| Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Azure Security Center recommendations | Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2020-05-29 15:39:09
add: Policy |
| Monitoring | d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e | [Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-05-29 15:39:09
add: Policy |
| Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container Registries should use private links | Audit Container Registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/acr/private-link. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-05-29 15:39:09
change: DisplayName previous DisplayName: [Preview]: Container Registries should use private links |
| Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations | Enable export to Log Analytics workspace of Azure Security Center alerts and/or recommendations. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor |
2020-05-29 15:39:09
add: Policy |
| Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | Azure Cache for Redis should reside within a virtual network | Azure Cache for Redis has the ability to reside within a virtual network, which is a way for the resource to have a non-public endpoint controlled and managed by the user. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-05-21 16:06:38
add: Policy |
| Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines | This policy deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-05-21 16:06:38
add: Policy |
| Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | [Preview]: Deploy Dependency agent to Windows Azure Arc machines | This policy deploys the Dependency agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-05-13 05:56:52
add: Policy |
| Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | This policy helps provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting,disabled) |
none |
2020-05-13 05:56:52
add: Policy |
| Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | This policy helps provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting,disabled) |
none |
2020-05-13 05:56:52
add: Policy |
| Security Center | 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616 | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
2020-05-13 05:56:52
add: Policy |
| Security Center | 6df2fee6-a9ed-4fef-bced-e13be1b25f1c | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
2020-05-13 05:56:52
add: Policy |
| Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | This policy helps provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting,disabled) |
none |
2020-05-13 05:56:52
add: Policy |
| Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | This policy helps configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting,disabled) |
none |
2020-05-13 05:56:52
add: Policy |
| Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | This policy helps provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting Allowed: (enforceSetting,disabled) |
none |
2020-05-13 05:56:52
add: Policy |
| Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2020-05-09 14:57:51
change: DisplayName previous DisplayName: Audit unrestricted network access to storage accounts |
| Compute | cccc23c7-8427-4f53-ad12-b6a63eb452b3 | Allowed virtual machine size SKUs | This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Fixed: Deny | none |
2020-05-09 14:57:51
change: DisplayName previous DisplayName: Allowed virtual machine SKUs |
| SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | This policy audits PostgreSQL servers in your environment with public network access enabled. For more details, visit https://go.microsoft.com/fwlink/?linkid=2120015. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-04-28 14:50:57
add: Policy |
| SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | Bring your own key data protection should be enabled for PostgreSQL servers | This policy audits PostgreSQL servers in your environment without bring your own key data protection enabled. For more details, visit https://aka.ms/postgresqlbyok. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-04-28 14:50:57
add: Policy |
| SQL | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | Public network access should be disabled for MariaDB servers | This policy audits MariaDB servers in your environment with public network access enabled. For more details, visit https://go.microsoft.com/fwlink/?linkid=2119542. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-04-28 14:50:57
add: Policy |
| SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | Bring your own key data protection should be enabled for MySQL servers | This policy audits MySQL servers in your environment without bring your own key data protection enabled. For more details, visit https://aka.ms/mysqlbyok. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-04-28 14:50:57
add: Policy |
| Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container Registries should use private links | Audit Container Registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/acr/private-link. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-04-28 14:50:57
add: Policy |
| SQL | d9844e8a-1437-4aeb-a32c-0c992f056095 | Public network access should be disabled for MySQL servers | This policy audits MySQL servers in your environment with public network access enabled. For more details, visit https://go.microsoft.com/fwlink/?linkid=2120014. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-04-28 14:50:57
add: Policy |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | [Preview]: Enforce labels on pods in Kubernetes cluster | This policy enforces the specified labels are provided for pods in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2020-04-23 15:06:19
change: DisplayName previous DisplayName: [Preview]: [AKS Engine] Enforce labels on pods in Kubernetes cluster |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | [Preview]: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2020-04-23 15:06:19
change: DisplayName previous DisplayName: [Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | [Preview]: Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2020-04-23 15:06:19
change: DisplayName previous DisplayName: [Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2020-04-23 15:06:19
change: DisplayName previous DisplayName: [Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | [Preview]: Do not allow privileged containers in Kubernetes cluster | This policy does not allow privileged containers creation in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2020-04-23 15:06:19
change: DisplayName previous DisplayName: [Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | [Preview]: Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2020-04-23 15:06:19
change: DisplayName previous DisplayName: [Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | [Preview]: Enforce internal load balancers in Kubernetes cluster | This policy enforces load balancers do not have public IPs in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2020-04-23 15:06:19
change: DisplayName previous DisplayName: [Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster |
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Preview]: Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2020-04-23 15:06:19
change: DisplayName previous DisplayName: [Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | [Preview]: Enforce HTTPS ingress in Kubernetes cluster | This policy enforces HTTPS ingress in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2020-04-23 15:06:19
change: DisplayName previous DisplayName: [Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster |
| Monitoring | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 | Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists | none |
2020-04-22 04:43:16
change: DisplayName previous DisplayName: [Preview]: Audit Dependency Agent Deployment in Virtual Machine Scale Sets - VM Image (OS) unlisted |
| Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists | none |
2020-04-22 04:43:16
change: DisplayName previous DisplayName: [Preview]: Audit Log Analytics Agent Deployment in Virtual Machine Scale Sets - VM Image (OS) unlisted |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Virtual Machine Contributor |
2020-04-22 04:43:16
change: DisplayName previous DisplayName: [Preview]: Deploy Dependency Agent for Linux Virtual Machine Scale Sets |
| Monitoring | 11ac78e3-31bc-4f0c-8434-37ab963cea07 | Audit Dependency agent deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists | none |
2020-04-22 04:43:16
change: DisplayName previous DisplayName: [Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted |
| Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy Dependency agent for Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-04-22 04:43:16
change: DisplayName previous DisplayName: [Preview]: Deploy Dependency Agent for Windows VMs |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Virtual Machine Contributor |
2020-04-22 04:43:16
change: DisplayName previous DisplayName: [Preview]: Deploy Dependency Agent for Windows Virtual Machine Scale Sets |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Log Analytics Contributor Virtual Machine Contributor |
2020-04-22 04:43:16
change: DisplayName previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows Virtual Machine Scale Sets |
| Monitoring | f47b5582-33ec-4c5c-87c0-b010a6b2e917 | Audit Log Analytics workspace for VM - Report Mismatch | Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | Fixed: audit | none |
2020-04-22 04:43:16
change: DisplayName previous DisplayName: [Preview]: Audit Log Analytics Workspace for VM - Report Mismatch |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Log Analytics Contributor Virtual Machine Contributor |
2020-04-22 04:43:16
change: DisplayName previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux Virtual Machine Scale Sets |
| Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-04-22 04:43:16
change: DisplayName previous DisplayName: [Preview]: Deploy Dependency Agent for Linux VMs |
| Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics agent for Linux VMs | Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-04-22 04:43:16
change: DisplayName previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux VMs |
| Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy Log Analytics agent for Windows VMs | Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: deployIfNotExists | Log Analytics Contributor |
2020-04-22 04:43:16
change: DisplayName previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows VMs |
| Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-03-17 09:22:59
add: Policy |
| Cosmos DB | 0473574d-2d43-4217-aefe-941fcdf7e684 | Azure Cosmos DB allowed locations | This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. |
Default: deny Allowed: (deny,audit,disabled) |
none |
2020-03-17 09:22:59
add: Policy |
| Guest Configuration | 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d | [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-03-17 09:22:59
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled |
| Network | fc5e4038-4584-4632-8c85-c0448d374b2c | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-03-17 09:22:59
add: Policy |
| Guest Configuration | 0d9b45ff-9ddd-43fc-bf59-fbd1c8423053 | [Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-03-17 09:22:59
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled |
| Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | [Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled | Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. This policy requires the Azure Policy for Windows extension. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-03-17 09:22:59
add: Policy |
| Tags | 8ce3da23-7156-49e4-b145-24f95f9dcb46 | Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | Fixed: deny | none |
2020-03-10 16:29:49
change: DisplayName previous DisplayName: Require tag and its value on resource groups |
| Tags | 871b6d14-10aa-478d-b590-94f262ecfa99 | Require a tag on resources | Enforces existence of a tag. Does not apply to resource groups. | Fixed: deny | none |
2020-03-10 16:29:49
change: DisplayName previous DisplayName: Require specified tag |
| Tags | 49c88fc8-6fd1-46fd-a676-f12d1d3a4c71 | Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append | none |
2020-03-10 16:29:49
change: DisplayName previous DisplayName: Append tag and its default value to resource groups |
| Tags | 2a0e14a6-b0a6-4fab-991a-187a4f81c498 | Append a tag and its value to resources | Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append | none |
2020-03-10 16:29:49
change: DisplayName previous DisplayName: Append tag and its default value |
| Tags | 96670d01-0a4d-4649-9c89-2d3abc0a5025 | Require a tag on resource groups | Enforces existence of a tag on resource groups. | Fixed: deny | none |
2020-03-10 16:29:49
change: DisplayName previous DisplayName: Require specified tag on resource groups |
| Tags | 9ea02ca2-71db-412d-8b00-7c7ca9fcd32d | Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append | none |
2020-03-10 16:29:49
change: DisplayName previous DisplayName: Append tag and its value from the resource group |
| Tags | 1e30110a-5ceb-460c-a204-c1c3969c6d62 | Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | Fixed: deny | none |
2020-03-10 16:29:49
change: DisplayName previous DisplayName: Require tag and its value |
| Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists | none |
2020-02-29 21:43:10
change: DisplayName previous DisplayName: [Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted |
| Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Log Analytics Contributor Virtual Machine Contributor |
2020-02-29 21:43:10
change: DisplayName previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS) |
| Monitoring | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 | Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists | none |
2020-02-29 21:43:10
change: DisplayName previous DisplayName: [Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted |
| Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Virtual Machine Contributor |
2020-02-29 21:43:10
change: DisplayName previous DisplayName: [Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS) |
| Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Virtual Machine Contributor |
2020-02-29 21:43:10
change: DisplayName previous DisplayName: [Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS) |
| Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Log Analytics Contributor Virtual Machine Contributor |
2020-02-29 21:43:10
change: DisplayName previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS) |
| SQL | dfbd9a64-6114-48de-a47d-90574dc2e489 | MariaDB server should use a virtual network service endpoint | This policy audits MariaDB servers not configured to use a virtual network service endpoint. For more details, visit https://aka.ms/mariadbvirtualnetwork. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-02-27 09:26:21
add: Policy |
| SQL | 3c14b034-bcb6-4905-94e7-5b8e98a47b65 | PostgreSQL server should use a virtual network service endpoint | This policy audits PostgreSQL servers not configured to use a virtual network service endpoint. For more details, visit https://aka.ms/postgresqlvnet. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-02-27 09:26:21
add: Policy |
| SQL | 3375856c-3824-4e0e-ae6a-79e011dd4c47 | MySQL server should use a virtual network service endpoint | This policy audits MySQL servers not configured to use a virtual network service endpoint. For more details, visit https://aka.ms/mysqlvnet. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-02-27 09:26:21
add: Policy |
| SQL | 0564d078-92f5-4f97-8398-b9f58a51f70b | Private endpoint should be enabled for PostgreSQL servers | This policy audits PostgreSQL servers not configured to use a private endpoint. For more details, visit https://aka.ms/pgprivatelink. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-02-27 09:26:21
add: Policy |
| SQL | 0a1302fb-a631-4106-9753-f3d494733990 | Private endpoint should be enabled for MariaDB servers | This policy audits MariaDB servers not configured to use a private endpoint. For more details, visit https://aka.ms/mariadbprivatelink. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-02-27 09:26:21
add: Policy |
| SQL | 7595c971-233d-4bcf-bd18-596129188c49 | Private endpoint should be enabled for MySQL servers | This policy audits MySQL servers not configured to use a private endpoint. For more details, visit https://aka.ms/mysqlprivatelink. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-02-27 09:26:21
add: Policy |
| Security Center | 1a833ff1-d297-4a0f-9944-888428f8e0ff | [Deprecated]: Access to App Services should be restricted | Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges that are too broad | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
2020-02-25 11:29:35
change: DisplayName previous DisplayName: [Preview]: Access to App Services should be restricted |
| Tags | 40df99da-1232-49b1-a39a-6da8d878f469 | Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | Fixed: modify | Contributor |
2020-02-20 08:25:18
add: Policy |
| Security Center | 201ea587-7c90-41c3-910f-c280ae01cfd6 | [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM | Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
2020-02-20 08:25:18
change: DisplayName previous DisplayName: Web ports should be restricted on Network Security Groups associated to your VM |
| Tags | b27a0cbd-a167-4dfa-ae64-4337be671140 | Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | Fixed: modify | Contributor |
2020-02-20 08:25:18
add: Policy |
| Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container Registries should not allow unrestricted network access | Audit Container Registries that do not have any Network (IP or VNET) Rules configured and allow all network access by default. Container Registries with at least one IP / Firewall rule or configured virtual network will be deemed compliant. For more information on Container Registry Network rules, please visit: https://aka.ms/acr/vnet. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-02-12 02:52:44
add: Policy |
| Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container Registries should be encrypted with a Customer-Managed Key (CMK) | Audit Container Registries that do not have encryption enabled with Customer-Managed Keys (CMK). For more information on CMK encryption, please visit: https://aka.ms/acr/CMK. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-02-12 02:52:44
add: Policy |
| App Platform | 0f2d8593-4667-4932-acca-6a9f187af109 | [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled | Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-02-12 02:52:44
add: Policy |
| Monitoring | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | [Preview]: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed: deployIfNotExists | Monitoring Contributor Log Analytics Contributor |
2020-02-12 02:52:44
add: Policy |
| App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-02-12 02:52:44
add: Policy |
| App Configuration | ca610c1d-041c-4332-9d88-7ed3094967c7 | App Configuration should use a private link | Private endpoint connections allow clients on a virtual network to securely access Azure App Configuration over a private link. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-02-12 02:52:44
add: Policy |
| App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-02-08 03:50:24
change: DisplayName previous DisplayName: Ensure that 'Java version' is the latest, if used as a part of the Funtion app |
| Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2020-02-08 03:50:24
change: DisplayName previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)' |
| Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none |
2020-02-08 03:50:24
change: DisplayName previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)' |
| Monitoring | b954148f-4c11-4c38-8221-be76711e194a | An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-01-29 21:53:30
add: Policy |
| Network | e372f825-a257-4fb8-9175-797a8a8627d6 | RDP access from the Internet should be blocked | This policy audits any network security rule that allows RDP access from Internet | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-01-29 21:53:30
add: Policy |
| Security Center | ac076320-ddcf-4066-b451-6154267e8ad2 | Enable Azure Security Center on your subscription | Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard), will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. | Fixed: deployIfNotExists | Security Admin |
2020-01-29 21:53:30
add: Policy |
| Network | 2c89a2e5-7285-40fe-afe0-ae8654b92fab | SSH access from the Internet should be blocked | This policy audits any network security rule that allows SSH access from Internet | Default: Audit Allowed: (Audit,Disabled) |
none |
2020-01-29 21:53:30
add: Policy |
| Monitoring | 3b980d31-7904-4bb7-8575-5665739a8052 | An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-01-29 21:53:30
add: Policy |
| Monitoring | c5447c04-a4d7-4ba8-a263-c9ee321a6858 | An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-01-29 21:53:30
add: Policy |
| Security Center | af8051bf-258b-44e2-a2bf-165330459f9d | [Deprecated]: Monitor unaudited SQL servers in Azure Security Center | SQL servers which don't have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Auditing should be enabled on advanced data security settings on SQL Server' | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-01-29 05:56:46
change: DisplayName previous DisplayName: [Deprecated] Monitor unaudited SQL servers in Azure Security Center |
| Security Center | a8bef009-a5c9-4d0f-90d7-6018734e8a16 | [Deprecated]: Monitor unencrypted SQL databases in Azure Security Center | Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent Data Encryption on SQL databases should be enabled' | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-01-29 05:56:46
change: DisplayName previous DisplayName: [Deprecated] Monitor unencrypted SQL databases in Azure Security Center |
| Security Center | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-01-10 16:39:23
change: DisplayName previous DisplayName: Virtual machines should be associated with a Network Security Group |
| Security Center | 201ea587-7c90-41c3-910f-c280ae01cfd6 | [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM | Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports | Default: Disabled Allowed: (AuditIfNotExists,Disabled) |
none |
2020-01-10 16:39:23
change: DisplayName previous DisplayName: The NSGs rules for web applications on IaaS should be hardened |
| SQL | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-01-10 16:39:23
change: DisplayName previous DisplayName: Auditing should be enabled on advanced data security settings on SQL Server |
| Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2020-01-10 16:39:23
change: DisplayName previous DisplayName: Network Security Group Rules for Internet facing virtual machines should be hardened |
| Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Windows Firewall Properties' |
| Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)' |
| Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Windows Components' |
| Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Network Security' |
| Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' |
| Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - Network' |
| Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' |
| Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Recovery console' |
| Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Devices' |
| Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - User Account Control' |
| Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Audit' |
| Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' |
| Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - System objects' |
| Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Account Logon' |
| Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' |
| Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Settings - Account Policies' |
| Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Object Access' |
| Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Shutdown' |
| Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - System' |
| Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'User Rights Assignment' |
| Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Policy Change' |
| Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - System' |
| Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Network Access' |
| Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - Control Panel' |
| Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' |
| Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Accounts' |
| Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Account Management' |
| Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Interactive Logon' |
| Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor |
2019-12-17 15:43:46
change: DisplayName previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - System settings' |
| App Service | c4ebc54a-46e1-481a-bee2-d4411e95d828 | Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-12-11 09:18:30
add: Policy |
| Backup | 013e242c-8828-4970-87b3-ab247555486d | Azure Backup should be enabled for Virtual Machines | This policy helps audit if Azure Backup service is enabled for all Virtual machines. Azure Backup is a cost-effective, one-click backup solution simplifies data recovery and is easier to enable than other cloud backup services. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-12-11 09:18:30
add: Policy |
| App Service | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | Authentication should be enabled on your Function app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-12-11 09:18:30
add: Policy |
| Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | [Preview]: Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed: deployIfNotExists | Contributor |
2019-12-11 09:18:30
change: DisplayName previous DisplayName: Configure time zone on Windows machines. |
| App Service | 95bccee9-a7f8-4bec-9ee9-62c3473701fc | Authentication should be enabled on your web app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-12-11 09:18:30
add: Policy |
| Monitoring | fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 | Storage account containing the container with activity logs must be encrypted with BYOK | This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-12-11 09:18:30
add: Policy |
| Monitoring | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-27 16:06:41
add: Policy |
| Monitoring | 04c4380f-3fae-46e8-96c9-30193528f602 | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-27 16:06:41
add: Policy |
| Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | [Preview]: Manage certificates that are within a specified number of days of expiration | This policy manages certificates that are within a specified number of days to their expiration date. | Default: audit Allowed: (audit,deny,disabled) |
none |
2019-11-19 11:26:09
change: DisplayName previous DisplayName: [Preview]: Certificates should not expire in the specified number of days |
| Key Vault | cee51871-e572-4576-855c-047c820360f0 | [Preview]: Manage minimum key size for RSA certificates | This policy manages the minimum key size for RSA certificates. | Default: audit Allowed: (audit,deny,disabled) |
none |
2019-11-19 11:26:09
change: DisplayName previous DisplayName: [Preview]: Certificate key sizes should be sufficiently large |
| Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on VMs of a location to an existing central Vault in the same location | This policy configures Azure Backup protection on VMs in a given location to an existing central vault in the same location. It applies to only those VMs that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond the defined schedule. This policy will be enhanced to support more VM images. | Default: deployIfNotExists Allowed: (deployIfNotExists,auditIfNotExists,disabled) |
Virtual Machine Contributor Backup Contributor |
2019-11-19 11:26:09
change: DisplayName previous DisplayName: Deploy prerequisites to backup VMs of a location to an existing central Vault in the same location |
| Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | [Preview]: Manage certificates issued by a non-integrated CA | This policy manages certificates are issued by a specified non-integrated Certificate Authority. | Default: audit Allowed: (audit,deny,disabled) |
none |
2019-11-19 11:26:09
change: DisplayName previous DisplayName: [Preview]: Certificates should be issued by an approved custom Certificate Authority provider |
| Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | [Preview]: Manage certificate validity period | This policy manages the maximum validity period for certificates in months. | Default: audit Allowed: (audit,deny,disabled) |
none |
2019-11-19 11:26:09
change: DisplayName previous DisplayName: [Preview]: Certificates should not have a lengthy validity period |
| Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | [Preview]: Manage allowed certificate key types | This policy manages the allowed key types for certificates. | Default: audit Allowed: (audit,deny,disabled) |
none |
2019-11-19 11:26:09
change: DisplayName previous DisplayName: [Preview]: Certificates should have the specified key types |
| Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | [Preview]: Manage certificate lifetime action triggers | This policy manages the configuration for certificate lifetime action triggers before certificate expiration. | Default: audit Allowed: (audit,deny,disabled) |
none |
2019-11-19 11:26:09
change: DisplayName previous DisplayName: [Preview]: Certificates should have the specified lifetime action trigger |
| Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | [Preview]: Manage certificates issued by an integrated CA | This policy manages certificates are issued by a specified key vault integrated Certificate Authority. | Default: audit Allowed: (audit,deny,disabled) |
none |
2019-11-19 11:26:09
change: DisplayName previous DisplayName: [Preview]: Certificates should be issued by an approved Azure Key Vault supported Certificate Authority provider |
| App Service | ab965db2-d2bf-4b64-8b39-c38ec8179461 | Ensure that 'PHP version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | f0473e7a-a1ba-4e86-afb2-e829e11b01d8 | Ensure that Register with Azure Active Directory is enabled on Function App | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 | Ensure that '.NET Framework' version is the latest, if used as a part of the API app | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| Kubernetes service | a74d8f00-2fd9-4ce4-968e-0ee1eb821698 | [Deprecated]: Enforce internal load balancers in AKS | This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2019-11-12 19:11:12
change: DisplayName previous DisplayName: [Limited Preview]: Enforce internal load balancers in AKS |
| App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | Ensure that 'Java version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| Kubernetes service | 25dee3db-6ce0-4c02-ab5d-245887b24077 | [Deprecated]: Ensure services listen only on allowed ports in AKS | This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2019-11-12 19:11:12
change: DisplayName previous DisplayName: [Limited Preview]: Ensure services listen only on allowed ports in AKS |
| App Service | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit Allowed: (Audit,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 10c1859c-e1a7-4df3-ab97-a487fa8059f6 | Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| Kubernetes service | 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | [Deprecated]: Enforce HTTPS ingress in AKS | This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2019-11-12 19:11:12
change: DisplayName previous DisplayName: [Limited Preview]: Enforce HTTPS ingress in AKS |
| Kubernetes service | 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | [Deprecated]: Do not allow privileged containers in AKS | This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2019-11-12 19:11:12
change: DisplayName previous DisplayName: [Limited Preview]: Do not allow privileged containers in AKS |
| App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit Allowed: (Audit,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 6ad61431-88ce-4357-a0e1-6da43f292bd7 | [Deprecated]: Ensure WEB app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
change: DisplayName previous DisplayName: Ensure WEB app is using the latest version of TLS encryption |
| App Service | e567365d-4228-430f-ac39-7d5d46e617ac | Ensure API app is using the latest version of TLS encryption | The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | Fixed: | n/a |
2019-11-12 19:11:12
remove: Policy (i) |
| Kubernetes service | 0f636243-1b1c-4d50-880f-310f6199f2cb | [Deprecated]: Ensure containers listen only on allowed ports in AKS | This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2019-11-12 19:11:12
change: DisplayName previous DisplayName: [Limited Preview]: Ensure containers listen only on allowed ports in AKS |
| App Service | aa81768c-cb87-4ce2-bfaa-00baa10d760c | Ensure that Register with Azure Active Directory is enabled on WEB App | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| Kubernetes service | 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | [Deprecated]: Ensure only allowed container images in AKS | This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2019-11-12 19:11:12
change: DisplayName previous DisplayName: [Limited Preview]: Ensure only allowed container images in AKS |
| App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | Ensure that 'Python version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 58d94fc1-a072-47c2-bd37-9cdb38e77453 | [Deprecated]: Ensure Function app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
change: DisplayName previous DisplayName: Ensure Function app is using the latest version of TLS encryption |
| Kubernetes service | a2d3ed81-8d11-4079-80a5-1faadc0024f4 | [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS | This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2019-11-12 19:11:12
change: DisplayName previous DisplayName: [Limited Preview]: Ensure CPU and memory resource limits defined on containers in AKS |
| Kubernetes service | 16c6ca72-89d2-4798-b87e-496f9de7fcb7 | [Deprecated]: Enforce labels on pods in AKS | This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2019-11-12 19:11:12
change: DisplayName previous DisplayName: [Limited Preview]: Enforce labels on pods in AKS |
| App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit Allowed: (Audit,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| Kubernetes service | d011d9f7-ba32-4005-b727-b3d09371ca60 | [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS | This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy Allowed: (EnforceRegoPolicy,Disabled) |
none |
2019-11-12 19:11:12
change: DisplayName previous DisplayName: [Limited Preview]: Enforce unique ingress hostnames across namespaces in AKS |
| App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 843664e0-7563-41ee-a9cb-7522c382d2c4 | Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 86d97760-d216-4d81-a3ad-163087b2b6c3 | Ensure that Register with Azure Active Directory is enabled on API app | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | Ensure that 'HTTP Version' is the latest, if used to run the Api app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | Ensure that 'PHP version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | Ensure that 'HTTP Version' is the latest, if used to run the Web app | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-11-12 19:11:12
add: Policy |
| Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | [Preview]: Manage allowed curve names for elliptic curve cryptography certificates | This policy manages the allowed elliptic curve names for elliptic curve cryptography certificates. | Default: audit Allowed: (audit,deny,disabled) |
none |
2019-11-02 10:12:34
add: Policy |
| App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Monitoring | db51110f-0865-4a6e-b274-e2e07a5b2cd7 | Deploy Diagnostic Settings for Batch Account to Event Hub | Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
2019-10-29 23:04:36
add: Policy |
| App Service | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Monitoring | e8d096bc-85de-4c5f-8cfb-857bd1b9d62d | Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
2019-10-29 23:04:36
add: Policy |
| Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2019-10-29 23:04:36
add: Policy |
| Monitoring | 3d5da587-71bd-41f5-ac95-dd3330c2d58d | Deploy Diagnostic Settings for Search Services to Event Hub | Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
2019-10-29 23:04:36
add: Policy |
| App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor |
2019-10-29 23:04:36
add: Policy |
| Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | [Preview]: Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| App Service | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Custom Provider | c15c281f-ea5c-44cd-90b8-fc3c14d13f0c | Deploy associations for a custom provider | Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | Contributor |
2019-10-29 23:04:36
add: Policy |
| SQL | 48af4db5-9b8b-401c-8e74-076be876a430 | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | This policy audits any Azure Database for PostgreSQL with geo-redundant backup not enabled. | Default: Audit Allowed: (Audit,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| SQL | d38fc420-0735-4ef3-ac11-c806f651a570 | Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Monitoring | 08ba64b8-738f-4918-9686-730d2ed79c7d | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: Policy |
| App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | Latest TLS version should be used in your Web App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Monitoring | b889a06c-ec72-4b03-910a-cb169ee18721 | Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: Policy |
| Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | [Preview]: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Monitoring | 4daddf25-4823-43d4-88eb-2419eb6dcc08 | Deploy Diagnostic Settings for Data Lake Analytics to Event Hub | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
2019-10-29 23:04:36
add: Policy |
| Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | [Preview]: Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| App Service | 399b2637-a50f-4f95-96f8-3a145476eb15 | FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Monitoring | edf3780c-3d70-40fe-b17e-ab72013dafca | Deploy Diagnostic Settings for Stream Analytics to Event Hub | Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
2019-10-29 23:04:36
add: Policy |
| Monitoring | a1dae6c7-13f3-48ea-a149-ff8442661f60 | Deploy Diagnostic Settings for Logic Apps to Event Hub | Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
2019-10-29 23:04:36
add: Policy |
| App Service | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | Latest TLS version should be used in your API App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| e567365d-4228-430f-ac39-7d5d46e617ac | Fixed: | none |
2019-10-29 23:04:36
add: Policy |
|||
| Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | [Preview]: Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Managed Application | 17763ad9-70c0-4794-9397-53d765932634 | Deploy associations for a managed application | Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | Contributor |
2019-10-29 23:04:36
add: Policy |
| Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | [Preview]: Do not allow privileged containers in Kubernetes cluster | This policy does not allow privileged containers creation in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Monitoring | 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: Policy |
| App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Latest TLS version should be used in your Function App | Upgrade to the latest TLS version | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Lighthouse | 76bed37b-484f-430f-a009-fd7592dff818 | Audit delegation of scopes to a managing tenant | Audit delegation of scopes to a managing tenant via Azure Lighthouse. | Default: Audit Allowed: (Audit,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Monitoring | c84e5349-db6d-4769-805e-e14037dab9b5 | Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: Policy |
| Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | [Preview]: Enforce internal load balancers in Kubernetes cluster | This policy enforces load balancers do not have public IPs in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Storage | bf045164-79ba-4215-8f95-f8048dc1780b | Geo-redundant storage should be enabled for Storage Accounts | This policy audits any Storage Account with geo-redundant storage not enabled. | Default: Audit Allowed: (Audit,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: Policy |
| Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: Policy |
| Monitoring | 6b51af03-9277-49a9-a3f8-1c69c9ff7403 | Deploy Diagnostic Settings for Service Bus to Event Hub | Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
2019-10-29 23:04:36
add: Policy |
| Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | [Preview]: Enforce labels on pods in Kubernetes cluster | This policy enforces the specified labels are provided for pods in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| SQL | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | Geo-redundant backup should be enabled for Azure Database for MariaDB | This policy audits any Azure Database for MariaDB with geo-redundant backup not enabled. | Default: Audit Allowed: (Audit,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Monitoring | ef7b61ef-b8e4-4c91-8e78-6946c6b0023f | Deploy Diagnostic Settings for Event Hub to Event Hub | Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Contributor |
2019-10-29 23:04:36
add: Policy |
| SQL | 82339799-d096-41ae-8538-b108becf0970 | Geo-redundant backup should be enabled for Azure Database for MySQL | This policy audits any Azure Database for MySQL with geo-redundant backup not enabled. | Default: Audit Allowed: (Audit,Disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: Policy |
| Monitoring | 25763a0a-5783-4f14-969e-79d4933eb74b | Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: Policy |
| Monitoring | d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists Allowed: (DeployIfNotExists,Disabled) |
Monitoring Contributor Log Analytics Contributor |
2019-10-29 23:04:36
add: Policy |
| Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | [Preview]: Enforce HTTPS ingress in Kubernetes cluster | This policy enforces HTTPS ingress in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: deny Allowed: (audit,deny,disabled) |
none |
2019-10-29 23:04:36
add: Policy |
| SQL | 464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf | [Deprecated]: Require SQL Server version 12.0 | This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version other than 12.0. | Fixed: Deny | none |
2019-10-29 21:52:54
change: DisplayName previous DisplayName: Require SQL Server version 12.0 |
| Network | d63edb4a-c612-454d-b47d-191a724fcbf0 | Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-11 00:02:54
add: Policy |
| Network | ea4d6841-2173-4317-9747-ff522a45120f | Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Default: Audit Allowed: (Audit,Disabled) |
none |
2019-10-11 00:02:54
add: Policy |
| Monitoring | a70ca396-0a34-413a-88e1-b956c1e683be | The Log Analytics agent should be installed on virtual machines | This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-11 00:02:54
add: Policy |
| Network | e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9 | Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Default: Audit Allowed: (Audit,Disabled) |
none |
2019-10-11 00:02:54
add: Policy |
| Network | 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | App Service should use a virtual network service endpoint | This policy audits any App Service not configured to use a virtual network service endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-11 00:02:54
add: Policy |
| Monitoring | efbde977-ba53-4479-b8e9-10b957924fbf | The Log Analytics agent should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-11 00:02:54
add: Policy |
| Network | d416745a-506c-48b6-8ab1-83cb814bcaa3 | Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Default: Audit Allowed: (Audit,Deny,Disabled) |
none |
2019-10-11 00:02:54
add: Policy |
| Network | 235359c5-7c52-4b82-9055-01c75cf9f60e | Service Bus should use a virtual network service endpoint | This policy audits any Service Bus not configured to use a virtual network service endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-11 00:02:54
add: Policy |
| Network | ae5d2f14-d830-42b6-9899-df6cfe9c71a3 | SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-11 00:02:54
add: Policy |
| Network | f1776c76-f58c-4245-a8d0-2b207198dc8b | Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-11 00:02:54
add: Policy |
| Network | 60d21c4f-21a3-4d94-85f4-b924e6aeeda4 | Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Default: Audit Allowed: (Audit,Disabled) |
none |
2019-10-11 00:02:54
add: Policy |
| Network | c4857be7-912a-4c75-87e6-e30292bcdf78 | [Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Default: Audit Allowed: (Audit,Disabled) |
none |
2019-10-11 00:02:54
add: Policy |
| SQL | 06a78e20-9358-41c9-923c-fb736d382a12 | [Deprecated]: Audit SQL DB Level Audit Setting | Audit DB level audit setting for SQL databases | Fixed: AuditIfNotExists | none |
2019-10-08 15:55:12
change: DisplayName previous DisplayName: Audit SQL DB Level Audit Setting |
| General | 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 | [Deprecated]: Allow resource creation only in India data centers | Allows resource creation in the following locations only: West India, South India, Central India | Fixed: Deny | none |
2019-10-08 15:55:12
change: DisplayName previous DisplayName: Allow resource creation only in India data centers |
| Security Center | abcc6037-1fc4-47f6-aac5-89706589be24 | [Deprecated]: Automatic provisioning of security monitoring agent | Installs security agent on VMs for advanced security alerts and preventions in Azure Security Center. Applies only for subscriptions that use Azure Security Center. | Fixed: AuditIfNotExists | none |
2019-10-08 15:55:12
change: DisplayName previous DisplayName: Automatic provisioning of security monitoring agent |
| Tags | ac7e5fc0-c029-4b12-91d4-a8500ce697f9 | [Deprecated]: Allow resource creation if 'environment' tag value in allowed values | Allows resource creation if the 'environment' tag is set to one of the following values: production, dev, test, staging | Fixed: Deny | none |
2019-10-08 15:55:12
change: DisplayName previous DisplayName: Allow resource creation if 'environment' tag value in allowed values |
| Tags | cd8dc879-a2ae-43c3-8211-1877c5755064 | [Deprecated]: Allow resource creation if 'department' tag set | Allows resource creation only if the 'department' tag is set | Fixed: Deny | none |
2019-10-08 15:55:12
change: DisplayName previous DisplayName: Allow resource creation if 'department' tag set |
| Compute | 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 | [Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs | This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the selected Log Analytics workspace | Fixed: deployIfNotExists | Log Analytics Contributor |
2019-10-08 15:55:12
change: DisplayName previous DisplayName: Deploy default Log Analytics Agent for Ubuntu VMs |
| General | 94c19f19-8192-48cd-a11b-e37099d3e36b | [Deprecated]: Allow resource creation only in European data centers | Allows resource creation in the following locations only: North Europe, West Europe | Fixed: Deny | none |
2019-10-08 15:55:12
change: DisplayName previous DisplayName: Allow resource creation only in European data centers |
| General | 983211ba-f348-4758-983b-21fa29294869 | [Deprecated]: Allow resource creation only in United States data centers | Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US | Fixed: Deny | none |
2019-10-08 15:55:12
change: DisplayName previous DisplayName: Allow resource creation only in United States data centers |
| General | c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 | [Deprecated]: Allow resource creation only in Asia data centers | Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West | Fixed: Deny | none |
2019-10-08 15:55:12
change: DisplayName previous DisplayName: Allow resource creation only in Asia data centers |
| General | e01598e8-6538-41ed-95e8-8b29746cd697 | [Deprecated]: Allow resource creation only in Japan data centers | Allows resource creation in the following locations only: Japan East, Japan West | Fixed: Deny | none |
2019-10-08 15:55:12
change: DisplayName previous DisplayName: Allow resource creation only in Japan data centers |
| General | 6fdb9205-3462-4cfc-87d8-16c7860b53f4 | [Deprecated]: Allow resource creation only in Japan data centers | Allows resource creation in the following locations only: Japan East, Japan West | Fixed: Deny | none |
2019-10-08 15:55:12
change: DisplayName previous DisplayName: Allow resource creation only in Japan data centers |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e442 | Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-03 22:58:00
add: Policy |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 | Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-03 22:58:00
add: Policy |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3 | Log duration should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_duration setting enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-03 22:58:00
add: Policy |
| SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d | Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-03 22:58:00
add: Policy |
| SQL | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. | Default: AuditIfNotExists Allowed: (AuditIfNotExists,Disabled) |
none |
2019-10-03 22:58:00
add: Policy |